diff --git a/docs/detections/detections-index.asciidoc b/docs/detections/detections-index.asciidoc
index 557b99198c..da13686789 100644
--- a/docs/detections/detections-index.asciidoc
+++ b/docs/detections/detections-index.asciidoc
@@ -44,8 +44,6 @@ include::query-alert-indices.asciidoc[]
 
 include::prebuilt-rules/tune-rule-signals.asciidoc[]
 
-include::prebuilt-rules/prebuilt-rules-changelog.asciidoc[]
-
 include::prebuilt-rules/prebuilt-rules-reference.asciidoc[]
 
 include::prebuilt-rules/rule-desc-index.asciidoc[]
diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc
deleted file mode 100644
index 840544c80f..0000000000
--- a/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc
+++ /dev/null
@@ -1,1959 +0,0 @@
-[[prebuilt-rules-changelog]]
-== Prebuilt rule changes per release
-
-The following lists prebuilt rule updates per release. Only rules with
-significant modifications to their query or scope are listed. For detailed
-information about a rule's changes, see the rule's description page.
-
-[float]
-=== 8.6.0
-
-<<a-scheduled-task-was-created>>
-
-<<a-scheduled-task-was-updated>>
-
-<<abnormal-process-id-or-lock-file-created>>
-
-<<accepted-default-telnet-port-connection>>
-
-<<account-password-reset-remotely>>
-
-<<adversary-behavior-detected-elastic-endgame>>
-
-<<clearing-windows-console-history>>
-
-<<component-object-model-hijacking>>
-
-<<connection-to-commonly-abused-web-services>>
-
-<<creation-or-modification-of-root-certificate>>
-
-<<file-transfer-or-listener-established-via-netcat>>
-
-<<kubernetes-anonymous-request-authorized>>
-
-<<kubernetes-exposed-service-created-with-type-nodeport>>
-
-<<kubernetes-pod-created-with-hostipc>>
-
-<<kubernetes-pod-created-with-hostnetwork>>
-
-<<kubernetes-pod-created-with-hostpid>>
-
-<<kubernetes-pod-created-with-a-sensitive-hostpath-volume>>
-
-<<kubernetes-privileged-pod-created>>
-
-<<kubernetes-suspicious-assignment-of-controller-service-account>>
-
-<<kubernetes-suspicious-self-subject-review>>
-
-<<kubernetes-user-exec-into-pod>>
-
-<<ms-office-macro-security-registry-modifications>>
-
-<<modification-of-amsienable-registry-key>>
-
-<<modification-of-wdigest-security-provider>>
-
-<<network-logon-provider-registry-modification>>
-
-<<nullsessionpipe-registry-modification>>
-
-<<port-forwarding-rule-addition>>
-
-<<potential-application-shimming-via-sdbinst>>
-
-<<potential-remote-credential-access-via-registry>>
-
-<<potential-shadow-credentials-added-to-ad-object>>
-
-<<potential-shadow-file-read-via-command-line-utilities>>
-
-<<powershell-script-block-logging-disabled>>
-
-<<process-creation-via-secondary-logon>>
-
-<<process-termination-followed-by-deletion>>
-
-<<remote-computer-account-dnshostname-update>>
-
-<<sip-provider-modification>>
-
-<<scheduled-tasks-at-command-enabled>>
-
-<<solarwinds-process-disabling-services-via-registry>>
-
-<<suspicious-file-creation-in-etc-for-persistence>>
-
-<<suspicious-powershell-engine-imageload>>
-
-<<suspicious-wmi-image-load-from-ms-office>>
-
-<<system-log-file-deletion>>
-
-<<temporarily-scheduled-task-creation>>
-
-<<windows-defender-disabled-via-registry-modification>>
-
-<<windows-registry-file-creation-in-smb-share>>
-
-[float]
-=== 8.5.0
-
-<<abnormal-process-id-or-lock-file-created>>
-
-<<account-discovery-command-via-system-account>>
-
-<<adfind-command-activity>>
-
-<<adding-hidden-file-attribute-via-attrib>>
-
-<<attempt-to-disable-gatekeeper>>
-
-<<azure-automation-runbook-deleted>>
-
-<<binary-executed-from-shared-memory-directory>>
-
-<<bypass-uac-via-event-viewer>>
-
-<<chkconfig-service-add>>
-
-<<clearing-windows-event-logs>>
-
-<<command-execution-via-solarwinds-process>>
-
-<<conhost-spawned-by-suspicious-parent-process>>
-
-<<control-panel-process-with-unusual-arguments>>
-
-<<creation-of-hidden-shared-object-file>>
-
-<<creation-or-modification-of-root-certificate>>
-
-<<creation-or-modification-of-a-new-gpo-scheduled-task-or-service>>
-
-<<credential-acquisition-via-registry-hive-dumping>>
-
-<<delete-volume-usn-journal-with-fsutil>>
-
-<<deleting-backup-catalogs-with-wbadmin>>
-
-<<direct-outbound-smb-connection>>
-
-<<disable-windows-event-and-security-logs-using-built-in-tools>>
-
-<<disable-windows-firewall-rules-via-netsh>>
-
-<<elastic-agent-service-terminated>>
-
-<<encrypting-files-with-winrar-or-7z>>
-
-<<enumerating-domain-trusts-via-nltest-exe>>
-
-<<enumeration-command-spawned-via-wmiprvse>>
-
-<<enumeration-of-administrator-accounts>>
-
-<<execution-from-unusual-directory-command-line>>
-
-<<execution-of-com-object-via-xwizard>>
-
-<<execution-of-file-written-or-modified-by-microsoft-office>>
-
-<<execution-of-file-written-or-modified-by-pdf-reader>>
-
-<<execution-of-persistent-suspicious-program>>
-
-<<execution-via-mssql-xp-cmdshell-stored-procedure>>
-
-<<execution-via-tsclient-mountpoint>>
-
-<<exporting-exchange-mailbox-via-powershell>>
-
-<<finder-sync-plugin-registered-and-enabled>>
-
-<<google-workspace-admin-role-assigned-to-a-user>>
-
-<<iis-http-logging-disabled>>
-
-<<image-file-execution-options-injection>>
-
-<<imageload-via-windows-update-auto-update-client>>
-
-<<incoming-dcom-lateral-movement-via-mshta>>
-
-<<incoming-dcom-lateral-movement-with-mmc>>
-
-<<incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows>>
-
-<<installutil-process-making-network-connections>>
-
-<<installation-of-custom-shim-databases>>
-
-<<interactive-terminal-spawned-via-python>>
-
-<<kubernetes-pod-created-with-a-sensitive-hostpath-volume>>
-
-<<kubernetes-suspicious-self-subject-review>>
-
-<<kubernetes-user-exec-into-pod>>
-
-<<launch-agent-creation-or-modification-and-immediate-loading>>
-
-<<macos-installer-package-spawns-network-event>>
-
-<<microsoft-365-inbox-forwarding-rule-created>>
-
-<<microsoft-build-engine-started-an-unusual-process>>
-
-<<microsoft-build-engine-started-by-a-system-process>>
-
-<<microsoft-build-engine-started-by-an-office-application>>
-
-<<microsoft-build-engine-using-an-alternate-name>>
-
-<<microsoft-iis-connection-strings-decryption>>
-
-<<microsoft-iis-service-account-password-dumped>>
-
-<<modification-of-boot-configuration>>
-
-<<modification-of-standard-authentication-module-or-configuration>>
-
-<<mounting-hidden-or-webdav-remote-shares>>
-
-<<mshta-making-network-connections>>
-
-<<ntds-or-sam-database-file-copied>>
-
-<<new-activesyncalloweddeviceid-added-via-powershell>>
-
-<<parent-process-pid-spoofing>>
-
-<<peripheral-device-discovery>>
-
-<<persistence-via-docker-shortcut-modification>>
-
-<<persistence-via-telemetrycontroller-scheduled-task-hijack>>
-
-<<persistence-via-update-orchestrator-service-hijack>>
-
-<<persistence-via-wmi-event-subscription>>
-
-<<persistence-via-wmi-standard-registry-provider>>
-
-<<potential-application-shimming-via-sdbinst>>
-
-<<potential-credential-access-via-windows-utilities>>
-
-<<potential-evasion-via-filter-manager>>
-
-<<potential-kerberos-attack-via-bifrost>>
-
-<<potential-local-ntlm-relay-via-http>>
-
-<<potential-modification-of-accessibility-binaries>>
-
-<<potential-remote-desktop-tunneling-detected>>
-
-<<potential-sharprdp-behavior>>
-
-<<privilege-escalation-via-named-pipe-impersonation>>
-
-<<privilege-escalation-via-windir-environment-variable>>
-
-<<process-activity-via-compiled-html-file>>
-
-<<process-execution-from-an-unusual-directory>>
-
-<<process-termination-followed-by-deletion>>
-
-<<remote-desktop-enabled-in-windows-firewall-by-netsh>>
-
-<<remote-execution-via-file-shares>>
-
-<<remote-file-copy-to-a-hidden-share>>
-
-<<remote-file-download-via-desktopimgdownldr-utility>>
-
-<<remote-file-download-via-powershell>>
-
-<<remote-system-discovery-commands>>
-
-<<remotely-started-services-via-rpc>>
-
-<<renamed-autoit-scripts-interpreter>>
-
-<<ssh-authorized-keys-file-modification>>
-
-<<sunburst-command-and-control-activity>>
-
-<<searching-for-saved-credentials-via-vaultcmd>>
-
-<<security-software-discovery-using-wmic>>
-
-<<service-command-lateral-movement>>
-
-<<signed-proxy-execution-via-ms-work-folders>>
-
-<<softwareupdate-preferences-modification>>
-
-<<startup-folder-persistence-via-unsigned-process>>
-
-<<startup-or-run-key-registry-modification>>
-
-<<suspicious-net-code-compilation>>
-
-<<suspicious-browser-child-process>>
-
-<<suspicious-child-process-of-adobe-acrobat-reader-update-service>>
-
-<<suspicious-cmd-execution-via-wmi>>
-
-<<suspicious-crontab-creation-or-modification>>
-
-<<suspicious-endpoint-security-parent-process>>
-
-<<suspicious-execution-via-scheduled-task>>
-
-<<suspicious-explorer-child-process>>
-
-<<suspicious-ms-office-child-process>>
-
-<<suspicious-ms-outlook-child-process>>
-
-<<suspicious-managed-code-hosting-process>>
-
-<<suspicious-microsoft-diagnostics-wizard-execution>>
-
-<<suspicious-pdf-reader-child-process>>
-
-<<suspicious-process-execution-via-renamed-psexec-executable>>
-
-<<suspicious-solarwinds-child-process>>
-
-<<suspicious-wmic-xsl-script-execution>>
-
-<<suspicious-werfault-child-process>>
-
-<<suspicious-zoom-child-process>>
-
-<<suspicious-macos-ms-office-child-process>>
-
-<<svchost-spawning-cmd>>
-
-<<system-shells-via-services>>
-
-<<uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer>>
-
-<<uac-bypass-attempt-via-windows-directory-masquerading>>
-
-<<uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface>>
-
-<<uac-bypass-via-icmluautil-elevated-com-interface>>
-
-<<uac-bypass-via-windows-firewall-snap-in-hijack>>
-
-<<uncommon-registry-persistence-change>>
-
-<<unusual-child-process-from-a-system-virtual-process>>
-
-<<unusual-child-processes-of-rundll32>>
-
-<<unusual-file-creation-alternate-data-stream>>
-
-<<unusual-network-activity-from-a-windows-system-binary>>
-
-<<unusual-network-connection-via-dllhost>>
-
-<<unusual-network-connection-via-rundll32>>
-
-<<unusual-parent-process-for-cmd-exe>>
-
-<<unusual-parent-child-relationship>>
-
-<<unusual-service-host-child-process-childless-service>>
-
-<<user-account-creation>>
-
-<<volume-shadow-copy-deleted-or-resized-via-vssadmin>>
-
-<<volume-shadow-copy-deletion-via-powershell>>
-
-<<volume-shadow-copy-deletion-via-wmic>>
-
-<<wmi-incoming-lateral-movement>>
-
-<<whoami-process-activity>>
-
-<<windows-defender-disabled-via-registry-modification>>
-
-<<windows-network-enumeration>>
-
-<<windows-script-executing-powershell>>
-
-<<windows-script-interpreter-executing-process-via-wmi>>
-
-[float]
-=== 8.4.0
-
-<<aws-deletion-of-rds-instance-or-cluster>>
-
-<<aws-ec2-full-network-packet-capture-detected>>
-
-<<aws-efs-file-system-or-mount-deleted>>
-
-<<aws-elasticache-security-group-created>>
-
-<<aws-elasticache-security-group-modified-or-deleted>>
-
-<<aws-eventbridge-rule-disabled-or-deleted>>
-
-<<aws-route-table-created>>
-
-<<aws-route53-private-hosted-zone-associated-with-a-vpc>>
-
-<<aws-saml-activity>>
-
-<<aws-sts-getsessiontoken-abuse>>
-
-<<aws-security-group-configuration-change-detection>>
-
-<<aws-security-token-service-sts-assumerole-usage>>
-
-<<access-of-stored-browser-credentials>>
-
-<<access-to-keychain-credentials-directories>>
-
-<<account-discovery-command-via-system-account>>
-
-<<account-password-reset-remotely>>
-
-<<adfind-command-activity>>
-
-<<attempt-to-install-root-certificate>>
-
-<<attempt-to-mount-smb-share-via-command-line>>
-
-<<attempt-to-remove-file-quarantine-attribute>>
-
-<<authorization-plugin-modification>>
-
-<<azure-alert-suppression-rule-created-or-modified>>
-
-<<azure-automation-runbook-deleted>>
-
-<<azure-blob-permissions-modification>>
-
-<<azure-full-network-packet-capture-detected>>
-
-<<azure-kubernetes-events-deleted>>
-
-<<azure-kubernetes-pods-deleted>>
-
-<<azure-kubernetes-rolebindings-created>>
-
-<<azure-virtual-network-device-modified-or-deleted>>
-
-<<binary-executed-from-shared-memory-directory>>
-
-<<bypass-uac-via-event-viewer>>
-
-<<component-object-model-hijacking>>
-
-<<connection-to-commonly-abused-free-ssl-certificate-providers>>
-
-<<control-panel-process-with-unusual-arguments>>
-
-<<creation-of-hidden-files-and-directories-via-commandline>>
-
-<<creation-of-hidden-launch-agent-or-daemon>>
-
-<<delete-volume-usn-journal-with-fsutil>>
-
-<<disable-windows-event-and-security-logs-using-built-in-tools>>
-
-<<elastic-agent-service-terminated>>
-
-<<enumeration-of-privileged-local-groups-membership>>
-
-<<enumeration-of-users-or-groups-via-built-in-commands>>
-
-<<executable-file-creation-with-multiple-extensions>>
-
-<<execution-from-unusual-directory-command-line>>
-
-<<execution-with-explicit-credentials-via-scripting>>
-
-<<gcp-firewall-rule-creation>>
-
-<<gcp-firewall-rule-deletion>>
-
-<<gcp-firewall-rule-modification>>
-
-<<gcp-iam-custom-role-creation>>
-
-<<gcp-iam-role-deletion>>
-
-<<gcp-iam-service-account-key-deletion>>
-
-<<gcp-logging-bucket-deletion>>
-
-<<gcp-logging-sink-deletion>>
-
-<<gcp-logging-sink-modification>>
-
-<<gcp-pub-sub-subscription-creation>>
-
-<<gcp-pub-sub-subscription-deletion>>
-
-<<gcp-pub-sub-topic-creation>>
-
-<<gcp-pub-sub-topic-deletion>>
-
-<<gcp-service-account-creation>>
-
-<<gcp-service-account-deletion>>
-
-<<gcp-service-account-disabled>>
-
-<<gcp-service-account-key-creation>>
-
-<<gcp-storage-bucket-configuration-modification>>
-
-<<gcp-storage-bucket-deletion>>
-
-<<gcp-storage-bucket-permissions-modification>>
-
-<<gcp-virtual-private-cloud-network-deletion>>
-
-<<gcp-virtual-private-cloud-route-creation>>
-
-<<gcp-virtual-private-cloud-route-deletion>>
-
-<<google-workspace-mfa-enforcement-disabled>>
-
-<<group-policy-abuse-for-privilege-addition>>
-
-<<incoming-dcom-lateral-movement-via-mshta>>
-
-<<installation-of-security-support-provider>>
-
-<<kerberos-traffic-from-unusual-process>>
-
-<<kubernetes-user-exec-into-pod>>
-
-<<lsass-memory-dump-creation>>
-
-<<lateral-movement-via-startup-folder>>
-
-<<launchdaemon-creation-or-modification-and-immediate-loading>>
-
-<<linux-restricted-shell-breakout-via-linux-binary-s>>
-
-<<ms-office-macro-security-registry-modifications>>
-
-<<macos-installer-package-spawns-network-event>>
-
-<<microsoft-365-inbox-forwarding-rule-created>>
-
-<<microsoft-exchange-server-um-spawning-suspicious-processes>>
-
-<<microsoft-iis-service-account-password-dumped>>
-
-<<modification-of-boot-configuration>>
-
-<<modification-of-environment-variable-via-launchctl>>
-
-<<modification-of-openssh-binaries>>
-
-<<modification-of-wdigest-security-provider>>
-
-<<new-or-modified-federation-domain>>
-
-<<o365-exchange-suspicious-mailbox-right-delegation>>
-
-<<outbound-scheduled-task-activity-via-powershell>>
-
-<<peripheral-device-discovery>>
-
-<<persistence-via-folder-action-script>>
-
-<<persistence-via-hidden-run-key-detected>>
-
-<<persistence-via-kde-autostart-script-or-desktop-file-modification>>
-
-<<persistence-via-update-orchestrator-service-hijack>>
-
-<<persistent-scripts-in-the-startup-directory>>
-
-<<possible-consent-grant-attack-via-azure-registered-application>>
-
-<<potential-cookies-theft-via-browser-debugging>>
-
-<<potential-credential-access-via-dcsync>>
-
-<<potential-credential-access-via-duplicatehandle-in-lsass>>
-
-<<potential-credential-access-via-lsass-memory-dump>>
-
-<<potential-credential-access-via-trusted-developer-utility>>
-
-<<potential-evasion-via-filter-manager>>
-
-<<potential-microsoft-office-sandbox-evasion>>
-
-<<potential-openssh-backdoor-logging-activity>>
-
-<<potential-password-spraying-of-microsoft-365-user-accounts>>
-
-<<potential-persistence-via-login-hook>>
-
-<<potential-privacy-control-bypass-via-localhost-secure-copy>>
-
-<<potential-privacy-control-bypass-via-tccdb-modification>>
-
-<<potential-privilege-escalation-via-installerfiletakeover>>
-
-<<potential-process-injection-via-powershell>>
-
-<<potential-remote-credential-access-via-registry>>
-
-<<potential-remote-desktop-shadowing-activity>>
-
-<<potential-reverse-shell-activity-via-terminal>>
-
-<<powershell-kerberos-ticket-request>>
-
-<<powershell-keylogging-script>>
-
-<<powershell-psreflect-script>>
-
-<<powershell-script-block-logging-disabled>>
-
-<<powershell-suspicious-discovery-related-windows-api-functions>>
-
-<<powershell-suspicious-payload-encoded-and-compressed>>
-
-<<powershell-suspicious-script-with-audio-capture-capabilities>>
-
-<<powershell-suspicious-script-with-screenshot-capabilities>>
-
-<<privilege-escalation-via-named-pipe-impersonation>>
-
-<<process-activity-via-compiled-html-file>>
-
-<<process-execution-from-an-unusual-directory>>
-
-<<process-termination-followed-by-deletion>>
-
-<<psexec-network-connection>>
-
-<<registry-persistence-via-appinit-dll>>
-
-<<remote-file-copy-to-a-hidden-share>>
-
-<<remote-ssh-login-enabled-via-systemsetup-command>>
-
-<<remotely-started-services-via-rpc>>
-
-<<scheduled-task-created-by-a-windows-script>>
-
-<<scheduled-task-execution-at-scale-via-gpo>>
-
-<<scheduled-tasks-at-command-enabled>>
-
-<<solarwinds-process-disabling-services-via-registry>>
-
-<<startup-persistence-by-a-suspicious-process>>
-
-<<sublime-plugin-or-application-script-modification>>
-
-<<suspicious-net-reflection-via-powershell>>
-
-<<suspicious-calendar-file-modification>>
-
-<<suspicious-certutil-commands>>
-
-<<suspicious-dll-loaded-for-persistence-or-privilege-escalation>>
-
-<<suspicious-endpoint-security-parent-process>>
-
-<<suspicious-execution-via-scheduled-task>>
-
-<<suspicious-image-load-taskschd-dll-from-ms-office>>
-
-<<suspicious-ms-office-child-process>>
-
-<<suspicious-microsoft-diagnostics-wizard-execution>>
-
-<<suspicious-portable-executable-encoded-in-powershell-script>>
-
-<<suspicious-powershell-engine-imageload>>
-
-<<suspicious-process-access-via-direct-system-call>>
-
-<<suspicious-process-creation-calltrace>>
-
-<<suspicious-rdp-activex-client-loaded>>
-
-<<suspicious-remote-registry-access-via-sebackupprivilege>>
-
-<<suspicious-script-object-execution>>
-
-<<suspicious-wmi-image-load-from-ms-office>>
-
-<<suspicious-wmic-xsl-script-execution>>
-
-<<svchost-spawning-cmd>>
-
-<<symbolic-link-to-shadow-copy-created>>
-
-<<system-log-file-deletion>>
-
-<<system-shells-via-services>>
-
-<<unusual-service-host-child-process-childless-service>>
-
-<<user-account-exposed-to-kerberoasting>>
-
-<<virtual-machine-fingerprinting-via-grep>>
-
-<<volume-shadow-copy-deletion-via-powershell>>
-
-<<web-shell-detection-script-process-child-of-common-web-processes>>
-
-<<webserver-access-logs-deleted>>
-
-<<windows-script-interpreter-executing-process-via-wmi>>
-
-[float]
-=== 8.3.0
-
-<<adminsdholder-sdprop-exclusion-added>>
-
-<<attempts-to-brute-force-a-microsoft-365-user-account>>
-
-<<component-object-model-hijacking>>
-
-<<connection-to-commonly-abused-web-services>>
-
-<<emond-rules-creation-or-modification>>
-
-<<microsoft-365-inbox-forwarding-rule-created>>
-
-<<potential-password-spraying-of-microsoft-365-user-accounts>>
-
-<<remote-system-discovery-commands>>
-
-<<ssh-authorized-keys-file-modification>>
-
-<<suspicious-ms-office-child-process>>
-
-<<tampering-of-shell-command-line-history>>
-
-[float]
-=== 8.2.0
-
-<<aws-deletion-of-rds-instance-or-cluster>>
-
-<<aws-security-group-configuration-change-detection>>
-
-<<aws-waf-rule-or-rule-group-deletion>>
-
-<<account-discovery-command-via-system-account>>
-
-<<azure-conditional-access-policy-modified>>
-
-<<azure-service-principal-credentials-added>>
-
-<<enumeration-of-users-or-groups-via-built-in-commands>>
-
-<<interactive-terminal-spawned-via-python>>
-
-<<local-scheduled-task-creation>>
-
-<<microsoft-windows-defender-tampering>>
-
-<<network-connection-via-registration-utility>>
-
-<<potential-privilege-escalation-via-installerfiletakeover>>
-
-<<potential-process-injection-via-powershell>>
-
-<<powershell-keylogging-script>>
-
-<<powershell-psreflect-script>>
-
-<<powershell-suspicious-payload-encoded-and-compressed>>
-
-<<powershell-suspicious-script-with-audio-capture-capabilities>>
-
-<<powershell-suspicious-script-with-screenshot-capabilities>>
-
-<<svchost-spawning-cmd>>
-
-<<symbolic-link-to-shadow-copy-created>>
-
-<<systemkey-access-via-command-line>>
-
-<<unusual-print-spooler-child-process>>
-
-[float]
-=== 8.1.0
-
-<<account-discovery-command-via-system-account>>
-
-<<account-password-reset-remotely>>
-
-<<attempts-to-brute-force-a-microsoft-365-user-account>>
-
-<<azure-virtual-network-device-modified-or-deleted>>
-
-<<disabling-user-account-control-via-registry-modification>>
-
-<<installation-of-security-support-provider>>
-
-<<kerberos-traffic-from-unusual-process>>
-
-<<local-scheduled-task-creation>>
-
-<<microsoft-365-inbox-forwarding-rule-created>>
-
-<<microsoft-windows-defender-tampering>>
-
-<<modification-of-amsienable-registry-key>>
-
-<<modification-of-wdigest-security-provider>>
-
-<<network-connection-via-registration-utility>>
-
-<<o365-exchange-suspicious-mailbox-right-delegation>>
-
-<<persistence-via-hidden-run-key-detected>>
-
-<<port-forwarding-rule-addition>>
-
-<<potential-command-and-control-via-internet-explorer>>
-
-<<potential-credential-access-via-lsass-memory-dump>>
-
-<<potential-password-spraying-of-microsoft-365-user-accounts>>
-
-<<potential-port-monitor-or-print-processor-registration-abuse>>
-
-<<potential-privilege-escalation-via-installerfiletakeover>>
-
-<<rdp-enabled-via-registry>>
-
-<<registry-persistence-via-appcert-dll>>
-
-<<scheduled-tasks-at-command-enabled>>
-
-<<service-control-spawned-via-script-interpreter>>
-
-<<solarwinds-process-disabling-services-via-registry>>
-
-<<unusual-print-spooler-child-process>>
-
-<<volume-shadow-copy-deleted-or-resized-via-vssadmin>>
-
-<<windows-defender-disabled-via-registry-modification>>
-
-[float]
-=== 8.0.0
-
-<<application-added-to-google-workspace-domain>>
-
-<<component-object-model-hijacking>>
-
-<<connection-to-commonly-abused-web-services>>
-
-<<domain-added-to-google-workspace-trusted-domains>>
-
-<<google-workspace-api-access-granted-via-domain-wide-delegation-of-authority>>
-
-<<google-workspace-admin-role-assigned-to-a-user>>
-
-<<google-workspace-admin-role-deletion>>
-
-<<google-workspace-custom-admin-role-created>>
-
-<<google-workspace-mfa-enforcement-disabled>>
-
-<<google-workspace-password-policy-modified>>
-
-<<google-workspace-role-modified>>
-
-<<incoming-dcom-lateral-movement-via-mshta>>
-
-<<incoming-dcom-lateral-movement-with-mmc>>
-
-<<incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows>>
-
-<<incoming-execution-via-powershell-remoting>>
-
-<<incoming-execution-via-winrm-remote-shell>>
-
-<<launchdaemon-creation-or-modification-and-immediate-loading>>
-
-<<mfa-disabled-for-google-workspace-organization>>
-
-<<o365-excessive-single-sign-on-logon-errors>>
-
-<<persistence-via-folder-action-script>>
-
-<<potential-lateral-tool-transfer-via-smb-share>>
-
-<<potential-sharprdp-behavior>>
-
-<<powershell-minidump-script>>
-
-<<powershell-suspicious-discovery-related-windows-api-functions>>
-
-<<powershell-suspicious-script-with-audio-capture-capabilities>>
-
-<<remote-scheduled-task-creation>>
-
-<<remotely-started-services-via-rpc>>
-
-<<suspicious-certutil-commands>>
-
-<<suspicious-java-child-process>>
-
-<<suspicious-portable-executable-encoded-in-powershell-script>>
-
-<<wmi-incoming-lateral-movement>>
-
-<<windows-defender-exclusions-added-via-powershell>>
-
-[float]
-=== 7.16.0
-
-<<clearing-windows-event-logs>>
-
-<<disabling-windows-defender-security-settings-via-powershell>>
-
-<<exporting-exchange-mailbox-via-powershell>>
-
-<<hosts-file-modified>>
-
-<<incoming-dcom-lateral-movement-via-mshta>>
-
-<<incoming-dcom-lateral-movement-with-mmc>>
-
-<<incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows>>
-
-<<incoming-execution-via-powershell-remoting>>
-
-<<incoming-execution-via-winrm-remote-shell>>
-
-<<installutil-process-making-network-connections>>
-
-<<kerberos-traffic-from-unusual-process>>
-
-<<local-scheduled-task-creation>>
-
-<<microsoft-build-engine-started-by-a-script-process>>
-
-<<microsoft-exchange-worker-spawning-suspicious-processes>>
-
-<<network-connection-via-signed-binary>>
-
-<<new-activesyncalloweddeviceid-added-via-powershell>>
-
-<<outbound-scheduled-task-activity-via-powershell>>
-
-<<potential-dll-side-loading-via-microsoft-antimalware-service-executable>>
-
-<<potential-lateral-tool-transfer-via-smb-share>>
-
-<<potential-sharprdp-behavior>>
-
-<<potential-windows-error-manager-masquerading>>
-
-<<process-activity-via-compiled-html-file>>
-
-<<remote-file-download-via-powershell>>
-
-<<remote-file-download-via-script-interpreter>>
-
-<<remote-scheduled-task-creation>>
-
-<<remotely-started-services-via-rpc>>
-
-<<scheduled-task-created-by-a-windows-script>>
-
-<<suspicious-ms-office-child-process>>
-
-<<suspicious-zoom-child-process>>
-
-<<system-shells-via-services>>
-
-<<volume-shadow-copy-deleted-or-resized-via-vssadmin>>
-
-<<wmi-incoming-lateral-movement>>
-
-<<web-shell-detection-script-process-child-of-common-web-processes>>
-
-<<windows-defender-exclusions-added-via-powershell>>
-
-[float]
-=== 7.15.0
-
-<<azure-active-directory-high-risk-sign-in>>
-
-<<ntds-or-sam-database-file-copied>>
-
-<<windows-network-enumeration>>
-
-[float]
-=== 7.14.0
-
-<<accepted-default-telnet-port-connection>>
-
-<<apple-script-execution-followed-by-network-connection>>
-
-<<attempts-to-brute-force-a-microsoft-365-user-account>>
-
-<<attempts-to-brute-force-an-okta-user-account>>
-
-<<cobalt-strike-command-and-control-beacon>>
-
-<<command-prompt-network-connection>>
-
-<<component-object-model-hijacking>>
-
-<<connection-to-external-network-via-telnet>>
-
-<<connection-to-internal-network-via-telnet>>
-
-<<creation-of-hidden-files-and-directories-via-commandline>>
-
-<<default-cobalt-strike-team-server-certificate>>
-
-<<executable-file-creation-with-multiple-extensions>>
-
-<<external-alerts>>
-
-<<external-ip-lookup-from-non-browser-process>>
-
-<<google-workspace-mfa-enforcement-disabled>>
-
-<<google-workspace-password-policy-modified>>
-
-<<halfbaked-command-and-control-beacon>>
-
-<<high-number-of-okta-user-password-reset-or-unlock-attempts>>
-
-<<ipsec-nat-traversal-port-activity>>
-
-<<image-file-execution-options-injection>>
-
-<<inbound-connection-to-an-unsecure-elasticsearch-node>>
-
-<<mfa-disabled-for-google-workspace-organization>>
-
-<<macos-installer-package-spawns-network-event>>
-
-<<mshta-making-network-connections>>
-
-<<network-connection-via-certutil>>
-
-<<network-connection-via-compiled-html-file>>
-
-<<network-connection-via-msxsl>>
-
-<<network-connection-via-registration-utility>>
-
-<<network-connection-via-signed-binary>>
-
-<<persistence-via-folder-action-script>>
-
-<<possible-fin7-dga-command-and-control-behavior>>
-
-<<potential-credential-access-via-windows-utilities>>
-
-<<potential-password-spraying-of-microsoft-365-user-accounts>>
-
-<<rdp-remote-desktop-protocol-from-the-internet>>
-
-<<rpc-remote-procedure-call-from-the-internet>>
-
-<<rpc-remote-procedure-call-to-the-internet>>
-
-<<roshal-archive-rar-or-powershell-file-downloaded-from-the-internet>>
-
-<<smb-windows-file-sharing-activity-to-the-internet>>
-
-<<smtp-on-port-26-tcp>>
-
-<<shell-execution-via-apple-scripting>>
-
-<<suspicious-certutil-commands>>
-
-<<suspicious-dll-loaded-for-persistence-or-privilege-escalation>>
-
-<<suspicious-powershell-engine-imageload>>
-
-<<unusual-network-connection-via-rundll32>>
-
-<<vnc-virtual-network-computing-from-the-internet>>
-
-<<vnc-virtual-network-computing-to-the-internet>>
-
-<<web-application-suspicious-activity-post-request-declined>>
-
-<<web-application-suspicious-activity-unauthorized-method>>
-
-<<web-application-suspicious-activity-sqlmap-user-agent>>
-
-[float]
-=== 7.13.0
-
-<<aws-cloudtrail-log-created>>
-
-<<aws-cloudtrail-log-deleted>>
-
-<<aws-cloudtrail-log-suspended>>
-
-<<aws-cloudtrail-log-updated>>
-
-<<aws-cloudwatch-alarm-deletion>>
-
-<<aws-cloudwatch-log-group-deletion>>
-
-<<aws-cloudwatch-log-stream-deletion>>
-
-<<aws-config-resource-deletion>>
-
-<<aws-configuration-recorder-stopped>>
-
-<<aws-deletion-of-rds-instance-or-cluster>>
-
-<<aws-ec2-encryption-disabled>>
-
-<<aws-ec2-network-access-control-list-creation>>
-
-<<aws-ec2-network-access-control-list-deletion>>
-
-<<aws-guardduty-detector-deletion>>
-
-<<aws-iam-deactivation-of-mfa-device>>
-
-<<aws-iam-group-creation>>
-
-<<aws-iam-group-deletion>>
-
-<<aws-iam-password-recovery-requested>>
-
-<<aws-iam-user-addition-to-group>>
-
-<<aws-management-console-root-login>>
-
-<<aws-rds-cluster-creation>>
-
-<<aws-rds-instance-cluster-stoppage>>
-
-<<aws-s3-bucket-configuration-deletion>>
-
-<<aws-vpc-flow-logs-deletion>>
-
-<<aws-waf-access-control-list-deletion>>
-
-<<access-to-keychain-credentials-directories>>
-
-<<account-discovery-command-via-system-account>>
-
-<<adding-hidden-file-attribute-via-attrib>>
-
-<<adobe-hijack-persistence>>
-
-<<bypass-uac-via-event-viewer>>
-
-<<clearing-windows-event-logs>>
-
-<<command-shell-activity-started-via-rundll32>>
-
-<<conhost-spawned-by-suspicious-parent-process>>
-
-<<connection-to-commonly-abused-web-services>>
-
-<<creation-or-modification-of-domain-backup-dpapi-private-key>>
-
-<<creation-or-modification-of-a-new-gpo-scheduled-task-or-service>>
-
-<<delete-volume-usn-journal-with-fsutil>>
-
-<<deleting-backup-catalogs-with-wbadmin>>
-
-<<disable-windows-firewall-rules-via-netsh>>
-
-<<enumeration-of-users-or-groups-via-built-in-commands>>
-
-<<execution-from-unusual-directory-command-line>>
-
-<<execution-via-mssql-xp-cmdshell-stored-procedure>>
-
-<<external-ip-lookup-from-non-browser-process>>
-
-<<gcp-storage-bucket-configuration-modification>>
-
-<<gcp-storage-bucket-deletion>>
-
-<<gcp-storage-bucket-permissions-modification>>
-
-<<gcp-virtual-private-cloud-route-creation>>
-
-<<hosts-file-modified>>
-
-<<iis-http-logging-disabled>>
-
-<<keychain-password-retrieval-via-command-line>>
-
-<<lsass-memory-dump-creation>>
-
-<<local-scheduled-task-creation>>
-
-<<microsoft-build-engine-started-an-unusual-process>>
-
-<<microsoft-build-engine-started-by-a-script-process>>
-
-<<microsoft-build-engine-started-by-a-system-process>>
-
-<<microsoft-build-engine-started-by-an-office-application>>
-
-<<microsoft-build-engine-using-an-alternate-name>>
-
-<<microsoft-exchange-server-um-writing-suspicious-files>>
-
-<<mimikatz-memssp-log-file-detected>>
-
-<<modification-of-boot-configuration>>
-
-<<modification-of-environment-variable-via-launchctl>>
-
-<<modification-of-standard-authentication-module-or-configuration>>
-
-<<network-connection-via-registration-utility>>
-
-<<persistence-via-login-or-logout-hook>>
-
-<<persistence-via-telemetrycontroller-scheduled-task-hijack>>
-
-<<potential-application-shimming-via-sdbinst>>
-
-<<potential-command-and-control-via-internet-explorer>>
-
-<<potential-credential-access-via-trusted-developer-utility>>
-
-<<potential-evasion-via-filter-manager>>
-
-<<process-activity-via-compiled-html-file>>
-
-<<program-files-directory-masquerading>>
-
-<<remote-file-copy-via-teamviewer>>
-
-<<remote-file-download-via-desktopimgdownldr-utility>>
-
-<<remote-file-download-via-mpcmdrun>>
-
-<<sunburst-command-and-control-activity>>
-
-<<security-software-discovery-via-grep>>
-
-<<service-control-spawned-via-script-interpreter>>
-
-<<setuid-setgid-bit-set-via-chmod>>
-
-<<startup-or-run-key-registry-modification>>
-
-<<suspicious-certutil-commands>>
-
-<<suspicious-explorer-child-process>>
-
-<<suspicious-ms-outlook-child-process>>
-
-<<suspicious-managed-code-hosting-process>>
-
-<<suspicious-pdf-reader-child-process>>
-
-<<suspicious-print-spooler-spl-file-created>>
-
-<<suspicious-printspooler-service-executable-file-creation>>
-
-<<suspicious-script-object-execution>>
-
-<<suspicious-werfault-child-process>>
-
-<<suspicious-macos-ms-office-child-process>>
-
-<<svchost-spawning-cmd>>
-
-<<system-shells-via-services>>
-
-<<timestomping-using-touch-command>>
-
-<<uac-bypass-via-diskcleanup-scheduled-task-hijack>>
-
-<<unusual-child-process-from-a-system-virtual-process>>
-
-<<unusual-child-process-of-dns-exe>>
-
-<<unusual-executable-file-creation-by-a-system-critical-process>>
-
-<<unusual-file-modification-by-dns->>
-
-<<unusual-network-connection-via-rundll32>>
-
-<<unusual-parent-process-for-cmd->>
-
-<<unusual-persistence-via-services-registry>>
-
-<<unusual-process-execution-path-alternate-data-stream>>
-
-<<user-account-creation>>
-
-<<user-added-to-privileged-group>>
-
-<<volume-shadow-copy-deleted-or-resized-via-vssadmin>>
-
-<<volume-shadow-copy-deletion-via-wmic>>
-
-<<webproxy-settings-modification>>
-
-<<whoami-process-activity>>
-
-<<windows-script-executing-powershell>>
-
-[float]
-=== 7.12.1
-
-[float]
-=== 7.12.0
-
-<<access-to-keychain-credentials-directories>>
-
-<<attempt-to-remove-file-quarantine-attribute>>
-
-<<azure-automation-account-created>>
-
-<<azure-automation-runbook-created-or-modified>>
-
-<<azure-automation-runbook-deleted>>
-
-<<azure-automation-webhook-created>>
-
-<<azure-blob-container-access-level-modification>>
-
-<<azure-command-execution-on-virtual-machine>>
-
-<<azure-diagnostic-settings-deletion>>
-
-<<azure-event-hub-authorization-rule-created-or-updated>>
-
-<<azure-event-hub-deletion>>
-
-<<azure-firewall-policy-deletion>>
-
-<<azure-key-vault-modified>>
-
-<<azure-network-watcher-deletion>>
-
-<<azure-resource-group-deletion>>
-
-<<azure-storage-account-key-regenerated>>
-
-<<connection-to-commonly-abused-web-services>>
-
-<<credential-acquisition-via-registry-hive-dumping>>
-
-<<execution-from-unusual-directory-command-line>>
-
-<<execution-with-explicit-credentials-via-scripting>>
-
-<<installation-of-custom-shim-databases>>
-
-<<outbound-scheduled-task-activity-via-powershell>>
-
-<<persistence-via-microsoft-office-addins>>
-
-<<persistence-via-microsoft-outlook-vba>>
-
-<<persistence-via-update-orchestrator-service-hijack>>
-
-<<potential-command-and-control-via-internet-explorer>>
-
-<<potential-remote-desktop-tunneling-detected>>
-
-<<potential-secure-file-deletion-via-sdelete-utility>>
-
-<<prompt-for-credentials-with-osascript>>
-
-<<remote-ssh-login-enabled-via-systemsetup-command>>
-
-<<scheduled-task-created-by-a-windows-script>>
-
-<<service-command-lateral-movement>>
-
-<<setuid-setgid-bit-set-via-chmod>>
-
-<<sudoers-file-modification>>
-
-<<suspicious-cmd-execution-via-wmi>>
-
-<<suspicious-image-load-taskschd-dll-from-ms-office>>
-
-<<suspicious-powershell-engine-imageload>>
-
-<<suspicious-rdp-activex-client-loaded>>
-
-<<suspicious-script-object-execution>>
-
-<<suspicious-wmi-image-load-from-ms-office>>
-
-<<suspicious-wmic-xsl-script-execution>>
-
-<<tampering-of-shell-command-line-history>>
-
-<<timestomping-using-touch-command>>
-
-<<uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer>>
-
-<<uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface>>
-
-<<windows-script-interpreter-executing-process-via-wmi>>
-
-[float]
-=== 7.11.2
-
-<<credential-acquisition-via-registry-hive-dumping>>
-
-<<persistence-via-wmi-event-subscription>>
-
-<<potential-remote-desktop-tunneling-detected>>
-
-[float]
-=== 7.11.0
-
-<<attempt-to-modify-an-okta-network-zone>>
-
-<<attempt-to-modify-an-okta-policy-rule>>
-
-<<azure-automation-account-created>>
-
-<<azure-automation-runbook-created-or-modified>>
-
-<<azure-automation-runbook-deleted>>
-
-<<azure-automation-webhook-created>>
-
-<<azure-blob-container-access-level-modification>>
-
-<<azure-command-execution-on-virtual-machine>>
-
-<<azure-conditional-access-policy-modified>>
-
-<<azure-diagnostic-settings-deletion>>
-
-<<azure-event-hub-authorization-rule-created-or-updated>>
-
-<<azure-event-hub-deletion>>
-
-<<azure-external-guest-user-invitation>>
-
-<<azure-firewall-policy-deletion>>
-
-<<azure-global-administrator-role-addition-to-pim-user>>
-
-<<azure-key-vault-modified>>
-
-<<azure-network-watcher-deletion>>
-
-<<azure-privilege-identity-management-role-modified>>
-
-<<azure-resource-group-deletion>>
-
-<<azure-storage-account-key-regenerated>>
-
-<<clearing-windows-event-logs>>
-
-<<gcp-firewall-rule-creation>>
-
-<<gcp-firewall-rule-deletion>>
-
-<<gcp-firewall-rule-modification>>
-
-<<gcp-iam-custom-role-creation>>
-
-<<gcp-iam-role-deletion>>
-
-<<gcp-iam-service-account-key-deletion>>
-
-<<gcp-logging-bucket-deletion>>
-
-<<gcp-logging-sink-deletion>>
-
-<<gcp-logging-sink-modification>>
-
-<<gcp-pub-sub-subscription-creation>>
-
-<<gcp-pub-sub-subscription-deletion>>
-
-<<gcp-pub-sub-topic-creation>>
-
-<<gcp-pub-sub-topic-deletion>>
-
-<<gcp-service-account-creation>>
-
-<<gcp-service-account-deletion>>
-
-<<gcp-service-account-disabled>>
-
-<<gcp-service-account-key-creation>>
-
-<<gcp-storage-bucket-configuration-modification>>
-
-<<gcp-storage-bucket-deletion>>
-
-<<gcp-storage-bucket-permissions-modification>>
-
-<<gcp-virtual-private-cloud-network-deletion>>
-
-<<gcp-virtual-private-cloud-route-creation>>
-
-<<gcp-virtual-private-cloud-route-deletion>>
-
-<<iis-http-logging-disabled>>
-
-<<microsoft-build-engine-using-an-alternate-name>>
-
-<<microsoft-iis-connection-strings-decryption>>
-
-<<microsoft-iis-service-account-password-dumped>>
-
-<<multi-factor-authentication-disabled-for-an-azure-user>>
-
-<<persistence-via-telemetrycontroller-scheduled-task-hijack>>
-
-<<possible-consent-grant-attack-via-azure-registered-application>>
-
-<<potential-credential-access-via-trusted-developer-utility>>
-
-<<potential-modification-of-accessibility-binaries>>
-
-<<potential-secure-file-deletion-via-sdelete-utility>>
-
-<<potential-windows-error-manager-masquerading>>
-
-<<rdp-remote-desktop-protocol-from-the-internet>>
-
-<<rpc-remote-procedure-call-from-the-internet>>
-
-<<rpc-remote-procedure-call-to-the-internet>>
-
-<<remote-file-download-via-desktopimgdownldr-utility>>
-
-<<remote-file-download-via-mpcmdrun>>
-
-<<renamed-autoit-scripts-interpreter>>
-
-<<smb-windows-file-sharing-activity-to-the-internet>>
-
-<<suspicious-net-code-compilation>>
-
-<<suspicious-endpoint-security-parent-process>>
-
-<<suspicious-ms-office-child-process>>
-
-<<suspicious-process-execution-via-renamed-psexec-executable>>
-
-<<suspicious-zoom-child-process>>
-
-<<uac-bypass-via-diskcleanup-scheduled-task-hijack>>
-
-<<unusual-child-processes-of-rundll32>>
-
-<<unusual-file-modification-by-dns-exe>>
-
-<<unusual-network-connection-via-rundll32>>
-
-<<unusual-parent-child-relationship>>
-
-<<user-added-as-owner-for-azure-application>>
-
-<<user-added-as-owner-for-azure-service-principal>>
-
-<<vnc-virtual-network-computing-from-the-internet>>
-
-<<vnc-virtual-network-computing-to-the-internet>>
-
-[float]
-=== 7.10.0
-
-<<aws-ec2-snapshot-activity>>
-
-<<aws-execution-via-system-manager>>
-
-<<aws-iam-assume-role-policy-update>>
-
-<<aws-iam-brute-force-of-assume-role-policy>>
-
-<<aws-management-console-root-login>>
-
-<<aws-root-login-without-mfa>>
-
-<<aws-waf-rule-or-rule-group-deletion>>
-
-<<account-discovery-command-via-system-account>>
-
-<<administrator-privileges-assigned-to-an-okta-group>>
-
-<<attempt-to-create-okta-api-token>>
-
-<<attempt-to-deactivate-an-okta-policy>>
-
-<<attempt-to-deactivate-an-okta-policy-rule>>
-
-<<attempt-to-delete-an-okta-policy>>
-
-<<attempt-to-modify-an-okta-network-zone>>
-
-<<attempt-to-modify-an-okta-policy>>
-
-<<attempt-to-modify-an-okta-policy-rule>>
-
-<<attempt-to-reset-mfa-factors-for-an-okta-user-account>>
-
-<<attempt-to-revoke-okta-api-token>>
-
-<<attempted-bypass-of-okta-mfa>>
-
-<<command-prompt-network-connection>>
-
-<<connection-to-external-network-via-telnet>>
-
-<<connection-to-internal-network-via-telnet>>
-
-<<direct-outbound-smb-connection>>
-
-<<file-transfer-or-listener-established-via-netcat>>
-
-<<microsoft-build-engine-using-an-alternate-name>>
-
-<<modification-or-removal-of-an-okta-application-sign-on-policy>>
-
-<<msbuild-making-network-connections>>
-
-<<network-connection-via-certutil>>
-
-<<network-connection-via-compiled-html-file>>
-
-<<network-connection-via-msxsl>>
-
-<<network-connection-via-registration-utility>>
-
-<<network-connection-via-signed-binary>>
-
-<<okta-brute-force-or-password-spraying-attack>>
-
-<<possible-okta-dos-attack>>
-
-<<potential-application-shimming-via-sdbinst>>
-
-<<potential-evasion-via-filter-manager>>
-
-<<potential-modification-of-accessibility-binaries>>
-
-<<process-activity-via-compiled-html-file>>
-
-<<psexec-network-connection>>
-
-<<suspicious-activity-reported-by-okta-user>>
-
-<<unusual-network-connection-via-rundll32>>
-
-<<unusual-parent-child-relationship>>
-
-<<unusual-process-network-connection>>
-
-<<whoami-process-activity>>
-
-[float]
-=== 7.9.0
-
-<<accepted-default-telnet-port-connection>>
-
-<<account-discovery-command-via-system-account>>
-
-<<adding-hidden-file-attribute-via-attrib>>
-
-<<adobe-hijack-persistence>>
-
-<<attempt-to-disable-syslog-service>>
-
-<<base16-or-base32-encoding-decoding-activity>>
-
-<<bypass-uac-via-event-viewer>>
-
-<<clearing-windows-event-logs>>
-
-<<command-prompt-network-connection>>
-
-<<connection-to-external-network-via-telnet>>
-
-<<connection-to-internal-network-via-telnet>>
-
-<<delete-volume-usn-journal-with-fsutil>>
-
-<<deleting-backup-catalogs-with-wbadmin>>
-
-<<direct-outbound-smb-connection>>
-
-<<disable-windows-firewall-rules-via-netsh>>
-
-<<enumeration-of-kernel-modules>>
-
-<<file-deletion-via-shred>>
-
-<<file-permission-modification-in-writable-directory>>
-
-<<file-transfer-or-listener-established-via-netcat>>
-
-<<hping-process-activity>>
-
-<<ipsec-nat-traversal-port-activity>>
-
-<<interactive-terminal-spawned-via-perl>>
-
-<<interactive-terminal-spawned-via-python>>
-
-<<kernel-module-removal>>
-
-<<local-scheduled-task-creation>>
-
-<<microsoft-build-engine-started-an-unusual-process>>
-
-<<microsoft-build-engine-started-by-a-script-process>>
-
-<<microsoft-build-engine-started-by-a-system-process>>
-
-<<microsoft-build-engine-started-by-an-office-application>>
-
-<<microsoft-build-engine-using-an-alternate-name>>
-
-<<modification-of-boot-configuration>>
-
-<<msbuild-making-network-connections>>
-
-<<network-connection-via-certutil>>
-
-<<network-connection-via-compiled-html-file>>
-
-<<network-connection-via-msxsl>>
-
-<<network-connection-via-registration-utility>>
-
-<<network-connection-via-signed-binary>>
-
-<<nping-process-activity>>
-
-<<potential-credential-access-via-trusted-developer-utility>>
-
-<<potential-disabling-of-selinux>>
-
-<<psexec-network-connection>>
-
-<<rdp-remote-desktop-protocol-from-the-internet>>
-
-<<rpc-remote-procedure-call-from-the-internet>>
-
-<<rpc-remote-procedure-call-to-the-internet>>
-
-<<smb-windows-file-sharing-activity-to-the-internet>>
-
-<<smtp-on-port-26-tcp>>
-
-<<service-control-spawned-via-script-interpreter>>
-
-<<setuid-setgid-bit-set-via-chmod>>
-
-<<sudoers-file-modification>>
-
-<<suspicious-certutil-commands>>
-
-<<suspicious-ms-office-child-process>>
-
-<<suspicious-ms-outlook-child-process>>
-
-<<suspicious-pdf-reader-child-process>>
-
-<<svchost-spawning-cmd>>
-
-<<system-shells-via-services>>
-
-<<unusual-network-connection-via-rundll32>>
-
-<<unusual-parent-child-relationship>>
-
-<<unusual-process-network-connection>>
-
-<<user-account-creation>>
-
-<<vnc-virtual-network-computing-from-the-internet>>
-
-<<vnc-virtual-network-computing-to-the-internet>>
-
-<<virtual-machine-fingerprinting>>
-
-<<volume-shadow-copy-deleted-or-resized-via-vssadmin>>
-
-<<volume-shadow-copy-deletion-via-wmic>>
-
-<<windows-script-executing-powershell>>
-
-[float]
-=== 7.8.0
-
-<<unusual-network-connection-via-rundll32>>
-
-[float]
-=== 7.7.0
-
-
-These prebuilt rules have been removed:
-
-* Execution via Signed Binary
-* Suspicious Process spawning from Script Interpreter
-* Suspicious Script Object Execution
-
-These prebuilt rules have been updated:
-
-<<adding-hidden-file-attribute-via-attrib>>
-
-<<adversary-behavior-detected-elastic-endgame>>
-
-<<clearing-windows-event-logs>>
-
-<<command-prompt-network-connection>>
-
-<<credential-dumping-detected-elastic-endgame>>
-
-<<credential-dumping-prevented-elastic-endgame>>
-
-<<credential-manipulation-detected-elastic-endgame>>
-
-<<credential-manipulation-prevented-elastic-endgame>>
-
-<<delete-volume-usn-journal-with-fsutil>>
-
-<<deleting-backup-catalogs-with-wbadmin>>
-
-<<direct-outbound-smb-connection>>
-
-<<disable-windows-firewall-rules-via-netsh>>
-
-<<exploit-detected-elastic-endgame>>
-
-<<exploit-prevented-elastic-endgame>>
-
-<<file-transfer-or-listener-established-via-netcat>>
-
-<<hping-process-activity>>
-
-<<local-scheduled-task-creation>>
-
-<<malware-detected-elastic-endgame>>
-
-<<malware-prevented-elastic-endgame>>
-
-<<msbuild-making-network-connections>>
-
-<<network-connection-via-compiled-html-file>>
-
-<<network-connection-via-registration-utility>>
-
-<<network-connection-via-signed-binary>>
-
-<<nping-process-activity>>
-
-<<permission-theft-detected-elastic-endgame>>
-
-<<permission-theft-prevented-elastic-endgame>>
-
-<<potential-modification-of-accessibility-binaries>>
-
-<<process-injection-detected-elastic-endgame>>
-
-<<process-injection-prevented-elastic-endgame>>
-
-<<psexec-network-connection>>
-
-<<rdp-remote-desktop-protocol-from-the-internet>>
-
-<<rpc-remote-procedure-call-from-the-internet>>
-
-<<rpc-remote-procedure-call-to-the-internet>>
-
-<<ransomware-detected-elastic-endgame>>
-
-<<ransomware-prevented-elastic-endgame>>
-
-<<smb-windows-file-sharing-activity-to-the-internet>>
-
-<<service-control-spawned-via-script-interpreter>>
-
-<<suspicious-certutil-commands>>
-
-<<suspicious-ms-office-child-process>>
-
-<<suspicious-ms-outlook-child-process>>
-
-<<system-shells-via-services>>
-
-<<unusual-network-connection-via-rundll32>>
-
-<<unusual-parent-child-relationship>>
-
-<<unusual-process-network-connection>>
-
-<<user-account-creation>>
-
-<<vnc-virtual-network-computing-from-the-internet>>
-
-<<vnc-virtual-network-computing-to-the-internet>>
-
-<<volume-shadow-copy-deleted-or-resized-via-vssadmin>>
-
-<<volume-shadow-copy-deletion-via-wmic>>
-
-<<windows-script-executing-powershell>>
-
-[float]
-=== 7.6.2
-
-<<adobe-hijack-persistence>>
-
-[float]
-=== 7.6.1
-
-<<accepted-default-telnet-port-connection>>
-
-<<ipsec-nat-traversal-port-activity>>
-
-<<rdp-remote-desktop-protocol-from-the-internet>>
-
-<<rpc-remote-procedure-call-from-the-internet>>
-
-<<rpc-remote-procedure-call-to-the-internet>>
-
-<<smb-windows-file-sharing-activity-to-the-internet>>
-
-<<smtp-on-port-26-tcp>>
-
-<<vnc-virtual-network-computing-from-the-internet>>
-
-<<vnc-virtual-network-computing-to-the-internet>>
-