From 9aab3c812e25ceea8e1aa966ce22dc305df16d1f Mon Sep 17 00:00:00 2001 From: wagga40 <6437862+wagga40@users.noreply.github.com> Date: Mon, 11 Nov 2024 20:48:52 +0100 Subject: [PATCH] Calculate memory and automatically choose used cores Update rules Refactor a lot of code --- docs/Zircolite_manual.pdf | Bin 690193 -> 690186 bytes rules/rules_linux.json | 14 +- rules/rules_windows_generic.json | 93 +- rules/rules_windows_generic_full.json | 229 +++-- rules/rules_windows_generic_high.json | 93 +- rules/rules_windows_generic_medium.json | 229 +++-- rules/rules_windows_generic_pysigma.json | 229 +++-- rules/rules_windows_sysmon.json | 93 +- rules/rules_windows_sysmon_full.json | 229 +++-- rules/rules_windows_sysmon_high.json | 93 +- rules/rules_windows_sysmon_medium.json | 229 +++-- rules/rules_windows_sysmon_pysigma.json | 229 +++-- zircolite.py | 1171 +++++++++++----------- zircolite_dev.py | 1040 +++++++++---------- 14 files changed, 2310 insertions(+), 1661 deletions(-) 
diff --git a/docs/Zircolite_manual.pdf b/docs/Zircolite_manual.pdf index e469aaeae9605ed7dd6974c50bb64c77a3f18bb6..49f89be8c898ef4566ae2be7cb9ab5f2d433b561 100644 GIT binary patch delta 9904 zcmajEMNk}E7p)zFHtrrAg1fuBLvVL@w6Z@Bbxx}A4#v|m+@>}O>C}CyRIx{jYvPi|B;tkLBemMbHeAh8J>0h> zHtJXIrs}G^@kWM#f!=H}upwsc;!+-MtmF*Y$sV&4%J!tARv`f^VGI!QsmX6+drB)# zmK?m^>n(8?r8aINEJoctZ)O)dP8X5Y+pv z>?43}3>ASb4uIK(uQ6MkrKvL%82h3WP^+oKW2rzo%~F{(CnePiT5($tPX)Z`4F)1E zk(PGC=dOrrvhB3)hpE<(PCNUocKW=3X>-xWH(11K>g0>Hv&D!T;fyX6(Eni5<0d!*a`2hTz;PfSl0Z zR%4}@jr%c5e0+YLK$ghnVc@NAK0gwkVD;kk>?D_mbjqrG=GIj#Zlu151uG1{qN^4O zcvvTMI5Jmo%ny#OJo2K8dTU~ObZ87^dMuFJ9r-nre6V?Zem=wD4m8zi;ST%ZQ?RrP z3udpadPp=CCeIMk=%N#q@rH$7_ zd1A^(G^te;-WA?Z69~58fMYuOn(=uO=^9~N(s`H(o7(`FyONI)jh78+omxH8Yxr~8 za6X(=7QIxKQ3R{HQOb}Kt}e@Wsa7kbYCo!K1}zdEO%g@e#k=!t;R4A;r3iJ5^VF#Z z1@2WDF+NcPTu}#IrJ+cAExu+QK0xcT2)2`}l1FLbWPjwe6!5}A>7sBJ4~e2YT=HUD z@gk*=9f<FzU{&3en%_mi=e9 z9FZVy8q?4Bws8-IlZC;oM~8})6_!ZV@_q_Sbk*|qLe&h7U6qB_zDgc8ni|LoNgzzF zKlI4Jq+xcLh=P}M7}lNppshJekLz74ZkOu#!*@D$Y0%^+s@PtW$R-S9FeMw6-XGi%rI97^gZkfYxw?|QsI`<^iHkg^z-E=3I*J>KWo}3VLHMt>!y$? 
zyHwU3v%&0L$NNz?Lf^ZLKGXUaiX&d$Q}OOVQ#TmPhW8eC3g@){}om~FS($F>r8bW6P!5g36#&;%8iI^$afoTVI;Tg1ub3t@aim^S~ zEJT|xJSp_*dtZ#D!%7)ZXW{XS2z(TBm(Qqc*+%WDt1)S++p1mU^2TE#y=Q4XQ`iiy zu;rydUwb1tn-;COxKF?%qlhRaRD+{OS;U665G{}m-QYmel^$lb9A=7+e&yuY9}4hS z6j~U&P(lO>kQO#A@^7bwg$XA_D9Y22R1uQI{`opIxdYXgiMU{z~!_bKyobrF2a zhOq`SP90&+hHatuZ_K>xsrO}r^<3As7XrQl?pEUur>^SfbgyBp4TNa^)@--{1;tkZ3K~yPRN5E@oxVRA#_X z-ZxN@(sU}KU*;|c@*@2%L{KiuWs;iIm8p_KQl`G-DMZxiLZ~eau^OitHVGeoA)z~y z_83*3#ajmD?@-a5;p(WffVyl(>1Egf%wK6Co?t+yLs6Pz8mFzQJc`y|kP>Yij&vG1 zCh13R=}L?D$ccErJN_*s)HZp$6ud`{lJd`*fwY0eT}W)0NCdo<7UBod;OQ(Q=O7#) z)}UE0C0SYlM*HhxS#1dvvgH5L5)Ut#sI#}1u za68>}!u{B__#KT_YpKiL3%Hqyp4Cjk22XW8d+GBrQji-xV^r6Va4QAJcgo~U41eUlr2dhTqq0%r(uk$N z$NQzN>fr#{=>#y)c!qv&1-kY28H=zM1(Uh;!qjRo#0oT4{H)WSUf=EWtW5mJLbU52 z3xWS-G2r$u<3^v0j!q0S+DSn_*qb1hHjfN%SbI@ziR;1LmuZ8Fwaxa)%uEp!(>~1wB=yK-uTnu~PROpe7J@?z6GpU9Yt_!DU~ zuTvZb-nV=6b$-tsS@3VX1Kzf`y_BJ4smn^`KY4Hse`+gtHrCry_Aa*|z0qJVpLiXE z=f05$uJ$+ys18#W=zz(cQ^+w-BZC2o5qA0W2)r?gfCDg)8&*yef zf>1eVss6D){{=AO#p6~?ipa#xo6&Sd(jG0$N}(Pi$FE*et>loBAUH~$El%N(@h1qX z&Eh-+l@!XXgRU&+Nf^otb$A-p_ZDhWW793evYlbiylIEA(9#gHm}6m=HS4kJ9PgL1 zyKjG196KHoi(qYSZ6DMh?yx$OPZ9s4DcA!L1peow&^Vzk*7?$J>C#L!%hHynMBf6E z#uhPF=}IrRH{4Ud#C%ZP&Y66E=1~%G-DEzbdTGq||5FH2HXy&*^a7!ol_@(QNqgOu zdR%?ZqT4*le6WL;4*Gf49<%@A>^}>ylQy~X$Y2C>1J7u{qW7s9k}+U0Qlt4lmVukr zK7uXPE1DSq$)L<@1$#=)C;Z0gY4=yjr|emc7ye^wscRv9;-YLE z^8~A=8G@1A6hUlSaIu=Wmb?Sb4{EW{fPyesJ;7CX>q5&8?I6X=sP@ireFA?UORhwZ zX&lD?SF85oUVua+kmvs|{SgymcYLLcuq|^OcX*Nau$Lw$YR^+C$%W0?q3h+vNKg6% z`d#TZN4~c(C>~^dv?jr)jH_3Xp@f@u`X=66UDm9WAc4n`J{1mmBmpMHbME1xiV|O9 zFHJ@ckEhOa$QjN;KBr(=2y>^s5aE;?5~~Cbm)NNnK?PVDP42(|^$$`eipX&kY3UVp zRIY*nh|{1YK|F*^AtwvnFZTV~9=Q0t1TY{R9dF(xu_HP@3ig;%F6LLl07R6L0Zq?o zd`E^zd*wi3HtPCvl{ltjR@&lm6({0yX;JGe!uJ(YDif<~Jg0&fSgOIq>VRo<$R8jr z0#C#!+E_x91>-1w1Zg&j!d}$pST@F?CWd~WI1xKU9Q=I4d8OF?n&_X(UPzslJdX&O zvPuKF!yNPk-q||vdi;&eHq)L>%#Q(xT&33RDf)$AqKN3={X>Z|!7C(MeDdAeXt-^q z^KI=i{3~idOjeY6m4VNDVr8so*(g9}ScJ~vTJ!cU3C4k!k0xs09*D7QN2YE^q-^Yl 
zkYAS+b6)<~is~bYs&UKcsxltBr5B3q3%Za_WQ+$A8+;HA$`LZB zk~*WuBG|^Yq!Lm6Qn8J1o0(uhkpKPHcZMB=5sFSJY*J>V$etKdOM~x9Keqrg7!9O3 z=6HRk@q*AXE~tvEBPC;E>BALfXdd3pGOr>q3yr+Pn8!%4QYqv}VcM4V666#0tyMH-!<4^1y{W>jefHQK8ir)9-e!qV5SKEP+gaJAfFBB$Xu4cif{Y zMP_S)R>=Xc?4f&^aJY|*F&Xf$ycPZ5sXLL7qEff(l)UV>jb#)Z>KK7eLdZ4J)E*Xp|GDZX$-mcf22bJ)qt|kdBca1lUO1Q(DK~dJ z<%jW{C!vy^o;dFxmgQ7Cp2|~Rc4A6CZvI}PFUgHm$D)|6YOm0@-^8Nq!lD#hITvb= z9?H&DN!sFnkvEaA8Kg8#?Mx2xxW?YyB7f-!?G_92I%pE<6yD4SzTJfe-VH>S6eM$W zU46?$|7e(HodU=r=d|{m&foJEZluDgnO@Pgau+ZxWxty!p6ghxcaEi3tg){kg6MO7 zN=-MT(3hZahe~b-7ZYv5t|WYcW+OJ-u1zVnTD_uL$*D|hP3ru|FVu%J2XThG9adhx zc~xqzPO2@+W-lwi(c=JNN?W$RraP%>q{Xu6#coNwF%;MDdF~tqWOK3U(noRMLm)rS3ChJDs45<>G zRCE+l`pM?;IS-wX*it3i=}}q{5{d0}Q6D@p-ER-VvSx7lgya=a@W`KOl+<+QZSrZV zTvm?+mA+MN+Wtsu`w8unRUV@|MwfI~&Rn&T zwH^Wh>m2NA&FBS3R&J&FXWV)io!q(ptz-Lul;O7kBBKl#aSDPh=md{i|4om0^}q15l`vq}Um)yg6A*aFmwylAJVpR`-YjW&k5 z(x%#}fa&fkWlmL-(#El2%SY0 z7+lv)4x*{plr9=;6eE+(Q;NznG|95`bh&>$Q!xyfI`9>Xe2y}_CW{1B@nk0 z-$$2~IM|?{KEB8~SF0h4L7T|xn@p^K6K`T`Q!!KXEfK0+VU4S6*%RTs0@FN#2k%7Y ze`CrNS^hi_qfJe#u>IJ|1fBiC_dt3B83f^QBOSXiJcLkd-bR}wsZHyWKD_=Y z)CIrrUl(3iIi!VlU+O(f5kAScwZ0HSfC8UeYwgM_?aTL?$$kggEf;3|+9y3b!%pi) z3`}ir@lW@q0N!&?ptlz|A0q2$kNYX+zn|-v{<#Jf`C_%({z0kFx~u{ zNaSs(dspU7D4`xd$vPl<%tf2ca@9t2vv`aS?eF!?6Ny?wR%AQ%r(QI}daI_UV4<-k zGSNDAw=%;vG$o!0{`$m2?|6bw(PC9@KKZ|ERQEn<)D~Z(vt?JCi zASVssnV38q)0^-p^5_K=5@V^^>-lqKKc01+rroCu+#cj+w@cN zXB+s8v1+o8dS~G>`%)GGT@wN)yD6Q{-!cUeD*W+x)xM}@-CYggFf&NPNujR(jkekv zR34yn3Ogm-JO3tZ8IoLf3<>W(Vnj~_kKdHfhe;nMd=q}h;?IM&Xe9qH6gUW!0bCuA zEUKTq9BQ*u`zGtp0$;`6M3#90W|2~K`a z;K%h#Uii@R;nao)4U3_vZ~p-cg2E3mH zbWY>*w6l z-9j6EDx%9a;8;(;H@9$npZB9u5n;Q$yf^QjIEBQgo`HV@F>>0?CHzzVShqK)GI_o{ zqe40K9eHd+uP>fMf_+K0T9m+b;7L|ENEwawFg?e1-2s@8nE-qS@ma!0AilLcMC3u*^LDIP#CcsuIzxy&>&n~n` zpWKZA53xuwt02jm=!DM_6yb)Lxv=NF&))S8XiEhKs5f>9eqBR9p|hC}VfK1pAfD6| zkwB7RBGEfkL(HHUv^f+q%*fBAT!rr}tq5RY z4`VipW*8m(VuHmzP{EMDeI%(Jkz8|nFJ&-JDlZAjB^NTMAlI3;JG>#u$j{->wnOx$ z*%t!hc?(o|O!zqxE~6$}WwJEd(a&2mT;IBgs|%Ta$ynKR$VTPz>Ru3IDKG??_@w=! 
zji>S^plN0l3Plkj5Cr+e#L+1fSznl$Z*10iWidu+Gsl4;Hp{e-53~>3%Ob-fRee=^ z8){)iO#oda(0I6JYWS>LhTE`qvZ1=V`d1(%JO+Ew`>N1#(Ig#Eo1tJc;EnEw$R_^g z*9;ytDa_PP+p~1^B7$2{sPCFOyev5_VDYMx`+O2HDNAYY1JmD#f1LjOr@e2S%yKu+ zKw$l^@||L1OUJ5PU#<_4|Lc!u&&R;4orQvvEq^-5wO#kq-DY>}hYVzmr1~xqjaMKt zgx56HKtlP-pZ)dw!`2zYm>KYFn(}+AY;}JFYKM`+i@B@7=A1iZ^O!^5zT$urrU5Ic z44+A2t$0F2TywF%bodT~>BH~ zW0;c^Ez8&cNpvl{S-($LxZu&Ntp!Sdu=$m?c+D;-Yy>S1MM;jT0tB7XX&H-PB-3gk z{$81$D{MVr!3xJEsn?_gjk13sz(BM6tp#d9i(KmlJG+p{u;wC$++g}-oytFmD^guvVhR-k|V85ua>2OZ$` z1F*!5FH(h**cV&=X$Eleg?)$i`}WxUW=?S}`XbF#bQlbvk{#6af3!mE?RP({b;AKC z&SLiakSN%UYU-U=iY(&#C|SpbLtF3Y{tB0x$<8_uV0`&2Pa6iCj%G#KV4#_c+w-T< zMhRYIUW80a17%Uat7I^K90$(LP5h-fbjef97_n$dp^M$2_%ImP_bnXi;;B#xZ+swX zxas+55kdbA&*N~0I=+9?;z^`usDTjpg5g-hbJ?_ztfQ^pwE77vWX{;V(GS&7pKFxWBp zX3amxZ;N-zHDO~Vy-v?jSsHW>9glH2fi13d_@J=88A7wKO-aw@J)n^er*Z|Qr~vC! zae{B~78r@&!ldor*4Jlj5HT#JuS-7*QCmvRm+QI*_@LBjsdL--32xcX7S_Xc;EQ(t z{1h^y38CnH_zQexUS^vqn04>!Pp0@_?ss{#tA8H$b_jt&LvD_57cM(f?kHSm_!sY{ zRwllkEnHn;Z5W^dMSFX??t>0??4J6%gRdX07EE*Vfjw6tk#X18N5`fO56=%ZPqK*2 z6;sC8z*eL<;r@}tmt*nyAlXmHVvo{uz1L-|k5rg?=*J}ojN9rO z6!}2WV`7OQKfmWou=qYbI`U1u{Rg_oe}lZ>wU_=0i5cWK3LA{7AeYP(b_o%&V@`~# z_!pZ+OyKX}ZM^LBA3k4zX9Ue#Pq4X#tJG7ZI>G8``bgI#>H+?<%`&6c)7$ndo$E7A zhiD;^@}j>_$s7fJuLtV*uf2uft-|vn?tu6(AzhH0wA>gebAF*TC8aV!j&?g{x+9*R z=Ggg<^TJ{xNn7x}c4dcHWk4S}vwK+3-SbGZG7!J;*TmZ8$em<7Ny$hknvn}n9q|XJ z21a#@qI&;1g?f<7Fu}%fY}SC%LKvU!2{v;WoUYL|q?rDsM2=NqV!_<(`R_eWX<)0^ zR+xDMh}wXc2>CPOaX1C5_Bd06W&s6j?ux|#^9@Ds<}Q9HyZWkQO$SL0h(XV2`M9Wf z0w{6`V9uUE)O1WSk4x(*5Dt$s!AytLZ@nJFwt^hNB<_?pD#B2wb zLtoV>Ut3;05+A#sFB8$+I%emnNit~|u%u^^+ZH27s`1+h*s5JBjLYp=-0d2}<7&5i zg~QAS8`|^ehFDKn5}_YIglcy1iNF~&(J-*ayu7W?!{RthdOtB@P%^06$znIY>6hYY z&>$V3BGbZJO{lWHl010gews1wtj| zr>j(qOK(T#yNmnyO8A_nR0#I^ey5WOl?savA(yZQSA%h`rtGt3w8k87ltdWZ!3&%p zHms4;d!V7sv^nlyc^dHSsuQNJ@(xxFCC?H}b>o1|&%E&qs9yT%O}qsXGa-%2BT(_c z&ttgh>35-jX;N+X+*UsXTWFk=;l@9`s+`o*-7ypl;xV@Z@24kJe=^uxQ=Y`X=#rv_ zToLeZQQyJH$qVNf_e9{=3~T3ePgA8-f6`;=35g9H$YeqlDB?N=Re#T)_gyiIoTtWo 
z`|%2d9Rz09k74nI{3XqyOi{3aOB&V^B#m#thB^Fw!+HT&2M)&Uc?z1*?$k19Z2RB^ z(x?xP3ChtjVd36MfFBrnk7q879at~7`lj8T`ADJLsZ|{~L_1aqCB5~%DqPFkNG(8z zw^BlZT|(9Y;TCr%tg|6`(YRYgwIMr~0c&8udySnilZXXRBzC#(#0gJCz2bjkDU&Ea zSoOubbyK56XAg#TSHt*Y&S*d5YELmE3EmyOAJI1*AN(!gr{$ev^E%M{cg9 z(4oKpGAK;MVJd_O*iSk4c>3{~1h|8VX4L+%=;k4$rOiEZ`P7vwYk~Hj&q#oM7!{-X z*XtgNI_zETRZP)M+f5H&2(!_aQA~xUa2pKMp*Qby9w%P6g?$TBTi98g*j&(RS38*> zjAE5Cxag*qulB}?|8}5n6{}XImJI0a@y-Z{`Q4-?pFB>-Q_x6Ye@Agr!FdqJAl%vm zKk2(PtMswhal5A=#m8OQT#(M}x(g|xHDK9NXu3a3knF&Uq^>`(1La^>+9XNE^Ml?m z=9{?LbrJL2B%C&Vg90J99{UVV%()U^sd~2=XTel^TT)m7ZQs ILmu`20P_C{5&!@I delta 9906 zcmai!Ra6`bldTiHfe_q-ySrQC?(Xgu+#6{iNC-6U?!kgLcCg^??(Xg|XXbyov*zJG z)Y@y6ywq2wV_(epJ-96l_%$$&YmW>kE zqI=lT!!KU2TRrrOM0ui6)F&%cb&cwtKQ(?^3sqA1jo10s#2ENB>@xq#Zz>TSD$i<5n!PsT7 zGk-4uuKtR082{G)8CnA*zwQ)U{Y8(!48%-eL~o!g;YY&i{~az^i%T8O6o4-2&i)I{bRQDJpffp3s2xMkfD`D*g@ zdxRXu-qLirvlb4kx2pd>B)aO3NBj^%CVxiucH zKKsk`@B+&_e+ZX4Sr5QYZLJ2-f_VNH#iTX+V=?UTiyLhBB?j78RDHCzo-lT>u^BjVYH~UT_I*4zt-b(>PfCv8iaYL$@en~3 znX)AX6(b?o?<4M0QdiGahwr#HtlO!n3y#hH0fGK56H*|`#8RynBjLcH-RbCI((kuB z^S%j?=B0Npf>+-aVgvSE8S%c0ow3yXuBb?>Ig;00JEsMm&YH|bpGU)s-r@IU&yDxf zOd!>iIYxEjzdVz>Jfx0Z3izLFb7CjNM{ln5BsOiTX*!QyaV%G3}2v&L2+t^41OaOve%p`b1JXk06QXv1fn7sK!aNZ~+PjO5P zmzH^OiwaPIvy-RK4yz@Iu9a98OHhVdgyj?Lt&}}Mc1#5H;6YXvC8fMINx5RU!; zRqIJ%+&d4d*%>xiEy}h+drYmudSb0aT_erOIw%z%M_FkYrHpta{w*X-RK`4Y=UXea zR9EB+@7AAOob{$BJ%AC-o`*$75xMw2LwuicHBb+qFNw0!Yv84q6R%YG2FQd(dgMR%#9IeY041+Er!Kz-a}gNj|3$yc{|HKaLi5rCZe@<{ z=D54Lf5SW3gD&MJUR|8)I`!}`oo7N(N_UDY#ji=cUaXU>1V0xwg`qLKZZ&b`u-kY*klj|hQapl+gB$VB2M!)9x zYsisD9`YUJ2omtl9U3bT>5O#gU3S-rbly0HWHy^)>F}gBy&2>fcocuJ4(ZHdj?Pkx4eH;+P{Fi}Ydfgz7rUmQ0>91R*1ri$f) zAJxm$6?c6+?fGW<6IL|t)C_u_>H4N(`|He=A?O3f?ZRsQzZWA2;{9JgmTVHUtcotP z@rLcYs*anu3S#`Rd5kRXq_7s=HF*3 zvlFPQsJ|?fAGLU)9TZ<-j&OG)!>BY#F484u@nH$9VmR{ ztTI>La|g8=y-exU)nr<@J^WezrE|Yf?H^ORXbAE6qZ|8cq^#Pp(&s#y<6g==Hqlog z0Cy;WGXOVnQ8RbmhTg0u^4eqy1P#nP{SM0GY9weN9E!=2c2l9;JCc3E9F7_xm&h8# 
zYz|$O1@7j{(1|%5hVWI5kySAd*^pJ-Q&jL&I4WfiM}{>{M(_<<{^m!bWbGLg62m93 zXUE?=g>(=4{ZHmF9iPA|RV~<(s;9g5MjEX`3N2nsr)+fC7GX#hoM4s8By9}(R}Yw_ zjsF$Ve}#%NAyzXcR`Pbx-16#%;x+cTkF~TJO?1T0^U)V0C_;qqH6l3S5{1GuR@nV< zZ};E09o$OQNbhB}p(PGde)_kR4b&>(9DLcl9674$ov7QtLZNsiJ}2oSnTd<6<)n(ZFS zPiCP{Q4ZLBd4x|G-&{NrqJFuyBaX=MYp(MlIv|~CZ@+(IGaN`4jXPTbS7kn4HBUCK zG26esBkDR^%l_vD1DpPjr6-Ol_p+gbFMN?nfk=BBEb2JrRGM&VV%TWJ8a4(LYP4=M z5*s;|HvOL!qHdRVvhV!9rFd$!IcsiZUYw;!H(nT?9L?r-P&XDz9E9?zIoZgNzpq$u z!kM+&MWpV_G6eVqyjFBN=kR8(-+lKm_%#Mnv2hUl4rgRZj1%d z{{-^Wg{afn$fI-4soKYfsLQ^hmYK_wiaF5XDe8gKaAa36#I{-BB7eg%*V1?(B9ebk zO>@&HpQV;yA#jsZjUsMUOjI0{LMc{E1k+n^i2s1lDiW&2q8IGCPVyySh{I#?*=ErV z2-{{2B9WgEKjf*Yz;bLy4igPw&2h81vX$il;cswwlRU;(^>1Px{n77F-)8e(9b4`W zSk8#wI)3Mq?i;A76G#eH4LC0I+b$7N2~a(v65?t zAwzGT26s8R7ZvZt_HvJ;DlgYJC-1)Ahs(p@?sohNP_FdE#zs>stJjH~d7$jlL%ELxMRS2xpwq>Oo#H zW2BVYIc>@4PUAulON%vf=ELzz@oj>H72Qkd=wev;e9O<{Ybezy@m?GiU8vIEyq|@1 zh{6;s2A`d_0MV4H$dJnEFD?S`kgibOWyN~{I=2C`>NLVG=XFQSGlr3X{lZqX}=DJ-VBvVio0bGFh$wJ+hQ*&PXFd;S&yk+~!kMFyU@epo0A z7bno_h4S^H_7SA1qkEuHv>#v=nOcOVG<;GrvoL4Qs(};sAI_sT3dxgV&(95up|zb- z93iRl?kU2G3zf9T8jqB- zNlOb=9_tfGP^nj@(T;estNwN~qgrC~4!L$Bt~qJ30x4*3WD&7+m`HUg?~J*8d2@2G zX}d}Sfj-BOoj(2tCvQ7|7i8bdh8pp&3w{%nj>>MN4?)*Wgoinq=RSjNX__V=T;V&< zcj;PW5mq$qrBx8^+HE+`P?keHTDM;>3d|vjGswn_5 zzqC7An~Pc>yysX}kq0Mu{c@ICzPZ4`TV9K5z5+KfNCmPRm%y(6rX{}2$Siy!WK<2f zG_FQn*4Onw;gyZ}KJvR}e7Q9vK0wRYZ-k->wyG&1LsqHimzV=#`A=-EdA+=Lq=u*r zB24-R$(4YT*hz{Oa{tFmk+-;9#(iFg1G`=su<&z2anFGXfm47EAE**58s>j?)tuh} z5UB%k|G&52Z>Z;vEz=a#)kU#^U=5S>;?@gJNb{Lx; z`z!#=C^0u1Lm#IpJs$u$BYLOn6K2M^Pb?P#GTe_{D& zc1pa?40V5!X9|Ye9yK?r26;}MB1*_iUa{5bX}VWd1Y(IWYAKvegaYUmBa{HR8*VAB z$A)c*4E!<{OL^V%PakfQnI4v@K>xS;P$c9DrlTTBQ*8+sYW^_8S%N?q#eyPJm2nIcqI^AvPC!j@u}YBRcwSizW^P)iJN%R^d!>I32C-eq`LhUfpfmL9BWkqac13JJ zc*VjUNi6i>c!zTM#e`+DL!{B!p5K>}J)iBPY3kf+KPfTonbnGA3lWe_f2Csk#jKu1 z)3zTW34Tq3wdDuNF~^7NOhK*;9pSHu{@V9cyK#wQF_Ymii?cOIqvr$Q7y(ZFPd{K{ zil3wldi$v`?%ct|J)!qtH5pBzZ8%LJqb)L5C5~hr9Uu{Icy*=;q 
zO5#Xz-l2ooIvzcOI^T0UVzhE5%U{`nC9Lv{Bor)3F|L=vzd=a6N+w`4QkdbN zG3bNMEapAJT;Zp@8^qtdbry7D-OvPt{Ul3+MA}3yI(-*9{0CZtMq0Uv=XVX=UYm}1 zw>ivl-VZZI17`~h2k<|h4?mhjU4F$~7C3Yve1@1JhFV-4idUwxJ%hgS0I)g5oj<5u=7ulqH{2fC% z;;5+h4iTMZs%%qiSt4Vj%JtjMDG6DoNy4B5`|2$=?!q=pFDb7P7&}da41rL%_4txt zIUP>hbT}w8u#DQakF8LB@Rz$!z39V8K-}dRyMTDw<|dw;eFlW)23yXmSDRK&U+Iix zr=;QT{SF?o)MR-#3pi#QDyWi-3nMU~u7dPYcL>a=eE2xa!$NXwvv$$3*q3Mf8bRFU zoRYRyNXb-eO+($y{IgqvX*}z-gsWzDtQ#>5T*GE8hWHS1gXxrK?%w#=Z&*1)2a=%> zZl#iTwDD@>aWnL+UOv79dO=rpN_8R)xkc)z0y`ezB6*tc?YvrYYvZ%~3h`M2q`&-{ zmWd?aO4{oiB4^CIToS#Vj@W7&GC|cx5h>LgnwKLeCFQT3jOLY++dg}MnTM#IeQsi^ zRMkB!eVZ|f-T-!Y;clUc9Bn<2zxAJctHZ!_9OllXnNHLu9;HfM){sKkk{3O!g8-{) zj!J8)Y7OaqJvdbq_`!6pYOr#psfN}zXJ`umSfFR?QUj^bnqMZFFLvyN1(gRFFlZ@Q z;V#Q-)(Y4rQ%M+L8Y!5k%3+rBkyaac@A-pO6e#*vFw@)mSe~=uAp2E$3p3wM;8I|B z?V!yVE*Go()3*s_ih0CQj^CmbDKWoT5VL96lwl`6TZVG7cO@#KWio%FCN53!2s zIVst*C9mS{3%d@ppaI7WX(TM^LHytK>AN@KVoOAB{5<>`cDpa`Vd`@CE0bZ3U)M(JKxuZ4#>IxVuX0)9YIEzOP#& zOq{Dh)y1TWa`Y?YzQ~e00{%81=dQU@8JQCIqoZU=BLZE+Anl;4bJXSLjwAE=2R+>- zOIuoentHiLuvsF|GlnLSX>f-3!iKBc8f`s7^Nz)`BYJ4~e2+@U<+26Zl5D-iLN$i8 z+|E-n!K|%GaNhu(@?CD&Bx{ft#1d0T2@*`eG}Mxu=Vgo*s_u9SFjc*6EH!dEIx-q` zoG>>O1#xzQR;{uzUE@*4=s0&{-EOk)_l=gjS)_0Udh6Gn6SpGFPdxlCI^hPfFEi9p z-Qs?KFSo`uYFl*o|7#!mUEO33g^~K}%1vi6Hk4V)h_^y}R-noeqeA#dh|~+>IR}gD zhObO%=?D*;QRre^8naayio1y9<>qqwvNtwZG3Ijv+K;PJ@YE7UfPB%VsdV1#tUgN0 zNvK{`{jOD(&aJYS;vI<0vc$ArIZvN-e%u2?;;+H+CrsUFPJ!F%gP2;ek+j($zN_jO zd?lPxZ31&%QOL$6&#;gw{{krHtUmtqd-aS-)q#MTzc_C#iKd~rJgoeBq8I@uhPz5Y`t(j41*6+*=;s{tMV1;y#(oePRNQu9abNduTch8of^N*+TQ zN|hKa%E5DE2aASUmNwG_zWU0zPm~{XgEJMNK!s%c)+NLN>%uM~Nsy7tm*aU6Jssh# z5_hY$Re)PiD6pwHr&W!qqF+;QBDT5M*{B05z(B@;tbOHO&#J=1EX)9ACKkob@9!xb0nwDO2OS|@7NQR zT=ne`O}BeqMQC~j*5n@lPucV1)?Kg5+#`@~!IRnUarBgRVm$|y;N01L{kSth2dl@j zD}pE|yj!;0UcL2<+7->F{Xfc9fRIq>%t^2+Oo41qfYP^9s?WYGwDwX2k`J# zPAVTulpr3-mezn4CL97v7T?d_oT&|}x@Q^J&5kEuGVvxv9N{%cUSk|VuELqmx|vq!QH;>C=wKHZ+mS$ zP0Oqj^FwV5&L$ z5{!?kr*uE+-~U6O$1f6TBM6E*z>bN*N+0`2S)699lp@t7v>UbY#)2&gVwSwFX?jGi 
zn39udbrki4QU7ZD_<6MFhaTWduvC(zs>9TQaZL{ok$xPACb_f;HIvO zmCl@BuajnOOo%wI2R??qo#gC7)*Zb+pdit@-s{cBU1*#4E2ygl9A4O0&=Y*H(ej9L z0BX&p@_(vp^C4cqEQjf3*!25$2dZ21kojmiHV%S{h_(gu2MIli!3TI*@~^Sd4O$Dv z$Z(4Aw~Fv@bpDcRlQ7<P>}d-PXYhI6Mv`HS+jLxi~Ub zE&Qz!3eByv2RY#!lVOz>m3VhgO+DkBN%$}+Dor}jMlCPf`4C4j&~OIypl0$35kr^bi#$>+smdth1sb z@+WBinSCVqfLXYLBv*9&y1>Ggib2{QgEK2xQ zhIEt7BZrAJo1=_z9zfoCxhk4=yL!?uq# z@Zb}+m$^-eN37GcHcaXe;hrSFejO()XE06_5Ts_WEC0{2rO9=uC$UWSKKHnTA0T&q zT4jFBn4JyweLlKo8(0#?f|v51P@m$_yxo-5c~9EjuhYBnTy1GY`CD4zYj&R1Mnh#j zHvn`GiySn!@+kL7p0NpU-(^V${CJn=##pPO~R40p~$o<0g=mNX3DkMKo zSuUagDdiszT)BvGij)$9vw506&LXUSQ?TToQ~S2L$*9o))n;6)LN0gyClX)X*85O| z1bH51KMV`12!yujG_^yC+|P0v2_mTlRLdY1G;ug%g1rLiJ{r?-i>kOK$(1Cfh5@F; zD1cpRdmiMti4k{j|4Ti$d=kT0tXTAcTP`R_R&uH(D?^SM@U> z`^~{YG!cgj446tp*aw3@%Vnx}Y)z53Nb?WHFKq?n0>e5HHq|e8{dBH`rHuS;pFuM# zC%Vl-q9q$1A*6x+Zgc&W6S-Z_FTYsd?|Wl%n@E*ezyX(M_W=@tCZJB}xrk7gPxH^l z%a{7flaYxB5|<{Iwig*zR^GL}rT!QH3Enc`N8zKLhsP?5XkxU7fzrPJkHHf}>RqXj4sKnXO}SAE<5X##+oh%DM~qLc%-OrARw4 z|6u4iV$oV7&?>#msn$u9J;JNnO_@Ze)c(S)BWCU*5e>ZB=as!N_pf_{ngS$hZCTJ@ zQ06}i>lP(xnC6QJ>+;ofhiVHFgMk#e*bc;;CuL6`Gl)bu|iMJ>cLVqS7U=YeX zXUxNB7FX(x=eE5?=koe&TT;&2AG`aKrZ&QUGjU{Q<{WCC$cE(>ce zOLj93b2Cm$b8{|sE)I4+E*>s^a}GXhJ`Qscq5oe;>TDRY%xAt-VlXlxFG87YbaFE? z_f>RsDDpaYHxZ35`Bk-K1|~)cUGydn_0LJRcFhdEO=`}uX%^PFo!A|&F|Ll=RL6gZ zL3~rye^9))g&hBZUHlPwNf(4q3n43*+SkYU!|{PHYK|GHVul!yF|)HcT2vTK^^CQh zjt8N{w{n9KHNz~U%DQ=j+pkH?CC}|sN%v5fqkkB)NoUm@vb~X`NaP)qON-5}i;sQ zCgPhgWbej$`ZKVW^$p?sb=n1n|BspIO}cMWQB)78*IUg1ewa!SJ1$L z9-s6MY00A{Q|3itJv-vSmQPl&Z(0l%_xnfWJ6KL=3-;PFt03W0JF(Oa`cvpj=?-dE zc>)-*?uAq?5If`E=8>5T`_aW@r+JRh$^K!8X*GJ}J3LQ*M@@%xbJ8ve;BIXb!+=BP8^|^tkeqHwm?G;y0 zMD7lr5AK8+Mo`qj6_W8kHCIHA5+_++?LSg4IgGnquIN~L`h9S^dL15xjR!zPkFYG= znU9q3;Q7(!OP=@Gd6%xunnxmU-ASl0TGd3%)N&`RezSLEEL2Ji&%Jfz&0v*GK9g0B2(yTfg9J$ZmX2`lb;V`UBrlprBtMm F{|oJ=FhBqR diff --git a/rules/rules_linux.json b/rules/rules_linux.json index ef3d8e8..8d6d71d 100644 --- a/rules/rules_linux.json +++ b/rules/rules_linux.json 
@@ -1863,9 +1863,9 @@
 "filename": "proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml"
 },
 {
- "title": "Python Spawning Pretty TTY",
+ "title": "Python Spawning Pretty TTY Via PTY Module",
 "id": "c4042d54-110d-45dd-a0e1-05c47822c937",
- "description": "Detects python spawning a pretty tty which could be indicative of potential reverse shell activity",
+ "description": "Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.\n",
 "author": "Nextron Systems",
 "tags": [
 "attack.execution",
@@ -1874,9 +1874,9 @@
 "falsepositives": [
 "Unknown"
 ],
- "level": "high",
+ "level": "medium",
 "rule": [
- "SELECT * FROM logs WHERE (((Image LIKE '%/python' ESCAPE '\\' OR Image LIKE '%/python2' ESCAPE '\\' OR Image LIKE '%/python3' ESCAPE '\\') OR (Image LIKE '%/python2.%' ESCAPE '\\' OR Image LIKE '%/python3.%' ESCAPE '\\')) AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))"
+ "SELECT * FROM logs WHERE (((Image LIKE '%/python' ESCAPE '\\' OR Image LIKE '%/python2' ESCAPE '\\' OR Image LIKE '%/python3' ESCAPE '\\') OR (Image LIKE '%/python2.%' ESCAPE '\\' OR Image LIKE '%/python3.%' ESCAPE '\\')) AND (CommandLine LIKE '%import pty%' ESCAPE '\\' OR CommandLine LIKE '%from pty %' ESCAPE '\\') AND CommandLine LIKE '%spawn%' ESCAPE '\\')"
 ],
 "filename": "proc_creation_lnx_python_pty_spawn.yml"
 },
@@ -2174,9 +2174,9 @@
 "filename": "proc_creation_lnx_crontab_enumeration.yml"
 },
 {
- "title": "Potential Python Reverse Shell",
+ "title": "Python Reverse Shell Execution Via PTY And Socket Modules",
 "id": "32e62bc7-3de0-4bb1-90af-532978fe42c0",
- "description": "Detects executing python with keywords related to network activity that could indicate a potential reverse shell",
+ "description": "Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.\n",
 "author": "@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
 "attack.execution"
@@ -2186,7 +2186,7 @@
 ],
 "level": "high",
 "rule": [
- "SELECT * FROM logs WHERE (Image LIKE '%python%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%import%' ESCAPE '\\' AND CommandLine LIKE '%pty%' ESCAPE '\\' AND CommandLine LIKE '%spawn(%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\')"
+ "SELECT * FROM logs WHERE (Image LIKE '%python%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%import%' ESCAPE '\\' AND CommandLine LIKE '%pty%' ESCAPE '\\' AND CommandLine LIKE '%socket%' ESCAPE '\\' AND CommandLine LIKE '%spawn%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\')"
 ],
 "filename": "proc_creation_lnx_python_reverse_shell.yml"
 },
diff --git a/rules/rules_windows_generic.json b/rules/rules_windows_generic.json
index 91c5fce..61be916 100644
--- a/rules/rules_windows_generic.json
+++ b/rules/rules_windows_generic.json
@@ -562,7 +562,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))" 
+ "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE 
'%\\\\Pictures\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_persistence_com_hijacking_builtin.yml" }, @@ -1379,7 +1379,7 @@ { "title": "Enable LM Hash Storage", "id": "c420410f-c2d8-4010-856b-dffe21866437", - "status": "experimental", + "status": "test", "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -2102,6 +2102,25 @@
 ],
 "filename": "registry_set_chrome_extension.yml"
 },
+ {
+ "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry",
+ "id": "a7df0e9e-91a5-459a-a003-4cde67c2ff5d",
+ "status": "test",
+ "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n",
+ "author": "Ahmed Farouk, Nasreddine Bencherchali",
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "high",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (((NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh%' ESCAPE '\\') AND (NewValue LIKE '% -e %' ESCAPE '\\' OR NewValue LIKE '% -ec %' ESCAPE '\\' OR NewValue LIKE '% -en %' ESCAPE '\\' OR NewValue LIKE '% -enc %' ESCAPE '\\' OR NewValue LIKE '% -enco%' ESCAPE '\\' OR NewValue LIKE '%ftp%' ESCAPE '\\' OR NewValue LIKE '%Hidden%' ESCAPE '\\' OR NewValue LIKE '%http%' ESCAPE '\\' OR NewValue LIKE '%iex%' ESCAPE '\\' OR NewValue LIKE '%Invoke-%' ESCAPE '\\')) OR (NewValue LIKE '%wmic%' ESCAPE '\\' AND (NewValue LIKE '%shadowcopy%' ESCAPE '\\' OR NewValue LIKE '%process call create%' ESCAPE '\\'))))"
+ ],
+ "filename": "registry_set_runmru_susp_command_execution.yml"
+ },
 {
 "title": "Macro Enabled In A Potentially Suspicious Document",
 "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd",
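Review bot: The new RunMRU rule is gated on `EventID = '4657'` from `Channel = 'Security'`, and that event is only written when registry object-access auditing is enabled and a SACL exists on the monitored key, so on a host with default audit policy the rule silently never fires; neither the description nor `falsepositives` ("Unknown") records that prerequisite. The `"filename": "....yml"` field suggests this JSON is generated from the upstream Sigma source, so the caveat probably belongs in the ruleset documentation or the conversion pipeline rather than in this file, along the lines of "Security-channel registry rules (4657) require Audit Registry plus a SACL on the target key". Before shipping at level `high` I would also baseline the broad `'%http%'`, `'%ftp%'` and `'%iex%'` substrings against real RunMRU values, since they match any command the user ran through the Run box together with `powershell`/`pwsh`.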
@@ -6321,7 +6340,7 @@
 {
 "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler",
 "id": "2bfc1373-0220-4fbd-8b10-33ddafd2a142",
- "status": "experimental",
+ "status": "test",
 "description": "Hunts for known SVR-specific scheduled task names",
 "author": "CISA",
 "tags": [
@@ -6339,7 +6358,7 @@
 {
 "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor",
 "id": "8fa65166-f463-4fd2-ad4f-1436133c52e1",
- "status": "experimental",
+ "status": "test",
 "description": "Hunts for known SVR-specific scheduled task names",
 "author": "CISA",
 "tags": [
@@ -10952,7 +10971,7 @@
 {
 "title": "Tamper Windows Defender - ScriptBlockLogging",
 "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2",
- "status": "experimental",
+ "status": "test",
 "description": "Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.",
 "author": "frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
@@ -11782,7 +11801,7 @@
 {
 "title": "Tamper Windows Defender - PSClassic",
 "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c",
- "status": "experimental",
+ "status": "test",
 "description": "Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.",
 "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
@@ -12306,7 +12325,7 @@
 {
 "title": "Suspicious File Creation Activity From Fake Recycle.Bin Folder",
 "id": "cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca",
- "status": "experimental",
+ "status": "test",
 "description": "Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware",
 "author": "X__Junior (Nextron Systems)",
 "tags": [
@@ -13160,10 +13179,10 @@
 "filename": "file_event_win_tsclient_filewrite_startup.yml"
 },
 {
- "title": "RDP File Creation From Suspicious Application",
+ "title": ".RDP File Created By Uncommon Application",
 "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d",
 "status": "test",
- "description": "Detects Rclone config file being created",
+ "description": "Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.\n",
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
 "attack.defense-evasion"
@@ -13173,7 +13192,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Whale.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.rdp' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Whale.exe' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\olk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\teams.exe' ESCAPE '\\'))" ], "filename": "file_event_win_rdp_file_susp_creation.yml" }, @@ -13548,7 +13567,7 @@ { "title": "Uncommon File Created In Office Startup Folder", "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", - "status": "experimental", + "status": "test", "description": "Detects the creation of a file with an uncommon extension in an Office application startup folder", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -13661,6 +13680,24 @@
 ],
 "filename": "file_event_win_susp_desktopimgdownldr_file.yml"
 },
+ {
+ "title": ".RDP File Created by Outlook Process",
+ "id": "f748c45a-f8d3-4e6f-b617-fe176f695b8f",
+ "status": "experimental",
+ "description": "Detects the creation of files with the \".rdp\" extensions in the temporary directory that Outlook uses when opening attachments.\nThis can be used to detect spear-phishing campaigns that use RDP files as attachments.\n",
+ "author": "Florian Roth",
+ "tags": [
+ "attack.defense-evasion"
+ ],
+ "falsepositives": [
+ "Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments"
+ ],
+ "level": "high",
+ "rule": [
+ "SELECT * FROM logs WHERE (TargetFilename LIKE '%.rdp' ESCAPE '\\' AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.Outlook\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Olk\\\\Attachments\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\')))"
+ ],
+ "filename": "file_event_win_office_outlook_rdp_file_creation.yml"
+ },
 {
 "title": "HackTool - Typical HiveNightmare SAM File Export",
 "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7",
@@ -13843,7 +13880,7 @@
 {
 "title": "HackTool Named File Stream Created",
 "id": "19b041f6-e583-40dc-b842-d6fa8011493f",
- "status": "experimental",
+ "status": "test",
 "description": "Detects the creation of a named file stream with the imphash of a well-known hack tool",
 "author": "Florian Roth (Nextron Systems)",
 "tags": [
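Review bot: The new `.RDP File Created by Outlook Process` rule carries no `EventID`/`Channel` condition at all — its query is `SELECT * FROM logs WHERE (TargetFilename LIKE '%.rdp' ESCAPE '\\' AND (...))` — whereas the RunMRU rule added to this same file earlier in the commit is gated on `EventID = '4657' AND ... Channel = 'Security'`. In a generic (non-Sysmon) ruleset the records I would expect here do not carry a `TargetFilename` column, so as far as I can tell this rule can only match if some other source populates that field; it looks like the generic conversion pipeline emits `file_event` rules without a logsource filter, and the same applies to the `.RDP File Created By Uncommon Application` hunk and the `create_stream_hash_file_sharing_domains_download_susp_extension.yml` hunk of this file. Worth confirming that this is intended before an `experimental`, level `high` rule ships in the generic set, or otherwise excluding ungated `file_event` rules from the generic output in the pipeline rather than editing this generated JSON by hand.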
@@ -13895,7 +13932,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Contents LIKE '%.githubusercontent.com%' 
ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\'))" ], "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" }, 
@@ -14054,7 +14091,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND Initiated = 'true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' 
ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND Initiated = 'true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR 
DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))" ], "filename": "net_connection_win_susp_file_sharing_domains_susp_folders.yml" }, 
@@ -14075,7 +14112,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE 
'%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files 
(x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' 
ESCAPE '\\' AND NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Falkon\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\WhatsApp.exe' 
ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((NewProcessName LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR (NewProcessName = '') OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE 
'%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' 
ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program 
Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((NewProcessName LIKE 
'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Falkon\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (NewProcessName 
LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((NewProcessName LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR (NewProcessName = '') OR (NewProcessName = '')))" ], "filename": "net_connection_win_domain_dead_drop_resolvers.yml" }, 
@@ -14381,7 +14418,7 @@ { "title": "HackTool - EfsPotato Named Pipe Creation", "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", - "status": "experimental", + "status": "test", "description": "Detects the pattern of a pipe name as used by the hack tool EfsPotato", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -14897,7 +14934,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR 
RemoteName LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pixeldrain.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" ], "filename": "win_bits_client_new_transfer_via_file_sharing_domains.yml" }, @@ -16925,7 +16962,7 @@ { "title": "HackTool - NoFilter Execution", "id": "7b14c76a-c602-4ae6-9717-eff868153fc0", - "status": "experimental", + "status": "test", "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n", "author": "Stamatis Chatzimangou (st0pp3r)", "tags": [ 
@@ -20108,7 +20145,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName = 'curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' 
ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName = 'curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR 
CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE 
'%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" ], "filename": "proc_creation_win_curl_download_susp_file_sharing_domains.yml" }, @@ -20274,7 +20311,7 @@ "title": "Suspicious Windows Service Tampering", "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "status": "test", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts\n", "author": "Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior", "tags": [ "attack.defense-evasion", 
@@ -20285,7 +20322,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('net.exe', 'net1.exe', 'PowerShell.EXE', 'psservice.exe', 'pwsh.dll', 'sc.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('net.exe', 'net1.exe', 'PowerShell.EXE', 'psservice.exe', 'pwsh.dll', 'sc.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%WSearch%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_service_tamper.yml" }, @@ -21686,7 +21723,7 @@ { "title": "Suspicious Process Execution From Fake Recycle.Bin Folder", "id": "5ce0f04e-3efc-42af-839d-5b3a543b76c0", - "status": "experimental", + "status": "test", "description": "Detects process execution from a fake recycle bin folder, often used to avoid security solution.", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -22722,7 +22759,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\'))" + "SELECT * FROM logs 
WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\'))" ], "filename": 
"proc_creation_win_powershell_download_susp_file_sharing_domains.yml" }, @@ -24554,7 +24591,7 @@ { "title": "HackTool - EDRSilencer Execution", "id": "eb2d07d4-49cb-4523-801a-da002df36602", - "status": "experimental", + "status": "test", "description": "Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.\n", "author": "@gott_cyber", "tags": [ @@ -24654,7 +24691,7 @@ { "title": "Forfiles.EXE Child Process Masquerading", "id": "f53714ec-5077-420e-ad20-907ff9bb2958", - "status": "experimental", + "status": "test", "description": "Detects the execution of \"forfiles\" from a non-default location, in order to potentially spawn a custom \"cmd.exe\" from the current working directory.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati", "tags": [ 
@@ -26244,7 +26281,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName = 'wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE 
'\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName = 'wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR 
CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE 
'\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" ], "filename": "proc_creation_win_wget_download_susp_file_sharing_domains.yml" }, @@ -26995,7 +27032,7 @@ { "title": "Renamed Cloudflared.EXE Execution", "id": "e0c69ebd-b54f-4aed-8ae3-e3467843f3f0", - "status": "experimental", + "status": "test", "description": "Detects the execution of a renamed \"cloudflared\" binary.", "tags": [ "attack.command-and-control", @@ -28335,7 +28372,7 @@ { "title": "Suspicious Greedy Compression Using Rar.EXE", "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", - "status": "experimental", + "status": "test", "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ diff --git a/rules/rules_windows_generic_full.json b/rules/rules_windows_generic_full.json index 39b5b6f..9555bc5 100644 --- a/rules/rules_windows_generic_full.json +++ b/rules/rules_windows_generic_full.json 
@@ -3585,7 +3585,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\')) AND (TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\') OR ((NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))))" + "SELECT * FROM 
logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\')) AND (TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\') OR ((NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))))" ], 
"filename": "" }, @@ -4402,7 +4402,7 @@ { "title": "Enable LM Hash Storage", "id": "c420410f-c2d8-4010-856b-dffe21866437", - "status": "experimental", + "status": "test", "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -5125,6 +5125,25 @@ ], "filename": "" }, + { + "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry", + "id": "a7df0e9e-91a5-459a-a003-4cde67c2ff5d", + "status": "test", + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "author": "Ahmed Farouk, Nasreddine Bencherchali", + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (((NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh%' ESCAPE '\\') AND (NewValue LIKE '% -e %' ESCAPE '\\' OR NewValue LIKE '% -ec %' ESCAPE '\\' OR NewValue LIKE '% -en %' ESCAPE '\\' OR NewValue LIKE '% -enc %' ESCAPE '\\' OR NewValue LIKE '% -enco%' ESCAPE '\\' OR NewValue LIKE '%ftp%' ESCAPE '\\' OR NewValue LIKE '%Hidden%' ESCAPE '\\' OR NewValue LIKE '%http%' ESCAPE '\\' OR NewValue LIKE '%iex%' ESCAPE '\\' OR NewValue LIKE '%Invoke-%' ESCAPE '\\')) OR (NewValue LIKE '%wmic%' ESCAPE '\\' AND (NewValue LIKE '%shadowcopy%' ESCAPE '\\' OR NewValue LIKE '%process call create%' ESCAPE '\\')))))" + ], + "filename": "" + }, { "title": "Macro Enabled In A Potentially Suspicious Document", "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", @@ -8068,7 +8087,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler", "id": "2bfc1373-0220-4fbd-8b10-33ddafd2a142", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ 
@@ -8086,7 +8105,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor", "id": "8fa65166-f463-4fd2-ad4f-1436133c52e1", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ @@ -11764,7 +11783,7 @@ { "title": "Tamper Windows Defender - ScriptBlockLogging", "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "status": "experimental", + "status": "test", "description": "Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -12575,7 +12594,7 @@ { "title": "Tamper Windows Defender - PSClassic", "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", - "status": "experimental", + "status": "test", "description": "Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -13042,7 +13061,7 @@ { "title": "Suspicious File Creation Activity From Fake Recycle.Bin Folder", "id": "cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca", - "status": "experimental", + "status": "test", "description": "Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -13837,10 +13856,10 @@ "filename": "" }, { - "title": "RDP File Creation From Suspicious Application", + "title": ".RDP File Created By Uncommon Application", "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "status": "test", - "description": "Detects Rclone config file being created", + "description": "Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense-evasion" 
@@ -13850,7 +13869,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\'" + "SELECT * FROM logs WHERE TargetFilename LIKE '%.rdp' ESCAPE '\\' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\olk.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\')" ], "filename": "" }, @@ -14187,7 +14206,7 @@ { "title": "Uncommon File Created In Office Startup Folder", "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", - "status": "experimental", + "status": "test", "description": "Detects the creation of a file with an uncommon extension in an Office application startup folder", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -14300,6 +14319,24 @@ ], "filename": "" }, + { + "title": ".RDP File Created by Outlook Process", + "id": "f748c45a-f8d3-4e6f-b617-fe176f695b8f", + "status": "experimental", + "description": "Detects the creation of files with the \".rdp\" extensions in the temporary directory that Outlook uses when opening attachments.\nThis can be used to detect spear-phishing campaigns that use RDP files as attachments.\n", + "author": "Florian Roth", + "tags": [ + "attack.defense-evasion" + ], + "falsepositives": [ + "Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE TargetFilename LIKE '%.rdp' ESCAPE '\\' AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.Outlook\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Olk\\\\Attachments\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\'))" + ], + "filename": "" + }, { "title": "HackTool - Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
@@ -14463,7 +14500,7 @@ { "title": "HackTool Named File Stream Created", "id": "19b041f6-e583-40dc-b842-d6fa8011493f", - "status": "experimental", + "status": "test", "description": "Detects the creation of a named file stream with the imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -14515,7 +14552,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Contents LIKE '%.githubusercontent.com%' 
ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\')" ], "filename": "" }, 
@@ -14696,7 +14733,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (Initiated='true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE 
'\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (Initiated='true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE 
'%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))" ], "filename": "" }, 
@@ -14717,7 +14754,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated='true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' 
ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND (NOT ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program 
Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' 
ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program 
Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR Image IS NULL OR Image=''))" + "SELECT * FROM logs WHERE (Initiated='true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname 
LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND (NOT ((Image LIKE 'C:\\\\Program 
Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR 
(Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 
'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' 
ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR Image IS NULL OR Image=''))" ], "filename": "" }, @@ -15058,7 +15095,7 @@ { "title": "HackTool - EfsPotato Named Pipe Creation", "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", - "status": "experimental", + "status": "test", "description": "Detects the pattern of a pipe name as used by the hack tool EfsPotato", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -15460,7 +15497,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Bits-Client/Operational' AND (EventID=16403 AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Bits-Client/Operational' AND (EventID=16403 AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName 
LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pixeldrain.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" ], "filename": "" }, @@ -17284,7 +17321,7 @@ { "title": "HackTool - NoFilter Execution", "id": "7b14c76a-c602-4ae6-9717-eff868153fc0", - "status": "experimental", + "status": "test", "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n", "author": "Stamatis Chatzimangou (st0pp3r)", "tags": [ 
@@ -20472,7 +20509,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName='curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE 
'\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName='curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE 
'%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' 
OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" ], "filename": "" }, @@ -20638,7 +20675,7 @@ "title": "Suspicious Windows Service Tampering", "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "status": "test", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts\n", "author": "Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior", "tags": [ "attack.defense-evasion", 
@@ -20649,7 +20686,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((OriginalFileName='net.exe' OR OriginalFileName='net1.exe' OR OriginalFileName='PowerShell.EXE' OR OriginalFileName='psservice.exe' OR OriginalFileName='pwsh.dll' OR OriginalFileName='sc.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((OriginalFileName='net.exe' OR OriginalFileName='net1.exe' OR OriginalFileName='PowerShell.EXE' OR OriginalFileName='psservice.exe' OR OriginalFileName='pwsh.dll' OR OriginalFileName='sc.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%WSearch%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\')))" ], "filename": "" }, @@ -21910,7 +21947,7 @@ { "title": "Suspicious Process Execution From Fake Recycle.Bin Folder", "id": "5ce0f04e-3efc-42af-839d-5b3a543b76c0", - "status": "experimental", + "status": "test", "description": "Detects process execution from a fake recycle bin folder, often used to avoid security solution.", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -22988,7 +23025,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (OriginalFileName='PowerShell.EXE' OR OriginalFileName='pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\')))" + "SELECT * FROM 
logs WHERE Channel='Security' AND (EventID=4688 AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (OriginalFileName='PowerShell.EXE' OR OriginalFileName='pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\')))" ], "filename": "" }, 
@@ -24782,7 +24819,7 @@ { "title": "HackTool - EDRSilencer Execution", "id": "eb2d07d4-49cb-4523-801a-da002df36602", - "status": "experimental", + "status": "test", "description": "Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.\n", "author": "@gott_cyber", "tags": [ @@ -24861,7 +24898,7 @@ { "title": "Forfiles.EXE Child Process Masquerading", "id": "f53714ec-5077-420e-ad20-907ff9bb2958", - "status": "experimental", + "status": "test", "description": "Detects the execution of \"forfiles\" from a non-default location, in order to potentially spawn a custom \"cmd.exe\" from the current working directory.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati", "tags": [ 
@@ -26435,7 +26472,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName='wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR 
CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName='wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE 
'%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine 
LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" ], "filename": "" }, @@ -27186,7 +27223,7 @@ { "title": "Renamed Cloudflared.EXE Execution", "id": "e0c69ebd-b54f-4aed-8ae3-e3467843f3f0", - "status": "experimental", + "status": "test", "description": "Detects the execution of a renamed \"cloudflared\" binary.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -28450,7 +28487,7 @@ { "title": "Suspicious Greedy Compression Using Rar.EXE", "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", - "status": "experimental", + "status": "test", "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ 
@@ -31007,10 +31044,29 @@ ], "filename": "" }, + { + "title": "Command Executed Via Run Dialog Box - Registry", + "id": "f9d091f6-f1c7-4873-a24f-050b4a02b4dd", + "status": "experimental", + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "author": "Ahmed Farouk, Nasreddine Bencherchali", + "tags": [ + "detection.threat-hunting", + "attack.execution" + ], + "falsepositives": [ + "Likely" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (NOT TargetObject LIKE '%\\\\MRUList' ESCAPE '\\') AND (NOT (NewValue LIKE '%ping%' ESCAPE '\\' OR (NewValue LIKE '\\%appdata\\%\\\\1' ESCAPE '\\' OR NewValue LIKE '\\%localappdata\\%\\\\1' ESCAPE '\\' OR NewValue LIKE '\\%public\\%\\\\1' ESCAPE '\\' OR NewValue LIKE '\\%temp\\%\\\\1' ESCAPE '\\' OR NewValue LIKE 'calc\\\\1' ESCAPE '\\' OR NewValue LIKE 'dxdiag\\\\1' ESCAPE '\\' OR NewValue LIKE 'explorer\\\\1' ESCAPE '\\' OR NewValue LIKE 'gpedit.msc\\\\1' ESCAPE '\\' OR NewValue LIKE 'mmc\\\\1' ESCAPE '\\' OR NewValue LIKE 'notepad\\\\1' ESCAPE '\\' OR NewValue LIKE 'regedit\\\\1' ESCAPE '\\' OR NewValue LIKE 'services.msc\\\\1' ESCAPE '\\' OR NewValue LIKE 'winver\\\\1' ESCAPE '\\')))))" + ], + "filename": "" + }, { "title": "Amsi.DLL Load By Uncommon Process", "id": "facd1549-e416-48e0-b8c4-41d7215eedc8", - "status": "experimental", + "status": "test", "description": "Detects loading of Amsi.dll by uncommon processes", "author": "frack113", "tags": [ 
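Review bot: The new "Command Executed Via Run Dialog Box - Registry" rule is keyed on `EventID=4657 AND OperationType='Existing registry value modified'`, which has two prerequisites the description does not state: 4657 is only generated when an object-access SACL is configured on the RunMRU key (not a default audit setting), and the OperationType filter excludes the "New registry value created" case, so the first command written into a fresh RunMRU slot would not match. Neither point is noted in the rule text, so an operator deploying this ruleset may get silence rather than a detection. A sentence in the description such as "Requires object access auditing (SACL) on the RunMRU key; only existing-value modifications are matched." would make the coverage explicit; if this JSON is generated from the upstream Sigma rule, that wording belongs in the source rule. The same auditing prerequisite applies to the 4663-based "Access To Browser Credential Files By Uncommon Applications - Security" rule added in the next hunk, which only fires when the credential files carry a file-system SACL.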
@@ -31484,6 +31540,26 @@ ], "filename": "" }, + { + "title": "Access To Browser Credential Files By Uncommon Applications - Security", + "id": "4b60e527-ec73-4b47-8cb3-f02ad927ca65", + "status": "experimental", + "description": "Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.\n", + "author": "Daniel Koifman (@Koifsec), Nasreddine Bencherchali", + "tags": [ + "attack.credential-access", + "attack.t1555.003", + "detection.threat-hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4663 AND ObjectType='File' AND AccessMask='0x1') AND ((ObjectName LIKE '%\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Local State%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\') OR (FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%\\\\places.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\')) AND (NOT (ProcessName='System' OR (ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))) AND (NOT (ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "Scheduled Task Deletion", "id": "4f86b304-3e02-40e3-aa5d-e88a167c9617", 
@@ -32049,7 +32125,7 @@ { "title": "Compressed File Extraction Via Tar.EXE", "id": "bf361876-6620-407a-812f-bfe11e51e924", - "status": "experimental", + "status": "test", "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n", "author": "AdmU3", "tags": [ @@ -32165,7 +32241,7 @@ { "title": "Firewall Configuration Discovery Via Netsh.EXE", "id": "0e4164da-94bc-450d-a7be-a4b176179f1f", - "status": "experimental", + "status": "test", "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ @@ -32456,7 +32532,7 @@ { "title": "Compressed File Creation Via Tar.EXE", "id": "418a3163-3247-4b7b-9933-dcfcb7c52ea9", - "status": "experimental", + "status": "test", "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3", "tags": [ @@ -33224,7 +33300,7 @@ { "title": "Potential Persistence Via AppCompat RegisterAppRestart Layer", "id": "b86852fb-4c77-48f9-8519-eb1b2c308b59", - "status": "experimental", + "status": "test", "description": "Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.\nThis compatibility layer allows an application to register for restart using the \"RegisterApplicationRestart\" API.\nThis can be potentially abused as a persistence mechanism.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -33495,7 +33571,7 @@ { "title": "Potential PowerShell Execution Policy Tampering", "id": "fad91067-08c5-4d1a-8d8c-d96a21b37814", - "status": "experimental", + "status": "test", "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -33762,7 +33838,7 @@ { "title": "Potentially Suspicious Desktop Background Change Via Registry", "id": "85b88e05-dadc-430b-8a9e-53ff1cd30aae", - "status": "experimental", + "status": "test", "description": "Detects registry value settings that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)", "tags": [ @@ -35010,7 +35086,7 @@ { "title": "DLL Names Used By SVR For GraphicalProton Backdoor", "id": "e64c8ef3-9f98-40c8-b71e-96110991cb4c", - "status": "experimental", + "status": "test", "description": "Hunts known SVR-specific DLL names.", "author": "CISA", "tags": [ 
@@ -35109,7 +35185,7 @@ { "title": "Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE", "id": "e5144106-8198-4f6e-bfc2-0a551cc8dd94", - "status": "experimental", + "status": "test", "description": "Detects the execution of concatenated commands via \"cmd.exe\". Pikabot often executes a combination of multiple commands via the command handler \"cmd /c\" in order to download and execute additional payloads.\nCommands such as \"curl\", \"wget\" in order to download extra payloads. \"ping\" and \"timeout\" are abused to introduce delays in the command execution and \"Rundll32\" is also used to execute malicious DLL files.\nIn the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.\n", "author": "Alejandro Houspanossian ('@lekz86')", "tags": [ @@ -35463,7 +35539,7 @@ { "title": "Potential Direct Syscall of NtOpenProcess", "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", - "status": "experimental", + "status": "test", "description": "Detects potential calls to NtOpenProcess directly from NTDLL.", "author": "Christian Burkard (Nextron Systems), Tim Shelton (FP)", "tags": [ 
@@ -37630,25 +37706,6 @@ ], "filename": "" }, - { - "title": "Powershell Exfiltration Over SMTP", - "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", - "status": "test", - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "author": "frack113", - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], - "falsepositives": [ - "Legitimate script" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel='Microsoft-Windows-PowerShell/Operational' OR Channel='PowerShellCore/Operational') AND (EventID=4104 AND (ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND (NOT ScriptBlockText LIKE '%CmdletsToExport%' ESCAPE '\\')))" - ], - "filename": "" - }, { "title": "Certificate Exported Via PowerShell - ScriptBlock", "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", @@ -38501,7 +38558,7 @@ { "title": "Cloudflared Tunnels Related DNS Requests", "id": "a1d9eec5-33b2-4177-8d24-27fe754d0812", - "status": "experimental", + "status": "test", "description": "Detects DNS requests to Cloudflared tunnels domains.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -39271,7 +39328,7 @@ { "title": "PSScriptPolicyTest Creation By Uncommon Process", "id": "1027d292-dd87-4a1a-8701-2abe04d7783c", - "status": "experimental", + "status": "test", "description": "Detects the creation of the \"PSScriptPolicyTest\" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -40165,7 +40222,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE 
'\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\')" ], "filename": "" }, @@ -40331,7 +40388,7 @@ { "title": "Suspicious Wordpad Outbound Connections", "id": "786cdae8-fefb-4eb2-9227-04e34060db01", - "status": "experimental", + "status": "test", "description": "Detects a network connection initiated by \"wordpad.exe\" over uncommon destination ports.\nThis might indicate potential process injection activity from a beacon or similar mechanisms.\n", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -42586,7 +42643,7 @@ { "title": "Potentially Suspicious AccessMask Requested From LSASS", "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", - "status": "experimental", + "status": "test", "description": "Detects process handle on LSASS process with certain access mask", "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", "tags": [ @@ -43187,6 +43244,26 @@ ], "filename": "" }, + { + "title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet", + "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", + "status": "test", + "description": "Detects the execution of a PowerShell script with a call to the \"Send-MailMessage\" cmdlet along with the \"-Attachments\" flag. This could be a potential sign of data exfiltration via Email.\nAdversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n", + "author": "frack113", + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "detection.threat-hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel='Microsoft-Windows-PowerShell/Operational' OR Channel='PowerShellCore/Operational') AND (EventID=4104 AND ScriptBlockText LIKE '%Send-MailMessage%-Attachments%' ESCAPE '\\')" + ], + "filename": "" + }, { "title": "SMB over QUIC Via PowerShell Script", "id": "6df07c3b-8456-4f8b-87bb-fe31ec964cae", @@ -43293,7 +43370,7 @@ { "title": "Access To Sysvol Policies Share By Uncommon Process", "id": "8344c19f-a023-45ff-ad63-a01c5396aea0", - "status": "experimental", + "status": "test", "description": "Detects file access requests to the Windows Sysvol Policies Share by uncommon processes", "author": "frack113", "tags": [ 
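Review bot: The rewritten Send-MailMessage rule (id 9a7afa56-4762-43eb-807d-c3dc9ffe211b, removed in an earlier hunk and re-added here) matches `ScriptBlockText LIKE '%Send-MailMessage%-Attachments%'`, which is order-dependent: a script that places `-Attachments` before the cmdlet name (splatting, a hashtable of parameters, or a variable holding the attachment list) no longer matches, and a plain `Send-MailMessage` call without an attachment is no longer flagged at all. If the intent is "both terms present" rather than "attachments after the cmdlet", two independent conditions are the safer form, e.g. `ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Attachments%' ESCAPE '\\'`. If this file is generated from the upstream Sigma rule, the change should be made there so it survives the next regeneration; otherwise the narrowed coverage deserves a mention in the rule description.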
@@ -45919,7 +45996,7 @@ { "title": "Potentially Suspicious Desktop Background Change Using Reg.EXE", "id": "8cbc9475-8d05-4e27-9c32-df960716c701", - "status": "experimental", + "status": "test", "description": "Detects the execution of \"reg.exe\" to alter registry keys that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", "author": "Stephen Lincoln @slincoln-aiq (AttackIQ)", "tags": [ @@ -46211,7 +46288,7 @@ { "title": "Potentially Suspicious Command Targeting Teams Sensitive Files", "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", - "status": "experimental", + "status": "test", "description": "Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.\nThe database might contain authentication tokens and other sensitive information about the logged in accounts.\n", "author": "@SerkinValery", "tags": [ @@ -46459,7 +46536,7 @@ { "title": "Cloudflared Tunnel Execution", "id": "9a019ffc-3580-4c9d-8d87-079f7e8d3fd4", - "status": "experimental", + "status": "test", "description": "Detects execution of the \"cloudflared\" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.", "author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -47764,7 +47841,7 @@ { "title": "Uncommon Child Process Of Conhost.EXE", "id": "7dc2dedd-7603-461a-bc13-15803d132355", - "status": "experimental", + "status": "test", "description": "Detects uncommon \"conhost\" child processes. This could be a sign of \"conhost\" usage as a LOLBIN or potential process injection activity.", "author": "omkar72", "tags": [ 
@@ -49089,7 +49166,7 @@ { "title": "Cloudflared Tunnel Connections Cleanup", "id": "7050bba1-1aed-454e-8f73-3f46f09ce56a", - "status": "experimental", + "status": "test", "description": "Detects execution of the \"cloudflared\" tool with the tunnel \"cleanup\" flag in order to cleanup tunnel connections.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -49110,7 +49187,7 @@ { "title": "Uncommon System Information Discovery Via Wmic.EXE", "id": "9d5a1274-922a-49d0-87f3-8c653483b909", - "status": "experimental", + "status": "test", "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", "author": "TropChaud", "tags": [ @@ -49750,7 +49827,7 @@ { "title": "PUA - Process Hacker Execution", "id": "811e0002-b13b-4a15-9d00-a613fce66e42", - "status": "experimental", + "status": "test", "description": "Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).\nProcess Hacker is a tool to view and manipulate processes, kernel options and other low level options.\nThreat actors abused older vulnerable versions to manipulate system processes.\n", "author": "Florian Roth (Nextron Systems)", "tags": [ @@ -50320,7 +50397,7 @@ { "title": "Binary Proxy Execution Via Dotnet-Trace.EXE", "id": "9257c05b-4a4a-48e5-a670-b7b073cf401b", - "status": "experimental", + "status": "test", "description": "Detects commandline arguments for executing a child process via dotnet-trace.exe", "author": "Jimmy Bayne (@bohops)", "tags": [ 
@@ -52335,7 +52412,7 @@ { "title": "Cscript/Wscript Potentially Suspicious Child Process", "id": "b6676963-0353-4f88-90f5-36c20d443c6a", - "status": "experimental", + "status": "test", "description": "Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.\nMalware such as Pikabot and Qakbot were seen using similar techniques as well as many others.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')", "tags": [ @@ -52488,7 +52565,7 @@ { "title": "Cloudflared Portable Execution", "id": "fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd", - "status": "experimental", + "status": "test", "description": "Detects the execution of the \"cloudflared\" binary from a non standard location.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -53282,7 +53359,7 @@ { "title": "Cloudflared Quick Tunnel Execution", "id": "222129f7-f4dc-4568-b0d2-22440a9639ba", - "status": "experimental", + "status": "test", "description": "Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.\nThe free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.\nThe tool has been observed in use by threat groups including Akira ransomware.\n", "author": "Sajid Nawaz Khan", "tags": [ @@ -53720,7 +53797,7 @@ "filename": "" }, { - "title": "Suspicious Schtasks From Env Var Folder", + "title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE", "id": "81325ce1-be01-4250-944f-b4789644556f", "status": "test", "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", 
@@ -53735,7 +53812,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT ((ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\' OR CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\') OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\' OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))" ], "filename": "" }, diff --git a/rules/rules_windows_generic_high.json b/rules/rules_windows_generic_high.json index 91c5fce..61be916 100644 --- a/rules/rules_windows_generic_high.json +++ b/rules/rules_windows_generic_high.json 
@@ -562,7 +562,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))" 
+ "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE 
'%\\\\Pictures\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_persistence_com_hijacking_builtin.yml" }, @@ -1379,7 +1379,7 @@ { "title": "Enable LM Hash Storage", "id": "c420410f-c2d8-4010-856b-dffe21866437", - "status": "experimental", + "status": "test", "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -2102,6 +2102,25 @@ ], "filename": "registry_set_chrome_extension.yml" }, + { + "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry", + "id": "a7df0e9e-91a5-459a-a003-4cde67c2ff5d", + "status": "test", + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "author": "Ahmed Farouk, Nasreddine Bencherchali", + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (((NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh%' ESCAPE '\\') AND (NewValue LIKE '% -e %' ESCAPE '\\' OR NewValue LIKE '% -ec %' ESCAPE '\\' OR NewValue LIKE '% -en %' ESCAPE '\\' OR NewValue LIKE '% -enc %' ESCAPE '\\' OR NewValue LIKE '% -enco%' ESCAPE '\\' OR NewValue LIKE '%ftp%' ESCAPE '\\' OR NewValue LIKE '%Hidden%' ESCAPE '\\' OR NewValue LIKE '%http%' ESCAPE '\\' OR NewValue LIKE '%iex%' ESCAPE '\\' OR NewValue LIKE '%Invoke-%' ESCAPE '\\')) OR (NewValue LIKE '%wmic%' ESCAPE '\\' AND (NewValue LIKE '%shadowcopy%' ESCAPE '\\' OR NewValue LIKE '%process call create%' ESCAPE '\\'))))" + ], + "filename": "registry_set_runmru_susp_command_execution.yml" + }, { "title": "Macro Enabled In A Potentially Suspicious Document", "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", 
@@ -6321,7 +6340,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler", "id": "2bfc1373-0220-4fbd-8b10-33ddafd2a142", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ @@ -6339,7 +6358,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor", "id": "8fa65166-f463-4fd2-ad4f-1436133c52e1", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ @@ -10952,7 +10971,7 @@ { "title": "Tamper Windows Defender - ScriptBlockLogging", "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "status": "experimental", + "status": "test", "description": "Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -11782,7 +11801,7 @@ { "title": "Tamper Windows Defender - PSClassic", "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", - "status": "experimental", + "status": "test", "description": "Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -12306,7 +12325,7 @@ { "title": "Suspicious File Creation Activity From Fake Recycle.Bin Folder", "id": "cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca", - "status": "experimental", + "status": "test", "description": "Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -13160,10 +13179,10 @@ "filename": "file_event_win_tsclient_filewrite_startup.yml" }, { - "title": "RDP File Creation From Suspicious Application", + "title": ".RDP File Created By Uncommon Application", "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "status": "test", - "description": "Detects Rclone config file being created", + "description": "Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense-evasion" 
@@ -13173,7 +13192,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Whale.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.rdp' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Whale.exe' ESCAPE '\\' OR NewProcessName 
LIKE '%\\\\olk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\teams.exe' ESCAPE '\\'))" ], "filename": "file_event_win_rdp_file_susp_creation.yml" }, @@ -13548,7 +13567,7 @@ { "title": "Uncommon File Created In Office Startup Folder", "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", - "status": "experimental", + "status": "test", "description": "Detects the creation of a file with an uncommon extension in an Office application startup folder", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -13661,6 +13680,24 @@ ], "filename": "file_event_win_susp_desktopimgdownldr_file.yml" }, + { + "title": ".RDP File Created by Outlook Process", + "id": "f748c45a-f8d3-4e6f-b617-fe176f695b8f", + "status": "experimental", + "description": "Detects the creation of files with the \".rdp\" extensions in the temporary directory that Outlook uses when opening attachments.\nThis can be used to detect spear-phishing campaigns that use RDP files as attachments.\n", + "author": "Florian Roth", + "tags": [ + "attack.defense-evasion" + ], + "falsepositives": [ + "Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.rdp' ESCAPE '\\' AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.Outlook\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Olk\\\\Attachments\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\')))" + ], + "filename": "file_event_win_office_outlook_rdp_file_creation.yml" + }, { "title": "HackTool - Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", @@ -13843,7 +13880,7 @@ { "title": "HackTool Named File Stream Created", "id": "19b041f6-e583-40dc-b842-d6fa8011493f", - "status": "experimental", + "status": "test", "description": "Detects the creation of a named file stream with the imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -13895,7 +13932,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((Contents LIKE '%.githubusercontent.com%' 
ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\'))" ], "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" }, 
@@ -14054,7 +14091,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((NewProcessName LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND Initiated = 'true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' 
ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((NewProcessName LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND Initiated = 'true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR 
DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))" ], "filename": "net_connection_win_susp_file_sharing_domains_susp_folders.yml" }, 
@@ -14075,7 +14112,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE 
'%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files 
(x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' 
ESCAPE '\\' AND NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Falkon\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\WhatsApp.exe' 
ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((NewProcessName LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR (NewProcessName = '') OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE ((Initiated = 'true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE 
'%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' 
ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program 
Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((NewProcessName LIKE 
'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Falkon\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (NewProcessName 
LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((NewProcessName LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR (NewProcessName = '') OR (NewProcessName = '')))" ], "filename": "net_connection_win_domain_dead_drop_resolvers.yml" }, 
@@ -14381,7 +14418,7 @@ { "title": "HackTool - EfsPotato Named Pipe Creation", "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", - "status": "experimental", + "status": "test", "description": "Detects the pattern of a pipe name as used by the hack tool EfsPotato", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -14897,7 +14934,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR 
RemoteName LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pixeldrain.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" ], "filename": "win_bits_client_new_transfer_via_file_sharing_domains.yml" }, @@ -16925,7 +16962,7 @@ { "title": "HackTool - NoFilter Execution", "id": "7b14c76a-c602-4ae6-9717-eff868153fc0", - "status": "experimental", + "status": "test", "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n", "author": "Stamatis Chatzimangou (st0pp3r)", "tags": [ 
@@ -20108,7 +20145,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName = 'curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' 
ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName = 'curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR 
CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE 
'%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" ], "filename": "proc_creation_win_curl_download_susp_file_sharing_domains.yml" }, @@ -20274,7 +20311,7 @@ "title": "Suspicious Windows Service Tampering", "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "status": "test", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts\n", "author": "Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior", "tags": [ "attack.defense-evasion", 
@@ -20285,7 +20322,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('net.exe', 'net1.exe', 'PowerShell.EXE', 'psservice.exe', 'pwsh.dll', 'sc.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (OriginalFileName IN ('net.exe', 'net1.exe', 'PowerShell.EXE', 'psservice.exe', 'pwsh.dll', 'sc.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%WSearch%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_service_tamper.yml" }, @@ -21686,7 +21723,7 @@ { "title": "Suspicious Process Execution From Fake Recycle.Bin Folder", "id": "5ce0f04e-3efc-42af-839d-5b3a543b76c0", - "status": "experimental", + "status": "test", "description": "Detects process execution from a fake recycle bin folder, often used to avoid security solution.", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -22722,7 +22759,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\'))" + "SELECT * FROM logs 
WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\'))" ], "filename": 
"proc_creation_win_powershell_download_susp_file_sharing_domains.yml" }, @@ -24554,7 +24591,7 @@ { "title": "HackTool - EDRSilencer Execution", "id": "eb2d07d4-49cb-4523-801a-da002df36602", - "status": "experimental", + "status": "test", "description": "Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.\n", "author": "@gott_cyber", "tags": [ @@ -24654,7 +24691,7 @@ { "title": "Forfiles.EXE Child Process Masquerading", "id": "f53714ec-5077-420e-ad20-907ff9bb2958", - "status": "experimental", + "status": "test", "description": "Detects the execution of \"forfiles\" from a non-default location, in order to potentially spawn a custom \"cmd.exe\" from the current working directory.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati", "tags": [ 
@@ -26244,7 +26281,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName = 'wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE 
'\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName = 'wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR 
CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE 
'\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" ], "filename": "proc_creation_win_wget_download_susp_file_sharing_domains.yml" }, @@ -26995,7 +27032,7 @@ { "title": "Renamed Cloudflared.EXE Execution", "id": "e0c69ebd-b54f-4aed-8ae3-e3467843f3f0", - "status": "experimental", + "status": "test", "description": "Detects the execution of a renamed \"cloudflared\" binary.", "tags": [ "attack.command-and-control", @@ -28335,7 +28372,7 @@ { "title": "Suspicious Greedy Compression Using Rar.EXE", "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", - "status": "experimental", + "status": "test", "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ diff --git a/rules/rules_windows_generic_medium.json b/rules/rules_windows_generic_medium.json index 39b5b6f..9555bc5 100644 --- a/rules/rules_windows_generic_medium.json +++ b/rules/rules_windows_generic_medium.json 
@@ -3585,7 +3585,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\')) AND (TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\') OR ((NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))))" + "SELECT * FROM 
logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\')) AND (TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\') OR ((NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))))" ], 
"filename": "" }, @@ -4402,7 +4402,7 @@ { "title": "Enable LM Hash Storage", "id": "c420410f-c2d8-4010-856b-dffe21866437", - "status": "experimental", + "status": "test", "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -5125,6 +5125,25 @@ ], "filename": "" }, + { + "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry", + "id": "a7df0e9e-91a5-459a-a003-4cde67c2ff5d", + "status": "test", + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "author": "Ahmed Farouk, Nasreddine Bencherchali", + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (((NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh%' ESCAPE '\\') AND (NewValue LIKE '% -e %' ESCAPE '\\' OR NewValue LIKE '% -ec %' ESCAPE '\\' OR NewValue LIKE '% -en %' ESCAPE '\\' OR NewValue LIKE '% -enc %' ESCAPE '\\' OR NewValue LIKE '% -enco%' ESCAPE '\\' OR NewValue LIKE '%ftp%' ESCAPE '\\' OR NewValue LIKE '%Hidden%' ESCAPE '\\' OR NewValue LIKE '%http%' ESCAPE '\\' OR NewValue LIKE '%iex%' ESCAPE '\\' OR NewValue LIKE '%Invoke-%' ESCAPE '\\')) OR (NewValue LIKE '%wmic%' ESCAPE '\\' AND (NewValue LIKE '%shadowcopy%' ESCAPE '\\' OR NewValue LIKE '%process call create%' ESCAPE '\\')))))" + ], + "filename": "" + }, { "title": "Macro Enabled In A Potentially Suspicious Document", "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", @@ -8068,7 +8087,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler", "id": "2bfc1373-0220-4fbd-8b10-33ddafd2a142", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ 
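Review bot: The new RunMRU rule matches only `OperationType='Existing registry value modified'`, so a command written into a not-yet-used MRU slot — which, as far as I can tell, 4657 reports as a value creation rather than a modification — would not fire, and the accompanying MRUList update presumably carries only slot letters in NewValue, not the command. Because this JSON is generated, the fix belongs in the Security-channel `registry_set` mapping of the conversion pipeline rather than in this file, e.g. emitting `OperationType IN ('New registry value created', 'Existing registry value modified')` (confirm the exact creation string the pipeline uses for 4657). It would also help to state in the description that 4657 is only produced when object-access auditing with a SACL on the Explorer\RunMRU key is enabled, since with `"falsepositives": ["Unknown"]` and level high a reader may otherwise assume default logging covers it.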
@@ -8086,7 +8105,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor", "id": "8fa65166-f463-4fd2-ad4f-1436133c52e1", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ @@ -11764,7 +11783,7 @@ { "title": "Tamper Windows Defender - ScriptBlockLogging", "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "status": "experimental", + "status": "test", "description": "Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -12575,7 +12594,7 @@ { "title": "Tamper Windows Defender - PSClassic", "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", - "status": "experimental", + "status": "test", "description": "Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -13042,7 +13061,7 @@ { "title": "Suspicious File Creation Activity From Fake Recycle.Bin Folder", "id": "cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca", - "status": "experimental", + "status": "test", "description": "Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -13837,10 +13856,10 @@ "filename": "" }, { - "title": "RDP File Creation From Suspicious Application", + "title": ".RDP File Created By Uncommon Application", "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "status": "test", - "description": "Detects Rclone config file being created", + "description": "Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense-evasion" 
@@ -13850,7 +13869,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\'" + "SELECT * FROM logs WHERE TargetFilename LIKE '%.rdp' ESCAPE '\\' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\olk.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\')" ], "filename": "" }, @@ -14187,7 +14206,7 @@ { "title": "Uncommon File Created In Office Startup Folder", "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", - "status": "experimental", + "status": "test", "description": "Detects the creation of a file with an uncommon extension in an Office application startup folder", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -14300,6 +14319,24 @@ ], "filename": "" }, + { + "title": ".RDP File Created by Outlook Process", + "id": "f748c45a-f8d3-4e6f-b617-fe176f695b8f", + "status": "experimental", + "description": "Detects the creation of files with the \".rdp\" extensions in the temporary directory that Outlook uses when opening attachments.\nThis can be used to detect spear-phishing campaigns that use RDP files as attachments.\n", + "author": "Florian Roth", + "tags": [ + "attack.defense-evasion" + ], + "falsepositives": [ + "Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE TargetFilename LIKE '%.rdp' ESCAPE '\\' AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.Outlook\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Olk\\\\Attachments\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\'))" + ], + "filename": "" + }, { "title": "HackTool - Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
@@ -14463,7 +14500,7 @@ { "title": "HackTool Named File Stream Created", "id": "19b041f6-e583-40dc-b842-d6fa8011493f", - "status": "experimental", + "status": "test", "description": "Detects the creation of a named file stream with the imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -14515,7 +14552,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Contents LIKE '%.githubusercontent.com%' 
ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\')" ], "filename": "" }, 
@@ -14696,7 +14733,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (Initiated='true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE 
'\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (Initiated='true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE 
'%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))" ], "filename": "" }, 
@@ -14717,7 +14754,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated='true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' 
ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND (NOT ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program 
Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' 
ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program 
Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR Image IS NULL OR Image=''))" + "SELECT * FROM logs WHERE (Initiated='true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname 
LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND (NOT ((Image LIKE 'C:\\\\Program 
Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR 
(Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 
'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' 
ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR Image IS NULL OR Image=''))" ], "filename": "" }, @@ -15058,7 +15095,7 @@ { "title": "HackTool - EfsPotato Named Pipe Creation", "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", - "status": "experimental", + "status": "test", "description": "Detects the pattern of a pipe name as used by the hack tool EfsPotato", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -15460,7 +15497,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Bits-Client/Operational' AND (EventID=16403 AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Bits-Client/Operational' AND (EventID=16403 AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName 
LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pixeldrain.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" ], "filename": "" }, @@ -17284,7 +17321,7 @@ { "title": "HackTool - NoFilter Execution", "id": "7b14c76a-c602-4ae6-9717-eff868153fc0", - "status": "experimental", + "status": "test", "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n", "author": "Stamatis Chatzimangou (st0pp3r)", "tags": [ 
@@ -20472,7 +20509,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName='curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE 
'\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName='curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE 
'%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' 
OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" ], "filename": "" }, @@ -20638,7 +20675,7 @@ "title": "Suspicious Windows Service Tampering", "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "status": "test", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts\n", "author": "Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior", "tags": [ "attack.defense-evasion", 
@@ -20649,7 +20686,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((OriginalFileName='net.exe' OR OriginalFileName='net1.exe' OR OriginalFileName='PowerShell.EXE' OR OriginalFileName='psservice.exe' OR OriginalFileName='pwsh.dll' OR OriginalFileName='sc.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((OriginalFileName='net.exe' OR OriginalFileName='net1.exe' OR OriginalFileName='PowerShell.EXE' OR OriginalFileName='psservice.exe' OR OriginalFileName='pwsh.dll' OR OriginalFileName='sc.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%WSearch%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\')))" ], "filename": "" }, @@ -21910,7 +21947,7 @@ { "title": "Suspicious Process Execution From Fake Recycle.Bin Folder", "id": "5ce0f04e-3efc-42af-839d-5b3a543b76c0", - "status": "experimental", + "status": "test", "description": "Detects process execution from a fake recycle bin folder, often used to avoid security solution.", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -22988,7 +23025,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (OriginalFileName='PowerShell.EXE' OR OriginalFileName='pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\')))" + "SELECT * FROM 
logs WHERE Channel='Security' AND (EventID=4688 AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (OriginalFileName='PowerShell.EXE' OR OriginalFileName='pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\')))" ], "filename": "" }, 
@@ -24782,7 +24819,7 @@ { "title": "HackTool - EDRSilencer Execution", "id": "eb2d07d4-49cb-4523-801a-da002df36602", - "status": "experimental", + "status": "test", "description": "Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.\n", "author": "@gott_cyber", "tags": [ @@ -24861,7 +24898,7 @@ { "title": "Forfiles.EXE Child Process Masquerading", "id": "f53714ec-5077-420e-ad20-907ff9bb2958", - "status": "experimental", + "status": "test", "description": "Detects the execution of \"forfiles\" from a non-default location, in order to potentially spawn a custom \"cmd.exe\" from the current working directory.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati", "tags": [ 
@@ -26435,7 +26472,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName='wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR 
CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName='wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE 
'%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine 
LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" ], "filename": "" }, @@ -27186,7 +27223,7 @@ { "title": "Renamed Cloudflared.EXE Execution", "id": "e0c69ebd-b54f-4aed-8ae3-e3467843f3f0", - "status": "experimental", + "status": "test", "description": "Detects the execution of a renamed \"cloudflared\" binary.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -28450,7 +28487,7 @@ { "title": "Suspicious Greedy Compression Using Rar.EXE", "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", - "status": "experimental", + "status": "test", "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ 
@@ -31007,10 +31044,29 @@ ], "filename": "" }, + { + "title": "Command Executed Via Run Dialog Box - Registry", + "id": "f9d091f6-f1c7-4873-a24f-050b4a02b4dd", + "status": "experimental", + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "author": "Ahmed Farouk, Nasreddine Bencherchali", + "tags": [ + "detection.threat-hunting", + "attack.execution" + ], + "falsepositives": [ + "Likely" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (NOT TargetObject LIKE '%\\\\MRUList' ESCAPE '\\') AND (NOT (NewValue LIKE '%ping%' ESCAPE '\\' OR (NewValue LIKE '\\%appdata\\%\\\\1' ESCAPE '\\' OR NewValue LIKE '\\%localappdata\\%\\\\1' ESCAPE '\\' OR NewValue LIKE '\\%public\\%\\\\1' ESCAPE '\\' OR NewValue LIKE '\\%temp\\%\\\\1' ESCAPE '\\' OR NewValue LIKE 'calc\\\\1' ESCAPE '\\' OR NewValue LIKE 'dxdiag\\\\1' ESCAPE '\\' OR NewValue LIKE 'explorer\\\\1' ESCAPE '\\' OR NewValue LIKE 'gpedit.msc\\\\1' ESCAPE '\\' OR NewValue LIKE 'mmc\\\\1' ESCAPE '\\' OR NewValue LIKE 'notepad\\\\1' ESCAPE '\\' OR NewValue LIKE 'regedit\\\\1' ESCAPE '\\' OR NewValue LIKE 'services.msc\\\\1' ESCAPE '\\' OR NewValue LIKE 'winver\\\\1' ESCAPE '\\')))))" + ], + "filename": "" + }, { "title": "Amsi.DLL Load By Uncommon Process", "id": "facd1549-e416-48e0-b8c4-41d7215eedc8", - "status": "experimental", + "status": "test", "description": "Detects loading of Amsi.dll by uncommon processes", "author": "frack113", "tags": [ 
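Review bot: The `NOT TargetObject LIKE '%\\\\MRUList'` exclusion in the new RunMRU rule only works if `TargetObject` carries the key path with the value name appended, as Sysmon's field does; a native Security 4657 event keeps the key in `ObjectName` and the value name in a separate `ObjectValueName`, so unless Zircolite's generic field mapping builds `TargetObject` as `ObjectName\ObjectValueName` for this channel, the `MRUList` bookkeeping write will fire on every Run-dialog use and the `calc\1`-style exclusions will never see the value name either. Worth confirming against the 4657 mapping; if only the key path is mapped, the exclusion should be `NOT ObjectValueName='MRUList'` while the `NewValue` filters keep working as they are. The `%ping%` filter is an unanchored, case-insensitive substring (SQLite LIKE), so a value such as `mapping.exe\1` is dropped as well, which looks inherited from the upstream Sigma rule rather than introduced here. The description also does not say that 4657 is only produced when a SACL audits the RunMRU key, which a user of the generic (non-Sysmon) ruleset needs to know.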
@@ -31484,6 +31540,26 @@ ], "filename": "" }, + { + "title": "Access To Browser Credential Files By Uncommon Applications - Security", + "id": "4b60e527-ec73-4b47-8cb3-f02ad927ca65", + "status": "experimental", + "description": "Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.\n", + "author": "Daniel Koifman (@Koifsec), Nasreddine Bencherchali", + "tags": [ + "attack.credential-access", + "attack.t1555.003", + "detection.threat-hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4663 AND ObjectType='File' AND AccessMask='0x1') AND ((ObjectName LIKE '%\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Local State%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\') OR (FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%\\\\places.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\')) AND (NOT (ProcessName='System' OR (ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))) AND (NOT (ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "Scheduled Task Deletion", "id": "4f86b304-3e02-40e3-aa5d-e88a167c9617", 
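Review bot: The new browser-credential rule mixes field names on one event type: the Chromium paths are tested on `ObjectName`, but the Firefox paths (`cookies.sqlite`, `key3.db`, `key4.db`, `logins.json`) are tested on `FileName`, which is not a field of Security 4663 — the full path is in `ObjectName`. Unless Zircolite's field mapping aliases `FileName` to `ObjectName` for this channel, the Firefox half of the rule can never match; the three terms should then read `ObjectName LIKE '%\\\\cookies.sqlite' ESCAPE '\\'` and so on. Separately, `AccessMask='0x1'` is an exact string compare, so a handle requesting ReadData together with other rights (a different hex value) is not caught; that looks inherited from the upstream Sigma rule and may be deliberate to limit noise, but it should be stated in the description next to the existing "requires heavy baselining" caveat. The description also omits that 4663 needs a file-system SACL on the profile directory to be produced at all.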
@@ -32049,7 +32125,7 @@ { "title": "Compressed File Extraction Via Tar.EXE", "id": "bf361876-6620-407a-812f-bfe11e51e924", - "status": "experimental", + "status": "test", "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n", "author": "AdmU3", "tags": [ @@ -32165,7 +32241,7 @@ { "title": "Firewall Configuration Discovery Via Netsh.EXE", "id": "0e4164da-94bc-450d-a7be-a4b176179f1f", - "status": "experimental", + "status": "test", "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ @@ -32456,7 +32532,7 @@ { "title": "Compressed File Creation Via Tar.EXE", "id": "418a3163-3247-4b7b-9933-dcfcb7c52ea9", - "status": "experimental", + "status": "test", "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3", "tags": [ @@ -33224,7 +33300,7 @@ { "title": "Potential Persistence Via AppCompat RegisterAppRestart Layer", "id": "b86852fb-4c77-48f9-8519-eb1b2c308b59", - "status": "experimental", + "status": "test", "description": "Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.\nThis compatibility layer allows an application to register for restart using the \"RegisterApplicationRestart\" API.\nThis can be potentially abused as a persistence mechanism.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -33495,7 +33571,7 @@ { "title": "Potential PowerShell Execution Policy Tampering", "id": "fad91067-08c5-4d1a-8d8c-d96a21b37814", - "status": "experimental", + "status": "test", "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -33762,7 +33838,7 @@ { "title": "Potentially Suspicious Desktop Background Change Via Registry", "id": "85b88e05-dadc-430b-8a9e-53ff1cd30aae", - "status": "experimental", + "status": "test", "description": "Detects registry value settings that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)", "tags": [ @@ -35010,7 +35086,7 @@ { "title": "DLL Names Used By SVR For GraphicalProton Backdoor", "id": "e64c8ef3-9f98-40c8-b71e-96110991cb4c", - "status": "experimental", + "status": "test", "description": "Hunts known SVR-specific DLL names.", "author": "CISA", "tags": [ 
@@ -35109,7 +35185,7 @@ { "title": "Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE", "id": "e5144106-8198-4f6e-bfc2-0a551cc8dd94", - "status": "experimental", + "status": "test", "description": "Detects the execution of concatenated commands via \"cmd.exe\". Pikabot often executes a combination of multiple commands via the command handler \"cmd /c\" in order to download and execute additional payloads.\nCommands such as \"curl\", \"wget\" in order to download extra payloads. \"ping\" and \"timeout\" are abused to introduce delays in the command execution and \"Rundll32\" is also used to execute malicious DLL files.\nIn the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.\n", "author": "Alejandro Houspanossian ('@lekz86')", "tags": [ @@ -35463,7 +35539,7 @@ { "title": "Potential Direct Syscall of NtOpenProcess", "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", - "status": "experimental", + "status": "test", "description": "Detects potential calls to NtOpenProcess directly from NTDLL.", "author": "Christian Burkard (Nextron Systems), Tim Shelton (FP)", "tags": [ 
@@ -37630,25 +37706,6 @@ ], "filename": "" }, - { - "title": "Powershell Exfiltration Over SMTP", - "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", - "status": "test", - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "author": "frack113", - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], - "falsepositives": [ - "Legitimate script" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel='Microsoft-Windows-PowerShell/Operational' OR Channel='PowerShellCore/Operational') AND (EventID=4104 AND (ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND (NOT ScriptBlockText LIKE '%CmdletsToExport%' ESCAPE '\\')))" - ], - "filename": "" - }, { "title": "Certificate Exported Via PowerShell - ScriptBlock", "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", @@ -38501,7 +38558,7 @@ { "title": "Cloudflared Tunnels Related DNS Requests", "id": "a1d9eec5-33b2-4177-8d24-27fe754d0812", - "status": "experimental", + "status": "test", "description": "Detects DNS requests to Cloudflared tunnels domains.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -39271,7 +39328,7 @@ { "title": "PSScriptPolicyTest Creation By Uncommon Process", "id": "1027d292-dd87-4a1a-8701-2abe04d7783c", - "status": "experimental", + "status": "test", "description": "Detects the creation of the \"PSScriptPolicyTest\" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -40165,7 +40222,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE 
'\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\')" ], "filename": "" }, @@ -40331,7 +40388,7 @@ { "title": "Suspicious Wordpad Outbound Connections", "id": "786cdae8-fefb-4eb2-9227-04e34060db01", - "status": "experimental", + "status": "test", "description": "Detects a network connection initiated by \"wordpad.exe\" over uncommon destination ports.\nThis might indicate potential process injection activity from a beacon or similar mechanisms.\n", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -42586,7 +42643,7 @@ { "title": "Potentially Suspicious AccessMask Requested From LSASS", "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", - "status": "experimental", + "status": "test", "description": "Detects process handle on LSASS process with certain access mask", "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", "tags": [ @@ -43187,6 +43244,26 @@ ], "filename": "" }, + { + "title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet", + "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", + "status": "test", + "description": "Detects the execution of a PowerShell script with a call to the \"Send-MailMessage\" cmdlet along with the \"-Attachments\" flag. This could be a potential sign of data exfiltration via Email.\nAdversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n", + "author": "frack113", + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "detection.threat-hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel='Microsoft-Windows-PowerShell/Operational' OR Channel='PowerShellCore/Operational') AND (EventID=4104 AND ScriptBlockText LIKE '%Send-MailMessage%-Attachments%' ESCAPE '\\')" + ], + "filename": "" + }, { "title": "SMB over QUIC Via PowerShell Script", "id": "6df07c3b-8456-4f8b-87bb-fe31ec964cae", @@ -43293,7 +43370,7 @@ { "title": "Access To Sysvol Policies Share By Uncommon Process", "id": "8344c19f-a023-45ff-ad63-a01c5396aea0", - "status": "experimental", + "status": "test", "description": "Detects file access requests to the Windows Sysvol Policies Share by uncommon processes", "author": "frack113", "tags": [ 
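Review bot: The re-added Send-MailMessage rule now matches a single ordered pattern `'%Send-MailMessage%-Attachments%'`, which requires `-Attachments` to appear after the cmdlet name inside the same script block; PowerShell also accepts the unambiguous prefix `-Attach`, and a splatted call (`Send-MailMessage @p` with `Attachments` set in a hashtable earlier) puts the parameter name before the cmdlet, so both forms slip past the rule although the removed `%Send-MailMessage%` form caught them. If the intent is an unordered AND of the two tokens, the converted SQL should be `ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Attach%' ESCAPE '\\'`; this most likely originates in the upstream Sigma rule, so the fix belongs there or in a local override. The former `CmdletsToExport` exclusion that kept module-manifest loads out of the results was dropped at the same time, which is probably fine now that an attachment flag is required but deserves a check against a baseline.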
@@ -45919,7 +45996,7 @@ { "title": "Potentially Suspicious Desktop Background Change Using Reg.EXE", "id": "8cbc9475-8d05-4e27-9c32-df960716c701", - "status": "experimental", + "status": "test", "description": "Detects the execution of \"reg.exe\" to alter registry keys that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", "author": "Stephen Lincoln @slincoln-aiq (AttackIQ)", "tags": [ @@ -46211,7 +46288,7 @@ { "title": "Potentially Suspicious Command Targeting Teams Sensitive Files", "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", - "status": "experimental", + "status": "test", "description": "Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.\nThe database might contain authentication tokens and other sensitive information about the logged in accounts.\n", "author": "@SerkinValery", "tags": [ @@ -46459,7 +46536,7 @@ { "title": "Cloudflared Tunnel Execution", "id": "9a019ffc-3580-4c9d-8d87-079f7e8d3fd4", - "status": "experimental", + "status": "test", "description": "Detects execution of the \"cloudflared\" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.", "author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -47764,7 +47841,7 @@ { "title": "Uncommon Child Process Of Conhost.EXE", "id": "7dc2dedd-7603-461a-bc13-15803d132355", - "status": "experimental", + "status": "test", "description": "Detects uncommon \"conhost\" child processes. This could be a sign of \"conhost\" usage as a LOLBIN or potential process injection activity.", "author": "omkar72", "tags": [ 
@@ -49089,7 +49166,7 @@ { "title": "Cloudflared Tunnel Connections Cleanup", "id": "7050bba1-1aed-454e-8f73-3f46f09ce56a", - "status": "experimental", + "status": "test", "description": "Detects execution of the \"cloudflared\" tool with the tunnel \"cleanup\" flag in order to cleanup tunnel connections.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -49110,7 +49187,7 @@ { "title": "Uncommon System Information Discovery Via Wmic.EXE", "id": "9d5a1274-922a-49d0-87f3-8c653483b909", - "status": "experimental", + "status": "test", "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", "author": "TropChaud", "tags": [ @@ -49750,7 +49827,7 @@ { "title": "PUA - Process Hacker Execution", "id": "811e0002-b13b-4a15-9d00-a613fce66e42", - "status": "experimental", + "status": "test", "description": "Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).\nProcess Hacker is a tool to view and manipulate processes, kernel options and other low level options.\nThreat actors abused older vulnerable versions to manipulate system processes.\n", "author": "Florian Roth (Nextron Systems)", "tags": [ @@ -50320,7 +50397,7 @@ { "title": "Binary Proxy Execution Via Dotnet-Trace.EXE", "id": "9257c05b-4a4a-48e5-a670-b7b073cf401b", - "status": "experimental", + "status": "test", "description": "Detects commandline arguments for executing a child process via dotnet-trace.exe", "author": "Jimmy Bayne (@bohops)", "tags": [ 
@@ -52335,7 +52412,7 @@ { "title": "Cscript/Wscript Potentially Suspicious Child Process", "id": "b6676963-0353-4f88-90f5-36c20d443c6a", - "status": "experimental", + "status": "test", "description": "Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.\nMalware such as Pikabot and Qakbot were seen using similar techniques as well as many others.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')", "tags": [ @@ -52488,7 +52565,7 @@ { "title": "Cloudflared Portable Execution", "id": "fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd", - "status": "experimental", + "status": "test", "description": "Detects the execution of the \"cloudflared\" binary from a non standard location.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -53282,7 +53359,7 @@ { "title": "Cloudflared Quick Tunnel Execution", "id": "222129f7-f4dc-4568-b0d2-22440a9639ba", - "status": "experimental", + "status": "test", "description": "Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.\nThe free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.\nThe tool has been observed in use by threat groups including Akira ransomware.\n", "author": "Sajid Nawaz Khan", "tags": [ @@ -53720,7 +53797,7 @@ "filename": "" }, { - "title": "Suspicious Schtasks From Env Var Folder", + "title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE", "id": "81325ce1-be01-4250-944f-b4789644556f", "status": "test", "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", 
@@ -53735,7 +53812,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT ((ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\' OR CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\') OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\' OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))" ], "filename": "" }, diff --git a/rules/rules_windows_generic_pysigma.json b/rules/rules_windows_generic_pysigma.json index 39b5b6f..9555bc5 100644 --- a/rules/rules_windows_generic_pysigma.json +++ b/rules/rules_windows_generic_pysigma.json 
@@ -3585,7 +3585,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\')) AND (TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\') OR ((NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))))" + "SELECT * FROM 
logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\')) AND (TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\') OR ((NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (NewValue LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))))" ], 
"filename": "" }, @@ -4402,7 +4402,7 @@ { "title": "Enable LM Hash Storage", "id": "c420410f-c2d8-4010-856b-dffe21866437", - "status": "experimental", + "status": "test", "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -5125,6 +5125,25 @@ ], "filename": "" }, + { + "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry", + "id": "a7df0e9e-91a5-459a-a003-4cde67c2ff5d", + "status": "test", + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "author": "Ahmed Farouk, Nasreddine Bencherchali", + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (((NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh%' ESCAPE '\\') AND (NewValue LIKE '% -e %' ESCAPE '\\' OR NewValue LIKE '% -ec %' ESCAPE '\\' OR NewValue LIKE '% -en %' ESCAPE '\\' OR NewValue LIKE '% -enc %' ESCAPE '\\' OR NewValue LIKE '% -enco%' ESCAPE '\\' OR NewValue LIKE '%ftp%' ESCAPE '\\' OR NewValue LIKE '%Hidden%' ESCAPE '\\' OR NewValue LIKE '%http%' ESCAPE '\\' OR NewValue LIKE '%iex%' ESCAPE '\\' OR NewValue LIKE '%Invoke-%' ESCAPE '\\')) OR (NewValue LIKE '%wmic%' ESCAPE '\\' AND (NewValue LIKE '%shadowcopy%' ESCAPE '\\' OR NewValue LIKE '%process call create%' ESCAPE '\\')))))" + ], + "filename": "" + }, { "title": "Macro Enabled In A Potentially Suspicious Document", "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", @@ -8068,7 +8087,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler", "id": "2bfc1373-0220-4fbd-8b10-33ddafd2a142", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ 
@@ -8086,7 +8105,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor", "id": "8fa65166-f463-4fd2-ad4f-1436133c52e1", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ @@ -11764,7 +11783,7 @@ { "title": "Tamper Windows Defender - ScriptBlockLogging", "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "status": "experimental", + "status": "test", "description": "Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -12575,7 +12594,7 @@ { "title": "Tamper Windows Defender - PSClassic", "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", - "status": "experimental", + "status": "test", "description": "Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -13042,7 +13061,7 @@ { "title": "Suspicious File Creation Activity From Fake Recycle.Bin Folder", "id": "cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca", - "status": "experimental", + "status": "test", "description": "Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -13837,10 +13856,10 @@ "filename": "" }, { - "title": "RDP File Creation From Suspicious Application", + "title": ".RDP File Created By Uncommon Application", "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "status": "test", - "description": "Detects Rclone config file being created", + "description": "Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense-evasion" 
@@ -13850,7 +13869,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\'" + "SELECT * FROM logs WHERE TargetFilename LIKE '%.rdp' ESCAPE '\\' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\olk.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\')" ], "filename": "" }, @@ -14187,7 +14206,7 @@ { "title": "Uncommon File Created In Office Startup Folder", "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", - "status": "experimental", + "status": "test", "description": "Detects the creation of a file with an uncommon extension in an Office application startup folder", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -14300,6 +14319,24 @@ ], "filename": "" }, + { + "title": ".RDP File Created by Outlook Process", + "id": "f748c45a-f8d3-4e6f-b617-fe176f695b8f", + "status": "experimental", + "description": "Detects the creation of files with the \".rdp\" extensions in the temporary directory that Outlook uses when opening attachments.\nThis can be used to detect spear-phishing campaigns that use RDP files as attachments.\n", + "author": "Florian Roth", + "tags": [ + "attack.defense-evasion" + ], + "falsepositives": [ + "Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE TargetFilename LIKE '%.rdp' ESCAPE '\\' AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.Outlook\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Olk\\\\Attachments\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\'))" + ], + "filename": "" + }, { "title": "HackTool - Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
@@ -14463,7 +14500,7 @@ { "title": "HackTool Named File Stream Created", "id": "19b041f6-e583-40dc-b842-d6fa8011493f", - "status": "experimental", + "status": "test", "description": "Detects the creation of a named file stream with the imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -14515,7 +14552,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Contents LIKE '%.githubusercontent.com%' 
ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\')" ], "filename": "" }, 
@@ -14696,7 +14733,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (Initiated='true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE 
'\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (Initiated='true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE 
'%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))" ], "filename": "" }, 
@@ -14717,7 +14754,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Initiated='true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' 
ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND (NOT ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program 
Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' 
ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program 
Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR Image IS NULL OR Image=''))" + "SELECT * FROM logs WHERE (Initiated='true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname 
LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND (NOT ((Image LIKE 'C:\\\\Program 
Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR 
(Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 
'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' 
ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR Image IS NULL OR Image=''))" ], "filename": "" }, @@ -15058,7 +15095,7 @@ { "title": "HackTool - EfsPotato Named Pipe Creation", "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", - "status": "experimental", + "status": "test", "description": "Detects the pattern of a pipe name as used by the hack tool EfsPotato", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -15460,7 +15497,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Bits-Client/Operational' AND (EventID=16403 AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Bits-Client/Operational' AND (EventID=16403 AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName 
LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pixeldrain.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" ], "filename": "" }, @@ -17284,7 +17321,7 @@ { "title": "HackTool - NoFilter Execution", "id": "7b14c76a-c602-4ae6-9717-eff868153fc0", - "status": "experimental", + "status": "test", "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n", "author": "Stamatis Chatzimangou (st0pp3r)", "tags": [ 
@@ -20472,7 +20509,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName='curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE 
'\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName='curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE 
'%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' 
OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" ], "filename": "" }, @@ -20638,7 +20675,7 @@ "title": "Suspicious Windows Service Tampering", "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "status": "test", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts\n", "author": "Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior", "tags": [ "attack.defense-evasion", 
@@ -20649,7 +20686,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((OriginalFileName='net.exe' OR OriginalFileName='net1.exe' OR OriginalFileName='PowerShell.EXE' OR OriginalFileName='psservice.exe' OR OriginalFileName='pwsh.dll' OR OriginalFileName='sc.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((OriginalFileName='net.exe' OR OriginalFileName='net1.exe' OR OriginalFileName='PowerShell.EXE' OR OriginalFileName='psservice.exe' OR OriginalFileName='pwsh.dll' OR OriginalFileName='sc.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%WSearch%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\')))" ], "filename": "" }, @@ -21910,7 +21947,7 @@ { "title": "Suspicious Process Execution From Fake Recycle.Bin Folder", "id": "5ce0f04e-3efc-42af-839d-5b3a543b76c0", - "status": "experimental", + "status": "test", "description": "Detects process execution from a fake recycle bin folder, often used to avoid security solution.", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -22988,7 +23025,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (OriginalFileName='PowerShell.EXE' OR OriginalFileName='pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\')))" + "SELECT * FROM 
logs WHERE Channel='Security' AND (EventID=4688 AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (OriginalFileName='PowerShell.EXE' OR OriginalFileName='pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\')))" ], "filename": "" }, 
@@ -24782,7 +24819,7 @@ { "title": "HackTool - EDRSilencer Execution", "id": "eb2d07d4-49cb-4523-801a-da002df36602", - "status": "experimental", + "status": "test", "description": "Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.\n", "author": "@gott_cyber", "tags": [ @@ -24861,7 +24898,7 @@ { "title": "Forfiles.EXE Child Process Masquerading", "id": "f53714ec-5077-420e-ad20-907ff9bb2958", - "status": "experimental", + "status": "test", "description": "Detects the execution of \"forfiles\" from a non-default location, in order to potentially spawn a custom \"cmd.exe\" from the current working directory.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati", "tags": [ 
@@ -26435,7 +26472,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName='wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR 
CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName='wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE 
'%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine 
LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" ], "filename": "" }, @@ -27186,7 +27223,7 @@ { "title": "Renamed Cloudflared.EXE Execution", "id": "e0c69ebd-b54f-4aed-8ae3-e3467843f3f0", - "status": "experimental", + "status": "test", "description": "Detects the execution of a renamed \"cloudflared\" binary.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -28450,7 +28487,7 @@ { "title": "Suspicious Greedy Compression Using Rar.EXE", "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", - "status": "experimental", + "status": "test", "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ 
@@ -31007,10 +31044,29 @@ ], "filename": "" }, + { + "title": "Command Executed Via Run Dialog Box - Registry", + "id": "f9d091f6-f1c7-4873-a24f-050b4a02b4dd", + "status": "experimental", + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "author": "Ahmed Farouk, Nasreddine Bencherchali", + "tags": [ + "detection.threat-hunting", + "attack.execution" + ], + "falsepositives": [ + "Likely" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (NOT TargetObject LIKE '%\\\\MRUList' ESCAPE '\\') AND (NOT (NewValue LIKE '%ping%' ESCAPE '\\' OR (NewValue LIKE '\\%appdata\\%\\\\1' ESCAPE '\\' OR NewValue LIKE '\\%localappdata\\%\\\\1' ESCAPE '\\' OR NewValue LIKE '\\%public\\%\\\\1' ESCAPE '\\' OR NewValue LIKE '\\%temp\\%\\\\1' ESCAPE '\\' OR NewValue LIKE 'calc\\\\1' ESCAPE '\\' OR NewValue LIKE 'dxdiag\\\\1' ESCAPE '\\' OR NewValue LIKE 'explorer\\\\1' ESCAPE '\\' OR NewValue LIKE 'gpedit.msc\\\\1' ESCAPE '\\' OR NewValue LIKE 'mmc\\\\1' ESCAPE '\\' OR NewValue LIKE 'notepad\\\\1' ESCAPE '\\' OR NewValue LIKE 'regedit\\\\1' ESCAPE '\\' OR NewValue LIKE 'services.msc\\\\1' ESCAPE '\\' OR NewValue LIKE 'winver\\\\1' ESCAPE '\\')))))" + ], + "filename": "" + }, { "title": "Amsi.DLL Load By Uncommon Process", "id": "facd1549-e416-48e0-b8c4-41d7215eedc8", - "status": "experimental", + "status": "test", "description": "Detects loading of Amsi.dll by uncommon processes", "author": "frack113", "tags": [ 
@@ -31484,6 +31540,26 @@ ], "filename": "" }, + { + "title": "Access To Browser Credential Files By Uncommon Applications - Security", + "id": "4b60e527-ec73-4b47-8cb3-f02ad927ca65", + "status": "experimental", + "description": "Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.\n", + "author": "Daniel Koifman (@Koifsec), Nasreddine Bencherchali", + "tags": [ + "attack.credential-access", + "attack.t1555.003", + "detection.threat-hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4663 AND ObjectType='File' AND AccessMask='0x1') AND ((ObjectName LIKE '%\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Local State%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\') OR (FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%\\\\places.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\')) AND (NOT (ProcessName='System' OR (ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))) AND (NOT (ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "Scheduled Task Deletion", "id": "4f86b304-3e02-40e3-aa5d-e88a167c9617", 
@@ -32049,7 +32125,7 @@ { "title": "Compressed File Extraction Via Tar.EXE", "id": "bf361876-6620-407a-812f-bfe11e51e924", - "status": "experimental", + "status": "test", "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n", "author": "AdmU3", "tags": [ @@ -32165,7 +32241,7 @@ { "title": "Firewall Configuration Discovery Via Netsh.EXE", "id": "0e4164da-94bc-450d-a7be-a4b176179f1f", - "status": "experimental", + "status": "test", "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ @@ -32456,7 +32532,7 @@ { "title": "Compressed File Creation Via Tar.EXE", "id": "418a3163-3247-4b7b-9933-dcfcb7c52ea9", - "status": "experimental", + "status": "test", "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3", "tags": [ @@ -33224,7 +33300,7 @@ { "title": "Potential Persistence Via AppCompat RegisterAppRestart Layer", "id": "b86852fb-4c77-48f9-8519-eb1b2c308b59", - "status": "experimental", + "status": "test", "description": "Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.\nThis compatibility layer allows an application to register for restart using the \"RegisterApplicationRestart\" API.\nThis can be potentially abused as a persistence mechanism.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -33495,7 +33571,7 @@ { "title": "Potential PowerShell Execution Policy Tampering", "id": "fad91067-08c5-4d1a-8d8c-d96a21b37814", - "status": "experimental", + "status": "test", "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -33762,7 +33838,7 @@ { "title": "Potentially Suspicious Desktop Background Change Via Registry", "id": "85b88e05-dadc-430b-8a9e-53ff1cd30aae", - "status": "experimental", + "status": "test", "description": "Detects registry value settings that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)", "tags": [ @@ -35010,7 +35086,7 @@ { "title": "DLL Names Used By SVR For GraphicalProton Backdoor", "id": "e64c8ef3-9f98-40c8-b71e-96110991cb4c", - "status": "experimental", + "status": "test", "description": "Hunts known SVR-specific DLL names.", "author": "CISA", "tags": [ 
@@ -35109,7 +35185,7 @@ { "title": "Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE", "id": "e5144106-8198-4f6e-bfc2-0a551cc8dd94", - "status": "experimental", + "status": "test", "description": "Detects the execution of concatenated commands via \"cmd.exe\". Pikabot often executes a combination of multiple commands via the command handler \"cmd /c\" in order to download and execute additional payloads.\nCommands such as \"curl\", \"wget\" in order to download extra payloads. \"ping\" and \"timeout\" are abused to introduce delays in the command execution and \"Rundll32\" is also used to execute malicious DLL files.\nIn the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.\n", "author": "Alejandro Houspanossian ('@lekz86')", "tags": [ @@ -35463,7 +35539,7 @@ { "title": "Potential Direct Syscall of NtOpenProcess", "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", - "status": "experimental", + "status": "test", "description": "Detects potential calls to NtOpenProcess directly from NTDLL.", "author": "Christian Burkard (Nextron Systems), Tim Shelton (FP)", "tags": [ 
@@ -37630,25 +37706,6 @@ ], "filename": "" }, - { - "title": "Powershell Exfiltration Over SMTP", - "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", - "status": "test", - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "author": "frack113", - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], - "falsepositives": [ - "Legitimate script" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel='Microsoft-Windows-PowerShell/Operational' OR Channel='PowerShellCore/Operational') AND (EventID=4104 AND (ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND (NOT ScriptBlockText LIKE '%CmdletsToExport%' ESCAPE '\\')))" - ], - "filename": "" - }, { "title": "Certificate Exported Via PowerShell - ScriptBlock", "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", @@ -38501,7 +38558,7 @@ { "title": "Cloudflared Tunnels Related DNS Requests", "id": "a1d9eec5-33b2-4177-8d24-27fe754d0812", - "status": "experimental", + "status": "test", "description": "Detects DNS requests to Cloudflared tunnels domains.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -39271,7 +39328,7 @@ { "title": "PSScriptPolicyTest Creation By Uncommon Process", "id": "1027d292-dd87-4a1a-8701-2abe04d7783c", - "status": "experimental", + "status": "test", "description": "Detects the creation of the \"PSScriptPolicyTest\" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -40165,7 +40222,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE 
'\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\')" ], "filename": "" }, @@ -40331,7 +40388,7 @@ { "title": "Suspicious Wordpad Outbound Connections", "id": "786cdae8-fefb-4eb2-9227-04e34060db01", - "status": "experimental", + "status": "test", "description": "Detects a network connection initiated by \"wordpad.exe\" over uncommon destination ports.\nThis might indicate potential process injection activity from a beacon or similar mechanisms.\n", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -42586,7 +42643,7 @@ { "title": "Potentially Suspicious AccessMask Requested From LSASS", "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", - "status": "experimental", + "status": "test", "description": "Detects process handle on LSASS process with certain access mask", "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", "tags": [ @@ -43187,6 +43244,26 @@ ], "filename": "" }, + { + "title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet", + "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", + "status": "test", + "description": "Detects the execution of a PowerShell script with a call to the \"Send-MailMessage\" cmdlet along with the \"-Attachments\" flag. This could be a potential sign of data exfiltration via Email.\nAdversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n", + "author": "frack113", + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "detection.threat-hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel='Microsoft-Windows-PowerShell/Operational' OR Channel='PowerShellCore/Operational') AND (EventID=4104 AND ScriptBlockText LIKE '%Send-MailMessage%-Attachments%' ESCAPE '\\')" + ], + "filename": "" + }, { "title": "SMB over QUIC Via PowerShell Script", "id": "6df07c3b-8456-4f8b-87bb-fe31ec964cae", @@ -43293,7 +43370,7 @@ { "title": "Access To Sysvol Policies Share By Uncommon Process", "id": "8344c19f-a023-45ff-ad63-a01c5396aea0", - "status": "experimental", + "status": "test", "description": "Detects file access requests to the Windows Sysvol Policies Share by uncommon processes", "author": "frack113", "tags": [ 
@@ -45919,7 +45996,7 @@ { "title": "Potentially Suspicious Desktop Background Change Using Reg.EXE", "id": "8cbc9475-8d05-4e27-9c32-df960716c701", - "status": "experimental", + "status": "test", "description": "Detects the execution of \"reg.exe\" to alter registry keys that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", "author": "Stephen Lincoln @slincoln-aiq (AttackIQ)", "tags": [ @@ -46211,7 +46288,7 @@ { "title": "Potentially Suspicious Command Targeting Teams Sensitive Files", "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", - "status": "experimental", + "status": "test", "description": "Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.\nThe database might contain authentication tokens and other sensitive information about the logged in accounts.\n", "author": "@SerkinValery", "tags": [ @@ -46459,7 +46536,7 @@ { "title": "Cloudflared Tunnel Execution", "id": "9a019ffc-3580-4c9d-8d87-079f7e8d3fd4", - "status": "experimental", + "status": "test", "description": "Detects execution of the \"cloudflared\" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.", "author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -47764,7 +47841,7 @@ { "title": "Uncommon Child Process Of Conhost.EXE", "id": "7dc2dedd-7603-461a-bc13-15803d132355", - "status": "experimental", + "status": "test", "description": "Detects uncommon \"conhost\" child processes. This could be a sign of \"conhost\" usage as a LOLBIN or potential process injection activity.", "author": "omkar72", "tags": [ 
@@ -49089,7 +49166,7 @@ { "title": "Cloudflared Tunnel Connections Cleanup", "id": "7050bba1-1aed-454e-8f73-3f46f09ce56a", - "status": "experimental", + "status": "test", "description": "Detects execution of the \"cloudflared\" tool with the tunnel \"cleanup\" flag in order to cleanup tunnel connections.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -49110,7 +49187,7 @@ { "title": "Uncommon System Information Discovery Via Wmic.EXE", "id": "9d5a1274-922a-49d0-87f3-8c653483b909", - "status": "experimental", + "status": "test", "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", "author": "TropChaud", "tags": [ @@ -49750,7 +49827,7 @@ { "title": "PUA - Process Hacker Execution", "id": "811e0002-b13b-4a15-9d00-a613fce66e42", - "status": "experimental", + "status": "test", "description": "Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).\nProcess Hacker is a tool to view and manipulate processes, kernel options and other low level options.\nThreat actors abused older vulnerable versions to manipulate system processes.\n", "author": "Florian Roth (Nextron Systems)", "tags": [ @@ -50320,7 +50397,7 @@ { "title": "Binary Proxy Execution Via Dotnet-Trace.EXE", "id": "9257c05b-4a4a-48e5-a670-b7b073cf401b", - "status": "experimental", + "status": "test", "description": "Detects commandline arguments for executing a child process via dotnet-trace.exe", "author": "Jimmy Bayne (@bohops)", "tags": [ 
@@ -52335,7 +52412,7 @@ { "title": "Cscript/Wscript Potentially Suspicious Child Process", "id": "b6676963-0353-4f88-90f5-36c20d443c6a", - "status": "experimental", + "status": "test", "description": "Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.\nMalware such as Pikabot and Qakbot were seen using similar techniques as well as many others.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')", "tags": [ @@ -52488,7 +52565,7 @@ { "title": "Cloudflared Portable Execution", "id": "fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd", - "status": "experimental", + "status": "test", "description": "Detects the execution of the \"cloudflared\" binary from a non standard location.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -53282,7 +53359,7 @@ { "title": "Cloudflared Quick Tunnel Execution", "id": "222129f7-f4dc-4568-b0d2-22440a9639ba", - "status": "experimental", + "status": "test", "description": "Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.\nThe free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.\nThe tool has been observed in use by threat groups including Akira ransomware.\n", "author": "Sajid Nawaz Khan", "tags": [ @@ -53720,7 +53797,7 @@ "filename": "" }, { - "title": "Suspicious Schtasks From Env Var Folder", + "title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE", "id": "81325ce1-be01-4250-944f-b4789644556f", "status": "test", "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", 
@@ -53735,7 +53812,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE 
'%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT ((ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\' OR CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\') OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\' OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE 
'%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))" ], "filename": "" }, diff --git a/rules/rules_windows_sysmon.json b/rules/rules_windows_sysmon.json index 771dac4..df9e082 100644 --- a/rules/rules_windows_sysmon.json +++ b/rules/rules_windows_sysmon.json 
@@ -562,7 +562,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\')) AND ((Details LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\\\%' ESCAPE '\\')) AND ((Details LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_persistence_com_hijacking_builtin.yml" }, 
@@ -1379,7 +1379,7 @@ { "title": "Enable LM Hash Storage", "id": "c420410f-c2d8-4010-856b-dffe21866437", - "status": "experimental", + "status": "test", "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -2102,6 +2102,25 @@ ], "filename": "registry_set_chrome_extension.yml" }, + { + "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry", + "id": "a7df0e9e-91a5-459a-a003-4cde67c2ff5d", + "status": "test", + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "author": "Ahmed Farouk, Nasreddine Bencherchali", + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (((Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%pwsh%' ESCAPE '\\') AND (Details LIKE '% -e %' ESCAPE '\\' OR Details LIKE '% -ec %' ESCAPE '\\' OR Details LIKE '% -en %' ESCAPE '\\' OR Details LIKE '% -enc %' ESCAPE '\\' OR Details LIKE '% -enco%' ESCAPE '\\' OR Details LIKE '%ftp%' ESCAPE '\\' OR Details LIKE '%Hidden%' ESCAPE '\\' OR Details LIKE '%http%' ESCAPE '\\' OR Details LIKE '%iex%' ESCAPE '\\' OR Details LIKE '%Invoke-%' ESCAPE '\\')) OR (Details LIKE '%wmic%' ESCAPE '\\' AND (Details LIKE '%shadowcopy%' ESCAPE '\\' OR Details LIKE '%process call create%' ESCAPE '\\'))))" + ], + "filename": "registry_set_runmru_susp_command_execution.yml" + }, { "title": "Macro Enabled In A Potentially Suspicious Document", "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", 
@@ -6321,7 +6340,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler", "id": "2bfc1373-0220-4fbd-8b10-33ddafd2a142", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ @@ -6339,7 +6358,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor", "id": "8fa65166-f463-4fd2-ad4f-1436133c52e1", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ @@ -10952,7 +10971,7 @@ { "title": "Tamper Windows Defender - ScriptBlockLogging", "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "status": "experimental", + "status": "test", "description": "Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -11782,7 +11801,7 @@ { "title": "Tamper Windows Defender - PSClassic", "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", - "status": "experimental", + "status": "test", "description": "Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -12306,7 +12325,7 @@ { "title": "Suspicious File Creation Activity From Fake Recycle.Bin Folder", "id": "cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca", - "status": "experimental", + "status": "test", "description": "Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -13160,10 +13179,10 @@ "filename": "file_event_win_tsclient_filewrite_startup.yml" }, { - "title": "RDP File Creation From Suspicious Application", + "title": ".RDP File Created By Uncommon Application", "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "status": "test", - "description": "Detects Rclone config file being created", + "description": "Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense-evasion" 
@@ -13173,7 +13192,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%.rdp' ESCAPE '\\' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\olk.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\'))" ], "filename": "file_event_win_rdp_file_susp_creation.yml" }, @@ -13548,7 +13567,7 @@ { "title": "Uncommon File Created In Office Startup Folder", "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", - "status": "experimental", + "status": "test", "description": "Detects the creation of a file with an uncommon extension in an Office application startup folder", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -13661,6 +13680,24 @@ ], "filename": "file_event_win_susp_desktopimgdownldr_file.yml" }, + { + "title": ".RDP File Created by Outlook Process", + "id": "f748c45a-f8d3-4e6f-b617-fe176f695b8f", + "status": "experimental", + "description": "Detects the creation of files with the \".rdp\" extensions in the temporary directory that Outlook uses when opening attachments.\nThis can be used to detect spear-phishing campaigns that use RDP files as attachments.\n", + "author": "Florian Roth", + "tags": [ + "attack.defense-evasion" + ], + "falsepositives": [ + "Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.rdp' ESCAPE '\\' AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.Outlook\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Olk\\\\Attachments\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\')))" + ], + "filename": "file_event_win_office_outlook_rdp_file_creation.yml" + }, { "title": "HackTool - Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", @@ -13843,7 +13880,7 @@ { "title": "HackTool Named File Stream Created", "id": "19b041f6-e583-40dc-b842-d6fa8011493f", - "status": "experimental", + "status": "test", "description": "Detects the creation of a named file stream with the imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -13895,7 +13932,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\'))" ], 
 "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml"
 },
@@ -14054,7 +14091,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND Initiated = 'true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE 
'%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND Initiated = 'true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE 
'%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))"
 ],
 "filename": "net_connection_win_susp_file_sharing_domains_susp_folders.yml"
 },
@@ -14075,7 +14112,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname 
LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' 
ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image 
LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 
'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR (Image = '') OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE 
'\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR 
DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND 
(Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files 
(x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND 
DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR (Image = '') OR (Image = '')))"
 ],
 "filename": "net_connection_win_domain_dead_drop_resolvers.yml"
 },
@@ -14381,7 +14418,7 @@
 {
 "title": "HackTool - EfsPotato Named Pipe Creation",
 "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2",
- "status": "experimental",
+ "status": "test",
 "description": "Detects the pattern of a pipe name as used by the hack tool EfsPotato",
 "author": "Florian Roth (Nextron Systems)",
 "tags": [
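Review bot: The exclusion list on the new `+` line of the dead-drop-resolver rule ends with `OR (Image = '') OR (Image = '')` — two identical predicates that together exclude every event whose Image field is an empty string. The same pair is on the removed line, so the commit only carries it forward, but a duplicated empty-string term in converter output usually means two filter sections of the source Sigma rule collapsed into the same SQL, or a modifier the SQLite backend could not express; I would check the source rule's filter sections and confirm that no intended path or image constraint was silently reduced to `Image = ''`. If excluding empty-Image events is not the intent, the predicate should be dropped upstream; if it is, one copy suffices and the reason such records are skipped belongs in the rule description. The substantive change in this hunk (adding `pixeldrain.com` to the domain list) is consistent with the other file-sharing-domain rules updated in this commit.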
@@ -14897,7 +14934,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR 
RemoteName LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pixeldrain.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))"
 ],
 "filename": "win_bits_client_new_transfer_via_file_sharing_domains.yml"
 },
@@ -16925,7 +16962,7 @@
 {
 "title": "HackTool - NoFilter Execution",
 "id": "7b14c76a-c602-4ae6-9717-eff868153fc0",
- "status": "experimental",
+ "status": "test",
 "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n",
 "author": "Stamatis Chatzimangou (st0pp3r)",
 "tags": [
@@ -20108,7 +20145,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName = 'curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine 
LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName = 'curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE 
'%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE 
'\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" ], "filename": "proc_creation_win_curl_download_susp_file_sharing_domains.yml" }, @@ -20274,7 +20311,7 @@ "title": "Suspicious Windows Service Tampering", "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "status": "test", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts\n", "author": "Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior", "tags": [ "attack.defense-evasion", 
@@ -20285,7 +20322,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('net.exe', 'net1.exe', 'PowerShell.EXE', 'psservice.exe', 'pwsh.dll', 'sc.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('net.exe', 'net1.exe', 'PowerShell.EXE', 'psservice.exe', 'pwsh.dll', 'sc.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%WSearch%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_service_tamper.yml" }, @@ -21686,7 +21723,7 @@ { "title": "Suspicious Process Execution From Fake Recycle.Bin Folder", "id": "5ce0f04e-3efc-42af-839d-5b3a543b76c0", - "status": "experimental", + "status": "test", "description": "Detects process execution from a fake recycle bin folder, often used to avoid security solution.", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -22722,7 +22759,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\'))" + "SELECT * FROM 
logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\'))" ], "filename": 
"proc_creation_win_powershell_download_susp_file_sharing_domains.yml" }, @@ -24554,7 +24591,7 @@ { "title": "HackTool - EDRSilencer Execution", "id": "eb2d07d4-49cb-4523-801a-da002df36602", - "status": "experimental", + "status": "test", "description": "Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.\n", "author": "@gott_cyber", "tags": [ @@ -24654,7 +24691,7 @@ { "title": "Forfiles.EXE Child Process Masquerading", "id": "f53714ec-5077-420e-ad20-907ff9bb2958", - "status": "experimental", + "status": "test", "description": "Detects the execution of \"forfiles\" from a non-default location, in order to potentially spawn a custom \"cmd.exe\" from the current working directory.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati", "tags": [ 
@@ -26244,7 +26281,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName = 'wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE 
'%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName = 'wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE 
'%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR 
CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" ], "filename": "proc_creation_win_wget_download_susp_file_sharing_domains.yml" }, @@ -26995,7 +27032,7 @@ { "title": "Renamed Cloudflared.EXE Execution", "id": "e0c69ebd-b54f-4aed-8ae3-e3467843f3f0", - "status": "experimental", + "status": "test", "description": "Detects the execution of a renamed \"cloudflared\" binary.", "tags": [ "attack.command-and-control", @@ -28335,7 +28372,7 @@ { "title": "Suspicious Greedy Compression Using Rar.EXE", "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", - "status": "experimental", + "status": "test", "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ diff --git a/rules/rules_windows_sysmon_full.json b/rules/rules_windows_sysmon_full.json index f5e9e5d..35ef17f 100644 --- a/rules/rules_windows_sysmon_full.json +++ b/rules/rules_windows_sysmon_full.json 
@@ -3585,7 +3585,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\')) AND (TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\')) AND ((Details LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\') OR ((Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE 
Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\')) AND (TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\\\%' ESCAPE '\\')) AND ((Details LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\') OR ((Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -4402,7 +4402,7 @@ { "title": "Enable LM Hash Storage", "id": "c420410f-c2d8-4010-856b-dffe21866437", - "status": "experimental", + "status": "test", "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -5125,6 +5125,25 @@ ], "filename": "" }, + { + "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry", + "id": "a7df0e9e-91a5-459a-a003-4cde67c2ff5d", + "status": "test", + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "author": "Ahmed Farouk, Nasreddine Bencherchali", + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (((Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%pwsh%' ESCAPE '\\') AND (Details LIKE '% -e %' ESCAPE '\\' OR Details LIKE '% -ec %' ESCAPE '\\' OR Details LIKE '% -en %' ESCAPE '\\' OR Details LIKE '% -enc %' ESCAPE '\\' OR Details LIKE '% -enco%' ESCAPE '\\' OR Details LIKE '%ftp%' ESCAPE '\\' OR Details LIKE '%Hidden%' ESCAPE '\\' OR Details LIKE '%http%' ESCAPE '\\' OR Details LIKE '%iex%' ESCAPE '\\' OR Details LIKE '%Invoke-%' ESCAPE '\\')) OR (Details LIKE '%wmic%' ESCAPE '\\' AND (Details LIKE '%shadowcopy%' ESCAPE '\\' OR Details LIKE '%process call create%' ESCAPE '\\')))))" + ], + "filename": "" + }, { "title": "Macro Enabled In A Potentially Suspicious Document", "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", @@ -8068,7 +8087,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler", "id": "2bfc1373-0220-4fbd-8b10-33ddafd2a142", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ 
@@ -8086,7 +8105,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor", "id": "8fa65166-f463-4fd2-ad4f-1436133c52e1", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ @@ -11764,7 +11783,7 @@ { "title": "Tamper Windows Defender - ScriptBlockLogging", "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "status": "experimental", + "status": "test", "description": "Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -12575,7 +12594,7 @@ { "title": "Tamper Windows Defender - PSClassic", "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", - "status": "experimental", + "status": "test", "description": "Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -13042,7 +13061,7 @@ { "title": "Suspicious File Creation Activity From Fake Recycle.Bin Folder", "id": "cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca", - "status": "experimental", + "status": "test", "description": "Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -13837,10 +13856,10 @@ "filename": "" }, { - "title": "RDP File Creation From Suspicious Application", + "title": ".RDP File Created By Uncommon Application", "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "status": "test", - "description": "Detects Rclone config file being created", + "description": "Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense-evasion" 
@@ -13850,7 +13869,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND ((Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND (TargetFilename LIKE '%.rdp' ESCAPE '\\' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\olk.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\')))" ], "filename": "" }, @@ -14187,7 +14206,7 @@ { "title": "Uncommon File Created In Office Startup Folder", "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", - "status": "experimental", + "status": "test", "description": "Detects the creation of a file with an uncommon extension in an Office application startup folder", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -14300,6 +14319,24 @@ ], "filename": "" }, + { + "title": ".RDP File Created by Outlook Process", + "id": "f748c45a-f8d3-4e6f-b617-fe176f695b8f", + "status": "experimental", + "description": "Detects the creation of files with the \".rdp\" extensions in the temporary directory that Outlook uses when opening attachments.\nThis can be used to detect spear-phishing campaigns that use RDP files as attachments.\n", + "author": "Florian Roth", + "tags": [ + "attack.defense-evasion" + ], + "falsepositives": [ + "Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND (TargetFilename LIKE '%.rdp' ESCAPE '\\' AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.Outlook\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Olk\\\\Attachments\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "HackTool - Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
@@ -14463,7 +14500,7 @@ { "title": "HackTool Named File Stream Created", "id": "19b041f6-e583-40dc-b842-d6fa8011493f", - "status": "experimental", + "status": "test", "description": "Detects the creation of a named file stream with the imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -14515,7 +14552,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=15 AND ((Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\')))" + 
"SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=15 AND ((Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\')))" ], 
"filename": "" }, 
@@ -14696,7 +14733,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=3 AND ((Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (Initiated='true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' 
ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=3 AND ((Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (Initiated='true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR 
DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))))" ], "filename": "" }, 
@@ -14717,7 +14754,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=3 AND ((Initiated='true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE 
'%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND (NOT ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' 
OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image LIKE 
'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 
'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR Image IS NULL OR Image=''))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=3 AND ((Initiated='true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR 
DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR 
DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND (NOT ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (Image 
LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files 
(x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND 
DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR Image IS NULL OR Image=''))))" ], "filename": "" }, @@ -15058,7 +15095,7 @@ { "title": "HackTool - EfsPotato Named Pipe Creation", "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", - "status": "experimental", + "status": "test", "description": "Detects the pattern of a pipe name as used by the hack tool EfsPotato", "author": "Florian Roth (Nextron Systems)", "tags": [ 
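Review bot: On the new side of the `@@ -14717` hunk the indicator `DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\'` still carries a trailing slash, so it can never fire: Sysmon Event ID 3 reports DestinationHostname as a bare host name with no path component, which makes this the one dead entry in an otherwise endswith-style hostname list (the BITS and curl variants of the same indicator set further down use `'%ghostbin.co%'` and are fine). The one-token fix is `DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\'`, but these JSON rule files look machine-converted from Sigma (the `ESCAPE '\\'` idiom and the `_pysigma` file names suggest it), so the correction belongs in the upstream rule's `DestinationHostname|endswith` list where it will survive the next "Update rules" regeneration rather than in a hand patch here. It is worth a quick grep of the regenerated files for other `endswith` hostname values ending in `/`, since this reads like a copy-paste artefact that may recur.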
@@ -15460,7 +15497,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Bits-Client/Operational' AND (EventID=16403 AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Bits-Client/Operational' AND (EventID=16403 AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName 
LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pixeldrain.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" ], "filename": "" }, @@ -17284,7 +17321,7 @@ { "title": "HackTool - NoFilter Execution", "id": "7b14c76a-c602-4ae6-9717-eff868153fc0", - "status": "experimental", + "status": "test", "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n", "author": "Stamatis Chatzimangou (st0pp3r)", "tags": [ 
@@ -20472,7 +20509,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName='curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE 
'%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName='curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' 
ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR 
CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" ], "filename": "" }, @@ -20638,7 +20675,7 @@ "title": "Suspicious Windows Service Tampering", "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "status": "test", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts\n", "author": "Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior", "tags": [ "attack.defense-evasion", 
@@ -20649,7 +20686,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((OriginalFileName='net.exe' OR OriginalFileName='net1.exe' OR OriginalFileName='PowerShell.EXE' OR OriginalFileName='psservice.exe' OR OriginalFileName='pwsh.dll' OR OriginalFileName='sc.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((OriginalFileName='net.exe' OR OriginalFileName='net1.exe' OR OriginalFileName='PowerShell.EXE' OR OriginalFileName='psservice.exe' OR OriginalFileName='pwsh.dll' OR OriginalFileName='sc.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%WSearch%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\')))" ], "filename": "" }, @@ -21910,7 +21947,7 @@ { "title": "Suspicious Process Execution From Fake Recycle.Bin Folder", "id": "5ce0f04e-3efc-42af-839d-5b3a543b76c0", - "status": "experimental", + "status": "test", "description": "Detects process execution from a fake recycle bin folder, often used to avoid security solution.", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -22988,7 +23025,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (OriginalFileName='PowerShell.EXE' OR OriginalFileName='pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\')))" + "SELECT 
* FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (OriginalFileName='PowerShell.EXE' OR OriginalFileName='pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\')))" ], "filename": "" }, 
@@ -24782,7 +24819,7 @@ { "title": "HackTool - EDRSilencer Execution", "id": "eb2d07d4-49cb-4523-801a-da002df36602", - "status": "experimental", + "status": "test", "description": "Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.\n", "author": "@gott_cyber", "tags": [ @@ -24861,7 +24898,7 @@ { "title": "Forfiles.EXE Child Process Masquerading", "id": "f53714ec-5077-420e-ad20-907ff9bb2958", - "status": "experimental", + "status": "test", "description": "Detects the execution of \"forfiles\" from a non-default location, in order to potentially spawn a custom \"cmd.exe\" from the current working directory.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati", "tags": [ 
@@ -26435,7 +26472,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName='wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' 
ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName='wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' 
ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE 
'%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" ], "filename": "" }, @@ -27186,7 +27223,7 @@ { "title": "Renamed Cloudflared.EXE Execution", "id": "e0c69ebd-b54f-4aed-8ae3-e3467843f3f0", - "status": "experimental", + "status": "test", "description": "Detects the execution of a renamed \"cloudflared\" binary.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -28450,7 +28487,7 @@ { "title": "Suspicious Greedy Compression Using Rar.EXE", "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", - "status": "experimental", + "status": "test", "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ 
@@ -31007,10 +31044,29 @@ ], "filename": "" }, + { + "title": "Command Executed Via Run Dialog Box - Registry", + "id": "f9d091f6-f1c7-4873-a24f-050b4a02b4dd", + "status": "experimental", + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "author": "Ahmed Farouk, Nasreddine Bencherchali", + "tags": [ + "detection.threat-hunting", + "attack.execution" + ], + "falsepositives": [ + "Likely" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (NOT TargetObject LIKE '%\\\\MRUList' ESCAPE '\\') AND (NOT (Details LIKE '%ping%' ESCAPE '\\' OR (Details LIKE '\\%appdata\\%\\\\1' ESCAPE '\\' OR Details LIKE '\\%localappdata\\%\\\\1' ESCAPE '\\' OR Details LIKE '\\%public\\%\\\\1' ESCAPE '\\' OR Details LIKE '\\%temp\\%\\\\1' ESCAPE '\\' OR Details LIKE 'calc\\\\1' ESCAPE '\\' OR Details LIKE 'dxdiag\\\\1' ESCAPE '\\' OR Details LIKE 'explorer\\\\1' ESCAPE '\\' OR Details LIKE 'gpedit.msc\\\\1' ESCAPE '\\' OR Details LIKE 'mmc\\\\1' ESCAPE '\\' OR Details LIKE 'notepad\\\\1' ESCAPE '\\' OR Details LIKE 'regedit\\\\1' ESCAPE '\\' OR Details LIKE 'services.msc\\\\1' ESCAPE '\\' OR Details LIKE 'winver\\\\1' ESCAPE '\\')))))" + ], + "filename": "" + }, { "title": "Amsi.DLL Load By Uncommon Process", "id": "facd1549-e416-48e0-b8c4-41d7215eedc8", - "status": "experimental", + "status": "test", "description": "Detects loading of Amsi.dll by uncommon processes", "author": "frack113", "tags": [ 
@@ -31484,6 +31540,26 @@ ], "filename": "" }, + { + "title": "Access To Browser Credential Files By Uncommon Applications - Security", + "id": "4b60e527-ec73-4b47-8cb3-f02ad927ca65", + "status": "experimental", + "description": "Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.\n", + "author": "Daniel Koifman (@Koifsec), Nasreddine Bencherchali", + "tags": [ + "attack.credential-access", + "attack.t1555.003", + "detection.threat-hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4663 AND ObjectType='File' AND AccessMask='0x1') AND ((ObjectName LIKE '%\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Local State%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\') OR (FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%\\\\places.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\')) AND (NOT (ProcessName='System' OR (ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))) AND (NOT (ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "Scheduled Task Deletion", "id": "4f86b304-3e02-40e3-aa5d-e88a167c9617", 
@@ -32049,7 +32125,7 @@ { "title": "Compressed File Extraction Via Tar.EXE", "id": "bf361876-6620-407a-812f-bfe11e51e924", - "status": "experimental", + "status": "test", "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n", "author": "AdmU3", "tags": [ @@ -32165,7 +32241,7 @@ { "title": "Firewall Configuration Discovery Via Netsh.EXE", "id": "0e4164da-94bc-450d-a7be-a4b176179f1f", - "status": "experimental", + "status": "test", "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ @@ -32456,7 +32532,7 @@ { "title": "Compressed File Creation Via Tar.EXE", "id": "418a3163-3247-4b7b-9933-dcfcb7c52ea9", - "status": "experimental", + "status": "test", "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3", "tags": [ @@ -33224,7 +33300,7 @@ { "title": "Potential Persistence Via AppCompat RegisterAppRestart Layer", "id": "b86852fb-4c77-48f9-8519-eb1b2c308b59", - "status": "experimental", + "status": "test", "description": "Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.\nThis compatibility layer allows an application to register for restart using the \"RegisterApplicationRestart\" API.\nThis can be potentially abused as a persistence mechanism.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -33495,7 +33571,7 @@ { "title": "Potential PowerShell Execution Policy Tampering", "id": "fad91067-08c5-4d1a-8d8c-d96a21b37814", - "status": "experimental", + "status": "test", "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -33762,7 +33838,7 @@ { "title": "Potentially Suspicious Desktop Background Change Via Registry", "id": "85b88e05-dadc-430b-8a9e-53ff1cd30aae", - "status": "experimental", + "status": "test", "description": "Detects registry value settings that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)", "tags": [ @@ -35010,7 +35086,7 @@ { "title": "DLL Names Used By SVR For GraphicalProton Backdoor", "id": "e64c8ef3-9f98-40c8-b71e-96110991cb4c", - "status": "experimental", + "status": "test", "description": "Hunts known SVR-specific DLL names.", "author": "CISA", "tags": [ 
@@ -35109,7 +35185,7 @@ { "title": "Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE", "id": "e5144106-8198-4f6e-bfc2-0a551cc8dd94", - "status": "experimental", + "status": "test", "description": "Detects the execution of concatenated commands via \"cmd.exe\". Pikabot often executes a combination of multiple commands via the command handler \"cmd /c\" in order to download and execute additional payloads.\nCommands such as \"curl\", \"wget\" in order to download extra payloads. \"ping\" and \"timeout\" are abused to introduce delays in the command execution and \"Rundll32\" is also used to execute malicious DLL files.\nIn the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.\n", "author": "Alejandro Houspanossian ('@lekz86')", "tags": [ @@ -35463,7 +35539,7 @@ { "title": "Potential Direct Syscall of NtOpenProcess", "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", - "status": "experimental", + "status": "test", "description": "Detects potential calls to NtOpenProcess directly from NTDLL.", "author": "Christian Burkard (Nextron Systems), Tim Shelton (FP)", "tags": [ 
@@ -37630,25 +37706,6 @@ ], "filename": "" }, - { - "title": "Powershell Exfiltration Over SMTP", - "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", - "status": "test", - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "author": "frack113", - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], - "falsepositives": [ - "Legitimate script" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel='Microsoft-Windows-PowerShell/Operational' OR Channel='PowerShellCore/Operational') AND (EventID=4104 AND (ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND (NOT ScriptBlockText LIKE '%CmdletsToExport%' ESCAPE '\\')))" - ], - "filename": "" - }, { "title": "Certificate Exported Via PowerShell - ScriptBlock", "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", @@ -38501,7 +38558,7 @@ { "title": "Cloudflared Tunnels Related DNS Requests", "id": "a1d9eec5-33b2-4177-8d24-27fe754d0812", - "status": "experimental", + "status": "test", "description": "Detects DNS requests to Cloudflared tunnels domains.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -39271,7 +39328,7 @@ { "title": "PSScriptPolicyTest Creation By Uncommon Process", "id": "1027d292-dd87-4a1a-8701-2abe04d7783c", - "status": "experimental", + "status": "test", "description": "Detects the creation of the \"PSScriptPolicyTest\" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -40165,7 +40222,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=15 AND ((Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=15 AND ((Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR 
Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\')))" ], "filename": "" }, @@ -40331,7 +40388,7 @@ { "title": "Suspicious Wordpad Outbound Connections", "id": "786cdae8-fefb-4eb2-9227-04e34060db01", - "status": "experimental", + "status": "test", "description": "Detects a network connection initiated by \"wordpad.exe\" over uncommon destination ports.\nThis might indicate potential process injection activity from a beacon or similar mechanisms.\n", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -42586,7 +42643,7 @@ { "title": "Potentially Suspicious AccessMask Requested From LSASS", "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", - "status": "experimental", + "status": "test", "description": "Detects process handle on LSASS process with certain access mask", "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", "tags": [ @@ -43187,6 +43244,26 @@ ], "filename": "" }, + { + "title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet", + "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", + "status": "test", + "description": "Detects the execution of a PowerShell script with a call to the \"Send-MailMessage\" cmdlet along with the \"-Attachments\" flag. This could be a potential sign of data exfiltration via Email.\nAdversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n", + "author": "frack113", + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "detection.threat-hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel='Microsoft-Windows-PowerShell/Operational' OR Channel='PowerShellCore/Operational') AND (EventID=4104 AND ScriptBlockText LIKE '%Send-MailMessage%-Attachments%' ESCAPE '\\')" + ], + "filename": "" + }, { "title": "SMB over QUIC Via PowerShell Script", "id": "6df07c3b-8456-4f8b-87bb-fe31ec964cae", @@ -43293,7 +43370,7 @@ { "title": "Access To Sysvol Policies Share By Uncommon Process", "id": "8344c19f-a023-45ff-ad63-a01c5396aea0", - "status": "experimental", + "status": "test", "description": "Detects file access requests to the Windows Sysvol Policies Share by uncommon processes", "author": "frack113", "tags": [ 
@@ -45919,7 +45996,7 @@ { "title": "Potentially Suspicious Desktop Background Change Using Reg.EXE", "id": "8cbc9475-8d05-4e27-9c32-df960716c701", - "status": "experimental", + "status": "test", "description": "Detects the execution of \"reg.exe\" to alter registry keys that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", "author": "Stephen Lincoln @slincoln-aiq (AttackIQ)", "tags": [ @@ -46211,7 +46288,7 @@ { "title": "Potentially Suspicious Command Targeting Teams Sensitive Files", "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", - "status": "experimental", + "status": "test", "description": "Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.\nThe database might contain authentication tokens and other sensitive information about the logged in accounts.\n", "author": "@SerkinValery", "tags": [ @@ -46459,7 +46536,7 @@ { "title": "Cloudflared Tunnel Execution", "id": "9a019ffc-3580-4c9d-8d87-079f7e8d3fd4", - "status": "experimental", + "status": "test", "description": "Detects execution of the \"cloudflared\" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.", "author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -47764,7 +47841,7 @@ { "title": "Uncommon Child Process Of Conhost.EXE", "id": "7dc2dedd-7603-461a-bc13-15803d132355", - "status": "experimental", + "status": "test", "description": "Detects uncommon \"conhost\" child processes. This could be a sign of \"conhost\" usage as a LOLBIN or potential process injection activity.", "author": "omkar72", "tags": [ 
@@ -49089,7 +49166,7 @@ { "title": "Cloudflared Tunnel Connections Cleanup", "id": "7050bba1-1aed-454e-8f73-3f46f09ce56a", - "status": "experimental", + "status": "test", "description": "Detects execution of the \"cloudflared\" tool with the tunnel \"cleanup\" flag in order to cleanup tunnel connections.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -49110,7 +49187,7 @@ { "title": "Uncommon System Information Discovery Via Wmic.EXE", "id": "9d5a1274-922a-49d0-87f3-8c653483b909", - "status": "experimental", + "status": "test", "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", "author": "TropChaud", "tags": [ @@ -49750,7 +49827,7 @@ { "title": "PUA - Process Hacker Execution", "id": "811e0002-b13b-4a15-9d00-a613fce66e42", - "status": "experimental", + "status": "test", "description": "Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).\nProcess Hacker is a tool to view and manipulate processes, kernel options and other low level options.\nThreat actors abused older vulnerable versions to manipulate system processes.\n", "author": "Florian Roth (Nextron Systems)", "tags": [ @@ -50320,7 +50397,7 @@ { "title": "Binary Proxy Execution Via Dotnet-Trace.EXE", "id": "9257c05b-4a4a-48e5-a670-b7b073cf401b", - "status": "experimental", + "status": "test", "description": "Detects commandline arguments for executing a child process via dotnet-trace.exe", "author": "Jimmy Bayne (@bohops)", "tags": [ 
@@ -52335,7 +52412,7 @@ { "title": "Cscript/Wscript Potentially Suspicious Child Process", "id": "b6676963-0353-4f88-90f5-36c20d443c6a", - "status": "experimental", + "status": "test", "description": "Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.\nMalware such as Pikabot and Qakbot were seen using similar techniques as well as many others.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')", "tags": [ @@ -52488,7 +52565,7 @@ { "title": "Cloudflared Portable Execution", "id": "fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd", - "status": "experimental", + "status": "test", "description": "Detects the execution of the \"cloudflared\" binary from a non standard location.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -53282,7 +53359,7 @@ { "title": "Cloudflared Quick Tunnel Execution", "id": "222129f7-f4dc-4568-b0d2-22440a9639ba", - "status": "experimental", + "status": "test", "description": "Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.\nThe free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.\nThe tool has been observed in use by threat groups including Akira ransomware.\n", "author": "Sajid Nawaz Khan", "tags": [ @@ -53720,7 +53797,7 @@ "filename": "" }, { - "title": "Suspicious Schtasks From Env Var Folder", + "title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE", "id": "81325ce1-be01-4250-944f-b4789644556f", "status": "test", "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", 
@@ -53735,7 +53812,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND 
CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT ((ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\' OR CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\') OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\' OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine 
LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))" ], "filename": "" }, diff --git a/rules/rules_windows_sysmon_high.json b/rules/rules_windows_sysmon_high.json index 771dac4..df9e082 100644 --- a/rules/rules_windows_sysmon_high.json +++ b/rules/rules_windows_sysmon_high.json 
@@ -562,7 +562,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\')) AND ((Details LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 
'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\\\%' ESCAPE '\\')) AND ((Details LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_persistence_com_hijacking_builtin.yml" }, 
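Review bot: The CLSID list on the new side mixes lower-case GUIDs with upper-case ones (`{F56F6FDD-…}`, and the newly added `{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}`), so the match depends on SQLite's default ASCII case-insensitive `LIKE`; if the loader ever enables `PRAGMA case_sensitive_like` or normalises `TargetObject` to one case, the upper-case entries stop matching while the others keep working. Since these files are generated, the safer fix is in the generator rather than here — emit GUIDs in one canonical case, e.g. `{f82b4ef1-93a9-4dde-8015-f7950a1a6e31}`, so the rule does not rely on collation behaviour. The enclosing rule object starts before this hunk.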
@@ -1379,7 +1379,7 @@
 {
 "title": "Enable LM Hash Storage",
 "id": "c420410f-c2d8-4010-856b-dffe21866437",
- "status": "experimental",
+ "status": "test",
 "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n",
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
@@ -2102,6 +2102,25 @@ ], "filename": "registry_set_chrome_extension.yml" }, + { + "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry", + "id": "a7df0e9e-91a5-459a-a003-4cde67c2ff5d", + "status": "test", + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "author": "Ahmed Farouk, Nasreddine Bencherchali", + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (((Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%pwsh%' ESCAPE '\\') AND (Details LIKE '% -e %' ESCAPE '\\' OR Details LIKE '% -ec %' ESCAPE '\\' OR Details LIKE '% -en %' ESCAPE '\\' OR Details LIKE '% -enc %' ESCAPE '\\' OR Details LIKE '% -enco%' ESCAPE '\\' OR Details LIKE '%ftp%' ESCAPE '\\' OR Details LIKE '%Hidden%' ESCAPE '\\' OR Details LIKE '%http%' ESCAPE '\\' OR Details LIKE '%iex%' ESCAPE '\\' OR Details LIKE '%Invoke-%' ESCAPE '\\')) OR (Details LIKE '%wmic%' ESCAPE '\\' AND (Details LIKE '%shadowcopy%' ESCAPE '\\' OR Details LIKE '%process call create%' ESCAPE '\\'))))" + ], + "filename": "registry_set_runmru_susp_command_execution.yml" + }, { "title": "Macro Enabled In A Potentially Suspicious Document", "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", 
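Review bot: The new RunMRU rule only produces anything if the Sysmon configuration logs RegistryEvent value-set (EventID 13) for `…\Explorer\RunMRU`, and neither the description nor `falsepositives` (currently `Unknown`) says so, so an operator can deploy it and get silent non-coverage; suggest appending to the description `Requires a Sysmon configuration that logs RegistryEvent (value set) for the Explorer RunMRU key.` The `powershell`/`pwsh` branch matches bare substrings such as `%ftp%`, `%http%` and `%iex%`, so any Run-dialog PowerShell command that merely contains a URL alerts at level high; that is inherited from the upstream logic, but a `falsepositives` entry like `PowerShell commands typed in the Run dialog that reference URLs` would help triage. The description frames this as the paste-a-command CAPTCHA lure, which in practice is not limited to PowerShell or `wmic`; it is worth stating in the description that other interpreters are out of scope for this rule rather than leaving readers to assume full coverage.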
@@ -6321,7 +6340,7 @@
 {
 "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler",
 "id": "2bfc1373-0220-4fbd-8b10-33ddafd2a142",
- "status": "experimental",
+ "status": "test",
 "description": "Hunts for known SVR-specific scheduled task names",
 "author": "CISA",
 "tags": [
@@ -6339,7 +6358,7 @@
 {
 "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor",
 "id": "8fa65166-f463-4fd2-ad4f-1436133c52e1",
- "status": "experimental",
+ "status": "test",
 "description": "Hunts for known SVR-specific scheduled task names",
 "author": "CISA",
 "tags": [
@@ -10952,7 +10971,7 @@
 {
 "title": "Tamper Windows Defender - ScriptBlockLogging",
 "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2",
- "status": "experimental",
+ "status": "test",
 "description": "Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.",
 "author": "frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
@@ -11782,7 +11801,7 @@
 {
 "title": "Tamper Windows Defender - PSClassic",
 "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c",
- "status": "experimental",
+ "status": "test",
 "description": "Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.",
 "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
@@ -12306,7 +12325,7 @@
 {
 "title": "Suspicious File Creation Activity From Fake Recycle.Bin Folder",
 "id": "cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca",
- "status": "experimental",
+ "status": "test",
 "description": "Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware",
 "author": "X__Junior (Nextron Systems)",
 "tags": [
@@ -13160,10 +13179,10 @@
 "filename": "file_event_win_tsclient_filewrite_startup.yml"
 },
 {
- "title": "RDP File Creation From Suspicious Application",
+ "title": ".RDP File Created By Uncommon Application",
 "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d",
 "status": "test",
- "description": "Detects Rclone config file being created",
+ "description": "Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.\n",
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
 "attack.defense-evasion"
@@ -13173,7 +13192,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetFilename LIKE '%.rdp' ESCAPE '\\' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\olk.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR 
Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\'))" ], "filename": "file_event_win_rdp_file_susp_creation.yml" }, @@ -13548,7 +13567,7 @@ { "title": "Uncommon File Created In Office Startup Folder", "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", - "status": "experimental", + "status": "test", "description": "Detects the creation of a file with an uncommon extension in an Office application startup folder", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
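Review bot: Narrowing `TargetFilename LIKE '%.rdp%'` to `'%.rdp'` drops the intermediate names browsers typically create first (`foo.rdp.crdownload` for Chromium-based browsers, `foo.rdp.part` for Firefox); if the final rename to `foo.rdp` does not raise a second Sysmon EventID 11, the browser-download case this rule lists so many browser images for is no longer caught, so this should be verified on a test host before the narrower form is relied on. If the broad pattern was dropped to avoid `.rdpx`-style noise, a middle ground is to keep the suffix match and add the two temporary suffixes explicitly, e.g. `TargetFilename LIKE '%.rdp' OR TargetFilename LIKE '%.rdp.crdownload' OR TargetFilename LIKE '%.rdp.part'` (with the same `ESCAPE '\\'` clauses the generator emits). Adding `olk.exe` for the new Outlook client is correct and consistent with the Outlook-specific rule added elsewhere in this patch.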
@@ -13661,6 +13680,24 @@ ], "filename": "file_event_win_susp_desktopimgdownldr_file.yml" }, + { + "title": ".RDP File Created by Outlook Process", + "id": "f748c45a-f8d3-4e6f-b617-fe176f695b8f", + "status": "experimental", + "description": "Detects the creation of files with the \".rdp\" extensions in the temporary directory that Outlook uses when opening attachments.\nThis can be used to detect spear-phishing campaigns that use RDP files as attachments.\n", + "author": "Florian Roth", + "tags": [ + "attack.defense-evasion" + ], + "falsepositives": [ + "Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.rdp' ESCAPE '\\' AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.Outlook\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Olk\\\\Attachments\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\')))" + ], + "filename": "file_event_win_office_outlook_rdp_file_creation.yml" + }, { "title": "HackTool - Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", @@ -13843,7 +13880,7 @@ { "title": "HackTool Named File Stream Created", "id": "19b041f6-e583-40dc-b842-d6fa8011493f", - "status": "experimental", + "status": "test", "description": "Detects the creation of a named file stream with the imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ 
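Review bot: The new Outlook `.rdp` rule is keyed purely on the attachment directories, so it is only as good as the Sysmon FileCreate (EventID 11) configuration — a config that does not include `.rdp` (by extension or by the `AppData\Local` paths used here) makes this rule silently inert, and nothing in the description or `falsepositives` warns the operator; suggest adding to the description `Requires Sysmon FileCreate logging that covers .rdp files under the user profile.` Because the browser/mail-client rule in this same file already alerts on `Outlook.exe`/`olk.exe` writing `.rdp`, a single attachment open will raise two high-level alerts on the same event; that is tolerable but worth a sentence in `falsepositives` or the description so analysts do not treat them as two incidents. The `Content.Outlook` branch requires `\AppData\Local\Microsoft\Windows\` as a prefix, which presumably misses environments where the Outlook secure temp folder has been redirected via the `OutlookSecureTempFolder` registry value — confirm whether that is acceptable for the target fleet.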
@@ -13895,7 +13932,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\'))" + 
"SELECT * FROM logs WHERE (EventID = '15' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\'))" ], 
"filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" }, 
@@ -14054,7 +14091,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND Initiated = 'true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE 
'%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND Initiated = 'true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE 
'%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))" ], "filename": "net_connection_win_susp_file_sharing_domains_susp_folders.yml" }, 
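Review bot: `DestinationHostname` in Sysmon EventID 3 is, as far as the field semantics go, filled from Sysmon's own reverse-DNS lookup of the destination IP, so for a CDN-fronted service the value is usually the CDN's PTR name and the new `DestinationHostname LIKE '%pixeldrain.com'` entry (like its neighbours) may never match even when a download from that site occurred; the Zone.Identifier-based rule added earlier in this patch is the more reliable signal for such domains, and if this network rule is meant to be primary it should be paired with DNS query events (Sysmon EventID 22 `QueryName`), where the original hostname survives. The suffix form `'%pixeldrain.com'` also matches any hostname that merely ends with that string (e.g. `notpixeldrain.com`); a leading dot or an exact-match alternative would be tighter, though the loose form is consistent with the existing entries and inherited from upstream, so this is a note for the generator rather than a blocker.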
@@ -14075,7 +14112,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname 
LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' 
ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image 
LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 
'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR (Image = '') OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '3' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Initiated = 'true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE 
'\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR 
DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT (((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND 
(Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files 
(x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND 
DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR (Image = '') OR (Image = '')))" ], "filename": "net_connection_win_domain_dead_drop_resolvers.yml" }, @@ -14381,7 +14418,7 @@ { "title": "HackTool - EfsPotato Named Pipe Creation", "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", - "status": "experimental", + "status": "test", "description": "Detects the pattern of a pipe name as used by the hack tool EfsPotato", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -14897,7 +14934,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR 
RemoteName LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pixeldrain.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" ], "filename": "win_bits_client_new_transfer_via_file_sharing_domains.yml" }, @@ -16925,7 +16962,7 @@ { "title": "HackTool - NoFilter Execution", "id": "7b14c76a-c602-4ae6-9717-eff868153fc0", - "status": "experimental", + "status": "test", "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n", "author": "Stamatis Chatzimangou (st0pp3r)", "tags": [ 
@@ -20108,7 +20145,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName = 'curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine 
LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName = 'curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE 
'%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE 
'\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" ], "filename": "proc_creation_win_curl_download_susp_file_sharing_domains.yml" }, @@ -20274,7 +20311,7 @@ "title": "Suspicious Windows Service Tampering", "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "status": "test", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts\n", "author": "Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior", "tags": [ "attack.defense-evasion", 
@@ -20285,7 +20322,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('net.exe', 'net1.exe', 'PowerShell.EXE', 'psservice.exe', 'pwsh.dll', 'sc.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('net.exe', 'net1.exe', 'PowerShell.EXE', 'psservice.exe', 'pwsh.dll', 'sc.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%WSearch%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_service_tamper.yml" }, @@ -21686,7 +21723,7 @@ { "title": "Suspicious Process Execution From Fake Recycle.Bin Folder", "id": "5ce0f04e-3efc-42af-839d-5b3a543b76c0", - "status": "experimental", + "status": "test", "description": "Detects process execution from a fake recycle bin folder, often used to avoid security solution.", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -22722,7 +22759,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\'))" + "SELECT * FROM 
logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\'))" ], "filename": 
"proc_creation_win_powershell_download_susp_file_sharing_domains.yml" }, @@ -24554,7 +24591,7 @@ { "title": "HackTool - EDRSilencer Execution", "id": "eb2d07d4-49cb-4523-801a-da002df36602", - "status": "experimental", + "status": "test", "description": "Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.\n", "author": "@gott_cyber", "tags": [ @@ -24654,7 +24691,7 @@ { "title": "Forfiles.EXE Child Process Masquerading", "id": "f53714ec-5077-420e-ad20-907ff9bb2958", - "status": "experimental", + "status": "test", "description": "Detects the execution of \"forfiles\" from a non-default location, in order to potentially spawn a custom \"cmd.exe\" from the current working directory.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati", "tags": [ 
@@ -26244,7 +26281,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName = 'wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE 
'%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName = 'wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE 
'%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR 
CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\'))" ], "filename": "proc_creation_win_wget_download_susp_file_sharing_domains.yml" }, @@ -26995,7 +27032,7 @@ { "title": "Renamed Cloudflared.EXE Execution", "id": "e0c69ebd-b54f-4aed-8ae3-e3467843f3f0", - "status": "experimental", + "status": "test", "description": "Detects the execution of a renamed \"cloudflared\" binary.", "tags": [ "attack.command-and-control", @@ -28335,7 +28372,7 @@ { "title": "Suspicious Greedy Compression Using Rar.EXE", "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", - "status": "experimental", + "status": "test", "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ diff --git a/rules/rules_windows_sysmon_medium.json b/rules/rules_windows_sysmon_medium.json index f5e9e5d..35ef17f 100644 --- a/rules/rules_windows_sysmon_medium.json +++ b/rules/rules_windows_sysmon_medium.json 
@@ -3585,7 +3585,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\')) AND (TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\')) AND ((Details LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\') OR ((Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE 
Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\')) AND (TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\\\%' ESCAPE '\\')) AND ((Details LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\') OR ((Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -4402,7 +4402,7 @@ { "title": "Enable LM Hash Storage", "id": "c420410f-c2d8-4010-856b-dffe21866437", - "status": "experimental", + "status": "test", "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -5125,6 +5125,25 @@ ], "filename": "" }, + { + "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry", + "id": "a7df0e9e-91a5-459a-a003-4cde67c2ff5d", + "status": "test", + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "author": "Ahmed Farouk, Nasreddine Bencherchali", + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (((Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%pwsh%' ESCAPE '\\') AND (Details LIKE '% -e %' ESCAPE '\\' OR Details LIKE '% -ec %' ESCAPE '\\' OR Details LIKE '% -en %' ESCAPE '\\' OR Details LIKE '% -enc %' ESCAPE '\\' OR Details LIKE '% -enco%' ESCAPE '\\' OR Details LIKE '%ftp%' ESCAPE '\\' OR Details LIKE '%Hidden%' ESCAPE '\\' OR Details LIKE '%http%' ESCAPE '\\' OR Details LIKE '%iex%' ESCAPE '\\' OR Details LIKE '%Invoke-%' ESCAPE '\\')) OR (Details LIKE '%wmic%' ESCAPE '\\' AND (Details LIKE '%shadowcopy%' ESCAPE '\\' OR Details LIKE '%process call create%' ESCAPE '\\')))))" + ], + "filename": "" + }, { "title": "Macro Enabled In A Potentially Suspicious Document", "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", @@ -8068,7 +8087,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler", "id": "2bfc1373-0220-4fbd-8b10-33ddafd2a142", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ 
@@ -8086,7 +8105,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor", "id": "8fa65166-f463-4fd2-ad4f-1436133c52e1", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ @@ -11764,7 +11783,7 @@ { "title": "Tamper Windows Defender - ScriptBlockLogging", "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "status": "experimental", + "status": "test", "description": "Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -12575,7 +12594,7 @@ { "title": "Tamper Windows Defender - PSClassic", "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", - "status": "experimental", + "status": "test", "description": "Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -13042,7 +13061,7 @@ { "title": "Suspicious File Creation Activity From Fake Recycle.Bin Folder", "id": "cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca", - "status": "experimental", + "status": "test", "description": "Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -13837,10 +13856,10 @@ "filename": "" }, { - "title": "RDP File Creation From Suspicious Application", + "title": ".RDP File Created By Uncommon Application", "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "status": "test", - "description": "Detects Rclone config file being created", + "description": "Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense-evasion" 
@@ -13850,7 +13869,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND ((Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND (TargetFilename LIKE '%.rdp' ESCAPE '\\' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\olk.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\')))" ], "filename": "" }, @@ -14187,7 +14206,7 @@ { "title": "Uncommon File Created In Office Startup Folder", "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", - "status": "experimental", + "status": "test", "description": "Detects the creation of a file with an uncommon extension in an Office application startup folder", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -14300,6 +14319,24 @@ ], "filename": "" }, + { + "title": ".RDP File Created by Outlook Process", + "id": "f748c45a-f8d3-4e6f-b617-fe176f695b8f", + "status": "experimental", + "description": "Detects the creation of files with the \".rdp\" extensions in the temporary directory that Outlook uses when opening attachments.\nThis can be used to detect spear-phishing campaigns that use RDP files as attachments.\n", + "author": "Florian Roth", + "tags": [ + "attack.defense-evasion" + ], + "falsepositives": [ + "Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND (TargetFilename LIKE '%.rdp' ESCAPE '\\' AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.Outlook\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Olk\\\\Attachments\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "HackTool - Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
@@ -14463,7 +14500,7 @@ { "title": "HackTool Named File Stream Created", "id": "19b041f6-e583-40dc-b842-d6fa8011493f", - "status": "experimental", + "status": "test", "description": "Detects the creation of a named file stream with the imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -14515,7 +14552,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=15 AND ((Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\')))" + 
"SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=15 AND ((Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\')))" ], 
"filename": "" }, 
@@ -14696,7 +14733,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=3 AND ((Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (Initiated='true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' 
ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=3 AND ((Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (Initiated='true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR 
DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))))" ], "filename": "" }, 
@@ -14717,7 +14754,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=3 AND ((Initiated='true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE 
'%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND (NOT ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' 
OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image LIKE 
'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 
'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR Image IS NULL OR Image=''))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=3 AND ((Initiated='true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR 
DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR 
DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND (NOT ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (Image 
LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files 
(x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND 
DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR Image IS NULL OR Image=''))))" ], "filename": "" }, @@ -15058,7 +15095,7 @@ { "title": "HackTool - EfsPotato Named Pipe Creation", "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", - "status": "experimental", + "status": "test", "description": "Detects the pattern of a pipe name as used by the hack tool EfsPotato", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -15460,7 +15497,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Bits-Client/Operational' AND (EventID=16403 AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Bits-Client/Operational' AND (EventID=16403 AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName 
LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pixeldrain.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" ], "filename": "" }, @@ -17284,7 +17321,7 @@ { "title": "HackTool - NoFilter Execution", "id": "7b14c76a-c602-4ae6-9717-eff868153fc0", - "status": "experimental", + "status": "test", "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n", "author": "Stamatis Chatzimangou (st0pp3r)", "tags": [ 
@@ -20472,7 +20509,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName='curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE 
'%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName='curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' 
ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR 
CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" ], "filename": "" }, @@ -20638,7 +20675,7 @@ "title": "Suspicious Windows Service Tampering", "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "status": "test", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts\n", "author": "Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior", "tags": [ "attack.defense-evasion", 
@@ -20649,7 +20686,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((OriginalFileName='net.exe' OR OriginalFileName='net1.exe' OR OriginalFileName='PowerShell.EXE' OR OriginalFileName='psservice.exe' OR OriginalFileName='pwsh.dll' OR OriginalFileName='sc.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((OriginalFileName='net.exe' OR OriginalFileName='net1.exe' OR OriginalFileName='PowerShell.EXE' OR OriginalFileName='psservice.exe' OR OriginalFileName='pwsh.dll' OR OriginalFileName='sc.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%WSearch%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\')))" ], "filename": "" }, @@ -21910,7 +21947,7 @@ { "title": "Suspicious Process Execution From Fake Recycle.Bin Folder", "id": "5ce0f04e-3efc-42af-839d-5b3a543b76c0", - "status": "experimental", + "status": "test", "description": "Detects process execution from a fake recycle bin folder, often used to avoid security solution.", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -22988,7 +23025,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (OriginalFileName='PowerShell.EXE' OR OriginalFileName='pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\')))" + "SELECT 
* FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (OriginalFileName='PowerShell.EXE' OR OriginalFileName='pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\')))" ], "filename": "" }, 
@@ -24782,7 +24819,7 @@
 {
 "title": "HackTool - EDRSilencer Execution",
 "id": "eb2d07d4-49cb-4523-801a-da002df36602",
- "status": "experimental",
+ "status": "test",
 "description": "Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.\n",
 "author": "@gott_cyber",
 "tags": [
@@ -24861,7 +24898,7 @@
 {
 "title": "Forfiles.EXE Child Process Masquerading",
 "id": "f53714ec-5077-420e-ad20-907ff9bb2958",
- "status": "experimental",
+ "status": "test",
 "description": "Detects the execution of \"forfiles\" from a non-default location, in order to potentially spawn a custom \"cmd.exe\" from the current working directory.\n",
 "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati",
 "tags": [
@@ -26435,7 +26472,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName='wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' 
ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName='wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' 
ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE 
'%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))"
 ],
 "filename": ""
 },
@@ -27186,7 +27223,7 @@
 {
 "title": "Renamed Cloudflared.EXE Execution",
 "id": "e0c69ebd-b54f-4aed-8ae3-e3467843f3f0",
- "status": "experimental",
+ "status": "test",
 "description": "Detects the execution of a renamed \"cloudflared\" binary.",
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
@@ -28450,7 +28487,7 @@
 {
 "title": "Suspicious Greedy Compression Using Rar.EXE",
 "id": "afe52666-401e-4a02-b4ff-5d128990b8cb",
- "status": "experimental",
+ "status": "test",
 "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes",
 "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)",
 "tags": [
@@ -31007,10 +31044,29 @@
 ],
 "filename": ""
 },
+ {
+ "title": "Command Executed Via Run Dialog Box - Registry",
+ "id": "f9d091f6-f1c7-4873-a24f-050b4a02b4dd",
+ "status": "experimental",
+ "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n",
+ "author": "Ahmed Farouk, Nasreddine Bencherchali",
+ "tags": [
+ "detection.threat-hunting",
+ "attack.execution"
+ ],
+ "falsepositives": [
+ "Likely"
+ ],
+ "level": "low",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (NOT TargetObject LIKE '%\\\\MRUList' ESCAPE '\\') AND (NOT (Details LIKE '%ping%' ESCAPE '\\' OR (Details LIKE '\\%appdata\\%\\\\1' ESCAPE '\\' OR Details LIKE '\\%localappdata\\%\\\\1' ESCAPE '\\' OR Details LIKE '\\%public\\%\\\\1' ESCAPE '\\' OR Details LIKE '\\%temp\\%\\\\1' ESCAPE '\\' OR Details LIKE 'calc\\\\1' ESCAPE '\\' OR Details LIKE 'dxdiag\\\\1' ESCAPE '\\' OR Details LIKE 'explorer\\\\1' ESCAPE '\\' OR Details LIKE 'gpedit.msc\\\\1' ESCAPE '\\' OR Details LIKE 'mmc\\\\1' ESCAPE '\\' OR Details LIKE 'notepad\\\\1' ESCAPE '\\' OR Details LIKE 'regedit\\\\1' ESCAPE '\\' OR Details LIKE 'services.msc\\\\1' ESCAPE '\\' OR Details LIKE 'winver\\\\1' ESCAPE '\\')))))"
+ ],
+ "filename": ""
+ },
 {
 "title": "Amsi.DLL Load By Uncommon Process",
 "id": "facd1549-e416-48e0-b8c4-41d7215eedc8",
- "status": "experimental",
+ "status": "test",
 "description": "Detects loading of Amsi.dll by uncommon processes",
 "author": "frack113",
 "tags": [
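Review bot: The `Details LIKE '%ping%'` exclusion in the new RunMRU rule drops every Run-dialog value that contains the substring "ping" anywhere, whereas the neighbouring exclusions in the same filter are anchored whole values such as `calc\\\\1`; a pasted ClickFix-style command only needs "ping" inside a URL, an argument or a trailing comment to vanish from the hunt output, and the attacker controls that string. If the intent is to skip the plain `ping host` case, anchor it like its siblings: `Details LIKE 'ping %\\\\1' ESCAPE '\\' OR Details LIKE 'ping\\\\1' ESCAPE '\\'`. These JSON rules look like converted Sigma output, so if the converter reproduces the upstream filter faithfully the fix belongs in the Sigma source rather than in this file.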
@@ -31484,6 +31540,26 @@
 ],
 "filename": ""
 },
+ {
+ "title": "Access To Browser Credential Files By Uncommon Applications - Security",
+ "id": "4b60e527-ec73-4b47-8cb3-f02ad927ca65",
+ "status": "experimental",
+ "description": "Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.\n",
+ "author": "Daniel Koifman (@Koifsec), Nasreddine Bencherchali",
+ "tags": [
+ "attack.credential-access",
+ "attack.t1555.003",
+ "detection.threat-hunting"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "low",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4663 AND ObjectType='File' AND AccessMask='0x1') AND ((ObjectName LIKE '%\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Local State%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\') OR (FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%\\\\places.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\')) AND (NOT (ProcessName='System' OR (ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))) AND (NOT (ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))))"
+ ],
+ "filename": ""
+ },
 {
 "title": "Scheduled Task Deletion",
 "id": "4f86b304-3e02-40e3-aa5d-e88a167c9617",
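Review bot: The Firefox branch of the new browser-credential rule tests `FileName LIKE '%\\\\cookies.sqlite'` and its four sibling patterns, but Security event 4663 carries the accessed path in `ObjectName`, the field the Chromium branch of the same query already uses; unless Zircolite's field mapping aliases `FileName` to `ObjectName` for this channel, that half of the rule can never match and the Firefox stores are silently uncovered. Switching those five patterns to `ObjectName` makes both branches consistent and should be confirmed against a real 4663 record. Two prerequisites are worth stating in the description, which currently also runs "credential stealing This rule" together: 4663 only fires when object-access auditing is enabled and a SACL exists on the browser profile files, which is not a default configuration, and the exact `AccessMask='0x1'` comparison will not match handles opened with a broader mask, so a sentence such as `"Requires object access auditing with a SACL on the browser profile files; only AccessMask 0x1 requests are considered."` would set expectations for anyone enabling it.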
@@ -32049,7 +32125,7 @@
 {
 "title": "Compressed File Extraction Via Tar.EXE",
 "id": "bf361876-6620-407a-812f-bfe11e51e924",
- "status": "experimental",
+ "status": "test",
 "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n",
 "author": "AdmU3",
 "tags": [
@@ -32165,7 +32241,7 @@
 {
 "title": "Firewall Configuration Discovery Via Netsh.EXE",
 "id": "0e4164da-94bc-450d-a7be-a4b176179f1f",
- "status": "experimental",
+ "status": "test",
 "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems",
 "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'",
 "tags": [
@@ -32456,7 +32532,7 @@
 {
 "title": "Compressed File Creation Via Tar.EXE",
 "id": "418a3163-3247-4b7b-9933-dcfcb7c52ea9",
- "status": "experimental",
+ "status": "test",
 "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n",
 "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3",
 "tags": [
@@ -33224,7 +33300,7 @@
 {
 "title": "Potential Persistence Via AppCompat RegisterAppRestart Layer",
 "id": "b86852fb-4c77-48f9-8519-eb1b2c308b59",
- "status": "experimental",
+ "status": "test",
 "description": "Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.\nThis compatibility layer allows an application to register for restart using the \"RegisterApplicationRestart\" API.\nThis can be potentially abused as a persistence mechanism.\n",
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
@@ -33495,7 +33571,7 @@
 {
 "title": "Potential PowerShell Execution Policy Tampering",
 "id": "fad91067-08c5-4d1a-8d8c-d96a21b37814",
- "status": "experimental",
+ "status": "test",
 "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution",
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
@@ -33762,7 +33838,7 @@
 {
 "title": "Potentially Suspicious Desktop Background Change Via Registry",
 "id": "85b88e05-dadc-430b-8a9e-53ff1cd30aae",
- "status": "experimental",
+ "status": "test",
 "description": "Detects registry value settings that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n",
 "author": "Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)",
 "tags": [
@@ -35010,7 +35086,7 @@
 {
 "title": "DLL Names Used By SVR For GraphicalProton Backdoor",
 "id": "e64c8ef3-9f98-40c8-b71e-96110991cb4c",
- "status": "experimental",
+ "status": "test",
 "description": "Hunts known SVR-specific DLL names.",
 "author": "CISA",
 "tags": [
@@ -35109,7 +35185,7 @@
 {
 "title": "Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE",
 "id": "e5144106-8198-4f6e-bfc2-0a551cc8dd94",
- "status": "experimental",
+ "status": "test",
 "description": "Detects the execution of concatenated commands via \"cmd.exe\". Pikabot often executes a combination of multiple commands via the command handler \"cmd /c\" in order to download and execute additional payloads.\nCommands such as \"curl\", \"wget\" in order to download extra payloads. \"ping\" and \"timeout\" are abused to introduce delays in the command execution and \"Rundll32\" is also used to execute malicious DLL files.\nIn the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.\n",
 "author": "Alejandro Houspanossian ('@lekz86')",
 "tags": [
@@ -35463,7 +35539,7 @@
 {
 "title": "Potential Direct Syscall of NtOpenProcess",
 "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0",
- "status": "experimental",
+ "status": "test",
 "description": "Detects potential calls to NtOpenProcess directly from NTDLL.",
 "author": "Christian Burkard (Nextron Systems), Tim Shelton (FP)",
 "tags": [
@@ -37630,25 +37706,6 @@
 ],
 "filename": ""
 },
- {
- "title": "Powershell Exfiltration Over SMTP",
- "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b",
- "status": "test",
- "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n",
- "author": "frack113",
- "tags": [
- "attack.exfiltration",
- "attack.t1048.003"
- ],
- "falsepositives": [
- "Legitimate script"
- ],
- "level": "medium",
- "rule": [
- "SELECT * FROM logs WHERE (Channel='Microsoft-Windows-PowerShell/Operational' OR Channel='PowerShellCore/Operational') AND (EventID=4104 AND (ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND (NOT ScriptBlockText LIKE '%CmdletsToExport%' ESCAPE '\\')))"
- ],
- "filename": ""
- },
 {
 "title": "Certificate Exported Via PowerShell - ScriptBlock",
 "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c",
@@ -38501,7 +38558,7 @@
 {
 "title": "Cloudflared Tunnels Related DNS Requests",
 "id": "a1d9eec5-33b2-4177-8d24-27fe754d0812",
- "status": "experimental",
+ "status": "test",
 "description": "Detects DNS requests to Cloudflared tunnels domains.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.\n",
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
@@ -39271,7 +39328,7 @@
 {
 "title": "PSScriptPolicyTest Creation By Uncommon Process",
 "id": "1027d292-dd87-4a1a-8701-2abe04d7783c",
- "status": "experimental",
+ "status": "test",
 "description": "Detects the creation of the \"PSScriptPolicyTest\" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.",
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
@@ -40165,7 +40222,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=15 AND ((Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=15 AND ((Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR 
Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\')))" ], "filename": "" }, @@ -40331,7 +40388,7 @@ { "title": "Suspicious Wordpad Outbound Connections", "id": "786cdae8-fefb-4eb2-9227-04e34060db01", - "status": "experimental", + "status": "test", "description": "Detects a network connection initiated by \"wordpad.exe\" over uncommon destination ports.\nThis might indicate potential process injection activity from a beacon or similar mechanisms.\n", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -42586,7 +42643,7 @@
 {
 "title": "Potentially Suspicious AccessMask Requested From LSASS",
 "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76",
- "status": "experimental",
+ "status": "test",
 "description": "Detects process handle on LSASS process with certain access mask",
 "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)",
 "tags": [
@@ -43187,6 +43244,26 @@
 ],
 "filename": ""
 },
+ {
+ "title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet",
+ "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b",
+ "status": "test",
+ "description": "Detects the execution of a PowerShell script with a call to the \"Send-MailMessage\" cmdlet along with the \"-Attachments\" flag. This could be a potential sign of data exfiltration via Email.\nAdversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n",
+ "author": "frack113",
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1048.003",
+ "detection.threat-hunting"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE (Channel='Microsoft-Windows-PowerShell/Operational' OR Channel='PowerShellCore/Operational') AND (EventID=4104 AND ScriptBlockText LIKE '%Send-MailMessage%-Attachments%' ESCAPE '\\')"
+ ],
+ "filename": ""
+ },
 {
 "title": "SMB over QUIC Via PowerShell Script",
 "id": "6df07c3b-8456-4f8b-87bb-fe31ec964cae",
@@ -43293,7 +43370,7 @@
 {
 "title": "Access To Sysvol Policies Share By Uncommon Process",
 "id": "8344c19f-a023-45ff-ad63-a01c5396aea0",
- "status": "experimental",
+ "status": "test",
 "description": "Detects file access requests to the Windows Sysvol Policies Share by uncommon processes",
 "author": "frack113",
 "tags": [
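Review bot: The rewritten Send-MailMessage rule only fires when the literal `-Attachments` follows the cmdlet inside one script block, yet PowerShell binds any unambiguous parameter prefix, so `Send-MailMessage -Attach`, `-Att` or, as far as I can tell from the cmdlet's parameter set, even `-A` sends the same attachment and is missed, as is a splatted call such as `Send-MailMessage @mail`; since the broader `Send-MailMessage`-only form carrying this same rule id is removed elsewhere in this diff, nothing catches those variants any more. A cheap widening that still excludes the bare cmdlet is `ScriptBlockText LIKE '%Send-MailMessage%-At%' ESCAPE '\\'`; splatting would additionally need the `Attachments` key matched independently of the dash. These rules look like converted Sigma output, so if the converter is faithful the change belongs in the upstream rule rather than here.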
@@ -45919,7 +45996,7 @@
 {
 "title": "Potentially Suspicious Desktop Background Change Using Reg.EXE",
 "id": "8cbc9475-8d05-4e27-9c32-df960716c701",
- "status": "experimental",
+ "status": "test",
 "description": "Detects the execution of \"reg.exe\" to alter registry keys that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n",
 "author": "Stephen Lincoln @slincoln-aiq (AttackIQ)",
 "tags": [
@@ -46211,7 +46288,7 @@
 {
 "title": "Potentially Suspicious Command Targeting Teams Sensitive Files",
 "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75",
- "status": "experimental",
+ "status": "test",
 "description": "Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.\nThe database might contain authentication tokens and other sensitive information about the logged in accounts.\n",
 "author": "@SerkinValery",
 "tags": [
@@ -46459,7 +46536,7 @@
 {
 "title": "Cloudflared Tunnel Execution",
 "id": "9a019ffc-3580-4c9d-8d87-079f7e8d3fd4",
- "status": "experimental",
+ "status": "test",
 "description": "Detects execution of the \"cloudflared\" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.",
 "author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
@@ -47764,7 +47841,7 @@
 {
 "title": "Uncommon Child Process Of Conhost.EXE",
 "id": "7dc2dedd-7603-461a-bc13-15803d132355",
- "status": "experimental",
+ "status": "test",
 "description": "Detects uncommon \"conhost\" child processes. This could be a sign of \"conhost\" usage as a LOLBIN or potential process injection activity.",
 "author": "omkar72",
 "tags": [
@@ -49089,7 +49166,7 @@
 {
 "title": "Cloudflared Tunnel Connections Cleanup",
 "id": "7050bba1-1aed-454e-8f73-3f46f09ce56a",
- "status": "experimental",
+ "status": "test",
 "description": "Detects execution of the \"cloudflared\" tool with the tunnel \"cleanup\" flag in order to cleanup tunnel connections.",
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
@@ -49110,7 +49187,7 @@
 {
 "title": "Uncommon System Information Discovery Via Wmic.EXE",
 "id": "9d5a1274-922a-49d0-87f3-8c653483b909",
- "status": "experimental",
+ "status": "test",
 "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n",
 "author": "TropChaud",
 "tags": [
@@ -49750,7 +49827,7 @@
 {
 "title": "PUA - Process Hacker Execution",
 "id": "811e0002-b13b-4a15-9d00-a613fce66e42",
- "status": "experimental",
+ "status": "test",
 "description": "Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).\nProcess Hacker is a tool to view and manipulate processes, kernel options and other low level options.\nThreat actors abused older vulnerable versions to manipulate system processes.\n",
 "author": "Florian Roth (Nextron Systems)",
 "tags": [
@@ -50320,7 +50397,7 @@
 {
 "title": "Binary Proxy Execution Via Dotnet-Trace.EXE",
 "id": "9257c05b-4a4a-48e5-a670-b7b073cf401b",
- "status": "experimental",
+ "status": "test",
 "description": "Detects commandline arguments for executing a child process via dotnet-trace.exe",
 "author": "Jimmy Bayne (@bohops)",
 "tags": [
@@ -52335,7 +52412,7 @@
 {
 "title": "Cscript/Wscript Potentially Suspicious Child Process",
 "id": "b6676963-0353-4f88-90f5-36c20d443c6a",
- "status": "experimental",
+ "status": "test",
 "description": "Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.\nMalware such as Pikabot and Qakbot were seen using similar techniques as well as many others.\n",
 "author": "Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')",
 "tags": [
@@ -52488,7 +52565,7 @@
 {
 "title": "Cloudflared Portable Execution",
 "id": "fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd",
- "status": "experimental",
+ "status": "test",
 "description": "Detects the execution of the \"cloudflared\" binary from a non standard location.\n",
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "tags": [
@@ -53282,7 +53359,7 @@
 {
 "title": "Cloudflared Quick Tunnel Execution",
 "id": "222129f7-f4dc-4568-b0d2-22440a9639ba",
- "status": "experimental",
+ "status": "test",
 "description": "Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.\nThe free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.\nThe tool has been observed in use by threat groups including Akira ransomware.\n",
 "author": "Sajid Nawaz Khan",
 "tags": [
@@ -53720,7 +53797,7 @@
 "filename": ""
 },
 {
- "title": "Suspicious Schtasks From Env Var Folder",
+ "title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE",
 "id": "81325ce1-be01-4250-944f-b4789644556f",
 "status": "test",
 "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware",
@@ -53735,7 +53812,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND 
CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT ((ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\' OR CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\') OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\' OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine 
LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))" ], "filename": "" }, diff --git a/rules/rules_windows_sysmon_pysigma.json b/rules/rules_windows_sysmon_pysigma.json index f5e9e5d..35ef17f 100644 --- a/rules/rules_windows_sysmon_pysigma.json +++ b/rules/rules_windows_sysmon_pysigma.json 
@@ -3585,7 +3585,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\')) AND (TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\')) AND ((Details LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\') OR ((Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE 
Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%\\\\CLSID\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\')) AND (TargetObject LIKE '%\\\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{2155fee3-2419-4373-b102-6843707eb41f}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\\\%' ESCAPE '\\')) AND ((Details LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR Details LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%appdata\\%%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%%' ESCAPE '\\') OR ((Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favorites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Favourites\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Contacts\\\\%' ESCAPE '\\') OR (Details LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Pictures\\\\%' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -4402,7 +4402,7 @@ { "title": "Enable LM Hash Storage", "id": "c420410f-c2d8-4010-856b-dffe21866437", - "status": "experimental", + "status": "test", "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -5125,6 +5125,25 @@ ], "filename": "" }, + { + "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry", + "id": "a7df0e9e-91a5-459a-a003-4cde67c2ff5d", + "status": "test", + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "author": "Ahmed Farouk, Nasreddine Bencherchali", + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (((Details LIKE '%powershell%' ESCAPE '\\' OR Details LIKE '%pwsh%' ESCAPE '\\') AND (Details LIKE '% -e %' ESCAPE '\\' OR Details LIKE '% -ec %' ESCAPE '\\' OR Details LIKE '% -en %' ESCAPE '\\' OR Details LIKE '% -enc %' ESCAPE '\\' OR Details LIKE '% -enco%' ESCAPE '\\' OR Details LIKE '%ftp%' ESCAPE '\\' OR Details LIKE '%Hidden%' ESCAPE '\\' OR Details LIKE '%http%' ESCAPE '\\' OR Details LIKE '%iex%' ESCAPE '\\' OR Details LIKE '%Invoke-%' ESCAPE '\\')) OR (Details LIKE '%wmic%' ESCAPE '\\' AND (Details LIKE '%shadowcopy%' ESCAPE '\\' OR Details LIKE '%process call create%' ESCAPE '\\')))))" + ], + "filename": "" + }, { "title": "Macro Enabled In A Potentially Suspicious Document", "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", @@ -8068,7 +8087,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler", "id": "2bfc1373-0220-4fbd-8b10-33ddafd2a142", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ 
@@ -8086,7 +8105,7 @@ { "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor", "id": "8fa65166-f463-4fd2-ad4f-1436133c52e1", - "status": "experimental", + "status": "test", "description": "Hunts for known SVR-specific scheduled task names", "author": "CISA", "tags": [ @@ -11764,7 +11783,7 @@ { "title": "Tamper Windows Defender - ScriptBlockLogging", "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "status": "experimental", + "status": "test", "description": "Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -12575,7 +12594,7 @@ { "title": "Tamper Windows Defender - PSClassic", "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", - "status": "experimental", + "status": "test", "description": "Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -13042,7 +13061,7 @@ { "title": "Suspicious File Creation Activity From Fake Recycle.Bin Folder", "id": "cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca", - "status": "experimental", + "status": "test", "description": "Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -13837,10 +13856,10 @@ "filename": "" }, { - "title": "RDP File Creation From Suspicious Application", + "title": ".RDP File Created By Uncommon Application", "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "status": "test", - "description": "Detects Rclone config file being created", + "description": "Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense-evasion" 
@@ -13850,7 +13869,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND ((Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND (TargetFilename LIKE '%.rdp' ESCAPE '\\' AND (Image LIKE '%\\\\brave.exe' ESCAPE '\\' OR Image LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR Image LIKE '%\\\\chromium.exe' ESCAPE '\\' OR Image LIKE '%\\\\firefox.exe' ESCAPE '\\' OR Image LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\Opera.exe' ESCAPE '\\' OR Image LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR Image LIKE '%\\\\Whale.exe' ESCAPE '\\' OR Image LIKE '%\\\\olk.exe' ESCAPE '\\' OR Image LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR Image LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR Image LIKE 
'%\\\\Thunderbird.exe' ESCAPE '\\' OR Image LIKE '%\\\\Discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\Slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\teams.exe' ESCAPE '\\')))" ], "filename": "" }, @@ -14187,7 +14206,7 @@ { "title": "Uncommon File Created In Office Startup Folder", "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", - "status": "experimental", + "status": "test", "description": "Detects the creation of a file with an uncommon extension in an Office application startup folder", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -14300,6 +14319,24 @@ ], "filename": "" }, + { + "title": ".RDP File Created by Outlook Process", + "id": "f748c45a-f8d3-4e6f-b617-fe176f695b8f", + "status": "experimental", + "description": "Detects the creation of files with the \".rdp\" extensions in the temporary directory that Outlook uses when opening attachments.\nThis can be used to detect spear-phishing campaigns that use RDP files as attachments.\n", + "author": "Florian Roth", + "tags": [ + "attack.defense-evasion" + ], + "falsepositives": [ + "Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND (TargetFilename LIKE '%.rdp' ESCAPE '\\' AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.Outlook\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Olk\\\\Attachments\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "HackTool - Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
@@ -14463,7 +14500,7 @@ { "title": "HackTool Named File Stream Created", "id": "19b041f6-e583-40dc-b842-d6fa8011493f", - "status": "experimental", + "status": "test", "description": "Detects the creation of a named file stream with the imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -14515,7 +14552,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=15 AND ((Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\')))" + 
"SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=15 AND ((Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\')))" ], 
"filename": "" }, 
@@ -14696,7 +14733,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=3 AND ((Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (Initiated='true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' 
ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=3 AND ((Image LIKE '%:\\\\$Recycle.bin%' ESCAPE '\\' OR Image LIKE '%:\\\\Perflogs\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (Initiated='true' AND (DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%glitch.me' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR 
DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onrender.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%storjshare.io' ESCAPE '\\' OR DestinationHostname LIKE '%supabase.co' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\'))))" ], "filename": "" }, 
@@ -14717,7 +14754,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=3 AND ((Initiated='true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE 
'%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND (NOT ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' 
OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image LIKE 
'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 
'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR Image IS NULL OR Image=''))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=3 AND ((Initiated='true' AND (DestinationHostname LIKE '%.t.me' ESCAPE '\\' OR DestinationHostname LIKE '%4shared.com' ESCAPE '\\' OR DestinationHostname LIKE '%abuse.ch' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%drive.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropbox.com' ESCAPE '\\' OR DestinationHostname LIKE '%dropmefiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR 
DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%ghostbin.co/' ESCAPE '\\' OR DestinationHostname LIKE '%githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%gofile.io' ESCAPE '\\' OR DestinationHostname LIKE '%hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%onedrive.com' ESCAPE '\\' OR DestinationHostname LIKE '%pages.dev' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%pixeldrain.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%storage.googleapis.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%temp.sh' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%trycloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\' OR DestinationHostname LIKE '%vimeo.com' ESCAPE '\\' OR DestinationHostname LIKE '%w3spaces.com' ESCAPE '\\' OR DestinationHostname LIKE '%wetransfer.com' ESCAPE '\\' OR DestinationHostname LIKE '%workers.dev' ESCAPE '\\' OR 
DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND (NOT ((Image LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files (x86)\\\\Safari\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Safari\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\safari.exe' ESCAPE '\\') OR ((Image LIKE '%C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\') AND (Image 
LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR Image LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files\\\\PRTG Network Monitor\\\\PRTG Probe.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Program Files\\\\BraveSoftware\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\brave.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Maxthon\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\opera.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SeaMonkey\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SeaMonkey\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Vivaldi\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Naver\\\\Naver Whale\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\whale.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Waterfox\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\Waterfox\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\Waterfox.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\midori-ng\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Midori Next Generation.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\SlimBrowser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\SlimBrowser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\slimbrowser.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Flock\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Flock.exe' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Phoebe\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Phoebe.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files\\\\Falkon\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files 
(x86)\\\\Falkon\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\falkon.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\QtWeb\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\QtWeb\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\QtWeb.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Avant Browser\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Avant Browser\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\avant.exe' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\WindowsApps\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') AND Image LIKE '%\\\\WhatsApp.exe' ESCAPE '\\' AND DestinationHostname LIKE '%facebook.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Roaming\\\\Telegram Desktop\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Telegram.exe' ESCAPE '\\' AND DestinationHostname LIKE '%.t.me' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\OneDrive.exe' ESCAPE '\\' AND DestinationHostname LIKE '%onedrive.com' ESCAPE '\\') OR ((Image LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Dropbox.exe' ESCAPE '\\' OR Image LIKE '%\\\\DropboxInstaller.exe' ESCAPE '\\') AND DestinationHostname LIKE '%dropbox.com' ESCAPE '\\') OR ((Image LIKE '%\\\\MEGAsync.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32\\_%RC.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup32.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAsyncSetup64.exe' ESCAPE '\\' OR Image LIKE '%\\\\MEGAupdater.exe' ESCAPE '\\') AND (DestinationHostname LIKE '%mega.co.nz' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\')) OR ((Image LIKE '%C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR Image LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\') AND Image LIKE '%GoogleDriveFS.exe' ESCAPE '\\' AND 
DestinationHostname LIKE '%drive.google.com' ESCAPE '\\') OR (Image LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\Discord.exe' ESCAPE '\\' AND (DestinationHostname LIKE '%discord.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\')) OR Image IS NULL OR Image=''))))" ], "filename": "" }, @@ -15058,7 +15095,7 @@ { "title": "HackTool - EfsPotato Named Pipe Creation", "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", - "status": "experimental", + "status": "test", "description": "Detects the pattern of a pipe name as used by the hack tool EfsPotato", "author": "Florian Roth (Nextron Systems)", "tags": [ 
@@ -15460,7 +15497,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Bits-Client/Operational' AND (EventID=16403 AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Bits-Client/Operational' AND (EventID=16403 AND (RemoteName LIKE '%.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR RemoteName 
LIKE '%ghostbin.co%' ESCAPE '\\' OR RemoteName LIKE '%glitch.me%' ESCAPE '\\' OR RemoteName LIKE '%gofile.io%' ESCAPE '\\' OR RemoteName LIKE '%hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%onrender.com%' ESCAPE '\\' OR RemoteName LIKE '%pages.dev%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%pixeldrain.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%storjshare.io%' ESCAPE '\\' OR RemoteName LIKE '%supabase.co%' ESCAPE '\\' OR RemoteName LIKE '%temp.sh%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%trycloudflare.com%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\' OR RemoteName LIKE '%w3spaces.com%' ESCAPE '\\' OR RemoteName LIKE '%workers.dev%' ESCAPE '\\'))" ], "filename": "" }, @@ -17284,7 +17321,7 @@ { "title": "HackTool - NoFilter Execution", "id": "7b14c76a-c602-4ae6-9717-eff868153fc0", - "status": "experimental", + "status": "test", "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n", "author": "Stamatis Chatzimangou (st0pp3r)", "tags": [ 
@@ -20472,7 +20509,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName='curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE 
'%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\curl.exe' ESCAPE '\\' OR OriginalFileName='curl.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' 
ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR 
CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" ], "filename": "" }, @@ -20638,7 +20675,7 @@ "title": "Suspicious Windows Service Tampering", "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "status": "test", - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts\n", "author": "Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior", "tags": [ "attack.defense-evasion", 
@@ -20649,7 +20686,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((OriginalFileName='net.exe' OR OriginalFileName='net1.exe' OR OriginalFileName='PowerShell.EXE' OR OriginalFileName='psservice.exe' OR OriginalFileName='pwsh.dll' OR OriginalFileName='sc.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((OriginalFileName='net.exe' OR OriginalFileName='net1.exe' OR OriginalFileName='PowerShell.EXE' OR OriginalFileName='psservice.exe' OR OriginalFileName='pwsh.dll' OR OriginalFileName='sc.exe') OR (Image LIKE '%\\\\net.exe' ESCAPE '\\' OR Image LIKE '%\\\\net1.exe' ESCAPE '\\' OR Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService.exe' ESCAPE '\\' OR Image LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR Image LIKE '%\\\\sc.exe' ESCAPE '\\')) AND ((CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')) AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%AdobeARMservice%' ESCAPE '\\' OR CommandLine LIKE '%AHS Service%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%Apache4%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%AteraAgent%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! 
Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%CASLicenceServer%' ESCAPE '\\' OR CommandLine LIKE '%CASWebServer%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%dwmrcs%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FontCache3.0.0.0%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%HostControllerService%' ESCAPE '\\' OR CommandLine LIKE '%hvdsvc%' ESCAPE '\\' OR CommandLine LIKE '%IAStorDataMgrSvc%' ESCAPE '\\' OR CommandLine LIKE '%IBMHPS%' ESCAPE '\\' OR 
CommandLine LIKE '%ibmspsvc%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%instance2%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%KeyIso%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MSComplianceAudit%' ESCAPE '\\' OR 
CommandLine LIKE '%MSDTC%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$SQLEXPRESS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%mssecflt%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MSSQLFDLauncher$%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetPipeActivator%' ESCAPE '\\' OR CommandLine LIKE '%netprofm%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpActivator%' ESCAPE '\\' OR CommandLine LIKE '%NetTcpPortSharing%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%nvspwmi%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%OracleDBConsole%' ESCAPE '\\' OR CommandLine LIKE '%OracleMTSRecoveryService%' ESCAPE '\\' OR CommandLine LIKE '%OracleOraDb11g\\_home1%' ESCAPE '\\' OR CommandLine LIKE '%OracleService%' ESCAPE '\\' OR CommandLine LIKE '%OracleVssWriter%' ESCAPE '\\' OR CommandLine LIKE '%osppsvc%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' 
ESCAPE '\\' OR CommandLine LIKE '%postgresql-x64-9.4%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SearchExchangeTracing%' ESCAPE '\\' OR CommandLine LIKE '%sense%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLANYs\\_Sage\\_FAS\\_Fixed\\_Assets%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%storflt%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE 
'\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%TeamViewer%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Tomcat%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UFNet%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UniFi%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%vds%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeeamDeploySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%vmic%' ESCAPE '\\' OR CommandLine LIKE '%VMTools%' ESCAPE '\\' OR CommandLine LIKE '%vmvss%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wmms%' ESCAPE '\\' OR CommandLine LIKE 
'%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WPFFontCache\\_v0400%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%wsbexchange%' ESCAPE '\\' OR CommandLine LIKE '%WSearch%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\')))" ], "filename": "" }, @@ -21910,7 +21947,7 @@ { "title": "Suspicious Process Execution From Fake Recycle.Bin Folder", "id": "5ce0f04e-3efc-42af-839d-5b3a543b76c0", - "status": "experimental", + "status": "test", "description": "Detects process execution from a fake recycle bin folder, often used to avoid security solution.", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -22988,7 +23025,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (OriginalFileName='PowerShell.EXE' OR OriginalFileName='pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\')))" + "SELECT 
* FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((Image LIKE '%\\\\powershell.exe' ESCAPE '\\' OR Image LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (OriginalFileName='PowerShell.EXE' OR OriginalFileName='pwsh.dll')) AND (CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\')))" ], "filename": "" }, 
@@ -24782,7 +24819,7 @@ { "title": "HackTool - EDRSilencer Execution", "id": "eb2d07d4-49cb-4523-801a-da002df36602", - "status": "experimental", + "status": "test", "description": "Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.\n", "author": "@gott_cyber", "tags": [ @@ -24861,7 +24898,7 @@ { "title": "Forfiles.EXE Child Process Masquerading", "id": "f53714ec-5077-420e-ad20-907ff9bb2958", - "status": "experimental", + "status": "test", "description": "Detects the execution of \"forfiles\" from a non-default location, in order to potentially spawn a custom \"cmd.exe\" from the current working directory.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati", "tags": [ 
@@ -26435,7 +26472,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName='wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' 
ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\wget.exe' ESCAPE '\\' OR OriginalFileName='wget.exe') AND (CommandLine LIKE '%.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%ghostbin.co%' ESCAPE '\\' OR CommandLine LIKE '%glitch.me%' ESCAPE '\\' OR CommandLine LIKE '%gofile.io%' ESCAPE '\\' OR CommandLine LIKE '%hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%onrender.com%' ESCAPE '\\' OR CommandLine LIKE '%pages.dev%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' 
ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%pixeldrain.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%storjshare.io%' ESCAPE '\\' OR CommandLine LIKE '%supabase.co%' ESCAPE '\\' OR CommandLine LIKE '%temp.sh%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%trycloudflare.com%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\' OR CommandLine LIKE '%w3spaces.com%' ESCAPE '\\' OR CommandLine LIKE '%workers.dev%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND (CommandLine LIKE '%.ps1' ESCAPE '\\' OR CommandLine LIKE '%.ps1''' ESCAPE '\\' OR CommandLine LIKE '%.ps1\"' ESCAPE '\\' OR CommandLine LIKE '%.dat' ESCAPE '\\' OR CommandLine LIKE '%.dat''' ESCAPE '\\' OR CommandLine LIKE '%.dat\"' ESCAPE '\\' OR CommandLine LIKE '%.msi' ESCAPE '\\' OR CommandLine LIKE '%.msi''' ESCAPE '\\' OR CommandLine LIKE '%.msi\"' ESCAPE '\\' OR CommandLine LIKE '%.bat' ESCAPE '\\' OR CommandLine LIKE '%.bat''' ESCAPE '\\' OR CommandLine LIKE '%.bat\"' ESCAPE '\\' OR CommandLine LIKE '%.exe' ESCAPE '\\' OR CommandLine LIKE '%.exe''' ESCAPE '\\' OR CommandLine LIKE '%.exe\"' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\' OR CommandLine LIKE '%.vbs''' ESCAPE '\\' OR CommandLine LIKE '%.vbs\"' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbe''' ESCAPE '\\' OR CommandLine LIKE '%.vbe\"' ESCAPE '\\' OR CommandLine LIKE '%.hta' ESCAPE '\\' OR CommandLine LIKE '%.hta''' ESCAPE '\\' OR CommandLine LIKE '%.hta\"' ESCAPE '\\' OR CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE 
'%.dll''' ESCAPE '\\' OR CommandLine LIKE '%.dll\"' ESCAPE '\\' OR CommandLine LIKE '%.psm1' ESCAPE '\\' OR CommandLine LIKE '%.psm1''' ESCAPE '\\' OR CommandLine LIKE '%.psm1\"' ESCAPE '\\')))" ], "filename": "" }, @@ -27186,7 +27223,7 @@ { "title": "Renamed Cloudflared.EXE Execution", "id": "e0c69ebd-b54f-4aed-8ae3-e3467843f3f0", - "status": "experimental", + "status": "test", "description": "Detects the execution of a renamed \"cloudflared\" binary.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -28450,7 +28487,7 @@ { "title": "Suspicious Greedy Compression Using Rar.EXE", "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", - "status": "experimental", + "status": "test", "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ 
@@ -31007,10 +31044,29 @@ ], "filename": "" }, + { + "title": "Command Executed Via Run Dialog Box - Registry", + "id": "f9d091f6-f1c7-4873-a24f-050b4a02b4dd", + "status": "experimental", + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "author": "Ahmed Farouk, Nasreddine Bencherchali", + "tags": [ + "detection.threat-hunting", + "attack.execution" + ], + "falsepositives": [ + "Likely" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU%' ESCAPE '\\' AND (NOT TargetObject LIKE '%\\\\MRUList' ESCAPE '\\') AND (NOT (Details LIKE '%ping%' ESCAPE '\\' OR (Details LIKE '\\%appdata\\%\\\\1' ESCAPE '\\' OR Details LIKE '\\%localappdata\\%\\\\1' ESCAPE '\\' OR Details LIKE '\\%public\\%\\\\1' ESCAPE '\\' OR Details LIKE '\\%temp\\%\\\\1' ESCAPE '\\' OR Details LIKE 'calc\\\\1' ESCAPE '\\' OR Details LIKE 'dxdiag\\\\1' ESCAPE '\\' OR Details LIKE 'explorer\\\\1' ESCAPE '\\' OR Details LIKE 'gpedit.msc\\\\1' ESCAPE '\\' OR Details LIKE 'mmc\\\\1' ESCAPE '\\' OR Details LIKE 'notepad\\\\1' ESCAPE '\\' OR Details LIKE 'regedit\\\\1' ESCAPE '\\' OR Details LIKE 'services.msc\\\\1' ESCAPE '\\' OR Details LIKE 'winver\\\\1' ESCAPE '\\')))))" + ], + "filename": "" + }, { "title": "Amsi.DLL Load By Uncommon Process", "id": "facd1549-e416-48e0-b8c4-41d7215eedc8", - "status": "experimental", + "status": "test", "description": "Detects loading of Amsi.dll by uncommon processes", "author": "frack113", "tags": [ 
@@ -31484,6 +31540,26 @@ ], "filename": "" }, + { + "title": "Access To Browser Credential Files By Uncommon Applications - Security", + "id": "4b60e527-ec73-4b47-8cb3-f02ad927ca65", + "status": "experimental", + "description": "Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.\n", + "author": "Daniel Koifman (@Koifsec), Nasreddine Bencherchali", + "tags": [ + "attack.credential-access", + "attack.t1555.003", + "detection.threat-hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4663 AND ObjectType='File' AND AccessMask='0x1') AND ((ObjectName LIKE '%\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Local State%' ESCAPE '\\' OR ObjectName LIKE '%\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\') OR (FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%\\\\places.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\')) AND (NOT (ProcessName='System' OR (ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))) AND (NOT (ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "Scheduled Task Deletion", "id": "4f86b304-3e02-40e3-aa5d-e88a167c9617", 
@@ -32049,7 +32125,7 @@ { "title": "Compressed File Extraction Via Tar.EXE", "id": "bf361876-6620-407a-812f-bfe11e51e924", - "status": "experimental", + "status": "test", "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n", "author": "AdmU3", "tags": [ @@ -32165,7 +32241,7 @@ { "title": "Firewall Configuration Discovery Via Netsh.EXE", "id": "0e4164da-94bc-450d-a7be-a4b176179f1f", - "status": "experimental", + "status": "test", "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ @@ -32456,7 +32532,7 @@ { "title": "Compressed File Creation Via Tar.EXE", "id": "418a3163-3247-4b7b-9933-dcfcb7c52ea9", - "status": "experimental", + "status": "test", "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3", "tags": [ @@ -33224,7 +33300,7 @@ { "title": "Potential Persistence Via AppCompat RegisterAppRestart Layer", "id": "b86852fb-4c77-48f9-8519-eb1b2c308b59", - "status": "experimental", + "status": "test", "description": "Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.\nThis compatibility layer allows an application to register for restart using the \"RegisterApplicationRestart\" API.\nThis can be potentially abused as a persistence mechanism.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -33495,7 +33571,7 @@ { "title": "Potential PowerShell Execution Policy Tampering", "id": "fad91067-08c5-4d1a-8d8c-d96a21b37814", - "status": "experimental", + "status": "test", "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -33762,7 +33838,7 @@ { "title": "Potentially Suspicious Desktop Background Change Via Registry", "id": "85b88e05-dadc-430b-8a9e-53ff1cd30aae", - "status": "experimental", + "status": "test", "description": "Detects registry value settings that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)", "tags": [ @@ -35010,7 +35086,7 @@ { "title": "DLL Names Used By SVR For GraphicalProton Backdoor", "id": "e64c8ef3-9f98-40c8-b71e-96110991cb4c", - "status": "experimental", + "status": "test", "description": "Hunts known SVR-specific DLL names.", "author": "CISA", "tags": [ 
@@ -35109,7 +35185,7 @@ { "title": "Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE", "id": "e5144106-8198-4f6e-bfc2-0a551cc8dd94", - "status": "experimental", + "status": "test", "description": "Detects the execution of concatenated commands via \"cmd.exe\". Pikabot often executes a combination of multiple commands via the command handler \"cmd /c\" in order to download and execute additional payloads.\nCommands such as \"curl\", \"wget\" in order to download extra payloads. \"ping\" and \"timeout\" are abused to introduce delays in the command execution and \"Rundll32\" is also used to execute malicious DLL files.\nIn the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.\n", "author": "Alejandro Houspanossian ('@lekz86')", "tags": [ @@ -35463,7 +35539,7 @@ { "title": "Potential Direct Syscall of NtOpenProcess", "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", - "status": "experimental", + "status": "test", "description": "Detects potential calls to NtOpenProcess directly from NTDLL.", "author": "Christian Burkard (Nextron Systems), Tim Shelton (FP)", "tags": [ 
@@ -37630,25 +37706,6 @@ ], "filename": "" }, - { - "title": "Powershell Exfiltration Over SMTP", - "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", - "status": "test", - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "author": "frack113", - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], - "falsepositives": [ - "Legitimate script" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (Channel='Microsoft-Windows-PowerShell/Operational' OR Channel='PowerShellCore/Operational') AND (EventID=4104 AND (ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND (NOT ScriptBlockText LIKE '%CmdletsToExport%' ESCAPE '\\')))" - ], - "filename": "" - }, { "title": "Certificate Exported Via PowerShell - ScriptBlock", "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", @@ -38501,7 +38558,7 @@ { "title": "Cloudflared Tunnels Related DNS Requests", "id": "a1d9eec5-33b2-4177-8d24-27fe754d0812", - "status": "experimental", + "status": "test", "description": "Detects DNS requests to Cloudflared tunnels domains.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -39271,7 +39328,7 @@ { "title": "PSScriptPolicyTest Creation By Uncommon Process", "id": "1027d292-dd87-4a1a-8701-2abe04d7783c", - "status": "experimental", + "status": "test", "description": "Detects the creation of the \"PSScriptPolicyTest\" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ 
@@ -40165,7 +40222,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=15 AND ((Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=15 AND ((Contents LIKE '%.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR 
Contents LIKE '%dl.dropboxusercontent.com%' ESCAPE '\\' OR Contents LIKE '%ghostbin.co%' ESCAPE '\\' OR Contents LIKE '%glitch.me%' ESCAPE '\\' OR Contents LIKE '%gofile.io%' ESCAPE '\\' OR Contents LIKE '%hastebin.com%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%onrender.com%' ESCAPE '\\' OR Contents LIKE '%pages.dev%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pixeldrain.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%storjshare.io%' ESCAPE '\\' OR Contents LIKE '%supabase.co%' ESCAPE '\\' OR Contents LIKE '%temp.sh%' ESCAPE '\\' OR Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%trycloudflare.com%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%w3spaces.com%' ESCAPE '\\' OR Contents LIKE '%workers.dev%' ESCAPE '\\') AND (TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\')))" ], "filename": "" }, @@ -40331,7 +40388,7 @@ { "title": "Suspicious Wordpad Outbound Connections", "id": "786cdae8-fefb-4eb2-9227-04e34060db01", - "status": "experimental", + "status": "test", "description": "Detects a network connection initiated by \"wordpad.exe\" over uncommon destination ports.\nThis might indicate potential process injection activity from a beacon or similar mechanisms.\n", "author": "X__Junior (Nextron Systems)", "tags": [ 
@@ -42586,7 +42643,7 @@ { "title": "Potentially Suspicious AccessMask Requested From LSASS", "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", - "status": "experimental", + "status": "test", "description": "Detects process handle on LSASS process with certain access mask", "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", "tags": [ @@ -43187,6 +43244,26 @@ ], "filename": "" }, + { + "title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet", + "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", + "status": "test", + "description": "Detects the execution of a PowerShell script with a call to the \"Send-MailMessage\" cmdlet along with the \"-Attachments\" flag. This could be a potential sign of data exfiltration via Email.\nAdversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n", + "author": "frack113", + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "detection.threat-hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (Channel='Microsoft-Windows-PowerShell/Operational' OR Channel='PowerShellCore/Operational') AND (EventID=4104 AND ScriptBlockText LIKE '%Send-MailMessage%-Attachments%' ESCAPE '\\')" + ], + "filename": "" + }, { "title": "SMB over QUIC Via PowerShell Script", "id": "6df07c3b-8456-4f8b-87bb-fe31ec964cae", @@ -43293,7 +43370,7 @@ { "title": "Access To Sysvol Policies Share By Uncommon Process", "id": "8344c19f-a023-45ff-ad63-a01c5396aea0", - "status": "experimental", + "status": "test", "description": "Detects file access requests to the Windows Sysvol Policies Share by uncommon processes", "author": "frack113", "tags": [ 
@@ -45919,7 +45996,7 @@ { "title": "Potentially Suspicious Desktop Background Change Using Reg.EXE", "id": "8cbc9475-8d05-4e27-9c32-df960716c701", - "status": "experimental", + "status": "test", "description": "Detects the execution of \"reg.exe\" to alter registry keys that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", "author": "Stephen Lincoln @slincoln-aiq (AttackIQ)", "tags": [ @@ -46211,7 +46288,7 @@ { "title": "Potentially Suspicious Command Targeting Teams Sensitive Files", "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", - "status": "experimental", + "status": "test", "description": "Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.\nThe database might contain authentication tokens and other sensitive information about the logged in accounts.\n", "author": "@SerkinValery", "tags": [ @@ -46459,7 +46536,7 @@ { "title": "Cloudflared Tunnel Execution", "id": "9a019ffc-3580-4c9d-8d87-079f7e8d3fd4", - "status": "experimental", + "status": "test", "description": "Detects execution of the \"cloudflared\" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.", "author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -47764,7 +47841,7 @@ { "title": "Uncommon Child Process Of Conhost.EXE", "id": "7dc2dedd-7603-461a-bc13-15803d132355", - "status": "experimental", + "status": "test", "description": "Detects uncommon \"conhost\" child processes. This could be a sign of \"conhost\" usage as a LOLBIN or potential process injection activity.", "author": "omkar72", "tags": [ 
@@ -49089,7 +49166,7 @@ { "title": "Cloudflared Tunnel Connections Cleanup", "id": "7050bba1-1aed-454e-8f73-3f46f09ce56a", - "status": "experimental", + "status": "test", "description": "Detects execution of the \"cloudflared\" tool with the tunnel \"cleanup\" flag in order to cleanup tunnel connections.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -49110,7 +49187,7 @@ { "title": "Uncommon System Information Discovery Via Wmic.EXE", "id": "9d5a1274-922a-49d0-87f3-8c653483b909", - "status": "experimental", + "status": "test", "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", "author": "TropChaud", "tags": [ @@ -49750,7 +49827,7 @@ { "title": "PUA - Process Hacker Execution", "id": "811e0002-b13b-4a15-9d00-a613fce66e42", - "status": "experimental", + "status": "test", "description": "Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).\nProcess Hacker is a tool to view and manipulate processes, kernel options and other low level options.\nThreat actors abused older vulnerable versions to manipulate system processes.\n", "author": "Florian Roth (Nextron Systems)", "tags": [ @@ -50320,7 +50397,7 @@ { "title": "Binary Proxy Execution Via Dotnet-Trace.EXE", "id": "9257c05b-4a4a-48e5-a670-b7b073cf401b", - "status": "experimental", + "status": "test", "description": "Detects commandline arguments for executing a child process via dotnet-trace.exe", "author": "Jimmy Bayne (@bohops)", "tags": [ 
@@ -52335,7 +52412,7 @@ { "title": "Cscript/Wscript Potentially Suspicious Child Process", "id": "b6676963-0353-4f88-90f5-36c20d443c6a", - "status": "experimental", + "status": "test", "description": "Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.\nMalware such as Pikabot and Qakbot were seen using similar techniques as well as many others.\n", "author": "Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')", "tags": [ @@ -52488,7 +52565,7 @@ { "title": "Cloudflared Portable Execution", "id": "fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd", - "status": "experimental", + "status": "test", "description": "Detects the execution of the \"cloudflared\" binary from a non standard location.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ @@ -53282,7 +53359,7 @@ { "title": "Cloudflared Quick Tunnel Execution", "id": "222129f7-f4dc-4568-b0d2-22440a9639ba", - "status": "experimental", + "status": "test", "description": "Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.\nThe free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.\nThe tool has been observed in use by threat groups including Akira ransomware.\n", "author": "Sajid Nawaz Khan", "tags": [ @@ -53720,7 +53797,7 @@ "filename": "" }, { - "title": "Suspicious Schtasks From Env Var Folder", + "title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE", "id": "81325ce1-be01-4250-944f-b4789644556f", "status": "test", "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", 
@@ -53735,7 +53812,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND 
CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\'))) AND (NOT ((ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\' OR CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\') OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\' OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\') AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine 
LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))))" ], "filename": "" },
diff --git a/zircolite.py b/zircolite.py
index b8c4c5e..ff99068 100755
--- a/zircolite.py
+++ b/zircolite.py
@@ -25,7 +25,8 @@ from sys import platform as _platform
 # External libs (Mandatory)
-import orjson as json
+import orjson
+import psutil
 import xxhash
 from colorama import Fore
 from tqdm import tqdm
@@ -37,13 +38,13 @@ from RestrictedPython.Guards import guarded_iter_unpack_sequence
 # External libs (Optional)
-updateDisabled = False
+update_disabled = False
 try:
 import requests
 except ImportError:
- updateDisabled = True
+ update_disabled = True
-sigmaConversionDisabled = False
+sigma_conversion_disabled = False
 try:
 from sigma.collection import SigmaCollection
 from sigma.backends.sqlite import sqlite
@@ -51,25 +52,25 @@ from sigma.plugins import InstalledSigmaPlugins
 import yaml
 except ImportError:
- sigmaConversionDisabled = True
+ sigma_conversion_disabled = True
-pyevtxDisabled = False
+pyevtx_disabled = False
 try:
 from evtx import PyEvtxParser
 except ImportError:
- pyevtxDisabled = True
+ pyevtx_disabled = True
-jinja2Disabled = False
+jinja2_disabled = False
 try:
 from jinja2 import Template
 except ImportError:
- jinja2Disabled = True
+ jinja2_disabled = True
-xmlImportDisabled = False
+xml_import_disabled = False
 try:
 from lxml import etree
 except ImportError:
- xmlImportDisabled = True
+ xml_import_disabled = True
 def signal_handler(sig, frame):
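Review bot: `import psutil` is added unconditionally under `# External libs (Mandatory)`, which turns a new third-party package into a hard import-time requirement, and no dependency-manifest change (requirements/pyproject) is visible in this diff, so an existing installation would fail with ModuleNotFoundError before argument parsing even runs. If psutil is only needed for the automatic core/memory sizing this commit introduces, the file's own optional-library pattern fits better: `psutil_disabled = False` / `try: import psutil` / `except ImportError: psutil_disabled = True`, with the sizing code falling back to the previous fixed defaults when it is disabled. Either way the new dependency should be pinned in the project's manifest next to the other mandatory libraries. Separately, dropping the `as json` alias on orjson means every former `json.loads`/`json.dumps` call site in the file must have been renamed; that is not verifiable from the hunks visible here.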
@@ -77,17 +78,17 @@ def signal_handler(sig, frame): sys.exit(0) -def quitOnError(message): +def quit_on_error(message): """Log an error message and exit the program.""" logger = logging.getLogger(__name__) logger.error(message) sys.exit(1) -def checkIfExists(path, errorMessage): +def check_if_exists(path, error_message): """Test if path provided is a file""" if not (Path(path).is_file()): - quitOnError(errorMessage) + quit_on_error(error_message) def setup_logging(debug_mode, log_file=None): @@ -134,9 +135,9 @@ def default_guarded_getitem(ob, index): class template_engine: - def __init__(self, templates=[], template_outputs=[], timeField=""): + def __init__(self, templates=[], template_outputs=[], time_field=""): self.logger = logging.getLogger(__name__) - self.timeField = timeField + self.time_field = time_field self.compiled_templates = {} # Flatten templates and outputs if they are nested lists self.template_paths = [ 
@@ -146,19 +147,19 @@ def __init__(self, templates=[], template_outputs=[], timeField=""): out[0] if isinstance(out, list) else out for out in template_outputs ] - def generate_from_template(self, template_file, outputFilename, data): + def generate_from_template(self, template_file, output_filename, data): """Use Jinja2 to output data in a specific format""" try: with open(template_file, "r", encoding="utf-8") as tmpl: # Use the compiled template if available, otherwise compile it if template_file in self.compiled_templates: - template = self.compiled_templates["templateFile"] + template = self.compiled_templates["template_file"] else: template = Template(tmpl.read()) - self.compiled_templates["templateFile"] = template + self.compiled_templates["template_file"] = template # Render the template and write to the output file - with open(outputFilename, "a", encoding="utf-8") as tpl: - tpl.write(template.render(data=data, timeField=self.timeField)) + with open(output_filename, "a", encoding="utf-8") as tpl: + tpl.write(template.render(data=data, time_field=self.time_field)) except Exception as e: self.logger.error( f"{Fore.RED} [-] Template error, activate debug mode with '--debug' to check for errors{Fore.RESET}" 
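Review bot: The template cache in `generate_from_template` is keyed on the literal string `"template_file"` rather than on the variable, so `if template_file in self.compiled_templates` is never true and nothing is ever reused; worse, if it did match, the last compiled template would be rendered for every template path. Use `self.compiled_templates[template_file]` for both the lookup and the store, and read the file only on the miss branch. `Template(tmpl.read())` renders with Jinja2's default autoescape off, which is acceptable for the plain-text formats this targets but is worth stating in the docstring, since the rendered data is matched event content under the attacker's control.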
@@ -180,22 +181,22 @@ class json_flattener: def __init__( self, - configFile, - timeAfter="1970-01-01T00:00:00", - timeBefore="9999-12-12T23:59:59", - timeField=None, + config_file, + time_after="1970-01-01T00:00:00", + time_before="9999-12-12T23:59:59", + time_field=None, hashes=False, input_format=None, ): self.logger = logging.getLogger(__name__) - self.keyDict = {} - self.fieldStmt = "" - self.valuesStmt = [] - self.timeAfter = timeAfter - self.timeBefore = timeBefore - self.timeField = timeField + self.key_dict = {} + self.field_stmt = "" + self.values_stmt = [] + self.time_after = time_after + self.time_before = time_before + self.time_field = time_field self.hashes = hashes - self.JSONArray = False + self.json_array = False # Initialize the cache for compiled code self.compiled_code_cache = {} 
@@ -205,19 +206,19 @@ def __init__( self.chosen_input = "evtx_input" # Since evtx is the default input, we force it no chosen input has been found if self.chosen_input == "json_array_input": - self.JSONArray = True - - with open(configFile, "r", encoding="UTF-8") as fieldMappingsFile: - self.fieldMappingsDict = json.loads(fieldMappingsFile.read()) - self.fieldExclusions = self.fieldMappingsDict["exclusions"] - self.fieldMappings = self.fieldMappingsDict["mappings"] - self.uselessValues = self.fieldMappingsDict["useless"] - self.aliases = self.fieldMappingsDict["alias"] - self.fieldSplitList = self.fieldMappingsDict["split"] - self.transforms = self.fieldMappingsDict["transforms"] - self.transforms_enabled = self.fieldMappingsDict["transforms_enabled"] - - self.RestrictedPython_BUILTINS = { + self.json_array = True + + with open(config_file, "r", encoding="UTF-8") as field_mappings_file: + self.field_mappings_dict = orjson.loads(field_mappings_file.read()) + self.field_exclusions = self.field_mappings_dict["exclusions"] + self.field_mappings = self.field_mappings_dict["mappings"] + self.useless_values = self.field_mappings_dict["useless"] + self.aliases = self.field_mappings_dict["alias"] + self.field_split_list = self.field_mappings_dict["split"] + self.transforms = self.field_mappings_dict["transforms"] + self.transforms_enabled = self.field_mappings_dict["transforms_enabled"] + + self.restricted_python_builtins = { "__name__": "script", "_getiter_": default_guarded_getiter, "_getattr_": getattr, 
@@ -227,28 +228,27 @@ def __init__( "chardet": chardet, "_iter_unpack_sequence_": guarded_iter_unpack_sequence, } - self.RestrictedPython_BUILTINS.update(safe_builtins) - self.RestrictedPython_BUILTINS.update(limited_builtins) - self.RestrictedPython_BUILTINS.update(utility_builtins) + self.restricted_python_builtins.update(safe_builtins) + self.restricted_python_builtins.update(limited_builtins) + self.restricted_python_builtins.update(utility_builtins) def transform_value(self, code, param): try: - # Check if the code has already been compiled - if code in self.compiled_code_cache: - byte_code = self.compiled_code_cache[code] - else: - # Compile the code and store it in the cache - byte_code = compile_restricted( - code, filename="", mode="exec" - ) - self.compiled_code_cache[code] = byte_code - # Prepare the execution environment - TransformFunction = {} - exec(byte_code, self.RestrictedPython_BUILTINS, TransformFunction) - return TransformFunction["transform"](param) + # Get or compile bytecode using cache + byte_code = self.compiled_code_cache.get( + code + ) or self.compiled_code_cache.setdefault( + code, compile_restricted(code, filename="", mode="exec") + ) + + # Execute transform in restricted environment + transform_env = {} + exec(byte_code, self.restricted_python_builtins, transform_env) + return transform_env["transform"](param) + except Exception as e: self.logger.debug(f"ERROR: Couldn't apply transform: {e}") - return param # Return the original parameter if transform fails + return param def process_file(self, file): """ @@ -256,12 +256,12 @@ def process_file(self, file): Returns the flattened json object """ self.logger.debug(f"FLATTENING : {file}") - JSONLine = {} - JSONOutput = [] - fieldStmt = "" + json_line = {} + json_output = [] + field_stmt = "" def flatten(x, name=""): - nonlocal fieldStmt + nonlocal field_stmt # If it is a Dict go deeper if isinstance(x, dict): for a in x: 
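Review bot: `exec(byte_code, self.restricted_python_builtins, transform_env)` in `transform_value` runs transform code taken from the mappings config under a namespace whose `_getattr_` is the plain builtin `getattr` (bound as context in the hunk above); RestrictedPython's compile step rejects `_`-prefixed attribute names, but it is the runtime guard that blocks the `str.format` gadget (`"{0.__class__}".format(obj)`), and a bare `getattr` lets it through, so `compile_restricted` gives little protection here. Bind `"_getattr_": safer_getattr` from `RestrictedPython.Guards` instead, and document that the mappings file is treated as trusted input regardless. The new `self.compiled_code_cache.get(code) or self.compiled_code_cache.setdefault(...)` expression compresses a two-step cache lookup into one line; a plain `if code not in self.compiled_code_cache:` block reads better. Returning `param` unchanged on any exception with only a debug message means a broken transform silently disables a field the rules may depend on — log that at warning level.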
@@ -269,166 +269,150 @@ def flatten(x, name=""): else: # Applying exclusions. Be careful, the key/value pair is discarded if there is a partial match if not any( - exclusion in name[:-1] for exclusion in self.fieldExclusions + exclusion in name[:-1] for exclusion in self.field_exclusions ): # Arrays are not expanded - if isinstance(x, list): - value = "".join(str(x)) - else: - value = x + value = "".join(str(x)) if isinstance(x, list) else x # Excluding useless values (e.g. "null"). The value must be an exact match. - if value not in self.uselessValues: + if value not in self.useless_values: # Applying field mappings - rawFieldName = name[:-1] - if rawFieldName in self.fieldMappings: - key = self.fieldMappings[rawFieldName] - else: - # Removing all annoying character from field name - key = "".join( - e for e in rawFieldName.split(".")[-1] if e.isalnum() - ) + raw_field_name = name[:-1] + key = self.field_mappings.get( + raw_field_name, + "".join( + e for e in raw_field_name.split(".")[-1] if e.isalnum() + ), + ) # Preparing aliases (work on original field name and Mapped field name) keys = [key] - for fieldName in [key, rawFieldName]: - if fieldName in self.aliases: + for field_name in (key, raw_field_name): + if field_name in self.aliases: keys.append(self.aliases[key]) # Applying field transforms (work on original field name and Mapped field name) - keysThatNeedTransformedValues = [] - transformedValuesByKeys = {} + keys_that_need_transformed_values = [] + transformed_values_by_keys = {} if self.transforms_enabled: - for fieldName in [key, rawFieldName]: - if fieldName in self.transforms: - for transform in self.transforms[fieldName]: + for field_name in [key, raw_field_name]: + if field_name in self.transforms: + for transform in self.transforms[field_name]: if ( transform["enabled"] and self.chosen_input in transform["source_condition"] ): - transformCode = transform["code"] + transform_code = transform["code"] # If the transform rule ask for a dedicated alias 
if transform["alias"]: keys.append(transform["alias_name"]) - keysThatNeedTransformedValues.append( + keys_that_need_transformed_values.append( transform["alias_name"] ) - transformedValuesByKeys[ + transformed_values_by_keys[ transform["alias_name"] ] = self.transform_value( - transformCode, value + transform_code, value ) else: value = self.transform_value( - transformCode, value + transform_code, value ) # Applying field splitting - fieldsToSplit = [] - if rawFieldName in self.fieldSplitList: - fieldsToSplit.append(rawFieldName) - if key in self.fieldSplitList: - fieldsToSplit.append(key) - - if len(fieldsToSplit) > 0: - for field in fieldsToSplit: - try: - splittedFields = value.split( - self.fieldSplitList[field]["separator"] - ) - for splittedField in splittedFields: - k, v = splittedField.split( - self.fieldSplitList[field]["equal"] - ) - keyLower = k.lower() - JSONLine[k] = v - if keyLower not in self.keyDict: - self.keyDict[keyLower] = k - fieldStmt += f"'{k}' TEXT COLLATE NOCASE,\n" - except Exception as e: - self.logger.debug( - f"ERROR : Couldn't apply field splitting, value(s) {str(splittedFields)} : {e}" - ) + fields_to_split = set( + field + for field in (raw_field_name, key) + if field in self.field_split_list + ) + + for field in fields_to_split: + try: + separator = self.field_split_list[field]["separator"] + equal = self.field_split_list[field]["equal"] + for splitted_field in value.split(separator): + k, v = splitted_field.split(equal) + json_line[k] = v + key_lower = k.lower() + if key_lower not in self.key_dict: + self.key_dict[key_lower] = k + field_stmt += f"'{k}' TEXT COLLATE NOCASE,\n" + except Exception as e: + self.logger.debug( + f"ERROR : Couldn't apply field splitting for {field}: {e}" + ) # Applying aliases for key in keys: - if key in keysThatNeedTransformedValues: - JSONLine[key] = transformedValuesByKeys[key] - else: - JSONLine[key] = value - # Creating the CREATE TABLE SQL statement - keyLower = key.lower() - if keyLower not in 
self.keyDict: - self.keyDict[keyLower] = key - if isinstance(value, int): - fieldStmt += f"'{key}' INTEGER,\n" - else: - fieldStmt += f"'{key}' TEXT COLLATE NOCASE,\n" + # Set value in json_line + json_line[key] = transformed_values_by_keys.get(key, value) + # Only process schema if key not seen before + key_lower = key.lower() + if key_lower not in self.key_dict: + self.key_dict[key_lower] = key + # Determine column type + col_type = ( + "INTEGER" + if isinstance(value, int) + else "TEXT COLLATE NOCASE" + ) + field_stmt += f"'{key}' {col_type},\n" # If filesize is not zero if os.stat(file).st_size != 0: - with open(str(file), "r", encoding="utf-8") as JSONFile: - filename = os.path.basename(file) - logs = JSONFile - # If the file is a json array - if self.JSONArray: - try: - logs = json.loads(JSONFile.read()) - except Exception as e: - self.logger.debug(f"JSON ARRAY ERROR : {e}") - logs = [] + filename = os.path.basename(file) + with open(str(file), "r", encoding="utf-8") as json_file: + logs = orjson.loads(json_file.read()) if self.json_array else json_file for line in logs: try: - if self.JSONArray: - dictToFlatten = line - else: - dictToFlatten = json.loads(line) - dictToFlatten.update({"OriginalLogfile": filename}) + dict_to_flatten = ( + line if self.json_array else orjson.loads(line) + ) + dict_to_flatten["OriginalLogfile"] = filename if self.hashes: - dictToFlatten.update( - { - "OriginalLogLinexxHash": xxhash.xxh64_hexdigest( - line[:-1] - ) - } + dict_to_flatten["OriginalLogLinexxHash"] = ( + xxhash.xxh64_hexdigest(line[:-1]) ) - flatten(dictToFlatten) + flatten(dict_to_flatten) except Exception as e: self.logger.debug(f"JSON ERROR : {e}") - # Handle timestamp filters + continue + if ( - self.timeAfter != "1970-01-01T00:00:00" - or self.timeBefore != "9999-12-12T23:59:59" - ) and (self.timeField in JSONLine): - try: - timestamp = time.strptime( - JSONLine[self.timeField].split(".")[0].replace("Z", ""), - "%Y-%m-%dT%H:%M:%S", - ) - if ( - timestamp > 
self.timeAfter - and timestamp < self.timeBefore - ): - JSONOutput.append(JSONLine) - except Exception: - JSONOutput.append(JSONLine) + self.time_after != "1970-01-01T00:00:00" + or self.time_before != "9999-12-12T23:59:59" + ): + if self.time_field in json_line: + try: + timestamp = time.strptime( + json_line[self.time_field] + .split(".")[0] + .replace("Z", ""), + "%Y-%m-%dT%H:%M:%S", + ) + if self.time_after < timestamp < self.time_before: + json_output.append(json_line) + except Exception: + json_output.append(json_line) + else: + continue else: - JSONOutput.append(JSONLine) - JSONLine = {} - return {"dbFields": fieldStmt, "dbValues": JSONOutput} + json_output.append(json_line) + json_line = {} + return {"db_fields": field_stmt, "db_values": json_output} - def save_to_file(self, outputFile): - with open(outputFile, "w", encoding="utf-8") as file: - for JSONLine in tqdm(self.valuesStmt, colour="yellow"): - file.write(f'{json.dumps(JSONLine).decode("utf-8")}\n') + def save_to_file(self, output_file): + with open(output_file, "w", encoding="utf-8") as file: + for json_line in tqdm(self.values_stmt, colour="yellow"): + file.write(f'{orjson.dumps(json_line).decode("utf-8")}\n') - def run(self, EVTXJSONList): - for evtxJSON in EVTXJSONList: - if os.stat(evtxJSON).st_size != 0: - results = self.process_file(evtxJSON) - self.fieldStmt += results["dbFields"] - self.valuesStmt += results["dbValues"] + def run(self, evtx_json_list): + for evtx_json in evtx_json_list: + if os.stat(evtx_json).st_size != 0: + results = self.process_file(evtx_json) + self.field_stmt += results["db_fields"] + self.values_stmt += results["db_values"] class zircore: @@ -436,7 +420,7 @@ class zircore: def __init__( self, - noOutput=False, + no_output=False, limit=-1, csv_output=False, db_location=":memory:", 
@@ -449,10 +433,10 @@ def __init__( self.tmp_directory = tmp_directory self.tmp_directory_db = tmp_directory_db self.db_connection = self.create_connection(db_location) - self.fullResults = [] + self.full_results = [] self.rule_results = [] self.ruleset = {} - self.noOutput = noOutput + self.no_output = no_output self.limit = limit self.csv_output = csv_output self.delimiter = delimiter @@ -501,10 +485,10 @@ def udf_regex(x, y): self.logger.error(f"{Fore.RED} [-] {e}") return conn - def create_db(self, fieldStmt): - createTableStmt = f"CREATE TABLE logs ( row_id INTEGER, {fieldStmt} PRIMARY KEY(row_id AUTOINCREMENT) );" - self.logger.debug(f" CREATE : {createTableStmt}") - if not self.execute_simple_query(createTableStmt): + def create_db(self, field_stmt): + create_table_stmt = f"CREATE TABLE logs ( row_id INTEGER, {field_stmt} PRIMARY KEY(row_id AUTOINCREMENT) );" + self.logger.debug(f" CREATE : {create_table_stmt}") + if not self.execute_simple_query(create_table_stmt): self.logger.error(f"{Fore.RED} [-] Unable to create table{Fore.RESET}") sys.exit(1) @@ -518,10 +502,10 @@ def execute_simple_query(self, query): self.logger.error(f"{Fore.RED} [-] No connection to Db{Fore.RESET}") return False else: - dbHandle = self.db_connection.cursor() + db_handle = self.db_connection.cursor() self.logger.debug(f"EXECUTING : {query}") try: - dbHandle.execute(query) + db_handle.execute(query) self.db_connection.commit() except Error as e: self.logger.debug(f" [-] {e}") 
@@ -549,44 +533,44 @@ def execute_select_query(self, query): def load_db_in_memory(self, db): """In db only mode it is possible to restore an on disk Db to avoid EVTX extraction and flattening""" - dbfileConnection = self.create_connection(db) - dbfileConnection.backup(self.db_connection) - dbfileConnection.close() + dbfile_connection = self.create_connection(db) + dbfile_connection.backup(self.db_connection) + dbfile_connection.close() def escape_identifier(self, identifier): """Escape SQL identifiers like table or column names.""" return identifier.replace('"', '""') - def insert_data_to_db(self, JSONLine): + def insert_data_to_db(self, json_line): """Build a parameterized INSERT INTO query and insert data into the database.""" - columns = JSONLine.keys() - columnsEscaped = ", ".join([self.escape_identifier(col) for col in columns]) + columns = json_line.keys() + columns_escaped = ", ".join([self.escape_identifier(col) for col in columns]) placeholders = ", ".join(["?"] * len(columns)) values = [] for col in columns: - value = JSONLine[col] + value = json_line[col] if isinstance(value, int): # Check if value exceeds SQLite INTEGER limits if abs(value) > 9223372036854775807: value = str(value) # Convert to string values.append(value) - insertStmt = f"INSERT INTO logs ({columnsEscaped}) VALUES ({placeholders})" + insert_stmt = f"INSERT INTO logs ({columns_escaped}) VALUES ({placeholders})" try: - self.db_connection.execute(insertStmt, values) + self.db_connection.execute(insert_stmt, values) return True except Exception as e: self.logger.debug(f" [-] {e}") return False - def insert_flat_json_to_db(self, flattenedJSON): - for JSONLine in flattenedJSON: - self.insert_data_to_db(JSONLine) + def insert_flat_json_to_db(self, flattened_json): + for json_line in flattened_json: + self.insert_data_to_db(json_line) - def save_db_to_disk(self, dbFilename): + def save_db_to_disk(self, db_filename): self.logger.info("[+] Saving working data to disk as a SQLite DB") - onDiskDb 
= sqlite3.connect(dbFilename) - self.db_connection.backup(onDiskDb) - onDiskDb.close() + on_disk_db = sqlite3.connect(db_filename) + self.db_connection.backup(on_disk_db) + on_disk_db.close() def execute_rule(self, rule): """ @@ -605,33 +589,28 @@ def execute_rule(self, rule): rule_id = rule.get("id", "") sigma_queries = rule["rule"] - filteredRows = [] + filtered_rows = [] # Process each SQL query in the rule - for SQLQuery in sigma_queries: - data = self.execute_select_query(SQLQuery) + for sql_query in sigma_queries: + data = self.execute_select_query(sql_query) if data: if self.csv_output: # Clean values for CSV output - cleaned_rows = [ + filtered_rows.extend( { - k: str(v) - .replace("\n", "") - .replace("\r", "") - .replace("None", "") - for k, v in dict(row).items() + k: str(v).replace("\n", "").replace("\r", "") or "" + for k, v in row.items() } for row in data - ] + ) else: # Remove None values - cleaned_rows = [ - {k: v for k, v in dict(row).items() if v is not None} - for row in data - ] - filteredRows.extend(cleaned_rows) + filtered_rows.extend( + {k: v for k, v in row.items() if v is not None} for row in data + ) - if filteredRows: + if filtered_rows: results = { "title": title, "id": rule_id, 
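Review bot: `insert_data_to_db` escapes column names with `escape_identifier` (`"` → `""`) but never wraps them in double quotes, so the escaping is ineffective and any column whose name contains a space, `)` or `"` (possible for split-field keys taken from log values) breaks the `INSERT INTO logs (...)` statement; the failure is then swallowed by `except Exception` at debug level and the event silently disappears from the results. Quote the identifiers, `columns_escaped = ", ".join(f'"{self.escape_identifier(col)}"' for col in columns)`, and raise the log level of the failure so dropped rows are visible to the analyst. A short docstring noting that values are parameterised but identifiers must be quoted would prevent the next refactor from reintroducing this.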
@@ -644,33 +623,33 @@ def execute_rule(self, rule): "sigma": sigma_queries, "rule_level": rule_level, "tags": tags, - "count": len(filteredRows), - "matches": filteredRows, + "count": len(filtered_rows), + "matches": filtered_rows, } if not self.csv_output: - json_bytes = json.dumps(results) + json_bytes = orjson.dumps(results) self.tmp_file.write(f"{json_bytes.decode('utf-8')}\n") self.logger.debug( - f"DETECTED: {title} - Matches: {len(filteredRows)} events" + f"DETECTED: {title} - Matches: {len(filtered_rows)} events" ) return results else: return {} - def load_ruleset_from_var(self, ruleset, ruleFilters): + def load_ruleset_from_var(self, ruleset, rule_filters): self.ruleset = ruleset - self.apply_ruleset_filters(ruleFilters) + self.apply_ruleset_filters(rule_filters) - def apply_ruleset_filters(self, ruleFilters=None): + def apply_ruleset_filters(self, rule_filters=None): # Remove empty rule and remove filtered rules self.ruleset = list(filter(None, self.ruleset)) - if ruleFilters is not None: + if rule_filters is not None: self.ruleset = [ rule for rule in self.ruleset - if not any(ruleFilter in rule["title"] for ruleFilter in ruleFilters) + if not any(rule_filter in rule["title"] for rule_filter in rule_filters) ] def execute_ruleset(self): 
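Review bot: The CSV cleaning in `execute_rule` now emits `None` as the literal string "None": `str(v)` turns None into "None" and the trailing `or ""` never fires because that string is non-empty, so the old (crude) `.replace("None", "")` behaviour is lost and every absent column in CSV output will read "None". Use `k: "" if v is None else str(v).replace("\n", "").replace("\r", "")`, which keeps the intent without the old substring bug. Because the values are attacker-controlled event content, consider neutralising leading `=`, `+`, `-`, `@` (e.g. prefix with `'`) or document that the CSV is not safe to open in a spreadsheet. The head of `execute_rule` that sets `rule_level` and `tags` is outside the hunk.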
@@ -681,24 +660,24 @@ def execute_ruleset(self): for rule in self.ruleset: # Execute the rule - ruleResults = self.execute_rule(rule) - if not ruleResults: + rule_results = self.execute_rule(rule) + if not rule_results: continue # No matches, skip to next rule # Apply limit if set - if self.limit != -1 and ruleResults["count"] > self.limit: + if self.limit != -1 and rule_results["count"] > self.limit: continue # Exceeds limit, skip this result # Store if the rule has matched : title, level, count only self.rule_results.append( { - "rule_title": ruleResults["title"], - "rule_level": ruleResults["rule_level"], - "rule_count": ruleResults["count"], + "rule_title": rule_results["title"], + "rule_level": rule_results["rule_level"], + "rule_count": rule_results["count"], } ) - # self.fullResults.append(ruleResults) + # self.full_results.append(rule_results) self.tmp_file.close() @@ -707,7 +686,7 @@ class evtx_extractor: def __init__( self, - providedTmpDir=None, + provided_tmp_dir=None, cores=None, use_external_binaries=True, binaries_path=None, 
@@ -716,50 +695,50 @@ def __init__( ): self.logger = logging.getLogger(__name__) - if Path(str(providedTmpDir)).is_dir(): - self.tmpDir = f"tmp-{self.rand_string()}" + if Path(str(provided_tmp_dir)).is_dir(): + self.tmp_dir = f"tmp-{self.rand_string()}" self.logger.error( - f"{Fore.RED} [-] Provided directory already exists using '{self.tmpDir}' instead{Fore.RESET}" + f"{Fore.RED} [-] Provided directory already exists using '{self.tmp_dir}' instead{Fore.RESET}" ) else: - self.tmpDir = providedTmpDir or f"tmp-{self.rand_string()}" - os.mkdir(self.tmpDir) + self.tmp_dir = provided_tmp_dir or f"tmp-{self.rand_string()}" + os.mkdir(self.tmp_dir) self.cores = cores or os.cpu_count() self.use_external_binaries = use_external_binaries - self.sysmon4linux = False - self.xmlLogs = False - self.csvInput = False - self.auditdLogs = False + self.sysmon_4_linux = False + self.xml_logs = False + self.csv_input = False + self.auditd_logs = False self.evtxtract = False if input_format == "sysmon_linux_input": - self.sysmon4linux = True + self.sysmon_4_linux = True elif input_format == "xml_input": - self.xmlLogs = True + self.xml_logs = True elif input_format == "csv_input": - self.csvInput = True + self.csv_input = True elif input_format == "auditd_input": - self.auditdLogs = True + self.auditd_logs = True elif input_format == "evtxtract_input": self.evtxtract = True # Hardcoded hash list of evtx_dump binaries - self.validHashList = [ + self.valid_hash_list = [ "bbcce464533e0364", "e642f5c23e156deb", "5a7a1005885a1a11", ] # Sysmon 4 Linux default encoding is ISO-8859-1, Auditd is UTF-8 - if not encoding and self.sysmon4linux: + if not encoding and self.sysmon_4_linux: self.encoding = "ISO-8859-1" - elif not encoding and (self.auditdLogs or self.evtxtract or self.xmlLogs): + elif not encoding and (self.auditd_logs or self.evtxtract or self.xml_logs): self.encoding = "utf-8" else: self.encoding = encoding - self.evtx_dump_cmd = self.getOSExternalTools(binaries_path) + 
self.evtx_dump_cmd = self.get_os_external_tools(binaries_path) def rand_string(self, length=8): return "".join( @@ -767,9 +746,9 @@ def rand_string(self, length=8): for _ in range(length) ) - def getOSExternalTools(self, binPath): + def get_os_external_tools(self, bin_path): """Determine which binaries to run depending on host OS : 32Bits is NOT supported for now since evtx_dump is 64bits only""" - if binPath is None: + if bin_path is None: if _platform == "linux" or _platform == "linux2": return "bin/evtx_dump_lin" elif _platform == "darwin": 
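Review bot: `valid_hash_list` pins the evtx_dump binaries with 16-hex-digit values which, xxhash being the only hashing library imported in this file, appear to be xxh64 digests; xxh64 is a non-cryptographic hash with no collision or preimage resistance, so whatever check consumes this list (not visible in the hunk) cannot stop a tampered `bin/evtx_dump_*` from being executed. If the list is an integrity gate, switch to `hashlib.sha256(Path(binary).read_bytes()).hexdigest()` and compare with `hmac.compare_digest`; if it is only a version fingerprint, name and document it as such. The temporary directory is created with `os.mkdir(self.tmp_dir)` relative to the current working directory, and `rand_string` (its body is cut off below) should draw from `secrets` rather than `random` if the name is meant to be unguessable. The enclosing `__init__` signature starts outside the hunk.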
@@ -777,44 +756,39 @@ def getOSExternalTools(self, binPath): elif _platform == "win32": return "bin\\evtx_dump_win.exe" else: - return binPath + return bin_path - def runUsingBindings(self, file): + def run_using_bindings(self, file): """ Convert EVTX to JSON using evtx_dump bindings (slower) Drop resulting JSON files in a tmp folder. """ - if not self.use_external_binaries: - try: - filepath = Path(file) - filename = filepath.name - parser = PyEvtxParser(str(filepath)) - with open( - f"{self.tmpDir}/{str(filename)}-{self.rand_string()}.json", - "w", - encoding="utf-8", - ) as f: - for record in parser.records_json(): - f.write( - f'{json.dumps(json.loads(record["data"])).decode("utf-8")}\n' - ) - except Exception as e: - self.logger.error( - f"{Fore.RED} [-] Cannot use PyEvtxParser : {e}{Fore.RESET}" - ) - else: + if self.use_external_binaries: self.logger.error( f"{Fore.RED} [-] Cannot use PyEvtxParser and evtx_dump is disabled or missing{Fore.RESET}" ) + return + + try: + filepath = Path(file) + output_file = f"{self.tmp_dir}/{filepath.name}-{self.rand_string()}.json" + parser = PyEvtxParser(str(filepath)) + with open(output_file, "w", encoding="utf-8") as f: + for record in parser.records_json(): + f.write(record["data"].replace("\n", "") + "\n") + except Exception as e: + self.logger.error( + f"{Fore.RED} [-] Cannot use PyEvtxParser : {e}{Fore.RESET}" + ) - def getTime(self, line): + def get_time(self, line): timestamp = line.replace("msg=audit(", "").replace("):", "").split(":") timestamp = time.strftime( "%Y-%m-%d %H:%M:%S", time.localtime(float(timestamp[0])) ) return timestamp - def auditdLine2JSON(self, auditdLine): + def auditd_line_to_json(self, auditd_line): """ Convert auditd logs to JSON : code from https://github.com/csark/audit2json """ 
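Review bot: `f.write(record["data"].replace("\n", "") + "\n")` drops the old `orjson.dumps(orjson.loads(...))` round-trip, so each record is no longer validated or canonicalised before being written as JSON lines: a record containing `\r` (only `\n` is stripped) or any non-JSON output from the parser now reaches the file and is later rejected one event at a time by the flattener's broad except at debug level. If the round-trip was removed for speed, strip both line terminators, `record["data"].replace("\r", "").replace("\n", "")`, and say so in a comment; otherwise restore the `orjson.loads` validation. Separately, `get_time` renders auditd epoch timestamps through `time.localtime`, so the recorded time shifts with the analyst machine's timezone — `time.gmtime` would give the UTC value the `--after`/`--before` help text promises.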
@@ -822,10 +796,10 @@ def auditdLine2JSON(self, auditdLine): # According to auditd specs https://github.com/linux-audit/audit-documentation/wiki/SPEC-Audit-Event-Enrichment # a GS ASCII character, 0x1D, will be inserted to separate original and translated fields # Best way to deal with it is to remove it. - attributes = auditdLine.replace("\x1d", " ").split(" ") + attributes = auditd_line.replace("\x1d", " ").split(" ") for attribute in attributes: if "msg=audit" in attribute: - event["timestamp"] = self.getTime(attribute) + event["timestamp"] = self.get_time(attribute) else: try: attribute = ( 
@@ -841,50 +815,50 @@ def auditdLine2JSON(self, auditdLine): event["host"] = "offline" return event - def SysmonXMLLine2JSON(self, xmlLine): + def sysmon_xml_line_to_json(self, xml_line): """ Remove syslog header and convert xml data to json : code from ZikyHD (https://github.com/ZikyHD) """ - if "Event" not in xmlLine: + if "Event" not in xml_line: return None - xmlLine = "" + xmlLine.split("")[1] + xml_line = "" + xml_line.split("")[1] try: # isolate individual line parsing errors - root = etree.fromstring(xmlLine) - return self.xml2dict(root) + root = etree.fromstring(xml_line) + return self.xml_to_dict(root) except Exception as ex: - self.logger.debug(f'Unable to parse line "{xmlLine}": {ex}') + self.logger.debug(f'Unable to parse line "{xml_line}": {ex}') return None - def XMLLine2JSON(self, xmlLine): + def xml_line_to_json(self, xml_line): """ Remove "Events" header and convert xml data to json : code from ZikyHD (https://github.com/ZikyHD) """ - if "", "\n") .replace(" JSON is disabled{Fore.RESET}" ) config.no_sigma_conversion = True - if pyevtxDisabled: - importErrorList.append( + if pyevtx_disabled: + import_error_list.append( f"{Fore.LIGHTYELLOW_EX} [i] Cannot import 'evtx' from pyevtx-rs, use of external binaries is mandatory{Fore.RESET}" ) config.noexternal = False - if jinja2Disabled: - importErrorList.append( + if jinja2_disabled: + import_error_list.append( f"{Fore.LIGHTYELLOW_EX} [i] Cannot import 'jinja2', templating is disabled{Fore.RESET}" ) config.template = None - if xmlImportDisabled: - importErrorList.append( + if xml_import_disabled: + import_error_list.append( f"{Fore.LIGHTYELLOW_EX} [i] Cannot import 'lxml', cannot use XML logs as input{Fore.RESET}" ) if config.xml: 
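Review bot: `etree.fromstring(xml_line)` in `sysmon_xml_line_to_json` parses syslog-carried XML from the monitored host with lxml's default parser, which resolves entities, so a crafted event carrying a `SYSTEM` entity in an internal DTD subset can pull local files on the analyst's machine into the parsed document. Build one hardened parser in `__init__`, `self._xml_parser = etree.XMLParser(resolve_entities=False, no_network=True, huge_tree=False)`, and pass it as `etree.fromstring(xml_line, self._xml_parser)` in both `sysmon_xml_line_to_json` and `xml_line_to_json`. The text of this hunk is partly garbled in this rendering, so the surrounding lines should be checked in the file itself.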
@@ -1458,9 +1434,9 @@ def ImportErrorHandler(config): ) if config.debug or config.imports: - return "\n".join(importErrorList), config, False + return "\n".join(import_error_list), config, False - if importErrorList == []: + if import_error_list == []: return "", config, False return ( @@ -1474,10 +1450,10 @@ def runner(file, params): """Runner function to flatten events and apply rules with multiprocessing""" flattener = json_flattener( - configFile=params["config"], - timeAfter=params["events_after"], - timeBefore=params["events_before"], - timeField=params["timefield"], + config_file=params["config"], + time_after=params["events_after"], + time_before=params["events_before"], + time_field=params["timefield"], hashes=params["hashes"], input_format=params["input_format"], ) @@ -1490,10 +1466,11 @@ def runner(file, params): # Initialize zircore filename = os.path.basename(file) - if params["on_disk_db"]: - db_location = f"(unknown)-{rand_string(4)}.db" - else: - db_location = f"file:(unknown)?mode=memory&cache=shared" + db_location = ( + f"(unknown)-{rand_string(4)}.db" + if params["on_disk_db"] + else f"file:(unknown)?mode=memory&cache=shared" + ) zircolite_core = zircore( limit=params["limit"], @@ -1504,19 +1481,17 @@ def runner(file, params): tmp_directory_db=params["tmp_directory_db"], ) - zircolite_core.create_db(flattener.fieldStmt) - zircolite_core.insert_flat_json_to_db(flattener.valuesStmt) + zircolite_core.create_db(flattener.field_stmt) + zircolite_core.insert_flat_json_to_db(flattener.values_stmt) del flattener zircolite_core.create_index() - - ruleset = params["rulesets"] zircolite_core.load_ruleset_from_var( - ruleset=ruleset, ruleFilters=params["rulefilter"] + ruleset=params["rulesets"], rule_filters=params["rulefilter"] ) zircolite_core.execute_ruleset() zircolite_core.close() - return zircolite_core.fullResults, zircolite_core.rule_results + return zircolite_core.full_results, zircolite_core.rule_results def runner_wrapper(args): 
@@ -1560,6 +1535,47 @@ def concatenate_files(input_dir, output_file, buffer_size=1024 * 1024): outfile.write(buffer) +def calculate_files_total_size(file_list): + total_size = 0 + for file in file_list: + total_size += file.stat().st_size + return total_size + + +def get_machine_ram(): + return psutil.virtual_memory().available + + +def format_size(size_in_bytes): + if size_in_bytes < 1024: + return f"{size_in_bytes} B" + elif size_in_bytes < 1024**2: + return f"{size_in_bytes / 1024:.2f} KB" + elif size_in_bytes < 1024**3: + return f"{size_in_bytes / 1024**2:.2f} MB" + else: + return f"{size_in_bytes / 1024**3:.2f} GB" + + +def calculate_system_resources(file_list): + total_size = calculate_files_total_size(file_list) + machine_ram = get_machine_ram() + machine_cores = os.cpu_count() + + max_memory_usage = total_size * 2 + + # Calculate memory usage per core + per_core_usage = max_memory_usage / machine_cores + max_cores_to_use = min(machine_cores, int(machine_ram // per_core_usage)) + + return { + "total_size": total_size, + "machine_ram": machine_ram, + "machine_cores": machine_cores, + "max_cores_to_use": max_cores_to_use, + } + + ################################################################ # MAIN() ################################################################ 
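Review bot: `calculate_system_resources` divides by values that can be zero or None: when the file list is empty or every input file is empty, `max_memory_usage` is 0 and `machine_ram // per_core_usage` raises ZeroDivisionError, and `os.cpu_count()` is documented to return None where the count cannot be determined. It can also return `max_cores_to_use == 0` when `total_size * 2` exceeds available RAM, which a worker pool will reject, and `psutil.virtual_memory().available` is a single sample taken before any worker starts, so the value should be documented as a heuristic. A docstring stating what the `total_size * 2` factor assumes (presumably flattened JSON plus the SQLite working set — confirm) would help the next reader. Clamping as below fixes the three failure modes.

```python
def calculate_system_resources(file_list):
    """Estimate how many worker processes fit in available RAM (heuristic only)."""
    total_size = calculate_files_total_size(file_list)
    machine_ram = get_machine_ram()
    machine_cores = os.cpu_count() or 1  # cpu_count() may return None

    # Working-set assumption: roughly twice the raw input size per full run
    max_memory_usage = total_size * 2

    if max_memory_usage == 0:
        max_cores_to_use = machine_cores  # nothing to process, no memory pressure
    else:
        per_core_usage = max_memory_usage / machine_cores
        # Never hand back 0: a pool needs at least one worker
        max_cores_to_use = max(1, min(machine_cores, int(machine_ram // per_core_usage)))

    # … unchanged: return dict …
```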
@@ -1576,25 +1592,25 @@ def main(): "-e", "--events", "--evtx", - help="Log file or directory where log files are stored in supported format", + help="Specify a log file or directory containing log files in supported formats", type=str, ) logsInputArgs.add_argument( "-s", "--select", - help="Only files with filenames containing the provided string will be used. If there is/are exclusion(s) (--avoid) they will be handled after selection", + help="Select only files with filenames containing the provided string. Exclusions (--avoid) will be applied after selection", action="append", nargs="+", ) logsInputArgs.add_argument( "-a", "--avoid", - help="Files files with filenames containing the provided string will NOT be used", + help="Exclude files with filenames containing the provided string", action="append", nargs="+", ) logsInputArgs.add_argument( - "-f", "--fileext", help="Extension of the log files", type=str + "-f", "--fileext", help="Specify the extension of the log files", type=str ) logsInputArgs.add_argument( "-fp", @@ -1604,7 +1620,7 @@ def main(): ) logsInputArgs.add_argument( "--no-recursion", - help="By default Zircolite search log/event files recursively, by using this option only the provided directory will be used", + help="Disable recursive search for log/event files. Only search in the provided directory", action="store_true", ) # Events filtering options 
@@ -1614,19 +1630,19 @@ def main(): eventArgs.add_argument( "-A", "--after", - help="Limit to events that happened after the provided timestamp (UTC). Format : 1970-01-01T00:00:00", + help="Limit to events that occurred after the provided timestamp (UTC). Format: 1970-01-01T00:00:00", type=str, default="1970-01-01T00:00:00", ) eventArgs.add_argument( "-B", "--before", - help="Limit to events that happened before the provided timestamp (UTC). Format : 1970-01-01T00:00:00", + help="Limit to events that occurred before the provided timestamp (UTC). Format: 1970-01-01T00:00:00", type=str, default="9999-12-12T23:59:59", ) # Event and log formats options - # /!\ an option name containing '-input' must exists (It is used in JSON flattening mechanism) + # /!\ an option name containing '-input' must exist (It is used in JSON flattening mechanism) eventFormatsArgs = parser.add_mutually_exclusive_group() eventFormatsArgs.add_argument( "-j", @@ -1634,14 +1650,14 @@ def main(): "--jsononly", "--jsonline", "--jsonl", - help="If logs files are already in JSON lines format ('jsonl' in evtx_dump) ", + help="Specify if log files are already in JSON lines format ('jsonl' in evtx_dump)", action="store_true", ) eventFormatsArgs.add_argument( "--json-array-input", "--jsonarray", "--json-array", - help="Source logs are in JSON but as an array", + help="Specify if source logs are in JSON format as an array", action="store_true", ) eventFormatsArgs.add_argument( 
@@ -1649,33 +1665,33 @@ def main(): "--sysmon-linux-input", "--sysmon4linux", "--sysmon-linux", - help="Use this option if your log file is a Sysmon for linux log file, default file extension is '.log'", + help="Use this option for Sysmon for Linux log files. Default file extension is '.log'", action="store_true", ) eventFormatsArgs.add_argument( "-AU", "--auditd-input", "--auditd", - help="Use this option if your log file is a Auditd log file, default file extension is '.log'", + help="Use this option for Auditd log files. Default file extension is '.log'", action="store_true", ) eventFormatsArgs.add_argument( "-x", "--xml-input", "--xml", - help="Use this option if your log file is a EVTX converted to XML log file, default file extension is '.xml'", + help="Use this option for EVTX files converted to XML format. Default file extension is '.xml'", action="store_true", ) eventFormatsArgs.add_argument( "--evtxtract-input", "--evtxtract", - help="Use this option if your log file was extracted with EVTXtract, default file extension is '.log'", + help="Use this option for log files extracted with EVTXtract. Default file extension is '.log'", action="store_true", ) eventFormatsArgs.add_argument( "--csv-input", "--csvonly", - help="You log file is in CSV format '.csv'", + help="Specify if your log file is in CSV format '.csv'", action="store_true", ) # Ruleset options @@ -1685,7 +1701,7 @@ def main(): rulesetsFormatsArgs.add_argument( "-r", "--ruleset", - help="Sigma ruleset : JSON (Zircolite format) or YAML/Directory containing YAML files (Native Sigma format)", + help="Specify Sigma ruleset: JSON (Zircolite format) or YAML/Directory containing YAML files (Native Sigma format)", action="append", nargs="+", ) 
@@ -1701,7 +1717,7 @@ def main(): rulesetsFormatsArgs.add_argument( "-p", "--pipeline", - help="For all the native Sigma rulesets (YAML) use this pipeline. Multiple can be used. Examples : 'sysmon', 'windows-logsources', 'windows-audit'. You can list installed pipelines with '--pipeline-list'.", + help="Specify pipeline(s) for native Sigma rulesets (YAML). Multiple can be used. Examples: 'sysmon', 'windows-logsources', 'windows-audit'. Use '--pipeline-list' to see available pipelines", action="append", nargs="+", ) 
@@ -1714,62 +1730,63 @@ def main(): rulesetsFormatsArgs.add_argument( "-pn", "--pipeline-null", - help="For all the native Sigma rulesets (YAML) don't use any pipeline (Default)", + help="Do not use any pipeline for native Sigma rulesets (YAML). This is the default behavior", action="store_true", ) rulesetsFormatsArgs.add_argument( "-R", "--rulefilter", - help="Remove rule from ruleset, comparison is done on rule title (case sensitive)", + help="Remove rules from ruleset based on rule title (case sensitive)", action="append", nargs="*", ) - # Ouput formats and output files options + # Output formats and output files options outputFormatsArgs = parser.add_argument_group( - f"{Fore.BLUE}OUPUT FORMATS AND OUTPUT FILES OPTIONS{Fore.RESET}" + f"{Fore.BLUE}OUTPUT FORMATS AND OUTPUT FILES OPTIONS{Fore.RESET}" ) outputFormatsArgs.add_argument( "-o", "--outfile", - help="File that will contains all detected events", + help="Specify the file to store all detected events", type=str, default="detected_events.json", ) outputFormatsArgs.add_argument( "--csv", "--csv-output", - help="The output will be in CSV. You should note that in this mode empty fields will not be discarded from results", + help="Output results in CSV format. 
Note that in this mode, empty fields will not be discarded from results", action="store_true", ) outputFormatsArgs.add_argument( "--csv-delimiter", - help="Choose the delimiter for CSV ouput", + help="Specify the delimiter for CSV output", type=str, default=";", ) outputFormatsArgs.add_argument( "-t", "--tmpdir", - help="Temp directory that will contains events converted as JSON (parent directories must exist)", + help="Specify the temporary directory to store events converted to JSON (parent directories must exist)", type=str, ) outputFormatsArgs.add_argument( "-k", "--keeptmp", - help="Do not remove the temp directory containing events converted in JSON format", + help="Retain the temporary directory containing events converted to JSON format", action="store_true", ) outputFormatsArgs.add_argument( "--keepflat", help="Save flattened events as JSON", action="store_true" ) outputFormatsArgs.add_argument( - "-d", - "--dbfile", - help="Save all logs in a SQLite Db to the specified file", - type=str, + "-d", "--dbfile", help="Save all logs in a SQLite database file", type=str ) outputFormatsArgs.add_argument( - "-l", "--logfile", help="Log file name", default="zircolite.log", type=str + "-l", + "--logfile", + help="Specify the log file name", + default="zircolite.log", + type=str, ) outputFormatsArgs.add_argument( "--hashes", @@ -1780,7 +1797,7 @@ def main(): "-L", "--limit", "--limit-results", - help="Discard results that are above the provided limit", + help="Discard results that exceed the specified limit", type=int, default=-1, ) 
@@ -1791,53 +1808,50 @@ def main(): configFormatsArgs.add_argument( "-c", "--config", - help="JSON File containing field mappings and exclusions", + help="Specify a JSON file containing field mappings and exclusions", type=str, default="config/fieldMappings.json", ) eventFormatsArgs.add_argument( "-LE", "--logs-encoding", - help="Specify log encoding when dealing with Sysmon for Linux or Auditd files", + help="Specify log encoding when processing Sysmon for Linux or Auditd files", type=str, ) - configFormatsArgs.add_argument( - "--fieldlist", help="Get all events fields", action="store_true" - ) configFormatsArgs.add_argument( "--evtx_dump", - help="Tell Zircolite to use this binary for EVTX conversion, on Linux and MacOS the path must be valid to launch the binary (eg. './evtx_dump' and not 'evtx_dump')", + help="Specify the binary to use for EVTX conversion. On Linux and MacOS, provide a valid path to launch the binary (e.g., './evtx_dump' instead of 'evtx_dump')", type=str, default=None, ) configFormatsArgs.add_argument( "--noexternal", "--bindings", - help="Don't use evtx_dump external binaries (slower)", + help="Disable the use of evtx_dump external binaries (slower processing)", action="store_true", ) configFormatsArgs.add_argument( "--cores", - help="Specify how many cores you want to use, default is all cores, works only for EVTX extraction", - default=os.cpu_count(), + help="Specify the number of cores to use. Default is all available cores", + default=-1, type=int, ) configFormatsArgs.add_argument( - "--debug", help="Activate debug logging", action="store_true" + "--debug", help="Enable debug logging", action="store_true" ) configFormatsArgs.add_argument( - "--imports", help="Show detailed module import errors", action="store_true" + "--imports", help="Display detailed module import errors", action="store_true" ) configFormatsArgs.add_argument( "--ondiskdb", "--on-disk-db", - help="Use an on-disk database instead of the in-memory one (much slower !). 
Use if your system has limited RAM or if your dataset is very large and you cannot split it", + help="Use an on-disk database instead of an in-memory one (significantly slower). Use this option if your system has limited RAM or if your dataset is very large and cannot be split", action="store_true", ) configFormatsArgs.add_argument( "-RE", "--remove-events", - help="Zircolite will try to remove events/logs submitted if analysis is successful (use at your own risk)", + help="Attempt to remove submitted events/logs if analysis is successful (use at your own risk)", action="store_true", ) configFormatsArgs.add_argument( @@ -1847,13 +1861,13 @@ def main(): action="store_true", ) configFormatsArgs.add_argument( - "-v", "--version", help="Show Zircolite version", action="store_true" + "-v", "--version", help="Display Zircolite version", action="store_true" ) configFormatsArgs.add_argument( "--timefield", - help="Use this option to provide timestamp field name, default is 'SystemTime'", + help="Specify the timestamp field name. Default is 'SystemTime'", default="SystemTime", - action="store_true", + type=str, ) # Templating and Mini GUI options @@ -1862,20 +1876,20 @@ def main(): ) templatingFormatsArgs.add_argument( "--template", - help="If a Jinja2 template is specified it will be used to generated output", + help="Specify a Jinja2 template to generate output", type=str, action="append", nargs="+", ) templatingFormatsArgs.add_argument( "--templateOutput", - help="If a Jinja2 template is specified it will be used to generate a crafted output", + help="Specify the output file for the Jinja2 template", type=str, action="append", nargs="+", ) templatingFormatsArgs.add_argument( - "--package", help="Create a ZircoGui/Mini Gui package", action="store_true" + "--package", help="Create a ZircoGui/Mini GUI package", action="store_true" ) args = parser.parse_args() 
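Review bot: The `--cores` help still reads "Default is all available cores", but with the new `default=-1` sentinel the effective default is whatever the resource calculation later returns, which can be well below the core count when the input is large relative to available RAM; the help should say so, e.g. `help="Number of worker processes. Default (-1): chosen automatically from available RAM and input size, capped at the number of CPU cores"`. The same hunk removes the `--fieldlist` option; if any code path still reads `args.fieldlist` it will now raise AttributeError, which this chunk cannot show.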
@@ -1903,12 +1917,12 @@ def main(): sys.exit(0) # Show imports status - importsMessage, args, mustQuit = ImportErrorHandler(args) - if importsMessage != "": - logger.info(f"[+] Modules imports status: \n{importsMessage}") + imports_message, args, must_quit = import_error_handler(args) + if imports_message != "": + logger.info(f"[+] Modules imports status: \n{imports_message}") else: logger.info("[+] Modules imports status: OK") - if mustQuit: + if must_quit: sys.exit(1) # Update rulesets @@ -1924,12 +1938,6 @@ def main(): else: args.ruleset = ["rules/rules_windows_generic_pysigma.json"] - # Loading rulesets - logger.info("[+] Loading ruleset(s)") - rulesetsManager = ruleset_handler(args, args.pipeline_list) - if args.pipeline_list: - sys.exit(0) - # Check mandatory CLI options if not args.events: logger.error( 
@@ -1947,33 +1955,33 @@ def main(): events_after = time.strptime(args.after, "%Y-%m-%dT%H:%M:%S") events_before = time.strptime(args.before, "%Y-%m-%dT%H:%M:%S") except Exception: - quitOnError( + quit_on_error( f"{Fore.RED} [-] Wrong timestamp format. Please use 'AAAA-MM-DDTHH:MM:SS'" ) # Check templates args - readyForTemplating = False + ready_for_templating = False if args.template is not None: if args.csv: - quitOnError( + quit_on_error( f"{Fore.RED} [-] You cannot use templates in CSV mode{Fore.RESET}" ) if (args.templateOutput is None) or ( len(args.template) != len(args.templateOutput) ): - quitOnError( + quit_on_error( f"{Fore.RED} [-] Number of templates output must match number of templates{Fore.RESET}" ) for template in args.template: - checkIfExists( + check_if_exists( template[0], - f"{Fore.RED} [-] Cannot find template : {template[0]}. DEfault templates are available here : https://github.com/wagga40/Zircolite/tree/master/templates{Fore.RESET}", + f"{Fore.RED} [-] Cannot find template : {template[0]}. Default templates are available here : https://github.com/wagga40/Zircolite/tree/master/templates{Fore.RESET}", ) - readyForTemplating = True + ready_for_templating = True # Change output filename in CSV mode if args.csv: - readyForTemplating = False + ready_for_templating = False # If outfile is not provided, default to 'detected_events.csv' instead of 'detected_events.json' if args.outfile == "detected_events.json": args.outfile = "detected_events.csv" 
@@ -1994,32 +2002,51 @@ def main(): else: args.fileext = "evtx" - LogPath = Path(args.events) - if LogPath.is_dir(): - # Log recursive search in given directory with given file extension or pattern - pattern = f"*.{args.fileext}" - # If a Glob pattern is provided - if args.file_pattern not in [None, ""]: - pattern = args.file_pattern - fnGlob = LogPath.rglob - # If directory recursion is not wanted - if args.no_recursion: - fnGlob = LogPath.glob - LogList = list(fnGlob(pattern)) - elif LogPath.is_file(): - LogList = [LogPath] + # Get list of log files to process: + # - If events path is a directory, get all matching files using glob/rglob based on recursion flag + # - If events path is a single file, use that file directly + # - Otherwise error out since no valid files found + log_path = Path(args.events) + pattern = args.file_pattern if args.file_pattern else f"*.{args.fileext}" + if log_path.is_dir(): + # Use glob or rglob based on recursion flag + glob_fn = log_path.glob if args.no_recursion else log_path.rglob + log_list = list(glob_fn(pattern)) + elif log_path.is_file(): + log_list = [log_path] else: - quitOnError( + quit_on_error( f"{Fore.RED} [-] Unable to find events from submitted path{Fore.RESET}" ) # Applying file filters in this order : "select" than "avoid" - FileList = avoidFiles(selectFiles(LogList, args.select), args.avoid) - if len(FileList) <= 0: - quitOnError( + file_list = avoid_files(select_files(log_list, args.select), args.avoid) + if len(file_list) <= 0: + quit_on_error( f"{Fore.RED} [-] No file found. 
Please verify filters, directory or the extension with '--fileext' or '--file-pattern'{Fore.RESET}" ) + # If cores is not provided, calculate the number of cores to use + system_resources = calculate_system_resources(file_list) + logger.info( + f"[+] File(s) size: {Fore.CYAN}{format_size(system_resources['total_size'])}{Fore.RESET} | Available RAM: {Fore.CYAN}{format_size(system_resources['machine_ram'])}{Fore.RESET}" + ) + if args.cores == -1: + args.cores = system_resources["max_cores_to_use"] + logger.info( + f"[+] CPU Cores / CPU Cores used: {Fore.CYAN}{system_resources['machine_cores']}{Fore.RESET} / {Fore.CYAN}{system_resources['machine_cores'] if args.cores > system_resources['machine_cores'] else args.cores}{Fore.RESET}" + ) + else: + logger.info( + f"[+] CPU Cores used (Forced): {Fore.CYAN}{system_resources['machine_cores']}{Fore.RESET} / {Fore.CYAN}{args.cores}{Fore.RESET}" + ) + + # Loading rulesets + logger.info("[+] Loading ruleset(s)") + rulesets_manager = ruleset_handler(args, args.pipeline_list) + if args.pipeline_list: + sys.exit(0) + args_dict = vars(args) # Find the chosen input format chosen_input = next( 
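Review bot: Loading the rulesets and the `if args.pipeline_list: sys.exit(0)` exit were moved below the mandatory `--events` check and the file discovery/filtering, so `--pipeline-list` on its own now dies on the missing-events error and, even with `--events`, is refused when no file matches; previously the removed block sat just above `# Check mandatory CLI options` and printed the pipelines before either check. Keep the listing independent of the input by short-circuiting it before the mandatory-options check, e.g. `if args.pipeline_list:` / `ruleset_handler(args, True)` / `sys.exit(0)`, and leave the normal ruleset load where the hunk now puts it. Whether something earlier in `main` outside this hunk already intercepts `--pipeline-list` is not visible here.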
@@ -2029,31 +2056,31 @@ def main(): if not args.json_input and not args.json_array_input: # Init EVTX extractor object extractor = evtx_extractor( - providedTmpDir=args.tmpdir, + provided_tmp_dir=args.tmpdir, cores=args.cores, use_external_binaries=(not args.noexternal), binaries_path=args.evtx_dump, encoding=args.logs_encoding, input_format=chosen_input, ) - logger.info(f"[+] Extracting events using '{extractor.tmpDir}' directory ") - for evtx in tqdm(FileList, colour="yellow"): + logger.info(f"[+] Extracting events using '{extractor.tmp_dir}' directory ") + for evtx in tqdm(file_list, colour="yellow"): extractor.run(evtx) # Set the path for the next step - LogJSONList = list(Path(extractor.tmpDir).rglob("*.json")) + log_json_list = list(Path(extractor.tmp_dir).rglob("*.json")) else: - LogJSONList = FileList + log_json_list = file_list - checkIfExists( + check_if_exists( args.config, f"{Fore.RED} [-] Cannot find mapping file, you can get the default one here : https://github.com/wagga40/Zircolite/blob/master/config/fieldMappings.json {Fore.RESET}", ) - if LogJSONList == []: - quitOnError(f"{Fore.RED} [-] No files containing logs found.{Fore.RESET}") + if log_json_list == []: + quit_on_error(f"{Fore.RED} [-] No files containing logs found.{Fore.RESET}") # TODO : Add option for already flattened event logger.info( - f"[+] Processing events and applying {Fore.CYAN}{len(rulesetsManager.Rulesets)}{Fore.RESET} rules" + f"[+] Processing events and applying {Fore.CYAN}{len(rulesets_manager.rulesets)}{Fore.RESET} rules" ) # flatten array of "rulefilter" arguments 
@@ -2077,28 +2104,26 @@ def main(): "delimiter": args.csv_delimiter, "keepflat": args.keepflat, "rulefilter": args.rulefilter, - "rulesets": rulesetsManager.Rulesets, + "rulesets": rulesets_manager.rulesets, "tmp_directory": tmp_directory, "tmp_directory_db": tmp_directory_db, } params_map = [] - for file in LogJSONList: + for file in log_json_list: params_map.append((file, param_list)) all_full_results = [] all_rule_results = [] # Perform the JSON flattening and the detection process with multiprocessing - pool = mp.Pool(args.cores) - with tqdm(total=len(params_map), colour="yellow") as pbar: - for full_results, rule_results in pool.imap_unordered( - runner_wrapper, params_map - ): - all_full_results.extend(full_results) - all_rule_results.extend(rule_results) - pbar.update() - pool.close() - pool.join() + with mp.Pool(processes=args.cores) as pool: + with tqdm(total=len(params_map), colour="yellow") as pbar: + for full_results, rule_results in pool.imap_unordered( + runner_wrapper, params_map + ): + all_full_results.extend(full_results) + all_rule_results.extend(rule_results) + pbar.update() # Merge the rule results from all processes aggregated_rules = {} @@ -2169,7 +2194,7 @@ def main(): # writer.writerow(dictCSV) # Templating - if readyForTemplating and all_full_results != []: + if ready_for_templating and all_full_results != []: template_generator = template_engine( args.template, args.templateOutput, args.timefield ) @@ -2200,7 +2225,7 @@ def main(): # Remove files submitted for analysis if args.remove_events: - for logs in LogList: + for logs in log_list: try: os.remove(logs) except OSError as e: diff --git a/zircolite_dev.py b/zircolite_dev.py index 7413940..547ac47 100755 --- a/zircolite_dev.py +++ b/zircolite_dev.py @@ -25,7 +25,8 @@ from sys import platform as _platform # External libs (Mandatory) -import orjson as json +import orjson +import psutil import xxhash from colorama import Fore from tqdm import tqdm 
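Review bot: `mp.Pool(processes=args.cores)` is now reached with whatever integer followed `--cores`; `0` or any negative value other than the `-1` sentinel is accepted by argparse and raises `ValueError: Number of processes must be at least 1` as a raw traceback instead of a usage error. A one-line guard once `args.cores` is final covers it: `if args.cores < 1: quit_on_error(f"{Fore.RED} [-] --cores must be a positive integer{Fore.RESET}")`. Note also that `Pool.__exit__` calls `terminate()` rather than the old `close()`/`join()` pair; that is safe here only because `imap_unordered` is fully drained inside the `with` block, which deserves a comment so a later refactor does not move the loop out.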
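Review bot: `import psutil` is added under the mandatory-imports section, so a host without psutil now fails with a bare ModuleNotFoundError at import time, before `import_error_handler` can report anything, unlike the optional libraries guarded by `try`/`except ImportError` just below. No dependency-manifest change is visible in this chunk; psutil should be added (pinned) to the project's requirements, or imported under a `try`/`except ImportError` with a fallback to `os.cpu_count()`-only sizing, since in the main script it is consulted only by `get_machine_ram()`.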
@@ -37,13 +38,13 @@ from RestrictedPython.Guards import guarded_iter_unpack_sequence # External libs (Optional) -updateDisabled = False +update_disabled = False try: import requests except ImportError: - updateDisabled = True + update_disabled = True -sigmaConversionDisabled = False +sigma_conversion_disabled = False try: from sigma.collection import SigmaCollection from sigma.backends.sqlite import sqlite @@ -51,40 +52,40 @@ from sigma.plugins import InstalledSigmaPlugins import yaml except ImportError: - sigmaConversionDisabled = True + sigma_conversion_disabled = True -pyevtxDisabled = False +pyevtx_disabled = False try: from evtx import PyEvtxParser except ImportError: - pyevtxDisabled = True + pyevtx_disabled = True -jinja2Disabled = False +jinja2_disabled = False try: from jinja2 import Template except ImportError: - jinja2Disabled = True + jinja2_disabled = True -xmlImportDisabled = False +xml_import_disabled = False try: from lxml import etree except ImportError: - xmlImportDisabled = True + xml_import_disabled = True def signal_handler(sig, frame): print("[-] Execution interrupted !") sys.exit(0) -def quitOnError(message): +def quit_on_error(message): """Log an error message and exit the program.""" logger = logging.getLogger(__name__) logger.error(message) sys.exit(1) -def checkIfExists(path, errorMessage): +def check_if_exists(path, error_message): """Test if path provided is a file""" if not (Path(path).is_file()): - quitOnError(errorMessage) + quit_on_error(error_message) def setup_logging(debug_mode, log_file=None): """Set up logging configuration.""" 
@@ -130,27 +131,27 @@ def default_guarded_getitem(ob, index): return ob[index] class template_engine: - def __init__(self, templates=[], template_outputs=[], timeField=""): + def __init__(self, templates=[], template_outputs=[], time_field=""): self.logger = logging.getLogger(__name__) - self.timeField = timeField + self.time_field = time_field self.compiled_templates = {} # Flatten templates and outputs if they are nested lists self.template_paths = [tpl[0] if isinstance(tpl, list) else tpl for tpl in templates] self.template_outputs = [out[0] if isinstance(out, list) else out for out in template_outputs] - def generate_from_template(self, template_file, outputFilename, data): + def generate_from_template(self, template_file, output_filename, data): """ Use Jinja2 to output data in a specific format """ try: with open(template_file, 'r', encoding='utf-8') as tmpl: # Use the compiled template if available, otherwise compile it if template_file in self.compiled_templates: - template = self.compiled_templates["templateFile"] + template = self.compiled_templates["template_file"] else: template = Template(tmpl.read()) - self.compiled_templates["templateFile"] = template + self.compiled_templates["template_file"] = template # Render the template and write to the output file - with open(outputFilename, 'a', encoding='utf-8') as tpl: - tpl.write(template.render(data=data, timeField=self.timeField)) + with open(output_filename, 'a', encoding='utf-8') as tpl: + tpl.write(template.render(data=data, time_field=self.time_field)) except Exception as e: self.logger.error(f"{Fore.RED} [-] Template error, activate debug mode with '--debug' to check for errors{Fore.RESET}") self.logger.debug(f" [-] {e}") 
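Review bot: The compiled-template cache in `generate_from_template` is read and written under the literal key `"template_file"` while the membership test uses the `template_file` variable, so the lookup never hits and every call recompiles; had it hit, a second template would have been rendered with the first one's compiled object. The file is also opened before the cache is consulted. Key on the path instead: `template = self.compiled_templates.get(template_file)` / `if template is None:` / `template = self.compiled_templates[template_file] = Template(tmpl.read())`.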
@@ -163,16 +164,16 @@ def run(self, data): class json_flattener: """ Perform JSON Flattening """ - def __init__(self, configFile, timeAfter="1970-01-01T00:00:00", timeBefore="9999-12-12T23:59:59", timeField=None, hashes=False, input_format=None): + def __init__(self, config_file, time_after="1970-01-01T00:00:00", time_before="9999-12-12T23:59:59", time_field=None, hashes=False, input_format=None): self.logger = logging.getLogger(__name__) - self.keyDict = {} - self.fieldStmt = "" - self.valuesStmt = [] - self.timeAfter = timeAfter - self.timeBefore = timeBefore - self.timeField = timeField + self.key_dict = {} + self.field_stmt = "" + self.values_stmt = [] + self.time_after = time_after + self.time_before = time_before + self.time_field = time_field self.hashes = hashes - self.JSONArray = False + self.json_array = False # Initialize the cache for compiled code self.compiled_code_cache = {} 
@@ -182,19 +183,19 @@ def __init__(self, configFile, timeAfter="1970-01-01T00:00:00", timeBefore="9999 self.chosen_input = "evtx_input" # Since evtx is the default input, we force it no chosen input has been found if self.chosen_input == "json_array_input": - self.JSONArray = True - - with open(configFile, 'r', encoding='UTF-8') as fieldMappingsFile: - self.fieldMappingsDict = json.loads(fieldMappingsFile.read()) - self.fieldExclusions = self.fieldMappingsDict["exclusions"] - self.fieldMappings = self.fieldMappingsDict["mappings"] - self.uselessValues = self.fieldMappingsDict["useless"] - self.aliases = self.fieldMappingsDict["alias"] - self.fieldSplitList = self.fieldMappingsDict["split"] - self.transforms = self.fieldMappingsDict["transforms"] - self.transforms_enabled = self.fieldMappingsDict["transforms_enabled"] + self.json_array = True + + with open(config_file, 'r', encoding='UTF-8') as field_mappings_file: + self.field_mappings_dict = orjson.loads(field_mappings_file.read()) + self.field_exclusions = self.field_mappings_dict["exclusions"] + self.field_mappings = self.field_mappings_dict["mappings"] + self.useless_values = self.field_mappings_dict["useless"] + self.aliases = self.field_mappings_dict["alias"] + self.field_split_list = self.field_mappings_dict["split"] + self.transforms = self.field_mappings_dict["transforms"] + self.transforms_enabled = self.field_mappings_dict["transforms_enabled"] - self.RestrictedPython_BUILTINS = { + self.restricted_python_builtins = { '__name__': 'script', "_getiter_": default_guarded_getiter, '_getattr_': getattr, 
@@ -204,26 +205,25 @@ def __init__(self, configFile, timeAfter="1970-01-01T00:00:00", timeBefore="9999 'chardet': chardet, '_iter_unpack_sequence_': guarded_iter_unpack_sequence } - self.RestrictedPython_BUILTINS.update(safe_builtins) - self.RestrictedPython_BUILTINS.update(limited_builtins) - self.RestrictedPython_BUILTINS.update(utility_builtins) + self.restricted_python_builtins.update(safe_builtins) + self.restricted_python_builtins.update(limited_builtins) + self.restricted_python_builtins.update(utility_builtins) def transform_value(self, code, param): try: - # Check if the code has already been compiled - if code in self.compiled_code_cache: - byte_code = self.compiled_code_cache[code] - else: - # Compile the code and store it in the cache - byte_code = compile_restricted(code, filename='', mode='exec') - self.compiled_code_cache[code] = byte_code - # Prepare the execution environment - TransformFunction = {} - exec(byte_code, self.RestrictedPython_BUILTINS, TransformFunction) - return TransformFunction["transform"](param) + # Get or compile bytecode using cache + byte_code = self.compiled_code_cache.get(code) or self.compiled_code_cache.setdefault( + code, compile_restricted(code, filename='', mode='exec') + ) + + # Execute transform in restricted environment + transform_env = {} + exec(byte_code, self.restricted_python_builtins, transform_env) + return transform_env["transform"](param) + except Exception as e: self.logger.debug(f"ERROR: Couldn't apply transform: {e}") - return param # Return the original parameter if transform fails + return param def process_file(self, file): """ 
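Review bot: `exec(byte_code, self.restricted_python_builtins, transform_env)` passes the guard/builtins table as the globals mapping, and since that dict carries no `__builtins__` key (none is set in the visible part of the literal and `safe_builtins` does not add one), CPython inserts the real `builtins` module under that key, so code accepted by `compile_restricted` can still call `open`, `exec`, `type`, `getattr` and friends — the restriction is effectively bypassed. RestrictedPython expects the table under `__builtins__` (its `safe_globals` is exactly `{'__builtins__': safe_builtins}`): `exec(byte_code, {"__builtins__": self.restricted_python_builtins}, transform_env)`; the `_getattr_`/`_getiter_` guards still resolve through the builtins fallback. Transform code comes from the operator-supplied field-mappings file, so this is a hardening gap rather than a remote exposure, but it is the whole reason RestrictedPython is a dependency. The broad `except Exception` that returns `param` unchanged reports failures only at debug level, so a broken transform silently passes raw values through.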
@@ -231,147 +231,127 @@ def process_file(self, file): Returns the flattened json object """ self.logger.debug(f"FLATTENING : {file}") - JSONLine = {} - JSONOutput = [] - fieldStmt = "" + json_line = {} + json_output = [] + field_stmt = "" def flatten(x, name=''): - nonlocal fieldStmt + nonlocal field_stmt # If it is a Dict go deeper if isinstance(x, dict): for a in x: flatten(x[a], name + a + '.') else: # Applying exclusions. Be careful, the key/value pair is discarded if there is a partial match - if not any(exclusion in name[:-1] for exclusion in self.fieldExclusions): + if not any(exclusion in name[:-1] for exclusion in self.field_exclusions): # Arrays are not expanded - if isinstance(x, list): - value = ''.join(str(x)) - else: - value = x + value = ''.join(str(x)) if isinstance(x, list) else x # Excluding useless values (e.g. "null"). The value must be an exact match. - if value not in self.uselessValues: + if value not in self.useless_values: # Applying field mappings - rawFieldName = name[:-1] - if rawFieldName in self.fieldMappings: - key = self.fieldMappings[rawFieldName] - else: - # Removing all annoying character from field name - key = ''.join(e for e in rawFieldName.split(".")[-1] if e.isalnum()) + raw_field_name = name[:-1] + key = self.field_mappings.get(raw_field_name, ''.join(e for e in raw_field_name.split(".")[-1] if e.isalnum())) # Preparing aliases (work on original field name and Mapped field name) keys = [key] - for fieldName in [key, rawFieldName]: - if fieldName in self.aliases: + for field_name in (key, raw_field_name): + if field_name in self.aliases: keys.append(self.aliases[key]) # Applying field transforms (work on original field name and Mapped field name) - keysThatNeedTransformedValues = [] - transformedValuesByKeys = {} + keys_that_need_transformed_values = [] + transformed_values_by_keys = {} if self.transforms_enabled: - for fieldName in [key, rawFieldName]: - if fieldName in self.transforms: - for transform in 
self.transforms[fieldName]: + for field_name in [key, raw_field_name]: + if field_name in self.transforms: + for transform in self.transforms[field_name]: if transform["enabled"] and self.chosen_input in transform["source_condition"] : - transformCode = transform["code"] + transform_code = transform["code"] # If the transform rule ask for a dedicated alias if transform["alias"]: keys.append(transform["alias_name"]) - keysThatNeedTransformedValues.append(transform["alias_name"]) - transformedValuesByKeys[transform["alias_name"]] = self.transform_value(transformCode, value) + keys_that_need_transformed_values.append(transform["alias_name"]) + transformed_values_by_keys[transform["alias_name"]] = self.transform_value(transform_code, value) else: - value = self.transform_value(transformCode, value) + value = self.transform_value(transform_code, value) # Applying field splitting - fieldsToSplit = [] - if rawFieldName in self.fieldSplitList: - fieldsToSplit.append(rawFieldName) - if key in self.fieldSplitList: - fieldsToSplit.append(key) + fields_to_split = set(field for field in (raw_field_name, key) if field in self.field_split_list) - if len(fieldsToSplit) > 0: - for field in fieldsToSplit: - try: - splittedFields = value.split(self.fieldSplitList[field]["separator"]) - for splittedField in splittedFields: - k,v = splittedField.split(self.fieldSplitList[field]["equal"]) - keyLower = k.lower() - JSONLine[k] = v - if keyLower not in self.keyDict: - self.keyDict[keyLower] = k - fieldStmt += f"'{k}' TEXT COLLATE NOCASE,\n" - except Exception as e: - self.logger.debug(f"ERROR : Couldn't apply field splitting, value(s) {str(splittedFields)} : {e}") + for field in fields_to_split: + try: + separator = self.field_split_list[field]["separator"] + equal = self.field_split_list[field]["equal"] + for splitted_field in value.split(separator): + k, v = splitted_field.split(equal) + json_line[k] = v + key_lower = k.lower() + if key_lower not in self.key_dict: + 
self.key_dict[key_lower] = k + field_stmt += f"'{k}' TEXT COLLATE NOCASE,\n" + except Exception as e: + self.logger.debug(f"ERROR : Couldn't apply field splitting for {field}: {e}") # Applying aliases for key in keys: - if key in keysThatNeedTransformedValues: - JSONLine[key] = transformedValuesByKeys[key] - else: - JSONLine[key] = value - # Creating the CREATE TABLE SQL statement - keyLower = key.lower() - if keyLower not in self.keyDict: - self.keyDict[keyLower] = key - if isinstance(value, int): - fieldStmt += f"'{key}' INTEGER,\n" - else: - fieldStmt += f"'{key}' TEXT COLLATE NOCASE,\n" + # Set value in json_line + json_line[key] = transformed_values_by_keys.get(key, value) + # Only process schema if key not seen before + key_lower = key.lower() + if key_lower not in self.key_dict: + self.key_dict[key_lower] = key + # Determine column type + col_type = 'INTEGER' if isinstance(value, int) else 'TEXT COLLATE NOCASE' + field_stmt += f"'{key}' {col_type},\n" # If filesize is not zero if os.stat(file).st_size != 0: - with open(str(file), 'r', encoding='utf-8') as JSONFile: - filename = os.path.basename(file) - logs = JSONFile - # If the file is a json array - if self.JSONArray: - try: - logs = json.loads(JSONFile.read()) - except Exception as e: - self.logger.debug(f'JSON ARRAY ERROR : {e}') - logs = [] + filename = os.path.basename(file) + with open(str(file), 'r', encoding='utf-8') as json_file: + logs = orjson.loads(json_file.read()) if self.json_array else json_file for line in logs: try: - if self.JSONArray: - dictToFlatten = line - else: - dictToFlatten = json.loads(line) - dictToFlatten.update({"OriginalLogfile": filename}) - if self.hashes: - dictToFlatten.update({"OriginalLogLinexxHash": xxhash.xxh64_hexdigest(line[:-1])}) - flatten(dictToFlatten) + dict_to_flatten = line if self.json_array else orjson.loads(line) + dict_to_flatten["OriginalLogfile"] = filename + if self.hashes: + dict_to_flatten["OriginalLogLinexxHash"] = xxhash.xxh64_hexdigest(line[:-1]) 
+ flatten(dict_to_flatten) except Exception as e: self.logger.debug(f'JSON ERROR : {e}') - # Handle timestamp filters - if (self.timeAfter != "1970-01-01T00:00:00" or self.timeBefore != "9999-12-12T23:59:59") and (self.timeField in JSONLine): - try: - timestamp = time.strptime(JSONLine[self.timeField].split(".")[0].replace("Z",""), '%Y-%m-%dT%H:%M:%S') - if timestamp > self.timeAfter and timestamp < self.timeBefore: - JSONOutput.append(JSONLine) - except Exception: - JSONOutput.append(JSONLine) + continue + + if self.time_after != "1970-01-01T00:00:00" or self.time_before != "9999-12-12T23:59:59": + if self.time_field in json_line: + try: + timestamp = time.strptime(json_line[self.time_field].split(".")[0].replace("Z",""), '%Y-%m-%dT%H:%M:%S') + if self.time_after < timestamp < self.time_before: + json_output.append(json_line) + except Exception: + json_output.append(json_line) + else: + continue else: - JSONOutput.append(JSONLine) - JSONLine = {} - return {"dbFields": fieldStmt, "dbValues": JSONOutput} - - def save_to_file(self, outputFile): - with open(outputFile, 'w', encoding='utf-8') as file: - for JSONLine in tqdm(self.valuesStmt, colour="yellow"): - file.write(f'{json.dumps(JSONLine).decode("utf-8")}\n') - - def run(self, EVTXJSONList): - for evtxJSON in EVTXJSONList: - if os.stat(evtxJSON).st_size != 0: - results = self.process_file(evtxJSON) - self.fieldStmt += results["dbFields"] - self.valuesStmt += results["dbValues"] + json_output.append(json_line) + json_line = {} + return {"db_fields": field_stmt, "db_values": json_output} + + def save_to_file(self, output_file): + with open(output_file, 'w', encoding='utf-8') as file: + for json_line in tqdm(self.values_stmt, colour="yellow"): + file.write(f'{orjson.dumps(json_line).decode("utf-8")}\n') + + def run(self, evtx_json_list): + for evtx_json in evtx_json_list: + if os.stat(evtx_json).st_size != 0: + results = self.process_file(evtx_json) + self.field_stmt += results["db_fields"] + self.values_stmt += 
results["db_values"] class zircore: """ Load data into database and apply detection rules """ - def __init__(self, noOutput=False, limit=-1, csv_output=False, db_location=":memory:", delimiter=";", + def __init__(self, no_output=False, limit=-1, csv_output=False, db_location=":memory:", delimiter=";", tmp_directory=".", tmp_directory_db="." ): @@ -380,10 +360,10 @@ def __init__(self, noOutput=False, limit=-1, csv_output=False, db_location=":mem self.tmp_directory = tmp_directory self.tmp_directory_db = tmp_directory_db self.db_connection = self.create_connection(db_location) - self.fullResults = [] + self.full_results = [] self.rule_results = [] self.ruleset = {} - self.noOutput = noOutput + self.no_output = no_output self.limit = limit self.csv_output = csv_output self.delimiter = delimiter @@ -430,10 +410,10 @@ def udf_regex(x, y): self.logger.error(f"{Fore.RED} [-] {e}") return conn - def create_db(self, fieldStmt): - createTableStmt = f"CREATE TABLE logs ( row_id INTEGER, {fieldStmt} PRIMARY KEY(row_id AUTOINCREMENT) );" - self.logger.debug(f" CREATE : {createTableStmt}") - if not self.execute_simple_query(createTableStmt): + def create_db(self, field_stmt): + create_table_stmt = f"CREATE TABLE logs ( row_id INTEGER, {field_stmt} PRIMARY KEY(row_id AUTOINCREMENT) );" + self.logger.debug(f" CREATE : {create_table_stmt}") + if not self.execute_simple_query(create_table_stmt): self.logger.error(f"{Fore.RED} [-] Unable to create table{Fore.RESET}") sys.exit(1) @@ -447,10 +427,10 @@ def execute_simple_query(self, query): self.logger.error(f"{Fore.RED} [-] No connection to Db{Fore.RESET}") return False else: - dbHandle = self.db_connection.cursor() + db_handle = self.db_connection.cursor() self.logger.debug(f"EXECUTING : {query}") try: - dbHandle.execute(query) + db_handle.execute(query) self.db_connection.commit() except Error as e: self.logger.debug(f" [-] {e}") 
@@ -478,44 +458,44 @@ def execute_select_query(self, query): def load_db_in_memory(self, db): """ In db only mode it is possible to restore an on disk Db to avoid EVTX extraction and flattening """ - dbfileConnection = self.create_connection(db) - dbfileConnection.backup(self.db_connection) - dbfileConnection.close() + dbfile_connection = self.create_connection(db) + dbfile_connection.backup(self.db_connection) + dbfile_connection.close() def escape_identifier(self, identifier): """Escape SQL identifiers like table or column names.""" return identifier.replace("\"", "\"\"") - def insert_data_to_db(self, JSONLine): + def insert_data_to_db(self, json_line): """Build a parameterized INSERT INTO query and insert data into the database.""" - columns = JSONLine.keys() - columnsEscaped = ', '.join([self.escape_identifier(col) for col in columns]) + columns = json_line.keys() + columns_escaped = ', '.join([self.escape_identifier(col) for col in columns]) placeholders = ', '.join(['?'] * len(columns)) values = [] for col in columns: - value = JSONLine[col] + value = json_line[col] if isinstance(value, int): # Check if value exceeds SQLite INTEGER limits if abs(value) > 9223372036854775807: value = str(value) # Convert to string values.append(value) - insertStmt = f'INSERT INTO logs ({columnsEscaped}) VALUES ({placeholders})' + insert_stmt = f'INSERT INTO logs ({columns_escaped}) VALUES ({placeholders})' try: - self.db_connection.execute(insertStmt, values) + self.db_connection.execute(insert_stmt, values) return True except Exception as e: self.logger.debug(f" [-] {e}") return False - def insert_flat_json_to_db(self, flattenedJSON): - for JSONLine in flattenedJSON: - self.insert_data_to_db(JSONLine) + def insert_flat_json_to_db(self, flattened_json): + for json_line in flattened_json: + self.insert_data_to_db(json_line) - def save_db_to_disk(self, dbFilename): + def save_db_to_disk(self, db_filename): self.logger.info("[+] Saving working data to disk as a SQLite DB") - 
onDiskDb = sqlite3.connect(dbFilename) - self.db_connection.backup(onDiskDb) - onDiskDb.close() + on_disk_db = sqlite3.connect(db_filename) + self.db_connection.backup(on_disk_db) + on_disk_db.close() def execute_rule(self, rule): """ @@ -534,27 +514,26 @@ def execute_rule(self, rule): rule_id = rule.get("id", "") sigma_queries = rule["rule"] - filteredRows = [] + filtered_rows = [] # Process each SQL query in the rule - for SQLQuery in sigma_queries: - data = self.execute_select_query(SQLQuery) + for sql_query in sigma_queries: + data = self.execute_select_query(sql_query) if data: if self.csv_output: # Clean values for CSV output - cleaned_rows = [ - {k: str(v).replace("\n", "").replace("\r", "").replace("None", "") for k, v in dict(row).items()} + filtered_rows.extend( + {k: str(v).replace("\n", "").replace("\r", "") or "" for k, v in row.items()} for row in data - ] + ) else: # Remove None values - cleaned_rows = [ - {k: v for k, v in dict(row).items() if v is not None} + filtered_rows.extend( + {k: v for k, v in row.items() if v is not None} for row in data - ] - filteredRows.extend(cleaned_rows) + ) - if filteredRows: + if filtered_rows: results = { "title": title, "id": rule_id, 
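Review bot: `escape_identifier` doubles embedded double quotes, but `insert_stmt` never wraps the column names in double quotes, so the escaping has no effect and a key that is not a bare SQL identifier still yields a malformed INSERT that is only logged at debug level and silently drops the row (`insert_flat_json_to_db` ignores the False return). Quote each name: `columns_escaped = ', '.join(f'"{self.escape_identifier(col)}"' for col in columns)`. If the flattener already restricts keys to alphanumerics (not visible in these hunks), this is defensive only; either way the `escape_identifier` docstring should state that callers must wrap its result in double quotes for the escaping to mean anything.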
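Review bot: In the CSV branch of execute_rule, `str(v).replace(...).replace(...) or ""` no longer blanks None values: `str(None)` is the non-empty string `"None"`, so the `or ""` fallback never fires and the literal text `None` lands in the CSV where the old `.replace("None", "")` produced an empty cell. Test the value before converting it: `{k: "" if v is None else str(v).replace("\n", "").replace("\r", "") for k, v in row.items()}`. Separately, both branches now call `row.items()` instead of `dict(row).items()`; if execute_select_query still returns `sqlite3.Row` objects (its body is outside these hunks), that type has `keys()` but no `items()` and both branches would raise — confirm what it returns.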
@@ -563,28 +542,28 @@ def execute_rule(self, rule): "sigma": sigma_queries, "rule_level": rule_level, "tags": tags, - "count": len(filteredRows), - "matches": filteredRows + "count": len(filtered_rows), + "matches": filtered_rows } if not self.csv_output: - json_bytes = json.dumps(results) + json_bytes = orjson.dumps(results) self.tmp_file.write(f"{json_bytes.decode('utf-8')}\n") - self.logger.debug(f'DETECTED: {title} - Matches: {len(filteredRows)} events') + self.logger.debug(f'DETECTED: {title} - Matches: {len(filtered_rows)} events') return results else: return {} - def load_ruleset_from_var(self, ruleset, ruleFilters): + def load_ruleset_from_var(self, ruleset, rule_filters): self.ruleset = ruleset - self.apply_ruleset_filters(ruleFilters) + self.apply_ruleset_filters(rule_filters) - def apply_ruleset_filters(self, ruleFilters=None): + def apply_ruleset_filters(self, rule_filters=None): # Remove empty rule and remove filtered rules self.ruleset = list(filter(None, self.ruleset)) - if ruleFilters is not None: - self.ruleset = [rule for rule in self.ruleset if not any(ruleFilter in rule["title"] for ruleFilter in ruleFilters)] + if rule_filters is not None: + self.ruleset = [rule for rule in self.ruleset if not any(rule_filter in rule["title"] for rule_filter in rule_filters)] def execute_ruleset(self): """ 
@@ -594,75 +573,75 @@ def execute_ruleset(self): for rule in self.ruleset: # Execute the rule - ruleResults = self.execute_rule(rule) - if not ruleResults: + rule_results = self.execute_rule(rule) + if not rule_results: continue # No matches, skip to next rule # Apply limit if set - if self.limit != -1 and ruleResults["count"] > self.limit: + if self.limit != -1 and rule_results["count"] > self.limit: continue # Exceeds limit, skip this result # Store if the rule has matched : title, level, count only self.rule_results.append({ - "rule_title": ruleResults["title"], - "rule_level": ruleResults["rule_level"], - "rule_count": ruleResults["count"], + "rule_title": rule_results["title"], + "rule_level": rule_results["rule_level"], + "rule_count": rule_results["count"], }) - #self.fullResults.append(ruleResults) + #self.full_results.append(rule_results) self.tmp_file.close() class evtx_extractor: - def __init__(self, providedTmpDir=None, cores=None, use_external_binaries=True, binaries_path = None, encoding=None, input_format=None): + def __init__(self, provided_tmp_dir=None, cores=None, use_external_binaries=True, binaries_path=None, encoding=None, input_format=None): self.logger = logging.getLogger(__name__) - if Path(str(providedTmpDir)).is_dir(): - self.tmpDir = f"tmp-{self.rand_string()}" - self.logger.error(f"{Fore.RED} [-] Provided directory already exists using '{self.tmpDir}' instead{Fore.RESET}") + if Path(str(provided_tmp_dir)).is_dir(): + self.tmp_dir = f"tmp-{self.rand_string()}" + self.logger.error(f"{Fore.RED} [-] Provided directory already exists using '{self.tmp_dir}' instead{Fore.RESET}") else: - self.tmpDir = providedTmpDir or f"tmp-{self.rand_string()}" - os.mkdir(self.tmpDir) + self.tmp_dir = provided_tmp_dir or f"tmp-{self.rand_string()}" + os.mkdir(self.tmp_dir) self.cores = cores or os.cpu_count() self.use_external_binaries = use_external_binaries - self.sysmon4linux = False - self.xmlLogs = False - self.csvInput = False - self.auditdLogs = False 
+ self.sysmon_4_linux = False + self.xml_logs = False + self.csv_input = False + self.auditd_logs = False self.evtxtract = False if input_format == "sysmon_linux_input": - self.sysmon4linux = True + self.sysmon_4_linux = True elif input_format == "xml_input": - self.xmlLogs = True + self.xml_logs = True elif input_format == "csv_input": - self.csvInput = True + self.csv_input = True elif input_format == "auditd_input": - self.auditdLogs = True + self.auditd_logs = True elif input_format == "evtxtract_input": self.evtxtract = True # Hardcoded hash list of evtx_dump binaries - self.validHashList = ["bbcce464533e0364", "e642f5c23e156deb", "5a7a1005885a1a11"] + self.valid_hash_list = ["bbcce464533e0364", "e642f5c23e156deb", "5a7a1005885a1a11"] # Sysmon 4 Linux default encoding is ISO-8859-1, Auditd is UTF-8 - if not encoding and self.sysmon4linux: + if not encoding and self.sysmon_4_linux: self.encoding = "ISO-8859-1" - elif not encoding and (self.auditdLogs or self.evtxtract or self.xmlLogs): + elif not encoding and (self.auditd_logs or self.evtxtract or self.xml_logs): self.encoding = "utf-8" else: self.encoding = encoding - self.evtx_dump_cmd = self.getOSExternalTools(binaries_path) + self.evtx_dump_cmd = self.get_os_external_tools(binaries_path) def rand_string(self, length=8): return ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(length)) - def getOSExternalTools(self, binPath): + def get_os_external_tools(self, bin_path): """ Determine which binaries to run depending on host OS : 32Bits is NOT supported for now since evtx_dump is 64bits only""" - if binPath is None: + if bin_path is None: if _platform == "linux" or _platform == "linux2": return "bin/evtx_dump_lin" elif _platform == "darwin": 
@@ -670,32 +649,33 @@ def getOSExternalTools(self, binPath): elif _platform == "win32": return "bin\\evtx_dump_win.exe" else: - return binPath + return bin_path - def runUsingBindings(self, file): + def run_using_bindings(self, file): """ Convert EVTX to JSON using evtx_dump bindings (slower) Drop resulting JSON files in a tmp folder. """ - if not self.use_external_binaries: - try: - filepath = Path(file) - filename = filepath.name - parser = PyEvtxParser(str(filepath)) - with open(f"{self.tmpDir}/{str(filename)}-{self.rand_string()}.json", "w", encoding="utf-8") as f: - for record in parser.records_json(): - f.write(f'{json.dumps(json.loads(record["data"])).decode("utf-8")}\n') - except Exception as e: - self.logger.error(f"{Fore.RED} [-] Cannot use PyEvtxParser : {e}{Fore.RESET}") - else: + if self.use_external_binaries: self.logger.error(f"{Fore.RED} [-] Cannot use PyEvtxParser and evtx_dump is disabled or missing{Fore.RESET}") + return - def getTime(self, line): + try: + filepath = Path(file) + output_file = f"{self.tmp_dir}/{filepath.name}-{self.rand_string()}.json" + parser = PyEvtxParser(str(filepath)) + with open(output_file, "w", encoding="utf-8") as f: + for record in parser.records_json(): + f.write(record["data"].replace('\n', '') + '\n') + except Exception as e: + self.logger.error(f"{Fore.RED} [-] Cannot use PyEvtxParser : {e}{Fore.RESET}") + + def get_time(self, line): timestamp = line.replace('msg=audit(','').replace('):','').split(':') timestamp = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(float(timestamp[0]))) return timestamp - def auditdLine2JSON(self, auditdLine): + def auditd_line_to_json(self, auditd_line): """ Convert auditd logs to JSON : code from https://github.com/csark/audit2json """ 
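Review bot: `self.cores = cores or os.cpu_count()` in evtx_extractor.__init__ (a context line of this hunk) treats the new `--cores` default of -1 as a valid value, because -1 is truthy; if main() still passes `args.cores` straight through, the extractor ends up with `self.cores = -1`, which a process pool would reject. Guard it: `self.cores = cores if cores and cores > 0 else os.cpu_count()`. If main() now replaces -1 with the value from calculate_system_resources before constructing the extractor, this is only defensive — that code is outside the visible hunks.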
@@ -703,10 +683,10 @@ def auditdLine2JSON(self, auditdLine): # According to auditd specs https://github.com/linux-audit/audit-documentation/wiki/SPEC-Audit-Event-Enrichment # a GS ASCII character, 0x1D, will be inserted to separate original and translated fields # Best way to deal with it is to remove it. - attributes = auditdLine.replace('\x1d',' ').split(' ') + attributes = auditd_line.replace('\x1d',' ').split(' ') for attribute in attributes: if 'msg=audit' in attribute: - event['timestamp'] = self.getTime(attribute) + event['timestamp'] = self.get_time(attribute) else: try: attribute = attribute.replace('msg=','').replace('\'','').replace('"','').split('=') 
@@ -717,46 +697,46 @@ def auditdLine2JSON(self, auditdLine): event['host'] = 'offline' return event - def SysmonXMLLine2JSON(self, xmlLine): + def sysmon_xml_line_to_json(self, xml_line): """ Remove syslog header and convert xml data to json : code from ZikyHD (https://github.com/ZikyHD) """ - if 'Event' not in xmlLine: + if 'Event' not in xml_line: return None - xmlLine = "" + xmlLine.split("")[1] + xml_line = "" + xml_line.split("")[1] try: # isolate individual line parsing errors - root = etree.fromstring(xmlLine) - return self.xml2dict(root) + root = etree.fromstring(xml_line) + return self.xml_to_dict(root) except Exception as ex: - self.logger.debug(f"Unable to parse line \"{xmlLine}\": {ex}") + self.logger.debug(f"Unable to parse line \"{xml_line}\": {ex}") return None - def XMLLine2JSON(self, xmlLine): + def xml_line_to_json(self, xml_line): """ Remove "Events" header and convert xml data to json : code from ZikyHD (https://github.com/ZikyHD) """ - if '","\n").replace("","\n").replace(" JSON is disabled{Fore.RESET}") + if sigma_conversion_disabled: + import_error_list.append(f"{Fore.LIGHTYELLOW_EX} [i] Cannot import 'sigma' from pySigma, ruleset conversion YAML -> JSON is disabled{Fore.RESET}") config.no_sigma_conversion = True - if pyevtxDisabled: - importErrorList.append(f"{Fore.LIGHTYELLOW_EX} [i] Cannot import 'evtx' from pyevtx-rs, use of external binaries is mandatory{Fore.RESET}") + if pyevtx_disabled: + import_error_list.append(f"{Fore.LIGHTYELLOW_EX} [i] Cannot import 'evtx' from pyevtx-rs, use of external binaries is mandatory{Fore.RESET}") config.noexternal = False - if jinja2Disabled: - importErrorList.append(f"{Fore.LIGHTYELLOW_EX} [i] Cannot import 'jinja2', templating is disabled{Fore.RESET}") + if jinja2_disabled: + import_error_list.append(f"{Fore.LIGHTYELLOW_EX} [i] Cannot import 'jinja2', templating is disabled{Fore.RESET}") config.template = None - if xmlImportDisabled: - importErrorList.append(f"{Fore.LIGHTYELLOW_EX} [i] Cannot import 
'lxml', cannot use XML logs as input{Fore.RESET}") + if xml_import_disabled: + import_error_list.append(f"{Fore.LIGHTYELLOW_EX} [i] Cannot import 'lxml', cannot use XML logs as input{Fore.RESET}") if config.xml: return f"{Fore.RED} [-] Cannot import 'lxml', but according to command line provided it is needed{Fore.RESET}", config, True if config.debug or config.imports: - return "\n".join(importErrorList), config, False + return "\n".join(import_error_list), config, False - if importErrorList == []: + if import_error_list == []: return "", config, False return f"{Fore.LIGHTYELLOW_EX} [i] Import errors, certain functionalities may be disabled ('--imports' for details)\n Supplemental imports can be installed with 'requirements.full.txt'{Fore.RESET}", config, False @@ -1204,11 +1182,11 @@ def runner(file, params): """ Runner function to flatten events and apply rules with multiprocessing """ flattener = json_flattener( - configFile=params["config"], - timeAfter=params["events_after"], - timeBefore=params["events_before"], - timeField=params["timefield"], - hashes=params["hashes"], + config_file=params["config"], + time_after=params["events_after"], + time_before=params["events_before"], + time_field=params["timefield"], + hashes=params["hashes"], input_format=params["input_format"] ) @@ -1220,10 +1198,7 @@ def runner(file, params): # Initialize zircore filename = os.path.basename(file) - if params["on_disk_db"]: - db_location = f"(unknown)-{rand_string(4)}.db" - else: - db_location = f"file:(unknown)?mode=memory&cache=shared" + db_location = f"(unknown)-{rand_string(4)}.db" if params["on_disk_db"] else f"file:(unknown)?mode=memory&cache=shared" zircolite_core = zircore( limit=params["limit"], 
@@ -1234,17 +1209,15 @@ def runner(file, params): tmp_directory_db=params["tmp_directory_db"] ) - zircolite_core.create_db(flattener.fieldStmt) - zircolite_core.insert_flat_json_to_db(flattener.valuesStmt) + zircolite_core.create_db(flattener.field_stmt) + zircolite_core.insert_flat_json_to_db(flattener.values_stmt) del flattener zircolite_core.create_index() - - ruleset = params["rulesets"] - zircolite_core.load_ruleset_from_var(ruleset=ruleset, ruleFilters=params["rulefilter"]) + zircolite_core.load_ruleset_from_var(ruleset=params["rulesets"], rule_filters=params["rulefilter"]) zircolite_core.execute_ruleset() zircolite_core.close() - return zircolite_core.fullResults, zircolite_core.rule_results + return zircolite_core.full_results, zircolite_core.rule_results def runner_wrapper(args): """ Helper function to allow TQDM to display a progress bar""" 
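Review bot: runner returns `zircolite_core.full_results` as the first element of its tuple, but the only write to `full_results` visible in this diff, in execute_ruleset, is commented out (`#self.full_results.append(rule_results)`), so that element is always an empty list unless code outside these hunks fills it. Either drop it from the return value and from runner's callers, or add a comment at the `return` such as `# full matches are written to tmp_file by execute_rule; only per-rule summaries are returned here`. The body of runner starts outside this hunk.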
@@ -1280,6 +1253,43 @@ def concatenate_files(input_dir, output_file, buffer_size=1024*1024): break outfile.write(buffer) +def calculate_files_total_size(file_list): + total_size = 0 + for file in file_list: + total_size += file.stat().st_size + return total_size + +def get_machine_ram(): + return psutil.virtual_memory().available + +def format_size(size_in_bytes): + if size_in_bytes < 1024: + return f"{size_in_bytes} B" + elif size_in_bytes < 1024**2: + return f"{size_in_bytes / 1024:.2f} KB" + elif size_in_bytes < 1024**3: + return f"{size_in_bytes / 1024**2:.2f} MB" + else: + return f"{size_in_bytes / 1024**3:.2f} GB" + +def calculate_system_resources(file_list): + total_size = calculate_files_total_size(file_list) + machine_ram = get_machine_ram() + machine_cores = os.cpu_count() + + max_memory_usage = total_size * 2 + + # Calculate memory usage per core + per_core_usage = max_memory_usage / machine_cores + max_cores_to_use = min(machine_cores, int(machine_ram // per_core_usage)) + + return{ + "total_size": total_size, + "machine_ram": machine_ram, + "machine_cores": machine_cores, + "max_cores_to_use": max_cores_to_use + } + ################################################################ # MAIN() ################################################################ 
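Review bot: calculate_system_resources divides by `per_core_usage`, which is 0 whenever the selected files are all empty or the list is empty, so `machine_ram // per_core_usage` raises ZeroDivisionError; and when the inputs are large relative to available RAM, `min(...)` can yield 0, which is not a usable worker count. `os.cpu_count()` may also return None, which would turn the first division into a TypeError. The rewrite below guards the zero case, clamps the result to at least one core, and documents the factor-2 heuristic; the three small helpers above it are unchanged.
```python
# … unchanged: calculate_files_total_size, get_machine_ram, format_size …

def calculate_system_resources(file_list):
    """Estimate how many worker processes the available RAM can sustain.

    Returns a dict with the total input size, available RAM, core count and
    the number of cores to use, which is always at least 1.
    """
    total_size = calculate_files_total_size(file_list)
    machine_ram = get_machine_ram()
    machine_cores = os.cpu_count() or 1  # cpu_count() may return None

    # Heuristic: peak memory is assumed to be about twice the raw input size
    max_memory_usage = total_size * 2

    # Memory needed per worker; zero when there is nothing to process
    per_core_usage = max_memory_usage / machine_cores
    if per_core_usage > 0:
        max_cores_to_use = min(machine_cores, int(machine_ram // per_core_usage))
    else:
        max_cores_to_use = machine_cores
    # A pool needs at least one process even if RAM looks insufficient
    max_cores_to_use = max(1, max_cores_to_use)

    return {
        "total_size": total_size,
        "machine_ram": machine_ram,
        "machine_cores": machine_cores,
        "max_cores_to_use": max_cores_to_use,
    }
```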
@@ -1290,68 +1300,67 @@ def main(): parser = argparse.ArgumentParser() # Input files and filtering/selection options logsInputArgs = parser.add_argument_group(f'{Fore.BLUE}INPUT FILES AND FILTERING/SELECTION OPTIONS{Fore.RESET}') - logsInputArgs.add_argument("-e", "--events", "--evtx", help="Log file or directory where log files are stored in supported format", type=str) - logsInputArgs.add_argument("-s", "--select", help="Only files with filenames containing the provided string will be used. If there is/are exclusion(s) (--avoid) they will be handled after selection", action='append', nargs='+') - logsInputArgs.add_argument("-a", "--avoid", help="Files files with filenames containing the provided string will NOT be used", action='append', nargs='+') - logsInputArgs.add_argument("-f", "--fileext", help="Extension of the log files", type=str) + logsInputArgs.add_argument("-e", "--events", "--evtx", help="Specify a log file or directory containing log files in supported formats", type=str) + logsInputArgs.add_argument("-s", "--select", help="Select only files with filenames containing the provided string. Exclusions (--avoid) will be applied after selection", action='append', nargs='+') + logsInputArgs.add_argument("-a", "--avoid", help="Exclude files with filenames containing the provided string", action='append', nargs='+') + logsInputArgs.add_argument("-f", "--fileext", help="Specify the extension of the log files", type=str) logsInputArgs.add_argument("-fp", "--file-pattern", help="Use a Python Glob pattern to select files. This option only works with directories", type=str) - logsInputArgs.add_argument("--no-recursion", help="By default Zircolite search log/event files recursively, by using this option only the provided directory will be used", action="store_true") + logsInputArgs.add_argument("--no-recursion", help="Disable recursive search for log/event files. 
Only search in the provided directory", action="store_true") # Events filtering options eventArgs = parser.add_argument_group(f'{Fore.BLUE}EVENTS FILTERING OPTIONS{Fore.RESET}') - eventArgs.add_argument("-A", "--after", help="Limit to events that happened after the provided timestamp (UTC). Format : 1970-01-01T00:00:00", type=str, default="1970-01-01T00:00:00") - eventArgs.add_argument("-B", "--before", help="Limit to events that happened before the provided timestamp (UTC). Format : 1970-01-01T00:00:00", type=str, default="9999-12-12T23:59:59") + eventArgs.add_argument("-A", "--after", help="Limit to events that occurred after the provided timestamp (UTC). Format: 1970-01-01T00:00:00", type=str, default="1970-01-01T00:00:00") + eventArgs.add_argument("-B", "--before", help="Limit to events that occurred before the provided timestamp (UTC). Format: 1970-01-01T00:00:00", type=str, default="9999-12-12T23:59:59") # Event and log formats options - # /!\ an option name containing '-input' must exists (It is used in JSON flattening mechanism) + # /!\ an option name containing '-input' must exist (It is used in JSON flattening mechanism) eventFormatsArgs = parser.add_mutually_exclusive_group() - eventFormatsArgs.add_argument("-j", "--json-input", "--jsononly", "--jsonline", "--jsonl", help="If logs files are already in JSON lines format ('jsonl' in evtx_dump) ", action='store_true') - eventFormatsArgs.add_argument("--json-array-input", "--jsonarray", "--json-array", help="Source logs are in JSON but as an array", action='store_true') - eventFormatsArgs.add_argument("-S", "--sysmon-linux-input", "--sysmon4linux", "--sysmon-linux", help="Use this option if your log file is a Sysmon for linux log file, default file extension is '.log'", action='store_true') - eventFormatsArgs.add_argument("-AU", "--auditd-input", "--auditd", help="Use this option if your log file is a Auditd log file, default file extension is '.log'", action='store_true') - 
eventFormatsArgs.add_argument("-x", "--xml-input", "--xml", help="Use this option if your log file is a EVTX converted to XML log file, default file extension is '.xml'", action='store_true') - eventFormatsArgs.add_argument("--evtxtract-input", "--evtxtract", help="Use this option if your log file was extracted with EVTXtract, default file extension is '.log'", action='store_true') - eventFormatsArgs.add_argument("--csv-input", "--csvonly", help="You log file is in CSV format '.csv'", action='store_true') + eventFormatsArgs.add_argument("-j", "--json-input", "--jsononly", "--jsonline", "--jsonl", help="Specify if log files are already in JSON lines format ('jsonl' in evtx_dump)", action='store_true') + eventFormatsArgs.add_argument("--json-array-input", "--jsonarray", "--json-array", help="Specify if source logs are in JSON format as an array", action='store_true') + eventFormatsArgs.add_argument("-S", "--sysmon-linux-input", "--sysmon4linux", "--sysmon-linux", help="Use this option for Sysmon for Linux log files. Default file extension is '.log'", action='store_true') + eventFormatsArgs.add_argument("-AU", "--auditd-input", "--auditd", help="Use this option for Auditd log files. Default file extension is '.log'", action='store_true') + eventFormatsArgs.add_argument("-x", "--xml-input", "--xml", help="Use this option for EVTX files converted to XML format. Default file extension is '.xml'", action='store_true') + eventFormatsArgs.add_argument("--evtxtract-input", "--evtxtract", help="Use this option for log files extracted with EVTXtract. 
Default file extension is '.log'", action='store_true') + eventFormatsArgs.add_argument("--csv-input", "--csvonly", help="Specify if your log file is in CSV format '.csv'", action='store_true') # Ruleset options rulesetsFormatsArgs = parser.add_argument_group(f'{Fore.BLUE}RULES AND RULESETS OPTIONS{Fore.RESET}') - rulesetsFormatsArgs.add_argument("-r", "--ruleset", help="Sigma ruleset : JSON (Zircolite format) or YAML/Directory containing YAML files (Native Sigma format)", action='append', nargs='+') + rulesetsFormatsArgs.add_argument("-r", "--ruleset", help="Specify Sigma ruleset: JSON (Zircolite format) or YAML/Directory containing YAML files (Native Sigma format)", action='append', nargs='+') rulesetsFormatsArgs.add_argument("-nsc", "--no-sigma-conversion", help=argparse.SUPPRESS, action='store_true') rulesetsFormatsArgs.add_argument("-sr", "--save-ruleset", help="Save converted ruleset (Sigma to Zircolite format) to disk", action='store_true') - rulesetsFormatsArgs.add_argument("-p", "--pipeline", help="For all the native Sigma rulesets (YAML) use this pipeline. Multiple can be used. Examples : 'sysmon', 'windows-logsources', 'windows-audit'. You can list installed pipelines with '--pipeline-list'.", action='append', nargs='+') + rulesetsFormatsArgs.add_argument("-p", "--pipeline", help="Specify pipeline(s) for native Sigma rulesets (YAML). Multiple can be used. Examples: 'sysmon', 'windows-logsources', 'windows-audit'. 
Use '--pipeline-list' to see available pipelines", action='append', nargs='+') rulesetsFormatsArgs.add_argument("-pl", "--pipeline-list", help="List installed pysigma pipelines", action='store_true') - rulesetsFormatsArgs.add_argument("-pn", "--pipeline-null", help="For all the native Sigma rulesets (YAML) don't use any pipeline (Default)", action='store_true') - rulesetsFormatsArgs.add_argument("-R", "--rulefilter", help="Remove rule from ruleset, comparison is done on rule title (case sensitive)", action='append', nargs='*') - # Ouput formats and output files options - outputFormatsArgs = parser.add_argument_group(f'{Fore.BLUE}OUPUT FORMATS AND OUTPUT FILES OPTIONS{Fore.RESET}') - outputFormatsArgs.add_argument("-o", "--outfile", help="File that will contains all detected events", type=str, default="detected_events.json") - outputFormatsArgs.add_argument("--csv", "--csv-output", help="The output will be in CSV. You should note that in this mode empty fields will not be discarded from results", action='store_true') - outputFormatsArgs.add_argument("--csv-delimiter", help="Choose the delimiter for CSV ouput", type=str, default=";") - outputFormatsArgs.add_argument("-t", "--tmpdir", help="Temp directory that will contains events converted as JSON (parent directories must exist)", type=str) - outputFormatsArgs.add_argument("-k", "--keeptmp", help="Do not remove the temp directory containing events converted in JSON format", action='store_true') + rulesetsFormatsArgs.add_argument("-pn", "--pipeline-null", help="Do not use any pipeline for native Sigma rulesets (YAML). 
This is the default behavior", action='store_true') + rulesetsFormatsArgs.add_argument("-R", "--rulefilter", help="Remove rules from ruleset based on rule title (case sensitive)", action='append', nargs='*') + # Output formats and output files options + outputFormatsArgs = parser.add_argument_group(f'{Fore.BLUE}OUTPUT FORMATS AND OUTPUT FILES OPTIONS{Fore.RESET}') + outputFormatsArgs.add_argument("-o", "--outfile", help="Specify the file to store all detected events", type=str, default="detected_events.json") + outputFormatsArgs.add_argument("--csv", "--csv-output", help="Output results in CSV format. Note that in this mode, empty fields will not be discarded from results", action='store_true') + outputFormatsArgs.add_argument("--csv-delimiter", help="Specify the delimiter for CSV output", type=str, default=";") + outputFormatsArgs.add_argument("-t", "--tmpdir", help="Specify the temporary directory to store events converted to JSON (parent directories must exist)", type=str) + outputFormatsArgs.add_argument("-k", "--keeptmp", help="Retain the temporary directory containing events converted to JSON format", action='store_true') outputFormatsArgs.add_argument("--keepflat", help="Save flattened events as JSON", action='store_true') - outputFormatsArgs.add_argument("-d", "--dbfile", help="Save all logs in a SQLite Db to the specified file", type=str) - outputFormatsArgs.add_argument("-l", "--logfile", help="Log file name", default="zircolite.log", type=str) + outputFormatsArgs.add_argument("-d", "--dbfile", help="Save all logs in a SQLite database file", type=str) + outputFormatsArgs.add_argument("-l", "--logfile", help="Specify the log file name", default="zircolite.log", type=str) outputFormatsArgs.add_argument("--hashes", help="Add an xxhash64 of the original log event to each event", action='store_true') - outputFormatsArgs.add_argument("-L", "--limit", "--limit-results", help="Discard results that are above the provided limit", type=int, default=-1) + 
outputFormatsArgs.add_argument("-L", "--limit", "--limit-results", help="Discard results that exceed the specified limit", type=int, default=-1) # Advanced configuration options configFormatsArgs = parser.add_argument_group(f'{Fore.BLUE}ADVANCED CONFIGURATION OPTIONS{Fore.RESET}') - configFormatsArgs.add_argument("-c", "--config", help="JSON File containing field mappings and exclusions", type=str, default="config/fieldMappings.json") - eventFormatsArgs.add_argument("-LE", "--logs-encoding", help="Specify log encoding when dealing with Sysmon for Linux or Auditd files", type=str) - configFormatsArgs.add_argument("--fieldlist", help="Get all events fields", action='store_true') - configFormatsArgs.add_argument("--evtx_dump", help="Tell Zircolite to use this binary for EVTX conversion, on Linux and MacOS the path must be valid to launch the binary (eg. './evtx_dump' and not 'evtx_dump')", type=str, default=None) - configFormatsArgs.add_argument("--noexternal", "--bindings", help="Don't use evtx_dump external binaries (slower)", action='store_true') - configFormatsArgs.add_argument("--cores", help="Specify how many cores you want to use, default is all cores, works only for EVTX extraction", default=os.cpu_count(), type=int) - configFormatsArgs.add_argument("--debug", help="Activate debug logging", action='store_true') - configFormatsArgs.add_argument("--imports", help="Show detailed module import errors", action='store_true') - configFormatsArgs.add_argument("--ondiskdb", "--on-disk-db", help="Use an on-disk database instead of the in-memory one (much slower !). 
Use if your system has limited RAM or if your dataset is very large and you cannot split it", action='store_true') - configFormatsArgs.add_argument("-RE", "--remove-events", help="Zircolite will try to remove events/logs submitted if analysis is successful (use at your own risk)", action='store_true') + configFormatsArgs.add_argument("-c", "--config", help="Specify a JSON file containing field mappings and exclusions", type=str, default="config/fieldMappings.json") + eventFormatsArgs.add_argument("-LE", "--logs-encoding", help="Specify log encoding when processing Sysmon for Linux or Auditd files", type=str) + configFormatsArgs.add_argument("--evtx_dump", help="Specify the binary to use for EVTX conversion. On Linux and MacOS, provide a valid path to launch the binary (e.g., './evtx_dump' instead of 'evtx_dump')", type=str, default=None) + configFormatsArgs.add_argument("--noexternal", "--bindings", help="Disable the use of evtx_dump external binaries (slower processing)", action='store_true') + configFormatsArgs.add_argument("--cores", help="Specify the number of cores to use. Default is all available cores", default=-1, type=int) + configFormatsArgs.add_argument("--debug", help="Enable debug logging", action='store_true') + configFormatsArgs.add_argument("--imports", help="Display detailed module import errors", action='store_true') + configFormatsArgs.add_argument("--ondiskdb", "--on-disk-db", help="Use an on-disk database instead of an in-memory one (significantly slower). 
Use this option if your system has limited RAM or if your dataset is very large and cannot be split", action='store_true') + configFormatsArgs.add_argument("-RE", "--remove-events", help="Attempt to remove submitted events/logs if analysis is successful (use at your own risk)", action='store_true') configFormatsArgs.add_argument("-U", "--update-rules", help="Update rulesets located in the 'rules' directory", action='store_true') - configFormatsArgs.add_argument("-v", "--version", help="Show Zircolite version", action='store_true') - configFormatsArgs.add_argument("--timefield", help="Use this option to provide timestamp field name, default is 'SystemTime'", default="SystemTime", action="store_true") + configFormatsArgs.add_argument("-v", "--version", help="Display Zircolite version", action='store_true') + configFormatsArgs.add_argument("--timefield", help="Specify the timestamp field name. Default is 'SystemTime'", default="SystemTime", type=str) # Templating and Mini GUI options templatingFormatsArgs = parser.add_argument_group(f'{Fore.BLUE}TEMPLATING AND MINI GUI OPTIONS{Fore.RESET}') - templatingFormatsArgs.add_argument("--template", help="If a Jinja2 template is specified it will be used to generated output", type=str, action='append', nargs='+') - templatingFormatsArgs.add_argument("--templateOutput", help="If a Jinja2 template is specified it will be used to generate a crafted output", type=str, action='append', nargs='+') - templatingFormatsArgs.add_argument("--package", help="Create a ZircoGui/Mini Gui package", action='store_true') + templatingFormatsArgs.add_argument("--template", help="Specify a Jinja2 template to generate output", type=str, action='append', nargs='+') + templatingFormatsArgs.add_argument("--templateOutput", help="Specify the output file for the Jinja2 template", type=str, action='append', nargs='+') + templatingFormatsArgs.add_argument("--package", help="Create a ZircoGui/Mini GUI package", action='store_true') args = 
parser.parse_args() signal.signal(signal.SIGINT, signal_handler) @@ -1376,12 +1385,12 @@ def main(): sys.exit(0) # Show imports status - importsMessage, args, mustQuit = ImportErrorHandler(args) - if importsMessage != "": - logger.info(f"[+] Modules imports status: \n{importsMessage}") + imports_message, args, must_quit = import_error_handler(args) + if imports_message != "": + logger.info(f"[+] Modules imports status: \n{imports_message}") else: logger.info("[+] Modules imports status: OK") - if mustQuit: + if must_quit: sys.exit(1) # Update rulesets @@ -1397,12 +1406,6 @@ def main(): else: args.ruleset = ["rules/rules_windows_generic_pysigma.json"] - # Loading rulesets - logger.info("[+] Loading ruleset(s)") - rulesetsManager = ruleset_handler(args, args.pipeline_list) - if args.pipeline_list: - sys.exit(0) - # Check mandatory CLI options if not args.events: logger.error(f"{Fore.RED} [-] No events source path provided. Use '-e ', '--events '{Fore.RESET}"), sys.exit(2) 
@@ -1416,22 +1419,22 @@ def main(): events_after = time.strptime(args.after, '%Y-%m-%dT%H:%M:%S') events_before = time.strptime(args.before, '%Y-%m-%dT%H:%M:%S') except Exception: - quitOnError(f"{Fore.RED} [-] Wrong timestamp format. Please use 'AAAA-MM-DDTHH:MM:SS'") + quit_on_error(f"{Fore.RED} [-] Wrong timestamp format. Please use 'AAAA-MM-DDTHH:MM:SS'") # Check templates args - readyForTemplating = False + ready_for_templating = False if (args.template is not None): if args.csv: - quitOnError(f"{Fore.RED} [-] You cannot use templates in CSV mode{Fore.RESET}") + quit_on_error(f"{Fore.RED} [-] You cannot use templates in CSV mode{Fore.RESET}") if (args.templateOutput is None) or (len(args.template) != len(args.templateOutput)): - quitOnError(f"{Fore.RED} [-] Number of templates output must match number of templates{Fore.RESET}") + quit_on_error(f"{Fore.RED} [-] Number of templates output must match number of templates{Fore.RESET}") for template in args.template: - checkIfExists(template[0], f"{Fore.RED} [-] Cannot find template : {template[0]}. DEfault templates are available here : https://github.com/wagga40/Zircolite/tree/master/templates{Fore.RESET}") - readyForTemplating = True + check_if_exists(template[0], f"{Fore.RED} [-] Cannot find template : {template[0]}. Default templates are available here : https://github.com/wagga40/Zircolite/tree/master/templates{Fore.RESET}") + ready_for_templating = True # Change output filename in CSV mode if args.csv: - readyForTemplating = False + ready_for_templating = False # If outfile is not provided, default to 'detected_events.csv' instead of 'detected_events.json' if args.outfile == "detected_events.json": args.outfile = "detected_events.csv" 
@@ -1452,27 +1455,40 @@ def main(): else: args.fileext = "evtx" - LogPath = Path(args.events) - if LogPath.is_dir(): - # Log recursive search in given directory with given file extension or pattern - pattern = f"*.{args.fileext}" - # If a Glob pattern is provided - if args.file_pattern not in [None, ""]: - pattern = args.file_pattern - fnGlob = LogPath.rglob - # If directory recursion is not wanted - if args.no_recursion: - fnGlob = LogPath.glob - LogList = list(fnGlob(pattern)) - elif LogPath.is_file(): - LogList = [LogPath] + # Get list of log files to process: + # - If events path is a directory, get all matching files using glob/rglob based on recursion flag + # - If events path is a single file, use that file directly + # - Otherwise error out since no valid files found + log_path = Path(args.events) + pattern = args.file_pattern if args.file_pattern else f"*.{args.fileext}" + if log_path.is_dir(): + # Use glob or rglob based on recursion flag + glob_fn = log_path.glob if args.no_recursion else log_path.rglob + log_list = list(glob_fn(pattern)) + elif log_path.is_file(): + log_list = [log_path] else: - quitOnError(f"{Fore.RED} [-] Unable to find events from submitted path{Fore.RESET}") + quit_on_error(f"{Fore.RED} [-] Unable to find events from submitted path{Fore.RESET}") # Applying file filters in this order : "select" than "avoid" - FileList = avoidFiles(selectFiles(LogList, args.select), args.avoid) - if len(FileList) <= 0: - quitOnError(f"{Fore.RED} [-] No file found. Please verify filters, directory or the extension with '--fileext' or '--file-pattern'{Fore.RESET}") + file_list = avoid_files(select_files(log_list, args.select), args.avoid) + if len(file_list) <= 0: + quit_on_error(f"{Fore.RED} [-] No file found. 
Please verify filters, directory or the extension with '--fileext' or '--file-pattern'{Fore.RESET}") + + # If cores is not provided, calculate the number of cores to use + system_resources = calculate_system_resources(file_list) + logger.info(f"[+] File(s) size: {Fore.CYAN}{format_size(system_resources['total_size'])}{Fore.RESET} | Available RAM: {Fore.CYAN}{format_size(system_resources['machine_ram'])}{Fore.RESET}") + if args.cores == -1: + args.cores = system_resources["max_cores_to_use"] + logger.info(f"[+] CPU Cores / CPU Cores used: {Fore.CYAN}{system_resources['machine_cores']}{Fore.RESET} / {Fore.CYAN}{system_resources['machine_cores'] if args.cores > system_resources['machine_cores'] else args.cores}{Fore.RESET}") + else: + logger.info(f"[+] CPU Cores used (Forced): {Fore.CYAN}{system_resources['machine_cores']}{Fore.RESET} / {Fore.CYAN}{args.cores}{Fore.RESET}") + + # Loading rulesets + logger.info("[+] Loading ruleset(s)") + rulesets_manager = ruleset_handler(args, args.pipeline_list) + if args.pipeline_list: + sys.exit(0) args_dict = vars(args) # Find the chosen input format 
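Review bot: The forced-cores branch (the `else:` after `if args.cores == -1:`) accepts any integer from `--cores`, so `--cores 0` or a negative value other than -1 reaches `mp.Pool(processes=args.cores)` in the hunk at -1517/+1533 and fails there with a ValueError instead of a clear message, and a value above `machine_cores` is only clamped inside the log f-string of the auto branch, never in `args.cores` itself, so the reported and effective core counts can diverge. Validating once before the two `logger.info` calls fixes both: `if args.cores < 1: quit_on_error(f"{Fore.RED} [-] --cores must be a positive integer{Fore.RESET}")` followed by `args.cores = min(args.cores, system_resources["machine_cores"])`. Moving the ruleset loading down here (the block removed in the hunk at -1397/+1406) also means `--pipeline-list` now requires a valid `-e` path and runs the file search and `calculate_system_resources` before exiting, which looks like an unintended behaviour change; if it is intended, the flag's help text should say so. `calculate_system_resources` and `format_size` are defined outside this hunk, so whether `max_cores_to_use` is already bounded by `machine_cores` cannot be confirmed from here.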
@@ -1480,21 +1496,21 @@ def main(): if not args.json_input and not args.json_array_input: # Init EVTX extractor object - extractor = evtx_extractor(providedTmpDir=args.tmpdir, cores=args.cores, use_external_binaries=(not args.noexternal), binaries_path=args.evtx_dump, encoding=args.logs_encoding, input_format=chosen_input) - logger.info(f"[+] Extracting events using '{extractor.tmpDir}' directory ") - for evtx in tqdm(FileList, colour="yellow"): + extractor = evtx_extractor(provided_tmp_dir=args.tmpdir, cores=args.cores, use_external_binaries=(not args.noexternal), binaries_path=args.evtx_dump, encoding=args.logs_encoding, input_format=chosen_input) + logger.info(f"[+] Extracting events using '{extractor.tmp_dir}' directory ") + for evtx in tqdm(file_list, colour="yellow"): extractor.run(evtx) # Set the path for the next step - LogJSONList = list(Path(extractor.tmpDir).rglob("*.json")) + log_json_list = list(Path(extractor.tmp_dir).rglob("*.json")) else: - LogJSONList = FileList + log_json_list = file_list - checkIfExists(args.config, f"{Fore.RED} [-] Cannot find mapping file, you can get the default one here : https://github.com/wagga40/Zircolite/blob/master/config/fieldMappings.json {Fore.RESET}") - if LogJSONList == []: - quitOnError(f"{Fore.RED} [-] No files containing logs found.{Fore.RESET}") + check_if_exists(args.config, f"{Fore.RED} [-] Cannot find mapping file, you can get the default one here : https://github.com/wagga40/Zircolite/blob/master/config/fieldMappings.json {Fore.RESET}") + if log_json_list == []: + quit_on_error(f"{Fore.RED} [-] No files containing logs found.{Fore.RESET}") # TODO : Add option for already flattened event - logger.info(f"[+] Processing events and applying {Fore.CYAN}{len(rulesetsManager.Rulesets)}{Fore.RESET} rules") + logger.info(f"[+] Processing events and applying {Fore.CYAN}{len(rulesets_manager.rulesets)}{Fore.RESET} rules") # flatten array of "rulefilter" arguments if args.rulefilter: 
@@ -1517,26 +1533,24 @@ def main(): "delimiter": args.csv_delimiter, "keepflat": args.keepflat, "rulefilter": args.rulefilter, - "rulesets": rulesetsManager.Rulesets, + "rulesets": rulesets_manager.rulesets, "tmp_directory": tmp_directory, "tmp_directory_db": tmp_directory_db } params_map = [] - for file in LogJSONList: + for file in log_json_list: params_map.append((file, param_list)) all_full_results = [] all_rule_results = [] # Perform the JSON flattening and the detection process with multiprocessing - pool = mp.Pool(args.cores) - with tqdm(total=len(params_map), colour='yellow') as pbar: - for full_results, rule_results in pool.imap_unordered(runner_wrapper, params_map): - all_full_results.extend(full_results) - all_rule_results.extend(rule_results) - pbar.update() - pool.close() - pool.join() + with mp.Pool(processes=args.cores) as pool: + with tqdm(total=len(params_map), colour='yellow') as pbar: + for full_results, rule_results in pool.imap_unordered(runner_wrapper, params_map): + all_full_results.extend(full_results) + all_rule_results.extend(rule_results) + pbar.update() # Merge the rule results from all processes aggregated_rules = {} @@ -1606,7 +1620,7 @@ def main(): # writer.writerow(dictCSV) # Templating - if readyForTemplating and all_full_results != []: + if ready_for_templating and all_full_results != []: template_generator = template_engine(args.template, args.templateOutput, args.timefield) template_generator.run(all_full_results) @@ -1627,7 +1641,7 @@ def main(): # Remove files submitted for analysis if args.remove_events: - for logs in LogList: + for logs in log_list: try: os.remove(logs) except OSError as e:
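Review bot: `with mp.Pool(processes=args.cores) as pool:` replaces the explicit `pool.close()` / `pool.join()`, but `Pool.__exit__` calls `terminate()` rather than close-and-join; that is only safe because the `for` loop drains `imap_unordered` before the block exits, and it deserves a one-line comment on the `with` line such as `# Pool.__exit__ terminates workers; the loop below has already consumed every result`. The two nested `with` statements can also be merged into one, `with mp.Pool(processes=args.cores) as pool, tqdm(total=len(params_map), colour='yellow') as pbar:`, which drops an indentation level without changing behaviour. `main()` continues outside this hunk.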