Samirbous · October 22, 2022 15:16
diff --git a/atomic_endpoint_behavior_rules b/atomic_endpoint_behavior_rules
 "Top 1000 values of rule.name","Count of records"
 "Connection to WebService by a Signed Binary Proxy",342
 "Managed .NET Code Execution via PowerShell",79
 "Execution via a Suspicious WMI Client",57
 "Credential Access via Known Utilities",40
 "Regsvr32 Scriptlet Execution",39
 "Suspicious Bitsadmin Activity",34
 "Suspicious Windows Command Shell Execution",32
 "Script Execution via Microsoft HTML Application",28
 "Suspicious Execution via Windows Management Instrumentation",27
 "Execution via Renamed Signed Binary Proxy",26
 "Suspicious Scheduled Task Creation",21
 "Privilege Escalation via Named Pipe Impersonation",19
 "Binary Masquerading via Untrusted Path",15
 "Regsvr32 with Unusual Arguments",13
 "RunDLL32 with Unusual Arguments",13
 "Suspicious Execution via Compiled HTML File",10
 "Potential Masquerading as SVCHOST",9
 "Suspicious Windows Script Interpreter Child Process",8
 "Potential Privilege Escalation via Token Impersonation",7
 "Suspicious Parent-Child Relationship",6
 "UAC Bypass via ICMLuaUtil Elevated COM Interface",6
 "Command Shell Activity Started via RunDLL32",5
 "Security Account Manager (SAM) Registry Access",5
 "Startup Persistence via Windows Script Interpreter",5
 "Suspicious Windows Script Process Execution",5
 "UAC Bypass via FodHelper Execution Hijack",5
 "Execution from Unusual Directory",4
 "Indirect Command Execution via ForFiles",4
 "Ingress Tool Transfer via CURL",4
 "Potential Discovery of Windows Credential Manager Store",4
 "Suspicious Execution via MSIEXEC",4
 "Binary Proxy Execution via Rundll32",3
 "Indirect Command Execution via Console Window Host",3
 "Privilege Escalation via Windir or SystemRoot Environment Variable",3
 "UAC Bypass via ComputerDefaults Execution Hijack",3
 "UAC Bypass via DiskCleanup Scheduled Task Hijack",3
 "Unusual File Written or Modified in Startup Folder",3
 "Connection to Dynamic DNS Provider by an Unsigned Binary",2
 "MSBuild with Unusual Arguments",2
 "Managed .NET Code Execution via Windows Script Interpreter",2
 "Scriptlet Execution via Rundll32",2
 "Sensitive File Access - Unattended Panther",2
 "Suspicious ImageLoad via ODBC Driver Configuration Program",2
 "Suspicious WMIC XSL Script Execution",2
 "UAC Bypass via Control Panel Execution Hijack",2
 "Execution of Commonly Abused Utilities via Explorer Trampoline",1
 "Inhibit System Recovery via Windows Command Shell",1
 "Parent Process PID Spoofing",1
 "Potential Credential Access via Mimikatz",1
 "Potential Discovery of DPAPI Master Keys",1
 "Potential Privilege Escalation via Missing DLL",1
 "Remote File Execution via MSIEXEC",1
 "Scheduled Task Creation via Microsoft Office",1
 "Scriptlet Execution via CMSTP",1
 "Scriptlet Proxy Execution via PubPrn",1
	"Top 1000 values of rule.name","Count of records"
	"Connection to WebService by a Signed Binary Proxy",342
	"Managed .NET Code Execution via PowerShell",79
	"Execution via a Suspicious WMI Client",57
	"Credential Access via Known Utilities",40
	"Regsvr32 Scriptlet Execution",39
	"Suspicious Bitsadmin Activity",34
	"Suspicious Windows Command Shell Execution",32
	"Script Execution via Microsoft HTML Application",28
	"Suspicious Execution via Windows Management Instrumentation",27
	"Execution via Renamed Signed Binary Proxy",26
	"Suspicious Scheduled Task Creation",21
	"Privilege Escalation via Named Pipe Impersonation",19
	"Binary Masquerading via Untrusted Path",15
	"Regsvr32 with Unusual Arguments",13
	"RunDLL32 with Unusual Arguments",13
	"Suspicious Execution via Compiled HTML File",10
	"Potential Masquerading as SVCHOST",9
	"Suspicious Windows Script Interpreter Child Process",8
	"Potential Privilege Escalation via Token Impersonation",7
	"Suspicious Parent-Child Relationship",6
	"UAC Bypass via ICMLuaUtil Elevated COM Interface",6
	"Command Shell Activity Started via RunDLL32",5
	"Security Account Manager (SAM) Registry Access",5
	"Startup Persistence via Windows Script Interpreter",5
	"Suspicious Windows Script Process Execution",5
	"UAC Bypass via FodHelper Execution Hijack",5
	"Execution from Unusual Directory",4
	"Indirect Command Execution via ForFiles",4
	"Ingress Tool Transfer via CURL",4
	"Potential Discovery of Windows Credential Manager Store",4
	"Suspicious Execution via MSIEXEC",4
	"Binary Proxy Execution via Rundll32",3
	"Indirect Command Execution via Console Window Host",3
	"Privilege Escalation via Windir or SystemRoot Environment Variable",3
	"UAC Bypass via ComputerDefaults Execution Hijack",3
	"UAC Bypass via DiskCleanup Scheduled Task Hijack",3
	"Unusual File Written or Modified in Startup Folder",3
	"Connection to Dynamic DNS Provider by an Unsigned Binary",2
	"MSBuild with Unusual Arguments",2
	"Managed .NET Code Execution via Windows Script Interpreter",2
	"Scriptlet Execution via Rundll32",2
	"Sensitive File Access - Unattended Panther",2
	"Suspicious ImageLoad via ODBC Driver Configuration Program",2
	"Suspicious WMIC XSL Script Execution",2
	"UAC Bypass via Control Panel Execution Hijack",2
	"Execution of Commonly Abused Utilities via Explorer Trampoline",1
	"Inhibit System Recovery via Windows Command Shell",1
	"Parent Process PID Spoofing",1
	"Potential Credential Access via Mimikatz",1
	"Potential Discovery of DPAPI Master Keys",1
	"Potential Privilege Escalation via Missing DLL",1
	"Remote File Execution via MSIEXEC",1
	"Scheduled Task Creation via Microsoft Office",1
	"Scriptlet Execution via CMSTP",1
	"Scriptlet Proxy Execution via PubPrn",1
No results found