hisashiyamaguchi · January 29, 2025 04:07
diff --git a/Sigma detection rule list which is related with Persistence b/Sigma detection rule list which is related with Persistence
 macos/file_event/file_event_macos_susp_startup_item_created.yml:19:    category: file_event
 macos/file_event/file_event_macos_susp_startup_item_created.yml:20:    product: macos
 macos/file_event/file_event_macos_emond_launch_daemon.yml:16:    category: file_event
 macos/file_event/file_event_macos_emond_launch_daemon.yml:17:    product: macos
 macos/process_creation/proc_creation_macos_launchctl_execution.yml:20:    category: process_creation
 macos/process_creation/proc_creation_macos_launchctl_execution.yml:21:    product: macos
 macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml:15:    category: process_creation
 macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml:16:    product: macos
 macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml:18:    category: process_creation
 macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml:19:    product: macos
 macos/process_creation/proc_creation_macos_create_account.yml:15:    category: process_creation
 macos/process_creation/proc_creation_macos_create_account.yml:16:    product: macos
 macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml:12:    category: process_creation
 macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml:13:    product: macos
 macos/process_creation/proc_creation_macos_office_susp_child_processes.yml:18:    product: macos
 macos/process_creation/proc_creation_macos_office_susp_child_processes.yml:19:    category: process_creation
 category/antivirus/av_webshell.yml:26:    category: antivirus
 macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml:16:    category: process_creation
 macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml:17:    product: macos
 web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml:18:    category: proxy
 web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml:19:    category: proxy
 web/webserver_generic/web_webshell_regeorg.yml:15:    category: webserver
 web/webserver_generic/web_susp_windows_path_uri.yml:15:    category: webserver
 web/webserver_generic/web_win_webshells_in_access_logs.yml:15:    category: webserver
 network/huawei/bgp/huawei_bgp_auth_failed.yml:21:    product: huawei
 network/huawei/bgp/huawei_bgp_auth_failed.yml:22:    service: bgp
 network/cisco/aaa/cisco_cli_modify_config.yml:16:    product: cisco
 network/cisco/aaa/cisco_cli_modify_config.yml:17:    service: aaa
 network/cisco/aaa/cisco_cli_local_accounts.yml:13:    product: cisco
 network/cisco/aaa/cisco_cli_local_accounts.yml:14:    service: aaa
 network/cisco/ldp/cisco_ldp_md5_auth_failed.yml:20:    product: cisco
 network/cisco/ldp/cisco_ldp_md5_auth_failed.yml:21:    service: ldp
 network/cisco/bgp/cisco_bgp_md5_auth_failed.yml:21:    product: cisco
 network/cisco/bgp/cisco_bgp_md5_auth_failed.yml:22:    service: bgp
 network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml:14:    product: zeek
 network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml:15:    service: dce_rpc
 network/juniper/bgp/juniper_bgp_missing_md5.yml:21:    product: juniper
 network/juniper/bgp/juniper_bgp_missing_md5.yml:22:    service: bgp
 network/zeek/zeek_smb_converted_win_atsvc_task.yml:20:    product: zeek
 network/zeek/zeek_smb_converted_win_atsvc_task.yml:21:    service: smb_files
 linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml:16:    product: linux
 linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml:17:    category: file_event
 linux/file_event/file_event_lnx_persistence_sudoers_files.yml:14:    product: linux
 linux/file_event/file_event_lnx_persistence_sudoers_files.yml:15:    category: file_event
 linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml:15:    product: linux
 linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml:16:    category: file_event
 linux/file_event/file_event_lnx_persistence_cron_files.yml:14:    product: linux
 linux/file_event/file_event_lnx_persistence_cron_files.yml:15:    category: file_event
 linux/auditd/lnx_auditd_systemd_service_creation.yml:14:    product: linux
 linux/auditd/lnx_auditd_systemd_service_creation.yml:15:    service: auditd
 linux/auditd/lnx_auditd_pers_systemd_reload.yml:14:    product: linux
 linux/auditd/lnx_auditd_pers_systemd_reload.yml:15:    service: auditd
 linux/auditd/lnx_auditd_load_module_insmod.yml:20:    product: linux
 linux/auditd/lnx_auditd_load_module_insmod.yml:21:    service: auditd
 linux/auditd/lnx_auditd_create_account.yml:16:    product: linux
 linux/auditd/lnx_auditd_create_account.yml:17:    service: auditd
 linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml:19:    product: linux
 linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml:20:    service: auditd
 linux/auditd/lnx_auditd_web_rce.yml:14:    product: linux
 linux/auditd/lnx_auditd_web_rce.yml:15:    service: auditd
 linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml:16:    category: process_creation
 linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml:17:    product: linux
 linux/process_creation/proc_creation_lnx_at_command.yml:16:    product: linux
 linux/process_creation/proc_creation_lnx_at_command.yml:17:    category: process_creation
 linux/process_creation/proc_creation_lnx_webshell_detection.yml:15:    product: linux
 linux/process_creation/proc_creation_lnx_webshell_detection.yml:16:    category: process_creation
 linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml:16:    category: process_creation
 linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml:17:    product: linux
 linux/process_creation/proc_creation_lnx_setgid_setuid.yml:15:    product: linux
 linux/process_creation/proc_creation_lnx_setgid_setuid.yml:16:    category: process_creation
 linux/process_creation/proc_creation_lnx_usermod_susp_group.yml:14:    product: linux
 linux/process_creation/proc_creation_lnx_usermod_susp_group.yml:15:    category: process_creation
 linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml:13:    category: process_creation
 linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml:14:    product: linux
 linux/builtin/lnx_shellshock.yml:14:    product: linux
 linux/builtin/lnx_privileged_user_creation.yml:17:    product: linux
 linux/builtin/lnx_ldso_preload_injection.yml:15:    product: linux
 linux/builtin/cron/lnx_cron_crontab_file_modification.yml:13:    product: linux
 linux/builtin/cron/lnx_cron_crontab_file_modification.yml:14:    service: cron
 linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml:22:    category: network_connection
 linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml:23:    product: linux
 linux/builtin/lnx_potential_susp_ebpf_activity.yml:14:    product: linux
 cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml:17:    product: azure
 cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml:18:    service: riskdetection
 cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml:18:    product: azure
 cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml:19:    service: riskdetection
 cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml:17:    product: azure
 cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml:18:    service: riskdetection
 cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml:17:    product: azure
 cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml:18:    service: riskdetection
 cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml:17:    product: azure
 cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml:18:    service: riskdetection
 cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml:17:    product: azure
 cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml:18:    service: riskdetection
 cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml:14:    product: azure
 cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml:15:    service: riskdetection
 cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml:14:    product: azure
 cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml:15:    service: pim
 cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml:14:    product: azure
 cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml:15:    service: pim
 cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml:14:    product: azure
 cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml:15:    service: pim
 cloud/azure/audit_logs/azure_user_password_change.yml:14:    product: azure
 cloud/azure/audit_logs/azure_user_password_change.yml:15:    service: auditlogs
 cloud/azure/audit_logs/azure_user_password_change.yml:18:        Category: 'UserManagement'
 cloud/azure/audit_logs/azure_pim_change_settings.yml:14:    product: azure
 cloud/azure/audit_logs/azure_pim_change_settings.yml:15:    service: auditlogs
 cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml:14:    product: azure
 cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml:15:    service: pim
 cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml:16:    product: azure
 cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml:17:    service: auditlogs
 cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml:17:    product: azure
 cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml:18:    service: riskdetection
 cloud/azure/privileged_identity_management/azure_pim_account_stale.yml:14:    product: azure
 cloud/azure/privileged_identity_management/azure_pim_account_stale.yml:15:    service: pim
 cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml:14:    product: azure
 cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml:15:    service: pim
 cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml:14:    product: azure
 cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml:15:    service: pim
 cloud/azure/audit_logs/azure_privileged_account_creation.yml:15:    product: azure
 cloud/azure/audit_logs/azure_privileged_account_creation.yml:16:    service: auditlogs
 cloud/azure/audit_logs/azure_tap_added.yml:13:    product: azure
 cloud/azure/audit_logs/azure_tap_added.yml:14:    service: auditlogs
 cloud/azure/audit_logs/azure_user_account_mfa_disable.yml:15:    product: azure
 cloud/azure/audit_logs/azure_user_account_mfa_disable.yml:16:    service: auditlogs
 cloud/azure/audit_logs/azure_user_account_mfa_disable.yml:20:        LoggedByService: 'Core Directory'
 cloud/azure/audit_logs/azure_user_account_mfa_disable.yml:21:        Category: 'UserManagement'
 cloud/azure/audit_logs/azure_app_credential_added.yml:13:    product: azure
 cloud/azure/audit_logs/azure_app_credential_added.yml:14:    service: auditlogs
 cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml:13:    product: azure
 cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml:14:    service: auditlogs
 cloud/azure/audit_logs/azure_change_to_authentication_method.yml:17:    product: azure
 cloud/azure/audit_logs/azure_change_to_authentication_method.yml:18:    service: auditlogs
 cloud/azure/audit_logs/azure_change_to_authentication_method.yml:21:        LoggedByService: 'Authentication Methods'
 cloud/azure/audit_logs/azure_change_to_authentication_method.yml:22:        Category: 'UserManagement'
 cloud/azure/audit_logs/azure_app_uri_modifications.yml:18:    product: azure
 cloud/azure/audit_logs/azure_app_uri_modifications.yml:19:    service: auditlogs
 cloud/azure/audit_logs/azure_app_appid_uri_changes.yml:16:    product: azure
 cloud/azure/audit_logs/azure_app_appid_uri_changes.yml:17:    service: auditlogs
 cloud/azure/audit_logs/azure_app_privileged_permissions.yml:18:    product: azure
 cloud/azure/audit_logs/azure_app_privileged_permissions.yml:19:    service: auditlogs
 cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml:15:    product: azure
 cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml:16:    service: auditlogs
 cloud/azure/audit_logs/azure_guest_invite_failure.yml:14:    product: azure
 cloud/azure/audit_logs/azure_guest_invite_failure.yml:15:    service: auditlogs
 cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml:15:    product: azure
 cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml:16:    service: auditlogs
 cloud/azure/audit_logs/azure_app_role_added.yml:15:    product: azure
 cloud/azure/audit_logs/azure_app_role_added.yml:16:    service: auditlogs
 cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml:15:    product: azure
 cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml:16:    service: auditlogs
 cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml:15:    product: azure
 cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml:16:    service: auditlogs
 cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml:19:        LoggedByService: 'AAD Management UX'
 cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml:20:        Category: 'Policy'
 cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml:15:    product: azure
 cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml:16:    service: auditlogs
 cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml:15:    product: azure
 cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml:16:    service: auditlogs
 cloud/azure/audit_logs/azure_pim_alerts_disabled.yml:14:    product: azure
 cloud/azure/audit_logs/azure_pim_alerts_disabled.yml:15:    service: auditlogs
 cloud/azure/signin_logs/azure_app_device_code_authentication.yml:19:    product: azure
 cloud/azure/signin_logs/azure_app_device_code_authentication.yml:20:    service: signinlogs
 cloud/azure/signin_logs/azure_app_ropc_authentication.yml:18:    product: azure
 cloud/azure/signin_logs/azure_app_ropc_authentication.yml:19:    service: signinlogs
 cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml:14:    product: azure
 cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml:15:    service: activitylogs
 cloud/azure/activity_logs/azure_kubernetes_cronjob.yml:22:    product: azure
 cloud/azure/activity_logs/azure_kubernetes_cronjob.yml:23:    service: activitylogs
 cloud/azure/activity_logs/azure_mfa_disabled.yml:13:    product: azure
 cloud/azure/activity_logs/azure_mfa_disabled.yml:14:    service: activitylogs
 cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml:16:    product: azure
 cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml:17:    service: activitylogs
 cloud/azure/activity_logs/azure_granting_permission_detection.yml:14:    product: azure
 cloud/azure/activity_logs/azure_granting_permission_detection.yml:15:    service: activitylogs
 cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml:24:    product: azure
 cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml:25:    service: activitylogs
 cloud/gcp/audit/gcp_kubernetes_admission_controller.yml:23:    product: gcp
 cloud/gcp/audit/gcp_kubernetes_admission_controller.yml:24:    service: gcp.audit
 cloud/gcp/audit/gcp_access_policy_deleted.yml:18:    product: gcp
 cloud/gcp/audit/gcp_access_policy_deleted.yml:19:    service: gcp.audit
 cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml:15:    product: gcp
 cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml:16:    service: google_workspace.admin
 cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml:19:        eventService: admin.googleapis.com
 cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml:18:    product: gcp
 cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml:19:    service: google_workspace.admin
 cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml:22:        eventService: 'admin.googleapis.com'
 cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml:15:    product: gcp
 cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml:16:    service: google_workspace.admin
 cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml:19:        eventService: admin.googleapis.com
 cloud/gcp/audit/gcp_kubernetes_cronjob.yml:20:    product: gcp
 cloud/gcp/audit/gcp_kubernetes_cronjob.yml:21:    service: gcp.audit
 cloud/github/github_new_secret_created.yml:16:    product: github
 cloud/github/github_new_secret_created.yml:17:    service: audit
 cloud/github/github_outside_collaborator_detected.yml:18:    product: github
 cloud/github/github_outside_collaborator_detected.yml:19:    service: audit
 cloud/github/github_disable_high_risk_configuration.yml:19:    product: github
 cloud/github/github_disable_high_risk_configuration.yml:20:    service: audit
 cloud/github/github_repo_or_org_transferred.yml:17:    product: github
 cloud/github/github_repo_or_org_transferred.yml:18:    service: audit
 cloud/github/github_fork_private_repos_enabled_or_cleared.yml:15:    product: github
 cloud/github/github_fork_private_repos_enabled_or_cleared.yml:16:    service: audit
 cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml:20:    service: exchange
 cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml:21:    product: m365
 cloud/github/github_new_org_member.yml:13:    product: github
 cloud/github/github_new_org_member.yml:14:    service: audit
 cloud/github/github_ssh_certificate_config_changed.yml:15:    product: github
 cloud/github/github_ssh_certificate_config_changed.yml:16:    service: audit
 cloud/github/github_self_hosted_runner_changes_detected.yml:25:    product: github
 cloud/github/github_self_hosted_runner_changes_detected.yml:26:    service: audit
 cloud/m365/audit/microsoft365_disabling_mfa.yml:13:    service: audit
 cloud/m365/audit/microsoft365_disabling_mfa.yml:14:    product: m365
 cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml:17:    service: audit
 cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml:18:    product: m365
 cloud/okta/okta_admin_role_assigned_to_user_or_group.yml:15:    product: okta
 cloud/okta/okta_admin_role_assigned_to_user_or_group.yml:16:    service: okta
 cloud/okta/okta_mfa_reset_or_deactivated.yml:17:    product: okta
 cloud/okta/okta_mfa_reset_or_deactivated.yml:18:    service: okta
 cloud/okta/okta_api_token_created.yml:14:    product: okta
 cloud/okta/okta_api_token_created.yml:15:    service: okta
 cloud/okta/okta_identity_provider_created.yml:14:    product: okta
 cloud/okta/okta_identity_provider_created.yml:15:    service: okta
 cloud/okta/okta_admin_role_assignment_created.yml:13:    product: okta
 cloud/okta/okta_admin_role_assignment_created.yml:14:    service: okta
 cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml:16:    product: aws
 cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml:17:    service: cloudtrail
 cloud/aws/cloudtrail/aws_sso_idp_change.yml:17:    product: aws
 cloud/aws/cloudtrail/aws_sso_idp_change.yml:18:    service: cloudtrail
 cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml:15:    product: aws
 cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml:16:    service: cloudtrail
 cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml:15:    product: aws
 cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml:16:    service: cloudtrail
 cloud/aws/cloudtrail/aws_update_login_profile.yml:16:    product: aws
 cloud/aws/cloudtrail/aws_update_login_profile.yml:17:    service: cloudtrail
 cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml:16:    product: aws
 cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml:17:    service: cloudtrail
 cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml:17:    product: aws
 cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml:18:    service: cloudtrail
 cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml:18:    product: aws
 cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml:19:    service: cloudtrail
 cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml:17:    product: aws
 cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml:18:    service: cloudtrail
 cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml:15:    product: bitbucket
 cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml:16:    service: audit
 cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml:20:        auditType.category: 'Permissions'
 cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml:15:    product: aws
 cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml:16:    service: cloudtrail
 cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml:15:    product: aws
 cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml:16:    service: cloudtrail
 application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml:21:    product: kubernetes
 application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml:22:    service: audit
 application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml:21:    product: kubernetes
 application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml:22:    service: audit
 application/opencanary/opencanary_ssh_login_attempt.yml:18:    category: application
 application/opencanary/opencanary_ssh_login_attempt.yml:19:    product: opencanary
 application/opencanary/opencanary_ssh_new_connection.yml:18:    category: application
 application/opencanary/opencanary_ssh_new_connection.yml:19:    product: opencanary
 windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml:18:    category: file_event
 windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml:19:    product: windows
 windows/file/file_event/file_event_win_errorhandler_persistence.yml:16:    category: file_event
 windows/file/file_event/file_event_win_errorhandler_persistence.yml:17:    product: windows
 windows/file/file_event/file_event_win_susp_task_write.yml:15:    product: windows
 windows/file/file_event/file_event_win_susp_task_write.yml:16:    category: file_event
 windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml:14:    product: windows
 windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml:15:    category: file_event
 windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml:21:    category: file_event
 windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml:22:    product: windows
 windows/file/file_event/file_event_win_ripzip_attack.yml:17:    category: file_event
 windows/file/file_event/file_event_win_ripzip_attack.yml:18:    product: windows
 windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml:15:    product: windows
 windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml:16:    category: file_event
 windows/file/file_event/file_event_win_webshell_creation_detect.yml:15:    product: windows
 windows/file/file_event/file_event_win_webshell_creation_detect.yml:16:    category: file_event
 windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml:14:    product: windows
 windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml:15:    category: file_event
 windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml:13:    product: windows
 windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml:14:    category: file_event
 windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml:17:    product: windows
 windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml:18:    category: file_event
 windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml:19:    category: file_event
 windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml:20:    product: windows
 windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml:13:    product: windows
 windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml:14:    category: file_event
 windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml:14:    product: windows
 windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml:15:    category: file_event
 windows/file/file_event/file_event_win_creation_unquoted_service_path.yml:15:    product: windows
 windows/file/file_event/file_event_win_creation_unquoted_service_path.yml:16:    category: file_event
 windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml:17:    category: file_event
 windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml:18:    product: windows
 windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml:16:    category: file_event
 windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml:17:    product: windows
 windows/file/file_event/file_event_win_creation_new_shim_database.yml:19:    product: windows
 windows/file/file_event/file_event_win_creation_new_shim_database.yml:20:    category: file_event
 windows/file/file_event/file_event_win_office_addin_persistence.yml:16:    category: file_event
 windows/file/file_event/file_event_win_office_addin_persistence.yml:17:    product: windows
 windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml:14:    category: file_event
 windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml:15:    product: windows
 windows/file/file_event/file_event_win_powershell_drop_powershell.yml:12:    product: windows
 windows/file/file_event/file_event_win_powershell_drop_powershell.yml:13:    category: file_event
 windows/file/file_event/file_event_win_office_startup_persistence.yml:15:    category: file_event
 windows/file/file_event/file_event_win_office_startup_persistence.yml:16:    product: windows
 windows/file/file_event/file_event_win_exchange_webshell_drop.yml:18:    product: windows
 windows/file/file_event/file_event_win_exchange_webshell_drop.yml:19:    category: file_event
 windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml:18:    product: windows
 windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml:19:    category: file_event
 windows/file/file_event/file_event_win_startup_folder_file_write.yml:18:    product: windows
 windows/file/file_event/file_event_win_startup_folder_file_write.yml:19:    category: file_event
 windows/file/file_event/file_event_win_create_non_existent_dlls.yml:27:    product: windows
 windows/file/file_event/file_event_win_create_non_existent_dlls.yml:28:    category: file_event
 windows/file/file_event/file_event_win_wpbbin_persistence.yml:15:    product: windows
 windows/file/file_event/file_event_win_wpbbin_persistence.yml:16:    category: file_event
 windows/file/file_event/file_event_win_powershell_module_susp_creation.yml:13:    category: file_event
 windows/file/file_event/file_event_win_powershell_module_susp_creation.yml:14:    product: windows
 windows/file/file_event/file_event_win_werfault_dll_hijacking.yml:15:    product: windows
 windows/file/file_event/file_event_win_werfault_dll_hijacking.yml:16:    category: file_event
 windows/file/file_event/file_event_win_susp_get_variable.yml:19:    product: windows
 windows/file/file_event/file_event_win_susp_get_variable.yml:20:    category: file_event
 windows/file/file_event/file_event_win_office_outlook_macro_creation.yml:20:    category: file_event
 windows/file/file_event/file_event_win_office_outlook_macro_creation.yml:21:    product: windows
 windows/file/file_event/file_event_win_susp_powershell_profile.yml:16:    product: windows
 windows/file/file_event/file_event_win_susp_powershell_profile.yml:17:    category: file_event
 windows/file/file_event/file_event_win_powershell_module_creation.yml:13:    category: file_event
 windows/file/file_event/file_event_win_powershell_module_creation.yml:14:    product: windows
 windows/file/file_event/file_event_win_susp_desktop_ini.yml:14:    product: windows
 windows/file/file_event/file_event_win_susp_desktop_ini.yml:15:    category: file_event
 windows/file/file_event/file_event_win_dll_sideloading_space_path.yml:18:    category: file_event
 windows/file/file_event/file_event_win_dll_sideloading_space_path.yml:19:    product: windows
 windows/file/file_event/file_event_win_msdt_susp_directories.yml:16:    category: file_event
 windows/file/file_event/file_event_win_msdt_susp_directories.yml:17:    product: windows
 windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml:19:    product: windows
 windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml:20:    category: file_event
 windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml:20:    product: windows
 windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml:21:    category: file_event
 windows/file/file_event/file_event_win_creation_scr_binary_file.yml:16:    product: windows
 windows/file/file_event/file_event_win_creation_scr_binary_file.yml:17:    category: file_event
 windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml:19:    product: windows
 windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml:20:    category: file_event
 windows/file/file_event/file_event_win_office_outlook_newform.yml:17:    product: windows
 windows/file/file_event/file_event_win_office_outlook_newform.yml:18:    category: file_event
 windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml:21:    category: file_event
 windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml:22:    product: windows
 windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml:18:    category: file_delete
 windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml:19:    product: windows
 windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml:16:    product: windows
 windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml:17:    category: wmi_event
 windows/wmi_event/sysmon_wmi_event_subscription.yml:16:    product: windows
 windows/wmi_event/sysmon_wmi_event_subscription.yml:17:    category: wmi_event
 windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml:19:    product: windows
 windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml:20:    category: ps_script
 windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml:27:    selection_set_service:
 windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml:15:    product: windows
 windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml:16:    category: ps_script
 windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml:19:    product: windows
 windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml:20:    category: ps_script
 windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml:18:    product: windows
 windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml:19:    category: ps_script
 windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml:14:    product: windows
 windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml:15:    category: ps_script
 windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml:17:    product: windows
 windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml:18:    category: ps_script
 windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml:14:    product: windows
 windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml:15:    category: ps_script
 windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml:15:    product: windows
 windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml:16:    category: ps_script
 windows/powershell/powershell_script/posh_ps_localuser.yml:16:    product: windows
 windows/powershell/powershell_script/posh_ps_localuser.yml:17:    category: ps_script
 windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml:15:    product: windows
 windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml:16:    category: ps_script
 windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml:16:    product: windows
 windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml:17:    category: ps_script
 windows/powershell/powershell_script/posh_ps_cor_profiler.yml:18:    product: windows
 windows/powershell/powershell_script/posh_ps_cor_profiler.yml:19:    category: ps_script
 windows/powershell/powershell_script/posh_ps_create_local_user.yml:16:    product: windows
 windows/powershell/powershell_script/posh_ps_create_local_user.yml:17:    category: ps_script
 windows/powershell/powershell_script/posh_ps_get_acl_service.yml:18:    product: windows
 windows/powershell/powershell_script/posh_ps_get_acl_service.yml:19:    category: ps_script
 windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml:14:    product: windows
 windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml:15:    category: ps_script
 windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml:18:    category: image_load
 windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml:19:    product: windows
 windows/image_load/image_load_side_load_wazuh.yml:17:    category: image_load
 windows/image_load/image_load_side_load_wazuh.yml:18:    product: windows
 windows/image_load/image_load_side_load_comctl32.yml:18:    category: image_load
 windows/image_load/image_load_side_load_comctl32.yml:19:    product: windows
 windows/image_load/image_load_side_load_non_existent_dlls.yml:29:    category: image_load
 windows/image_load/image_load_side_load_non_existent_dlls.yml:30:    product: windows
 windows/image_load/image_load_side_load_7za.yml:16:    category: image_load
 windows/image_load/image_load_side_load_7za.yml:17:    product: windows
 windows/image_load/image_load_side_load_ualapi.yml:16:    category: image_load
 windows/image_load/image_load_side_load_ualapi.yml:17:    product: windows
 windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml:13:    category: image_load
 windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml:14:    product: windows
 windows/image_load/image_load_side_load_ccleaner_reactivator.yml:16:    category: image_load
 windows/image_load/image_load_side_load_ccleaner_reactivator.yml:17:    product: windows
 windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml:16:    category: image_load
 windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml:17:    product: windows
 windows/image_load/image_load_side_load_gup_libcurl.yml:16:    category: image_load
 windows/image_load/image_load_side_load_gup_libcurl.yml:17:    product: windows
 windows/image_load/image_load_side_load_libvlc.yml:17:    category: image_load
 windows/image_load/image_load_side_load_libvlc.yml:18:    product: windows
 windows/image_load/image_load_side_load_dbghelp.yml:17:    category: image_load
 windows/image_load/image_load_side_load_dbghelp.yml:18:    product: windows
 windows/image_load/image_load_side_load_classicexplorer32.yml:17:    category: image_load
 windows/image_load/image_load_side_load_classicexplorer32.yml:18:    product: windows
 windows/image_load/image_load_uac_bypass_via_dism.yml:17:    category: image_load
 windows/image_load/image_load_uac_bypass_via_dism.yml:18:    product: windows
 windows/image_load/image_load_side_load_antivirus.yml:17:    category: image_load
 windows/image_load/image_load_side_load_antivirus.yml:18:    product: windows
 windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml:20:    category: image_load
 windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml:21:    product: windows
 windows/image_load/image_load_side_load_from_non_system_location.yml:21:    category: image_load
 windows/image_load/image_load_side_load_from_non_system_location.yml:22:    product: windows
 windows/image_load/image_load_side_load_vmguestlib.yml:16:    category: image_load
 windows/image_load/image_load_side_load_vmguestlib.yml:17:    product: windows
 windows/image_load/image_load_spoolsv_dll_load.yml:19:    category: image_load
 windows/image_load/image_load_spoolsv_dll_load.yml:20:    product: windows
 windows/image_load/image_load_side_load_ccleaner_du.yml:16:    category: image_load
 windows/image_load/image_load_side_load_ccleaner_du.yml:17:    product: windows
 windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml:14:    category: image_load
 windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml:15:    product: windows
 windows/image_load/image_load_side_load_office_dlls.yml:17:    category: image_load
 windows/image_load/image_load_side_load_office_dlls.yml:18:    product: windows
 windows/image_load/image_load_side_load_jsschhlp.yml:17:    category: image_load
 windows/image_load/image_load_side_load_jsschhlp.yml:18:    product: windows
 windows/image_load/image_load_side_load_third_party.yml:16:    category: image_load
 windows/image_load/image_load_side_load_third_party.yml:17:    product: windows
 windows/image_load/image_load_side_load_chrome_frame_helper.yml:17:    category: image_load
 windows/image_load/image_load_side_load_chrome_frame_helper.yml:18:    product: windows
 windows/image_load/image_load_side_load_dbgcore.yml:17:    category: image_load
 windows/image_load/image_load_side_load_dbgcore.yml:18:    product: windows
 windows/image_load/image_load_side_load_shell_chrome_api.yml:22:    category: image_load
 windows/image_load/image_load_side_load_shell_chrome_api.yml:23:    product: windows
 windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml:19:    category: image_load
 windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml:20:    product: windows
 windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml:17:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml:18:    product: windows
 windows/registry/registry_set/registry_set_persistence_appx_debugger.yml:15:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_appx_debugger.yml:16:    product: windows
 windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml:16:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml:17:    product: windows
 windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml:15:    category: registry_set
 windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml:16:    product: windows
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml:20:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml:21:    product: windows
 windows/registry/registry_set/registry_set_suspicious_env_variables.yml:14:    product: windows
 windows/registry/registry_set/registry_set_suspicious_env_variables.yml:15:    category: registry_set
 windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml:14:    product: windows
 windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml:15:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml:19:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml:20:    product: windows
 windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml:23:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml:24:    product: windows
 windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml:16:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml:17:    product: windows
 windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml:20:    product: windows
 windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml:21:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml:19:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml:20:    product: windows
 windows/registry/registry_set/registry_set_treatas_persistence.yml:15:    category: registry_set
 windows/registry/registry_set/registry_set_treatas_persistence.yml:16:    product: windows
 windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml:20:    category: registry_set
 windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml:21:    product: windows
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml:20:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml:21:    product: windows
 windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml:20:    category: registry_set
 windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml:21:    product: windows
 windows/registry/registry_set/registry_set_persistence_mycomputer.yml:13:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_mycomputer.yml:14:    product: windows
 windows/registry/registry_set/registry_set_persistence_xll.yml:15:    product: windows
 windows/registry/registry_set/registry_set_persistence_xll.yml:16:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml:19:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml:20:    product: windows
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml:19:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml:20:    product: windows
 windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml:12:    category: registry_set
 windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml:13:    product: windows
 windows/registry/registry_set/registry_set_terminal_server_suspicious.yml:26:    category: registry_set
 windows/registry/registry_set/registry_set_terminal_server_suspicious.yml:27:    product: windows
 windows/registry/registry_set/registry_set_change_rdp_port.yml:17:    category: registry_set
 windows/registry/registry_set/registry_set_change_rdp_port.yml:18:    product: windows
 windows/registry/registry_set/registry_set_office_outlook_security_settings.yml:18:    category: registry_set
 windows/registry/registry_set/registry_set_office_outlook_security_settings.yml:19:    product: windows
 windows/registry/registry_set/registry_set_persistence_shim_database.yml:18:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_shim_database.yml:19:    product: windows
 windows/registry/registry_set/registry_set_persistence_office_vsto.yml:15:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_office_vsto.yml:16:    product: windows
 windows/registry/registry_set/registry_set_winlogon_notify_key.yml:16:    category: registry_set
 windows/registry/registry_set/registry_set_winlogon_notify_key.yml:17:    product: windows
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml:19:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml:20:    product: windows
 windows/registry/registry_set/registry_set_servicedll_hijack.yml:18:    category: registry_set
 windows/registry/registry_set/registry_set_servicedll_hijack.yml:19:    product: windows
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml:19:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml:20:    product: windows
 windows/registry/registry_set/registry_set_persistence_globalflags.yml:21:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_globalflags.yml:22:    product: windows
 windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml:14:    category: registry_set
 windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml:15:    product: windows
 windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml:14:    category: registry_set
 windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml:15:    product: windows
 windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml:20:    category: registry_set
 windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml:21:    product: windows
 windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml:19:    category: registry_set
 windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml:20:    product: windows
 windows/registry/registry_set/registry_set_timeproviders_dllname.yml:18:    category: registry_set
 windows/registry/registry_set/registry_set_timeproviders_dllname.yml:19:    product: windows
 windows/registry/registry_set/registry_set_persistence_typed_paths.yml:14:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_typed_paths.yml:15:    product: windows
 windows/registry/registry_set/registry_set_chrome_extension.yml:14:    category: registry_set
 windows/registry/registry_set/registry_set_chrome_extension.yml:15:    product: windows
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml:20:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml:21:    product: windows
 windows/registry/registry_set/registry_set_hidden_extention.yml:16:    category: registry_set
 windows/registry/registry_set/registry_set_hidden_extention.yml:17:    product: windows
 windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml:14:    category: registry_set
 windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml:15:    product: windows
 windows/registry/registry_set/registry_set_persistence_autodial_dll.yml:14:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_autodial_dll.yml:15:    product: windows
 windows/registry/registry_set/registry_set_dsrm_tampering.yml:24:    category: registry_set
 windows/registry/registry_set/registry_set_dsrm_tampering.yml:25:    product: windows
 windows/registry/registry_set/registry_set_persistence_natural_language.yml:14:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_natural_language.yml:15:    product: windows
 windows/registry/registry_set/registry_set_terminal_server_tampering.yml:33:    category: registry_set
 windows/registry/registry_set/registry_set_terminal_server_tampering.yml:34:    product: windows
 windows/registry/registry_set/registry_set_vbs_payload_stored.yml:14:    category: registry_set
 windows/registry/registry_set/registry_set_vbs_payload_stored.yml:15:    product: windows
 windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml:14:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml:15:    product: windows
 windows/registry/registry_set/registry_set_susp_user_shell_folders.yml:15:    product: windows
 windows/registry/registry_set/registry_set_susp_user_shell_folders.yml:16:    category: registry_set
 windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml:15:    product: windows
 windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml:16:    category: registry_set
 windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml:18:    category: registry_set
 windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml:19:    product: windows
 windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml:21:    product: windows
 windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml:22:    category: registry_set
 windows/registry/registry_set/registry_set_add_port_monitor.yml:16:    category: registry_set
 windows/registry/registry_set/registry_set_add_port_monitor.yml:17:    product: windows
 windows/registry/registry_set/registry_set_persistence_app_paths.yml:19:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_app_paths.yml:20:    product: windows
 windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml:14:    category: registry_set
 windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml:15:    product: windows
 windows/registry/registry_set/registry_set_powershell_in_run_keys.yml:15:    category: registry_set
 windows/registry/registry_set/registry_set_powershell_in_run_keys.yml:16:    product: windows
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml:20:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml:21:    product: windows
 windows/registry/registry_set/registry_set_persistence_chm.yml:14:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_chm.yml:15:    product: windows
 windows/registry/registry_set/registry_set_persistence_lsa_extension.yml:16:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_lsa_extension.yml:17:    product: windows
 windows/registry/registry_set/registry_set_hhctrl_persistence.yml:14:    category: registry_set
 windows/registry/registry_set/registry_set_hhctrl_persistence.yml:15:    product: windows
 windows/registry/registry_set/registry_set_taskcache_entry.yml:16:    category: registry_set
 windows/registry/registry_set/registry_set_taskcache_entry.yml:17:    product: windows
 windows/registry/registry_set/registry_set_odbc_driver_registered.yml:13:    category: registry_set
 windows/registry/registry_set/registry_set_odbc_driver_registered.yml:14:    product: windows
 windows/registry/registry_set/registry_set_aedebug_persistence.yml:14:    category: registry_set
 windows/registry/registry_set/registry_set_aedebug_persistence.yml:15:    product: windows
 windows/registry/registry_set/registry_set_persistence_ifilter.yml:18:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_ifilter.yml:19:    product: windows
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml:19:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml:20:    product: windows
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml:19:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml:20:    product: windows
 windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml:15:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml:16:    product: windows
 windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml:18:    category: registry_set
 windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml:19:    product: windows
 windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml:18:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml:19:    product: windows
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml:19:    category: registry_set
 windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml:20:    product: windows
 windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml:18:    category: registry_set
 windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml:19:    product: windows
 windows/registry/registry_set/registry_set_telemetry_persistence.yml:21:    category: registry_set
 windows/registry/registry_set/registry_set_telemetry_persistence.yml:22:    product: windows
 windows/registry/registry_set/registry_set_sip_persistence.yml:17:    category: registry_set
 windows/registry/registry_set/registry_set_sip_persistence.yml:18:    product: windows
 windows/registry/registry_set/registry_set_change_security_zones.yml:18:    category: registry_set
 windows/registry/registry_set/registry_set_change_security_zones.yml:19:    product: windows
 windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml:15:    category: registry_set
 windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml:16:    product: windows
 windows/registry/registry_set/registry_set_persistence_mpnotify.yml:14:    category: registry_set
 windows/registry/registry_set/registry_set_persistence_mpnotify.yml:15:    product: windows
 windows/registry/registry_add/registry_add_persistence_com_key_linking.yml:14:    category: registry_add
 windows/registry/registry_add/registry_add_persistence_com_key_linking.yml:15:    product: windows
 windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml:20:    product: windows
 windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml:21:    category: registry_add
 windows/registry/registry_add/registry_add_persistence_amsi_providers.yml:14:    category: registry_add
 windows/registry/registry_add/registry_add_persistence_amsi_providers.yml:15:    product: windows
 windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml:15:    category: registry_add
 windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml:16:    product: windows
 windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml:14:    category: registry_event
 windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml:15:    product: windows
 windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml:17:    category: registry_event
 windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml:18:    product: windows
 windows/registry/registry_event/registry_event_runkey_winekey.yml:14:    category: registry_event
 windows/registry/registry_event/registry_event_runkey_winekey.yml:15:    product: windows
 windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml:14:    category: registry_event
 windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml:15:    product: windows
 windows/registry/registry_event/registry_event_office_test_regadd.yml:14:    category: registry_event
 windows/registry/registry_event/registry_event_office_test_regadd.yml:15:    product: windows
 windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml:16:    category: registry_event
 windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml:17:    product: windows
 windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml:18:    category: registry_event
 windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml:19:    product: windows
 windows/registry/registry_event/registry_event_susp_download_run_key.yml:14:    category: registry_event
 windows/registry/registry_event/registry_event_susp_download_run_key.yml:15:    product: windows
 windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml:16:    category: registry_event
 windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml:17:    product: windows
 windows/registry/registry_event/registry_event_susp_atbroker_change.yml:17:    category: registry_event
 windows/registry/registry_event/registry_event_susp_atbroker_change.yml:18:    product: windows
 windows/registry/registry_event/registry_event_add_local_hidden_user.yml:14:    product: windows
 windows/registry/registry_event/registry_event_add_local_hidden_user.yml:15:    category: registry_event
 windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml:16:    category: registry_event
 windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml:17:    product: windows
 windows/registry/registry_event/registry_event_persistence_recycle_bin.yml:16:    category: registry_event
 windows/registry/registry_event/registry_event_persistence_recycle_bin.yml:17:    product: windows
 windows/process_creation/proc_creation_win_mssql_susp_child_process.yml:20:    category: process_creation
 windows/process_creation/proc_creation_win_mssql_susp_child_process.yml:21:    product: windows
 windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml:20:    category: process_creation
 windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml:21:    product: windows
 windows/process_creation/proc_creation_win_hktl_sharpersist.yml:15:    category: process_creation
 windows/process_creation/proc_creation_win_hktl_sharpersist.yml:16:    product: windows
 windows/process_creation/proc_creation_win_hktl_sharpersist.yml:20:        - Product: 'SharPersist'
 windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml:18:    category: process_creation
 windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml:19:    product: windows
 windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml:18:    product: windows
 windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml:27:    selection_set_service:
 windows/process_creation/proc_creation_win_pua_system_informer.yml:22:    category: process_creation
 windows/process_creation/proc_creation_win_pua_system_informer.yml:23:    product: windows
 windows/process_creation/proc_creation_win_pua_system_informer.yml:29:        - Product: 'System Informer'
 windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml:20:    product: windows
 windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml:21:    category: process_creation
 windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml:22:    category: process_creation
 windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml:23:    product: windows
 windows/process_creation/proc_creation_win_sc_create_service.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_sc_create_service.yml:18:    product: windows
 windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml:15:    category: process_creation
 windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml:16:    product: windows
 windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml:19:    category: process_creation
 windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml:20:    product: windows
 windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml:21:    category: process_creation
 windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml:22:    product: windows
 windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml:15:    category: process_creation
 windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml:16:    product: windows
 windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml:24:    category: process_creation
 windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml:25:    product: windows
 windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml:15:    category: process_creation
 windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml:16:    product: windows
 windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml:24:    category: process_creation
 windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml:25:    product: windows
 windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml:15:    category: process_creation
 windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml:16:    product: windows
 windows/process_creation/proc_creation_win_sysinternals_psservice.yml:15:    category: process_creation
 windows/process_creation/proc_creation_win_sysinternals_psservice.yml:16:    product: windows
 windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml:19:    category: process_creation
 windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml:20:    product: windows
 windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml:20:    category: process_creation
 windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml:21:    product: windows
 windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml:19:    category: process_creation
 windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml:20:    product: windows
 windows/process_creation/proc_creation_win_net_user_add.yml:18:    category: process_creation
 windows/process_creation/proc_creation_win_net_user_add.yml:19:    product: windows
 windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml:22:    product: windows
 windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml:23:    category: process_creation
 windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml:13:    category: process_creation
 windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml:14:    product: windows
 windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml:21:    category: process_creation
 windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml:22:    product: windows
 windows/process_creation/proc_creation_win_java_susp_child_process.yml:18:    category: process_creation
 windows/process_creation/proc_creation_win_java_susp_child_process.yml:19:    product: windows
 windows/process_creation/proc_creation_win_webshell_chopper.yml:16:    category: process_creation
 windows/process_creation/proc_creation_win_webshell_chopper.yml:17:    product: windows
 windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml:15:    category: process_creation
 windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml:16:    product: windows
 windows/process_creation/proc_creation_win_java_susp_child_process_2.yml:18:    category: process_creation
 windows/process_creation/proc_creation_win_java_susp_child_process_2.yml:19:    product: windows
 windows/process_creation/proc_creation_win_control_panel_item.yml:17:    product: windows
 windows/process_creation/proc_creation_win_control_panel_item.yml:18:    category: process_creation
 windows/process_creation/proc_creation_win_webshell_tool_recon.yml:15:    category: process_creation
 windows/process_creation/proc_creation_win_webshell_tool_recon.yml:16:    product: windows
 windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml:19:    product: windows
 windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml:20:    category: process_creation
 windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml:22:    category: process_creation
 windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml:23:    product: windows
 windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml:17:    product: windows
 windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml:18:    category: process_creation
 windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml:19:    category: process_creation
 windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml:20:    product: windows
 windows/process_creation/proc_creation_win_iis_susp_module_registration.yml:14:    category: process_creation
 windows/process_creation/proc_creation_win_iis_susp_module_registration.yml:15:    product: windows
 windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml:15:    category: process_creation
 windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml:16:    product: windows
 windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml:20:    category: process_creation
 windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml:21:    product: windows
 windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml:18:    product: windows
 windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml:16:    product: windows
 windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_susp_service_creation.yml:19:    category: process_creation
 windows/process_creation/proc_creation_win_susp_service_creation.yml:20:    product: windows
 windows/process_creation/proc_creation_win_sc_service_path_modification.yml:16:    category: process_creation
 windows/process_creation/proc_creation_win_sc_service_path_modification.yml:17:    product: windows
 windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml:16:    category: process_creation
 windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml:17:    product: windows
 windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml:19:    category: process_creation
 windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml:20:    product: windows
 windows/process_creation/proc_creation_win_reg_add_run_key.yml:15:    category: process_creation
 windows/process_creation/proc_creation_win_reg_add_run_key.yml:16:    product: windows
 windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml:14:    category: process_creation
 windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml:15:    product: windows
 windows/process_creation/proc_creation_win_bitsadmin_download.yml:19:    category: process_creation
 windows/process_creation/proc_creation_win_bitsadmin_download.yml:20:    product: windows
 windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml:23:    category: process_creation
 windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml:24:    product: windows
 windows/process_creation/proc_creation_win_secedit_execution.yml:32:    category: process_creation
 windows/process_creation/proc_creation_win_secedit_execution.yml:33:    product: windows
 windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml:18:    category: process_creation
 windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml:19:    product: windows
 windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml:16:    category: process_creation
 windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml:17:    product: windows
 windows/process_creation/proc_creation_win_ssm_agent_abuse.yml:16:    category: process_creation
 windows/process_creation/proc_creation_win_ssm_agent_abuse.yml:17:    product: windows
 windows/process_creation/proc_creation_win_registry_logon_script.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_registry_logon_script.yml:18:    product: windows
 windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml:18:    product: windows
 windows/process_creation/proc_creation_win_net_use_password_plaintext.yml:19:    category: process_creation
 windows/process_creation/proc_creation_win_net_use_password_plaintext.yml:20:    product: windows
 windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml:21:    category: process_creation
 windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml:22:    product: windows
 windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml:18:    product: windows
 windows/process_creation/proc_creation_win_schtasks_system.yml:16:    product: windows
 windows/process_creation/proc_creation_win_schtasks_system.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml:15:    category: process_creation
 windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml:16:    product: windows
 windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml:16:    category: process_creation
 windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml:17:    product: windows
 windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml:16:    product: windows
 windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_sc_sdset_modification.yml:24:    category: process_creation
 windows/process_creation/proc_creation_win_sc_sdset_modification.yml:25:    product: windows
 windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml:19:    product: windows
 windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml:20:    category: process_creation
 windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml:18:    category: process_creation
 windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml:19:    product: windows
 windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml:16:    product: windows
 windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml:18:    category: process_creation
 windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml:19:    product: windows
 windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml:18:    category: process_creation
 windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml:19:    product: windows
 windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml:17:    product: windows
 windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml:18:    category: process_creation
 windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml:18:    product: windows
 windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml:18:    category: process_creation
 windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml:19:    product: windows
 windows/process_creation/proc_creation_win_schtasks_reg_loader.yml:18:    product: windows
 windows/process_creation/proc_creation_win_schtasks_reg_loader.yml:19:    category: process_creation
 windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml:16:    product: windows
 windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_winrm_susp_child_process.yml:16:    category: process_creation
 windows/process_creation/proc_creation_win_winrm_susp_child_process.yml:17:    product: windows
 windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml:20:    category: process_creation
 windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml:21:    product: windows
 windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml:15:    category: process_creation
 windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml:16:    product: windows
 windows/process_creation/proc_creation_win_pua_process_hacker.yml:26:    category: process_creation
 windows/process_creation/proc_creation_win_pua_process_hacker.yml:27:    product: windows
 windows/process_creation/proc_creation_win_pua_process_hacker.yml:36:        - Product: 'Process Hacker'
 windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml:16:    category: process_creation
 windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml:17:    product: windows
 windows/process_creation/proc_creation_win_powershell_create_service.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_powershell_create_service.yml:18:    product: windows
 windows/process_creation/proc_creation_win_schtasks_creation.yml:19:    category: process_creation
 windows/process_creation/proc_creation_win_schtasks_creation.yml:20:    product: windows
 windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml:19:    category: process_creation
 windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml:20:    product: windows
 windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml:15:    category: process_creation
 windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml:16:    product: windows
 windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml:15:    category: process_creation
 windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml:16:    product: windows
 windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml:26:    category: process_creation
 windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml:27:    product: windows
 windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml:18:    product: windows
 windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml:18:    product: windows
 windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml:15:    product: windows
 windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml:16:    category: process_creation
 windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml:13:    category: process_creation
 windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml:14:    product: windows
 windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml:18:    product: windows
 windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml:16:    category: process_creation
 windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml:17:    product: windows
 windows/process_creation/proc_creation_win_cmd_assoc_execution.yml:19:    category: process_creation
 windows/process_creation/proc_creation_win_cmd_assoc_execution.yml:20:    product: windows
 windows/process_creation/proc_creation_win_webshell_hacking.yml:18:    category: process_creation
 windows/process_creation/proc_creation_win_webshell_hacking.yml:19:    product: windows
 windows/process_creation/proc_creation_win_net_user_add_never_expire.yml:17:    category: process_creation
 windows/process_creation/proc_creation_win_net_user_add_never_expire.yml:18:    product: windows
 windows/driver_load/driver_load_win_susp_temp_use.yml:15:    category: driver_load
 windows/driver_load/driver_load_win_susp_temp_use.yml:16:    product: windows
 windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml:14:    product: windows
 windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml:15:    service: microsoft-servicebus-client # Change to servicebus-client once validators are up to date
 windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml:14:    product: windows
 windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml:15:    service: taskscheduler
 windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml:14:    product: windows
 windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml:15:    service: taskscheduler
 windows/builtin/security/win_security_user_added_to_local_administrators.yml:17:    product: windows
 windows/builtin/security/win_security_user_added_to_local_administrators.yml:18:    service: security
 windows/builtin/security/win_security_hidden_user_creation.yml:14:    product: windows
 windows/builtin/security/win_security_hidden_user_creation.yml:15:    service: security
 windows/builtin/security/win_security_registry_permissions_weakness_check.yml:19:    product: windows
 windows/builtin/security/win_security_registry_permissions_weakness_check.yml:20:    service: security
 windows/builtin/security/win_security_service_install_remote_access_software.yml:18:    product: windows
 windows/builtin/security/win_security_service_install_remote_access_software.yml:19:    service: security
 windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml:20:    product: windows
 windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml:21:    service: security
 windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml:17:    product: windows
 windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml:18:    service: security
 windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml:20:    product: windows
 windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml:21:    service: security
 windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml:20:    product: windows
 windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml:21:    service: security
 windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml:14:    product: windows
 windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml:15:    service: security
 windows/builtin/security/win_security_svcctl_remote_service.yml:15:    product: windows
 windows/builtin/security/win_security_svcctl_remote_service.yml:16:    service: security
 windows/builtin/security/win_security_gpo_scheduledtasks.yml:17:    product: windows
 windows/builtin/security/win_security_gpo_scheduledtasks.yml:18:    service: security
 windows/builtin/security/win_security_susp_scheduled_task_creation.yml:16:    product: windows
 windows/builtin/security/win_security_susp_scheduled_task_creation.yml:17:    service: security
 windows/builtin/security/win_security_susp_add_domain_trust.yml:14:    product: windows
 windows/builtin/security/win_security_susp_add_domain_trust.yml:15:    service: security
 windows/builtin/security/win_security_wmi_persistence.yml:19:    product: windows
 windows/builtin/security/win_security_wmi_persistence.yml:20:    service: security
 windows/builtin/security/win_security_susp_computer_name.yml:19:    service: security
 windows/builtin/security/win_security_susp_computer_name.yml:20:    product: windows
 windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml:14:    product: windows
 windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml:15:    service: security
 windows/builtin/security/win_security_atsvc_task.yml:17:    product: windows
 windows/builtin/security/win_security_atsvc_task.yml:18:    service: security
 windows/builtin/security/win_security_susp_failed_logon_reasons.yml:18:    product: windows
 windows/builtin/security/win_security_susp_failed_logon_reasons.yml:19:    service: security
 windows/builtin/security/win_security_susp_local_anon_logon_created.yml:15:    product: windows
 windows/builtin/security/win_security_susp_local_anon_logon_created.yml:16:    service: security
 windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml:15:    product: windows
 windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml:16:    service: security
 windows/builtin/security/win_security_user_creation.yml:15:    product: windows
 windows/builtin/security/win_security_user_creation.yml:16:    service: security
 windows/builtin/security/win_security_susp_add_sid_history.yml:14:    product: windows
 windows/builtin/security/win_security_susp_add_sid_history.yml:15:    service: security
 windows/builtin/security/win_security_alert_ad_user_backdoors.yml:16:    product: windows
 windows/builtin/security/win_security_alert_ad_user_backdoors.yml:17:    service: security
 windows/builtin/security/win_security_susp_dsrm_password_change.yml:21:    product: windows
 windows/builtin/security/win_security_susp_dsrm_password_change.yml:22:    service: security
 windows/builtin/security/win_security_alert_active_directory_user_control.yml:14:    product: windows
 windows/builtin/security/win_security_alert_active_directory_user_control.yml:15:    service: security
 windows/builtin/wmi/win_wmi_persistence.yml:16:    product: windows
 windows/builtin/wmi/win_wmi_persistence.yml:17:    service: wmi
 windows/builtin/security/win_security_susp_scheduled_task_update.yml:18:    product: windows
 windows/builtin/security/win_security_susp_scheduled_task_update.yml:19:    service: security
 windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml:15:    product: windows
 windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml:16:    service: bits-client
 windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml:15:    product: windows
 windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml:16:    service: bits-client
 windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml:24:    product: windows
 windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml:25:    service: security
 windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml:21:    product: windows
 windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml:22:    service: bits-client
 windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml:15:    product: windows
 windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml:16:    service: bits-client
 windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml:18:    product: windows
 windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml:19:    service: bits-client
 windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml:16:    product: windows
 windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml:17:    service: bits-client
 windows/builtin/iis-configuration/win_iis_module_removed.yml:18:    product: windows
 windows/builtin/iis-configuration/win_iis_module_removed.yml:19:    service: iis-configuration
 windows/builtin/iis-configuration/win_iis_module_added.yml:18:    product: windows
 windows/builtin/iis-configuration/win_iis_module_added.yml:19:    service: iis-configuration
 windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml:15:    product: windows
 windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml:16:    service: bits-client
 windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml:22:    product: windows
 windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml:23:    service: system
 windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml:12:    product: windows
 windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml:13:    service: system
 windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml:16:    product: windows
 windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml:17:    service: system
 windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml:12:    product: windows
 windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml:13:    service: system
 windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml:26:    selection_service:
 windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml:16:    product: windows
 windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml:17:    service: system
 windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml:16:    product: windows
 windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml:17:    service: system
 windows/builtin/system/service_control_manager/win_system_service_install_susp.yml:21:    product: windows
 windows/builtin/system/service_control_manager/win_system_service_install_susp.yml:22:    service: system
 windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml:12:    product: windows
 windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml:13:    service: system
 windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml:15:    product: windows
 windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml:16:    service: system
 windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml:12:    product: windows
 windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml:13:    service: system
 windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml:26:    selection_service:
 windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml:18:    product: windows
 windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml:19:    service: system
 windows/builtin/msexchange/win_exchange_transportagent_failed.yml:14:    service: msexchange-management
 windows/builtin/msexchange/win_exchange_transportagent_failed.yml:15:    product: windows
 windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml:14:    product: windows
 windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml:15:    service: msexchange-management
 windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml:14:    service: msexchange-management
 windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml:15:    product: windows
 windows/builtin/msexchange/win_exchange_transportagent.yml:17:    product: windows
 windows/builtin/msexchange/win_exchange_transportagent.yml:18:    service: msexchange-management
 windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml:14:    service: msexchange-management
 windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml:15:    product: windows
 windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml:13:    product: windows
 windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml:14:    service: application
 windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml:14:    product: windows
 windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml:15:    service: application
 windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml:14:    product: windows
 windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml:15:    category: dns_query
 windows/network_connection/net_connection_win_susp_malware_callback_port.yml:19:    category: network_connection
 windows/network_connection/net_connection_win_susp_malware_callback_port.yml:20:    product: windows
 windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml:18:    category: network_connection
 windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml:19:    product: windows
 windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml:16:    category: network_connection
 windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml:17:    product: windows
 windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml:13:    product: windows
 windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml:14:    category: create_stream_hash