diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md
index 37618cbbe..4089624d2 100644
--- a/.github/latest_archiver_output.md
+++ b/.github/latest_archiver_output.md
@@ -1,6 +1,6 @@
 # Reference Archiver Results
 
-Last Execution: 2024-01-15 01:53:03
+Last Execution: 2024-02-01 01:50:02
 
 ### Archiver Script Results
 
@@ -11,185 +11,237 @@ N/A
 
 #### Already Archived References
 
-- https://github.com/deepinstinct/NoFilter
-- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
-- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
-- https://github.com/outflanknl/NetshHelperBeacon
-- https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
-- https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md
-- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt
-- https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
-- https://ss64.com/osx/csrutil.html
-- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
-- https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
-- https://github.com/cloudflare/cloudflared/releases
-- https://github.com/poweradminllc/PAExec
-- https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation
-- https://ss64.com/mac/system_profiler.html
+- https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44
+- https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
+- https://pentestlab.blog/tag/sharpmove/
+- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732
+- https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
+- https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
+- https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior
+- https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior
+- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
+- https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware
+- https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior
+- https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode
+- https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)
+- https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
+- https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
 
 #### Error While Archiving References
 
-- https://linux.die.net/man/1/arecord
-- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
-- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
-- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
-- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
-- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
-- https://lolbas-project.github.io/lolbas/Binaries/Tar/
-- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
-- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
-- https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
-- https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
-- https://paper.seebug.org/1495/
-- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
-- https://github.com/gentilkiwi/mimikatz
-- https://support.google.com/a/answer/9261439
-- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
-- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
-- https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
-- https://unit42.paloaltonetworks.com/chromeloader-malware/
-- https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior
-- https://github.com/xuanxuan0/DripLoader
-- https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44
-- https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior
-- https://www.x86matthew.com/view_post?id=create_svc_rpc
-- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
-- https://github.com/fortra/nanodump
-- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
-- https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
-- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
-- https://github.com/grayhatkiller/SharpExShell
-- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
-- https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
-- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
-- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
-- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
-- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
-- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
-- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
-- https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
-- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
-- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
-- https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior
-- https://objective-see.org/blog/blog_0x6D.html
-- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
-- https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
-- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
-- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
-- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
-- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
-- https://cloud.google.com/binary-authorization
-- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
-- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
-- https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
-- https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
-- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
-- https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
-- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
-- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
-- https://www.tarasco.org/security/pwdump_7/
-- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
-- https://megatools.megous.com/
-- https://github.com/antonioCoco/RoguePotato
-- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
-- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
-- https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
-- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
 - https://www.group-ib.com/resources/threat-research/red-curl-2.html
-- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
-- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
-- https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699
-- https://x.com/_st0pp3r_/status/1742203752361128162?s=20
-- https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
-- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
-- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
-- https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450
-- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
-- https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
-- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
-- https://twitter.com/bohops/status/1740022869198037480
-- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
-- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
-- https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
-- https://cydefops.com/devtunnels-unleashed
-- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010
-- https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior
-- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
-- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
-- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
-- https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983
-- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
-- https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
-- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
-- https://github.com/wavestone-cdt/EDRSandblast
-- https://objective-see.org/blog/blog_0x62.html
-- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
-- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001
-- https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling
-- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
-- https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog
-- https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
-- https://ss64.com/osx/sw_vers.html
-- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
-- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
-- https://www.cyberciti.biz/faq/linux-remove-user-command/
-- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
-- https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
-- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
+- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
-- https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
-- https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
-- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
-- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
-- https://www.attackiq.com/2023/09/20/emulating-rhysida/
-- https://linux.die.net/man/8/useradd
+- https://github.com/yarrick/iodine
 - https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
+- https://www.tarasco.org/security/pwdump_7/
+- https://blog.router-switch.com/2013/11/show-running-config/
 - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
-- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
-- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
-- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
-- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
-- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
-- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
-- https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2
-- https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp
-- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
-- https://www.group-ib.com/blog/apt41-world-tour-2021/
-- https://github.com/amjcyber/EDRNoiseMaker
-- https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
-- https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf
-- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
-- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
-- https://cloud.google.com/access-context-manager/docs/audit-logging
-- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
-- https://ngrok.com/blog-post/new-ngrok-domains
-- https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
-- https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
-- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
-- https://www.sans.org/cyber-security-summit/archives
-- https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
-- https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior
-- https://www.pingcastle.com/documentation/scanner/
-- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
-- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
-- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
-- https://www.intrinsec.com/akira_ransomware/
-- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
-- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
-- https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
-- https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
-- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
-- https://news.ycombinator.com/item?id=29504755
-- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
-- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
-- https://github.com/netero1010/EDRSilencer
-- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
-- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
-- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
-- https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
-- https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
+- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
+- https://support.google.com/a/answer/9261439
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
-- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
+- https://x.com/_st0pp3r_/status/1742203752361128162?s=20
+- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
+- https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
+- https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
+- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
+- https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
+- https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
+- https://github.com/gentilkiwi/mimikatz
+- https://twitter.com/MsftSecIntel/status/1737895710169628824
+- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
+- https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
+- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
+- https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
+- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
+- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
+- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml
+- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
+- https://github.com/xuanxuan0/DripLoader
+- https://tria.ge/231023-lpw85she57/behavioral2
+- https://objective-see.org/blog/blog_0x62.html
+- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
+- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
+- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+- https://www.cyberciti.biz/faq/linux-remove-user-command/
+- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
+- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
+- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
+- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
+- https://megatools.megous.com/
+- https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450
+- https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html
+- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
+- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
+- https://tria.ge/231004-tp8k6sch9t/behavioral2
+- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4
+- https://github.com/antonioCoco/RoguePotato
+- https://cloud.google.com/access-context-manager/docs/audit-logging
+- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
+- https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
+- https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
+- https://twitter.com/ReneFreingruber/status/1172244989335810049
+- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
+- https://github.com/grayhatkiller/SharpExShell
+- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
+- https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
+- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
+- https://redcanary.com/blog/gootloader/
+- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771
+- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
+- https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf
+- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
+- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
+- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
+- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
+- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
+- https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
+- https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
+- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
+- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
+- https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
+- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140
+- https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp
+- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
+- https://www.pingcastle.com/documentation/scanner/
+- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
+- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
 - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
+- https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
+- https://www.intrinsec.com/akira_ransomware/
+- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
+- https://unit42.paloaltonetworks.com/chromeloader-malware/
+- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
+- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
+- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
+- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
+- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
+- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
+- https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
+- https://lolbas-project.github.io/lolbas/Binaries/Tar/
+- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
+- https://hatching.io/blog/powershell-analysis/
+- https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html
+- https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
+- https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true
+- https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
+- https://twitter.com/bohops/status/1740022869198037480
+- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
+- https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
+- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
+- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
+- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+- https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
+- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
+- https://www.sans.org/cyber-security-summit/archives
+- https://ss64.com/nt/net-service.html
+- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
+- https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf
+- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
+- https://github.com/EmpireProject/PSInject
+- https://github.com/0xthirteen/SharpMove/
+- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
+- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
+- https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
+- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
+- https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
+- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
+- https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling
+- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281
+- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
+- https://ngrok.com/blog-post/new-ngrok-domains
+- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
+- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
+- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
+- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
+- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
+- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
+- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected
+- https://www.group-ib.com/blog/apt41-world-tour-2021/
+- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
+- https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html
+- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
+- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
+- https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699
+- https://lab52.io/blog/winter-vivern-all-summer/
+- https://github.com/iagox86/dnscat2
+- https://tria.ge/231212-r1bpgaefar/behavioral2
+- https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
+- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36
+- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
+- https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
+- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
+- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
+- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
+- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
+- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
+- https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html
+- https://www.virustotal.com/gui/file/56db0c4842a63234ab7fe2dda6eeb63aa7bb68f9a456985b519122f74dea37e2/behavior
+- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
+- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
+- https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior
+- https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog
+- https://objective-see.org/blog/blog_0x6D.html
+- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010
+- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
+- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
+- https://github.com/amjcyber/EDRNoiseMaker
+- https://cydefops.com/devtunnels-unleashed
+- https://github.com/wavestone-cdt/EDRSandblast
+- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
+- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
+- https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
+- https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
+- https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
+- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
+- https://github.com/fortra/nanodump
+- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
+- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
+- https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior
+- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
+- https://news.ycombinator.com/item?id=29504755
+- https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected
+- https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
+- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
+- https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983
 - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
+- https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
+- https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
+- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
+- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
+- https://www.attackiq.com/2023/09/20/emulating-rhysida/
+- https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
+- https://cloud.google.com/binary-authorization
+- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038
+- https://paper.seebug.org/1495/
+- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
+- https://www.x86matthew.com/view_post?id=create_svc_rpc
+- https://github.com/pr0xylife/Pikabot
+- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected
+- https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
+- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
+- https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
+- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
+- https://ss64.com/osx/sw_vers.html
+- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
+- https://github.com/netero1010/EDRSilencer
+- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
+- https://linux.die.net/man/8/useradd
+- https://linux.die.net/man/1/arecord
+- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
+- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
diff --git a/tests/rule-references.txt b/tests/rule-references.txt
index ae661db85..8e31b3e1f 100644
--- a/tests/rule-references.txt
+++ b/tests/rule-references.txt
@@ -3509,3 +3509,20 @@ https://github.com/cloudflare/cloudflared/releases
 https://github.com/poweradminllc/PAExec
 https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation
 https://ss64.com/mac/system_profiler.html
+https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44
+https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
+https://pentestlab.blog/tag/sharpmove/
+https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732
+https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
+https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
+https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior
+https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior
+https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
+https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware
+https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior
+https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion
+https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode
+https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2
+https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)
+https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
+https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf