Merge PR #5679 from @swachchhanda000 - chore: update evtx baseline to v0.8.2

chore: update evtx baseline to v0.8.2 and fix FPs --------- Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2025-10-09 13:03:39 +02:00
parent 90fe2d9e81
commit b242175fe4
63 changed files with 850 additions and 382 deletions
@@ -39,7 +39,7 @@ on:
  workflow_dispatch:

 env:
-  EVTX_BASELINE_VERSION: v0.8.1
+  EVTX_BASELINE_VERSION: v0.8.2

 jobs:
  check-baseline-win7:
@@ -3,11 +3,10 @@ RuleId;RuleName;MatchString
 ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;.*
 db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;python-3
 db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe
-96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;sharepointclient
-96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;odopen
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;.*
 1277f594-a7d1-4f28-a2d3-73af5cbeab43;Windows Shell File Write to Suspicious Folder;Computer: Agamemnon
 e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
-8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;sysmon-intense\.xml
+8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;(sysmon-intense\.xml|sysmonconfig-trace\.xml)
 8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: (evtx-PC|Agamemnon)
 4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_
 36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
@@ -17,8 +16,8 @@ e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
 162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer(_Service)?\.exe
 cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20\.49\.150\.241
 bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151\.101\.64\.223
+bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;146\.75\.117\.55
 9711de76-5d4f-4c50-a94f-21e4e8f8384d;Installation of TeamViewer Desktop;TeamViewer_Desktop\.exe
-96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;target\.exe
 9494479d-d994-40bf-a8b1-eea890237021;Scheduled Task Creation From Potential Suspicious Parent Location;.*
 81325ce1-be01-4250-944f-b4789644556f;Suspicius Schtasks From Env Var Folder;TVInstallRestore
 6ea3bf32-9680-422d-9f50-e90716b12a66;UAC Bypass Via Wsreset;EventType: DeleteKey
@@ -37,6 +36,7 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe
 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe
 7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe
 949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: Agamemnon
+949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: WinDev2310Eval
 fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*
 100ef69e-3327-481c-8e5c-6d80d9507556;System Eventlog Cleared;.*
 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon
@@ -48,8 +48,8 @@ b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;msedge\.exe
 b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;firefox\.exe 
 b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;7z\.exe
 65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;powershell\.exe
-a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: DESKTOP-A8CALR3
-a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: WIN-06FB45IHQ35
+65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: WIN-FPV0DSIC9O6.sigma.fr
+a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: .*
 4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\.exe
 4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\.tmp
 48bfd177-7cf2-412b-ad77-baf923489e82;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd.exe
@@ -59,3 +59,14 @@ e9d4ab66-a532-4ef7-a502-66a9e4a34f5d;NTLMv1 Logon Between Client and Server;.*
 ccb5742c-c248-4982-8c5c-5571b9275ad3;Potential Suspicious Findstr.EXE Execution;httpd\.exe
 9ae01559-cf7e-4f8e-8e14-4c290a1b4784;CredUI.DLL Load By Uncommon Process;Spotify\.exe
 52182dfb-afb7-41db-b4bc-5336cb29b464;Suspicious File Download From File Sharing Websites;objects\.githubusercontent\.com
+ce72ef99-22f1-43d4-8695-419dcb5d9330;Suspicious Windows Service Tampering;TeamViewer
+dae8171c-5ec6-4396-b210-8466585b53e9;SCM Database Privileged Operation;0x277c6
+3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781;OpenSSH Server Listening On Socket;.*
+b69888d4-380c-45ce-9cf9-d9ce46e67821;Hidden Executable In NTFS Alternate Data Stream;.*
+4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76;Potentially Suspicious AccessMask Requested From LSASS;\\setup\.exe
+d99b79d2-0a6f-4f46-ad8b-260b6e17f982;Security Eventlog Cleared;Computer: WinDevEval
+b28e58e4-2a72-4fae-bdee-0fbe904db642;Windows Defender Real-time Protection Disabled;Computer: WinDev2310Eval
+ef9dcfed-690c-4c5d-a9d1-482cd422225c;Browser Execution In Headless Mode;.*
+65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: (DESKTOP-6D0DBMB|WinDev2310Eval)
+de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys Using Reg.EXE;\\Discord\\
+24357373-078f-44ed-9ac4-6d334a668a11;Direct Autorun Keys Modification;Discord\.exe
@@ -0,0 +1,68 @@
+title: Use Short Name Path in Command Line
+id: 349d891d-fef0-4fe4-bc53-eee623a15969
+related:
+    - id: a96970af-f126-420d-90e1-d37bf25e50e1
+      type: similar
+status: test
+description: |
+    Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations.
+    Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs.
+    When investigating, examine:
+    - Commands using short paths to access sensitive directories or files
+    - Web servers on Windows (especially Apache) where short filenames could bypass security controls
+    - Correlation with other suspicious behaviors
+    - baseline of short name usage in your environment and look for deviations
+references:
+    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
+    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
+    - https://twitter.com/frack113/status/1555830623633375232
+author: frack113, Nasreddine Bencherchali
+date: 2022-08-07
+modified: 2025-10-07
+tags:
+    - attack.defense-evasion
+    - attack.t1564.004
+    - detection.threat-hunting
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains:
+            - '~1\'
+            - '~2\'
+    filter_main_system_process:
+        ParentImage:
+            - 'C:\Windows\System32\Dism.exe'
+            - 'C:\Windows\System32\cleanmgr.exe'
+    filter_main_winget:
+        - ParentImage|endswith: '\winget.exe'
+        - ParentImage|contains: '\AppData\Local\Temp\WinGet\'
+    filter_main_installers:
+        - Image|contains|all:
+              - '\AppData\'
+              - '\Temp\'
+        - CommandLine|contains: '\AppData\Local\Temp\' # sometimes installers spawn other installers from temp folder
+    filter_optional_dopus:
+        ParentImage: 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe'
+    filter_optional_aurora:
+        ParentImage|endswith:
+            - '\aurora-agent-64.exe'
+            - '\aurora-agent.exe'
+    filter_optional_thor:
+        ParentImage|endswith: '\thor\thor64.exe'
+    filter_optional_git:
+        CommandLine|contains:
+            - 'C:\Program Files\Git\post-install.bat'
+            - 'C:\Program Files\Git\cmd\scalar.exe'
+    filter_optional_webex:
+        - ParentImage|endswith: '\WebEx\webexhost.exe'
+        - CommandLine|contains: '\appdata\local\webex\webex64\meetings\wbxreport.exe'
+    filter_optional_veeam:
+        ParentImage|endswith: '\veeam.backup.shell.exe'
+    filter_optional_everything:
+        ParentImage|endswith: '\Everything\Everything.exe'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process.
+level: medium
@@ -9,7 +9,7 @@ references:
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
-modified: 2025-03-07
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
 logsource:
@@ -28,6 +28,7 @@ detection:
            - 'C:\Windows\ImmersiveControlPanel\'
            - 'x-windowsupdate://'
            - 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
+            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
    filter_main_specific:
        Path|contains:
            - 'https://statics.teams.cdn.live.net/'
@@ -6,7 +6,7 @@ references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022-02-19
-modified: 2024-08-29
+modified: 2025-10-08
 tags:
    - attack.defense-evasion
    - attack.t1562.004
@@ -28,9 +28,6 @@ detection:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
-    filter_optional_msmpeng:
-        ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
-        ModifyingApplication|endswith: '\MsMpEng.exe'
    filter_main_covered_paths:
        # This filter is added to avoid duplicate alerting from 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
        ApplicationPath|contains:
@@ -41,13 +38,28 @@ detection:
            - 'C:\Windows\Tasks\'
            - 'C:\Windows\Temp\'
            - '\AppData\Local\Temp\'
+    filter_main_system_dllhost:
+        ApplicationPath: 'System'
+        ModifyingApplication: 'C:\Windows\System32\dllhost.exe'
+    filter_main_tiworker:
+        ModifyingApplication|startswith: 'C:\Windows\WinSxS\'
+        ModifyingApplication|endswith: '\TiWorker.exe'
+    filter_main_null:
+        ApplicationPath: null
    filter_optional_no_path:
        # This filter filters a lot of FPs related to Windows Services
        ModifyingApplication:
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\System32\dllhost.exe'
        ApplicationPath: ''
-    filter_main_null:
-        ApplicationPath: null
+    filter_optional_msmpeng:
+        - ModifyingApplication|startswith:
+              - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+              - 'C:\Program Files\Windows Defender\'
+          ModifyingApplication|endswith: '\MsMpEng.exe'
+        - ApplicationPath|startswith:
+              - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+              - 'C:\Program Files\Windows Defender\'
+          ApplicationPath|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 level: medium
@@ -12,7 +12,7 @@ references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
 date: 2019-04-08
-modified: 2023-01-20
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.t1562.001
@@ -24,7 +24,7 @@ detection:
        EventID: 4673
        PrivilegeList: 'SeLoadDriverPrivilege'
        Service: '-'
-    filter_exact:
+    filter_main_exact:
        ProcessName:
            - 'C:\Windows\System32\Dism.exe'
            - 'C:\Windows\System32\rundll32.exe'
@@ -36,7 +36,7 @@ detection:
            - 'C:\Windows\System32\RuntimeBroker.exe'
            - 'C:\Windows\System32\SystemSettingsBroker.exe'
            - 'C:\Windows\explorer.exe'
-    filter_endswith:
+    filter_optional_others:
        ProcessName|endswith:
            - '\procexp64.exe'
            - '\procexp.exe'
@@ -44,9 +44,14 @@ detection:
            - '\procmon.exe'
            - '\Google\Chrome\Application\chrome.exe'
            - '\AppData\Local\Microsoft\Teams\current\Teams.exe'
-    filter_startswith:
+    filter_main_startswith:
        ProcessName|startswith: 'C:\Program Files\WindowsApps\Microsoft'
-    condition: selection_1 and not 1 of filter_*
+    filter_optional_dropbox:
+        ProcessName|startswith:
+            - 'C:\Program Files (x86)\Dropbox\'
+            - 'C:\Program Files\Dropbox\'
+        ProcessName|endswith: '\Dropbox.exe'
+    condition: selection_1 and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers.
 level: medium
@@ -8,7 +8,7 @@ references:
    - Internal Research
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2020-05-26
-modified: 2024-06-24
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.t1036.005
@@ -102,19 +102,29 @@ detection:
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\uus\'
    filter_main_svchost:
-        Image|endswith: 'C:\Windows\system32\svchost.exe'
-        TargetFilename|contains: 'C:\Program Files\WindowsApps\'
+        Image|endswith:
+            - 'C:\Windows\system32\svchost.exe'
+            - 'C:\Windows\SysWOW64\svchost.exe'
+        TargetFilename|contains:
+            - 'C:\Program Files\WindowsApps\'
+            - 'C:\Program Files (x86)\WindowsApps\'
+            - '\AppData\Local\Microsoft\WindowsApps\'
    filter_main_wuauclt:
-        Image|endswith: 'C:\Windows\System32\wuauclt.exe'
+        Image|endswith:
+            - 'C:\Windows\System32\wuauclt.exe'
+            - 'C:\Windows\SysWOW64\wuauclt.exe'
    filter_main_explorer:
        TargetFilename|endswith: 'C:\Windows\explorer.exe'
    filter_main_msiexec:
        # This filter handles system processes who are updated/installed using misexec.
-        Image|endswith: 'C:\WINDOWS\system32\msiexec.exe'
+        Image|endswith:
+            - 'C:\WINDOWS\system32\msiexec.exe'
+            - 'C:\WINDOWS\SysWOW64\msiexec.exe'
        # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
-        TargetFilename|endswith:
+        TargetFilename|startswith:
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
+            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\'
    filter_main_healtray:
        TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
        TargetFilename|endswith: '\SecurityHealthSystray.exe'
@@ -7,7 +7,7 @@ references:
    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-09
-modified: 2023-10-18
+modified: 2025-10-07
 tags:
    - attack.persistence
 logsource:
@@ -28,6 +28,10 @@ detection:
            - ':\Windows\SysWOW64\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
+    filter_main_msiexec:
+        Image:
+            - 'C:\Windows\System32\msiexec.exe'
+            - 'C:\Windows\SysWOW64\msiexec.exe'
    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Unknown
@@ -6,7 +6,7 @@ references:
    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-06-01
-modified: 2023-12-11
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
 logsource:
@@ -15,19 +15,26 @@ logsource:
 detection:
    selection:
        TargetFilename|contains: '__PSScriptPolicyTest_'
+    filter_main_powershell:
+        Image:
+            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
+            - 'C:\Program Files\PowerShell\7\pwsh.exe'
+            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
+            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
+            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
+            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
+    filter_main_pwsh_preview:
+        Image|contains:
+            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
+            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
+        Image|endswith: '\pwsh.exe'
    filter_main_generic:
-        Image|endswith:
-            - ':\Program Files\PowerShell\7-preview\pwsh.exe'
-            - ':\Program Files\PowerShell\7\pwsh.exe'
-            - ':\Windows\System32\dsac.exe'
-            - ':\Windows\System32\sdiagnhost.exe'
-            - ':\Windows\System32\ServerManager.exe'
-            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
-            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
-            - ':\Windows\System32\wsmprovhost.exe'
-            - ':\Windows\SysWOW64\sdiagnhost.exe'
-            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
-            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
+        Image:
+            - 'C:\Windows\System32\dsac.exe'
+            - 'C:\Windows\System32\sdiagnhost.exe'
+            - 'C:\Windows\System32\ServerManager.exe'
+            - 'C:\Windows\System32\wsmprovhost.exe'
+            - 'C:\Windows\SysWOW64\sdiagnhost.exe'
    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Unknown
@@ -9,7 +9,7 @@ references:
    - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-12
-modified: 2025-08-05
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.t1036
@@ -69,6 +69,14 @@ detection:
        TargetFilename|contains|all:
            - 'C:\Program Files\WindowsApps\Clipchamp'
            - '.ps1'
+    filter_main_powershell_preview:
+        Image:
+            - 'C:\Windows\system32\svchost.exe'
+            - 'C:\Windows\SysWOW64\svchost.exe'
+        TargetFilename|startswith:
+            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
+            - 'C:\Program Files (x86)\WindowsApps\Microsoft.PowerShellPreview'
+        TargetFilename|endswith: '.ps1'
    condition: 1 of selection_* and not 1 of filter_main_*
 falsepositives:
    - Unknown
@@ -7,7 +7,7 @@ references:
    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-06-01
-modified: 2023-09-20
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
 logsource:
@@ -20,7 +20,7 @@ detection:
            # TODO: Add more interesting processes
            - '\ExtExport.exe'
            - '\odbcconf.exe'
-            - '\regsvr32.exe'
+            # - '\regsvr32.exe' # legitimately calls amsi.dll
            - '\rundll32.exe'
    condition: selection
 falsepositives:
@@ -14,7 +14,7 @@ references:
    - https://github.com/p3nt4/PowerShdll
 author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2019-11-14
-modified: 2025-02-24
+modified: 2025-10-07
 tags:
    - attack.t1059.001
    - attack.execution
@@ -28,50 +28,58 @@ detection:
        - ImageLoaded|endswith:
              - '\System.Management.Automation.dll'
              - '\System.Management.Automation.ni.dll'
-    filter_main_generic:
-        Image|endswith:
-            - ':\Program Files\PowerShell\7\pwsh.exe' # PowerShell 7
-            - ':\Windows\System32\dsac.exe'
-            - ':\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
-            - ':\Windows\System32\runscripthelper.exe'
-            - ':\WINDOWS\System32\sdiagnhost.exe'
-            - ':\Windows\System32\ServerManager.exe'
-            - ':\Windows\System32\SyncAppvPublishingServer.exe'
-            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
-            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
-            - ':\Windows\System32\winrshost.exe'
-            - ':\Windows\System32\wsmprovhost.exe'
-            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
-            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
-            - ':\Windows\SysWOW64\winrshost.exe'
-            - ':\Windows\SysWOW64\wsmprovhost.exe'
-    filter_main_dotnet:
+    filter_main_powershell:
+        Image:
+            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe' # PowerShell 7 preview
+            - 'C:\Program Files\PowerShell\7\pwsh.exe' # PowerShell 7
+            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
+            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
+            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
+            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
+    filter_main_pwsh_preview:
        Image|contains:
-            - ':\Windows\Microsoft.NET\Framework\'
-            - ':\Windows\Microsoft.NET\FrameworkArm\'
-            - ':\Windows\Microsoft.NET\FrameworkArm64\'
-            - ':\Windows\Microsoft.NET\Framework64\'
+            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
+            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
+        Image|endswith: '\pwsh.exe'
+    filter_main_generic:
+        Image:
+            - 'C:\Windows\System32\dsac.exe'
+            - 'C:\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
+            - 'C:\Windows\System32\runscripthelper.exe'
+            - 'C:\WINDOWS\System32\sdiagnhost.exe'
+            - 'C:\Windows\System32\ServerManager.exe'
+            - 'C:\Windows\System32\SyncAppvPublishingServer.exe'
+            - 'C:\Windows\System32\winrshost.exe'
+            - 'C:\Windows\System32\wsmprovhost.exe'
+            - 'C:\Windows\SysWOW64\winrshost.exe'
+            - 'C:\Windows\SysWOW64\wsmprovhost.exe'
+    filter_main_dotnet:
+        Image|startswith:
+            - 'C:\Windows\Microsoft.NET\Framework\'
+            - 'C:\Windows\Microsoft.NET\FrameworkArm\'
+            - 'C:\Windows\Microsoft.NET\FrameworkArm64\'
+            - 'C:\Windows\Microsoft.NET\Framework64\'
        Image|endswith: '\mscorsvw.exe'
    filter_optional_sql_server_mgmt:
-        Image|contains:
-            - ':\Program Files (x86)\Microsoft SQL Server Management Studio'
-            - ':\Program Files\Microsoft SQL Server Management Studio'
+        Image|startswith:
+            - 'C:\Program Files (x86)\Microsoft SQL Server Management Studio'
+            - 'C:\Program Files\Microsoft SQL Server Management Studio'
        Image|endswith: '\IDE\Ssms.exe'
    filter_optional_sql_server_tools:
-        Image|contains:
-            - ':\Program Files (x86)\Microsoft SQL Server\'
-            - ':\Program Files\Microsoft SQL Server\'
+        Image|startswith:
+            - 'C:\Program Files (x86)\Microsoft SQL Server\'
+            - 'C:\Program Files\Microsoft SQL Server\'
        Image|endswith: '\Tools\Binn\SQLPS.exe'
    filter_optional_citrix:
        Image|endswith: '\Citrix\ConfigSync\ConfigSyncRun.exe'
    filter_optional_vs:
-        Image|contains:
-            - ':\Program Files (x86)\Microsoft Visual Studio\'
-            - ':\Program Files\Microsoft Visual Studio\'
+        Image|startswith:
+            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
+            - 'C:\Program Files\Microsoft Visual Studio\'
    filter_optional_chocolatey:
-        Image|contains: ':\ProgramData\chocolatey\choco.exe'
+        Image|startswith: 'C:\ProgramData\chocolatey\choco.exe'
    filter_optional_nextron:
-        Image|contains: ':\Windows\Temp\asgard2-agent\'
+        Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
        Image|endswith:
            - '\thor64.exe'
            - '\thor.exe'
@@ -11,7 +11,7 @@ references:
    - https://github.com/ORCx41/DeleteShadowCopies
 author: frack113
 date: 2022-10-31
-modified: 2023-05-03
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.impact
@@ -22,7 +22,7 @@ logsource:
 detection:
    selection:
        ImageLoaded|endswith: '\vssapi.dll'
-    filter_windows:
+    filter_main_windows:
        - Image:
              - 'C:\Windows\explorer.exe'
              - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
@@ -31,12 +31,12 @@ detection:
              - 'C:\Windows\SysWOW64\'
              - 'C:\Windows\Temp\{' # Installers
              - 'C:\Windows\WinSxS\'
-    filter_program_files:
+    filter_main_program_files:
        # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
-    filter_programdata_packagecache:
+    filter_optional_programdata_packagecache:
        # The following filter is required because of many FPs cause by:
        #   C:\ProgramData\Package Cache\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\dotnet-sdk-3.1.425-win-x64.exe
        #   C:\ProgramData\Package Cache\{b9cfa33e-ace4-49f4-8bb4-82ded940990a}\windowsdesktop-runtime-6.0.11-win-x86.exe
@@ -44,7 +44,11 @@ detection:
        #   C:\ProgramData\Package Cache\{2dcef8c3-1563-4149-a6ec-5b6c98500d7d}\dotnet-sdk-6.0.306-win-x64.exe
        #   etc.
        Image|startswith: 'C:\ProgramData\Package Cache\'
-    condition: selection and not 1 of filter_*
+    filter_optional_avira:
+        Image|contains|all:
+            - '\temp\is-'
+            - '\avira_system_speedup.tmp'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Unknown
 level: high
@@ -11,7 +11,7 @@ references:
    - https://github.com/ORCx41/DeleteShadowCopies
 author: frack113
 date: 2023-02-17
-modified: 2025-01-19
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.impact
@@ -32,12 +32,16 @@ detection:
              - 'C:\Windows\Temp\{' # Installers
              - 'C:\Windows\WinSxS\'
              - 'C:\ProgramData\Package Cache\{'  # Microsoft Visual Redistributable installer  VC_redist/vcredist EXE
-    filter_optional_program_files:
+    filter_main_program_files:
        # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
-    condition: selection and not 1 of filter_*
+    filter_optional_avira:
+        Image|contains|all:
+            - '\temp\is-'
+            - '\avira_system_speedup.tmp'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Unknown
 level: medium
@@ -6,7 +6,7 @@ references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
 date: 2022-08-17
-modified: 2023-03-13
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.persistence
@@ -30,6 +30,14 @@ detection:
            - 'C:\Program Files\Dell\SARemediation\audit\log.dll'
    filter_log_dll_canon:
        ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
+    filter_log_dll_avast:
+        ImageLoaded:
+            - 'C:\Program Files\AVAST Software\Avast\log.dll'
+            - 'C:\Program Files (x86)\AVAST Software\Avast\log.dll'
+    filter_log_dll_avg:
+        ImageLoaded:
+            - 'C:\Program Files\AVG\Antivirus\log.dll'
+            - 'C:\Program Files (x86)\AVG\Antivirus\log.dll'
    # F-Secure
    selection_fsecure:
        ImageLoaded|endswith: '\qrt.dll'
@@ -57,10 +65,14 @@ detection:
    # Avast
    selection_avast:
        ImageLoaded|endswith: '\wsc.dll'
-    filter_avast:
+    filter_wsc_dll_avast:
        ImageLoaded|startswith:
            - 'C:\program Files\AVAST Software\Avast\'
            - 'C:\program Files (x86)\AVAST Software\Avast\'
+    filter_wsc_dll_avg:
+        ImageLoaded|startswith:
+            - 'C:\Program Files\AVG\Antivirus\'
+            - 'C:\Program Files (x86)\AVG\Antivirus\'
    # ESET
    selection_eset_deslock:
        ImageLoaded|endswith: '\DLPPREM32.dll'
@@ -79,7 +91,7 @@ detection:
               or (selection_fsecure and not filter_fsecure)
               or (selection_mcafee and not filter_mcafee)
               or (selection_cyberark and not filter_cyberark)
-               or (selection_avast and not filter_avast)
+               or (selection_avast and not 1 of filter_wsc_dll_*)
               or (selection_titanium and not filter_titanium)
               or (selection_eset_deslock and not filter_eset_deslock)
 falsepositives:
@@ -6,7 +6,7 @@ references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
 date: 2022-10-25
-modified: 2023-05-05
+modified: 2025-10-06
 tags:
    - attack.defense-evasion
    - attack.persistence
@@ -29,6 +29,10 @@ detection:
            - 'C:\Windows\WinSxS\'
    filter_optional_steam:
        ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll'
+    filter_optional_opera:
+        # C:\\Users\\User\\AppData\\Local\\Temp\\.opera\\Opera Installer Temp\\opera_package_202311051506321\\assistant\\dbgcore.dll
+        ImageLoaded|contains: 'opera\Opera Installer Temp\opera_package'
+        ImageLoaded|endswith: '\assistant\dbgcore.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule
@@ -6,7 +6,7 @@ references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
 date: 2022-10-25
-modified: 2023-05-05
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.persistence
@@ -35,6 +35,9 @@ detection:
        ImageLoaded|endswith:
            - '\Epic Games\Launcher\Engine\Binaries\ThirdParty\DbgHelp\dbghelp.dll'
            - '\Epic Games\MagicLegends\x86\dbghelp.dll'
+    filter_optional_opera:
+        ImageLoaded|contains: 'opera\Opera Installer Temp\opera_package'
+        ImageLoaded|endswith: '\assistant\dbghelp.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule
@@ -6,7 +6,7 @@ references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-15
-modified: 2023-05-20
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.privilege-escalation
@@ -28,7 +28,15 @@ detection:
            - '.tmp\Dropbox'
        ImageLoaded|contains|all:
            - '\AppData\Local\Temp\GUM'
-            - '.tmp\\goopdate.dll'
+            - '.tmp\goopdate.dll'
+    filter_optional_googleupdate_temp:
+        Image|contains:
+            - '\AppData\Local\Temp\GUM'
+            - ':\Windows\SystemTemp\GUM'
+        Image|endswith: '.tmp\GoogleUpdate.exe'
+        ImageLoaded|contains:
+            - '\AppData\Local\Temp\GUM'
+            - ':\Windows\SystemTemp\GUM'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly.
@@ -12,6 +12,7 @@ references:
    - https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-07-25
+modified: 2025-10-06
 tags:
    - attack.defense-evasion
    - attack.persistence
@@ -32,7 +33,9 @@ detection:
        OriginalFileName: 'jli.dll'
        Product|startswith: 'OpenJDK Platform'
        Signed: 'true'
-    condition: selection and not 1 of filter_main_*
+    filter_optional_eclipse:
+        ImageLoaded|startswith: 'C:\eclipse\plugins\'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Unknown
 level: high
@@ -10,7 +10,7 @@ references:
    - https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true
 author: Swachchhanda Shrawan Poudel
 date: 2024-02-28
-modified: 2025-07-15
+modified: 2025-10-07
 tags:
    - attack.t1218.011
    - attack.t1218.010
@@ -48,7 +48,30 @@ detection:
        SignatureStatus:
            - ''
            - '-'
-    condition: selection and not 1 of filter_main_*
+    filter_main_windows_installer:
+        Image:
+            - 'C:\Windows\SysWOW64\rundll32.exe'
+            - 'C:\Windows\System32\rundll32.exe'
+        ImageLoaded|startswith: 'C:\Windows\Installer\'
+        ImageLoaded|endswith:
+            - '.tmp-\Microsoft.Deployment.WindowsInstaller.dll'
+            - '.tmp-\Avira.OE.Setup.CustomActions.dll'
+    filter_main_assembly:
+        Image|startswith:
+            - 'C:\Windows\SysWOW64\'
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\Microsoft.NET\Framework64'
+        Image|endswith: '\RegAsm.exe'
+        ImageLoaded|endswith: '.dll'
+        ImageLoaded|startswith: 'C:\Windows\assembly\NativeImages'
+    filter_optional_klite_codec:
+        Image:
+            - 'C:\Windows\SysWOW64\regsvr32.exe'
+            - 'C:\Windows\System32\regsvr32.exe'
+        ImageLoaded|startswith:
+            - 'C:\Program Files (x86)\K-Lite Codec Pack\'
+            - 'C:\Program Files\K-Lite Codec Pack\'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Unknown
 level: medium
@@ -10,7 +10,7 @@ references:
    - https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2021-11-10
-modified: 2024-07-02
+modified: 2025-10-06
 tags:
    - attack.execution
    - attack.t1203
@@ -56,10 +56,15 @@ detection:
        #       "outlook.office365.com"
        # ]
        DestinationIp|cidr:
+            - '13.107.4.0/22'
            - '13.107.6.152/31'
            - '13.107.18.10/31'
+            - '13.107.42.0/23'
            - '13.107.128.0/22'
+            - '23.35.224.0/20'
+            - '23.53.40.0/22'
            - '23.103.160.0/20'
+            - '23.216.76.0/22'
            - '40.96.0.0/13'
            - '40.104.0.0/15'
            - '52.96.0.0/14'
@@ -10,7 +10,7 @@ references:
    - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 date: 2019-09-12
-modified: 2024-10-07
+modified: 2025-10-07
 tags:
    - attack.execution
    - attack.t1059.001
@@ -22,19 +22,25 @@ detection:
    selection:
        PipeName|startswith: '\PSHost'
    filter_main_generic:
-        Image|contains:
-            - ':\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7
-            - ':\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
-            - ':\Windows\system32\dsac.exe'
-            - ':\Windows\system32\inetsrv\w3wp.exe'   # this is sad :,( but it triggers FPs on Exchange servers
-            - ':\Windows\System32\sdiagnhost.exe'
-            - ':\Windows\system32\ServerManager.exe'
-            - ':\Windows\system32\wbem\wmiprvse.exe'
-            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
-            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
-            - ':\Windows\System32\wsmprovhost.exe'
-            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
-            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
+        - Image|contains:
+              - ':\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7
+              - ':\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
+              - ':\Windows\system32\dsac.exe'
+              - ':\Windows\system32\inetsrv\w3wp.exe'   # this is sad :,( but it triggers FPs on Exchange servers
+              - ':\Windows\System32\sdiagnhost.exe'
+              - ':\Windows\system32\ServerManager.exe'
+              - ':\Windows\system32\wbem\wmiprvse.exe'
+              - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
+              - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
+              - ':\Windows\System32\wsmprovhost.exe'
+              - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
+              - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
+        - Image|contains|all:
+              - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
+              - '\pwsh.exe'
+        - Image|contains|all:
+              - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
+              - '\pwsh.exe'
    filter_optional_sqlserver: # Microsoft SQL Server\130\Tools\
        Image|startswith:
            - 'C:\Program Files (x86)\'
@@ -7,6 +7,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task
 author: frack113
 date: 2021-12-28
+modified: 2025-10-07
 tags:
    - attack.persistence
    - attack.t1053.005
@@ -30,7 +31,12 @@ detection:
            - 'PS_ScheduledTask'
            - '-NameSpace'
            - 'Root\Microsoft\Windows\TaskScheduler'
-    condition: 1 of selection_*
+    filter_main_legitimate_scripts:
+        ScriptBlockText|contains|all:
+            - 'Microsoft.PowerShell.Core\Export-ModuleMember'
+            - 'Microsoft.Management.Infrastructure.CimInstance'
+            - '__cmdletization_methodParameter'
+    condition: 1 of selection_* and not 1 of filter_main_*
 falsepositives:
    - Unknown
 level: medium
@@ -14,7 +14,7 @@ references:
    - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
 author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2022-09-12
-modified: 2025-03-12
+modified: 2025-10-06
 tags:
    - attack.defense-evasion
    - attack.t1070.001
@@ -32,7 +32,7 @@ detection:
        - ScriptBlockText|contains|all:
              - 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
              - 'ClearLog'
-        - ScriptBlockText|contains:
+        - ScriptBlockText|contains|all:
              - 'Diagnostics.EventLog'
              - 'Clear'
    condition: selection
@@ -6,7 +6,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
 author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
 date: 2020-10-08
-modified: 2022-12-25
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.t1070.005
@@ -19,7 +19,14 @@ detection:
        ScriptBlockText|contains:
            - 'Remove-SmbShare'
            - 'Remove-FileShare'
-    condition: selection
+    filter_main_module_load:
+        ScriptBlockText|contains|all:
+            - 'FileShare.cdxml'
+            - 'Microsoft.PowerShell.Core\Export-ModuleMember'
+            - 'ROOT/Microsoft/Windows/Storage/MSFT_FileShare'
+            - 'ObjectModelWrapper'
+            - 'Cmdletization.MethodParameter'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Administrators or Power users may remove their shares via cmd line
 level: medium
@@ -29,4 +29,4 @@ detection:
    condition: selection
 falsepositives:
    - Unknown
-level: medium
+level: low
@@ -10,7 +10,7 @@ references:
    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
 author: Sreeman, Florian Roth (Nextron Systems)
 date: 2022-01-04
-modified: 2023-05-12
+modified: 2025-10-07
 tags:
    - attack.command-and-control
    - attack.t1105
@@ -30,7 +30,29 @@ detection:
            - '--headless'
            - 'dump-dom'
            - 'http'
-    condition: selection
+    filter_optional_edge_1:
+        Image|startswith:
+            - 'C:\Program Files (x86)\Microsoft\Edge\Application\'
+            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
+            - 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
+            - 'C:\Program Files\Microsoft\Edge\Application\'
+            - 'C:\Program Files\Microsoft\EdgeCore\'
+            - 'C:\Program Files\Microsoft\EdgeWebView\'
+            - 'C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge'
+        Image|endswith:
+            - '\msedge.exe'
+            - '\msedgewebview2.exe'
+            - '\MicrosoftEdge.exe'
+        CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
+    filter_optional_edge_2:
+        Image|contains:
+            - '\AppData\Local\Microsoft\WindowsApps\'
+            - '\Windows\SystemApps\Microsoft.MicrosoftEdge'
+        Image|endswith:
+            - '\msedge.exe'
+            - '\MicrosoftEdge.exe'
+        CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
    - Unknown
 level: high
@@ -2,7 +2,7 @@ title: File And SubFolder Enumeration Via Dir Command
 id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
 status: test
 description: |
-    Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
+    Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
 author: frack113
@@ -8,7 +8,7 @@ references:
    - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
 author: Beyu Denis, oscd.community
 date: 2020-10-18
-modified: 2024-04-24
+modified: 2025-10-08
 tags:
    - attack.defense-evasion
    - attack.t1218
@@ -27,7 +27,15 @@ detection:
            - '.dll"'
            - ".csproj'"
            - ".dll'"
-    condition: all of selection_*
+    filter_optional_notepad++:
+        ParentImage:
+            - 'C:\Program Files (x86)\Notepad++\notepad++.exe'
+            - 'C:\Program Files\Notepad++\notepad++.exe'
+        CommandLine|contains|all:
+            - 'C:\ProgramData\CSScriptNpp\'
+            - '-cscs_path:'
+            - '\cs-script\cscs.dll'
+    condition: all of selection_* and not 1 of filter_optional_*
 falsepositives:
    - Legitimate administrator usage
 level: medium
@@ -13,7 +13,7 @@ references:
    - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2023-07-06
-modified: 2024-06-27
+modified: 2025-10-08
 tags:
    - attack.discovery
    - attack.t1057
@@ -32,7 +32,13 @@ detection:
            - 'systeminfo*|*find'
            - 'tasklist*|*find'
            - 'whoami*|*find'
-    condition: selection
+    filter_optional_xampp:
+        CommandLine|contains|all:
+            - 'cmd.exe /c TASKLIST /V |'
+            - 'FIND /I'
+            - '\xampp\'
+            - '\catalina_start.bat'
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
    - Unknown
 level: medium
@@ -10,7 +10,7 @@ references:
    - https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-13
-modified: 2024-06-24
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.t1070
@@ -26,10 +26,13 @@ detection:
    selection_cli:
        CommandLine|contains: 'unload'
    filter_optional_avira:
-        ParentImage|startswith: 'C:\Users\'
-        ParentImage|contains: '\AppData\Local\Temp\'
+        ParentImage|contains:
+            - '\AppData\Local\Temp\'
+            - ':\Windows\Temp\'
        ParentImage|endswith: '\endpoint-protection-installer-x64.tmp'
-        CommandLine|endswith: 'unload rtp_filesystem_filter'
+        CommandLine|endswith:
+            - 'unload rtp_filesystem_filter'
+            - 'unload rtp_filter'
    filter_optional_manageengine:
        ParentImage: 'C:\Program Files (x86)\ManageEngine\uems_agent\bin\dcfaservice64.exe'
        CommandLine|endswith: 'unload DFMFilter'
@@ -12,14 +12,14 @@ references:
    - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
 author: Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2024-06-24
-modified: 2025-08-18
+modified: 2025-10-07
 tags:
    - attack.credential-access
 logsource:
    product: windows
    category: process_creation
 detection:
-    selection_metadata:
+    selection_img_metadata:
        Image|endswith: '\lazagne.exe'
    selection_img_cli:
        # Note: This selection can be prone to FP. An initial baseline is required
@@ -67,20 +67,20 @@ detection:
            - '.exe windows'
    selection_cli_modules:
        CommandLine|contains:
-            - 'all '
-            - 'browsers '
-            - 'chats '
-            - 'databases '
-            - 'games '
-            - 'mails '
-            - 'maven '
-            - 'memory '
-            - 'multimedia '
-            - 'php '
-            - 'svn '
-            - 'sysadmin '
-            - 'unused '
-            - 'wifi '
+            - ' all '
+            - ' browsers '
+            - ' chats '
+            - ' databases '
+            - ' games '
+            - ' mails '
+            - ' maven '
+            - ' memory '
+            - ' multimedia '
+            - ' php '
+            - ' svn '
+            - ' sysadmin '
+            - ' unused '
+            - ' wifi '
    selection_cli_options:
        CommandLine|contains:
            - '-1Password'
@@ -133,7 +133,7 @@ detection:
            - '-vaultfiles'
            - '-vnc'
            - '-winscp'
-    condition: selection_metadata or selection_img_cli or all of selection_cli_*
+    condition: 1 of selection_img_* or all of selection_cli_*
 falsepositives:
    - Some false positive is expected from tools with similar command line flags.
 # Note: Increase the level to "high" after an initial baseline
@@ -9,7 +9,7 @@ references:
    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-28
-modified: 2024-03-13
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.t1218.007
@@ -34,7 +34,11 @@ detection:
        CommandLine|contains:
            - 'http'
            - '\\\\'
-    condition: all of selection_*
+    filter_optional_openoffice:
+        CommandLine|contains|all:
+            - '\AppData\Local\Temp\OpenOffice'
+            - 'Installation Files\openoffice'
+    condition: all of selection_* and not 1 of filter_optional_*
 falsepositives:
    - Unknown
 level: medium
@@ -6,7 +6,7 @@ references:
    - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
 author: frack113
 date: 2022-08-14
-modified: 2023-02-10
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.t1562.004
@@ -24,6 +24,9 @@ detection:
    filter_optional_dropbox:
        ParentImage|endswith: '\Dropbox.exe'
        CommandLine|contains: 'name=Dropbox'
+    filter_optional_avast:
+        ParentImage|endswith: '\instup.exe'
+        CommandLine|contains: 'advfirewall firewall delete rule name="Avast Antivirus Admin Client"'
    condition: all of selection_* and not 1 of filter_optional_*
 falsepositives:
    - Legitimate administration activity
@@ -16,7 +16,7 @@ references:
    - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
 author: frack113
 date: 2021-11-01
-modified: 2023-12-13
+modified: 2025-10-07
 tags:
    - attack.execution
    - attack.t1059.001
@@ -26,9 +26,11 @@ logsource:
 detection:
    selection_img:
        - OriginalFileName:
+              - 'powershell_ise.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
        - Image|endswith:
+              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
    selection_option:
@@ -40,7 +42,22 @@ detection:
        CommandLine|contains:
            - 'Bypass'
            - 'Unrestricted'
-    condition: all of selection_*
+    filter_main_powershell_core:
+        ParentImage:
+            - 'C:\Windows\SysWOW64\msiexec.exe'
+            - 'C:\Windows\System32\msiexec.exe'
+        CommandLine|contains:
+            - '-NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\PowerShell\7\'
+            - '-NoProfile -ExecutionPolicy Bypass -File "C:\Program Files (x86)\PowerShell\7\'
+    filter_optional_avast:
+        ParentImage|contains:
+            - 'C:\Program Files\Avast Software\Avast\'
+            - 'C:\Program Files (x86)\Avast Software\Avast\'
+            - '\instup.exe'
+        CommandLine|contains:
+            - '-ExecutionPolicy ByPass -File "C:\Program Files\Avast Software\Avast'
+            - '-ExecutionPolicy ByPass -File "C:\Program Files (x86)\Avast Software\Avast\'
+    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Administrator scripts
 level: medium
@@ -8,7 +8,7 @@ references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-02
-modified: 2025-01-20
+modified: 2025-10-07
 tags:
    - attack.execution
    - attack.t1059
@@ -24,12 +24,26 @@ detection:
              - 'python2.exe'
    selection_cli:
        CommandLine|contains: ' -c'
-    filter_main_python: # Based on baseline
-        ParentImage|startswith: 'C:\Program Files\Python'
+    filter_main_python_1: # Based on baseline
+        ParentImage|startswith:
+            - 'C:\Program Files\Python'
+            - 'C:\Program Files (x86)\Python'
        ParentImage|endswith: '\python.exe'
        ParentCommandLine|contains: '-E -s -m ensurepip -U --default-pip'
+    filter_main_python_trace: # Based on baseline
+        ParentImage|startswith:
+            - 'C:\Program Files\Python'
+            - 'C:\Program Files (x86)\Python'
+        CommandLine|contains|all:
+            # CommandLine: \"C:\\Program Files\\Python312\\python.exe\" -W ignore::DeprecationWarning -c \"\nimport runpy\nimport sys\nsys.path = ['C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj\\\\pip-23.2.1-py3-none-any.whl'] + sys.path\nsys.argv[1:] = ['install', '--no-cache-dir', '--no-index', '--find-links', 'C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj', '--upgrade', 'pip']\nrunpy.run_module(\\\"pip\\\", run_name=\\\"__main__\\\", alter_sys=True)\n\
+            - '-W ignore::DeprecationWarning'
+            - "['install', '--no-cache-dir', '--no-index', '--find-links',"
+            - "'--upgrade', 'pip'"
    filter_optional_vscode:
-        ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
+        - ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
+        - ParentImage:
+              - 'C:\Program Files\Microsoft VS Code\Code.exe'
+              - 'C:\Program Files (x86)\Microsoft VS Code\Code.exe'
    filter_optional_pip:
        CommandLine|contains|all:
            - '<pip-setuptools-caller>'
@@ -15,10 +15,12 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection_1:
-        Image|endswith: '\reg.exe'
+    selection_img:
+        - Image|endswith: '\reg.exe'
+        - OriginalFileName: 'reg.exe'
+    selection_cli_add:
        CommandLine|contains: 'add'     # to avoid intersection with discovery tactic rules
-    selection_2:
+    selection_cli_keys:
        CommandLine|contains:           # need to improve this list, there are plenty of ASEP reg keys
            - '\software\Microsoft\Windows\CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"
            - '\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
@@ -6,7 +6,7 @@ references:
    - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-14
-modified: 2022-08-08
+modified: 2025-10-07
 tags:
    - attack.persistence
    - attack.privilege-escalation
@@ -24,7 +24,17 @@ detection:
            - 'binPath'
            - 'type'
            - 'kernel'
-    condition: selection
+    filter_optional_avira_driver:
+        - CommandLine|contains|all:
+              - 'create netprotection_network_filter'
+              - 'type= kernel start= '
+              - 'binPath= System32\drivers\netprotection_network_filter'
+              - 'DisplayName= netprotection_network_filter'
+              - 'group= PNP_TDI tag= yes'
+        - CommandLine|contains|all:
+              - 'create avelam binpath=C:\Windows\system32\drivers\avelam.sys'
+              - 'type=kernel start=boot error=critical group=Early-Launch'
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
    - Rare legitimate installation of kernel drivers via sc.exe
 level: medium
@@ -11,7 +11,7 @@ references:
    - https://blog.talosintelligence.com/gophish-powerrat-dcrat/
 author: Florian Roth (Nextron Systems)
 date: 2022-02-21
-modified: 2024-10-28
+modified: 2025-10-07
 tags:
    - attack.execution
    - attack.t1053.005
@@ -21,7 +21,7 @@ logsource:
 detection:
    selection_1_create:
        Image|endswith: '\schtasks.exe'
-        CommandLine|contains: ' /create '
+        CommandLine|contains|windash: ' /create '
    selection_1_all_folders:
        CommandLine|contains:
            - ':\Perflogs'
@@ -49,15 +49,15 @@ detection:
    filter_optional_avira_install:
        # Comment out this filter if you dont use AVIRA
        CommandLine|contains|all:
-            - '/Create /Xml "C:\Users\'
-            - '\AppData\Local\Temp\.CR.'
-            - 'Avira_Security_Installation.xml'
+            - '/Create /Xml '
+            - '\Temp\.CR.'
+            - '\Avira_Security_Installation.xml'
    filter_optional_avira_other:
        # Comment out this filter if you dont use AVIRA
        CommandLine|contains|all:
            - '/Create /F /TN'
            - '/Xml '
-            - '\AppData\Local\Temp\is-'
+            - '\Temp\'
            - 'Avira_'
        CommandLine|contains:
            - '.tmp\UpdateFallbackTask.xml'
@@ -66,7 +66,7 @@ detection:
            - '.tmp\MaintenanceTask.xml'
    filter_optional_klite_codec:
        CommandLine|contains|all:
-            - '\AppData\Local\Temp\'
+            - '\Temp\'
            - '/Create /TN "klcp_update" /XML '
            - '\klcp_update_task.xml'
    condition: ( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_*
@@ -14,7 +14,7 @@ references:
    - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
 author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
 date: 2022-06-09
-modified: 2023-11-09
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.execution
@@ -36,8 +36,10 @@ detection:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\Discord\Update.exe'
-            - ' --processStart'
            - 'Discord.exe'
+        CommandLine|contains:
+            - '--createShortcut'
+            - '--processStart'
    filter_optional_github_desktop:
        CommandLine|contains|all:
            - ':\Users\'
@@ -7,7 +7,7 @@ references:
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-12
-modified: 2023-08-31
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
 logsource:
@@ -24,6 +24,7 @@ detection:
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
+            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
@@ -42,6 +43,9 @@ detection:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\pwsh.exe'
+    filter_optional_sysinternals:
+        ParentImage|startswith: 'C:\Program Files\WindowsApps\Microsoft.SysinternalsSuite'
+        Image|endswith: '\cmd.exe'
    condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*
 falsepositives:
    - Legitimate packages that make use of external binaries such as Windows Terminal
@@ -8,6 +8,7 @@ references:
    - https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document
 author: Joseph Kamau
 date: 2024-05-27
+modified: 2025-10-07
 tags:
    - attack.execution
    - attack.t1204.002
@@ -29,9 +30,14 @@ detection:
            - '\maxthon.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
-            - ''
        CommandLine|contains: 'http'
-    condition: selection
+    filter_main_microsoft_help:
+        CommandLine|contains: 'https://go.microsoft.com/fwlink/'
+    filter_optional_foxit:
+        CommandLine|contains:
+            - 'http://ad.foxitsoftware.com/adlog.php?'
+            - 'https://globe-map.foxitservice.com/go.php?do=redirect'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed.
 level: medium
@@ -13,7 +13,7 @@ references:
    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
 author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
 date: 2020-07-03
-modified: 2023-08-29
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.t1036.003
@@ -21,11 +21,12 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection_cmd:
+    selection_img_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'copy '
-    selection_pwsh:
+    selection_img_pwsh:
        Image|endswith:
+            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
@@ -33,19 +34,28 @@ detection:
            - ' copy '
            - 'cpi '
            - ' cp '
-    selection_other:
+    selection_img_other:
        - Image|endswith:
              - '\robocopy.exe'
              - '\xcopy.exe'
        - OriginalFileName:
              - 'robocopy.exe'
              - 'XCOPY.EXE'
-    target:
+    selection_target:
        CommandLine|contains:
            - '\System32'
            - '\SysWOW64'
            - '\WinSxS'
-    condition: 1 of selection_* and target
+    filter_optional_avira:
+        Image|endswith: '\cmd.exe'
+        CommandLine|contains|all:
+            - '/c copy'
+            - '\Temp\'
+            - '\avira_system_speedup.exe'
+        CommandLine|contains:
+            - 'C:\Program Files\Avira\'
+            - 'C:\Program Files (x86)\Avira\'
+    condition: 1 of selection_img_* and selection_target and not 1 of filter_optional_*
 falsepositives:
    - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
    - When cmd.exe and xcopy.exe are called directly #  C:\Windows\System32\cmd.exe /c copy file1 file2
@@ -1,47 +0,0 @@
-title: Use Short Name Path in Command Line
-id: 349d891d-fef0-4fe4-bc53-eee623a15969
-related:
-    - id: a96970af-f126-420d-90e1-d37bf25e50e1
-      type: similar
-status: test
-description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
-references:
-    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
-    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
-    - https://twitter.com/frack113/status/1555830623633375232
-author: frack113, Nasreddine Bencherchali
-date: 2022-08-07
-modified: 2025-07-04
-tags:
-    - attack.defense-evasion
-    - attack.t1564.004
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains:
-            - '~1\'
-            - '~2\'
-    filter:
-        - ParentImage:
-              - 'C:\Windows\System32\Dism.exe'
-              - 'C:\Windows\System32\cleanmgr.exe'
-              - 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe'
-        - ParentImage|endswith:
-              - '\WebEx\WebexHost.exe'
-              - '\thor\thor64.exe'
-              - '\veam.backup.shell.exe'
-              - '\winget.exe'
-              - '\Everything\Everything.exe'
-              - '\aurora-agent-64.exe'
-              - '\aurora-agent.exe'
-        - ParentImage|contains: '\AppData\Local\Temp\WinGet\'
-        - CommandLine|contains:
-              - '\appdata\local\webex\webex64\meetings\wbxreport.exe'
-              - 'C:\Program Files\Git\post-install.bat'
-              - 'C:\Program Files\Git\cmd\scalar.exe'
-    condition: selection and not filter
-falsepositives:
-    - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process.
-level: medium
@@ -6,7 +6,7 @@ references:
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 author: Max Altgelt (Nextron Systems)
 date: 2022-08-23
-modified: 2023-12-14
+modified: 2025-10-08
 tags:
    - attack.defense-evasion
    - attack.privilege-escalation
@@ -15,10 +15,23 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    sysnative:
+    selection:
        - CommandLine|contains: ':\Windows\Sysnative\'
        - Image|contains: ':\Windows\Sysnative\'
-    condition: sysnative
+    filter_main_ngen:
+        Image|contains:
+            - 'C:\Windows\Microsoft.NET\Framework64\v'
+            - 'C:\Windows\Microsoft.NET\Framework\v'
+            - 'C:\Windows\Microsoft.NET\FrameworkArm\v'
+            - 'C:\Windows\Microsoft.NET\FrameworkArm64\v'
+        Image|endswith: '\ngen.exe'
+        CommandLine|contains: 'install'
+    filter_optional_xampp:
+        CommandLine|contains|all:
+            - '"C:\Windows\sysnative\cmd.exe"'
+            - '\xampp\'
+            - '\catalina_start.bat'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Unknown
 level: medium
@@ -12,7 +12,7 @@ references:
    - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
 author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2017-11-27
-modified: 2025-07-11
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.t1036
@@ -85,9 +85,12 @@ detection:
    filter_optional_system32:
        Image|contains: '\SystemRoot\System32\'
    filter_main_powershell:
-        Image:
-            - 'C:\Program Files\PowerShell\7\pwsh.exe'
-            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
+        Image|contains:
+            - 'C:\Program Files\PowerShell\7\'
+            - 'C:\Program Files\PowerShell\7-preview\'
+            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
+            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store
+        Image|endswith: '\pwsh.exe'
    filter_main_wsl_windowsapps:
        Image|startswith: 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
        Image|endswith: '\wsl.exe'
@@ -8,7 +8,7 @@ references:
    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
 author: Victor Sergeev, oscd.community
 date: 2020-10-09
-modified: 2022-07-11
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.t1218
@@ -23,7 +23,12 @@ detection:
        CommandLine|contains|all:
            - '/S'
            - '/C'
-    condition: all of selection_*
+    filter_main_runtimebroker:
+        ParentImage|endswith: 'C:\Windows\System32\RuntimeBroker.exe'
+        CommandLine|contains|all:
+            - 'verclsid.exe" /S /C {'
+            - '} /I {'
+    condition: all of selection_* and not 1 of filter_main_*
 fields:
    - CommandLine
 falsepositives:
@@ -12,6 +12,7 @@ references:
    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
 author: 'Matt Anderson (Huntress)'
 date: 2025-07-11
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
 logsource:
@@ -20,7 +21,13 @@ logsource:
 detection:
    selection:
        TargetObject|contains: 'shellex\ContextMenuHandlers\EPP'
-    condition: selection
+    filter_main_defender:
+        Image|startswith:
+            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+            - 'C:\Program Files\Windows Defender\'
+            - 'C:\Program Files (x86)\Windows Defender\'
+        Image|endswith: '\MsMpEng.exe'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Unlikely as this weakens defenses and normally would not be done even if using another AV.
 level: medium
@@ -7,7 +7,7 @@ references:
    - https://seclists.org/fulldisclosure/2020/Mar/45
 author: frack113
 date: 2021-06-07
-modified: 2023-02-08
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.t1562.001
@@ -16,11 +16,16 @@ logsource:
    category: registry_delete
 detection:
    selection:
-        EventType: DeleteKey
        TargetObject|endswith:
            - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
            - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
-    condition: selection
+    filter_main_defender:
+        Image|startswith:
+            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+            - 'C:\Program Files\Windows Defender\'
+            - 'C:\Program Files (x86)\Windows Defender\'
+        Image|endswith: '\MsMpEng.exe'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Unlikely
 level: high
@@ -12,7 +12,7 @@ references:
    - https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-05-02
-modified: 2025-07-11
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.t1112
@@ -21,50 +21,76 @@ logsource:
    category: registry_delete
 detection:
    selection:
-        EventType: 'DeleteKey'
        TargetObject|endswith: '\shell\open\command'
-    filter_svchost:
+    filter_main_explorer:
+        Image|endswith: 'C:\Windows\explorer.exe'
+    filter_main_svchost:
        Image: 'C:\Windows\system32\svchost.exe'
-    filter_office:
-        Image|startswith:
-            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
-            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
-        Image|endswith: '\OfficeClickToRun.exe'
-    filter_integrator:
+    filter_main_msiexec:
        Image:
-            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
-            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
-    filter_dropbox:
+            - 'C:\Windows\System32\msiexec.exe'
+            - 'C:\Windows\SysWOW64\msiexec.exe'
+    filter_main_generic_prorams:
+        Image|startswith:
+            - 'C:\Program Files\'
+            - 'C:\Program Files (x86)\'
+    filter_main_openwith:
+        Image: 'C:\Windows\System32\OpenWith.exe'
+    filter_optional_dropbox:
        Image|endswith: '\Dropbox.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\Dropbox.'
-    filter_wireshark:
+    filter_optional_wireshark:
        Image|endswith: '\AppData\Local\Temp\Wireshark_uninstaller.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\wireshark-capture-file\'
-    filter_opera:
-        Image|startswith:
-            - 'C:\Program Files\Opera\'
-            - 'C:\Program Files (x86)\Opera\'
-        Image|endswith: '\installer.exe'
-    filter_peazip:
+    filter_optional_peazip:
        Image|contains: 'peazip'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\PeaZip.'
-    filter_everything:
+    filter_optional_everything:
        Image|endswith: '\Everything.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\Everything.'
-    filter_uninstallers:
+    filter_optional_uninstallers:
        # This image path is linked with different uninstallers when running as admin unfortunately
        Image|startswith: 'C:\Windows\Installer\MSI'
-    filter_java:
+    filter_optional_java:
        Image|startswith: 'C:\Program Files (x86)\Java\'
        Image|endswith: '\installer.exe'
        TargetObject|contains: '\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}'
-    filter_edgeupdate:
+    filter_optional_edgeupdate:
        Image|contains: '\Microsoft\EdgeUpdate\Install'
-    condition: selection and not 1 of filter_*
+    filter_optional_avira:
+        Image:
+            - 'C:\Program Files (x86)\Avira\Antivirus\'
+            - 'C:\Program Files\Avira\Antivirus\'
+        TargetObject|endswith:
+            - '\CLSID\{305CA226-D286-468e-B848-2B2E8E697B74}\Shell\Open\Command'
+            - '\AntiVir.Keyfile\shell\open\command'
+    filter_optional_installer_temp:
+        - Image|contains|all:
+              - 'AppData\Local\Temp'
+              - '\setup.exe'
+        - Image|contains|all:
+              - '\Temp\is-'
+              - '\target.tmp'
+    filter_optional_ninite:
+        Image|endswith: '\ninite.exe'
+    filter_optional_discord:
+        Image|endswith: '\reg.exe'
+        TargetObject|endswith: '\Discord\shell\open\command'
+    filter_optional_spotify:
+        Image|endswith: '\Spotify.exe'
+        TargetObject|endswith: '\Spotify\shell\open\command'
+    filter_optional_eclipse:
+        Image|endswith: 'C:\eclipse\eclipse.exe'
+        TargetObject|contains: '_Classes\eclipse+'
+    filter_optional_teamviewer:
+        Image|contains|all:
+            - '\Temp'
+            - '\TeamViewer'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
-    - Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered
+    - Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered
 level: medium
@@ -7,7 +7,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
 author: frack113
 date: 2022-04-04
-modified: 2024-03-25
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.t1564.001
@@ -26,6 +26,10 @@ detection:
        TargetObject|endswith:
            - '\Control\SafeBoot\Minimal\SAVService\(Default)'
            - '\Control\SafeBoot\Network\SAVService\(Default)'
+    filter_optional_mbamservice:
+        Image|endswith: '\MBAMInstallerService.exe'
+        TargetObject|endswith: '\MBAMService\(Default)'
+        Details: 'Service'
    condition: selection and not 1 of filter_optional_*
 falsepositives:
    - Unknown
@@ -12,7 +12,7 @@ references:
    - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019-10-25
-modified: 2025-06-16
+modified: 2025-10-07
 tags:
    - attack.persistence
    - attack.t1547.001
@@ -20,9 +20,9 @@ logsource:
    category: registry_set
    product: windows
 detection:
-    current_version_base:
+    selection_current_version_base:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
-    current_version_keys:
+    selection_current_version_keys:
        TargetObject|contains:
            - '\ShellServiceObjectDelayLoad'
            - '\Run\'
@@ -44,7 +44,7 @@ detection:
            - '\Authentication\PLAP Providers'
            - '\Authentication\Credential Providers'
            - '\Authentication\Credential Provider Filters'
-    filter_all:
+    filter_main_all:
        - Details: '(Empty)'
        - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
        - Image|endswith:
@@ -61,85 +61,111 @@ detection:
              - 'C:\Program Files\Everything\Everything.exe'
              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
              - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
-    filter_logonui:
+    filter_main_logonui:
        Image: 'C:\Windows\system32\LogonUI.exe'
        TargetObject|contains:
            - '\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\'  # PIN
            - '\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\'  # fingerprint
            - '\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\'  # facial recognizion
            - '\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\'  # Trusted Signal (Phone proximity, Network location)
-    filter_edge:
+    filter_main_edge:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\'
            - 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
-    filter_dropbox:
+    filter_main_officeclicktorun:
+        Image|startswith:
+            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
+        Image|endswith: '\OfficeClickToRun.exe'
+    filter_main_defender:
+        Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
+    filter_main_teams:
+        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
+        Details|contains: '\Microsoft\Teams\Update.exe --processStart '
+    filter_main_ctfmon:
+        Image: 'C:\Windows\system32\userinit.exe'
+        Details: 'ctfmon.exe /n'
+    filter_optional_dropbox:
        Image: 'C:\Windows\system32\regsvr32.exe'
        TargetObject|contains: 'DropboxExt'
        Details|endswith: 'A251-47B7-93E1-CDD82E34AF8B}'
-    filter_opera:
+    filter_optional_opera_1:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant'
        Details: 'C:\Program Files\Opera\assistant\browser_assistant.exe'
-    filter_itunes:
+    filter_optional_opera_2:
+        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Opera Stable'
+        Details:
+            - 'C:\Program Files\Opera\launcher.exe'
+            - 'C:\Program Files (x86)\Opera\launcher.exe'
+    filter_optional_itunes:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper'
        Details: '"C:\Program Files\iTunes\iTunesHelper.exe"'
-    filter_zoom:
+    filter_optional_zoom:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair'
        Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair'
-    filter_greenshot:
+    filter_optional_greenshot:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot'
        Details: 'C:\Program Files\Greenshot\Greenshot.exe'
-    filter_googledrive1:
+    filter_optional_googledrive1:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS'
        Details|startswith: 'C:\Program Files\Google\Drive File Stream\'
        Details|contains: '\GoogleDriveFS.exe'
-    filter_googledrive2:
+    filter_optional_googledrive2:
        TargetObject|contains: 'GoogleDrive'
        Details:
            - '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}'
            - '{A8E52322-8734-481D-A7E2-27B309EF8D56}'
            - '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
            - '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'
-    filter_onedrive:
+    filter_optional_onedrive:
        Details|startswith:
            - 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\'
            - 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
        Details|contains: '\AppData\Local\Microsoft\OneDrive\'
-    filter_python:
+    filter_optional_python:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\{'
        Details|contains|all:
            - '\AppData\Local\Package Cache\{'
            - '}\python-'
        Details|endswith: '.exe" /burn.runonce'
-    filter_officeclicktorun:
-        Image|startswith:
-            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
-            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
-        Image|endswith: '\OfficeClickToRun.exe'
-    filter_defender:
-        Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
-    filter_teams:
-        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
-        Details|contains: '\Microsoft\Teams\Update.exe --processStart '
-    filter_ctfmon:
-        Image: 'C:\Windows\system32\userinit.exe'
-        Details: 'ctfmon.exe /n'
-    filter_AVG:
-        Image|startswith: 'C:\Program Files\AVG\Antivirus\Setup\'
+    filter_optional_AVG_setup:
+        Image|contains:
+            - 'C:\Program Files\AVG\Antivirus\Setup\'
+            - 'C:\Program Files (x86)\AVG\Antivirus\Setup\'
+            - '\instup.exe'
        Details:
            - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
            - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
            - '{472083B0-C522-11CF-8763-00608CC02F24}'
-    filter_aurora_dashboard:
+            - '{472083B1-C522-11CF-8763-00608CC02F24}'
+    filter_optional_Avast:
+        Image|contains:
+            - 'C:\Program Files\Avast Software\Avast\Setup\'
+            - 'C:\Program Files (x86)\Avast Software\Avast\Setup\'
+            - '\instup.exe'
+        Details:
+            - '"C:\Program Files\Avast Software\Avast\AvLaunch.exe" /gui'
+            - '"C:\Program Files (x86)\Avast Software\Avast\AvLaunch.exe" /gui'
+    filter_optional_AVG_avgtoolsvc:
+        Image:
+            - 'C:\Program Files\AVG\Antivirus\avgToolsSvc.exe'
+            - 'C:\Program Files (x86)\AVG\Antivirus\avgToolsSvc.exe'
+        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\'
+        Details: 'Binary Data'
+    filter_optional_aurora_dashboard:
        Image|endswith:
            - '\aurora-agent-64.exe'
            - '\aurora-agent.exe'
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard'
        Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe'
-    filter_everything:
+    filter_optional_everything:
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything'
        Details|endswith: '\Everything\Everything.exe" -startup' # We remove the starting part as it could be installed in different locations
-    condition: all of current_version_* and not 1 of filter_*
+    filter_optional_discord:
+        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Discord'
+        Details|endswith: '\Discord\Update.exe --processStart Discord.exe'
+    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
@@ -11,7 +11,7 @@ references:
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019-10-25
-modified: 2025-07-04
+modified: 2025-10-07
 tags:
    - attack.persistence
    - attack.t1547.001
@@ -55,6 +55,17 @@ detection:
    filter_main_runtimebroker:
        Image: 'C:\Windows\System32\RuntimeBroker.exe'
        TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
+    filter_optional_avguard:
+        Image|startswith:
+            - 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe'
+            - 'C:\Program Files\Avira\Antivirus\avguard.exe'
+        TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\'
+        TargetObject|endswith:
+            - '\userinit\UseAsDefault'
+            - '\shell\UseAsDefault'
+        Details:
+            - 'explorer.exe'
+            - 'C:\Windows\system32\userinit.exe,'
    filter_optional_edge:
        Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
        Image|endswith: '\MicrosoftEdgeUpdate.exe'
@@ -11,7 +11,7 @@ references:
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019-10-25
-modified: 2023-08-17
+modified: 2025-10-07
 tags:
    - attack.persistence
    - attack.t1547.001
@@ -19,11 +19,11 @@ logsource:
    category: registry_set
    product: windows
 detection:
-    office:
+    selection_office_root:
        TargetObject|contains:
            - '\Software\Wow6432Node\Microsoft\Office'
            - '\Software\Microsoft\Office'
-    office_details:
+    selection_office_details:
        TargetObject|contains:
            - '\Word\Addins'
            - '\PowerPoint\Addins'
@@ -32,9 +32,9 @@ detection:
            - '\Excel\Addins'
            - '\Access\Addins'
            - 'test\Special\Perf'
-    filter_empty:
+    filter_main_empty:
        Details: '(Empty)'
-    filter_known_addins:
+    filter_main_known_addins:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
@@ -62,15 +62,22 @@ detection:
            - '\Outlook\Addins\UCAddin.LyncAddin.1'
            - '\Outlook\Addins\UCAddin.UCAddin.1'
            - '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
-    filter_officeclicktorun:
+    filter_main_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
-    filter_avg:
-        Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+    filter_optional_avg:
+        Image:
+            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+            - 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
-    condition: office and office_details and not 1 of filter_*
+    filter_optional_avast:
+        Image:
+            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
+            - 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
+        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
+    condition: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_*
 fields:
    - SecurityID
    - ObjectName
@@ -12,7 +12,7 @@ references:
    - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019-10-25
-modified: 2023-08-17
+modified: 2025-10-07
 tags:
    - attack.persistence
    - attack.t1547.001
@@ -35,47 +35,14 @@ detection:
            - '\Explorer\ShellExecuteHooks'
            - '\Explorer\SharedTaskScheduler'
            - '\Explorer\Browser Helper Objects'
-    filter_empty:
+    filter_main_empty:
        Details: '(Empty)'
-    filter_edge:
-        Image|contains|all:
-            - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
-            - '\setup.exe'
-    filter_msoffice1:
-        Image: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe'
-        TargetObject|contains: '\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\'
-    filter_msoffice2:
-        Image:
-            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
-            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
-        TargetObject|contains: '\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\'
-    filter_dropbox:
-        - Details|endswith: '-A251-47B7-93E1-CDD82E34AF8B}'
-        - Details: 'grpconv -o'
-        - Details|contains|all:
-              - 'C:\Program Files'
-              - '\Dropbox\Client\Dropbox.exe'
-              - ' /systemstartup'
-    filter_evernote:
-        TargetObject|endswith: '\Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer'
-    filter_dotnet:
-        Image|contains: '\windowsdesktop-runtime-'
-        TargetObject|endswith:
-            - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}'
-            - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}'
-        Details|startswith: '"C:\ProgramData\Package Cache\'
-        Details|endswith: '.exe" /burn.runonce'
-    filter_office:
-        Image|startswith:
-            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
-            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
-        Image|endswith: '\OfficeClickToRun.exe'
-    filter_ms_win_desktop_runtime:
+    filter_main_ms_win_desktop_runtime:
        Details|startswith: '"C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-'
-    filter_vcredist:
+    filter_main_vcredist:
        Image|endswith: '\VC_redist.x64.exe'
        Details|endswith: '}\VC_redist.x64.exe" /burn.runonce'
-    filter_upgrades:
+    filter_main_upgrades:
        Image|startswith:
            - 'C:\ProgramData\Package Cache'
            - 'C:\Windows\Temp\'
@@ -84,19 +51,65 @@ detection:
            - '\windowsdesktop-runtime-'  # C:\WINDOWS\Temp\{751E2E78-46DC-4376-9205-99219CDC34AE}\.be\windowsdesktop-runtime-6.0.12-win-x86.exe
            - '\AspNetCoreSharedFrameworkBundle-'  # "C:\ProgramData\Package Cache\{b52191c1-a9c0-4b34-9a4e-930c2dd8a540}\AspNetCoreSharedFrameworkBundle-x86.exe" /burn.runonce
        Details|endswith: ' /burn.runonce'
-    filter_uninstallers:
+    filter_main_uninstallers:
        # This image path is linked with different uninstallers when running as admin unfortunately
        Image|startswith: 'C:\Windows\Installer\MSI'
        TargetObject|contains: '\Explorer\Browser Helper Objects'
-    filter_msiexec:
+    filter_main_msiexec:
        Image: 'C:\WINDOWS\system32\msiexec.exe'
        TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\'
-    condition: all of selection_wow_current_version_* and not 1 of filter_*
-fields:
-    - SecurityID
-    - ObjectName
-    - OldValueType
-    - NewValueType
+    filter_main_edge:
+        Image|contains|all:
+            - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
+            - '\setup.exe'
+    filter_optional_msoffice1:
+        Image: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe'
+        TargetObject|contains: '\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\'
+    filter_optional_msoffice2:
+        Image:
+            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
+            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
+        TargetObject|contains: '\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\'
+    filter_optional_dropbox:
+        - Details|endswith: '-A251-47B7-93E1-CDD82E34AF8B}'
+        - Details: 'grpconv -o'
+        - Details|contains|all:
+              - 'C:\Program Files'
+              - '\Dropbox\Client\Dropbox.exe'
+              - ' /systemstartup'
+    filter_optional_evernote:
+        TargetObject|endswith: '\Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer'
+    filter_optional_dotnet:
+        Image|contains: '\windowsdesktop-runtime-'
+        TargetObject|endswith:
+            - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}'
+            - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}'
+        Details|startswith: '"C:\ProgramData\Package Cache\'
+        Details|endswith: '.exe" /burn.runonce'
+    filter_optional_office:
+        Image|startswith:
+            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
+        Image|endswith: '\OfficeClickToRun.exe'
+    filter_optional_discord:
+        TargetObject|endswith: '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Discord'
+        Details|endswith: 'Discord.exe --checkInstall'
+    filter_optional_avira:
+        Details|endswith: '\Avira.OE.Setup.Bundle.exe" /burn.runonce'
+        Image|endswith: '\Avira.OE.Setup.Bundle.exe'
+    filter_optional_avg_1:
+        Image|endswith: '\instup.exe'
+        TargetObject|endswith: '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\AvRepair'
+        Details|endswith: 'instup.exe" /instop:repair /wait'
+    filter_optional_avg_2:
+        Image|endswith: '\instup.exe'
+        TargetObject|endswith:
+            - '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg\(Default)'
+            - '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw\(Default)'
+        Details:
+            - '{472083B1-C522-11CF-8763-00608CC02F24}'
+            - '{472083B0-C522-11CF-8763-00608CC02F24}'
+    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
@@ -9,7 +9,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: Florian Roth (Nextron Systems), frack113
 date: 2022-05-02
-modified: 2023-08-17
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.t1112
@@ -17,7 +17,7 @@ logsource:
    category: registry_set
    product: windows
 detection:
-    selection_1:
+    selection_service_start:
        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
        TargetObject|endswith: '\Start'
        Image|contains:
@@ -30,7 +30,7 @@ detection:
            - 'DWORD (0x00000001)'  # System
            - 'DWORD (0x00000002)'  # Automatic
            # 3 - Manual , 4 - Disabled
-    selection_2:
+    selection_service_imagepath:
        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
        TargetObject|endswith: '\ImagePath'
        Details|contains:
@@ -38,11 +38,15 @@ detection:
            - '\Perflogs\'
            - '\ADMIN$\'
            - '\Temp\'
-    filter_1:
+    filter_optional_avast:
        Image|contains|all: # Filter FP with Avast software
            - '\Common Files\'
            - '\Temp\'
-    condition: 1 of selection_* and not 1 of filter_*
+    filter_optional_mbamservice:
+        TargetObject|endswith: '\CurrentControlSet\Services\MBAMInstallerService\ImagePath'
+        Details|endswith: '\AppData\Local\Temp\MBAMInstallerService.exe"'
+        Image: 'C:\Windows\system32\services.exe'
+    condition: 1 of selection_* and not 1 of filter_optional_*
 falsepositives:
    - Unknown
 level: high
@@ -16,6 +16,7 @@ references:
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
 author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
 date: 2023-12-21
+modified: 2025-10-08
 tags:
    - attack.defense-evasion
    - attack.impact
@@ -41,6 +42,12 @@ detection:
    filter_main_svchost:
        # Note: Excluding GPO changes
        Image|endswith: '\svchost.exe'
+    filter_main_empty:
+        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
+        Details: '(Empty)'
+    filter_main_explorer:
+        # Normally Explorer.exe is the process that changes the desktop background
+        Image|endswith: 'C:\Windows\Explorer.EXE'
    condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_*
 falsepositives:
    - Administrative scripts that change the desktop background to a company logo or other image.
@@ -8,7 +8,7 @@ references:
    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-01
-modified: 2023-08-17
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
 logsource:
@@ -25,9 +25,18 @@ detection:
            - '\Enable'
            - '\Start'
        Details: DWORD (0x00000000)
-    filter_wevtutil:
+    filter_main_wevtutil:
        Image: 'C:\Windows\system32\wevtutil.exe'
-    condition: all of selection_* and not 1 of filter_*
+    filter_main_defender:
+        Image|startswith:
+            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+            - 'C:\Program Files\Windows Defender\'
+            - 'C:\Program Files (x86)\Windows Defender\'
+        Image|endswith: '\MsMpEng.exe'
+        TargetObject|contains:
+            - '\DefenderApiLogger\'
+            - '\DefenderAuditLogger\'
+    condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
    - Unknown
 level: high
@@ -9,7 +9,7 @@ references:
    - https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-16
-modified: 2023-08-17
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
 logsource:
@@ -25,7 +25,17 @@ detection:
        Image:
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\System32\ie4uinit.exe'
-    condition: selection and not 1 of filter_main_*
+    filter_optional_avira:
+        Image|contains|all:
+            - '\Temp\'
+            - '\.cr\avira_'
+        Details|contains: 'DWORD (0x00000001)'
+    filter_optional_foxit:
+        Image:
+            - 'C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
+            - 'C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
+        Details|contains: 'DWORD (0x00000001)'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - As this is controlled by group policy as well as user settings. Some false positives may occur.
 level: medium
@@ -13,6 +13,7 @@ references:
    - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
 author: Anish Bogati
 date: 2023-11-28
+modified: 2025-10-08
 tags:
    - attack.persistence
    - attack.t1546.007
@@ -23,7 +24,13 @@ detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
        Details|contains: '.dll'
-    condition: selection
+    filter_main_poqexec:
+        Image: 'C:\Windows\System32\poqexec.exe'
+        Details:
+            - 'ipmontr.dll'
+            - 'iasmontr.dll'
+            - 'ippromon.dll'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Legitimate helper added by different programs and the OS
 level: medium
@@ -7,7 +7,7 @@ references:
    - https://vanmieghem.io/stealth-outlook-persistence/
 author: Bhabesh Raj
 date: 2021-01-10
-modified: 2023-08-28
+modified: 2025-10-07
 tags:
    - attack.t1137.006
    - attack.persistence
@@ -22,24 +22,46 @@ detection:
            - '\Software\Microsoft\Office\Excel\Addins\'
            - '\Software\Microsoft\Office\Powerpoint\Addins\'
            - '\Software\Microsoft\VSTO\Security\Inclusion\'
-    filter_image:
-        Image|endswith:
-            - '\msiexec.exe'
-            - '\regsvr32.exe' # e.g. default Evernote installation
-    # triggered by a default Office 2019 installation
-    filter_office:
+    filter_main_system:
+        Image:
+            - 'C:\Windows\System32\msiexec.exe'
+            - 'C:\Windows\SysWOW64\msiexec.exe'
+            - 'C:\Windows\System32\regsvr32.exe'
+            - 'C:\Windows\SysWOW64\regsvr32.exe' # e.g. default Evernote installation
+    filter_main_office_click_to_run:
+        Image|startswith:
+            - 'C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\'
+            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+        Image|endswith: '\OfficeClickToRun.exe'
+    filter_main_integrator:
+        Image:
+            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
+            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
+    filter_main_office_apps:
+        Image|startswith:
+            - 'C:\Program Files\Microsoft Office\OFFICE'
+            - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
+            - 'C:\Program Files\Microsoft Office\Root\OFFICE'
+            - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
        Image|endswith:
            - '\excel.exe'
-            - '\integrator.exe'
-            - '\OfficeClickToRun.exe'
-            - '\winword.exe'
+            - '\Integrator.exe'
+            - '\outlook.exe'
+            - '\powerpnt.exe'
+            - '\Teams.exe'
            - '\visio.exe'
-    filter_teams:
-        Image|endswith: '\Teams.exe'
-    filter_avg:
-        Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+            - '\winword.exe'
+    filter_optional_avg:
+        Image:
+            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+            - 'C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
-    condition: selection and not 1 of filter_*
+    filter_optional_avast:
+        Image:
+            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
+            - 'C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe'
+        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Legitimate Addin Installation
 level: medium
@@ -11,7 +11,7 @@ references:
    - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
 author: frack113
 date: 2023-01-27
-modified: 2024-07-03
+modified: 2025-10-07
 tags:
    - attack.defense-evasion
    - attack.t1036.003
@@ -22,9 +22,8 @@ detection:
    selection_main:
        TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
    selection_susp_paths:
-        Image|contains:
-            - '\AppData\Local\Temp\'
-            - '\Users\Public\'
+        Image|contains: '\Users\Public\'
+            # - '\AppData\Local\Temp\'  # Commented out as it's used by legitimate installers
    selection_susp_images:
        Image|endswith:
            - '\reg.exe'
@@ -7,7 +7,7 @@ references:
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
 author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2018-08-25
-modified: 2025-02-17
+modified: 2025-10-06
 tags:
    - attack.persistence
    - attack.t1547.001
@@ -55,7 +55,14 @@ detection:
        Details|contains:
            - '\AppData\Local\Temp\'
            - 'C:\Windows\Temp\'
-    condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_* )) and not 1 of filter_main_*
+    filter_optional_spotify:
+        Image|endswith:
+            - 'C:\Program Files\Spotify\Spotify.exe'
+            - 'C:\Program Files (x86)\Spotify\Spotify.exe'
+            - '\AppData\Roaming\Spotify\Spotify.exe'
+        TargetObject|endswith: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify'
+        Details|endswith: 'Spotify.exe --autostart --minimized'
+    condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_* )) and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Software using weird folders for updates
 level: high