diff --git a/rules/windows/file/file_event/file_event_win_susp_clr_logs.yml b/rules-deprecated/windows/file_event_win_susp_clr_logs.yml
similarity index 97%
rename from rules/windows/file/file_event/file_event_win_susp_clr_logs.yml
rename to rules-deprecated/windows/file_event_win_susp_clr_logs.yml
index 4b5d1c854..84d2f62d7 100644
--- a/rules/windows/file/file_event/file_event_win_susp_clr_logs.yml
+++ b/rules-deprecated/windows/file_event_win_susp_clr_logs.yml
@@ -1,6 +1,6 @@
 title: Suspicious CLR Logs Creation
 id: e4b63079-6198-405c-abd7-3fe8b0ce3263
-status: experimental
+status: deprecated
 description: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly.
 references:
     - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
@@ -8,7 +8,7 @@ references:
     - https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml
 author: omkar72, oscd.community, Wojciech Lesicki
 date: 2020/10/12
-modified: 2022/06/24
+modified: 2023/01/05
 tags:
     - attack.execution
     - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_indirect_cmd.yml b/rules-deprecated/windows/proc_creation_win_indirect_cmd.yml
similarity index 96%
rename from rules/windows/process_creation/proc_creation_win_indirect_cmd.yml
rename to rules-deprecated/windows/proc_creation_win_indirect_cmd.yml
index a2f9064b5..ae206f284 100644
--- a/rules/windows/process_creation/proc_creation_win_indirect_cmd.yml
+++ b/rules-deprecated/windows/proc_creation_win_indirect_cmd.yml
@@ -1,13 +1,13 @@
 title: Indirect Command Execution
 id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
-status: test
+status: deprecated
 description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md
     - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 date: 2019/10/24
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
     - attack.defense_evasion
     - attack.t1202
diff --git a/rules/windows/process_creation/proc_creation_win_indirect_command_execution_forfiles.yml b/rules-deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml
similarity index 73%
rename from rules/windows/process_creation/proc_creation_win_indirect_command_execution_forfiles.yml
rename to rules-deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml
index 29a87ef8f..e05d0a2a5 100644
--- a/rules/windows/process_creation/proc_creation_win_indirect_command_execution_forfiles.yml
+++ b/rules-deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml
@@ -1,12 +1,16 @@
 title: Indirect Command Exectuion via Forfiles
 id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
-status: experimental
-description: Detects the use of native Windows tool, forfiles to execute a file. Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
+related:
+    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
+      type: obsoletes
+status: deprecated
+description: Detects execition of commands and binaries from the context of "forfiles.exe". This can be used as a LOLBIN in order to bypass application whitelisting.
 references:
     - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a
     - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
-author: Tim Rauch (rule), Elastic (idea)
+author: Tim Rauch (rule), Elastic (idea), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 date: 2022/10/17
+modified: 2023/01/04
 tags:
     - attack.defense_evasion
     - attack.t1202
diff --git a/rules/cloud/aws/aws_enum_buckets.yml b/rules/cloud/aws/aws_enum_buckets.yml
new file mode 100644
index 000000000..dafc5c15e
--- /dev/null
+++ b/rules/cloud/aws/aws_enum_buckets.yml
@@ -0,0 +1,29 @@
+title: Potential Bucket Enumeration on AWS
+id: f305fd62-beca-47da-ad95-7690a0620084
+related:
+    - id: 4723218f-2048-41f6-bcb0-417f2d784f61
+      type: similar
+status: experimental
+description: Looks for potential enumeration of AWS buckets via ListBuckets.
+references:
+    - https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md
+    - https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html
+    - https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/
+author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
+date: 2023/01/06
+tags:
+    - attack.discovery
+    - attack.t1580
+logsource:
+    product: aws
+    service: cloudtrail
+detection:
+    selection:
+        eventSource: 'ec2.amazonaws.com'
+        eventName: 'ListBuckets'
+    filter:
+        type: 'AssumedRole'
+    condition: selection and not filter
+falsepositives:
+    - Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.
+level: low
diff --git a/rules/cloud/aws/aws_enum_storage.yml b/rules/cloud/aws/aws_enum_storage.yml
index c47b8e5f7..6e81408f4 100644
--- a/rules/cloud/aws/aws_enum_storage.yml
+++ b/rules/cloud/aws/aws_enum_storage.yml
@@ -1,5 +1,8 @@
 title: Potential Storage Enumeration on AWS
 id: 4723218f-2048-41f6-bcb0-417f2d784f61
+related:
+    - id: f305fd62-beca-47da-ad95-7690a0620084
+      type: similar
 status: experimental
 description: Detects potential enumeration activity targeting AWS storage
 references:
diff --git a/rules/cloud/azure/azure_app_privileged_permissions.yml b/rules/cloud/azure/azure_app_privileged_permissions.yml
index ec44918df..bdc64a4c7 100644
--- a/rules/cloud/azure/azure_app_privileged_permissions.yml
+++ b/rules/cloud/azure/azure_app_privileged_permissions.yml
@@ -9,8 +9,8 @@ date: 2022/07/28
 tags:
     - attack.privilege_escalation
 logsource:
-    product: microsoft365portal
-    service: auditlogs
+    product: azure
+    service: microsoft365portal
 detection:
     selection:
         properties.message: Add app role assignment to service principal
diff --git a/rules/linux/auditd/lnx_auditd_binary_padding.yml b/rules/linux/auditd/lnx_auditd_binary_padding.yml
index 54d9207d9..a13c63e96 100644
--- a/rules/linux/auditd/lnx_auditd_binary_padding.yml
+++ b/rules/linux/auditd/lnx_auditd_binary_padding.yml
@@ -2,13 +2,13 @@ title: Binary Padding - Linux
 id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
 status: test
 description: |
-  Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
-  This rule detect using dd and truncate to add a junk data to file.
+    Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
+    This rule detect using dd and truncate to add a junk data to file.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
 author: 'Igor Fits, oscd.community'
 date: 2020/10/13
-modified: 2022/11/26
+modified: 2023/01/06
 tags:
     - attack.defense_evasion
     - attack.t1027.001
@@ -16,17 +16,17 @@ logsource:
     product: linux
     service: auditd
 detection:
-    execve:
+    selection_execve:
         type: 'EXECVE'
-    truncate:
+    keywords_truncate:
         - 'truncate'
         - '-s'
-    dd:
+    keywords_dd:
         - 'dd'
         - 'if='
-    filter:
+    keywords_filter:
         - 'of='
-    condition: execve and (all of truncate or (all of dd and not filter))
+    condition: selection_execve and (all of keywords_truncate or (all of keywords_dd and not keywords_filter))
 falsepositives:
-    - Legitimate script work
+    - Unknown
 level: high
diff --git a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
index fc4b87556..db6bb212a 100644
--- a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
+++ b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 author: 'Igor Fits, oscd.community'
 date: 2020/10/15
-modified: 2022/11/28
+modified: 2023/01/06
 tags:
     - attack.credential_access
     - attack.t1552.001
@@ -14,12 +14,12 @@ logsource:
     product: linux
     service: auditd
 detection:
-    execve:
+    selection:
         type: 'EXECVE'
-    passwordgrep:
+    keywords:
         - 'grep'
         - 'password'
-    condition: execve and all of passwordgrep
+    condition: selection and all of keywords
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
similarity index 90%
rename from rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml
rename to rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
index d28ba5af1..618c59c82 100644
--- a/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml
+++ b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
@@ -6,6 +6,7 @@ references:
     - https://twitter.com/wdormann/status/1486161836961579020
 author: Sreeman
 date: 2022/01/26
+modified: 2023/01/06
 tags:
     - attack.privilege_escalation
     - attack.t1548.001
@@ -13,11 +14,11 @@ logsource:
     product: linux
     service: auth
 detection:
-    keyword:
+    keywords:
         - 'pkexec'
         - 'The value for environment variable XAUTHORITY contains suscipious content'
         - '[USER=root] [TTY=/dev/pts/0]'
-    condition: all of keyword
+    condition: all of keywords
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/linux/other/lnx_susp_failed_logons_single_source.yml b/rules/linux/builtin/auth/lnx_auth_susp_failed_logons_single_source.yml
similarity index 100%
rename from rules/linux/other/lnx_susp_failed_logons_single_source.yml
rename to rules/linux/builtin/auth/lnx_auth_susp_failed_logons_single_source.yml
diff --git a/rules/linux/other/lnx_clamav.yml b/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml
similarity index 100%
rename from rules/linux/other/lnx_clamav.yml
rename to rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml
diff --git a/rules/linux/builtin/lnx_crontab_file_modification.yml b/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml
similarity index 100%
rename from rules/linux/builtin/lnx_crontab_file_modification.yml
rename to rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml
diff --git a/rules/linux/other/lnx_susp_guacamole.yml b/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml
similarity index 100%
rename from rules/linux/other/lnx_susp_guacamole.yml
rename to rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml
diff --git a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml b/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
index 36577bd51..ae84422a5 100644
--- a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
+++ b/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
@@ -7,17 +7,18 @@ references:
     - https://github.com/Immersive-Labs-Sec/nimbuspwn
 author: Bhabesh Raj
 date: 2022/05/04
+modified: 2023/01/06
 tags:
     - attack.privilege_escalation
     - attack.t1068
 logsource:
     product: linux
 detection:
-    keyword:
+    keywords:
         - 'networkd-dispatcher'
         - 'Error handling notification for interface'
         - '../../'
-    condition: all of keyword
+    condition: all of keywords
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/linux/builtin/lnx_susp_dev_tcp.yml b/rules/linux/builtin/lnx_susp_dev_tcp.yml
index 74a59784c..324126620 100644
--- a/rules/linux/builtin/lnx_susp_dev_tcp.yml
+++ b/rules/linux/builtin/lnx_susp_dev_tcp.yml
@@ -8,13 +8,13 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan
 author: frack113
 date: 2021/12/10
-modified: 2022/01/10
+modified: 2023/01/06
 tags:
     - attack.reconnaissance
 logsource:
     product: linux
 detection:
-    keyword:
+    keywords:
         - 'cat </dev/tcp/'
         - 'exec 3<>/dev/tcp/'
         - 'echo >/dev/tcp/'
@@ -25,7 +25,7 @@ detection:
         - '(sh)0>/dev/tcp/'
         - 'bash -c ''bash -i >& /dev/tcp/'
         - 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/'
-    condition: 1 of keyword
+    condition: keywords
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/linux/other/lnx_ssh_cve_2018_15473.yml b/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml
similarity index 100%
rename from rules/linux/other/lnx_ssh_cve_2018_15473.yml
rename to rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml
diff --git a/rules/linux/other/lnx_susp_ssh.yml b/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml
similarity index 100%
rename from rules/linux/other/lnx_susp_ssh.yml
rename to rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml
diff --git a/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
similarity index 100%
rename from rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
rename to rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
diff --git a/rules/linux/other/lnx_security_tools_disabling_syslog.yml b/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml
similarity index 100%
rename from rules/linux/other/lnx_security_tools_disabling_syslog.yml
rename to rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml
diff --git a/rules/linux/other/lnx_susp_named.yml b/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml
similarity index 100%
rename from rules/linux/other/lnx_susp_named.yml
rename to rules/linux/builtin/syslog/lnx_syslog_susp_named.yml
diff --git a/rules/linux/other/lnx_susp_vsftp.yml b/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml
similarity index 100%
rename from rules/linux/other/lnx_susp_vsftp.yml
rename to rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml
diff --git a/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml b/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml
new file mode 100644
index 000000000..9633677c0
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml
@@ -0,0 +1,29 @@
+title: HackTool Execution
+id: a015e032-146d-4717-8944-7a1884122111
+status: experimental
+description: Detects known hacktool execution based on image name
+references:
+    - Internal Research
+author: Nasreddine Bencherchali
+date: 2023/01/03
+tags:
+    - attack.execution
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith:
+            # Add more as you see fit
+            - '/sqlmap'
+            - '/teamserver'
+            - '/aircrack-ng'
+            - '/john'
+            - '/setoolkit'
+            - '/wpscan'
+            - '/hydra'
+            - '/nikto'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
new file mode 100644
index 000000000..726225676
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
@@ -0,0 +1,47 @@
+title: Suspicious Package Installed - Linux
+id: 700fb7e8-2981-401c-8430-be58e189e741
+status: experimental
+description: Detects installation of suspicious packages using system installation utilities
+references:
+    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
+author: Nasreddine Bencherchali
+date: 2023/01/03
+tags:
+    - attack.defense_evasion
+    - attack.t1553.004
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection_tool_apt:
+        Image|endswith:
+            - '/apt'
+            - '/apt-get'
+        CommandLine|contains: 'install'
+    selection_tool_yum:
+        Image|endswith: '/yum'
+        CommandLine|contains:
+            - 'localinstall'
+            - 'install'
+    selection_tool_rpm:
+        Image|endswith: '/rpm'
+        CommandLine|contains: '-i'
+    selection_tool_dpkg:
+        Image|endswith: '/dpkg'
+        CommandLine|contains:
+            - '--install'
+            - '-i'
+    selection_keyword:
+        CommandLine|contains:
+            # Add more suspicious packages
+            - 'nmap'
+            - ' nc'
+            - 'netcat'
+            - 'wireshark'
+            - 'tshark'
+            - 'openconnect'
+            - 'proxychains'
+    condition: 1 of selection_tool_* and selection_keyword
+falsepositives:
+    - Legitimate administration activities
+level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
new file mode 100644
index 000000000..33e0d9972
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
@@ -0,0 +1,41 @@
+title: Suspicious Git Clone - Linux
+id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446
+status: experimental
+description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
+references:
+    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
+author: Nasreddine Bencherchali
+date: 2023/01/03
+modified: 2023/01/05
+tags:
+    - attack.reconnaissance
+    - attack.t1593.003
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/git'
+        CommandLine|contains: ' clone '
+    selection_keyword:
+        CommandLine|contains:
+            # Add more suspicious keywords
+            - 'exploit'
+            - 'Vulns'
+            - 'vulnerability'
+            - 'RCE'
+            - 'RemoteCodeExecution'
+            - 'Invoke-'
+            - 'CVE-'
+            - 'poc-'
+            - 'ProofOfConcept'
+            # Add more vuln names
+            - 'proxyshell'
+            - 'log4shell'
+            - 'eternalblue'
+            - 'eternal-blue'
+            - 'MS17-'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml b/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml
index f7f329e03..4570e106d 100644
--- a/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml
+++ b/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md
 author: remotephone
 date: 2021/11/20
-modified: 2022/12/25
+modified: 2023/01/04
 tags:
     - attack.defense_evasion
     - attack.t1036.006
@@ -17,7 +17,7 @@ detection:
     selection1:
         CommandLine|endswith: ' '
     selection2:
-        ImageName|endswith: ' '
+        Image|endswith: ' '
     condition: 1 of selection*
 falsepositives:
     - Mistyped commands or legitimate binaries named to match the pattern
diff --git a/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
index d832f6094..7e00356ca 100644
--- a/rules/network/cisco/aaa/cisco_cli_collect_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
@@ -4,7 +4,7 @@ status: test
 description: Collect pertinent data from the configuration files
 author: Austin Clark
 date: 2019/08/11
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
     - attack.discovery
     - attack.credential_access
@@ -15,7 +15,6 @@ tags:
 logsource:
     product: cisco
     service: aaa
-    category: accounting
 detection:
     keywords:
         - 'show running-config'
diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
index cac0f231d..ee51db55f 100644
--- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
+++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
@@ -4,7 +4,7 @@ status: test
 description: Show when private keys are being exported from the device, or when new certificates are installed
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
     - attack.credential_access
     - attack.defense_evasion
@@ -13,7 +13,6 @@ tags:
 logsource:
     product: cisco
     service: aaa
-    category: accounting
 detection:
     keywords:
         - 'crypto pki export'
diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
index ea9d7290f..7ff07143b 100644
--- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
+++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
@@ -4,14 +4,13 @@ status: test
 description: Turn off logging locally or remote
 author: Austin Clark
 date: 2019/08/11
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
     - attack.defense_evasion
     - attack.t1562.001
 logsource:
     product: cisco
     service: aaa
-    category: accounting
 detection:
     keywords:
         - 'no logging'
diff --git a/rules/network/cisco/aaa/cisco_cli_discovery.yml b/rules/network/cisco/aaa/cisco_cli_discovery.yml
index ca5e160ea..970e34df7 100644
--- a/rules/network/cisco/aaa/cisco_cli_discovery.yml
+++ b/rules/network/cisco/aaa/cisco_cli_discovery.yml
@@ -4,7 +4,7 @@ status: test
 description: Find information about network devices that is not stored in config files
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
     - attack.discovery
     - attack.t1083
@@ -19,7 +19,6 @@ tags:
 logsource:
     product: cisco
     service: aaa
-    category: accounting
 detection:
     keywords:
         - 'dir'
diff --git a/rules/network/cisco/aaa/cisco_cli_dos.yml b/rules/network/cisco/aaa/cisco_cli_dos.yml
index 769660112..e2455a3bc 100644
--- a/rules/network/cisco/aaa/cisco_cli_dos.yml
+++ b/rules/network/cisco/aaa/cisco_cli_dos.yml
@@ -4,7 +4,7 @@ status: test
 description: Detect a system being shutdown or put into different boot mode
 author: Austin Clark
 date: 2019/08/15
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
     - attack.impact
     - attack.t1495
@@ -13,7 +13,6 @@ tags:
 logsource:
     product: cisco
     service: aaa
-    category: accounting
 detection:
     keywords:
         - 'shutdown'
diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
index e79f3b9f7..beedf9793 100644
--- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
+++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
@@ -4,7 +4,7 @@ status: test
 description: See what files are being deleted from flash file systems
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
     - attack.defense_evasion
     - attack.impact
@@ -14,7 +14,6 @@ tags:
 logsource:
     product: cisco
     service: aaa
-    category: accounting
 detection:
     keywords:
         - 'erase'
diff --git a/rules/network/cisco/aaa/cisco_cli_input_capture.yml b/rules/network/cisco/aaa/cisco_cli_input_capture.yml
index 4a8bbfc82..ccd20f84a 100644
--- a/rules/network/cisco/aaa/cisco_cli_input_capture.yml
+++ b/rules/network/cisco/aaa/cisco_cli_input_capture.yml
@@ -4,14 +4,13 @@ status: test
 description: See what commands are being input into the device by other people, full credentials can be in the history
 author: Austin Clark
 date: 2019/08/11
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
     - attack.credential_access
     - attack.t1552.003
 logsource:
     product: cisco
     service: aaa
-    category: accounting
 detection:
     keywords:
         - 'show history'
diff --git a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
index c941f2447..678773565 100644
--- a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
+++ b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
@@ -4,7 +4,7 @@ status: test
 description: Find local accounts being created or modified as well as remote authentication configurations
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
     - attack.persistence
     - attack.t1136.001
@@ -12,7 +12,6 @@ tags:
 logsource:
     product: cisco
     service: aaa
-    category: accounting
 detection:
     keywords:
         - 'username'
diff --git a/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
index a3f833c20..699678c94 100644
--- a/rules/network/cisco/aaa/cisco_cli_modify_config.yml
+++ b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
@@ -4,7 +4,7 @@ status: test
 description: Modifications to a config that will serve an adversary's impacts or persistence
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
     - attack.persistence
     - attack.impact
@@ -15,7 +15,6 @@ tags:
 logsource:
     product: cisco
     service: aaa
-    category: accounting
 detection:
     keywords:
         - 'ip http server'
diff --git a/rules/network/cisco/aaa/cisco_cli_moving_data.yml b/rules/network/cisco/aaa/cisco_cli_moving_data.yml
index b4f5f2963..a5068ab1d 100644
--- a/rules/network/cisco/aaa/cisco_cli_moving_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_moving_data.yml
@@ -4,7 +4,7 @@ status: test
 description: Various protocols maybe used to put data on the device for exfil or infil
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
     - attack.collection
     - attack.lateral_movement
@@ -16,7 +16,6 @@ tags:
 logsource:
     product: cisco
     service: aaa
-    category: accounting
 detection:
     keywords:
         - 'tftp'
diff --git a/rules/network/cisco/aaa/cisco_cli_net_sniff.yml b/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
index 0a390d6d4..e5063d4dc 100644
--- a/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
+++ b/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
@@ -4,7 +4,7 @@ status: test
 description: Show when a monitor or a span/rspan is setup or modified
 author: Austin Clark
 date: 2019/08/11
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
     - attack.credential_access
     - attack.discovery
@@ -12,7 +12,6 @@ tags:
 logsource:
     product: cisco
     service: aaa
-    category: accounting
 detection:
     keywords:
         - 'monitor capture point'
diff --git a/rules/linux/modsecurity/modsec_mulitple_blocks.yml b/rules/product/modsecurity/modsec_mulitple_blocks.yml
similarity index 92%
rename from rules/linux/modsecurity/modsec_mulitple_blocks.yml
rename to rules/product/modsecurity/modsec_mulitple_blocks.yml
index 6ae3bc1ae..f98254afd 100644
--- a/rules/linux/modsecurity/modsec_mulitple_blocks.yml
+++ b/rules/product/modsecurity/modsec_mulitple_blocks.yml
@@ -4,12 +4,12 @@ status: stable
 description: Detects multiple blocks by the mod_security module (Web Application Firewall)
 author: Florian Roth
 date: 2017/02/28
+modified: 2023/01/07
 tags:
     - attack.impact
     - attack.t1499
 logsource:
-    product: linux
-    service: modsecurity
+    product: modsecurity
 detection:
     selection:
         - 'mod_security: Access denied'
diff --git a/rules/web/web_cve_2021_26858_iis_rce.yml b/rules/web/web_cve_2021_26858_iis_rce.yml
index 02853d426..e85114085 100644
--- a/rules/web/web_cve_2021_26858_iis_rce.yml
+++ b/rules/web/web_cve_2021_26858_iis_rce.yml
@@ -6,10 +6,10 @@ references:
     - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
 author: frack113
 date: 2021/08/10
-modified: 2022/10/09
+modified: 2023/01/04
 logsource:
     product: windows
-    category: webserver
+    service: iis
     definition: w3c-logging must be enabled https://docs.microsoft.com/en-us/windows/win32/http/w3c-logging
 detection:
     selection:
diff --git a/rules/windows/builtin/dns_server/win_susp_dns_config.yml b/rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml
similarity index 100%
rename from rules/windows/builtin/dns_server/win_susp_dns_config.yml
rename to rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
index dc80a5d10..68b7cb97b 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
@@ -6,7 +6,7 @@ references:
     - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
 author: Florian Roth
 date: 2021/08/09
-modified: 2022/10/09
+modified: 2023/01/06
 tags:
     - attack.t1587.001
     - attack.resource_development
@@ -14,15 +14,15 @@ logsource:
     product: windows
     service: msexchange-management
 detection:
-    selection_cmdlet:
+    keywords_cmdlet:
         - 'OabVirtualDirectory'
         - ' -ExternalUrl '
-    selection_params:
+    keywords_params:
         - 'eval(request'
         - 'http://f/<script'
         - '"unsafe"};'
         - 'function Page_Load()'
-    condition: all of selection_cmdlet and selection_params
+    condition: all of keywords_cmdlet and keywords_params
 falsepositives:
     - Unlikely
 level: critical
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
index 5ae421a73..27ffe6dcd 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
@@ -6,7 +6,7 @@ references:
     - https://twitter.com/GossiTheDog/status/1429175908905127938
 author: Max Altgelt
 date: 2021/08/23
-modified: 2022/10/09
+modified: 2023/01/06
 tags:
     - attack.persistence
     - attack.t1505.003
@@ -14,17 +14,17 @@ logsource:
     service: msexchange-management
     product: windows
 detection:
-    export_command:
+    keywords_export_command:
         - 'New-ExchangeCertificate'
         - ' -GenerateRequest'
         - ' -BinaryEncoded'
         - ' -RequestFile'
-    export_params:
+    keywords_export_params:
         - '\\\\localhost\\C$'
         - '\\\\127.0.0.1\\C$'
         - 'C:\\inetpub'
         - '.aspx'
-    condition: all of export_command and export_params
+    condition: all of keywords_export_command and keywords_export_params
 falsepositives:
     - Unlikely
 level: critical
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
index e20a59983..74de6e875 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
 author: Christian Burkard
 date: 2021/08/27
-modified: 2022/10/09
+modified: 2023/01/06
 tags:
     - attack.defense_evasion
     - attack.t1070
@@ -14,11 +14,11 @@ logsource:
     service: msexchange-management
     product: windows
 detection:
-    command:
+    keywords:
         - 'Remove-MailboxExportRequest'
         - ' -Identity '
         - ' -Confirm "False"'
-    condition: all of command
+    condition: all of keywords
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml b/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml
index bca53094a..4269f15aa 100644
--- a/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml
@@ -6,7 +6,7 @@ references:
     - https://twitter.com/OTR_Community/status/1371053369071132675
 author: Jose Rodriguez @Cyb3rPandaH
 date: 2021/03/15
-modified: 2022/12/25
+modified: 2023/01/06
 tags:
     - attack.persistence
     - attack.t1505.003
@@ -14,12 +14,12 @@ logsource:
     product: windows
     service: msexchange-management
 detection:
-    selection:
+    keywords:
         - 'Set-OabVirtualDirectory'
         - 'ExternalUrl'
         - 'Page_Load'
         - 'script'
-    condition: all of selection
+    condition: all of keywords
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
index f9f4dc85c..1b087a989 100644
--- a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
+++ b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
@@ -10,12 +10,12 @@ references:
     - https://twitter.com/SBousseaden/status/1490608838701166596
 author: Tim Rauch
 date: 2022/09/15
-modified: 2022/12/04
+modified: 2023/01/04
 tags:
     - attack.privilege_escalation
     - attack.t1543
 logsource:
-    category: security
+    service: security
     product: windows
     definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
diff --git a/rules/windows/builtin/security/win_security_susp_computer_name.yml b/rules/windows/builtin/security/win_security_susp_computer_name.yml
index c74d21d53..1b7b0338f 100644
--- a/rules/windows/builtin/security/win_security_susp_computer_name.yml
+++ b/rules/windows/builtin/security/win_security_susp_computer_name.yml
@@ -8,6 +8,7 @@ references:
     - https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
 author: elhoim
 date: 2022/09/09
+modified: 2023/01/04
 tags:
     - cve.2021.42278
     - cve.2021.42287
@@ -15,7 +16,7 @@ tags:
     - attack.privilege_escalation
     - attack.t1078
 logsource:
-    category: security
+    service: security
     product: windows
 detection:
     # Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
diff --git a/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml b/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml
index d5d3b1ff0..c9b75f3bd 100644
--- a/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml
+++ b/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml
@@ -9,13 +9,13 @@ references:
     - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
 author: Tim Rauch
 date: 2022/09/15
-modified: 2022/12/04
+modified: 2023/01/04
 tags:
     - attack.privilege_escalation
     - attack.t1543
 logsource:
-    category: system
     product: windows
+    service: system
 detection:
     selection:
         Provider_Name: 'Service Control Manager'
diff --git a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
index a88e8f6a8..6012c2d8f 100644
--- a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
@@ -1,29 +1,41 @@
 title: NET CLR Binary Execution Usage Log Artifact
 id: e0b06658-7d1d-4cd3-bf15-03467507ff7c
+related:
+    - id: 4508a70e-97ef-4300-b62b-ff27992990ea
+      type: derived
+    - id: e4b63079-6198-405c-abd7-3fe8b0ce3263
+      type: obsoletes
 status: experimental
-description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context
+description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
 references:
     - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
     - https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml
-author: frack113
+    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
+    - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
+author: frack113, omkar72, oscd.community, Wojciech Lesicki
 date: 2022/11/18
+modified: 2023/01/05
 tags:
     - attack.defense_evasion
     - attack.t1218
 logsource:
     category: file_event
     product: windows
+    definition: 'Requirements: UsageLogs folder must be monitored by sysmon configuration'
 detection:
     selection:
         TargetFilename|endswith:
+            - '\UsageLogs\cmstp.exe.log'
             - '\UsageLogs\cscript.exe.log'
-            - '\UsageLogs\wscript.exe.log'
-            - '\UsageLogs\wmic.exe.log'
             - '\UsageLogs\mshta.exe.log'
-            - '\UsageLogs\svchost.exe.log'
+            - '\UsageLogs\msxsl.exe.log'
             - '\UsageLogs\regsvr32.exe.log'
             - '\UsageLogs\rundll32.exe.log'
+            - '\UsageLogs\svchost.exe.log'
+            - '\UsageLogs\wscript.exe.log'
+            - '\UsageLogs\wmic.exe.log'
     condition: selection
 falsepositives:
-    - Legitimate use
-level: medium
+    - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
index 65be22fc8..47888c46d 100644
--- a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
@@ -1,4 +1,4 @@
-title: Persistence Via Notepad++ Plugins
+title: Potential Persistence Via Notepad++ Plugins
 id: 54127bd4-f541-4ac3-afdb-ea073f63f692
 status: experimental
 description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
@@ -6,7 +6,7 @@ references:
     - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
 author: Nasreddine Bencherchali
 date: 2022/06/10
-modified: 2022/09/20
+modified: 2023/01/05
 tags:
     - attack.persistence
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit.yml b/rules/windows/file/file_event/file_event_win_ntds_dit.yml
index 8b70e991a..dfa976046 100644
--- a/rules/windows/file/file_event/file_event_win_ntds_dit.yml
+++ b/rules/windows/file/file_event/file_event_win_ntds_dit.yml
@@ -9,7 +9,7 @@ references:
     - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
 author: Florian Roth
 date: 2022/03/11
-modified: 2022/07/14
+modified: 2023/01/05
 tags:
     - attack.credential_access
     - attack.t1003.003
@@ -19,8 +19,8 @@ logsource:
 detection:
     selection_file:
         TargetFilename|endswith: '\ntds.dit'
-    selection_process:
-        - ParentImage|endswith:
+    selection_process_parent:
+        ParentImage|endswith:
             - '\powershell.exe'
             - '\pwsh.exe'
             - '\wscript.exe'
@@ -29,19 +29,21 @@ detection:
             - '\php-cgi.exe'
             - '\nginx.exe'
             - '\httpd.exe'
-        - ParentImage|contains:
+    selection_process_parent_path:
+        ParentImage|contains:
             - '\apache'
             - '\tomcat'
             - '\AppData\'
             - '\Temp\'
             - '\Public\'
             - '\PerfLogs\'
-        - Image|contains:
+    selection_process_child:
+        Image|contains:
             - '\AppData\'
             - '\Temp\'
             - '\Public\'
             - '\PerfLogs\'
-    condition: selection_file and 1 of selection_process*
+    condition: selection_file and 1 of selection_process_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml b/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml
index 1e571fc62..bc9e0bee3 100644
--- a/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml
@@ -2,9 +2,9 @@ title: Outlook C2 Macro Creation
 id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
 status: test
 description: |
-  Detects the creation of a macro file for Outlook.
-  Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137.
-  Particularly interesting if both events Registry & File Creation happens at the same time.
+    Detects the creation of a macro file for Outlook.
+    Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137.
+    Particularly interesting if both events Registry & File Creation happens at the same time.
 references:
     - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
 author: '@ScoubiMtl'
@@ -24,5 +24,5 @@ detection:
         TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
     condition: selection
 falsepositives:
-    - User genuinly creates a VB Macro for their email
+    - User genuinely creates a VB Macro for their email
 level: medium
diff --git a/rules/windows/file/file_event/file_event_win_outlook_newform.yml b/rules/windows/file/file_event/file_event_win_outlook_newform.yml
index 022efb165..5c5e86082 100644
--- a/rules/windows/file/file_event/file_event_win_outlook_newform.yml
+++ b/rules/windows/file/file_event/file_event_win_outlook_newform.yml
@@ -18,8 +18,6 @@ detection:
         Image|endswith: '\outlook.exe'
         TargetFilename|contains: '\appdata\local\microsoft\FORMS\'
     condition: selection
-fields:
-    - TargetFilename
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
index 5bcc9ffbe..824315e1a 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -19,9 +19,10 @@ references:
     - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
     - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
     - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
+    - https://github.com/HarmJ0y/DAMP
 author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein
 date: 2018/04/07
-modified: 2023/01/02
+modified: 2023/01/05
 tags:
     - attack.execution
     - attack.t1059.001
@@ -34,6 +35,7 @@ detection:
             - '\Add-Exfiltration.ps1'
             - '\Add-Persistence.ps1'
             - '\Add-RegBackdoor.ps1'
+            - '\Add-RemoteRegBackdoor.ps1'
             - '\Add-ScrnSaveBackdoor.ps1'
             - '\Check-VM.ps1'
             - '\Do-Exfiltration.ps1'
@@ -217,6 +219,7 @@ detection:
             - '\PowerUpSQL.ps1'
             - '\PowerView.ps1'
             - '\PSAsyncShell.ps1'
+            - '\RemoteHashRetrieval.ps1'
             - '\Remove-Update.ps1'
             - '\Set-MacAttribute.ps1'
             - '\Set-Wallpaper.ps1'
diff --git a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
index 90fa23699..898434ae4 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
@@ -2,10 +2,10 @@ title: PowerShell Writing Startup Shortcuts
 id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
 status: experimental
 description: |
-  Attempts to detect PowerShell writing startup shortcuts.
-  This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
-  Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
-  In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
+    Attempts to detect PowerShell writing startup shortcuts.
+    This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
+    Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
+    In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
 references:
     - https://redcanary.com/blog/intelligence-insights-october-2021/
     - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
diff --git a/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml b/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml
index 5670924b8..8e92311ac 100755
--- a/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml
+++ b/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml
@@ -15,7 +15,6 @@ logsource:
     product: windows
 detection:
     selection:
-        # Sysmon: File Creation (ID 11)
         TargetFilename|contains|all:
             - '\AppData\Local\Temp\SAM-'
             - '.dmp'
diff --git a/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml b/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
index 3850c9dca..1e9b66a50 100644
--- a/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
+++ b/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
@@ -1,12 +1,12 @@
-title: RedMimicry Winnti Playbook Dropped File
+title: Potential Winnti Dropper Activity
 id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
 status: test
-description: Detects actions caused by the RedMimicry Winnti playbook
+description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
 references:
-    - https://redmimicry.com
+    - https://redmimicry.com/posts/redmimicry-winnti/#dropper
 author: Alexander Rausch
 date: 2020/06/24
-modified: 2021/11/27
+modified: 2023/01/05
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -15,10 +15,10 @@ logsource:
     category: file_event
 detection:
     selection:
-        TargetFilename|contains:
-            - gthread-3.6.dll
-            - sigcmm-2.4.dll
-            - \Windows\Temp\tmp.bat
+        TargetFilename|endswith:
+            - '\gthread-3.6.dll'
+            - '\sigcmm-2.4.dll'
+            - '\Windows\Temp\tmp.bat'
     condition: selection
 falsepositives:
     - Unknown
diff --git a/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml b/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml
index f0c6bd2f4..6c3d9310b 100644
--- a/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml
@@ -1,4 +1,4 @@
-title: Remote Credential Dump
+title: Potential Remote Credential Dumping Activity
 id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
 status: experimental
 description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
@@ -7,7 +7,7 @@ references:
     - https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
 author: SecurityAura
 date: 2022/11/16
-modified: 2022/11/29
+modified: 2023/01/05
 tags:
     - attack.credential_access
     - attack.t1003
diff --git a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml
index a7b422a4c..4aeb3536e 100644
--- a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml
+++ b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml
@@ -1,15 +1,18 @@
-title: RipZip Attack on Startup Folder
+title: Potential RipZip Attack on Startup Folder
 id: a6976974-ea6f-4e97-818e-ea08625c52cb
 status: experimental
-description: Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
+description: |
+    Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
+    If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
+    Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
 references:
     - https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
 author: Greg (rule)
 date: 2022/07/21
-modified: 2022/09/27
+modified: 2023/01/05
 tags:
-    - attack.t1547
     - attack.persistence
+    - attack.t1547
 logsource:
     category: file_event
     product: windows
@@ -20,4 +23,6 @@ detection:
             - '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}'
         Image|endswith: '\explorer.exe'
     condition: selection
+falsepositives:
+    - Unknown
 level: high
diff --git a/rules/windows/file/file_event/file_event_win_sam_dump.yml b/rules/windows/file/file_event/file_event_win_sam_dump.yml
index 109779a3b..a82debc61 100644
--- a/rules/windows/file/file_event/file_event_win_sam_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_sam_dump.yml
@@ -1,4 +1,4 @@
-title: SAM Dump File Creation
+title: Potential SAM Database Dump
 id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0
 status: experimental
 description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
@@ -10,6 +10,7 @@ references:
     - https://github.com/FireFart/hivenightmare
 author: Florian Roth
 date: 2022/02/11
+modified: 2023/01/05
 tags:
     - attack.credential_access
     - attack.t1003.002
@@ -30,7 +31,7 @@ detection:
             - '\AppData\Roaming\sam'
             - '_ShadowSteal.zip'       # https://github.com/HuskyHacks/ShadowSteal
             - '\Documents\SAM.export'  # https://github.com/n3tsurge/CVE-2021-36934/
-        - TargetFilename: 'c:\sam'
+            - ':\sam'
         - TargetFilename|contains:
             - '\hive_sam_'             # https://github.com/FireFart/hivenightmare
             - '\sam.save'
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
index b1232f7a9..e66c473f2 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
@@ -6,7 +6,7 @@ references:
     - Internal Research
 author: Florian Roth
 date: 2021/11/20
-modified: 2022/07/14
+modified: 2023/01/05
 logsource:
     category: file_event
     product: windows
@@ -21,8 +21,7 @@ detection:
             - '\sh.exe'
             - '\bash.exe'
             - '\msbuild.exe'  # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
-            - '\certutil.exe'
-        TargetFilename|contains:
+        TargetFilename|startswith:
             - 'C:\Users\Public'
             - 'C:\PerfLogs'
     selection_program:
@@ -40,9 +39,6 @@ detection:
             - '\AppData\'
             - 'C:\Windows\Temp'
     condition: 1 of selection*
-fields:
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
index e303701db..68b6e479b 100644
--- a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
+++ b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
@@ -1,5 +1,8 @@
 title: Startup Folder File Write
 id: 2aa0a6b4-a865-495b-ab51-c28249537b75
+related:
+    - id: 28208707-fe31-437f-9a7f-4b1108b94d2e
+      type: similar
 status: test
 description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
 references:
@@ -22,5 +25,5 @@ detection:
         - TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
     condition: selection and not filter_update
 falsepositives:
-    - An FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
+    - FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
 level: medium
diff --git a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
index 4cd414b40..3c9a63ebb 100644
--- a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
@@ -6,6 +6,7 @@ references:
     - https://twitter.com/eral4m/status/1480468728324231172?s=20
 author: frack113
 date: 2022/01/21
+modified: 2023/01/05
 tags:
     - attack.defense_evasion
     - attack.t1564
@@ -15,13 +16,13 @@ logsource:
 detection:
     selection:
         Image|endswith: '\colorcpl.exe'
-    valid_ext:
+    filter_ext:
         TargetFilename|endswith:
             - '.icm'
             - '.gmmp'
             - '.cdmp'
             - '.camp'
-    condition: selection and not valid_ext
+    condition: selection and not 1 of filter_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
index 4e7346ec3..4fdff1339 100644
--- a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
@@ -1,11 +1,15 @@
 title: Suspicious Startup Folder Persistence
 id: 28208707-fe31-437f-9a7f-4b1108b94d2e
+related:
+    - id: 2aa0a6b4-a865-495b-ab51-c28249537b75
+      type: similar
 status: experimental
 description: Detects when a file with a suspicious extension is created in the startup folder
 references:
     - https://github.com/last-byte/PersistenceSniper
 author: Nasreddine Bencherchali
 date: 2022/08/10
+modified: 2023/01/06
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -23,6 +27,10 @@ detection:
             - '.ps1'
             - '.hta'
             - '.dll'
+            - '.jar'
+            - '.msi'
+            - '.scr'
+            - '.cmd'
     condition: selection
 falsepositives:
     - Rare legitimate usage of some of the extensions mentioned in the rule
diff --git a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
index 9821a9b7d..f5d2001a0 100644
--- a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
@@ -9,6 +9,7 @@ references:
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
 author: Nasreddine Bencherchali
 date: 2022/08/24
+modified: 2023/01/06
 tags:
     - attack.persistence
     - attack.privilege_escalation
@@ -22,4 +23,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate use of the profile by developers or administrators
-level: high
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml b/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml
index 67cafa273..51c9a8e5b 100644
--- a/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml
@@ -4,6 +4,8 @@ status: experimental
 description: Detects the creation of an file in user Word Startup
 references:
     - Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
+    - http://addbalance.com/word/startup.htm
+    - https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
 author: frack113
 date: 2022/06/05
 tags:
diff --git a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
index 1ed3bffe5..eb8192074 100644
--- a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
@@ -1,14 +1,15 @@
 title: CLR DLL Loaded Via Scripting Applications
 id: 4508a70e-97ef-4300-b62b-ff27992990ea
 status: test
-description: Detects CLR DLL being loaded by an scripting applications
+description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript
 references:
     - https://github.com/tyranid/DotNetToJScript
     - https://thewover.github.io/Introducing-Donut/
     - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
 author: omkar72, oscd.community
 date: 2020/10/14
-modified: 2021/11/27
+modified: 2023/01/06
 tags:
     - attack.execution
     - attack.privilege_escalation
@@ -22,6 +23,8 @@ detection:
             - '\wscript.exe'
             - '\cscript.exe'
             - '\mshta.exe'
+            - '\cmstp.exe'
+            - '\msxsl.exe'
         ImageLoaded|endswith:
             - '\clr.dll'
             - '\mscoree.dll'
diff --git a/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml b/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml
index 7921423c7..9aa733888 100755
--- a/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml
+++ b/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml
@@ -1,12 +1,12 @@
-title: VBA DLL Loaded Via Microsoft Word
+title: VBA DLL Loaded Via Office Application
 id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
 status: test
-description: Detects DLL's Loaded Via Word Containing VBA Macros
+description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
 references:
     - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
 date: 2020/02/19
-modified: 2021/11/27
+modified: 2023/01/06
 tags:
     - attack.execution
     - attack.t1204.002
diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index f5681b205..335baafab 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection:
         ContextInfo|contains: '*'
diff --git a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
index f9de98a09..44eceaa41 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
@@ -21,7 +21,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_4103:
         Payload|contains:
diff --git a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
index 95535ca0b..4df78d588 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_1a_payload:
         Payload|contains:
diff --git a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
index 826bb54ff..4fd3af03c 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_4103:
         Payload|contains: 'Expand-Archive'
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
index fd3a425c0..095388e73 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection:
         Payload|contains|all:
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
index 5ba8781e7..bdb3c7e4b 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
@@ -7,18 +7,18 @@ references:
     - https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/05/02
-modified: 2022/06/20
+modified: 2023/01/04
 tags:
     - attack.collection
     - attack.t1115
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
-    selection_4103:
+    selection:
         Payload|contains: 'Get-Clipboard'
-    condition: selection_4103
+    condition: selection
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
index 46976953b..947318b1a 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_4103:
         Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
index f23e75d22..ade49c077 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_payload:
         - Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
index 010548ea8..8ca8db286 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_4103:
         Payload|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"'
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
index f95db218a..47582f71a 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_4103:
         Payload|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
index c459d364a..3c9c60b8a 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_4103:
         Payload|contains|all:
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
index 0e9e880c6..272615b59 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_4103:
         Payload|contains|all:
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
index e5b6f4462..d350934c0 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_4103:
         Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"'
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
index 567a0fe9e..40955c038 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_4103:
         Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
index ad33cb51d..97918504e 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
@@ -9,7 +9,7 @@ references:
     - https://github.com/SigmaHQ/sigma/issues/1009 #(Task31)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
-modified: 2022/11/29
+modified: 2023/01/04
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -18,9 +18,9 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabledd
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
-    selection_4103:
+    selection:
         Payload|contains|all:
             - 'set'
             - '&&'
@@ -28,7 +28,7 @@ detection:
             - 'vbscript:createobject'
             - '.run'
             - '(window.close)'
-    condition: selection_4103
+    condition: selection
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
index 0dcd50e28..535393eb3 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_4103:
         Payload|contains|all:
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
index 10e11a918..7b992b806 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_4103:
         Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
diff --git a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml
index c2c8b233a..230e21713 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection:
         ContextInfo|contains:
diff --git a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
index 6f9d204c1..fc612df0d 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection:
         ContextInfo|contains|all:
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
index a49837b18..3facf209c 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     test_2:
         - Payload|contains: get-ADPrincipalGroupMembership
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
index 6e59a9f24..0585ac797 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
@@ -7,14 +7,14 @@ references:
     - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
 author: frack113
 date: 2021/07/13
-modified: 2022/12/02
+modified: 2023/01/04
 tags:
     - attack.defense_evasion
     - attack.t1218
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabledd
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_cmd:
         ContextInfo|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand '
@@ -24,12 +24,7 @@ detection:
             - '-ModulePath '
             - '-ScriptBlock '
             - '-RemoteFXvGPUDisablementFilePath'
-    condition: selection_cmd and selection_opt
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-    - ParentCommandLine
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
index c5ffd17ef..6d0a118f7 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection:
         ContextInfo|contains: 'Get-NetTCPConnection'
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
index e37c54b48..6e2d3bb30 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
@@ -3,28 +3,32 @@ id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
 related:
     - id: 3d304fda-78aa-43ed-975c-d740798a49c1
       type: derived
+    - id: ed965133-513f-41d9-a441-e38076a0798f
+      type: similar
 status: experimental
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (rule)
 date: 2017/03/12
-modified: 2022/12/02
+modified: 2023/01/03
 tags:
     - attack.execution
     - attack.t1059.001
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_encoded:
         ContextInfo|contains:
             - ' -enc '
             - ' -EncodedCommand '
+            - ' -ec '
     selection_hidden:
         ContextInfo|contains:
             - ' -w hidden '
             - ' -window hidden '
             - ' -windowstyle hidden '
+            - ' -w 1 '
     selection_noninteractive:
         ContextInfo|contains:
             - ' -noni '
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
index 8c224599e..cbd449cb0 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
@@ -3,18 +3,22 @@ id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
 related:
     - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
       type: derived
+    - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
+      type: similar
+    - id: 536e2947-3729-478c-9903-745aaffe60d2
+      type: similar
 status: experimental
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
-modified: 2022/12/02
+modified: 2023/01/05
 tags:
     - attack.execution
     - attack.t1059.001
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_convert_b64:
         ContextInfo|contains|all:
@@ -64,7 +68,7 @@ detection:
         ContextInfo|contains:
             - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
             - 'Write-ChocolateyWarning'
-    condition: 1 of selection* and not 1 of filter*
+    condition: 1 of selection_* and not 1 of filter_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
index 36cd5f293..414038c71 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     test_3:
         - Payload|contains:
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
index 7985de802..d52ff5326 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection:
         ContextInfo|contains: 'Reset-ComputerMachinePassword'
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
index 76ec86dc2..201f634c2 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection:
         - Payload|contains: get-smbshare
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
index 0579a4f7a..839919b76 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_4103:
         ContextInfo|contains|all:
diff --git a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
index ed0d1c132..899a443f7 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection:
         ContextInfo|contains: 'SyncAppvPublishingServer.exe'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
index a745ebdc1..5326d1f6b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
@@ -20,7 +20,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_cmd:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml
index df4639d7e..9890b9455 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
index 23b3341b7..2c8971122 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script Block Logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
index 8482c2316..9344c27ad 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml
index 678e522be..744061a8e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
new file mode 100644
index 000000000..fa229d87a
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
@@ -0,0 +1,27 @@
+title: Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging
+id: fa2559c8-1197-471d-9cdd-05a0273d4522
+related:
+    - id: 92a974db-ab84-457f-9ec0-55db83d7a825
+      type: similar
+status: experimental
+description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
+references:
+    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
+author: Nasreddine Bencherchali
+date: 2023/01/04
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: windows
+    service: powershell
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection:
+        ScriptBlockLogging|contains:
+            - "if(0){{{0}}}' -f $(0 -as [char]) +"
+            - "#<NULL>"
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml b/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml
index f2b73179c..65c1adbec 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml
@@ -20,6 +20,7 @@ tags:
 logsource:
     product: windows
     service: powershell
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     empire:
         # better to randomise the order
diff --git a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml
index 54e8f51e4..5f4479c4f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         #4194304 DONT_REQ_PREAUTH
diff --git a/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml
index 5d26c54cb..f08297092 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_ext:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml
index 7f0bf381f..b52742308 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: '.CopyFromScreen'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml
index ed41b15b2..58bf2d79f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml
index 45bb433b9..626222653 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
index cddc30ca5..d71d9a6ef 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml
index c11b8debe..2a268411c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
index 12f875418..c1de11032 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection1a:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
index dd5ff3bb1..1f131eaf9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection1:
         ScriptBlockText|contains: Clear-History
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
index c1c7fb77f..3f7ced816 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_cmdlet:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml
index 8520b93de..4f015b275 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
index 03c915c60..ca28cd647 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_copy:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
index c14435c36..c958c74e5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
index dde79372c..1a61b9f01 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: 'New-LocalUser'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
index aaa8fb639..295acc7b8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
index cca164ff5..426d1093c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
index 0462aaa64..461dea45e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_action:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml
index d6e71c8bc..926eef0f8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script Block Logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
index 6538dcd50..8f22cc66e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: System.DirectoryServices.AccountManagement
diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml
index ca73990c6..0dc350ac3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml
index 51f323566..9d25a3898 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_cmd:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
index 835ff5cc2..2b27478f2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: 'Start-Dnscat2'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
index 0236bb86e..182a9dd07 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_kiddie:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
index a91231944..261f32155 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_cmdlet:
         ScriptBlockText|contains: 'Enable-PSRemoting '
diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml
index 42e9e9523..2748b953b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml
@@ -19,7 +19,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_cmd:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
index 2936b9cc4..3217f716d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_cmd:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
index 29c478e2e..e95b2ac3e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_pwsh_remove:   #Autologger provider removal
         ScriptBlockText|contains: 'Remove-EtwTraceProvider '
diff --git a/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
index e7bd9b6f4..2a849fd21 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
@@ -11,7 +11,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
index e96a83222..72a20a433 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml
index 6199b3064..d9bcf8a6b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml
@@ -12,7 +12,7 @@ date: 2022/12/23
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
index 9fb1db082..65ba85aca 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml
index 0e41957b9..4df3417ad 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml
index df302f649..9ffd8f8d8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
index 6b95f660a..859873cea 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
index 1c0c1665e..0b0acc4b2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
index 88aee21b4..07ac82232 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
@@ -11,7 +11,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml
index 268431ea1..298c852d1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
index dee35db0e..f91f79597 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_import:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
index 8de575e07..fd593ed98 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_cmdlet:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
index 50a292386..81743a193 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_cmdlet:
         - ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
index 67d28cc30..6a31ff85f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_4104:
         ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
index 961bf2f7a..3072d3a9d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_iex:
         - ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
index eaf60b389..6655b55cb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_4104:
         ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
index 59bf712e2..1f74ac185 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_4104:
         ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
index 0faf6f2f3..c4b59ffee 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_4104:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
index e89bc32d9..2ef76b674 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_4104:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
index 1d8a40dc1..97483435b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_4104:
         ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
index c1b3ad62c..376de6fbd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_4104:
         ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
index 0d685fdb1..7aa4eec0f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_4104:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
index 8a5d19679..c5ea8efd9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_4104:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
index 6bedc03fb..13730ccf8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_4104:
         ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
diff --git a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
index 6a3a73bf6..e3b70db34 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_basic:
         ScriptBlockText|contains: 'Get-Keystrokes'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
index 501c3c0eb..18053947f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml b/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
index 7825d3345..ab2894205 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index 6d3e83f5d..d7c926141 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -21,9 +21,10 @@ references:
     - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
     - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
     - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
+    - https://github.com/HarmJ0y/DAMP
 author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
 date: 2017/03/05
-modified: 2023/01/02
+modified: 2023/01/05
 tags:
     - attack.execution
     - attack.discovery
@@ -38,15 +39,18 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script Block Logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
             - 'Add-Exfiltration'
             - 'Add-Persistence'
             - 'Add-RegBackdoor'
+            - 'Add-RemoteRegBackdoor'
             - 'Add-ScrnSaveBackdoor'
             - 'Check-VM'
+            - 'ConvertTo-Rc4ByteStream'
+            - 'Decrypt-Hash'
             - 'Do-Exfiltration'
             - 'Enabled-DuplicateToken'
             - 'Exploit-Jboss'
@@ -64,6 +68,12 @@ detection:
             - 'Get-PassHashes'
             - 'Get-RegAlwaysInstallElevated'
             - 'Get-RegAutoLogon'
+            - 'Get-RemoteBootKey'
+            - 'Get-RemoteCachedCredential'
+            - 'Get-RemoteLocalAccountHash'
+            - 'Get-RemoteLSAKey'
+            - 'Get-RemoteMachineAccountHash'
+            - 'Get-RemoteNLKMKey'
             - 'Get-RickAstley'
             - 'Get-Screenshot'
             - 'Get-SecurityPackages'
@@ -211,6 +221,7 @@ detection:
             - 'Invoke-Zerologon'
             - 'MailRaider'
             - 'New-HoneyHash'
+            - 'New-InMemoryModule'
             - 'Out-Minidump'
             - 'Port-Scan'
             - 'PowerBreach'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
index d1a82c7da..baa89ee45 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
index 3ef3cc064..9c2fdf12d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml b/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
index 56be9cb6c..165852609 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_path:
         ScriptBlockText|contains: \SOFTWARE\Policies\Microsoft\Windows\System
diff --git a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
index bc7de16b3..7c0110098 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index 9a68fcd84..b878064e2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
index 702df6e6e..6485befa8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_content:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
index f94cb548b..27ebe0fde 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
index 12036f63b..4fb949f32 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script Block Logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
index f742e1293..d03f82f61 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: 'PromptForCredential'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml b/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
index 7f392e44b..95b10125e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: 'PSAsyncShell'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
index d8be59d97..927e769d9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: 'PS ATTACK!!!'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
index aa160f594..49e612494 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
index c75aee72c..e181f62a9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
index 51d67294f..ddc1cf1ef 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: System.IdentityModel.Tokens.KerberosRequestorSecurityToken
diff --git a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
index 269775a91..7276ced41 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection1:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
index 1d2663ef6..287caec29 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
index 9cdd71a13..779c695a4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_1:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
index db41fc30d..9e79f3aa2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: 'Send-MailMessage'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
index cb99de2e3..497c0d9b4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_action:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
index 0a7e959c1..92e9ce7ff 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     cmdlet:
         ScriptBlockText|contains: 'Set-ExecutionPolicy'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
index 33ed1c1de..77c40abbb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: 'AAAAYInlM'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
index 0e7ce203a..fd3eb2972 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script Block Logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
index 1e7e08871..4fdeb58a1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
index b1973cef2..df0557846 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_compspec:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
new file mode 100644
index 000000000..4e660deeb
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
@@ -0,0 +1,33 @@
+title: Potential Persistence Via Security Descriptors - ScriptBlock
+id: 2f77047c-e6e9-4c11-b088-a3de399524cd
+status: experimental
+description: Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
+references:
+    - https://github.com/HarmJ0y/DAMP
+author: Nasreddine Bencherchali
+date: 2023/01/05
+tags:
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.privilege_escalation
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'win32_Trustee'
+            - 'win32_Ace'
+            - '.AccessMask'
+            - '.AceType'
+            - '.SetSecurityDescriptor'
+        ScriptBlockText|contains:
+            - '\Lsa\JD'
+            - '\Lsa\Skew1'
+            - '\Lsa\Data'
+            - '\Lsa\GBG'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
index cbb20614d..d3365ee89 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     test_2:
         ScriptBlockText|contains: get-ADPrincipalGroupMembership
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
index e3484e805..97238f5d8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
index 67b6b25a5..55d817a7e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
index b8a2e0a53..bea931133 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     webclient:
         ScriptBlockText|contains: 'System.Net.WebClient'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
index b814f9f23..f26d83b63 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_start:
         ScriptBlockText|contains: Start-Process
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
index c01b922c5..1b882804c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: 'Export-PfxCertificate'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
index c0c3b1688..f2ebf2f61 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
index 6404067b4..4c462db62 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
index eed1d381f..dfa2eb12b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: Get-AdDefaultDomainPasswordPolicy
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
index 306f99d50..91b760ca3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
index 8fce8cea8..b30d717b4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: Get-GPO
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
index 3e4ed607a..2ecdba0d0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: Get-Process
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
index 2a1c1e65d..418a10281 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script Block Logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: 'Get-Process lsass'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
index 016637ff1..95e93e86d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml
index 982006546..fc85471f7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
index 3e88f4542..1f35d5f74 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
index d4d6ca63d..c431c9f3c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
@@ -3,28 +3,32 @@ id: ed965133-513f-41d9-a441-e38076a0798f
 related:
     - id: 3d304fda-78aa-43ed-975c-d740798a49c1
       type: derived
+    - id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
+      type: similar
 status: test
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (rule)
 date: 2017/03/12
-modified: 2022/12/25
+modified: 2023/01/03
 tags:
     - attack.execution
     - attack.t1059.001
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_encoded:
         ScriptBlockText|contains:
             - ' -enc '
             - ' -EncodedCommand '
+            - ' -ec '
     selection_hidden:
         ScriptBlockText|contains:
             - ' -w hidden '
             - ' -window hidden '
             - ' -windowstyle hidden '
+            - ' -w 1 '
     selection_noninteractive:
         ScriptBlockText|contains:
             - ' -noni '
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
index d98028c9a..a35ced0ba 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
@@ -3,27 +3,31 @@ id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
 related:
     - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
       type: derived
+    - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
+      type: similar
+    - id: 536e2947-3729-478c-9903-745aaffe60d2
+      type: similar
 status: experimental
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
-modified: 2022/02/21
+modified: 2023/01/05
 tags:
     - attack.execution
     - attack.t1059.001
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
-    select_convert_b64:
+    selection_convert_b64:
         ScriptBlockText|contains|all:
             - '-nop'
             - ' -w '
             - 'hidden'
             - ' -c '
             - '[Convert]::FromBase64String'
-    select_iex_selection:
+    selection_iex_selection:
         ScriptBlockText|contains|all:
             - ' -w '
             - 'hidden'
@@ -32,20 +36,20 @@ detection:
             - ' -c '
             - 'iex'
             - 'New-Object'
-    select_enc_selection:
+    selection_enc_selection:
         ScriptBlockText|contains|all:
             - ' -w '
             - 'hidden'
             - '-ep'
             - 'bypass'
             - '-Enc'
-    select_reg_selection:
+    selection_reg_selection:
         ScriptBlockText|contains|all:
             - 'powershell'
             - 'reg'
             - 'add'
             - 'HKCU\software\microsoft\windows\currentversion\run'
-    select_webclient_selection:
+    selection_webclient_selection:
         ScriptBlockText|contains|all:
             - 'bypass'
             - '-noprofile'
@@ -54,7 +58,7 @@ detection:
             - 'new-object'
             - 'system.net.webclient'
             - '.download'
-    select_iex_webclient:
+    selection_iex_webclient:
         ScriptBlockText|contains|all:
             - 'iex'
             - 'New-Object'
@@ -65,7 +69,7 @@ detection:
             - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
             - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
             - 'Write-ChocolateyWarning'
-    condition: 1 of select* and not 1 of filter*
+    condition: 1 of selection_* and not 1 of filter_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
index 5fe1d34d9..61071b01b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
index c595f7474..0e8decea4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
new file mode 100644
index 000000000..d0796f6d0
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
@@ -0,0 +1,26 @@
+title: Potential Keylogger Activity
+id: 965e2db9-eddb-4cf6-a986-7a967df651e4
+status: experimental
+description: Detects PowerShell scripts that contains reference to keystroke capturing functions
+references:
+    - https://twitter.com/ScumBots/status/1610626724257046529
+    - https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content
+    - https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content
+    - https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0
+author: Nasreddine Bencherchali
+date: 2023/01/04
+tags:
+    - attack.collection
+    - attack.credential_access
+    - attack.t1056.001
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection:
+        ScriptBlockText|contains: '[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
index 1321b31b9..05a66e50b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled for 4104
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
index a3750fde6..51dcb960c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     test_3:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
index 02e29b791..b9159bcbe 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
index 5dbc2f1ac..7cb2cf29b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
index 59e59dae7..9ccd81c10 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
index e0e381e37..4020eb333 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
index 61737d379..6293d0c16 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
index 392f497b8..f6bb2827d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
index 5ec305e37..0478af77b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_action:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
index 9966e7b8a..f5b63be2d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
index 36667445c..64e36663e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_sddl_flag:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
new file mode 100644
index 000000000..abbc8cf1e
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
@@ -0,0 +1,26 @@
+title: Potential PowerShell Obfuscation Using Alias Cmdlets
+id: 96cd126d-f970-49c4-848a-da3a09f55c55
+status: experimental
+description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
+references:
+    - https://github.com/1337Rin/Swag-PSO
+author: frack113
+date: 2023/01/08
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1027
+    - attack.t1059.001 
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection:
+        ScriptBlockText|contains:
+            - 'Set-Alias '
+            - 'New-Alias '
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
index 775db8b76..f46c20b08 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: get-smbshare
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
index b840d8d3f..fe2906a00 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
index 1ae9f611a..4e689a786 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
index 5dfe70bc1..666ce10d0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
index 5d5615af3..03bf4c28b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_1:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
index 79d8c7ca2..7dd77e543 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: Win32_PnPEntity
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
index 863835803..7b53b258e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
index ea8c32176..c18e3b00f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
@@ -6,23 +6,27 @@ description: |
     In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
-author: frack113
+author: frack113, Tim Shelton (fp AWS)
 date: 2021/10/20
-modified: 2022/12/25
+modified: 2023/01/03
 tags:
     - attack.defense_evasion
     - attack.t1564.003
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
             - 'powershell'
             - 'WindowStyle'
             - 'Hidden'
-    condition: selection
+    filter:
+        ScriptBlockText|contains|all:
+            - ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
+            - '$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule'
+    condition: selection and not filter
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
index 3bf43e462..f9b1a61d4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
@@ -11,7 +11,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
index 5c4423415..83a82e09f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script Block Logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_4104:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
index 2b296019a..88486a63c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: 'SyncAppvPublishingServer.exe'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
index 8d2a5aa0d..6cdeaa8a2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_options_disabling_preference:
         ScriptBlockText|contains: 'Set-MpPreference'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
index 878e181a2..f9d75a872 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_remove:
         ScriptBlockText|contains: 'Remove-MpPreference'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
index 447eb452c..8476044f5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
index 6b01394ae..915f754d8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_ioc:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
index bb7aa8894..07d60631b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
@@ -9,14 +9,14 @@ references:
     - https://github.com/danielbohannon/Invoke-Obfuscation
 author: frack113
 date: 2022/12/27
-modified: 2022/12/30
+modified: 2023/01/03
 tags:
     - attack.defense_evasion
     - attack.t1027.009
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         # Examples:
@@ -28,7 +28,9 @@ detection:
         #- ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
         - ScriptBlockText|re: '"(\{\d\})+"\s*-f'
         - ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
-    condition: selection
+    filter:
+        ScriptBlockText|contains: 'it will return true or false instead'  # Chocolatey install script https://github.com/chocolatey/chocolatey
+    condition: selection and not filter
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml b/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
index 33eeecfb1..f8e3495de 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_upload.yml b/rules/windows/powershell/powershell_script/posh_ps_upload.yml
index 2ba788f2a..4d7e2283e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_upload.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_upload.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_cmdlet:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml b/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml
index eccbec3af..f6f4b8e80 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
index fad3f7007..37ab5b8ba 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
index 695c9fff0..b54a9a758 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
index 54c54c962..ac66e8082 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
index d5360f44f..acacbec7c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     category: ps_script
     product: windows
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_args_exc:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
index a2f99f466..a02efba72 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
@@ -20,7 +20,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_args:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
index 3ce685531..24ab10e8c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains: 'CurrentVersion\Winlogon'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
index 0d446e39c..9cab3e260 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_ioc:
         - ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml
index 5ed3c1338..d53f5db28 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
index da767dee7..8bd67af54 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
index 223b3637b..aa42855b6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
@@ -14,7 +14,7 @@ date: 2022/12/23
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
index 78da29951..dc27f6514 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
     product: windows
     category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection_xml:
         ScriptBlockText|contains|all:
diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
new file mode 100644
index 000000000..a876d74a3
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
@@ -0,0 +1,25 @@
+title: Potential NT API Stub Patching
+id: b916cba1-b38a-42da-9223-17114d846fd6
+status: experimental
+description: Detects potential NT API stub patching as seen used by the project PatchingAPI
+references:
+    - https://github.com/D1rkMtr/UnhookingPatch
+    - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
+author: frack113
+date: 2023/01/07
+tags:
+    - attack.defense_evasion
+    - attack.t1562.002
+logsource:
+    category: process_access
+    product: windows
+detection:
+    selection:
+        GrantedAccess: '0x1FFFFF'
+        CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
+        CallTrace|contains: '|UNKNOWN('
+        CallTrace|endswith: ')'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_amsi_null_bits_bypass.yml b/rules/windows/process_creation/proc_creation_win_amsi_null_bits_bypass.yml
new file mode 100644
index 000000000..2a6d13d82
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_amsi_null_bits_bypass.yml
@@ -0,0 +1,26 @@
+title: Potential AMSI Bypass Using NULL Bits - ProcessCreation
+id: 92a974db-ab84-457f-9ec0-55db83d7a825
+related:
+    - id: fa2559c8-1197-471d-9cdd-05a0273d4522
+      type: similar
+status: experimental
+description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
+references:
+    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
+author: Nasreddine Bencherchali
+date: 2023/01/04
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        CommandLine|contains:
+            - "if(0){{{0}}}' -f $(0 -as [char]) +"
+            - "#<NULL>"
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml b/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml
new file mode 100644
index 000000000..d1bbf3ae2
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml
@@ -0,0 +1,34 @@
+title: Suspicious Double File Extention in ParentCommandLine
+id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c
+related:
+    - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
+      type: derived
+status: experimental
+description: Detect execution of suspicious double extension files in ParentCommandLine
+references:
+    - https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior
+    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
+author: frack113
+date: 2023/01/06
+tags:
+    - attack.defense_evasion
+    - attack.t1036.007 
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentCommandLine|contains: 
+            - '.doc.lnk'
+            - '.docx.lnk'
+            - '.xls.lnk'
+            - '.xlsx.lnk'
+            - '.ppt.lnk'
+            - '.pptx.lnk'
+            - '.rtf.lnk'
+            - '.pdf.lnk'
+            - '.txt.lnk'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml
index 2194f4acd..bee5a6cc4 100644
--- a/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
 date: 2019/10/21
-modified: 2022/06/12
+modified: 2023/01/03
 tags:
     - attack.discovery
     - attack.t1033
@@ -15,30 +15,33 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection_1:
-        - Image|endswith: '\whoami.exe'
-        - Image|endswith: '\wmic.exe'
-          CommandLine|contains|all:
-            - 'useraccount'
-            - 'get'
-        - Image|endswith:
+    selection_other_img:
+        Image|endswith:
+            - '\whoami.exe'
             - '\quser.exe'
             - '\qwinsta.exe'
-        - Image|endswith: '\cmdkey.exe'
-          CommandLine|contains: ' /l'
-        - Image|endswith: '\cmd.exe'
-          CommandLine|contains|all:
+    selection_other_wmi:
+        Image|endswith: '\wmic.exe'
+        CommandLine|contains|all:
+            - 'useraccount'
+            - 'get'
+    selection_other_cmdkey:
+        Image|endswith: '\cmdkey.exe'
+        CommandLine|contains: ' /l'
+    selection_cmd:
+        Image|endswith: '\cmd.exe'
+        CommandLine|contains|all:
             - ' /c'
             - 'dir '
             - '\Users\'
-    filter_1:
+    filter_cmd:
         CommandLine|contains: ' rmdir ' # don't match on 'dir'   "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005"
-    selection_2:
+    selection_net:
         Image|endswith:
             - '\net.exe'
             - '\net1.exe'
         CommandLine|contains: 'user'
-    filter_2:
+    filter_net:
         CommandLine|contains:
             - '/domain'       # local account discovery only
             - '/add'          # discovery only
@@ -49,15 +52,7 @@ detection:
             - '/scriptpath'   # discovery only
             - '/times'        # discovery only
             - '/workstations' # discovery only
-    condition: (selection_1 and not filter_1) or (selection_2 and not filter_2)
-fields:
-    - Image
-    - CommandLine
-    - User
-    - LogonGuid
-    - Hashes
-    - ParentProcessGuid
-    - ParentCommandLine
+    condition: (selection_cmd and not filter_cmd) or (selection_net and not filter_net) or 1 of selection_other_*
 falsepositives:
     - Legitimate administrator or user enumerates local users for legitimate reason
 level: low
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cdb.yml b/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml
similarity index 72%
rename from rules/windows/process_creation/proc_creation_win_susp_cdb.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml
index ab3ec391d..325a8c7d1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cdb.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml
@@ -1,14 +1,14 @@
-title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner
+title: WinDbg/CDB LOLBIN Usage
 id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
 status: test
-description: Launch 64-bit shellcode from a debugger script file using cdb.exe.
+description: Detects usage of "cdb.exe" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file
 references:
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
-    - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
+    - https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
     - https://twitter.com/nas_bench/status/1534957360032120833
 author: Beyu Denis, oscd.community, Nasreddine Bencherchali
 date: 2019/10/26
-modified: 2022/06/09
+modified: 2023/01/04
 tags:
     - attack.execution
     - attack.t1106
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml b/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml
index a297dfe47..2bce671d0 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml
@@ -1,12 +1,12 @@
 title: Monitoring Winget For LOLbin Execution
 id: 313d6012-51a0-4d93-8dfc-de8553239e25
 status: experimental
-description: Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.
+description: Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them without touching disk. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.
 references:
     - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install
 author: Sreeman, Florian Roth, Frack113
 date: 2020/04/21
-modified: 2022/01/11
+modified: 2023/01/03
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -15,16 +15,16 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        CommandLine|contains|all:
-            - 'winget'
-            - 'install'
+    selection_img:
+        - Image|endswith: '\winget.exe'
+        - OriginalFileName: 'winget.exe'
+    selection_install_flag:
+        CommandLine|contains: 'install'
+    selection_manifest_flag:
         CommandLine|contains:
             - '-m '
             - '--manifest'
-    condition: selection
-fields:
-    - CommandLine
+    condition: all of selection_*
 falsepositives:
     - Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users.
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml b/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml
index 375c72c13..ff672f2cb 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml
@@ -1,5 +1,10 @@
 title: Use of Forfiles For Execution
 id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
+related:
+    - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
+      type: obsoletes
+    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
+      type: obsoletes
 status: experimental
 description: Execute commands and binaries from the context of "forfiles". This is used as a LOLBIN for example to bypass application whitelisting.
 references:
@@ -31,5 +36,5 @@ detection:
             - ' -c '
     condition: all of selection*
 falsepositives:
-    - Legitimate use by a via a batch script or by an administrator.
+    - Legitimate use via a batch script or by an administrator.
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
index 45a030e69..2a068f1fb 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
@@ -1,12 +1,16 @@
 title: Use of Pcalua For Execution
 id: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2
+related:
+    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
+      type: obsoletes
 status: experimental
-description: Execute commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This is used as a LOLBIN for example to bypass application whitelisting.
+description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/
     - https://pentestlab.blog/2020/07/06/indirect-command-execution/
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 date: 2022/06/14
+modified: 2023/01/04
 tags:
     - attack.execution
     - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
index 4e0562d41..0be61da5f 100644
--- a/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
@@ -17,8 +17,10 @@ references:
     - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
     - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
     - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
+    - https://github.com/HarmJ0y/DAMP
 author: Nasreddine Bencherchali
 date: 2023/01/02
+modified: 2023/01/05
 tags:
     - attack.execution
     - attack.discovery
@@ -39,8 +41,11 @@ detection:
             - 'Add-Exfiltration'
             - 'Add-Persistence'
             - 'Add-RegBackdoor'
+            - 'Add-RemoteRegBackdoor'
             - 'Add-ScrnSaveBackdoor'
             - 'Check-VM'
+            - 'ConvertTo-Rc4ByteStream'
+            - 'Decrypt-Hash'
             - 'Do-Exfiltration'
             - 'Enabled-DuplicateToken'
             - 'Exploit-Jboss'
@@ -58,6 +63,12 @@ detection:
             - 'Get-PassHashes'
             - 'Get-RegAlwaysInstallElevated'
             - 'Get-RegAutoLogon'
+            - 'Get-RemoteBootKey'
+            - 'Get-RemoteCachedCredential'
+            - 'Get-RemoteLocalAccountHash'
+            - 'Get-RemoteLSAKey'
+            - 'Get-RemoteMachineAccountHash'
+            - 'Get-RemoteNLKMKey'
             - 'Get-RickAstley'
             - 'Get-Screenshot'
             - 'Get-SecurityPackages'
@@ -205,6 +216,7 @@ detection:
             - 'Invoke-Zerologon'
             - 'MailRaider'
             - 'New-HoneyHash'
+            - 'New-InMemoryModule'
             - 'Out-Minidump'
             - 'Port-Scan'
             - 'PowerBreach'
diff --git a/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml b/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml
index 82d2e0c6d..7b95ab800 100644
--- a/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml
+++ b/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml
@@ -1,7 +1,7 @@
 title: Suspicious Usage of the Manage-bde.wsf Script
 id: c363385c-f75d-4753-a108-c1a8e28bdbda
 status: test
-description: Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script
+description: Detects usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script
 references:
     - https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/
     - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml b/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
index b953fc654..e28e6189b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
@@ -1,4 +1,4 @@
-title: PowerShell Downgrade Attack
+title: Potential PowerShell Downgrade Attack
 id: b3512211-c67e-4707-bedc-66efc7848863
 related:
     - id: 6331d09b-4785-4c13-980f-f96661356249
@@ -7,9 +7,10 @@ status: test
 description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
 references:
     - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-
 author: Harish Segar (rule)
 date: 2020/03/20
-modified: 2022/07/14
+modified: 2023/01/04
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -19,9 +20,7 @@ logsource:
     product: windows
 detection:
     selection:
-        Image|endswith:
-            - '\powershell.exe'
-            - '\pwsh.exe'
+        Image|endswith: '\powershell.exe'
         CommandLine|contains:
             - ' -version 2 '
             - ' -versio 2 '
@@ -29,6 +28,7 @@ detection:
             - ' -vers 2 '
             - ' -ver 2 '
             - ' -ve 2 '
+            - ' -v 2 '
     condition: selection
 falsepositives:
     - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml
index 8395bb6bc..03f94f14c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml
@@ -7,6 +7,7 @@ references:
     - https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 author: Florian Roth
 date: 2022/09/13
+modified: 2023/01/05
 tags:
     - attack.command_and_control
     - attack.t1572
@@ -14,13 +15,13 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection_img:
         Image|endswith: '\3proxy.exe'
     selection_pe:
         Description: '3proxy - tiny proxy server'
     selection_params: # param combos seen in the wild
         CommandLine|contains: '.exe -i127.0.0.1 -p'
-    condition: 1 of selection
+    condition: 1 of selection_*
 falsepositives:
     - Administrative activity
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
index 6f2c861cb..1323b9225 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/Wh04m1001/SysmonEoP
 author: frack113, Tim Shelton (update fp)
 date: 2022/12/05
-modified: 2022/12/28
+modified: 2023/01/06
 tags:
     - attack.privilege_escalation
     - attack.defense_evasion
@@ -30,16 +30,25 @@ detection:
             - 'AUTHORI'
             - 'AUTORI'
         LogonId: '0x3e7'
-    filter_compattelrunner:
-        ParentImage: 'C:\Windows\System32\CompatTelRunner.exe'
-        ParentCommandLine|contains: '-m:appraiser.dll -f:DoScheduledTelemetryRun'
-        OriginalFileName: 'PowerShell.EXE'
-        CommandLine|contains: '-ExecutionPolicy Restricted -Command Write-Host'
-    filter_erl:
-        # Example:
+    filter_generic:
+        # Example 1:
         #   C:\Program Files\erl-23.2\erts-11.1.4\bin\erl.exe" -service_event ErlSrv_RabbitMQ -nohup -sname rabbit@localhost -s rabbit boot -boot start_sasl +W w +MBas ageffcbf +MHas ageffcbf +MBlmbcs 512 +MHlmbcs 512 +MMmcs 30 +P 1048576 +t 5000000 +stbt db +zdbbl 128000 +sbwt none +sbwtdcpu none +sbwtdio none -kernel inet_dist_listen_min 25672 -kernel inet_dist_listen_max 25672 -lager crash_log false -lager handlers []
-        ParentImage|startswith: 'C:\Program Files\erl-'
-        ParentImage|endswith: '\bin\erl.exe'
+        # Example 2:
+        #   ParentImage: C:\Program Files (x86)\Varonis\DatAdvantage\GridCollector\VrnsRealTimeAlertsSvc.exe" /appid 000000ad-cb03-500b-9459-c46d000000ad
+        #   CommandLine: C:\Windows\system32\cmd.exe /c C:\Program Files "(x86)\Varonis\DatAdvantage\GridCollector\handle_scopes.cmd C:\Collector" Working Share\VaronisWorkDirectoryCollector
+        ParentImage|startswith:
+            - 'C:\Windows\System32\'
+            - 'C:\Program Files (x86)\'
+            - 'C:\Program Files\'
+        Image|endswith:
+            - '\cmd.exe'
+            - '\powershell.exe'
+    filter_manageengine:
+        # Example:
+        #   ParentImage: C:/ManageEngine/ADManager Plus/pgsql/bin/postgres.exe" --forkarch 5380
+        #   CommandLine: C:\Windows\system32\cmd.exe /c "IF EXIST archive.bat (archive.bat pg_wal\000000010000008E000000EA 000000010000008E000000EA)
+        ParentImage: 'C:\ManageEngine\ADManager Plus\pgsql\bin\postgres.exe'
+        Image|endswith: '\cmd.exe'
     condition: all of selection_* and not 1 of filter_*
 falsepositives:
     - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
index 0694210af..87112f39a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
@@ -5,12 +5,16 @@ description: Detects clearing or configuration of eventlogs using wevtutil, powe
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
     - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
-author: Ecco, Daniil Yugoslavskiy, oscd.community
+    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+    - https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee
+    - https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
+author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
 date: 2019/09/26
-modified: 2022/09/12
+modified: 2023/01/06
 tags:
     - attack.defense_evasion
     - attack.t1070.001
+    - attack.t1562.002
     - car.2016-04-002
 logsource:
     category: process_creation
@@ -23,6 +27,7 @@ detection:
             - ' cl '                # short version of 'clear-log'
             - 'set-log '            # modifies config of specified log. could be uset to set it to a tiny size
             - ' sl '                # short version of 'set-log'
+            - 'lfn:'                # change log file location and name
     selection_other_ps:
         Image|endswith:
             - '\powershell.exe'
@@ -35,8 +40,17 @@ detection:
     selection_other_wmic:
         Image|endswith: '\wmic.exe'
         CommandLine|contains: ' ClearEventLog '
-    condition: 1 of selection_*
+    filter_msiexec:
+        # Example seen during office update/installation:
+        #   ParentImage: C:\Windows\SysWOW64\msiexec.exe
+        #   CommandLine: "C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false
+        ParentImage:
+            - 'C:\Windows\SysWOW64\msiexec.exe'
+            - 'C:\Windows\System32\msiexec.exe'
+        CommandLine|contains: ' sl '
+    condition: 1 of selection_* and not 1 of filter_*
 falsepositives:
     - Admin activity
     - Scripts and administrative tools used in the monitored environment
+    - Maintenance activity
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml
index aa78f8cbc..98bc09e1c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml
@@ -6,7 +6,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/GfxDownloadWrapper/
 author: Victor Sergeev, oscd.community
 date: 2020/10/09
-modified: 2021/11/27
+modified: 2022/01/06
 tags:
     - attack.command_and_control
     - attack.t1105
@@ -18,7 +18,9 @@ detection:
         Image|endswith: '\GfxDownloadWrapper.exe'
     filter:
         CommandLine|contains: 'gameplayapi.intel.com'
-        ParentImage|endswith: '\GfxDownloadWrapper.exe'
+        ParentImage|endswith: 
+            - '\GfxDownloadWrapper.exe'
+            - '\igfxEM.exe'
     condition: image_path and not filter
 fields:
     - CommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml b/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml
new file mode 100644
index 000000000..10eb2b7d9
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml
@@ -0,0 +1,46 @@
+title: Suspicious Git Clone
+id: aef9d1f1-7396-4e92-a927-4567c7a495c1
+status: experimental
+description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
+references:
+    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
+author: Nasreddine Bencherchali
+date: 2023/01/03
+tags:
+    - attack.reconnaissance
+    - attack.t1593.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+            - '\git.exe'
+            - '\git-remote-https.exe'
+        - OriginalFileName: 'git.exe'
+    selection_cli:
+        CommandLine|contains:
+            - ' clone '
+            - 'git-remote-https '
+    selection_keyword:
+        CommandLine|contains:
+            # Add more suspicious keywords
+            - 'exploit'
+            - 'Vulns'
+            - 'vulnerability'
+            - 'RCE'
+            - 'RemoteCodeExecution'
+            - 'Invoke-'
+            - 'CVE-'
+            - 'poc-'
+            - 'ProofOfConcept'
+            # Add more vuln names
+            - 'proxyshell'
+            - 'log4shell'
+            - 'eternalblue'
+            - 'eternal-blue'
+            - 'MS17-'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_base64_encoded_cmd.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml
rename to rules/windows/process_creation/proc_creation_win_susp_powershell_base64_encoded_cmd.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml
index ee2326fa1..6ec1ffd49 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml
@@ -6,15 +6,17 @@ references:
     - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
 author: Florian Roth
 date: 2022/03/24
+modified: 2023/01/05
 logsource:
     product: windows
     category: process_creation
 detection:
     selection:
-        # Marker
         CommandLine|contains:
             - '.DownloadString('
             - '.DownloadFile('
+            - 'Invoke-WebRequest '
+            - 'iwr '
     condition: selection
 falsepositives:
     - Scripts or tools that download files
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml
index 39ef07776..233b9fbe1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml
@@ -1,12 +1,12 @@
 title: PowerShell Web Download and Execution
 id: 85b0b087-eddf-4a2b-b033-d771fa2b9775
 status: experimental
-description: Detects suspicious ways to download files or content and execute them using PowerShell
+description: Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression
 references:
     - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
 author: Florian Roth
 date: 2022/03/24
-modified: 2022/09/02
+modified: 2023/01/05
 tags:
     - attack.execution
     - attack.t1059
@@ -14,12 +14,13 @@ logsource:
     product: windows
     category: process_creation
 detection:
-    selection:
+    selection_download:
         CommandLine|contains:
             - '.DownloadString('
             - '.DownloadFile('
             - 'Invoke-WebRequest '
-    execution:
+            - 'iwr '
+    selection_iex:
         CommandLine|contains:
             - 'IEX('
             - 'IEX ('
@@ -28,9 +29,9 @@ detection:
             - 'I`E`X'
             - '| IEX'
             - '|IEX '
-            - 'Invoke-Execution'
+            - 'Invoke-Expression'
             - ';iex $'
-    condition: selection and execution
+    condition: all of selection_*
 falsepositives:
     - Scripts or tools that download files and execute them
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml
index bd014bf7d..72dcd5a32 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml
@@ -8,7 +8,7 @@ references:
     - https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/
 author: frack113
 date: 2022/01/02
-modified: 2022/09/26
+modified: 2023/01/05
 tags:
     - attack.execution
     - attack.t1059.001
@@ -26,13 +26,13 @@ detection:
             - ' -enc '
             - ' -enco'
             - ' -ec '
-    filter:
+    filter_encoding:
         CommandLine|contains: ' -Encoding '
     filter_azure:
         ParentImage|contains:
             - 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
             - '\gc_worker.exe'
-    condition: selection and not 1 of filter*
+    condition: selection and not 1 of filter_*
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_cmd_patterns.yml
similarity index 80%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml
rename to rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_cmd_patterns.yml
index cde6c7063..ee0f6a3a2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_cmd_patterns.yml
@@ -6,7 +6,7 @@ references:
     - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
 author: Florian Roth
 date: 2022/05/24
-modified: 2022/09/26
+modified: 2023/01/05
 tags:
     - attack.execution
     - attack.t1059.001
@@ -14,16 +14,20 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    encoded:
-        Image|endswith:
+    selection_img:
+        - Image|endswith:
             - '\powershell.exe'
             - '\pwsh.exe'
+        - OriginalFileName:
+            - 'PowerShell.Exe'
+            - 'pwsh.dll'
+    selection_flags:
         CommandLine|contains:
             - ' -e '
             - ' -en '
             - ' -enc '
             - ' -enco'
-    selection:
+    selection_encoded:
         CommandLine|contains:
             - ' JAB'
             - ' SUVYI'
@@ -32,11 +36,11 @@ detection:
             - ' IAB'
             - ' PAA'
             - ' aQBlAHgA'
-    filter:
+    filter_gcworker:
         ParentImage|contains:
             - 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
             - '\gc_worker.exe'
-    condition: encoded and selection and not filter
+    condition: all of selection_* and not 1 of filter_*
 falsepositives:
     - Other tools that work with encoded scripts in the command line instead of script files
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml
index 1aca33703..411a4258a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml
@@ -1,12 +1,12 @@
 title: PowerShell Get-Process LSASS
 id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349
 status: test
-description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
+description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
 references:
     - https://twitter.com/PythonResponder/status/1385064506049630211
 author: Florian Roth
 date: 2021/04/23
-modified: 2022/10/09
+modified: 2023/01/05
 tags:
     - attack.credential_access
     - attack.t1552.004
@@ -15,7 +15,11 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains: 'Get-Process lsass'
+        CommandLine|contains:
+            # You can add more permutation as you see fit
+            - 'Get-Process lsas'
+            - 'ps lsas'
+            - 'gps lsas'
     condition: selection
 falsepositives:
     - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml
index ec18d703f..0283ce54a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml
@@ -6,7 +6,7 @@ references:
     - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
 author: John Lambert (rule)
 date: 2019/01/16
-modified: 2021/11/27
+modified: 2023/01/05
 tags:
     - attack.execution
     - attack.t1059.001
@@ -14,12 +14,16 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    encoded:
-        Image|endswith:
+    selection_img:
+        - Image|endswith:
             - '\powershell.exe'
             - '\pwsh.exe'
+        - OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+    selection_hidden:
         CommandLine|contains: ' hidden '
-    selection:
+    selection_encoded:
         CommandLine|contains:
             - 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA'
             - 'aXRzYWRtaW4gL3RyYW5zZmVy'
@@ -69,7 +73,7 @@ detection:
             - 'bQBlAG0AbQBvAHYAZQ'
             - 'bWVtbW92Z'
             - 'ZW1tb3Zl'
-    condition: encoded and selection
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
index 291c1ec16..10496ed6c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
@@ -1,7 +1,7 @@
 title: Suspicious PowerShell IEX Execution Patterns
 id: 09576804-7a05-458e-a817-eb718ca91f54
 status: experimental
-description: Detects suspicious ways to run Invoke-Execution using IEX acronym
+description: Detects suspicious ways to run Invoke-Execution using IEX alias
 references:
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
 author: Florian Roth
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_invocation_specific.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_invocation_specific.yml
new file mode 100644
index 000000000..576b5a1c7
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_invocation_specific.yml
@@ -0,0 +1,71 @@
+title: Suspicious PowerShell Invocations - Specific - ProcessCreation
+id: 536e2947-3729-478c-9903-745aaffe60d2
+related:
+    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
+      type: derived
+    - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
+      type: similar
+    - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
+      type: similar
+status: experimental
+description: Detects suspicious PowerShell invocation command parameters
+author: Nasreddine Bencherchali
+date: 2023/01/05
+tags:
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_convert_b64:
+        CommandLine|contains|all:
+            - '-nop'
+            - ' -w '
+            - 'hidden'
+            - ' -c '
+            - '[Convert]::FromBase64String'
+    selection_iex:
+        CommandLine|contains|all:
+            - ' -w '
+            - 'hidden'
+            - '-noni'
+            - '-nop'
+            - ' -c '
+            - 'iex'
+            - 'New-Object'
+    selection_enc:
+        CommandLine|contains|all:
+            - ' -w '
+            - 'hidden'
+            - '-ep'
+            - 'bypass'
+            - '-Enc'
+    selection_reg:
+        CommandLine|contains|all:
+            - 'powershell'
+            - 'reg'
+            - 'add'
+            - '\software\'
+    selection_webclient:
+        CommandLine|contains|all:
+            - 'bypass'
+            - '-noprofile'
+            - '-windowstyle'
+            - 'hidden'
+            - 'new-object'
+            - 'system.net.webclient'
+            - '.download'
+    selection_iex_webclient:
+        CommandLine|contains|all:
+            - 'iex'
+            - 'New-Object'
+            - 'Net.WebClient'
+            - '.Download'
+    filter_chocolatey:
+        CommandLine|contains:
+            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
+            - 'Write-ChocolateyWarning'
+    condition: 1 of selection_* and not 1 of filter_*
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_param.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_obfuscation_via_utf8.yml
similarity index 88%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_param.yml
rename to rules/windows/process_creation/proc_creation_win_susp_powershell_obfuscation_via_utf8.yml
index ebc7bc536..719342b7c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_param.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_obfuscation_via_utf8.yml
@@ -1,4 +1,4 @@
-title: PowerShell Encoded Character Syntax
+title: Potential PowerShell Obfuscation Via WCHAR
 id: e312efd0-35a1-407f-8439-b8d434b438a6
 status: test
 description: Detects suspicious encoded character syntax often used for defense evasion
@@ -6,7 +6,7 @@ references:
     - https://twitter.com/0gtweet/status/1281103918693482496
 author: Florian Roth
 date: 2020/07/09
-modified: 2021/11/27
+modified: 2023/01/05
 tags:
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml
index 231c3df22..ff94f4f4a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml
@@ -1,12 +1,12 @@
 title: Suspicious PowerShell Parent Process
 id: 754ed792-634f-40ae-b3bc-e0448d33f695
 status: test
-description: Detects a suspicious parents of powershell.exe
+description: Detects a suspicious parents of powershell.exe process
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
 author: Teymur Kheirkhabarov, Harish Segar (rule)
 date: 2020/03/20
-modified: 2022/11/18
+modified: 2023/01/05
 tags:
     - attack.execution
     - attack.t1059.001
@@ -14,7 +14,19 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection_image1:
+    selection_powershell:
+        - Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        - CommandLine|contains:
+            - '/c powershell'  # FPs with sub processes that contained "powershell" soemwhere in the command line
+            - '/c pwsh'
+        - Description: 'Windows PowerShell'
+        - Product: 'PowerShell Core 6'
+        - OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+    selection_parent:
         - ParentImage|endswith:
             - '\mshta.exe'
             - '\rundll32.exe'
@@ -47,15 +59,6 @@ detection:
             - '\jbosssvc.exe'
             - '\MicrosoftEdgeSH.exe'
         - ParentImage|contains: 'tomcat'
-    selection_powershell:
-        - Image|endswith:
-            - '\powershell.exe'
-            - '\pwsh.exe'
-        - CommandLine|contains:
-            - '/c powershell'  # FPs with sub processes that contained "powershell" soemwhere in the command line
-            - '/c pwsh'
-        - Description: 'Windows PowerShell'
-        - Product: 'PowerShell Core 6'
     condition: all of selection*
 falsepositives:
     - Other scripts
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml
index 5c078464b..8c1392850 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml
@@ -6,7 +6,7 @@ references:
     - https://twitter.com/splinter_code/status/1420546784250769408
 author: Florian Roth
 date: 2021/07/29
-modified: 2022/12/25
+modified: 2023/01/06
 tags:
     - attack.credential_access
     - attack.t1003.002
@@ -17,7 +17,7 @@ detection:
     selection_1:
         CommandLine|contains|all:
             - '\HarddiskVolumeShadowCopy'
-            - 'ystem32\config\sam'
+            - 'System32\config\sam'
     selection_2:
         CommandLine|contains:
             - 'Copy-Item'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_script_engine_parent_.yml
similarity index 67%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_parent_combo.yml
rename to rules/windows/process_creation/proc_creation_win_susp_powershell_script_engine_parent_.yml
index 2729b1f39..d17c4f684 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_combo.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_script_engine_parent_.yml
@@ -1,12 +1,12 @@
-title: Suspicious PowerShell Invocation Based on Parent Process
+title: Suspicious PowerShell Invocation From Script Engines
 id: 95eadcb2-92e4-4ed1-9031-92547773a6db
 status: test
 description: Detects suspicious powershell invocations from interpreters or unusual programs
 references:
-    - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
+    - https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
 author: Florian Roth
 date: 2019/01/16
-modified: 2022/07/14
+modified: 2023/01/05
 tags:
     - attack.execution
     - attack.t1059.001
@@ -21,12 +21,9 @@ detection:
         Image|endswith:
             - '\powershell.exe'
             - '\pwsh.exe'
-    falsepositive:
+    filter_health_service:
         CurrentDirectory|contains: '\Health Service State\'
-    condition: selection and not falsepositive
-fields:
-    - CommandLine
-    - ParentCommandLine
+    condition: selection and not 1 of filter_*
 falsepositives:
     - Microsoft Operations Manager (MOM)
     - Other scripts
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml
index 823ddbe39..ca500b437 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml
@@ -1,12 +1,12 @@
-title: Suspicious PowerShell Sub Processes
+title: Suspicious PowerShell Child Processes
 id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647
 status: experimental
-description: Detects suspicious sub processes spawned by PowerShell
+description: Detects suspicious child processes spawned by PowerShell
 references:
     - https://twitter.com/ankit_anubhav/status/1518835408502620162
 author: Florian Roth, Tim Shelton
 date: 2022/04/26
-modified: 2022/07/14
+modified: 2023/01/05
 logsource:
     category: process_creation
     product: windows
@@ -32,10 +32,10 @@ detection:
             - '\rundll32.exe'
             - '\forfiles.exe'
             - '\scriptrunner.exe'
-    falsepositive:
+    filter_amazon:
         ParentCommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
         CommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
-    condition: selection and not falsepositive
+    condition: selection and not 1 of filter_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml
index 1513eed84..9445f3367 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml
@@ -6,7 +6,7 @@ references:
     - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
 author: Florian Roth
 date: 2022/05/24
-modified: 2022/07/14
+modified: 2023/01/05
 tags:
     - attack.execution
     - attack.t1059.001
@@ -14,11 +14,14 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        Image|endswith:
+    selection_img:
+        - Image|endswith:
             - '\powershell.exe'
             - '\pwsh.exe'
-    encoded:
+        - OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+    selection_encoded:
         CommandLine|contains:
             - 'TgBlAFQALgB3AEUAQg'
             - '4AZQBUAC4AdwBFAEIA'
@@ -165,7 +168,7 @@ detection:
             - 'bgBFAFQALgBXAEUAQg'
             - '4ARQBUAC4AVwBFAEIA'
             - 'uAEUAVAAuAFcARQBCA'
-    condition: selection and encoded
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml
index 170e98577..826452f11 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml
@@ -1,4 +1,4 @@
-title: Suspicious WMI Reconnaissance
+title: WMI Process Reconnaissance
 id: 221b251a-357a-49a9-920a-271802777cc0
 status: experimental
 description: An adversary might use WMI to list Processes running on the compromised host or list installed Software hotfix and patches.
@@ -7,7 +7,7 @@ references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
 author: frack113
 date: 2022/01/01
-modified: 2022/05/13
+modified: 2023/01/03
 tags:
     - attack.execution
     - attack.t1047
diff --git a/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml
new file mode 100644
index 000000000..bc803a81c
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml
@@ -0,0 +1,25 @@
+title: Potential AMSI COM Server Hijacking
+id: 160d2780-31f7-4922-8b3a-efce30e63e96
+status: experimental
+description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
+references:
+    - https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
+    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
+author: Nasreddine Bencherchali
+date: 2023/01/04
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|endswith: '\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)'
+    filter:
+        Details: '%windir%\system32\amsi.dll'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml
index 241d4cc46..929f87513 100644
--- a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml
@@ -1,5 +1,8 @@
 title: IE Change Domain Zone
 id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393
+related:
+    - id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
+      type: derived
 status: experimental
 description: Hides the file extension through modification of the registry
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_ie_persistence.yml b/rules/windows/registry/registry_set/registry_set_ie_persistence.yml
index 62ff81e87..d28f4de23 100644
--- a/rules/windows/registry/registry_set/registry_set_ie_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_ie_persistence.yml
@@ -1,12 +1,13 @@
 title: Modification of IE Registry Settings
 id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
 status: experimental
-description: Detects the modification of the registry settings used for Internet Explorer and other Windows components that use these settings
+description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence
 references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
 author: frack113
 date: 2022/01/22
-modified: 2022/03/29
+modified: 2023/01/06
 tags:
     - attack.defense_evasion
     - attack.t1112
@@ -31,6 +32,9 @@ detection:
             - '\WpadDecision'
     filter_binary:
         Details: 'Binary Data'
+    filter_accepted_documents:
+        # Spotted during office installations
+        TargetObject|contains: '\Accepted Documents\'
     condition: selection_domains and not 1 of filter_*
 falsepositives:
     - Unknown
diff --git a/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml b/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml
index 80f4ae4b0..f9e8cd2e6 100644
--- a/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml
@@ -9,6 +9,7 @@ references:
     - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308
 author: Nasreddine Bencherchali
 date: 2022/07/21
+modified: 2023/01/06
 tags:
     - attack.persistence
 logsource:
@@ -27,7 +28,45 @@ detection:
             - 'HKLM\SOFTWARE\Classes\CLSID'
             - 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID'
         TargetObject|contains: '\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}'
-    condition: 1 of selection_*
+    filter_default_targets:
+        Image|startswith:
+            # We assume if an attacker has access to one of these directories. Then he already has admin.
+            - 'C:\Windows\System32\'
+            - 'C:\Program Files (x86)\'
+            - 'C:\Program Files\'
+        TargetObject|contains:
+            # TODO: Add the default extension PersistentHandler.
+            # Note this could also offer blindspot as the attacker could use on of these and hijack them
+            - '\CLSID\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\' # Office Open XML Format PowerPoint Persistent Handler
+            - '\CLSID\{4887767F-7ADC-4983-B576-88FB643D6F79}\' # Office Open XML Format Excel Persistent Handler
+            - '\CLSID\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\' # Office Open XML Format Word Persistent Handler
+            - '\CLSID\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\' # Microsoft OneNote Windows Desktop Search IFilter Persistent handler
+            - '\CLSID\{098f2470-bae0-11cd-b579-08002b30bfeb}\' # Null persistent handler
+            - '\CLSID\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\' # PDF Persistent Handler
+            - '\CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\' # rtf persistent handler
+            - '\CLSID\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\' # Open Document Format ODT Persistent Handler
+            - '\CLSID\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\' # Zip Persistent Handler
+            - '\CLSID\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\' # Open Document Format ODS Persistent Handler
+            - '\CLSID\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\' # Related to MIME Filter
+            - '\CLSID\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\' # Related to MIME Filter
+            - '\CLSID\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\' # Setting Content File Persistent Handler
+            - '\CLSID\{5e941d80-bf96-11cd-b579-08002b30bfeb}\' # Plain Text persistent handler
+            - '\CLSID\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\' # Wordpad OOXML Document Filter
+            - '\CLSID\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\' # XML File Persistent Handler
+            - '\CLSID\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\' # .url File Persistent Handler
+            - '\CLSID\{9694E38A-E081-46ac-99A0-8743C909ACB6}\' # html persistent handler for mapi email
+            - '\CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}\' # Microsoft Office Persistent Handler
+            - '\CLSID\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\' # Wordpad ODT Document Filter
+            - '\CLSID\{B4132098-7A03-423D-9463-163CB07C151F}\' # Office Open XML Format Excel Persistent Handler
+            - '\CLSID\{d044309b-5da6-4633-b085-4ed02522e5a5}\' # App Content File Persistent Handler
+            - '\CLSID\{D169C14A-5148-4322-92C8-754FC9D018D8}\' # rtf persistent handler for mapi email
+            - '\CLSID\{DD75716E-B42E-4978-BB60-1497B92E30C4}\' # text persistent handler for mapi email
+            - '\CLSID\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\' # Open Document Format ODP Persistent Handler
+            - '\CLSID\{E772CEB3-E203-4828-ADF1-765713D981B8}\' # Microsoft OneNote Section persistent handler
+            - '\CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20}' # HTML File persistent handler
+            #- '\CLSID\{F6F00E65-9CAF-43BB-809A-38AA4621BCF2}' # XMind Persistent Handler (not present by default)
+            - '\CLSID\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\' # Office Outlook MSG Persistent Handler
+    condition: 1 of selection_* and not 1 of filter_*
 falsepositives:
     - Legitimate registration of IFilters by the OS or software
 level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
index a7ec76dc0..0c79e4e82 100644
--- a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
@@ -7,6 +7,7 @@ references:
     - https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s
 author: frack113
 date: 2022/08/28
+modified: 2023/01/06
 tags:
     - attack.persistence
     - attack.t1546.015
@@ -26,7 +27,12 @@ detection:
         # Example of target object by svchost
         # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
         # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
-        Image: 'C:\WINDOWS\system32\svchost.exe'
+        Image: 'C:\Windows\system32\svchost.exe'
+    filter_misexec:
+        # This FP has been seen during installation/updates
+        Image:
+            - 'C:\Windows\system32\msiexec.exe'
+            - 'C:\Windows\SysWOW64\msiexec.exe'
     condition: selection and not 1 of filter_*
 falsepositives:
     - Legitimate use
diff --git a/rules/windows/sysmon/sysmon_process_hollowing.yml b/rules/windows/sysmon/sysmon_process_hollowing.yml
index 47201e255..a222d8141 100644
--- a/rules/windows/sysmon/sysmon_process_hollowing.yml
+++ b/rules/windows/sysmon/sysmon_process_hollowing.yml
@@ -7,7 +7,7 @@ references:
     - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
 date: 2022/01/25
-modified: 2022/02/01
+modified: 2023/01/03
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
@@ -27,6 +27,7 @@ detection:
             - '\opera.exe'
             - '\firefox.exe'
             - '\MicrosoftEdge.exe'
+            - '\WMIADAP.exe' 
     condition: selection and not filters
 falsepositives:
     - There are no known false positives at this time
diff --git a/tests/logsource.json b/tests/logsource.json
index 45761f7da..af0264b4f 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -4,6 +4,7 @@
     "legit":{
         "windows":{
             "commun": ["EventID","Provider_Name"],
+            "empty": [],
             "category":{
                 "process_creation": ["CommandLine","Company","CurrentDirectory","Description","FileVersion",
                                     "Hashes","Image","IntegrityLevel","LogonGuid","LogonId","OriginalFileName",
@@ -41,9 +42,13 @@
                 "ps_module":["ContextInfo","UserData","Payload"],
                 "ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"],
                 "file_access":["Irp","FileObject","IssuingThreadId","CreateOptions","CreateAttributes","ShareAccess","FileName"],
-                "file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"]
+                "file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"],
+                "ps_classic_start":[],
+                "ps_classic_provider_start":[],
+                "sysmon_error":[]
             },
             "service":{
+                "bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"],
                 "bits-client":["RemoteName","LocalName","processPath","processId"],
                 "codeintegrity-operational":["FileNameLength","FileNameBuffer","ProcessNameLength","ProcessNameBuffer",
                                             "RequestedPolicy","ValidatedPolicy","Status"],
@@ -61,10 +66,32 @@
                 "smbclient-security":["Reason","Status","ShareNameLength","ShareName","ObjectNameLength","ObjectName",
                                     "UserNameLength","UserName","ServerNameLength","ServerName"],
                 "taskscheduler":["TaskName","UserContext","Path","ProcessID","Priority"],
-                "terminalservices-localsessionmanager":["User","SessionID","Address"]
+                "terminalservices-localsessionmanager":["User","SessionID","Address"],
+                "iis":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method",
+                        "cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status",
+                        "sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent",
+                        "cs-referer","cs-cookie"],
+                "application":[],
+                "sysmon":[],
+                "powershell":[],
+                "powershell-classic":[],
+                "security":[],
+                "system":[],
+                "windefend":[],
+                "wmi":[],
+                "microsoft-servicebus-client":[],
+                "printservice-operational":[],
+                "driver-framework":[],
+                "dns-server-analytic":[],
+                "dns-server":[],
+                "printservice-admin":[],
+                "msexchange-management":[],
+                "applocker":[]
             }
         },
         "linux":{
+            "commun": [],
+            "empty": [],
             "category":{
                 "process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName",
                                     "CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes",
@@ -96,10 +123,21 @@
                     "proctitle","prom","proto","qbytes","range","rdev","reason","removed","res","resrc","result","role","rport","saddr","sauid",
                     "scontext","selected-context","seperm","seperms","seqno","seresult","ses","seuser","sgid","sig","sigev_signo","smac","spid",
                     "sport","state","subj","success","suid","syscall","table","tclass","tcontext","terminal","tty","type","uid","unit","uri","user",
-                    "uuid","val","val","ver","virt","vm","vm-ctx","vm-pid","watch"]
+                    "uuid","val","val","ver","virt","vm","vm-ctx","vm-pid","watch"],
+                "vsftpd":[],
+                "sshd":[],
+                "syslog":[],
+                "guacamole":[],
+                "auth":[],
+                "clamav":[],
+                "modsecurity":[],
+                "sudo":[],
+                "cron":[]
             }
         },
         "empty":{
+            "commun": [],
+            "empty": ["not_found"],
             "category":{
                 "proxy":["c-uri","c-uri-extension","c-uri-query","c-uri-stem","c-useragent","cs-bytes","cs-cookie",
                         "cs-host","cs-method","r-dns","cs-referrer","cs-version","sc-bytes","sc-status","src_ip","dst_ip",
@@ -107,11 +145,185 @@
                 "webserver":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method",
                             "cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status",
                             "sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent",
-                            "cs-referer","cs-cookie"]
+                            "cs-referer","cs-cookie"],
+                "antivirus":[],
+                "database":[],
+                "dns":[],
+                "firewall":[]
+            },
+            "service":{
+                "apache":[],
+                "netflow":[]
+            }
+        },
+        "cisco":{
+            "commun": [],
+            "empty": [],
+            "category":{},
+            "service":{
+                "aaa":[]
+            }
+        },
+        "django":{
+            "commun": [],
+            "empty": [],
+            "category":{
+                "application":[]
+            },
+            "service":{}
+        },
+        "python":{
+            "commun": [],
+            "empty": [],
+            "category":{
+                "application":[]
+            },
+            "service":{}
+        },
+        "qualys":{
+            "commun": [],
+            "empty": [],
+            "category":{
+                "application":[]
+            },
+            "service":{}
+        },
+        "rpc_firewall":{
+            "commun": [],
+            "empty": [],
+            "category":{
+                "application":[]
+            },
+            "service":{}
+        },
+        "ruby_on_rails":{
+            "commun": [],
+            "empty": [],
+            "category":{
+                "application":[]
+            },
+            "service":{}
+        },
+        "modsecurity":{
+            "commun": [],
+            "empty": [],
+            "category":{
+                "application":[]
+            },
+            "service":{}
+        },
+        "spring":{
+            "commun": [],
+            "empty": [],
+            "category":{
+                "application":[]
+            },
+            "service":{}
+        },
+        "sql":{
+            "commun": [],
+            "empty": [],
+            "category":{
+                "application":[]
+            },
+            "service":{}
+        },
+        "aws":{
+            "commun": [],
+            "empty": [],
+            "category":{},
+            "service":{
+                "cloudtrail":[]
+            }
+        },
+        "azure":{
+            "commun": [],
+            "empty": [],
+            "category":{},
+            "service":{
+                "activitylogs":[],
+                "auditlogs":[],
+                "azureactivity":[],
+                "microsoft365portal":[],
+                "signinlogs":[]
+            }
+        },
+        "gcp":{
+            "commun": [],
+            "empty": [],
+            "category":{},
+            "service":{
+                "gcp.audit":[]
+            }
+        },
+        "google_workspace":{
+            "commun": [],
+            "empty": [],
+            "category":{},
+            "service":{
+                "google_workspace.admin":[]
+            }
+        },
+        "m365":{
+            "commun": [],
+            "empty": [],
+            "category":{},
+            "service":{
+                "exchange":[],
+                "threat_detection":[],
+                "threat_management":[]
+            }
+        },
+        "okta":{
+            "commun": [],
+            "empty": [],
+            "category":{},
+            "service":{
+                "okta":[]
+            }
+        },
+        "onelogin":{
+            "commun": [],
+            "empty": [],
+            "category":{},
+            "service":{
+                "onelogin.events":[]
+            }
+        },
+        "zeek":{
+            "commun": [],
+            "empty": [],
+            "category":{
+            },
+            "service":{
+                "kerberos":[],
+                "smb_files":[],
+                "rdp":[],
+                "http":[],
+                "dns":[],
+                "dce_rpc":[],
+                "x509":[]
+            }
+        },
+        "macos":{
+            "commun": [],
+            "empty": [],
+            "category":{
+                "process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName",
+                                    "CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes",
+                                    "ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"],
+                "network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname",
+                                    "SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort",
+                                    "DestinationPortName"],
+                "process_termination": ["ProcessGuid","ProcessId","Image","User"],
+                "raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"],
+                "file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
+                "sysmon_status": ["Configuration","ConfigurationFileHash"],
+                "file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"]
             },
             "service":{
             }
-        }
+        }    
     },
     "addon":{
         "windows":{
@@ -127,7 +339,8 @@
                 "process_access": ["SourceCommandLine","CallTraceExtended"],
                 "file_access":["Image","CommandLine","ParentImage","ParentCommandLine","User","TargetFilename"],
                 "file_rename":["Image","CommandLine","ParentImage","ParentCommandLine","User","OriginalFileName","SourceFilename","TargetFilename","MagicHeader"]
-            }
+            },
+            "service":{}
         }
     }
 }
\ No newline at end of file
diff --git a/tests/test_logsource.py b/tests/test_logsource.py
index 99c7d5104..85fae26bb 100644
--- a/tests/test_logsource.py
+++ b/tests/test_logsource.py
@@ -73,6 +73,47 @@ class TestRules(unittest.TestCase):
         
         return data
 
+    def exist_logsource(self,logsource:dict) -> bool:
+        #Check New product
+        if logsource["product"]:
+            if logsource["product"] in fieldname_dict.keys():
+                product = logsource["product"]
+            else:
+                return False
+        else:
+            product="empty"
+        
+        if logsource["category"] and logsource["category"] in fieldname_dict[product]['category'].keys():
+            return True
+        elif logsource["service"] and logsource["service"] in fieldname_dict[product]['service'].keys():
+            return True
+        elif logsource["category"] == None and logsource["service"] == None:
+            return True # We known the product but there are no category or service 
+        
+        return False
+
+    def get_logsource(self,logsource:dict) -> list:
+        data = None
+        
+        product = logsource["product"]  if logsource["product"] in fieldname_dict.keys() else "empty"
+
+        if logsource["category"] and logsource["category"] in fieldname_dict[product]['category'].keys():
+            data= fieldname_dict[product]["category"][logsource["category"]]
+        elif logsource["service"] and logsource["service"] in fieldname_dict[product]['service'].keys():
+            data= fieldname_dict[product]["service"][logsource["service"]]
+        elif logsource["category"] == None and logsource["service"] == None:
+            data = fieldname_dict[product]["empty"]
+
+        return data
+
+    def not_commun(self,logsource:dict,data:list) -> bool:
+        product = logsource["product"]  if logsource["product"] in fieldname_dict.keys() else "empty"
+
+        if fieldname_dict[product]["commun"] == data:
+            return False
+        else:
+            return True
+
     #
     # test functions
     #
@@ -84,6 +125,7 @@ class TestRules(unittest.TestCase):
             'service',
             'definition',
         ]
+
         for file in self.yield_next_rule_file_path(self.path_to_rules):
             logsource = self.get_rule_part(
                 file_path=file, part_name="logsource")
@@ -93,7 +135,7 @@ class TestRules(unittest.TestCase):
                 continue
             valid = True
             for key in logsource:
-                if key.lower() not in valid_logsource:
+                if key not in valid_logsource:
                     print(
                         Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key))
                     valid = False
@@ -107,65 +149,49 @@ class TestRules(unittest.TestCase):
         self.assertEqual(faulty_rules, [], Fore.RED +
                          "There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source")
 
+    def test_logsource_value(self):
+        faulty_rules = []
+
+        for file in self.yield_next_rule_file_path(self.path_to_rules):
+            logsource = self.get_rule_part(
+                file_path=file, part_name="logsource")
+            if logsource:
+                full_logsource = self.full_logsource(logsource)
+                if not self.exist_logsource(full_logsource):
+                    faulty_rules.append(file)
+                    print(
+                        Fore.RED + "Rule {} has the unknown logsource product/category/service ({}/{}/{})".format(file,
+                                                                                                        full_logsource["product"],
+                                                                                                        full_logsource["category"],
+                                                                                                        full_logsource["service"]
+                                                                                                        ))
+
+        self.assertEqual(faulty_rules, [], Fore.RED +
+                        "There are rules with non-conform 'logsource' values.")
 
     def test_fieldname_case(self):
         files_with_fieldname_issues = []
 
-        def check_category(product,category,fieldname) -> bool:
-            valid = True
-
-            if product in fieldname_dict.keys():
-                if category in fieldname_dict[product]['category'].keys():
-                    if  fieldname in fieldname_dict[product]['category'][category]:
-                        pass
-                    else:
-                        valid = False
-            
-            return valid
-
-        def check_service(product,service,fieldname) -> bool:
-            valid = True
-
-            if product in fieldname_dict.keys():
-                if service in fieldname_dict[product]['service'].keys():
-                    if  fieldname in fieldname_dict[product]['service'][service]:
-                        pass
-                    else:
-                        valid = False
-            
-            return valid
-
         for file in self.yield_next_rule_file_path(self.path_to_rules):
             logsource = self.get_rule_part(file_path=file, part_name="logsource")
             detection = self.get_rule_part(file_path=file, part_name="detection")
             
             if logsource and detection :
                 full_logsource = self.full_logsource(logsource)
+                list_valid = self.get_logsource(full_logsource)
+                fisrt_time = True
 
-                #  check the field name
-                if full_logsource['product']:
-                    if full_logsource['category']:
-                        for field in self.get_detection_field(detection):
-                            if not check_category(full_logsource['product'],full_logsource['category'],field):
-                                print(
-                                    Fore.RED + "Rule {} has the invalid field <{}> for category <{}>".format(file, field,full_logsource['category']))
+                if list_valid != [] and self.not_commun(full_logsource,list_valid):
+                    for field in self.get_detection_field(detection):
+                        if not field in list_valid:
+                            print(
+                                Fore.RED + "Rule {} has the invalid field <{}>".format(file, field))
+                            if fisrt_time:
                                 files_with_fieldname_issues.append(file)
-                    elif full_logsource['service']:
-                        for field in self.get_detection_field(detection):
-                            if not check_service(full_logsource['product'],full_logsource['service'],field):
-                                print(
-                                    Fore.RED + "Rule {} has the invalid field <{}> for service <{}>".format(file, field,full_logsource['service']))
-                                files_with_fieldname_issues.append(file)                        
-                else:
-                    if full_logsource['category']:
-                        for field in self.get_detection_field(detection):
-                            if not check_category("empty",full_logsource['category'],field):
-                                print(
-                                    Fore.RED + "Rule {} has the invalid field <{}> for category <{}>".format(file, field,full_logsource['category']))
-                                files_with_fieldname_issues.append(file)                        
+                                fisrt_time = False # can be many error in the same rule
 
         self.assertEqual(files_with_fieldname_issues, [], Fore.RED +
-                         "There are rule files which contains unkown field or with cast error")
+                         "There are rule files which contains unknown field or with cast error")
 
 def load_fields_json(name:str):
     data = {}
@@ -180,6 +206,9 @@ def load_fields_json(name:str):
     for product in json_dict["addon"]:
         for category in json_dict["addon"][product]["category"]:
             data[product]["category"][category] += json_dict["addon"][product]["category"][category]
+        for service in json_dict["addon"][product]["service"]:
+            data[product]["service"][service] += json_dict["addon"][product]["service"][service]
+
 
     # We use some extracted hash
     # Add commun field
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 004b72032..c6087e238 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -17,6 +17,14 @@ import collections
 
 
 class TestRules(unittest.TestCase):
+
+    @classmethod
+    def setUpClass(cls):
+        print("Calling get_mitre_data()")
+        # Get Current Data from MITRE ATT&CK®
+        cls.MITRE_ALL = get_mitre_data()
+        print("Catched data - starting tests...")
+
     MITRE_TECHNIQUE_NAMES = [
         "process_injection", "signed_binary_proxy_execution", "process_injection"]  # incomplete list
     MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access",
@@ -24,7 +32,8 @@ class TestRules(unittest.TestCase):
     # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules
     TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"}
 
-    path_to_rules = "rules"
+    path_to_rules = "../rules"
+    path_to_rules = os.path.join(os.path.dirname(os.path.realpath(__file__)), path_to_rules)
 
     # Helper functions
     def yield_next_rule_file_path(self, path_to_rules: str) -> str:
@@ -101,7 +110,7 @@ class TestRules(unittest.TestCase):
             tags = self.get_rule_part(file_path=file, part_name="tags")
             if tags:
                 for tag in tags:
-                    if tag not in MITRE_ALL and tag.startswith("attack."):
+                    if tag not in self.MITRE_ALL and tag.startswith("attack."):
                         print(
                             Fore.RED + "Rule {} has the following incorrect tag {}".format(file, tag))
                         files_with_incorrect_mitre_tags.append(file)
@@ -857,6 +866,8 @@ class TestRules(unittest.TestCase):
                                     pattern_prefix = "win_applocker_"
                                 elif value == "dns-server-analytic":
                                     pattern_prefix = "win_dns_analytic_"
+                                elif value == "bitlocker":
+                                    pattern_prefix = "win_bitlocker_"
                         
                     # This value is used to test if we should add the OS infix for certain categories
                     if os_bool:
@@ -1244,7 +1255,9 @@ def get_mitre_data():
     """
     Use Tags from CTI subrepo to get consitant data
     """
-    cti_path = "tests/cti/"
+    cti_path = "cti/"
+    cti_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), cti_path)
+
     # Get ATT&CK information
     lift = attack_client(local_path=cti_path)
     # Techniques
@@ -1293,7 +1306,5 @@ def get_mitre_data():
 
 if __name__ == "__main__":
     init(autoreset=True)
-    # Get Current Data from MITRE ATT&CK®
-    MITRE_ALL = get_mitre_data()
     # Run the tests
     unittest.main()
diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index df881f41a..458f64607 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -109,4 +109,9 @@ logsources:
     service: ldap_debug
     conditions:
       EventLog: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: logstash-*
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml
index 5f3098e63..90f764db2 100644
--- a/tools/config/elk-winlogbeat-sp.yml
+++ b/tools/config/elk-winlogbeat-sp.yml
@@ -109,6 +109,11 @@ logsources:
     service: ldap_debug
     conditions:
       log_name: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: <winlogbeat-{now/d}>
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index 4e55a3e8c..cb0d4e24a 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -109,6 +109,11 @@ logsources:
     service: ldap_debug
     conditions:
       logname: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      logname: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index 1eedbd76b..ff57115d1 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -137,6 +137,11 @@ logsources:
         service: ldap_debug
         conditions:
             channel: 'Microsoft-Windows-LDAP-Client/Debug'
+    windows-bitlocker:
+        product: windows
+        service: bitlocker
+        conditions:
+            channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
     linux:
         product: linux
         index: posix
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml
index 879e1bc07..f7faa953f 100644
--- a/tools/config/logpoint-windows.yml
+++ b/tools/config/logpoint-windows.yml
@@ -109,6 +109,11 @@ logsources:
     service: ldap_debug
     conditions:
       event_source: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      event_source: 'Microsoft-Windows-BitLocker/BitLocker Management'
 fieldmappings:
     EventID: event_id
     FailureCode: result_code
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
index 637f099f8..48bcf02c0 100644
--- a/tools/config/logstash-windows.yml
+++ b/tools/config/logstash-windows.yml
@@ -130,4 +130,9 @@ logsources:
     service: ldap_debug
     conditions:
       Channel: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      Channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: logstash-*
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index 6102e3d8c..556051e6c 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
@@ -150,4 +150,9 @@ logsources:
     product: windows
     service: ldap_debug
     conditions:
-      LogName: 'Microsoft-Windows-LDAP-Client/Debug'
\ No newline at end of file
+      LogName: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
\ No newline at end of file
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index f8c30dcca..1df7507d0 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -166,6 +166,11 @@ logsources:
     service: ldap_debug
     conditions:
       source: 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      source: 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
   windows-defender:
     product: windows
     service: windefend
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index aa0e9f75e..d23d40698 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -140,6 +140,11 @@ logsources:
     service: ldap_debug
     conditions:
       source: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      source: 'Microsoft-Windows-BitLocker/BitLocker Management'
   apache:
     service: apache
     index: WEBSERVER
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index 86c46e545..5eb6437e4 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -414,6 +414,11 @@ logsources:
     service: ldap_debug
     sources:
       - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    sources:
+      - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
   apache:
     category: webserver
     sources:
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index cbc432525..ce55c210f 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -154,6 +154,11 @@ logsources:
     service: ldap_debug
     conditions:
       winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index 564ecfee6..6234fc1ed 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -117,6 +117,11 @@ logsources:
     service: ldap_debug
     conditions:
       log_name: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 23eedcd78..7948fcf8c 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -143,6 +143,11 @@ logsources:
     service: ldap_debug
     conditions:
       winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'
+  windows-bitlocker:
+    product: windows
+    service: bitlocker
+    conditions:
+      winlog.channel: 'bitlocker'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'
diff --git a/tools/sigma/backends/lacework.py b/tools/sigma/backends/lacework.py
index df4e60f0c..4b88e0666 100644
--- a/tools/sigma/backends/lacework.py
+++ b/tools/sigma/backends/lacework.py
@@ -658,7 +658,7 @@ class LaceworkQuery:
         return title, query_id
 
     @staticmethod
-    def get_query_sources(logsource_name, logsource_config) -> list[str]:
+    def get_query_sources(logsource_name, logsource_config):
         # 4. validate service has a source mapping
         source = safe_get(logsource_config, 'source', str)
         sources = safe_get(logsource_config, 'sources', list)