[Rule Tuning] Windows Setup Guides - Low and Medium Severity Rules#6042

Merged
w0rk3r merged 7 commits into main from win_setup_guides on May 4, 2026

Conversation

w0rk3r (Contributor) commented May 4, 2026

Issues

Resolves https://github.com/elastic/ia-trade-team/issues/205

Summary

Adds setup guides to low and medium severity rules; high and critical were covered by the revamp PRs.

@w0rk3r w0rk3r self-assigned this May 4, 2026
@w0rk3r w0rk3r added the labels Rule: Tuning (tweaking or tuning an existing rule), OS: Windows (windows related rules), Domain: Endpoint and backport: auto on May 4, 2026

github-actions Bot (Contributor) commented May 4, 2026

Rule: Tuning - Guidelines

These guidelines serve as a reminder of the considerations to keep in mind when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements from adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning for adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving the quality and integrity of the data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date the tuning PR was merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

tradebot-elastic commented May 4, 2026

⛔️ Test failed

Results
  • ✅ System Shells via Services (eql)
  • ❌ Potential Credential Access via DuplicateHandle in LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ High Number of Process and/or Service Terminations (kuery)
  • ❌ Microsoft IIS Service Account Password Dumped (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Enumerating Domain Trusts via DSQUERY.EXE (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Evasion via Filter Manager (eql)
  • ✅ Remote Desktop Enabled in Windows Firewall by Netsh (eql)
  • ❌ Local Account TokenFilter Policy Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Removable Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User account exposed to Kerberoasting (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Establish VScode Remote Tunnel (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Peripheral Device Discovery (eql)
  • ❌ Potential Persistence via Mandatory User Profile (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsBuild Making Network Connections (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Audit Policy Sub-Category Disabled (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass via Windows Firewall Snap-In Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Third-party Backup Files Deleted via Unexpected Process (eql)
  • ❌ Suspicious Lsass Process Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Exploitation of an Unquoted Service Path Vulnerability (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Scheduled Job Creation (eql)
  • ❌ Potential Ransomware Behavior - Note Files by System (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Office Test Registry Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via Time Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution from a Removable Media with Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Scheduled Task Execution at Scale via GPO (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Download via Desktopimgdownldr Utility (eql)
  • ❌ Potential Timestomp in Executable Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Component Object Model Hijacking (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Startup/Logon Script added to Group Policy Object (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via a Windows Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Renamed Utility Executed with Short Program Name (eql)
  • ✅ Execution of COM object via Xwizard (eql)
  • ❌ User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Created with a Duplicated Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Management Access Launch After MSI Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via WinRM Remote Shell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Download via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ PowerShell Script with Encryption/Decryption Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass via DiskCleanup Scheduled Task Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Inter-Process Communication via Outlook (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a DNS-Named Record (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Activity from a Windows System Binary (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Suspicious .NET Code Compilation (eql)
  • ✅ Creation or Modification of Root Certificate (eql)
  • ❌ Werfault ReflectDebugger Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Memory Dump Handle Access (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Mofcomp Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Full User-Mode Dumps Enabled System-Wide (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Computer Account NTLM Relay Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via PowerShell Remoting (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Password Reset Remotely (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Discovery Command via SYSTEM Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Privileged Local Groups Membership (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Adobe Hijack Persistence (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Windows Defender Exclusions Added via PowerShell (eql)
  • ❌ Potential File Transfer via Curl for Windows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Folder Persistence via Unsigned Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Defender Disabled via Registry Modification (eql)
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Web Shell ASPX File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Program Files Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Outlook Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Remote File Download via PowerShell (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Port Forwarding Rule Addition (eql)
  • ✅ Unusual Parent-Child Relationship (eql)
  • ❌ Downloaded Shortcut Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Microsoft Outlook VBA (eql)
  • ✅ Potential DNS Tunneling via NsLookup (eql)
  • ❌ Suspicious Module Loaded by LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Parent Process for cmd.exe (eql)
  • ❌ Suspicious Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote File Execution via MSIEXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Process Creation CallTrace (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration via Rclone (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Execution via ForFiles (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Persistence via Services Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Creation via Secondary Logon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Persistence by a Suspicious Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Windows Event Logs Cleared (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Encrypting Files with WinRar or 7z (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Adding Hidden File Attribute via Attrib (eql)
  • ❌ Suspicious Remote Registry Access via SeBackupPrivilege (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Microsoft Exchange Server UM Spawning Suspicious Processes (eql)
  • ❌ Multiple Logon Failure from the same Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote XSL Script Execution via COM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Disable Windows Firewall Rules via Netsh (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Process Execution Path - Alternate Data Stream (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential NetNTLMv1 Downgrade Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disable Windows Event and Security Logs Using Built-in Tools (eql)
  • ❌ Multiple Logon Failure Followed by Logon Success (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via MSSQL xp_cmdshell Stored Procedure (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Script Object Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Registry Persistence via AppCert DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Service DACL Modification via sc.exe (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Connection via RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious PDF Reader Child Process (eql)
  • ❌ Uncommon Registry Persistence Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Network Logon Provider Registry Modification (eql)
  • ❌ PsExec Network Connection (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Sandbox with Sensitive Configuration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Global Query Block List Modified or Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Backup Deletion with Wbadmin (eql)
  • ✅ RDP Enabled via Registry (eql)
  • ❌ Potential Lateral Tool Transfer via SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Secure File Deletion via SDelete Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Suspicious PrintSpooler Service Executable File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Outbound Scheduled Task Activity via PowerShell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Added to Privileged Group in Active Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via PowerShell profile (eql)
  • ✅ Suspicious Execution via Scheduled Task (eql)
  • ❌ Unsigned DLL loaded by DNS Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Process Network Connection (eql)
  • ❌ Account Configured with Never-Expiring Password (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Signed Binary (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Connection to Commonly Abused Web Services (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of the msPKIAccountCredentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Connection to WebDAV Target (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Image File Execution Options Injection (eql)
  • ❌ Scheduled Task Created by a Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Access to LDAP Attributes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of Boot Configuration (eql)
  • ✅ Unusual Service Host Child Process - Childless Service (eql)
  • ✅ Exporting Exchange Mailbox via PowerShell (eql)
  • ✅ Microsoft Exchange Server UM Writing Suspicious Files (eql)
  • ❌ Potential PowerShell Obfuscation via Special Character Overuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Remote Monitoring and Management Tool (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Error Manager Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Group Modification by SYSTEM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious RDP ActiveX Client Loaded (eql)
  • ❌ Suspicious JetBrains TeamCity Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscated Script via High Entropy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Access to a Sensitive LDAP Attribute (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Enumeration Command Spawned via WMIPrvSE (eql)
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Loaded by Svchost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution of a Downloaded Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Certreq (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Management Console File from Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File with Right-to-Left Override Character (RTLO) Created/Executed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System File Ownership Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious WMIC XSL Script Execution (eql)
  • ✅ PowerShell Script Block Logging Disabled (eql)
  • ❌ PowerShell Suspicious Payload Encoded and Compressed (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Temporarily Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious PowerShell Engine ImageLoad (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Administrator Accounts (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious WMI Image Load from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential WPAD Spoofing via DNS Record Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Traffic from Unusual Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Command Prompt Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a Mounted Device (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable File Creation with Multiple Extensions (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Enable Host Network Discovery via Netsh (eql)
  • ❌ Potential WSUS Abuse for Lateral Movement (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Port Monitor or Print Processor Registration Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ A scheduled task was created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Evasion via Windows Filtering Platform (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious SolarWinds Child Process (eql)
  • ❌ Deprecated - Encoded Executable Stored in the Registry (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Group Policy Discovery via Microsoft GPResult Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SeDebugPrivilege Enabled by a Suspicious Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Zoom Child Process (eql)
  • ❌ Startup or Run Key Registry Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Suspicious Explorer Child Process (eql)
  • ✅ Scheduled Tasks AT Command Enabled (eql)
  • ❌ Suspicious Shell Execution via Velociraptor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via WMI Event Subscription (eql)
  • ❌ Remote Scheduled Task Creation via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Enumeration via Active Directory Web Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Shell Activity Started via RunDLL32 (eql)
  • ❌ Microsoft Build Engine Started by a Script Process (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Build Engine Started by a System Process (eql)
  • ✅ Microsoft Build Engine Using an Alternate Name (eql)
  • ✅ Microsoft Build Engine Started an Unusual Process (kuery)
  • ❌ Process Injection by the Microsoft Build Engine (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via DCSync (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Scheduled Task Update (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ InstallUtil Process Making Network Connections (eql)
  • ❌ Windows Subsystem for Linux Distribution Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Account Takeover - Logon from New Source IP (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ DNS-over-HTTPS Enabled via Registry (eql)
  • ❌ Execution via local SxS Shared Module (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Registry File Creation in SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Office Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Print Spooler SPL File Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remotely Started Services via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Execution via File Shares (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious WerFault Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Potential Command and Control via Internet Explorer (eql)
  • ❌ Signed Proxy Execution via MS Work Folders (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Communication App Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution via Microsoft Office Add-Ins (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Local Scheduled Task Creation (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Netsh Helper DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Copy via TeamViewer (eql)
  • ❌ Network Connection via Compiled HTML File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Account Takeover - Mixed Logon Types (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Endpoint Security Parent Process (eql)
  • ❌ Code Signing Policy Modification Through Built-in tools (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Clearing Windows Console History (eql)
  • ❌ Windows Script Interpreter Executing Process via WMI (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Veeam Credential Access Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Service ImagePath Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via MsXsl (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ SolarWinds Process Disabling Services via Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Image Load (taskschd.dll) from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Command Debugging Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Searching for Saved Credentials via VaultCmd (eql)
  • ❌ Creation or Modification of a new GPO Scheduled Task or Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential RemoteMonologue Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Mshta Making Network Connections (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Persistence via BITS Job Notify Cmdline (eql)
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Remote Management Tool Vendors on Same Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Mounting Hidden or WebDav Remote Shares (eql)
  • ✅ Suspicious Print Spooler File Deletion (eql)
  • ✅ Installation of Custom Shim Databases (eql)
  • ✅ Remote File Download via MpCmdRun (eql)
  • ❌ Unusual Network Connection via DllHost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual File Operation by dns.exe (kuery)
  • ❌ SMB Connections via LOLBin or Untrusted Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Disabling Windows Defender Security Settings via PowerShell (eql)
  • ❌ Potential Masquerading as Communication Apps (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Downloaded URL Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ New ActiveSyncAllowedDeviceID Added via PowerShell (eql)
  • ✅ Execution from Unusual Directory - Command Line (eql)
  • ✅ Registry Persistence via AppInit DLL (eql)
  • ✅ Symbolic Link to Shadow Copy Created (eql)
  • ❌ Expired or Revoked Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disabling User Account Control via Registry Modification (eql)
  • ✅ Clearing Windows Event Logs (eql)
  • ❌ Remote Windows Service Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Service Command Lateral Movement (eql)
  • ❌ Potential Protocol Tunneling via Cloudflared (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Execution via SolarWinds Process (eql)
  • ❌ NTDS Dump via Wbadmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Code Signing Policy Modification Through Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Service was Installed in the System (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Pass-the-Hash (PtH) Attempt (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network-Level Authentication (NLA) Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NullSessionPipe Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Driver Loaded (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Subsystem for Linux Enabled via Dism Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Process Execution via Renamed PsExec Executable (eql)
  • ✅ Process Activity via Compiled HTML File (eql)
  • ✅ Connection to Commonly Abused Free SSL Certificate Providers (eql)
  • ❌ First Time Seen NewCredentials Logon Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Pre-authentication Disabled for User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen DNS Query to RMM Domain (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of Persistent Suspicious Program (eql)
  • ❌ Suspicious WMI Event Subscription Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Session Hijacking via CcmExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Protocol Tunneling via Yuze (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Control Spawned via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Installation of Security Support Provider (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Host File System Changes via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential LSA Authentication Package Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Process Execution from an Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ AdFind Command Activity (eql)
  • ❌ ImageLoad via Windows Update Auto Update Client (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Print Spooler Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious HTML File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SIP Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ WMI Incoming Lateral Movement (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Remote Desktop File Opened from Suspicious Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Script Executing PowerShell (eql)
  • ❌ Rare SMB Connection to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Firewall Disabled via PowerShell (eql)
  • ✅ Delete Volume USN Journal with Fsutil (eql)
  • ❌ Persistent Scripts in the Startup Directory (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Active Directory Replication Account Backdoor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Ingress Transfer via Windows BITS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Extension Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privileged Accounts Brute Force (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Copy to a Hidden Share (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Network Connection via Registration Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Application Shimming via Sdbinst (eql)
  • ✅ Suspicious CertUtil Commands (eql)
  • ❌ Svchost spawning Cmd (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Windows Defender Tampering (eql)
  • ❌ Potential Masquerading as Business App Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MS Office Macro Security Registry Modifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Process Access via Windows API (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Discovery using AdExplorer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alternate Data Stream Creation/Execution at Volume Root Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented May 4, 2026


⛔️ Test failed

Results
  • ✅ System Shells via Services (eql)
  • ❌ Potential Credential Access via DuplicateHandle in LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ High Number of Process and/or Service Terminations (kuery)
  • ❌ Microsoft IIS Service Account Password Dumped (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Enumerating Domain Trusts via DSQUERY.EXE (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Evasion via Filter Manager (eql)
  • ✅ Remote Desktop Enabled in Windows Firewall by Netsh (eql)
  • ❌ Local Account TokenFilter Policy Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Removable Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User account exposed to Kerberoasting (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Establish VScode Remote Tunnel (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Peripheral Device Discovery (eql)
  • ❌ Potential Persistence via Mandatory User Profile (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsBuild Making Network Connections (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Audit Policy Sub-Category Disabled (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass via Windows Firewall Snap-In Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Third-party Backup Files Deleted via Unexpected Process (eql)
  • ❌ Suspicious Lsass Process Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Exploitation of an Unquoted Service Path Vulnerability (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Scheduled Job Creation (eql)
  • ❌ Potential Ransomware Behavior - Note Files by System (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Office Test Registry Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via Time Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution from a Removable Media with Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Scheduled Task Execution at Scale via GPO (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Download via Desktopimgdownldr Utility (eql)
  • ❌ Potential Timestomp in Executable Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Component Object Model Hijacking (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Startup/Logon Script added to Group Policy Object (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via a Windows Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Renamed Utility Executed with Short Program Name (eql)
  • ✅ Execution of COM object via Xwizard (eql)
  • ❌ User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Created with a Duplicated Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Management Access Launch After MSI Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via WinRM Remote Shell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Download via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ PowerShell Script with Encryption/Decryption Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass via DiskCleanup Scheduled Task Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Inter-Process Communication via Outlook (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a DNS-Named Record (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Activity from a Windows System Binary (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Suspicious .NET Code Compilation (eql)
  • ✅ Creation or Modification of Root Certificate (eql)
  • ❌ Werfault ReflectDebugger Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Memory Dump Handle Access (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Mofcomp Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Full User-Mode Dumps Enabled System-Wide (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Computer Account NTLM Relay Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via PowerShell Remoting (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Password Reset Remotely (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Discovery Command via SYSTEM Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Privileged Local Groups Membership (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Adobe Hijack Persistence (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Windows Defender Exclusions Added via PowerShell (eql)
  • ❌ Potential File Transfer via Curl for Windows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Folder Persistence via Unsigned Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Defender Disabled via Registry Modification (eql)
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Web Shell ASPX File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Program Files Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Outlook Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Remote File Download via PowerShell (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Port Forwarding Rule Addition (eql)
  • ✅ Unusual Parent-Child Relationship (eql)
  • ❌ Downloaded Shortcut Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Microsoft Outlook VBA (eql)
  • ✅ Potential DNS Tunneling via NsLookup (eql)
  • ❌ Suspicious Module Loaded by LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Parent Process for cmd.exe (eql)
  • ❌ Suspicious Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote File Execution via MSIEXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Process Creation CallTrace (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration via Rclone (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Execution via ForFiles (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Persistence via Services Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Creation via Secondary Logon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Persistence by a Suspicious Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Windows Event Logs Cleared (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Encrypting Files with WinRar or 7z (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Adding Hidden File Attribute via Attrib (eql)
  • ❌ Suspicious Remote Registry Access via SeBackupPrivilege (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Microsoft Exchange Server UM Spawning Suspicious Processes (eql)
  • ❌ Multiple Logon Failure from the same Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote XSL Script Execution via COM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Disable Windows Firewall Rules via Netsh (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Process Execution Path - Alternate Data Stream (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential NetNTLMv1 Downgrade Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disable Windows Event and Security Logs Using Built-in Tools (eql)
  • ❌ Multiple Logon Failure Followed by Logon Success (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via MSSQL xp_cmdshell Stored Procedure (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Script Object Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Registry Persistence via AppCert DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Service DACL Modification via sc.exe (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Connection via RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious PDF Reader Child Process (eql)
  • ❌ Uncommon Registry Persistence Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Network Logon Provider Registry Modification (eql)
  • ❌ PsExec Network Connection (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Sandbox with Sensitive Configuration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Global Query Block List Modified or Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Backup Deletion with Wbadmin (eql)
  • ✅ RDP Enabled via Registry (eql)
  • ❌ Potential Lateral Tool Transfer via SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Secure File Deletion via SDelete Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Suspicious PrintSpooler Service Executable File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Outbound Scheduled Task Activity via PowerShell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Added to Privileged Group in Active Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via PowerShell profile (eql)
  • ✅ Suspicious Execution via Scheduled Task (eql)
  • ❌ Unsigned DLL loaded by DNS Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Process Network Connection (eql)
  • ❌ Account Configured with Never-Expiring Password (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Signed Binary (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Connection to Commonly Abused Web Services (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of the msPKIAccountCredentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Connection to WebDAV Target (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Image File Execution Options Injection (eql)
  • ❌ Scheduled Task Created by a Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Access to LDAP Attributes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of Boot Configuration (eql)
  • ✅ Unusual Service Host Child Process - Childless Service (eql)
  • ✅ Exporting Exchange Mailbox via PowerShell (eql)
  • ✅ Microsoft Exchange Server UM Writing Suspicious Files (eql)
  • ❌ Potential PowerShell Obfuscation via Special Character Overuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Remote Monitoring and Management Tool (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Error Manager Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Group Modification by SYSTEM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious RDP ActiveX Client Loaded (eql)
  • ❌ Suspicious JetBrains TeamCity Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscated Script via High Entropy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Access to a Sensitive LDAP Attribute (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Enumeration Command Spawned via WMIPrvSE (eql)
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Loaded by Svchost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution of a Downloaded Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Certreq (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Management Console File from Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File with Right-to-Left Override Character (RTLO) Created/Executed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System File Ownership Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious WMIC XSL Script Execution (eql)
  • ✅ PowerShell Script Block Logging Disabled (eql)
  • ❌ PowerShell Suspicious Payload Encoded and Compressed (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Temporarily Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious PowerShell Engine ImageLoad (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Administrator Accounts (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious WMI Image Load from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential WPAD Spoofing via DNS Record Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Traffic from Unusual Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Command Prompt Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a Mounted Device (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable File Creation with Multiple Extensions (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Enable Host Network Discovery via Netsh (eql)
  • ❌ Potential WSUS Abuse for Lateral Movement (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Port Monitor or Print Processor Registration Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ A scheduled task was created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Evasion via Windows Filtering Platform (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious SolarWinds Child Process (eql)
  • ❌ Deprecated - Encoded Executable Stored in the Registry (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Group Policy Discovery via Microsoft GPResult Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SeDebugPrivilege Enabled by a Suspicious Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Zoom Child Process (eql)
  • ❌ Startup or Run Key Registry Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Suspicious Explorer Child Process (eql)
  • ✅ Scheduled Tasks AT Command Enabled (eql)
  • ❌ Suspicious Shell Execution via Velociraptor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via WMI Event Subscription (eql)
  • ❌ Remote Scheduled Task Creation via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Enumeration via Active Directory Web Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Shell Activity Started via RunDLL32 (eql)
  • ❌ Microsoft Build Engine Started by a Script Process (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Build Engine Started by a System Process (eql)
  • ✅ Microsoft Build Engine Using an Alternate Name (eql)
  • ✅ Microsoft Build Engine Started an Unusual Process (kuery)
  • ❌ Process Injection by the Microsoft Build Engine (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via DCSync (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Scheduled Task Update (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ InstallUtil Process Making Network Connections (eql)
  • ❌ Windows Subsystem for Linux Distribution Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Account Takeover - Logon from New Source IP (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ DNS-over-HTTPS Enabled via Registry (eql)
  • ❌ Execution via local SxS Shared Module (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Registry File Creation in SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Office Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Print Spooler SPL File Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remotely Started Services via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Execution via File Shares (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious WerFault Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Potential Command and Control via Internet Explorer (eql)
  • ❌ Signed Proxy Execution via MS Work Folders (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Communication App Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution via Microsoft Office Add-Ins (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Local Scheduled Task Creation (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Netsh Helper DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Copy via TeamViewer (eql)
  • ❌ Network Connection via Compiled HTML File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Account Takeover - Mixed Logon Types (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Endpoint Security Parent Process (eql)
  • ❌ Code Signing Policy Modification Through Built-in tools (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Clearing Windows Console History (eql)
  • ❌ Windows Script Interpreter Executing Process via WMI (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Veeam Credential Access Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Service ImagePath Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via MsXsl (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ SolarWinds Process Disabling Services via Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Image Load (taskschd.dll) from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Command Debugging Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Searching for Saved Credentials via VaultCmd (eql)
  • ❌ Creation or Modification of a new GPO Scheduled Task or Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential RemoteMonologue Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Mshta Making Network Connections (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Persistence via BITS Job Notify Cmdline (eql)
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Remote Management Tool Vendors on Same Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Mounting Hidden or WebDav Remote Shares (eql)
  • ✅ Suspicious Print Spooler File Deletion (eql)
  • ✅ Installation of Custom Shim Databases (eql)
  • ✅ Remote File Download via MpCmdRun (eql)
  • ❌ Unusual Network Connection via DllHost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual File Operation by dns.exe (kuery)
  • ❌ SMB Connections via LOLBin or Untrusted Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Disabling Windows Defender Security Settings via PowerShell (eql)
  • ❌ Potential Masquerading as Communication Apps (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Downloaded URL Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ New ActiveSyncAllowedDeviceID Added via PowerShell (eql)
  • ✅ Execution from Unusual Directory - Command Line (eql)
  • ✅ Registry Persistence via AppInit DLL (eql)
  • ✅ Symbolic Link to Shadow Copy Created (eql)
  • ❌ Expired or Revoked Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disabling User Account Control via Registry Modification (eql)
  • ✅ Clearing Windows Event Logs (eql)
  • ❌ Remote Windows Service Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Service Command Lateral Movement (eql)
  • ❌ Potential Protocol Tunneling via Cloudflared (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Execution via SolarWinds Process (eql)
  • ❌ NTDS Dump via Wbadmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Code Signing Policy Modification Through Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Service was Installed in the System (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Pass-the-Hash (PtH) Attempt (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network-Level Authentication (NLA) Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NullSessionPipe Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Driver Loaded (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Subsystem for Linux Enabled via Dism Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Process Execution via Renamed PsExec Executable (eql)
  • ✅ Process Activity via Compiled HTML File (eql)
  • ✅ Connection to Commonly Abused Free SSL Certificate Providers (eql)
  • ❌ First Time Seen NewCredentials Logon Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Pre-authentication Disabled for User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen DNS Query to RMM Domain (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of Persistent Suspicious Program (eql)
  • ❌ Suspicious WMI Event Subscription Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Session Hijacking via CcmExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Protocol Tunneling via Yuze (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Control Spawned via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Installation of Security Support Provider (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Host File System Changes via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential LSA Authentication Package Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Process Execution from an Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ AdFind Command Activity (eql)
  • ❌ ImageLoad via Windows Update Auto Update Client (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Print Spooler Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious HTML File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SIP Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ WMI Incoming Lateral Movement (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Remote Desktop File Opened from Suspicious Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Script Executing PowerShell (eql)
  • ❌ Rare SMB Connection to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Firewall Disabled via PowerShell (eql)
  • ✅ Delete Volume USN Journal with Fsutil (eql)
  • ❌ Persistent Scripts in the Startup Directory (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Active Directory Replication Account Backdoor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Ingress Transfer via Windows BITS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Extension Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privileged Accounts Brute Force (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Copy to a Hidden Share (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Network Connection via Registration Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Application Shimming via Sdbinst (eql)
  • ✅ Suspicious CertUtil Commands (eql)
  • ❌ Svchost spawning Cmd (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Windows Defender Tampering (eql)
  • ❌ Potential Masquerading as Business App Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MS Office Macro Security Registry Modifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Process Access via Windows API (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Discovery using AdExplorer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alternate Data Stream Creation/Execution at Volume Root Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented May 4, 2026


⛔️ Test failed

Results
  • ✅ System Shells via Services (eql)
  • ❌ Potential Credential Access via DuplicateHandle in LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ High Number of Process and/or Service Terminations (kuery)
  • ❌ Microsoft IIS Service Account Password Dumped (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Enumerating Domain Trusts via DSQUERY.EXE (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Evasion via Filter Manager (eql)
  • ✅ Remote Desktop Enabled in Windows Firewall by Netsh (eql)
  • ❌ Local Account TokenFilter Policy Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Removable Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User account exposed to Kerberoasting (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Establish VScode Remote Tunnel (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Peripheral Device Discovery (eql)
  • ❌ Potential Persistence via Mandatory User Profile (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsBuild Making Network Connections (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Audit Policy Sub-Category Disabled (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass via Windows Firewall Snap-In Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Third-party Backup Files Deleted via Unexpected Process (eql)
  • ❌ Suspicious Lsass Process Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Exploitation of an Unquoted Service Path Vulnerability (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Scheduled Job Creation (eql)
  • ❌ Potential Ransomware Behavior - Note Files by System (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Office Test Registry Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via Time Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution from a Removable Media with Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Scheduled Task Execution at Scale via GPO (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Download via Desktopimgdownldr Utility (eql)
  • ❌ Potential Timestomp in Executable Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Component Object Model Hijacking (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Startup/Logon Script added to Group Policy Object (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via a Windows Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Renamed Utility Executed with Short Program Name (eql)
  • ✅ Execution of COM object via Xwizard (eql)
  • ❌ User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Created with a Duplicated Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Management Access Launch After MSI Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via WinRM Remote Shell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Download via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ PowerShell Script with Encryption/Decryption Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass via DiskCleanup Scheduled Task Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Inter-Process Communication via Outlook (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a DNS-Named Record (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Activity from a Windows System Binary (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Suspicious .NET Code Compilation (eql)
  • ✅ Creation or Modification of Root Certificate (eql)
  • ❌ Werfault ReflectDebugger Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Memory Dump Handle Access (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Mofcomp Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Full User-Mode Dumps Enabled System-Wide (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Computer Account NTLM Relay Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via PowerShell Remoting (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Password Reset Remotely (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Discovery Command via SYSTEM Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Privileged Local Groups Membership (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Adobe Hijack Persistence (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Windows Defender Exclusions Added via PowerShell (eql)
  • ❌ Potential File Transfer via Curl for Windows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Folder Persistence via Unsigned Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Defender Disabled via Registry Modification (eql)
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Web Shell ASPX File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Program Files Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Outlook Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Remote File Download via PowerShell (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Port Forwarding Rule Addition (eql)
  • ✅ Unusual Parent-Child Relationship (eql)
  • ❌ Downloaded Shortcut Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Microsoft Outlook VBA (eql)
  • ✅ Potential DNS Tunneling via NsLookup (eql)
  • ❌ Suspicious Module Loaded by LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Parent Process for cmd.exe (eql)
  • ❌ Suspicious Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote File Execution via MSIEXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Process Creation CallTrace (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration via Rclone (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Execution via ForFiles (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Persistence via Services Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Creation via Secondary Logon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Persistence by a Suspicious Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Windows Event Logs Cleared (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Encrypting Files with WinRar or 7z (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Adding Hidden File Attribute via Attrib (eql)
  • ❌ Suspicious Remote Registry Access via SeBackupPrivilege (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Microsoft Exchange Server UM Spawning Suspicious Processes (eql)
  • ❌ Multiple Logon Failure from the same Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote XSL Script Execution via COM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Disable Windows Firewall Rules via Netsh (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Process Execution Path - Alternate Data Stream (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential NetNTLMv1 Downgrade Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disable Windows Event and Security Logs Using Built-in Tools (eql)
  • ❌ Multiple Logon Failure Followed by Logon Success (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via MSSQL xp_cmdshell Stored Procedure (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Script Object Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Registry Persistence via AppCert DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Service DACL Modification via sc.exe (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Connection via RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious PDF Reader Child Process (eql)
  • ❌ Uncommon Registry Persistence Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Network Logon Provider Registry Modification (eql)
  • ❌ PsExec Network Connection (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Sandbox with Sensitive Configuration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Global Query Block List Modified or Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Backup Deletion with Wbadmin (eql)
  • ✅ RDP Enabled via Registry (eql)
  • ❌ Potential Lateral Tool Transfer via SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Secure File Deletion via SDelete Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Suspicious PrintSpooler Service Executable File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Outbound Scheduled Task Activity via PowerShell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Added to Privileged Group in Active Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via PowerShell profile (eql)
  • ✅ Suspicious Execution via Scheduled Task (eql)
  • ❌ Unsigned DLL loaded by DNS Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Process Network Connection (eql)
  • ❌ Account Configured with Never-Expiring Password (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Signed Binary (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Connection to Commonly Abused Web Services (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of the msPKIAccountCredentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Connection to WebDAV Target (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Image File Execution Options Injection (eql)
  • ❌ Scheduled Task Created by a Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Access to LDAP Attributes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of Boot Configuration (eql)
  • ✅ Unusual Service Host Child Process - Childless Service (eql)
  • ✅ Exporting Exchange Mailbox via PowerShell (eql)
  • ✅ Microsoft Exchange Server UM Writing Suspicious Files (eql)
  • ❌ Potential PowerShell Obfuscation via Special Character Overuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Remote Monitoring and Management Tool (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Error Manager Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Group Modification by SYSTEM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious RDP ActiveX Client Loaded (eql)
  • ❌ Suspicious JetBrains TeamCity Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscated Script via High Entropy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Access to a Sensitive LDAP Attribute (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Enumeration Command Spawned via WMIPrvSE (eql)
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Loaded by Svchost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution of a Downloaded Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Certreq (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Management Console File from Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File with Right-to-Left Override Character (RTLO) Created/Executed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System File Ownership Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious WMIC XSL Script Execution (eql)
  • ✅ PowerShell Script Block Logging Disabled (eql)
  • ❌ PowerShell Suspicious Payload Encoded and Compressed (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Temporarily Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious PowerShell Engine ImageLoad (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Administrator Accounts (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious WMI Image Load from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential WPAD Spoofing via DNS Record Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Traffic from Unusual Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Command Prompt Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a Mounted Device (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable File Creation with Multiple Extensions (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Enable Host Network Discovery via Netsh (eql)
  • ❌ Potential WSUS Abuse for Lateral Movement (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Port Monitor or Print Processor Registration Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ A scheduled task was created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Evasion via Windows Filtering Platform (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious SolarWinds Child Process (eql)
  • ❌ Deprecated - Encoded Executable Stored in the Registry (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Group Policy Discovery via Microsoft GPResult Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SeDebugPrivilege Enabled by a Suspicious Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Zoom Child Process (eql)
  • ❌ Startup or Run Key Registry Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Suspicious Explorer Child Process (eql)
  • ✅ Scheduled Tasks AT Command Enabled (eql)
  • ❌ Suspicious Shell Execution via Velociraptor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via WMI Event Subscription (eql)
  • ❌ Remote Scheduled Task Creation via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Enumeration via Active Directory Web Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Shell Activity Started via RunDLL32 (eql)
  • ❌ Microsoft Build Engine Started by a Script Process (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Build Engine Started by a System Process (eql)
  • ✅ Microsoft Build Engine Using an Alternate Name (eql)
  • ✅ Microsoft Build Engine Started an Unusual Process (kuery)
  • ❌ Process Injection by the Microsoft Build Engine (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via DCSync (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Scheduled Task Update (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ InstallUtil Process Making Network Connections (eql)
  • ❌ Windows Subsystem for Linux Distribution Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Account Takeover - Logon from New Source IP (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ DNS-over-HTTPS Enabled via Registry (eql)
  • ❌ Execution via local SxS Shared Module (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Registry File Creation in SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Office Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Print Spooler SPL File Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remotely Started Services via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Execution via File Shares (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious WerFault Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Potential Command and Control via Internet Explorer (eql)
  • ❌ Signed Proxy Execution via MS Work Folders (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Communication App Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution via Microsoft Office Add-Ins (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Local Scheduled Task Creation (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Netsh Helper DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Copy via TeamViewer (eql)
  • ❌ Network Connection via Compiled HTML File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Account Takeover - Mixed Logon Types (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Endpoint Security Parent Process (eql)
  • ❌ Code Signing Policy Modification Through Built-in tools (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Clearing Windows Console History (eql)
  • ❌ Windows Script Interpreter Executing Process via WMI (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Veeam Credential Access Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Service ImagePath Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via MsXsl (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ SolarWinds Process Disabling Services via Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Image Load (taskschd.dll) from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Command Debugging Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Searching for Saved Credentials via VaultCmd (eql)
  • ❌ Creation or Modification of a new GPO Scheduled Task or Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential RemoteMonologue Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Mshta Making Network Connections (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Persistence via BITS Job Notify Cmdline (eql)
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Remote Management Tool Vendors on Same Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Mounting Hidden or WebDav Remote Shares (eql)
  • ✅ Suspicious Print Spooler File Deletion (eql)
  • ✅ Installation of Custom Shim Databases (eql)
  • ✅ Remote File Download via MpCmdRun (eql)
  • ❌ Unusual Network Connection via DllHost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual File Operation by dns.exe (kuery)
  • ❌ SMB Connections via LOLBin or Untrusted Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Disabling Windows Defender Security Settings via PowerShell (eql)
  • ❌ Potential Masquerading as Communication Apps (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Downloaded URL Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ New ActiveSyncAllowedDeviceID Added via PowerShell (eql)
  • ✅ Execution from Unusual Directory - Command Line (eql)
  • ✅ Registry Persistence via AppInit DLL (eql)
  • ✅ Symbolic Link to Shadow Copy Created (eql)
  • ❌ Expired or Revoked Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disabling User Account Control via Registry Modification (eql)
  • ✅ Clearing Windows Event Logs (eql)
  • ❌ Remote Windows Service Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Service Command Lateral Movement (eql)
  • ❌ Potential Protocol Tunneling via Cloudflared (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Execution via SolarWinds Process (eql)
  • ❌ NTDS Dump via Wbadmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Code Signing Policy Modification Through Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Service was Installed in the System (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Pass-the-Hash (PtH) Attempt (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network-Level Authentication (NLA) Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NullSessionPipe Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Driver Loaded (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Subsystem for Linux Enabled via Dism Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Process Execution via Renamed PsExec Executable (eql)
  • ✅ Process Activity via Compiled HTML File (eql)
  • ✅ Connection to Commonly Abused Free SSL Certificate Providers (eql)
  • ❌ First Time Seen NewCredentials Logon Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Pre-authentication Disabled for User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen DNS Query to RMM Domain (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of Persistent Suspicious Program (eql)
  • ❌ Suspicious WMI Event Subscription Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Session Hijacking via CcmExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Protocol Tunneling via Yuze (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Control Spawned via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Installation of Security Support Provider (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Host File System Changes via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential LSA Authentication Package Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Process Execution from an Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ AdFind Command Activity (eql)
  • ❌ ImageLoad via Windows Update Auto Update Client (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Print Spooler Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious HTML File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SIP Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ WMI Incoming Lateral Movement (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Remote Desktop File Opened from Suspicious Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Script Executing PowerShell (eql)
  • ❌ Rare SMB Connection to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Firewall Disabled via PowerShell (eql)
  • ✅ Delete Volume USN Journal with Fsutil (eql)
  • ❌ Persistent Scripts in the Startup Directory (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Active Directory Replication Account Backdoor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Ingress Transfer via Windows BITS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Extension Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privileged Accounts Brute Force (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Copy to a Hidden Share (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Network Connection via Registration Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Application Shimming via Sdbinst (eql)
  • ✅ Suspicious CertUtil Commands (eql)
  • ❌ Svchost spawning Cmd (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Windows Defender Tampering (eql)
  • ❌ Potential Masquerading as Business App Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MS Office Macro Security Registry Modifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Process Access via Windows API (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Discovery using AdExplorer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alternate Data Stream Creation/Execution at Volume Root Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented May 4, 2026


⛔️ Test failed

Results
  • ✅ System Shells via Services (eql)
  • ❌ Potential Credential Access via DuplicateHandle in LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ High Number of Process and/or Service Terminations (kuery)
  • ❌ Microsoft IIS Service Account Password Dumped (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Enumerating Domain Trusts via DSQUERY.EXE (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Evasion via Filter Manager (eql)
  • ✅ Remote Desktop Enabled in Windows Firewall by Netsh (eql)
  • ❌ Local Account TokenFilter Policy Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Removable Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User account exposed to Kerberoasting (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Establish VScode Remote Tunnel (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Peripheral Device Discovery (eql)
  • ❌ Potential Persistence via Mandatory User Profile (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsBuild Making Network Connections (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Audit Policy Sub-Category Disabled (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass via Windows Firewall Snap-In Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Third-party Backup Files Deleted via Unexpected Process (eql)
  • ❌ Suspicious Lsass Process Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Exploitation of an Unquoted Service Path Vulnerability (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Scheduled Job Creation (eql)
  • ❌ Potential Ransomware Behavior - Note Files by System (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Office Test Registry Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via Time Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution from a Removable Media with Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Scheduled Task Execution at Scale via GPO (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Download via Desktopimgdownldr Utility (eql)
  • ❌ Potential Timestomp in Executable Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Component Object Model Hijacking (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Startup/Logon Script added to Group Policy Object (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via a Windows Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Renamed Utility Executed with Short Program Name (eql)
  • ✅ Execution of COM object via Xwizard (eql)
  • ❌ User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Created with a Duplicated Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Management Access Launch After MSI Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via WinRM Remote Shell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Download via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ PowerShell Script with Encryption/Decryption Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass via DiskCleanup Scheduled Task Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Inter-Process Communication via Outlook (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a DNS-Named Record (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Activity from a Windows System Binary (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Suspicious .NET Code Compilation (eql)
  • ✅ Creation or Modification of Root Certificate (eql)
  • ❌ Werfault ReflectDebugger Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Memory Dump Handle Access (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Mofcomp Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Full User-Mode Dumps Enabled System-Wide (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Computer Account NTLM Relay Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via PowerShell Remoting (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Password Reset Remotely (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Discovery Command via SYSTEM Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Privileged Local Groups Membership (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Adobe Hijack Persistence (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Windows Defender Exclusions Added via PowerShell (eql)
  • ❌ Potential File Transfer via Curl for Windows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Folder Persistence via Unsigned Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Defender Disabled via Registry Modification (eql)
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Web Shell ASPX File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Program Files Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Outlook Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Remote File Download via PowerShell (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Port Forwarding Rule Addition (eql)
  • ✅ Unusual Parent-Child Relationship (eql)
  • ❌ Downloaded Shortcut Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Microsoft Outlook VBA (eql)
  • ✅ Potential DNS Tunneling via NsLookup (eql)
  • ❌ Suspicious Module Loaded by LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Parent Process for cmd.exe (eql)
  • ❌ Suspicious Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote File Execution via MSIEXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Process Creation CallTrace (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration via Rclone (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Execution via ForFiles (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Persistence via Services Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Creation via Secondary Logon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Persistence by a Suspicious Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Windows Event Logs Cleared (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Encrypting Files with WinRar or 7z (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Adding Hidden File Attribute via Attrib (eql)
  • ❌ Suspicious Remote Registry Access via SeBackupPrivilege (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Microsoft Exchange Server UM Spawning Suspicious Processes (eql)
  • ❌ Multiple Logon Failure from the same Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote XSL Script Execution via COM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Disable Windows Firewall Rules via Netsh (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Process Execution Path - Alternate Data Stream (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential NetNTLMv1 Downgrade Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disable Windows Event and Security Logs Using Built-in Tools (eql)
  • ❌ Multiple Logon Failure Followed by Logon Success (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via MSSQL xp_cmdshell Stored Procedure (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Script Object Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Registry Persistence via AppCert DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Service DACL Modification via sc.exe (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Connection via RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious PDF Reader Child Process (eql)
  • ❌ Uncommon Registry Persistence Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Network Logon Provider Registry Modification (eql)
  • ❌ PsExec Network Connection (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Sandbox with Sensitive Configuration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Global Query Block List Modified or Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Backup Deletion with Wbadmin (eql)
  • ✅ RDP Enabled via Registry (eql)
  • ❌ Potential Lateral Tool Transfer via SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Secure File Deletion via SDelete Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Suspicious PrintSpooler Service Executable File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Outbound Scheduled Task Activity via PowerShell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Added to Privileged Group in Active Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via PowerShell profile (eql)
  • ✅ Suspicious Execution via Scheduled Task (eql)
  • ❌ Unsigned DLL loaded by DNS Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Process Network Connection (eql)
  • ❌ Account Configured with Never-Expiring Password (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Signed Binary (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Connection to Commonly Abused Web Services (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of the msPKIAccountCredentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Connection to WebDAV Target (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Image File Execution Options Injection (eql)
  • ❌ Scheduled Task Created by a Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Access to LDAP Attributes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of Boot Configuration (eql)
  • ✅ Unusual Service Host Child Process - Childless Service (eql)
  • ✅ Exporting Exchange Mailbox via PowerShell (eql)
  • ✅ Microsoft Exchange Server UM Writing Suspicious Files (eql)
  • ❌ Potential PowerShell Obfuscation via Special Character Overuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Remote Monitoring and Management Tool (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Error Manager Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Group Modification by SYSTEM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious RDP ActiveX Client Loaded (eql)
  • ❌ Suspicious JetBrains TeamCity Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscated Script via High Entropy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Access to a Sensitive LDAP Attribute (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Enumeration Command Spawned via WMIPrvSE (eql)
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Loaded by Svchost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution of a Downloaded Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Certreq (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Management Console File from Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File with Right-to-Left Override Character (RTLO) Created/Executed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System File Ownership Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious WMIC XSL Script Execution (eql)
  • ✅ PowerShell Script Block Logging Disabled (eql)
  • ❌ PowerShell Suspicious Payload Encoded and Compressed (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Temporarily Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious PowerShell Engine ImageLoad (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Administrator Accounts (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious WMI Image Load from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential WPAD Spoofing via DNS Record Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Traffic from Unusual Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Command Prompt Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a Mounted Device (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable File Creation with Multiple Extensions (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Enable Host Network Discovery via Netsh (eql)
  • ❌ Potential WSUS Abuse for Lateral Movement (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Port Monitor or Print Processor Registration Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ A scheduled task was created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Evasion via Windows Filtering Platform (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious SolarWinds Child Process (eql)
  • ❌ Deprecated - Encoded Executable Stored in the Registry (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Group Policy Discovery via Microsoft GPResult Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SeDebugPrivilege Enabled by a Suspicious Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Zoom Child Process (eql)
  • ❌ Startup or Run Key Registry Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Suspicious Explorer Child Process (eql)
  • ✅ Scheduled Tasks AT Command Enabled (eql)
  • ❌ Suspicious Shell Execution via Velociraptor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via WMI Event Subscription (eql)
  • ❌ Remote Scheduled Task Creation via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Enumeration via Active Directory Web Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Shell Activity Started via RunDLL32 (eql)
  • ❌ Microsoft Build Engine Started by a Script Process (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Build Engine Started by a System Process (eql)
  • ✅ Microsoft Build Engine Using an Alternate Name (eql)
  • ✅ Microsoft Build Engine Started an Unusual Process (kuery)
  • ❌ Process Injection by the Microsoft Build Engine (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via DCSync (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Scheduled Task Update (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ InstallUtil Process Making Network Connections (eql)
  • ❌ Windows Subsystem for Linux Distribution Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Account Takeover - Logon from New Source IP (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ DNS-over-HTTPS Enabled via Registry (eql)
  • ❌ Execution via local SxS Shared Module (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Registry File Creation in SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Office Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Print Spooler SPL File Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remotely Started Services via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Execution via File Shares (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious WerFault Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Potential Command and Control via Internet Explorer (eql)
  • ❌ Signed Proxy Execution via MS Work Folders (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Communication App Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution via Microsoft Office Add-Ins (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Local Scheduled Task Creation (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Netsh Helper DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Copy via TeamViewer (eql)
  • ❌ Network Connection via Compiled HTML File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Account Takeover - Mixed Logon Types (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Endpoint Security Parent Process (eql)
  • ❌ Code Signing Policy Modification Through Built-in tools (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Clearing Windows Console History (eql)
  • ❌ Windows Script Interpreter Executing Process via WMI (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Veeam Credential Access Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Service ImagePath Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via MsXsl (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ SolarWinds Process Disabling Services via Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Image Load (taskschd.dll) from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Command Debugging Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Searching for Saved Credentials via VaultCmd (eql)
  • ❌ Creation or Modification of a new GPO Scheduled Task or Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential RemoteMonologue Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Mshta Making Network Connections (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Persistence via BITS Job Notify Cmdline (eql)
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Remote Management Tool Vendors on Same Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Mounting Hidden or WebDav Remote Shares (eql)
  • ✅ Suspicious Print Spooler File Deletion (eql)
  • ✅ Installation of Custom Shim Databases (eql)
  • ✅ Remote File Download via MpCmdRun (eql)
  • ❌ Unusual Network Connection via DllHost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual File Operation by dns.exe (kuery)
  • ❌ SMB Connections via LOLBin or Untrusted Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Disabling Windows Defender Security Settings via PowerShell (eql)
  • ❌ Potential Masquerading as Communication Apps (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Downloaded URL Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ New ActiveSyncAllowedDeviceID Added via PowerShell (eql)
  • ✅ Execution from Unusual Directory - Command Line (eql)
  • ✅ Registry Persistence via AppInit DLL (eql)
  • ✅ Symbolic Link to Shadow Copy Created (eql)
  • ❌ Expired or Revoked Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disabling User Account Control via Registry Modification (eql)
  • ✅ Clearing Windows Event Logs (eql)
  • ❌ Remote Windows Service Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Service Command Lateral Movement (eql)
  • ❌ Potential Protocol Tunneling via Cloudflared (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Execution via SolarWinds Process (eql)
  • ❌ NTDS Dump via Wbadmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Code Signing Policy Modification Through Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Service was Installed in the System (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Pass-the-Hash (PtH) Attempt (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network-Level Authentication (NLA) Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NullSessionPipe Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Driver Loaded (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Subsystem for Linux Enabled via Dism Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Process Execution via Renamed PsExec Executable (eql)
  • ✅ Process Activity via Compiled HTML File (eql)
  • ✅ Connection to Commonly Abused Free SSL Certificate Providers (eql)
  • ❌ First Time Seen NewCredentials Logon Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Pre-authentication Disabled for User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen DNS Query to RMM Domain (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of Persistent Suspicious Program (eql)
  • ❌ Suspicious WMI Event Subscription Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Session Hijacking via CcmExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Protocol Tunneling via Yuze (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Control Spawned via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Installation of Security Support Provider (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Host File System Changes via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential LSA Authentication Package Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Process Execution from an Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ AdFind Command Activity (eql)
  • ❌ ImageLoad via Windows Update Auto Update Client (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Print Spooler Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious HTML File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SIP Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ WMI Incoming Lateral Movement (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Remote Desktop File Opened from Suspicious Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Script Executing PowerShell (eql)
  • ❌ Rare SMB Connection to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Firewall Disabled via PowerShell (eql)
  • ✅ Delete Volume USN Journal with Fsutil (eql)
  • ❌ Persistent Scripts in the Startup Directory (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Active Directory Replication Account Backdoor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Ingress Transfer via Windows BITS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Extension Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privileged Accounts Brute Force (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Copy to a Hidden Share (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Network Connection via Registration Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Application Shimming via Sdbinst (eql)
  • ✅ Suspicious CertUtil Commands (eql)
  • ❌ Svchost spawning Cmd (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Windows Defender Tampering (eql)
  • ❌ Potential Masquerading as Business App Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MS Office Macro Security Registry Modifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Process Access via Windows API (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Discovery using AdExplorer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alternate Data Stream Creation/Execution at Volume Root Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented May 4, 2026


⛔️ Test failed

Results
  • ✅ System Shells via Services (eql)
  • ❌ Potential Credential Access via DuplicateHandle in LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ High Number of Process and/or Service Terminations (kuery)
  • ❌ Microsoft IIS Service Account Password Dumped (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Enumerating Domain Trusts via DSQUERY.EXE (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Evasion via Filter Manager (eql)
  • ✅ Remote Desktop Enabled in Windows Firewall by Netsh (eql)
  • ❌ Local Account TokenFilter Policy Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Removable Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User account exposed to Kerberoasting (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Establish VScode Remote Tunnel (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Peripheral Device Discovery (eql)
  • ❌ Potential Persistence via Mandatory User Profile (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsBuild Making Network Connections (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Audit Policy Sub-Category Disabled (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass via Windows Firewall Snap-In Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Third-party Backup Files Deleted via Unexpected Process (eql)
  • ❌ Suspicious Lsass Process Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Exploitation of an Unquoted Service Path Vulnerability (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Scheduled Job Creation (eql)
  • ❌ Potential Ransomware Behavior - Note Files by System (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Office Test Registry Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via Time Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution from a Removable Media with Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Scheduled Task Execution at Scale via GPO (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Download via Desktopimgdownldr Utility (eql)
  • ❌ Potential Timestomp in Executable Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Component Object Model Hijacking (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Startup/Logon Script added to Group Policy Object (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via a Windows Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Renamed Utility Executed with Short Program Name (eql)
  • ✅ Execution of COM object via Xwizard (eql)
  • ❌ User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Created with a Duplicated Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Management Access Launch After MSI Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via WinRM Remote Shell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Download via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ PowerShell Script with Encryption/Decryption Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass via DiskCleanup Scheduled Task Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Inter-Process Communication via Outlook (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a DNS-Named Record (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Activity from a Windows System Binary (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Suspicious .NET Code Compilation (eql)
  • ✅ Creation or Modification of Root Certificate (eql)
  • ❌ Werfault ReflectDebugger Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Memory Dump Handle Access (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Mofcomp Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Full User-Mode Dumps Enabled System-Wide (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Computer Account NTLM Relay Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via PowerShell Remoting (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Password Reset Remotely (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Discovery Command via SYSTEM Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Privileged Local Groups Membership (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Adobe Hijack Persistence (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Windows Defender Exclusions Added via PowerShell (eql)
  • ❌ Potential File Transfer via Curl for Windows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Folder Persistence via Unsigned Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Defender Disabled via Registry Modification (eql)
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Web Shell ASPX File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Program Files Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Outlook Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Remote File Download via PowerShell (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Port Forwarding Rule Addition (eql)
  • ✅ Unusual Parent-Child Relationship (eql)
  • ❌ Downloaded Shortcut Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Microsoft Outlook VBA (eql)
  • ✅ Potential DNS Tunneling via NsLookup (eql)
  • ❌ Suspicious Module Loaded by LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Parent Process for cmd.exe (eql)
  • ❌ Suspicious Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote File Execution via MSIEXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Process Creation CallTrace (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration via Rclone (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Execution via ForFiles (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Persistence via Services Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Creation via Secondary Logon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Persistence by a Suspicious Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Windows Event Logs Cleared (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Encrypting Files with WinRar or 7z (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Adding Hidden File Attribute via Attrib (eql)
  • ❌ Suspicious Remote Registry Access via SeBackupPrivilege (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Microsoft Exchange Server UM Spawning Suspicious Processes (eql)
  • ❌ Multiple Logon Failure from the same Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote XSL Script Execution via COM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Disable Windows Firewall Rules via Netsh (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Process Execution Path - Alternate Data Stream (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential NetNTLMv1 Downgrade Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disable Windows Event and Security Logs Using Built-in Tools (eql)
  • ❌ Multiple Logon Failure Followed by Logon Success (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via MSSQL xp_cmdshell Stored Procedure (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Script Object Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Registry Persistence via AppCert DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Service DACL Modification via sc.exe (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Connection via RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious PDF Reader Child Process (eql)
  • ❌ Uncommon Registry Persistence Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Network Logon Provider Registry Modification (eql)
  • ❌ PsExec Network Connection (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Sandbox with Sensitive Configuration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Global Query Block List Modified or Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Backup Deletion with Wbadmin (eql)
  • ✅ RDP Enabled via Registry (eql)
  • ❌ Potential Lateral Tool Transfer via SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Secure File Deletion via SDelete Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Suspicious PrintSpooler Service Executable File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Outbound Scheduled Task Activity via PowerShell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Added to Privileged Group in Active Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via PowerShell profile (eql)
  • ✅ Suspicious Execution via Scheduled Task (eql)
  • ❌ Unsigned DLL loaded by DNS Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Process Network Connection (eql)
  • ❌ Account Configured with Never-Expiring Password (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Signed Binary (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Connection to Commonly Abused Web Services (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of the msPKIAccountCredentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Connection to WebDAV Target (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Image File Execution Options Injection (eql)
  • ❌ Scheduled Task Created by a Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Access to LDAP Attributes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of Boot Configuration (eql)
  • ✅ Unusual Service Host Child Process - Childless Service (eql)
  • ✅ Exporting Exchange Mailbox via PowerShell (eql)
  • ✅ Microsoft Exchange Server UM Writing Suspicious Files (eql)
  • ❌ Potential PowerShell Obfuscation via Special Character Overuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Remote Monitoring and Management Tool (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Error Manager Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Group Modification by SYSTEM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious RDP ActiveX Client Loaded (eql)
  • ❌ Suspicious JetBrains TeamCity Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscated Script via High Entropy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Access to a Sensitive LDAP Attribute (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Enumeration Command Spawned via WMIPrvSE (eql)
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Loaded by Svchost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution of a Downloaded Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Certreq (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Management Console File from Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File with Right-to-Left Override Character (RTLO) Created/Executed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System File Ownership Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious WMIC XSL Script Execution (eql)
  • ✅ PowerShell Script Block Logging Disabled (eql)
  • ❌ PowerShell Suspicious Payload Encoded and Compressed (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Temporarily Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious PowerShell Engine ImageLoad (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Administrator Accounts (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious WMI Image Load from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential WPAD Spoofing via DNS Record Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Traffic from Unusual Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Command Prompt Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a Mounted Device (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable File Creation with Multiple Extensions (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Enable Host Network Discovery via Netsh (eql)
  • ❌ Potential WSUS Abuse for Lateral Movement (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Port Monitor or Print Processor Registration Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ A scheduled task was created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Evasion via Windows Filtering Platform (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious SolarWinds Child Process (eql)
  • ❌ Deprecated - Encoded Executable Stored in the Registry (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Group Policy Discovery via Microsoft GPResult Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SeDebugPrivilege Enabled by a Suspicious Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Zoom Child Process (eql)
  • ❌ Startup or Run Key Registry Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Suspicious Explorer Child Process (eql)
  • ✅ Scheduled Tasks AT Command Enabled (eql)
  • ❌ Suspicious Shell Execution via Velociraptor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via WMI Event Subscription (eql)
  • ❌ Remote Scheduled Task Creation via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Enumeration via Active Directory Web Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Shell Activity Started via RunDLL32 (eql)
  • ❌ Microsoft Build Engine Started by a Script Process (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Build Engine Started by a System Process (eql)
  • ✅ Microsoft Build Engine Using an Alternate Name (eql)
  • ✅ Microsoft Build Engine Started an Unusual Process (kuery)
  • ❌ Process Injection by the Microsoft Build Engine (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via DCSync (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Scheduled Task Update (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ InstallUtil Process Making Network Connections (eql)
  • ❌ Windows Subsystem for Linux Distribution Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Account Takeover - Logon from New Source IP (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ DNS-over-HTTPS Enabled via Registry (eql)
  • ❌ Execution via local SxS Shared Module (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Registry File Creation in SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Office Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Print Spooler SPL File Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remotely Started Services via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Execution via File Shares (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious WerFault Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Potential Command and Control via Internet Explorer (eql)
  • ❌ Signed Proxy Execution via MS Work Folders (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Communication App Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution via Microsoft Office Add-Ins (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Local Scheduled Task Creation (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Netsh Helper DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Copy via TeamViewer (eql)
  • ❌ Network Connection via Compiled HTML File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Account Takeover - Mixed Logon Types (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Endpoint Security Parent Process (eql)
  • ❌ Code Signing Policy Modification Through Built-in tools (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Clearing Windows Console History (eql)
  • ❌ Windows Script Interpreter Executing Process via WMI (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Veeam Credential Access Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Service ImagePath Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via MsXsl (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ SolarWinds Process Disabling Services via Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Image Load (taskschd.dll) from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Command Debugging Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Searching for Saved Credentials via VaultCmd (eql)
  • ❌ Creation or Modification of a new GPO Scheduled Task or Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential RemoteMonologue Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Mshta Making Network Connections (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Persistence via BITS Job Notify Cmdline (eql)
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Remote Management Tool Vendors on Same Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Mounting Hidden or WebDav Remote Shares (eql)
  • ✅ Suspicious Print Spooler File Deletion (eql)
  • ✅ Installation of Custom Shim Databases (eql)
  • ✅ Remote File Download via MpCmdRun (eql)
  • ❌ Unusual Network Connection via DllHost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual File Operation by dns.exe (kuery)
  • ❌ SMB Connections via LOLBin or Untrusted Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Disabling Windows Defender Security Settings via PowerShell (eql)
  • ❌ Potential Masquerading as Communication Apps (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Downloaded URL Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ New ActiveSyncAllowedDeviceID Added via PowerShell (eql)
  • ✅ Execution from Unusual Directory - Command Line (eql)
  • ✅ Registry Persistence via AppInit DLL (eql)
  • ✅ Symbolic Link to Shadow Copy Created (eql)
  • ❌ Expired or Revoked Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disabling User Account Control via Registry Modification (eql)
  • ✅ Clearing Windows Event Logs (eql)
  • ❌ Remote Windows Service Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Service Command Lateral Movement (eql)
  • ❌ Potential Protocol Tunneling via Cloudflared (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Execution via SolarWinds Process (eql)
  • ❌ NTDS Dump via Wbadmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Code Signing Policy Modification Through Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Service was Installed in the System (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Pass-the-Hash (PtH) Attempt (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network-Level Authentication (NLA) Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NullSessionPipe Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Driver Loaded (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Subsystem for Linux Enabled via Dism Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Process Execution via Renamed PsExec Executable (eql)
  • ✅ Process Activity via Compiled HTML File (eql)
  • ✅ Connection to Commonly Abused Free SSL Certificate Providers (eql)
  • ❌ First Time Seen NewCredentials Logon Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Pre-authentication Disabled for User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen DNS Query to RMM Domain (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of Persistent Suspicious Program (eql)
  • ❌ Suspicious WMI Event Subscription Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Session Hijacking via CcmExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Protocol Tunneling via Yuze (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Control Spawned via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Installation of Security Support Provider (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Host File System Changes via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential LSA Authentication Package Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Process Execution from an Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ AdFind Command Activity (eql)
  • ❌ ImageLoad via Windows Update Auto Update Client (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Print Spooler Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious HTML File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SIP Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ WMI Incoming Lateral Movement (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Remote Desktop File Opened from Suspicious Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Script Executing PowerShell (eql)
  • ❌ Rare SMB Connection to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Firewall Disabled via PowerShell (eql)
  • ✅ Delete Volume USN Journal with Fsutil (eql)
  • ❌ Persistent Scripts in the Startup Directory (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Active Directory Replication Account Backdoor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Ingress Transfer via Windows BITS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Extension Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privileged Accounts Brute Force (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Copy to a Hidden Share (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Network Connection via Registration Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Application Shimming via Sdbinst (eql)
  • ✅ Suspicious CertUtil Commands (eql)
  • ❌ Svchost spawning Cmd (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Windows Defender Tampering (eql)
  • ❌ Potential Masquerading as Business App Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MS Office Macro Security Registry Modifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Process Access via Windows API (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Discovery using AdExplorer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alternate Data Stream Creation/Execution at Volume Root Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Aegrah Aegrah left a comment

Contributor

LGTM. Manually tested ~15+ links, and sampled through the list. No issues identified.

@tradebot-elastic

tradebot-elastic commented May 4, 2026

⛔️ Test failed

Results
  • ✅ System Shells via Services (eql)
  • ❌ Potential Credential Access via DuplicateHandle in LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ High Number of Process and/or Service Terminations (kuery)
  • ❌ Microsoft IIS Service Account Password Dumped (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Enumerating Domain Trusts via DSQUERY.EXE (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Evasion via Filter Manager (eql)
  • ✅ Remote Desktop Enabled in Windows Firewall by Netsh (eql)
  • ❌ Local Account TokenFilter Policy Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Removable Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User account exposed to Kerberoasting (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Establish VScode Remote Tunnel (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Peripheral Device Discovery (eql)
  • ❌ Potential Persistence via Mandatory User Profile (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsBuild Making Network Connections (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Audit Policy Sub-Category Disabled (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass via Windows Firewall Snap-In Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Third-party Backup Files Deleted via Unexpected Process (eql)
  • ❌ Suspicious Lsass Process Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Exploitation of an Unquoted Service Path Vulnerability (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Scheduled Job Creation (eql)
  • ❌ Potential Ransomware Behavior - Note Files by System (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Office Test Registry Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via Time Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution from a Removable Media with Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Scheduled Task Execution at Scale via GPO (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Download via Desktopimgdownldr Utility (eql)
  • ❌ Potential Timestomp in Executable Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Component Object Model Hijacking (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Startup/Logon Script added to Group Policy Object (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via a Windows Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Renamed Utility Executed with Short Program Name (eql)
  • ✅ Execution of COM object via Xwizard (eql)
  • ❌ User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Created with a Duplicated Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Management Access Launch After MSI Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via WinRM Remote Shell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Download via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ PowerShell Script with Encryption/Decryption Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass via DiskCleanup Scheduled Task Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Inter-Process Communication via Outlook (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a DNS-Named Record (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Activity from a Windows System Binary (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Suspicious .NET Code Compilation (eql)
  • ✅ Creation or Modification of Root Certificate (eql)
  • ❌ Werfault ReflectDebugger Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Memory Dump Handle Access (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Mofcomp Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Full User-Mode Dumps Enabled System-Wide (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Computer Account NTLM Relay Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via PowerShell Remoting (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Password Reset Remotely (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Discovery Command via SYSTEM Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Privileged Local Groups Membership (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Adobe Hijack Persistence (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Windows Defender Exclusions Added via PowerShell (eql)
  • ❌ Potential File Transfer via Curl for Windows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Folder Persistence via Unsigned Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Defender Disabled via Registry Modification (eql)
  • ❌ Windows Script Execution from Archive (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Web Shell ASPX File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Program Files Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Outlook Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Remote File Download via PowerShell (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Port Forwarding Rule Addition (eql)
  • ✅ Unusual Parent-Child Relationship (eql)
  • ❌ Downloaded Shortcut Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Microsoft Outlook VBA (eql)
  • ✅ Potential DNS Tunneling via NsLookup (eql)
  • ❌ Suspicious Module Loaded by LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Parent Process for cmd.exe (eql)
  • ❌ Suspicious Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote File Execution via MSIEXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Process Creation CallTrace (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration via Rclone (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Execution via ForFiles (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Persistence via Services Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Creation via Secondary Logon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Persistence by a Suspicious Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Windows Event Logs Cleared (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Encrypting Files with WinRar or 7z (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Adding Hidden File Attribute via Attrib (eql)
  • ❌ Suspicious Remote Registry Access via SeBackupPrivilege (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Microsoft Exchange Server UM Spawning Suspicious Processes (eql)
  • ❌ Multiple Logon Failure from the same Source Address (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote XSL Script Execution via COM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Disable Windows Firewall Rules via Netsh (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Process Execution Path - Alternate Data Stream (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential NetNTLMv1 Downgrade Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disable Windows Event and Security Logs Using Built-in Tools (eql)
  • ❌ Multiple Logon Failure Followed by Logon Success (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via MSSQL xp_cmdshell Stored Procedure (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Script Object Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Registry Persistence via AppCert DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Service DACL Modification via sc.exe (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Network Connection via RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious PDF Reader Child Process (eql)
  • ❌ Uncommon Registry Persistence Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Network Logon Provider Registry Modification (eql)
  • ❌ PsExec Network Connection (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Sandbox with Sensitive Configuration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNS Global Query Block List Modified or Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Backup Deletion with Wbadmin (eql)
  • ✅ RDP Enabled via Registry (eql)
  • ❌ Potential Lateral Tool Transfer via SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Secure File Deletion via SDelete Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Suspicious PrintSpooler Service Executable File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Outbound Scheduled Task Activity via PowerShell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User Added to Privileged Group in Active Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via PowerShell profile (eql)
  • ✅ Suspicious Execution via Scheduled Task (eql)
  • ❌ Unsigned DLL loaded by DNS Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Process Network Connection (eql)
  • ❌ Account Configured with Never-Expiring Password (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Signed Binary (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Connection to Commonly Abused Web Services (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of the msPKIAccountCredentials (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Rare Connection to WebDAV Target (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Image File Execution Options Injection (eql)
  • ❌ Scheduled Task Created by a Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Access to LDAP Attributes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of Boot Configuration (eql)
  • ✅ Unusual Service Host Child Process - Childless Service (eql)
  • ✅ Exporting Exchange Mailbox via PowerShell (eql)
  • ✅ Microsoft Exchange Server UM Writing Suspicious Files (eql)
  • ❌ Potential PowerShell Obfuscation via Special Character Overuse (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Remote Monitoring and Management Tool (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Error Manager Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Group Modification by SYSTEM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious RDP ActiveX Client Loaded (eql)
  • ❌ Suspicious JetBrains TeamCity Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell Obfuscated Script via High Entropy (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Access to a Sensitive LDAP Attribute (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Enumeration Command Spawned via WMIPrvSE (eql)
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Loaded by Svchost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution of a Downloaded Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Certreq (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Management Console File from Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File with Right-to-Left Override Character (RTLO) Created/Executed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System File Ownership Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious WMIC XSL Script Execution (eql)
  • ✅ PowerShell Script Block Logging Disabled (eql)
  • ❌ PowerShell Suspicious Payload Encoded and Compressed (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Temporarily Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious PowerShell Engine ImageLoad (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Administrator Accounts (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious WMI Image Load from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential WPAD Spoofing via DNS Record Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Traffic from Unusual Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Command Prompt Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a Mounted Device (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable File Creation with Multiple Extensions (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Enable Host Network Discovery via Netsh (eql)
  • ❌ Potential WSUS Abuse for Lateral Movement (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Port Monitor or Print Processor Registration Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ A scheduled task was created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Evasion via Windows Filtering Platform (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious SolarWinds Child Process (eql)
  • ❌ Deprecated - Encoded Executable Stored in the Registry (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Group Policy Discovery via Microsoft GPResult Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SeDebugPrivilege Enabled by a Suspicious Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Zoom Child Process (eql)
  • ❌ Startup or Run Key Registry Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Suspicious Explorer Child Process (eql)
  • ✅ Scheduled Tasks AT Command Enabled (eql)
  • ❌ Suspicious Shell Execution via Velociraptor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via WMI Event Subscription (eql)
  • ❌ Remote Scheduled Task Creation via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Enumeration via Active Directory Web Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Shell Activity Started via RunDLL32 (eql)
  • ❌ Microsoft Build Engine Started by a Script Process (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Build Engine Started by a System Process (eql)
  • ✅ Microsoft Build Engine Using an Alternate Name (eql)
  • ✅ Microsoft Build Engine Started an Unusual Process (kuery)
  • ❌ Process Injection by the Microsoft Build Engine (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via DCSync (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Scheduled Task Update (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ InstallUtil Process Making Network Connections (eql)
  • ❌ Windows Subsystem for Linux Distribution Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Account Takeover - Logon from New Source IP (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ DNS-over-HTTPS Enabled via Registry (eql)
  • ❌ Execution via local SxS Shared Module (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Registry File Creation in SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious MS Office Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Print Spooler SPL File Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remotely Started Services via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Execution via File Shares (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious WerFault Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Potential Command and Control via Internet Explorer (eql)
  • ❌ Signed Proxy Execution via MS Work Folders (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Communication App Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution via Microsoft Office Add-Ins (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Local Scheduled Task Creation (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Netsh Helper DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Copy via TeamViewer (eql)
  • ❌ Network Connection via Compiled HTML File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Account Takeover - Mixed Logon Types (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Endpoint Security Parent Process (eql)
  • ❌ Code Signing Policy Modification Through Built-in tools (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Clearing Windows Console History (eql)
  • ❌ Windows Script Interpreter Executing Process via WMI (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Veeam Credential Access Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Service ImagePath Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via MsXsl (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ SolarWinds Process Disabling Services via Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Image Load (taskschd.dll) from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Command Debugging Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Searching for Saved Credentials via VaultCmd (eql)
  • ❌ Creation or Modification of a new GPO Scheduled Task or Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential RemoteMonologue Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Mshta Making Network Connections (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Persistence via BITS Job Notify Cmdline (eql)
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Multiple Remote Management Tool Vendors on Same Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Mounting Hidden or WebDav Remote Shares (eql)
  • ✅ Suspicious Print Spooler File Deletion (eql)
  • ✅ Installation of Custom Shim Databases (eql)
  • ✅ Remote File Download via MpCmdRun (eql)
  • ❌ Unusual Network Connection via DllHost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual File Operation by dns.exe (kuery)
  • ❌ SMB Connections via LOLBin or Untrusted Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Disabling Windows Defender Security Settings via PowerShell (eql)
  • ❌ Potential Masquerading as Communication Apps (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Downloaded URL Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ New ActiveSyncAllowedDeviceID Added via PowerShell (eql)
  • ✅ Execution from Unusual Directory - Command Line (eql)
  • ✅ Registry Persistence via AppInit DLL (eql)
  • ✅ Symbolic Link to Shadow Copy Created (eql)
  • ❌ Expired or Revoked Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disabling User Account Control via Registry Modification (eql)
  • ✅ Clearing Windows Event Logs (eql)
  • ❌ Remote Windows Service Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Service Command Lateral Movement (eql)
  • ❌ Potential Protocol Tunneling via Cloudflared (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Execution via SolarWinds Process (eql)
  • ❌ NTDS Dump via Wbadmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Code Signing Policy Modification Through Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Service was Installed in the System (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Pass-the-Hash (PtH) Attempt (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network-Level Authentication (NLA) Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NullSessionPipe Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Driver Loaded (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Subsystem for Linux Enabled via Dism Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Process Execution via Renamed PsExec Executable (eql)
  • ✅ Process Activity via Compiled HTML File (eql)
  • ✅ Connection to Commonly Abused Free SSL Certificate Providers (eql)
  • ❌ First Time Seen NewCredentials Logon Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Pre-authentication Disabled for User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen DNS Query to RMM Domain (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of Persistent Suspicious Program (eql)
  • ❌ Suspicious WMI Event Subscription Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Session Hijacking via CcmExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Protocol Tunneling via Yuze (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Control Spawned via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Installation of Security Support Provider (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Host File System Changes via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential LSA Authentication Package Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Process Execution from an Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ AdFind Command Activity (eql)
  • ❌ ImageLoad via Windows Update Auto Update Client (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Print Spooler Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious HTML File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SIP Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ WMI Incoming Lateral Movement (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Remote Desktop File Opened from Suspicious Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Script Executing PowerShell (eql)
  • ❌ Rare SMB Connection to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Firewall Disabled via PowerShell (eql)
  • ✅ Delete Volume USN Journal with Fsutil (eql)
  • ❌ Persistent Scripts in the Startup Directory (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Active Directory Replication Account Backdoor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Ingress Transfer via Windows BITS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Extension Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privileged Accounts Brute Force (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Copy to a Hidden Share (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Network Connection via Registration Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Application Shimming via Sdbinst (eql)
  • ✅ Suspicious CertUtil Commands (eql)
  • ❌ Svchost spawning Cmd (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Microsoft Windows Defender Tampering (eql)
  • ❌ Potential Masquerading as Business App Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MS Office Macro Security Registry Modifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Process Access via Windows API (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Active Directory Discovery using AdExplorer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alternate Data Stream Creation/Execution at Volume Root Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@w0rk3r w0rk3r merged commit d95919b into main May 4, 2026
13 checks passed
@w0rk3r w0rk3r deleted the win_setup_guides branch May 4, 2026 14:17