hunting/index.yml

llm:
  11e33a8f-805b-4394-bee0-08ae8d78b025:
    name: AWS Bedrock LLM Sensitive Content Refusals
    path: ./llm/queries/aws_bedrock_sensitive_content_refusal_detection.toml
    mitre:
    - AML.T0051
  00023411-192e-4472-90aa-da7562bc3f2a:
    name: AWS Bedrock LLM Denial-of-Service or Resource Exhaustion
    path: ./llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml
    mitre:
    - AML.T0034
  131e5887-463a-46a1-a44e-b96361bc6cbc:
    name: AWS Bedrock LLM Ignore Previous Prompt Detection
    path: ./llm/queries/aws_bedrock_ignore_previous_prompt_detection.toml
    mitre:
    - AML.T0051.000
  991b55c3-6327-4af6-8e0c-5d4870748369:
    name: AWS Bedrock LLM Latency Anomalies
    path: ./llm/queries/aws_bedrock_latency_anomalies_detection.toml
    mitre:
    - AML.T0029
macos:
  dc04d70a-80aa-4c3f-ad02-2b18d54af6d4:
    name: Suspicious Network Connections by Unsigned Mach-O
    path: ./macos/queries/suspicious_network_connections_by_unsigned_macho.toml
    mitre:
    - T1071
  69fc4f40-8fb1-4652-99b7-52755cd370fe:
    name: Low Occurrence of Suspicious Launch Agent or Launch Daemon
    path: ./macos/queries/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml
    mitre:
    - T1547
    - T1547.011
    - T1543
    - T1543.001
    - T1543.004
linux:
  ecd84bc7-32ae-474b-93a8-d1d9736c3464:
    name: Network Connections with Low Occurrence Frequency for Unique Agent ID
    path: ./linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml
    mitre:
    - T1071.001
    - T1071.004
  2db642d2-621a-4183-88b5-b2659dc2c940:
    name: OSQuery SUID Hunting
    path: ./linux/queries/privilege_escalation_via_suid_binaries.toml
    mitre:
    - T1548.001
    - T1574.002
  5984a354-d76c-43e6-bdd9-228456f1b371:
    name: Persistence via Message-of-the-Day
    path: ./linux/queries/persistence_via_message_of_the_day.toml
    mitre:
    - T1036.005
    - T1546.003
  00461198-9a2d-4823-b4cc-f3d1b5c17935:
    name: Hidden Process Execution
    path: ./linux/queries/defense_evasion_via_hidden_process_execution.toml
    mitre:
    - T1036.004
    - T1059
  6e57e6a6-f150-405d-b8be-e4e666a3a86d:
    name: Privilege Escalation Identification via Existing Sudoers File
    path: ./linux/queries/privilege_escalation_via_existing_sudoers.toml
    mitre:
    - T1548.003
  223f812c-a962-4d58-961d-134d8f8b15da:
    name: Excessive SSH Network Activity to Unique Destinations
    path: ./linux/queries/excessive_ssh_network_activity_unique_destinations.toml
    mitre:
    - T1021.004
    - T1078.003
  8dcc2161-65e0-4448-a03a-1c4e0cbc9330:
    name: XDG Persistence
    path: ./linux/queries/persistence_via_xdg_autostart_modifications.toml
    mitre:
    - T1547.001
    - T1053.005
  d2d24ad6-a315-4e05-a3f9-e205eb805df4:
    name: Persistence via Systemd (Timers)
    path: ./linux/queries/persistence_via_systemd_timers.toml
    mitre:
    - T1053.005
    - T1546.002
  12526f14-5e35-4f5f-884c-96c6a353a544:
    name: Low Volume External Network Connections from Process by Unique Agent
    path: ./linux/queries/low_volume_external_network_connections_from_process.toml
    mitre:
    - T1071.001
    - T1071.004
  27d76f07-7dc4-49bc-b4a7-6d9a01de171f:
    name: Persistence via System V Init
    path: ./linux/queries/persistence_via_sysv_init.toml
    mitre:
    - T1037
  2d7bb29d-d53f-47ab-a0b4-1818adb91423:
    name: Git Hook/Pager Persistence
    path: ./linux/queries/persistence_via_git_hook_pager.toml
    mitre:
    - T1546.004
    - T1059.004
  7422faf1-ba51-49c3-b8ba-13759e6bcec4:
    name: Persistence Through Reverse/Bind Shells
    path: ./linux/queries/persistence_reverse_bind_shells.toml
    mitre:
    - T1059.004
  c7044817-d9a5-4755-abab-9059e50dab24:
    name: Low Volume Modifications to Critical System Binaries by Unique Host
    path: ./linux/queries/low_volume_modifications_to_critical_system_binaries.toml
    mitre:
    - T1070.004
    - T1569.002
  20a02fad-2a09-44c0-a8ce-ce4502859c8a:
    name: Shell Modification Persistence
    path: ./linux/queries/persistence_via_shell_modification_persistence.toml
    mitre:
    - T1546.004
    - T1053.005
  0ea47044-b161-4785-ba99-e11f46d6ac51:
    name: Uncommon Process Execution from Suspicious Directory
    path: ./linux/queries/execution_uncommon_process_execution_from_suspicious_directory.toml
    mitre:
    - T1036.004
    - T1049
    - T1059
    - T1059.004
  783d6091-b98d-45a8-a880-a07f112a8aa2:
    name: Low Volume GTFOBins External Network Connections
    path: ./linux/queries/low_volume_gtfobins_external_network_connections.toml
    mitre:
    - T1219
    - T1071.001
  8d42a644-5b60-4165-a8f1-84d5bcdd4ade:
    name: Persistence via Udev
    path: ./linux/queries/persistence_via_udev.toml
    mitre:
    - T1547.010
  e1f59c9a-7a2a-4eb8-a524-97b16a041a4a:
    name: Drivers Load with Low Occurrence Frequency
    path: ./linux/queries/persistence_via_driver_load_with_low_occurrence_frequency.toml
    mitre:
    - T1547.006
    - T1069.002
  95c1467d-d566-4645-b5f1-37a4b0093bb6:
    name: Logon Activity by Source IP
    path: ./linux/queries/login_activity_by_source_address.toml
    mitre:
    - T1110
    - T1078
  d22cbe8f-c84d-4811-aa6d-f1ee00c806b2:
    name: Unusual System Binary Parent (Potential System Binary Hijacking Attempt)
    path: ./linux/queries/persistence_via_unusual_system_binary_parent.toml
    mitre:
    - T1546.004
    - T1059.004
  3f3fd2b9-940c-4310-adb1-d8b7d726e281:
    name: Segmentation Fault & Potential Buffer Overflow Hunting
    path: ./linux/queries/privilege_escalation_via_segmentation_fault_and_buffer_overflow.toml
    mitre:
    - T1203
    - T1068
  2d01a413-8d97-407a-8698-02dfc7119c97:
    name: Persistence via Package Manager
    path: ./linux/queries/persistence_via_package_manager.toml
    mitre:
    - T1546.004
    - T1059.004
  11810497-8ce3-4960-9777-9d0e97052682:
    name: Potential Defense Evasion via Multi-Dot Process Execution
    path: ./linux/queries/defense_evasion_via_multi_dot_process_execution.toml
    mitre:
    - T1036.004
    - T1070
  0d061fad-cf35-43a6-b9b7-986c348bf182:
    name: Unusual File Downloads from Source Addresses
    path: ./linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml
    mitre:
    - T1071.001
    - T1071.004
  6f67704d-e5b1-4613-912c-e2965660fe17:
    name: Process Capability Hunting
    path: ./linux/queries/privilege_escalation_via_process_capabilities.toml
    mitre:
    - T1548.001
    - T1548.003
  aa759db0-4499-42f2-9f2f-be3e00fdebfa:
    name: Persistence via SSH Configurations and/or Keys
    path: ./linux/queries/persistence_via_ssh_configurations_and_keys.toml
    mitre:
    - T1098.004
    - T1563.001
  e1cffb7c-4acf-4e7a-8d72-b8b7657cf7b8:
    name: Persistence via Cron
    path: ./linux/queries/persistence_via_cron.toml
    mitre:
    - T1053.003
    - T1053.005
  c9931736-d5ec-4c89-b4d2-d71dcf5ca12a:
    name: Low Volume Process Injection-Related Syscalls by Process Executable
    path: ./linux/queries/low_volume_process_injection_syscalls_by_executable.toml
    mitre:
    - T1055.001
    - T1055.009
  f00c9757-d21b-432c-90a6-8372f18075d0:
    name: Privilege Escalation/Persistence via User/Group Creation and/or Modification
    path: ./linux/queries/persistence_via_user_group_creation_modification.toml
    mitre:
    - T1136
    - T1136.001
    - T1136.002
  9d485892-1ca2-464b-9e4e-6b21ab379b9a:
    name: Defense Evasion via Capitalized Process Execution
    path: ./linux/queries/defense_evasion_via_capitalized_process_execution.toml
    mitre:
    - T1036.004
    - T1070
  a95f778f-2193-4a3d-bbbe-7b02d5740638:
    name: Persistence via rc.local/rc.common
    path: ./linux/queries/persistence_via_rc_local.toml
    mitre:
    - T1037.004
    - T1546.003
  2a3c46b8-7bd6-4bc4-a4a8-a1af114ea152:
    name: Persistence via Pluggable Authentication Modules (PAM)
    path: ./linux/queries/persistence_via_pluggable_authentication_module.toml
    mitre:
    - T1556.003
  664d65ec-029e-4746-bf97-7bf3a0113e6a:
    name: Persistence via Dynamic Linker Hijacking
    path: ./linux/queries/persistence_via_dynamic_linker_hijacking.toml
    mitre:
    - T1574.006
  d667d328-fadc-4a52-9b46-f42b1a83181c:
    name: Persistence via Loadable Kernel Modules
    path: ./linux/queries/persistence_via_loadable_kernel_modules.toml
    mitre:
    - T1547.006
  e2e4a1ad-5e03-4968-927c-9ef13c49a3b8:
    name: Persistence via Web Shell
    path: ./linux/queries/persistence_via_web_shell.toml
    mitre:
    - T1505.003
  1d7cae97-2dea-4f01-b04c-85fa4bd991d0:
    name: Persistence via DPKG/RPM Package
    path: ./linux/queries/persistence_via_rpm_dpkg_installer_packages.toml
    mitre:
    - T1546.016
  b9b4f11f-1db9-491a-ab43-0e69e3f6d5be:
    name: Persistence via Docker Container
    path: ./linux/queries/persistence_via_malicious_docker_container.toml
    mitre:
    - T1610
okta:
  0b936024-71d9-11ef-a9be-f661ea17fbcc:
    name: Failed OAuth Access Token Retrieval via Public Client App
    path: ./okta/queries/defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.toml
    mitre:
    - T1550.001
  31585786-71f4-11ef-9e99-f661ea17fbcc:
    name: Successful Impossible Travel Sign-On Events
    path: ./okta/queries/initial_access_impossible_travel_sign_on.toml
    mitre:
    - T1078.004
  223451b0-6eca-11ef-a070-f661ea17fbcc:
    name: Rapid MFA Deny Push Notifications (MFA Bombing)
    path: ./okta/queries/credential_access_mfa_bombing_push_notications.toml
    mitre:
    - T1621
  11666aa0-71d9-11ef-a9be-f661ea17fbcc:
    name: Rare Occurrence of OAuth Access Token Granted to Public Client App
    path: ./okta/queries/defense_evasion_rare_oauth_access_token_granted_by_application.toml
    mitre:
    - T1550.001
  c8a35a26-71f1-11ef-9c4e-f661ea17fbcc:
    name: Identify High Average of Failed Daily Authentication Attempts
    path: ./okta/queries/initial_access_higher_than_average_failed_authentication.toml
    mitre:
    - T1078.004
  1c2d2b08-71ee-11ef-952e-f661ea17fbcc:
    name: Password Spraying from Repeat Source
    path: ./okta/queries/initial_access_password_spraying_from_repeat_source.toml
    mitre:
    - T1078.004
  f3bc68f4-71e9-11ef-952e-f661ea17fbcc:
    name: Rare Occurrence of Domain with User Authentication Events
    path: ./okta/queries/persistence_rare_domain_with_user_authentication.toml
    mitre:
    - T1078.004
  7c51fe3e-6ae9-11ef-919d-f661ea17fbcc:
    name: Multi-Factor Authentication (MFA) Push Notification Bombing
    path: ./okta/queries/persistence_multi_factor_push_notification_bombing.toml
    mitre:
    - T1556.006
  c784106e-6ae8-11ef-919d-f661ea17fbcc:
    name: Rapid Reset Password Requests for Different Users
    path: ./okta/queries/credential_access_rapid_reset_password_requests_for_different_users.toml
    mitre:
    - T1098.001
  38d82c2c-71d9-11ef-a9be-f661ea17fbcc:
    name: OAuth Access Token Granted for Public Client App from Multiple Client Addresses
    path: ./okta/queries/defense_evasion_multiple_client_sources_reported_for_oauth_access_tokens_granted.toml
    mitre:
    - T1550.001
  03bce3b0-6ded-11ef-9282-f661ea17fbcc:
    name: Multiple Application SSO Authentication from the Same Source
    path: ./okta/queries/defense_evasion_multiple_application_sso_authentication_repeat_source.toml
    mitre:
    - T1550.001
aws:
  c3d24ae8-655d-11ef-a990-f661ea17fbcc:
    name: High EC2 Instance Deployment Count Attempts by Single User or Role
    path: ./aws/queries/ec2_high_instance_deployment_count_attempts.toml
    mitre:
    - T1578.002
  e3206d1c-64a9-11ef-a642-f661ea17fbcc:
    name: Lambda Add Permissions for Write Actions to Function
    path: ./aws/queries/lambda_add_permissions_for_write_actions_to_function.toml
    mitre:
    - T1584.007
  913a47be-649c-11ef-a693-f661ea17fbcc:
    name: IAM User Activity with No MFA Session
    path: ./aws/queries/iam_user_activity_with_no_mfa_session.toml
    mitre:
    - T1078.004
  f9eae44e-5e4d-11ef-878f-f661ea17fbce:
    name: SSM Start Remote Session to EC2 Instance
    path: ./aws/queries/ssm_start_remote_session_to_ec2_instance.toml
    mitre:
    - T1021.007
  e6e78858-6482-11ef-93bd-f661ea17fbcc:
    name: High Frequency of EC2 Multi-Region `DescribeInstances` API Calls
    path: ./aws/queries/ec2_discovery_multi_region_describe_instance_calls.toml
    mitre:
    - T1580
  429824b6-60b2-11ef-b0a4-f661ea17fbce:
    name: IAM Assume Role Creation with Attached Policy
    path: ./aws/queries/iam_assume_role_creation_with_attached_policy.toml
    mitre:
    - T1098.003
  1844f2d6-5dc7-11ef-b76c-f661ea17fbce:
    name: SSM Rare SendCommand Code Execution by EC2 Instance
    path: ./aws/queries/ssm_rare_sendcommand_code_execution.toml
    mitre:
    - T1651
  f11ac62c-5f42-11ef-9d72-f661ea17fbce:
    name: EC2 Modify Instance Attribute User Data
    path: ./aws/queries/ec2_modify_instance_attribute_user_data.toml
    mitre:
    - T1059.009
    - T1037
  ef579900-75ef-11ef-b47f-f661ea17fbcc:
    name: S3 Public Bucket Rapid Object Access Attempts
    path: ./aws/queries/s3_public_bucket_rapid_object_access_attempts.toml
    mitre:
    - T1530
  408ba5f6-5db7-11ef-a01c-f661ea17fbce:
    name: EC2 Suspicious Get User Password Request
    path: ./aws/queries/ec2_suspicious_get_user_password_request.toml
    mitre:
    - T1552.005
  38454a64-5b55-11ef-b345-f661ea17fbce:
    name: SSM SendCommand API Used by EC2 Instance
    path: ./aws/queries/ssm_sendcommand_api_used_by_ec2_instance.toml
    mitre:
    - T1651
  953b1252-5efd-11ef-a997-f661ea17fbce:
    name: Signin Single Factor Console Login via Federated Session
    path: ./aws/queries/signin_single_factor_console_login_via_federated_session.toml
    mitre:
    - T1078.004
  d74f8928-5e46-11ef-9488-f661ea17fbce:
    name: Multiple Service Logging Deleted or Stopped
    path: ./aws/queries/multiple_service_logging_deleted_or_stopped.toml
    mitre:
    - T1562.008
  ef244ca0-5e32-11ef-a8d3-f661ea17fbce:
    name: Secrets Manager High Frequency of Programmatic GetSecretValue API Calls
    path: ./aws/queries/secretsmanager_high_frequency_get_secret_value.toml
    mitre:
    - T1555.006
  7a083b24-6482-11ef-8a8f-f661ea17fbcc:
    name: High Frequency of Service Quotas Multi-Region `GetServiceQuota` API Calls
    path: ./aws/queries/servicequotas_discovery_multi_region_get_service_quota_calls.toml
    mitre:
    - T1580
  696c3f40-5b54-11ef-b9df-f661ea17fbce:
    name: User Creation with Administrator Policy Assigned
    path: ./aws/queries/iam_user_creation_with_administrator_policy_assigned.toml
    mitre:
    - T1098.003
    - T1136.003
  3f8393b2-5f0b-11ef-8a25-f661ea17fbce:
    name: STS Suspicious Federated Temporary Credential Request
    path: ./aws/queries/sts_suspicious_federated_temporary_credential_request.toml
    mitre:
    - T1550.001
  418baaf2-9ae1-11ef-be63-f661ea17fbcd:
    name: AWS IAM Customer-Managed Policy Attachment to Existing Roles
    path: ./aws/queries/iam_customer_managed_policies_attached_to_existing_roles.toml
    mitre:
    - T1548.005
  18ce3dbc-b1b3-11ef-9e63-f661ea17fbce:
    name: AWS IAM Unusual AWS Access Key Usage for User
    path: ./aws/queries/iam_unusual_access_key_usage_for_user.toml
    mitre:
    - T1078.004
windows:
  44e6adc6-e183-4bfa-b06d-db41669641fa:
    name: Rundll32 Execution Aggregated by Command Line
    path: ./windows/queries/rundll32_execution_aggregated_by_cmdline.toml
    mitre:
    - T1127
    - T1218
    - T1218.011
  df4ee961-254d-4ad1-af15-c65c3b65abcd:
    name: Persistence via Run Key with Low Occurrence Frequency
    path: ./windows/queries/persistence_via_run_key_with_low_occurrence_frequency.toml
    mitre:
    - T1547
    - T1547.001
  5e5aa9c2-96a8-4d5b-bbca-ff2ec8fefa5b:
    name: High Count of Network Connection Over Extended Period by Process
    path: ./windows/queries/high_count_of_network_connection_over_extended_period_by_process.toml
    mitre:
    - T1071
  4f878255-53b8-4914-9a7d-4b668bd2ea6a:
    name: Low Occurrence Rate of CreateRemoteThread by Source Process
    path: ./windows/queries/createremotethread_by_source_process_with_low_occurrence.toml
    mitre:
    - T1055
  34a7aadb-fb0f-45ea-9260-830f39c3343b:
    name: Rare DLL Side-Loading by Occurrence
    path: ./windows/queries/detect_rare_dll_sideload_by_occurrence.toml
    mitre:
    - T1574
    - T1574.002
  f7d2054f-b571-4cd0-b39e-a779576e9398:
    name: Excessive RDP Network Activity by Host and User
    path: ./windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml
    mitre:
    - T1021
    - T1021.001
  d06bc067-6174-412f-b1c9-bf8f15149519:
    name: DLL Hijack via Masquerading as Microsoft Native Libraries
    path: ./windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml
    mitre:
    - T1574
    - T1574.001
  44223fd6-8241-4c21-9d54-21201fa15b12:
    name: Scheduled Tasks Creation for Unique Hosts by Task Command
    path: ./windows/queries/scheduled_tasks_creation_for_unique_hosts_by_task_command.toml
    mitre:
    - T1053
    - T1053.005
  24925575-defd-4581-bfda-a8753dcfb46e:
    name: Egress Network Connections with Total Bytes Greater than Threshold
    path: ./windows/queries/potential_exfiltration_by_process_total_egress_bytes.toml
    mitre:
    - T1071
  df50f65e-e820-47f4-a039-671611582f51:
    name: Scheduled tasks Creation by Action via Registry
    path: ./windows/queries/scheduled_task_creation_by_action_via_registry.toml
    mitre:
    - T1053
    - T1053.005
  a95e69af-22ad-4ab7-919e-794501f10c95:
    name: Low Frequency of Process Execution via WMI by Unique Agent
    path: ./windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml
    mitre:
    - T1047
  1c7be6db-12eb-4281-878d-b6abe0454f36:
    name: DNS Queries via LOLBins with Low Occurence Frequency
    path: ./windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml
    mitre:
    - T1071
  386f9cec-bb44-4dd2-8368-45e6fa0a425b:
    name: Network Discovery via Sensitive Ports by Unusual Process
    path: ./windows/queries/network_discovery_via_sensitive_ports_by_unusual_process.toml
    mitre:
    - T1021
    - T1021.002
    - T1021.001
  48b75e53-3c73-40bd-873d-569dd8d7d925:
    name: Unique Windows Services Creation by Service File Name
    path: ./windows/queries/unique_windows_services_creation_by_servicefilename.toml
    mitre:
    - T1543
    - T1543.003
  7a2c8397-d219-47ad-a8e2-93562e568d08:
    name: Suspicious DNS TXT Record Lookups by Process
    path: ./windows/queries/suspicious_dns_txt_record_lookups_by_process.toml
    mitre:
    - T1071
    - T1071.004
  ea950361-33e4-4045-96a5-d36ca28fbc91:
    name: Persistence via Startup with Low Occurrence Frequency by Unique Host
    path: ./windows/queries/persistence_via_startup_with_low_occurrence_frequency.toml
    mitre:
    - T1547
    - T1547.001
  d0aed6f5-f84c-4da8-bb2a-b5ca0fbb55e0:
    name: Rare LSASS Process Access Attempts
    path: ./windows/queries/detect_rare_lsass_process_access_attempts.toml
    mitre:
    - T1003
    - T1003.001
  24108755-4d1f-4d7a-ad5f-04c2ca55e9a3:
    name: Frequency of Process Execution via Network Logon by Source Address
    path: ./windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml
    mitre:
    - T1021
  c00f1afe-4f25-4542-8cc9-277b23581121:
    name: Libraries Loaded by svchost with Low Occurrence Frequency
    path: ./windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency.toml
    mitre:
    - T1543
    - T1543.003
  a0a84a86-115f-42f9-90a5-4cb7ceeef981:
    name: Low Occurence of Process Execution via Windows Services with Unique Agent
    path: ./windows/queries/execution_via_windows_services_with_low_occurrence_frequency.toml
    mitre:
    - T1543
    - T1543.003
  52a958e8-0368-4e74-bd4b-a64faf397bf4:
    name: Startup Execution with Low Occurrence Frequency by Unique Host
    path: ./windows/queries/execution_via_startup_with_low_occurrence_frequency.toml
    mitre:
    - T1547
    - T1547.001
  a2006c66-d6ab-43ee-871e-d650e38f7972:
    name: Masquerading Attempts as Native Windows Binaries
    path: ./windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml
    mitre:
    - T1036
  2e583d3c-7ad6-4544-a0db-c685b2066493:
    name: Suspicious Base64 Encoded Powershell Command
    path: ./windows/queries/suspicious_base64_encoded_powershell_commands.toml
    mitre:
    - T1059
    - T1059.001
    - T1027
    - T1027.010
  cebfbb4d-5b2a-44d8-b763-5512b654fb26:
    name: Low Occurrence of Drivers Loaded on Unique Hosts
    path: ./windows/queries/drivers_load_with_low_occurrence_frequency.toml
    mitre:
    - T1068
  441fba85-47a9-4f1f-aab4-569bbfdc548b:
    name: Windows Logon Activity by Source IP
    path: ./windows/queries/windows_logon_activity_by_source_ip.toml
    mitre:
    - T1110
    - T1110.001
    - T1110.003
  b786bcd7-b119-4ff7-b839-3927c2ff7f1f:
    name: Executable File Creation by an Unusual Microsoft Binary
    path: ./windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml
    mitre:
    - T1211
    - T1055
  0d960760-8a40-49c1-bbdd-4deb32c7fd67:
    name: Low Frequency of Process Execution via Windows Scheduled Task by Unique
      Agent
    path: ./windows/queries/execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml
    mitre:
    - T1053
    - T1053.005
  5fd5da54-0515-4d6b-b8d7-30fd05f5be33:
    name: Execution via Remote Services by Client Address
    path: ./windows/queries/execution_via_remote_services_by_client_address.toml
    mitre:
    - T1021
    - T1021.003
    - T1021.006
    - T1047
  aca4877f-d284-4bdb-8e18-b1414d3a7c20:
    name: Windows Command and Scripting Interpreter from Unusual Parent Process
    path: ./windows/queries/windows_command_and_scripting_interpreter_from_unusual_parent.toml
    mitre:
    - T1059
    - T1059.001
    - T1059.003
  814894a4-c951-4f33-ab0b-09354e1cb957:
    name: PE File Transfer via SMB_Admin Shares by Agent or User
    path: ./windows/queries/pe_file_transfer_via_smb_admin_shares_by_agent.toml
    mitre:
    - T1021
    - T1021.002
  f1b8519a-4dae-475f-965a-f53559233eab:
    name: Microsoft Office Child Processes with Low Occurrence Frequency by Unique
      Agent
    path: ./windows/queries/microsoft_office_child_processes_with_low_occurrence_frequency.toml
    mitre:
    - T1566
    - T1566.001
  8a95f552-f149-4c71-888e-f2690f5add15:
    name: Excessive SMB Network Activity by Process ID
    path: ./windows/queries/excessive_smb_network_activity_by_process_id.toml
    mitre:
    - T1021
    - T1021.002