diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md
index 26e74821bff..2f423c63cae 100644
--- a/.github/latest_archiver_output.md
+++ b/.github/latest_archiver_output.md
@@ -1,516 +1,522 @@
 # Reference Archiver Results
 
-Last Execution: 2024-07-15 02:23:02
+Last Execution: 2024-08-01 02:00:18
 
 ### Archiver Script Results
 
 
 #### Newly Archived References
 
-N/A
+- https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
 
 #### Already Archived References
 
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-stopped-due-to-risk-based-consent
-- https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/
-- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
-- https://portmap.io/
-- https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
-- https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
-- https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/
-- https://github.com/wavestone-cdt/EDRSandblast
-- https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
-- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
-- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4
-- https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
-- https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf
-- https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
-- https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab
-- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140
-- https://github.com/LOLBAS-Project/LOLBAS/pull/151
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
-- https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py
-- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled
-- https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob
-- https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
-- https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
-- https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
-- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
-- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
-- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
-- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
-- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
-- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
-- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
-- https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
+- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
+- https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416
+- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+- https://docs.github.com/en/migrations
+- https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
+- https://security.padok.fr/en/blog/kubernetes-webhook-attackers
+- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
+- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701
+- https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py
+- https://asec.ahnlab.com/en/58878/
+- https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
 
 #### Error While Archiving References
 
 - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
-- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
-- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
-- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
-- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
-- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
-- https://security.padok.fr/en/blog/kubernetes-webhook-attackers
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
-- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
-- https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
-- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
-- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
-- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
-- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699
-- https://www.group-ib.com/blog/apt41-world-tour-2021/
-- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
-- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
-- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
-- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634
-- https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
-- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
+- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
+- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
+- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
+- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
 - https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html
-- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
-- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
-- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
-- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
-- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
-- https://tria.ge/240123-rapteaahhr/behavioral1
-- https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
-- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624
-- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
-- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues
-- https://www.loobins.io/binaries/launchctl/
-- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
-- https://twitter.com/DTCERT/status/1712785426895839339
-- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
-- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
-- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
-- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
-- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
-- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
-- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
-- https://www.fortiguard.com/psirt/FG-IR-22-398
-- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support
-- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
-- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
-- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
-- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
-- https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
-- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
-- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
-- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
-- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration
-- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval
-- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code
+- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
+- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
 - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
-- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
-- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
-- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
+- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
+- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
+- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
+- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
+- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
+- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
+- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
 - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
-- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
-- https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
-- https://twitter.com/Max_Mal_/status/1775222576639291859
-- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
-- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
-- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
+- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
+- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
+- https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
+- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address
+- https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983
+- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
+- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4
+- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
+- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
+- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
+- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
+- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer
+- https://github.com/CICADA8-Research/RemoteKrbRelay
+- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
 - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
-- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
-- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
-- https://www.loobins.io/binaries/xattr/
-- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
-- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
-- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
-- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
-- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
-- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
-- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
+- https://www.tenable.com/security/research/tra-2023-11
+- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
+- https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38
+- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
+- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
+- https://twitter.com/DTCERT/status/1712785421845790799
+- https://twitter.com/DTCERT/status/1712785426895839339
+- https://tria.ge/240123-rapteaahhr/behavioral1
+- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
-- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
-- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
-- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
+- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
+- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
+- https://www.fortiguard.com/psirt/FG-IR-22-398
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
+- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
+- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
+- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
+- https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
+- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
+- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/
+- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
+- https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487
+- https://adsecurity.org/?p=1785
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
+- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
+- https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
+- https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
+- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
+- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
+- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
+- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
+- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml
 - https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
-- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
-- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
+- https://github.com/grayhatkiller/SharpExShell
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038
+- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b
+- https://securelist.com/network-tunneling-with-qemu/111803/
+- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code
+- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
+- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
+- https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps
+- https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
+- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
+- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647
+- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
 - https://github.com/rapid7/metasploit-framework/issues/11337
-- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001
-- https://tria.ge/240226-fhbe7sdc39/behavioral1
-- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
+- https://tria.ge/231212-r1bpgaefar/behavioral2
+- https://www.loobins.io/binaries/tmutil/
+- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
+- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token
+- https://www.cve.org/CVERecord?id=CVE-2024-1709
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
+- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management
+- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
+- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml
+- https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content
+- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/
 - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
+- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
+- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
+- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles
+- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
+- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
+- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
+- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
+- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
+- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
+- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
+- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
+- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
+- https://github.com/embedi/CVE-2017-11882
+- https://redcanary.com/blog/msix-installers/
+- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
+- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
+- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
+- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
+- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
+- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
+- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet
+- https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
+- https://malware.guide/browser-hijacker/remove-onelaunch-virus/
+- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
 - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
-- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
-- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0
-- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
-- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
-- https://www.cyberciti.biz/faq/linux-remove-user-command/
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
-- https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
-- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
+- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
+- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
+- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
+- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
+- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
+- https://help.duo.com/s/article/6327?language=en_US
+- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
+- https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
+- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
+- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/
+- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
 - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
-- https://paper.seebug.org/1495/
-- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
+- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
 - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
-- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
-- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
-- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
-- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
-- https://twitter.com/DTCERT/status/1712785421845790799
-- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
-- https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps
-- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
-- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4
-- https://adsecurity.org/?p=1785
-- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
-- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management
-- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
-- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
-- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012
-- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
-- https://objective-see.org/blog/blog_0x6D.html
-- https://github.com/0xthirteen/SharpMove/
-- https://evasions.checkpoint.com/techniques/macos.html
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416
-- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
-- https://github.com/antonioCoco/RoguePotato
-- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
-- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
-- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
-- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
-- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
-- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
-- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file
-- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
-- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
-- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
-- https://github.com/gentilkiwi/mimikatz
-- https://www.loobins.io/binaries/nscurl/
-- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
-- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials
-- https://tria.ge/231212-r1bpgaefar/behavioral2
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
-- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
-- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly
-- https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
-- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer
-- https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html
-- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
-- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
-- https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
-- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
-- https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
-- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
-- https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
-- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
-- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
+- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699
+- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624
+- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
+- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
+- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
+- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281
+- https://ss64.com/osx/sw_vers.html
+- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray
-- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
-- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
-- https://linux.die.net/man/1/arecord
-- https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content
-- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
-- https://learn.microsoft.com/en-us/windows/client-management/manage-recall
-- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
-- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt
-- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
-- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
-- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent
+- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
+- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
 - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
-- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
-- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
-- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
-- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423
-- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
-- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
-- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
-- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
-- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
-- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
-- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010
-- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
-- https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete
-- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
+- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
+- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
+- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
+- https://objective-see.org/blog/blog_0x1E.html
+- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
+- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
+- https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
+- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
+- https://github.com/0xthirteen/SharpMove/
 - https://learn.microsoft.com/en-us/windows/win32/shell/launch
+- https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb
 - https://www.loobins.io/binaries/sysctl/#
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
-- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
-- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
-- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
-- https://localtonet.com/documents/supported-tunnels
-- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
-- https://anydesk.com/en/changelog/windows
+- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
+- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/
+- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
 - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
+- https://learn.microsoft.com/en-us/windows/client-management/manage-recall
+- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706
+- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
+- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
+- https://x.com/_st0pp3r_/status/1742203752361128162?s=20
+- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details
+- https://ngrok.com/blog-post/new-ngrok-domains
+- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
+- https://www.group-ib.com/blog/apt41-world-tour-2021/
+- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
-- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
-- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
-- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
-- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/
+- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install
+- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
+- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
+- https://labs.withsecure.com/publications/kapeka
+- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010
+- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser
+- https://paper.seebug.org/1495/
+- https://cloud.google.com/access-context-manager/docs/audit-logging
+- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
+- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
+- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
+- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
+- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
+- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor
+- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
+- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
+- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
+- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
+- https://twitter.com/Max_Mal_/status/1775222576639291859
+- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
+- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues
+- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
+- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
+- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
+- https://support.google.com/a/answer/9261439
+- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
 - https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
+- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
+- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
+- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
+- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
+- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt
+- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
+- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
+- https://news.ycombinator.com/item?id=29504755
+- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
+- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
+- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
+- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
+- https://twitter.com/NathanMcNulty/status/1785051227568632263
+- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/
 - https://twitter.com/MsftSecIntel/status/1737895710169628824
-- https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
+- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
+- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
+- https://localtonet.com/documents/supported-tunnels
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
-- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
-- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
-- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
-- https://malware.guide/browser-hijacker/remove-onelaunch-virus/
-- https://asec.ahnlab.com/en/58878/
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
+- https://tria.ge/231023-lpw85she57/behavioral2
+- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
+- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
+- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
+- https://megatools.megous.com/
+- https://github.com/GhostPack/SharpDPAPI
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue
-- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647
-- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
-- https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/
-- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
-- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
-- https://github.com/grayhatkiller/SharpExShell
-- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
-- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
-- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
-- https://ss64.com/osx/sw_vers.html
-- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
-- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
-- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
-- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
-- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
-- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
-- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
-- https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/
-- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
+- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
+- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/
+- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
+- https://nvd.nist.gov/vuln/detail/CVE-2024-3400
+- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
+- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
+- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
+- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
+- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
+- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
+- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
+- https://anydesk.com/en/changelog/windows
+- https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
+- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0
+- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
+- https://objective-see.org/blog/blog_0x6D.html
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
+- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
+- https://www.loobins.io/binaries/pbpaste/
+- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
+- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records
+- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
+- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
+- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
+- https://www.sans.org/cyber-security-summit/archives
+- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes
+- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
-- https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
-- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
-- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token
-- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
-- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
+- https://tria.ge/240521-ynezpagf56/behavioral1
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661
-- https://nvd.nist.gov/vuln/detail/CVE-2024-3400
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
-- https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983
-- https://www.tarasco.org/security/pwdump_7/
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor
-- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
-- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
-- https://github.com/embedi/CVE-2017-11882
-- https://redcanary.com/blog/msix-installers/
-- https://learn.microsoft.com/en-us/sysinternals/downloads/psservice
-- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
-- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
-- https://x.com/_st0pp3r_/status/1742203752361128162?s=20
-- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
-- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
+- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
+- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
+- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
 - https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
-- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
-- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
-- https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections
-- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent
-- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
+- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
+- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens
+- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership
+- https://github.com/amjcyber/EDRNoiseMaker
+- https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly
+- https://boinc.berkeley.edu/
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
+- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
+- https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
+- https://www.tarasco.org/security/pwdump_7/
+- https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities
+- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
+- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file
+- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
+- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity
+- https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
+- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2
+- https://evasions.checkpoint.com/techniques/macos.html
 - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
-- https://news.ycombinator.com/item?id=29504755
-- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address
-- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
-- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
+- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
-- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
-- https://blog.sekoia.io/darkgate-internals/
-- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
-- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
-- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
-- https://www.softperfect.com/products/networkscanner/
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
-- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
-- https://megatools.megous.com/
-- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
-- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
-- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
-- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
+- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
+- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
+- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423
+- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
+- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
+- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
+- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
+- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
+- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
 - https://www.group-ib.com/resources/threat-research/red-curl-2.html
-- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
-- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
-- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
+- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
+- https://www.cyberciti.biz/faq/linux-remove-user-command/
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
+- https://www.loobins.io/binaries/nscurl/
+- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
+- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
+- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
+- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
 - https://pentestlab.blog/tag/svchost/
-- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
-- https://securelist.com/network-tunneling-with-qemu/111803/
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace
-- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
+- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
+- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
+- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
+- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
+- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
+- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
+- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
+- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/
+- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
+- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
+- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
-- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
-- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
-- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
-- https://cloud.google.com/access-context-manager/docs/audit-logging
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
-- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
-- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
-- https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
-- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
-- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet
-- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038
-- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml
-- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
-- https://www.sans.org/cyber-security-summit/archives
-- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
-- https://labs.withsecure.com/publications/kapeka
-- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes
-- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
-- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
-- https://www.cve.org/CVERecord?id=CVE-2024-1709
-- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
-- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
-- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
-- https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
-- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
-- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
-- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/
+- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration
+- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
+- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
+- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
+- https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
+- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support
+- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval
+- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
+- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
 - https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps
-- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
-- https://objective-see.org/blog/blog_0x1E.html
-- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
-- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
-- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
-- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
-- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
-- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
-- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
-- https://tria.ge/231023-lpw85she57/behavioral2
-- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
-- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706
-- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
-- https://ngrok.com/blog-post/new-ngrok-domains
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701
-- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
-- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
-- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
-- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
-- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
-- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
-- https://github.com/amjcyber/EDRNoiseMaker
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
-- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
-- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
-- https://help.duo.com/s/article/6327?language=en_US
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
-- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
-- https://support.google.com/a/answer/9261439
+- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
+- https://www.loobins.io/binaries/launchctl/
+- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001
+- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
+- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
+- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
+- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
 - https://www.attackiq.com/2023/09/20/emulating-rhysida/
-- https://unit42.paloaltonetworks.com/chromeloader-malware/
-- https://tria.ge/240521-ynezpagf56/behavioral1
-- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
-- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all
-- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
-- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
-- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
+- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
+- https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/
+- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
+- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
+- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
+- https://www.softperfect.com/products/networkscanner/
+- https://tria.ge/240226-fhbe7sdc39/behavioral1
+- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
+- https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
+- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
+- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
+- https://www.loobins.io/binaries/xattr/
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
+- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
+- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
+- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
+- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
+- https://learn.microsoft.com/en-us/sysinternals/downloads/psservice
 - https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
+- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
 - https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
-- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
-- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
+- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
 - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
-- https://www.loobins.io/binaries/tmutil/
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
+- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
+- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
+- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743
+- https://twitter.com/standa_t/status/1808868985678803222
+- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
+- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes
+- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
+- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
+- https://github.com/antonioCoco/RoguePotato
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
+- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
+- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
+- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
+- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
+- https://blog.sekoia.io/darkgate-internals/
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority
+- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
+- https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections
+- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
+- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
+- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
+- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
+- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
+- https://unit42.paloaltonetworks.com/chromeloader-malware/
+- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
+- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
+- https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html
+- https://linux.die.net/man/1/arecord
+- https://github.com/gentilkiwi/mimikatz
+- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace
+- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
+- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
diff --git a/tests/rule-references.txt b/tests/rule-references.txt
index 07b8e5fcb5a..533e26bbbbe 100644
--- a/tests/rule-references.txt
+++ b/tests/rule-references.txt
@@ -3717,3 +3717,20 @@ https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c74451
 https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
 https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
 https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
+https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
+https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete
+https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416
+https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+https://docs.github.com/en/migrations
+https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
+https://security.padok.fr/en/blog/kubernetes-webhook-attackers
+https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
+https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
+https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
+https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
+https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701
+https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py
+https://asec.ahnlab.com/en/58878/
+https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
+https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
+https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html