diff --git a/Full_tests.csv b/Full_tests.csv
index 6dcf8806..70a1dd27 100644
--- a/Full_tests.csv
+++ b/Full_tests.csv
@@ -260,6 +260,7 @@ defense-evasion;T1112;command_prompt;['windows'];Windows Auto Update Option to N
 defense-evasion;T1112;command_prompt;['windows'];Do Not Connect To Win Update;d1de3767-99c2-4c6c-8c5a-4ba4586474c8;False;54
 defense-evasion;T1112;command_prompt;['windows'];Tamper Win Defender Protection;3b625eaa-c10d-4635-af96-3eae7d2a2f3c;False;55
 defense-evasion;T1112;powershell;['windows'];Snake Malware Registry Blob;8318ad20-0488-4a64-98f4-72525a012f6b;False;56
+defense-evasion;T1112;command_prompt;['windows'];Allow Simultaneous Download Registry;37950714-e923-4f92-8c7c-51e4b6fffbf6;False;57
 defense-evasion;T1574.008;powershell;['windows'];powerShell Persistence via hijacking default modules - Get-Variable.exe;1561de08-0b4b-498e-8261-e922f3494aae;True;1
 defense-evasion;T1027.001;sh;['macos', 'linux'];Pad Binary to Change Hash - Linux/macOS dd;ffe2346c-abd5-4b45-a713-bf5f1ebd573a;False;1
 defense-evasion;T1027.001;sh;['macos', 'linux'];Pad Binary to Change Hash using truncate command - Linux/macOS;e22a9e89-69c7-410f-a473-e6c212cd2292;False;2
@@ -391,6 +392,7 @@ defense-evasion;T1562.001;sh;['linux'];Clear Pagging Cache;f790927b-ea85-4a16-b7
 defense-evasion;T1562.001;sh;['linux'];Disable Memory Swap;e74e4c63-6fde-4ad2-9ee8-21c3a1733114;False;42
 defense-evasion;T1562.001;powershell;['windows'];Disable Hypervisor-Enforced Code Integrity (HVCI);70bd71e6-eba4-4e00-92f7-617911dbe020;False;43
 defense-evasion;T1562.001;command_prompt;['windows'];AMSI Bypass - Override AMSI via COM;17538258-5699-4ff1-92d1-5ac9b0dc21f5;True;44
+defense-evasion;T1562.001;bash;['iaas:aws'];AWS - GuardDuty Suspension or Deletion;11e65d8d-e7e4-470e-a3ff-82bc56ad938e;False;45
 defense-evasion;T1055.012;powershell;['windows'];Process Hollowing using PowerShell;562427b4-39ef-4e8c-af88-463a78e70b9c;True;1
 defense-evasion;T1055.012;powershell;['windows'];RunPE via VBA;3ad4a037-1598-4136-837c-4027e4fa319b;True;2
 defense-evasion;T1027;sh;['macos', 'linux'];Decode base64 Data into Script;f45df6be-2e1e-4136-a384-8f18ab3826fb;False;1
@@ -566,6 +568,7 @@ privilege-escalation;T1543.003;command_prompt;['windows'];Remote Service Install
 privilege-escalation;T1053.003;bash;['macos', 'linux'];Cron - Replace crontab with referenced file;435057fb-74b1-410e-9403-d81baf194f75;False;1
 privilege-escalation;T1053.003;bash;['macos', 'linux'];Cron - Add script to all cron subfolders;b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0;False;2
 privilege-escalation;T1053.003;bash;['linux'];Cron - Add script to /var/spool/cron/crontabs/ folder;2d943c18-e74a-44bf-936f-25ade6cccab4;False;3
+privilege-escalation;T1547.012;powershell;['windows'];Print Processors;f7d38f47-c61b-47cc-a59d-fc0368f47ed0;False;1
 privilege-escalation;T1574.001;command_prompt;['windows'];DLL Search Order Hijacking - amsi.dll;8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3;True;1
 privilege-escalation;T1055.003;powershell;['windows'];Thread Execution Hijacking;578025d5-faa9-4f6d-8390-aae527d503e1;True;1
 privilege-escalation;T1546.011;command_prompt;['windows'];Application Shim Installation;9ab27e22-ee62-4211-962b-d36d9a0e6a18;True;1
@@ -580,7 +583,8 @@ privilege-escalation;T1611;sh;['containers'];Deploy container using nsenter cont
 privilege-escalation;T1611;sh;['containers'];Mount host filesystem to escape privileged Docker container;6c499943-b098-4bc6-8d38-0956fc182984;False;2
 privilege-escalation;T1547.009;command_prompt;['windows'];Shortcut Modification;ce4fc678-364f-4282-af16-2fb4c78005ce;True;1
 privilege-escalation;T1547.009;powershell;['windows'];Create shortcut to cmd in startup folders;cfdc954d-4bb0-4027-875b-a1893ce406f2;True;2
-privilege-escalation;T1547.005;powershell;['windows'];Modify SSP configuration in registry;afdfd7e3-8a0b-409f-85f7-886fdf249c9e;True;1
+privilege-escalation;T1547.005;powershell;['windows'];Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry;afdfd7e3-8a0b-409f-85f7-886fdf249c9e;True;1
+privilege-escalation;T1547.005;powershell;['windows'];Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry;de3f8e74-3351-4fdb-a442-265dbf231738;False;2
 privilege-escalation;T1543.004;bash;['macos'];Launch Daemon;03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf;False;1
 privilege-escalation;T1574.008;powershell;['windows'];powerShell Persistence via hijacking default modules - Get-Variable.exe;1561de08-0b4b-498e-8261-e922f3494aae;True;1
 privilege-escalation;T1484.001;command_prompt;['windows'];LockBit Black - Modify Group policy settings -cmd;9ab80952-74ee-43da-a98c-1e740a985f28;True;1
@@ -807,7 +811,7 @@ execution;T1559;command_prompt;['windows'];Cobalt Strike Lateral Movement (psexe
 execution;T1559;command_prompt;['windows'];Cobalt Strike SSH (postex_ssh) pipe;d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6;False;3
 execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (4.2 and later);7a48f482-246f-4aeb-9837-21c271ebf244;False;4
 execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (before 4.2);8dbfc15c-527b-4ab0-a272-019f469d367f;False;5
-execution;T1204.003;powershell;['windows'];Malicious Execution from Mounted ISO Image;e9795c8d-42aa-4ed4-ad80-551ed793d006;False;1
+execution;T1204.003;powershell;['windows'];Malicious Execution from Mounted ISO Image;e9795c8d-42aa-4ed4-ad80-551ed793d006;True;1
 execution;T1059.006;sh;['linux'];Execute shell script via python's command mode arguement;3a95cdb2-c6ea-4761-b24e-02b71889b8bb;False;1
 execution;T1059.006;sh;['linux'];Execute Python via scripts (Linux);6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8;False;2
 execution;T1059.006;sh;['linux'];Execute Python via Python executables (Linux);0b44d79b-570a-4b27-a31f-3bf2156e5eaa;False;3
@@ -858,6 +862,8 @@ persistence;T1053.003;bash;['macos', 'linux'];Cron - Replace crontab with refere
 persistence;T1053.003;bash;['macos', 'linux'];Cron - Add script to all cron subfolders;b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0;False;2
 persistence;T1053.003;bash;['linux'];Cron - Add script to /var/spool/cron/crontabs/ folder;2d943c18-e74a-44bf-936f-25ade6cccab4;False;3
 persistence;T1137;command_prompt;['windows'];Office Application Startup - Outlook as a C2;bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c;True;1
+persistence;T1098.003;powershell;['azure-ad'];Azure AD - Add Company Administrator Role to a user;4d77f913-56f5-4a14-b4b1-bf7bb24298ad;False;1
+persistence;T1547.012;powershell;['windows'];Print Processors;f7d38f47-c61b-47cc-a59d-fc0368f47ed0;False;1
 persistence;T1574.001;command_prompt;['windows'];DLL Search Order Hijacking - amsi.dll;8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3;True;1
 persistence;T1137.006;powershell;['windows'];Code Executed Via Excel Add-in File (XLL);441b1a0f-a771-428a-8af0-e99e4698cda3;True;1
 persistence;T1137.006;powershell;['windows'];Persistent Code Execution Via Excel Add-in File (XLL);9c307886-9fef-41d5-b344-073a0f5b2f5f;False;2
@@ -871,7 +877,7 @@ persistence;T1176;manual;['linux', 'windows', 'macos'];Chrome (Developer Mode);3
 persistence;T1176;manual;['linux', 'windows', 'macos'];Chrome (Chrome Web Store);4c83940d-8ca5-4bb2-8100-f46dc914bc3f;False;2
 persistence;T1176;manual;['linux', 'windows', 'macos'];Firefox;cb790029-17e6-4c43-b96f-002ce5f10938;False;3
 persistence;T1176;manual;['windows', 'macos'];Edge Chromium Addon - VPN;3d456e2b-a7db-4af8-b5b3-720e7c4d9da5;False;4
-persistence;T1176;powershell;['windows'];Google Chrome Load Unpacked Extension With Command Line;7a714703-9f6b-461c-b06d-e6aeac650f27;False;5
+persistence;T1176;powershell;['windows'];Google Chrome Load Unpacked Extension With Command Line;7a714703-9f6b-461c-b06d-e6aeac650f27;True;5
 persistence;T1546.011;command_prompt;['windows'];Application Shim Installation;9ab27e22-ee62-4211-962b-d36d9a0e6a18;True;1
 persistence;T1546.011;powershell;['windows'];New shim database files created in the default shim database directory;aefd6866-d753-431f-a7a4-215ca7e3f13d;True;2
 persistence;T1546.011;powershell;['windows'];Registry key creation and/or modification events for SDB;9b6a06f9-ab5e-4e8d-8289-1df4289db02f;True;3
@@ -879,7 +885,8 @@ persistence;T1547.010;command_prompt;['windows'];Add Port Monitor persistence in
 persistence;T1037.002;manual;['macos'];Logon Scripts - Mac;f047c7de-a2d9-406e-a62b-12a09d9516f4;False;1
 persistence;T1547.009;command_prompt;['windows'];Shortcut Modification;ce4fc678-364f-4282-af16-2fb4c78005ce;True;1
 persistence;T1547.009;powershell;['windows'];Create shortcut to cmd in startup folders;cfdc954d-4bb0-4027-875b-a1893ce406f2;True;2
-persistence;T1547.005;powershell;['windows'];Modify SSP configuration in registry;afdfd7e3-8a0b-409f-85f7-886fdf249c9e;True;1
+persistence;T1547.005;powershell;['windows'];Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry;afdfd7e3-8a0b-409f-85f7-886fdf249c9e;True;1
+persistence;T1547.005;powershell;['windows'];Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry;de3f8e74-3351-4fdb-a442-265dbf231738;False;2
 persistence;T1543.004;bash;['macos'];Launch Daemon;03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf;False;1
 persistence;T1574.008;powershell;['windows'];powerShell Persistence via hijacking default modules - Get-Variable.exe;1561de08-0b4b-498e-8261-e922f3494aae;True;1
 persistence;T1505.003;command_prompt;['windows'];Web Shell Written to Disk;0a2ce662-1efa-496f-a472-2fe7b080db16;True;1
@@ -1009,6 +1016,7 @@ persistence;T1547.007;sh;['macos'];Re-Opened Applications using LoginHook;5f5b71
 persistence;T1547.007;sh;['macos'];Append to existing loginwindow for Re-Opened Applications;766b6c3c-9353-4033-8b7e-38b309fa3a93;False;3
 persistence;T1574.002;command_prompt;['windows'];DLL Side-Loading using the Notepad++ GUP.exe binary;65526037-7079-44a9-bda1-2cb624838040;True;1
 persistence;T1574.002;command_prompt;['windows'];DLL Side-Loading using the dotnet startup hook environment variable;d322cdd7-7d60-46e3-9111-648848da7c02;False;2
+persistence;T1098.002;powershell;['office-365'];EXO - Full access mailbox permission granted to a user;17d046be-fdd0-4cbb-b5c7-55c85d9d0714;False;1
 persistence;T1037.001;command_prompt;['windows'];Logon Scripts;d6042746-07d4-4c92-9ad8-e644c114a231;True;1
 persistence;T1137.002;powershell;['windows'];Office Application Startup Test Persistence (HKCU);c3e35b58-fe1c-480b-b540-7600fb612563;True;1
 persistence;T1547.008;powershell;['windows'];Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt;8ecef16d-d289-46b4-917b-0dba6dc81cf1;True;1
@@ -1567,6 +1575,7 @@ discovery;T1046;powershell;['windows'];WinPwn - MS17-10;97585b04-5be2-40e9-8c31-
 discovery;T1046;powershell;['windows'];WinPwn - bluekeep;1cca5640-32a9-46e6-b8e0-fabbe2384a73;True;7
 discovery;T1046;powershell;['windows'];WinPwn - fruit;bb037826-cbe8-4a41-93ea-b94059d6bb98;True;8
 discovery;T1046;sh;['containers'];Network Service Discovery for Containers;06eaafdb-8982-426e-8a31-d572da633caa;False;9
+discovery;T1046;powershell;['windows'];Port-Scanning /24 Subnet with PowerShell;05df2a79-dba6-4088-a804-9ca0802ca8e4;False;10
 discovery;T1518;command_prompt;['windows'];Find and Display Internet Explorer Browser Version;68981660-6670-47ee-a5fa-7e74806420a4;True;1
 discovery;T1518;powershell;['windows'];Applications Installed;c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b;True;2
 discovery;T1518;sh;['macos'];Find and Display Safari Browser Version;103d6533-fd2a-4d08-976a-4a598565280f;False;3
@@ -1579,7 +1588,7 @@ discovery;T1124;sh;['macos'];System Time Discovery in macOS;f449c933-0891-407f-8
 discovery;T1124;command_prompt;['windows'];System Time Discovery W32tm as a Delay;d5d5a6b0-0f92-42d8-985d-47aafa2dd4db;True;4
 discovery;T1124;command_prompt;['windows'];System Time with Windows time Command;53ead5db-7098-4111-bb3f-563be390e72e;False;5
 reconnaissance;T1592.001;powershell;['windows'];Enumerate PlugNPlay Camera;d430bf85-b656-40e7-b238-42db01df0183;True;1
-impact;T1489;command_prompt;['windows'];Windows - Stop service using Service Controller;21dfb440-830d-4c86-a3e5-2a491d5a8d04;False;1
+impact;T1489;command_prompt;['windows'];Windows - Stop service using Service Controller;21dfb440-830d-4c86-a3e5-2a491d5a8d04;True;1
 impact;T1489;command_prompt;['windows'];Windows - Stop service using net.exe;41274289-ec9c-4213-bea4-e43c4aa57954;True;2
 impact;T1489;command_prompt;['windows'];Windows - Stop service by killing process;f3191b84-c38b-400b-867e-3a217a27795f;True;3
 impact;T1491.001;powershell;['windows'];Replace Desktop Wallpaper;30558d53-9d76-41c4-9267-a7bd5184bed3;True;1
@@ -1614,6 +1623,7 @@ impact;T1490;command_prompt;['windows'];Windows - Delete Backup Files;6b1dbaf6-c
 impact;T1490;command_prompt;['windows'];Windows - wbadmin Delete systemstatebackup;584331dd-75bc-4c02-9e0b-17f5fd81c748;True;7
 impact;T1490;command_prompt;['windows'];Windows - Disable the SR scheduled task;1c68c68d-83a4-4981-974e-8993055fa034;True;8
 impact;T1490;command_prompt;['windows'];Disable System Restore Through Registry;66e647d1-8741-4e43-b7c1-334760c2047f;True;9
+impact;T1490;powershell;['windows'];Windows - vssadmin Resize Shadowstorage Volume;da558b07-69ae-41b9-b9d4-4d98154a7049;False;10
 impact;T1529;command_prompt;['windows'];Shutdown System - Windows;ad254fa8-45c0-403b-8c77-e00b3d3e7a64;True;1
 impact;T1529;command_prompt;['windows'];Restart System - Windows;f4648f0d-bf78-483c-bafc-3ec99cd1c302;True;2
 impact;T1529;bash;['macos', 'linux'];Restart System via `shutdown` - macOS/Linux;6326dbc4-444b-4c04-88f4-27e94d0327cb;False;3
diff --git a/missing_tests.csv b/missing_tests.csv
index 229f6c3e..7bab6f1b 100644
--- a/missing_tests.csv
+++ b/missing_tests.csv
@@ -9,6 +9,7 @@ defense-evasion;T1553.002;win_security_susp_sdelete.yml
 defense-evasion;T1599.001;driver_load_win_windivert.yml
 defense-evasion;T1550;aws_sts_assumerole_misuse.yml,aws_sts_getsessiontoken_misuse.yml,aws_susp_saml_activity.yml
 defense-evasion;T1553.003;registry_set_sip_persistence.yml
+defense-evasion;T1222;posh_ps_set_acl.yml,posh_ps_set_acl_susp_location.yml
 defense-evasion;T1548;aws_sts_assumerole_misuse.yml,aws_sts_getsessiontoken_misuse.yml,aws_susp_saml_activity.yml,azure_aad_secops_ca_policy_removedby_bad_actor.yml,azure_aad_secops_ca_policy_updatedby_bad_actor.yml,azure_aad_secops_new_ca_policy_addedby_bad_actor.yml,azure_group_user_addition_ca_modification.yml,azure_group_user_removal_ca_modification.yml,lnx_auditd_capabilities_discovery.yml,file_event_lnx_doas_conf_creation.yml,proc_creation_lnx_doas_execution.yml,win_security_scm_database_privileged_operation.yml,win_system_vul_cve_2020_1472.yml,proc_access_win_svchost_cred_dump.yml,proc_creation_win_regedit_trustedinstaller.yml,proc_creation_win_susp_abusing_debug_privilege.yml,proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml,registry_set_comhijack_sdclt.yml
 defense-evasion;T1578.003;azure_aadhybridhealth_adfs_service_delete.yml
 defense-evasion;T1574.005;proc_creation_win_hktl_sharpup.yml
@@ -41,7 +42,7 @@ privilege-escalation;T1484;azure_ad_device_registration_policy_changes.yml
 execution;T1559.001;dns_query_win_regsvr32_network_activity.yml,net_connection_win_dllhost_net_connections.yml,net_connection_win_regsvr32_network_activity.yml,proc_access_win_cmstp_execution_by_access.yml
 execution;T1053;rpc_firewall_atsvc_lateral_movement.yml,rpc_firewall_itaskschedulerservice_lateral_movement.yml,rpc_firewall_sasec_lateral_movement.yml,cisco_cli_modify_config.yml,file_event_win_susp_task_write.yml,proc_creation_win_hktl_crackmapexec_execution_patterns.yml,proc_creation_win_hktl_sharpersist.yml,registry_set_taskcache_entry.yml,win_security_apt_slingshot.yml,proc_creation_win_apt_hafnium.yml,proc_creation_win_apt_actinium_persistence.yml
 execution;T1059.009;aws_iam_s3browser_loginprofile_creation.yml,aws_iam_s3browser_user_or_accesskey_creation.yml
-execution;T1059;azure_new_cloudshell_created.yml,lnx_auditd_bpfdoor_file_accessed.yml,proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml,proc_creation_lnx_netcat_reverse_shell.yml,proc_creation_lnx_python_pty_spawn.yml,proc_creation_lnx_susp_java_children.yml,proc_creation_lnx_xterm_reverse_shell.yml,proc_creation_macos_installer_susp_child_process.yml,proc_creation_macos_payload_decoded_and_decrypted.yml,proc_creation_macos_susp_browser_child_process.yml,proc_creation_macos_susp_execution_macos_script_editor.yml,win_security_alert_ruler.yml,win_defender_amsi_trigger.yml,win_defender_threat.yml,file_event_win_pcre_net_temp_file.yml,file_event_win_perflogs_susp_files.yml,image_load_dll_pcre_dotnet_dll_load.yml,posh_ps_win_defender_exclusions_added.yml,proc_creation_win_cmd_dosfuscation.yml,proc_creation_win_cmd_unusual_parent.yml,proc_creation_win_conhost_uncommon_parent.yml,proc_creation_win_fsutil_symlinkevaluation.yml,proc_creation_win_hktl_cobaltstrike_process_patterns.yml,proc_creation_win_hktl_sliver_c2_execution_pattern.yml,proc_creation_win_hktl_stracciatella_execution.yml,proc_creation_win_lolbin_
forfiles.yml,proc_creation_win_lolbin_fsharp_interpreters.yml,proc_creation_win_lolbin_ftp.yml,proc_creation_win_lolbin_openconsole.yml,proc_creation_win_lolbin_pcalua.yml,proc_creation_win_lolbin_runscripthelper.yml,proc_creation_win_mshta_inline_vbscript.yml,proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml,proc_creation_win_office_outlook_susp_child_processes_remote.yml,proc_creation_win_perl_inline_command_execution.yml,proc_creation_win_php_inline_command_execution.yml,proc_creation_win_powershell_download_iex.yml,proc_creation_win_powershell_run_script_from_input_stream.yml,proc_creation_win_pua_wsudo_susp_execution.yml,proc_creation_win_python_inline_command_execution.yml,proc_creation_win_python_pty_spawn.yml,proc_creation_win_rar_susp_greedy_compression.yml,proc_creation_win_rasdial_execution.yml,proc_creation_win_renamed_ftp.yml,proc_creation_win_ruby_inline_command_execution.yml,proc_creation_win_susp_elevated_system_shell.yml,proc_creation_win_susp_hiding_malware_in_fonts_folder.yml,proc_creation_win_susp_lolbin_non_c_drive.yml,proc_creation_win_susp_network_scan_loop.yml,proc_creation_win_susp_script_exec_from_env_folder.yml,proc_creation_win_susp_script_exec_from_temp.yml,proc_creation_win_sysprep_appdata.yml,proc_creation_win_vmware_vmtoolsd_susp_child_process.yml,proc_creation_win_winget_add_custom_source.yml,proc_creation_win_winget_add_insecure_custom_source.yml,proc_creation_win_winget_add_susp_custom_source.yml,proc_creation_win_winget_local_install_via_manifest.yml,proc_creation_win_apt_turla_commands_critical.yml,proc_creation_win_apt_lazarus_group_activity.yml,proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml,proc_creation_win_exploit_cve_2021_40444.yml,proc_creation_win_apt_revil_kaseya.yml 
+execution;T1059;azure_new_cloudshell_created.yml,lnx_auditd_bpfdoor_file_accessed.yml,proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml,proc_creation_lnx_netcat_reverse_shell.yml,proc_creation_lnx_python_pty_spawn.yml,proc_creation_lnx_susp_java_children.yml,proc_creation_lnx_xterm_reverse_shell.yml,proc_creation_macos_installer_susp_child_process.yml,proc_creation_macos_payload_decoded_and_decrypted.yml,proc_creation_macos_susp_browser_child_process.yml,proc_creation_macos_susp_execution_macos_script_editor.yml,win_security_alert_ruler.yml,win_defender_amsi_trigger.yml,win_defender_threat.yml,file_event_win_pcre_net_temp_file.yml,file_event_win_perflogs_susp_files.yml,image_load_dll_pcre_dotnet_dll_load.yml,image_load_side_load_abused_dlls_susp_paths.yml,posh_ps_win_defender_exclusions_added.yml,proc_creation_win_cmd_dosfuscation.yml,proc_creation_win_cmd_unusual_parent.yml,proc_creation_win_conhost_uncommon_parent.yml,proc_creation_win_fsutil_symlinkevaluation.yml,proc_creation_win_hktl_cobaltstrike_process_patterns.yml,proc_creation_win_hktl_sliver_c2_execution_pattern.yml,proc_creation_win_hktl_stracciatella_execution.yml,proc_creation_win_lolbin_forfiles.yml,proc_creation_win_lolbin_fsharp_interpreters.yml,proc_creation_win_lolbin_ftp.yml,proc_creation_win_lolbin_openconsole.yml,proc_creation_win_lolbin_pcalua.yml,proc_creation_win_lolbin_runscripthelper.yml,proc_creation_win_mshta_inline_vbscript.yml,proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml,proc_creation_win_office_outlook_susp_child_processes_remote.yml,proc_creation_win_perl_inline_command_execution.yml,proc_creation_win_php_inline_command_execution.yml,proc_creation_win_powershell_download_iex.yml,proc_creation_win_powershell_run_script_from_input_stream.yml,proc_creation_win_pua_wsudo_susp_execution.yml,proc_creation_win_python_inline_command_execution.yml,proc_creation_win_python_pty_spawn.yml,proc_creation_win_rar_susp_greedy_compression.yml,proc_creation_win_rasdial_
execution.yml,proc_creation_win_renamed_ftp.yml,proc_creation_win_ruby_inline_command_execution.yml,proc_creation_win_susp_elevated_system_shell.yml,proc_creation_win_susp_hiding_malware_in_fonts_folder.yml,proc_creation_win_susp_lolbin_non_c_drive.yml,proc_creation_win_susp_network_scan_loop.yml,proc_creation_win_susp_script_exec_from_env_folder.yml,proc_creation_win_susp_script_exec_from_temp.yml,proc_creation_win_sysprep_appdata.yml,proc_creation_win_vmware_toolbox_cmd_persistence.yml,proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml,proc_creation_win_vmware_vmtoolsd_susp_child_process.yml,proc_creation_win_winget_add_custom_source.yml,proc_creation_win_winget_add_insecure_custom_source.yml,proc_creation_win_winget_add_susp_custom_source.yml,proc_creation_win_winget_local_install_via_manifest.yml,proc_creation_win_apt_turla_commands_critical.yml,proc_creation_win_apt_lazarus_group_activity.yml,proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml,proc_creation_win_exploit_cve_2021_40444.yml,proc_creation_win_apt_revil_kaseya.yml
 execution;T1204;av_hacktool.yml,proc_creation_macos_payload_decoded_and_decrypted.yml,proc_creation_macos_susp_execution_macos_script_editor.yml,proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml,registry_event_mimikatz_printernightmare.yml,proc_creation_win_malware_snatch_ransomware.yml,proc_creation_win_malware_darkside_ransomware.yml
 execution;T1203;av_exploiting.yml,lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml,proc_creation_lnx_omigod_scx_runasprovider_executescript.yml,proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml,proc_creation_macos_susp_browser_child_process.yml,zeek_http_omigod_no_auth_rce.yml,proxy_download_susp_tlds_blacklist.yml,proxy_download_susp_tlds_whitelist.yml,proxy_ios_implant.yml,win_audit_cve.yml,file_event_win_cve_2021_26858_msexchange.yml,file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml,net_connection_win_dfsvc_uncommon_ports.yml,net_connection_win_eqnedt.yml,net_connection_win_excel_outbound_network_connection.yml,proc_creation_win_hwp_exploits.yml,proc_creation_win_java_remote_debugging.yml,proc_creation_win_spoolsv_susp_child_processes.yml,proc_creation_win_exploit_cve_2017_0261.yml,proc_creation_win_exploit_cve_2017_11882.yml,proc_creation_win_exploit_cve_2017_8759.yml,registry_set_cve_2021_31979_cve_2021_33771_exploits.yml,proc_creation_win_exploit_cve_2021_26857_msexchange.yml,net_connection_win_dfsvc_suspicious_ip.yml
 execution;T1569;proc_creation_win_sysinternals_psexec_execution.yml,win_exploit_cve_2021_1675_printspooler.yml,win_exploit_cve_2021_1675_printspooler_operational.yml,win_security_exploit_cve_2021_1675_printspooler_security.yml
@@ -50,7 +51,6 @@ persistence;T1574.007;proc_creation_win_secedit_execution.yml
 persistence;T1543;win_codeintegrity_enforced_policy_block.yml,win_codeintegrity_revoked_driver_blocked.yml,win_security_service_installation_by_unusal_client.yml,win_system_krbrelayup_service_installation.yml,win_system_system_service_installation_by_unusal_client.yml,driver_load_win_mal_poortry_driver.yml,driver_load_win_pua_process_hacker.yml,driver_load_win_pua_system_informer.yml,driver_load_win_vuln_dell_driver.yml,driver_load_win_vuln_lenovo_driver.yml
 persistence;T1542.001;file_event_win_wpbbin_persistence.yml,proc_creation_win_wpbbin_potential_persistence.yml
 persistence;T1542.003;proc_creation_win_bcdedit_susp_execution.yml
-persistence;T1098.003;azure_ad_user_added_to_admin_role.yml,azure_app_privileged_permissions.yml,azure_app_role_added.yml,azure_granting_permission_detection.yml,github_outside_collaborator_detected.yml,okta_admin_role_assigned_to_user_or_group.yml
 persistence;T1053;rpc_firewall_atsvc_lateral_movement.yml,rpc_firewall_itaskschedulerservice_lateral_movement.yml,rpc_firewall_sasec_lateral_movement.yml,cisco_cli_modify_config.yml,file_event_win_susp_task_write.yml,proc_creation_win_hktl_crackmapexec_execution_patterns.yml,proc_creation_win_hktl_sharpersist.yml,registry_set_taskcache_entry.yml,win_security_apt_slingshot.yml,proc_creation_win_apt_hafnium.yml,proc_creation_win_apt_actinium_persistence.yml
 persistence;T1525;aws_ecs_task_definition_cred_endpoint_query.yml
 persistence;T1574.005;proc_creation_win_hktl_sharpup.yml
diff --git a/sigma_rule.csv b/sigma_rule.csv
index 2b2be68b..1fb2e418 100644
--- a/sigma_rule.csv
+++ b/sigma_rule.csv
@@ -375,6 +375,7 @@ proc_creation_lnx_security_software_discovery.yml;False
 proc_creation_lnx_security_tools_disabling.yml;False
 proc_creation_lnx_services_stop_and_disable.yml;False
 proc_creation_lnx_setgid_setuid.yml;False
+proc_creation_lnx_ssm_agent_abuse.yml;False
 proc_creation_lnx_sudo_cve_2019_14287.yml;False
 proc_creation_lnx_susp_chmod_directories.yml;False
 proc_creation_lnx_susp_curl_fileupload.yml;False
@@ -677,7 +678,7 @@ win_security_invoke_obfuscation_via_use_clip_services_security.yml;False
 win_security_invoke_obfuscation_via_use_mshta_services_security.yml;False
 win_security_invoke_obfuscation_via_use_rundll32_services_security.yml;False
 win_security_invoke_obfuscation_via_var_services_security.yml;False
-win_security_iso_mount.yml;False
+win_security_iso_mount.yml;True
 win_security_lm_namedpipe.yml;False
 win_security_lsass_access_non_system_account.yml;False
 win_security_mal_creddumper.yml;False
@@ -858,6 +859,7 @@ create_remote_thread_win_hktl_cactustorch.yml;False
 create_remote_thread_win_hktl_cobaltstrike.yml;False
 create_remote_thread_win_keepass.yml;False
 create_remote_thread_win_loadlibrary.yml;False
+create_remote_thread_win_mstsc_susp_location.yml;False
 create_remote_thread_win_password_dumper_lsass.yml;False
 create_remote_thread_win_powershell_generic.yml;True
 create_remote_thread_win_powershell_lsass.yml;False
@@ -993,7 +995,7 @@ file_event_win_office_susp_file_extension.yml;True
 file_event_win_office_uncommon_file_startup.yml;False
 file_event_win_pcre_net_temp_file.yml;False
 file_event_win_perflogs_susp_files.yml;False
-file_event_win_powershell_drop_binary_or_script.yml;False
+file_event_win_powershell_drop_binary_or_script.yml;True
 file_event_win_powershell_drop_powershell.yml;False
 file_event_win_powershell_exploit_scripts.yml;True
 file_event_win_powershell_module_creation.yml;False
@@ -1031,12 +1033,14 @@ file_event_win_susp_lnk_double_extension.yml;False
 file_event_win_susp_pfx_file_creation.yml;True
 file_event_win_susp_powershell_profile.yml;False
 file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml;False
+file_event_win_susp_recycle_bin_fake_exec.yml;False
 file_event_win_susp_spool_drivers_color_drop.yml;False
 file_event_win_susp_startup_folder_persistence.yml;False
 file_event_win_susp_system_interactive_powershell.yml;False
 file_event_win_susp_task_write.yml;False
 file_event_win_susp_teamviewer_remote_session.yml;False
 file_event_win_susp_vscode_powershell_profile.yml;False
+file_event_win_susp_windows_terminal_profile.yml;False
 file_event_win_susp_winsxs_binary_creation.yml;False
 file_event_win_sysinternals_livekd_default_dump_name.yml;False
 file_event_win_sysinternals_livekd_driver.yml;False
@@ -1070,6 +1074,7 @@ file_rename_win_ransomware.yml;False
 image_load_azure_microsoft_account_token_provider_dll_load.yml;False
 image_load_clickonce_unsigned_module_loaded.yml;False
 image_load_cmstp_load_dll_from_susp_location.yml;False
+image_load_credui_uncommon_process_load.yml;True
 image_load_dll_amsi_suspicious_process.yml;False
 image_load_dll_amsi_uncommon_process.yml;False
 image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml;False
@@ -1096,15 +1101,20 @@ image_load_office_powershell_dll_load.yml;False
 image_load_office_vbadll_load.yml;True
 image_load_scrcons_wmi_scripteventconsumer.yml;False
 image_load_side_load_7za.yml;False
+image_load_side_load_abused_dlls_susp_paths.yml;False
 image_load_side_load_antivirus.yml;False
 image_load_side_load_appverifui.yml;False
 image_load_side_load_aruba_networks_virtual_intranet_access.yml;False
+image_load_side_load_avkkid.yml;False
+image_load_side_load_ccleaner_du.yml;False
+image_load_side_load_ccleaner_reactivator.yml;False
 image_load_side_load_chrome_frame_helper.yml;False
 image_load_side_load_classicexplorer32.yml;False
 image_load_side_load_comctl32.yml;False
 image_load_side_load_coregen.yml;False
 image_load_side_load_dbgcore_dll.yml;False
 image_load_side_load_dbghelp_dll.yml;False
+image_load_side_load_eacore.yml;False
 image_load_side_load_edputil.yml;False
 image_load_side_load_from_non_system_location.yml;False
 image_load_side_load_goopdate.yml;False
@@ -1112,6 +1122,7 @@ image_load_side_load_gup_libcurl.yml;False
 image_load_side_load_iviewers.yml;False
 image_load_side_load_jsschhlp.yml;False
 image_load_side_load_libvlc.yml;False
+image_load_side_load_mfdetours.yml;False
 image_load_side_load_non_existent_dlls.yml;False
 image_load_side_load_office_dlls.yml;False
 image_load_side_load_rcdll.yml;False
@@ -1125,7 +1136,9 @@ image_load_side_load_solidpdfcreator.yml;False
 image_load_side_load_svchost_dlls.yml;False
 image_load_side_load_third_party.yml;False
 image_load_side_load_ualapi.yml;False
+image_load_side_load_vivaldi_elf.yml;False
 image_load_side_load_vmguestlib.yml;False
+image_load_side_load_vmmap_dbghelp.yml;False
 image_load_side_load_vmware_xfer.yml;False
 image_load_side_load_waveedit.yml;False
 image_load_side_load_wazuh.yml;False
@@ -1139,7 +1152,6 @@ image_load_susp_uncommon_image_load.yml;False
 image_load_tttracer_mod_load.yml;False
 image_load_uac_bypass_iscsicpl.yml;False
 image_load_uac_bypass_via_dism.yml;False
-image_load_uipromptforcreds_dlls.yml;True
 image_load_unsigned_image_loaded_into_lsass.yml;False
 image_load_wmic_remote_xsl_scripting_dlls.yml;True
 image_load_wmiprvse_wbemcomn_dll_hijack.yml;False
@@ -1254,7 +1266,6 @@ posh_pm_susp_smb_share_reco.yml;True
 posh_pm_susp_zip_compress.yml;True
 posh_pm_syncappvpublishingserver_exe.yml;False
 posh_ps_aadinternals_cmdlets_execution.yml;False
-posh_ps_accessing_win_api.yml;True
 posh_ps_access_to_browser_login_data.yml;True
 posh_ps_active_directory_module_dll_import.yml;False
 posh_ps_add_dnsclient_rule.yml;False
@@ -1345,6 +1356,8 @@ posh_ps_script_with_upload_capabilities.yml;True
 posh_ps_security_software_discovery.yml;True
 posh_ps_send_mailmessage.yml;True
 posh_ps_sensitive_file_discovery.yml;False
+posh_ps_set_acl.yml;False
+posh_ps_set_acl_susp_location.yml;False
 posh_ps_set_policies_to_unsecure_level.yml;True
 posh_ps_shellcode_b64.yml;False
 posh_ps_shellintel_malicious_commandlets.yml;True
@@ -1406,9 +1419,11 @@ posh_ps_user_profile_tampering.yml;True
 posh_ps_using_set_service_to_hide_services.yml;False
 posh_ps_veeam_credential_dumping_script.yml;False
 posh_ps_web_request_cmd_and_cmdlets.yml;True
+posh_ps_win32_nteventlogfile_usage.yml;False
 posh_ps_win32_product_install_msi.yml;True
 posh_ps_windows_firewall_profile_disabled.yml;False
 posh_ps_winlogon_helper_dll.yml;True
+posh_ps_win_api_susp_access.yml;True
 posh_ps_win_defender_exclusions_added.yml;False
 posh_ps_wmimplant.yml;False
 posh_ps_wmi_persistence.yml;True
@@ -1463,7 +1478,7 @@ proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml;False
 proc_creation_win_bitsadmin_potential_persistence.yml;True
 proc_creation_win_browsers_chromium_headless_debugging.yml;False
 proc_creation_win_browsers_chromium_headless_file_download.yml;False
-proc_creation_win_browsers_chromium_susp_load_extension.yml;False
+proc_creation_win_browsers_chromium_susp_load_extension.yml;True
 proc_creation_win_browsers_msedge_arbitrary_download.yml;False
 proc_creation_win_browsers_remote_debugging.yml;False
 proc_creation_win_browsers_tor_execution.yml;True
@@ -1504,6 +1519,7 @@ proc_creation_win_cmd_net_use_and_exec_combo.yml;False
 proc_creation_win_cmd_no_space_execution.yml;False
 proc_creation_win_cmd_ntdllpipe_redirect.yml;False
 proc_creation_win_cmd_path_traversal.yml;False
+proc_creation_win_cmd_ping_copy_combined_execution.yml;False
 proc_creation_win_cmd_ping_del_combined_execution.yml;False
 proc_creation_win_cmd_redirect.yml;True
 proc_creation_win_cmd_redirection_susp_folder.yml;False
@@ -1520,12 +1536,18 @@ proc_creation_win_conhost_susp_child_process.yml;True
 proc_creation_win_conhost_uncommon_parent.yml;False
 proc_creation_win_control_panel_item.yml;True
 proc_creation_win_createdump_lolbin_execution.yml;True
-proc_creation_win_csc_susp_folder.yml;True
+proc_creation_win_csc_susp_dynamic_compilation.yml;True
 proc_creation_win_csc_susp_parent.yml;False
 proc_creation_win_csi_execution.yml;False
 proc_creation_win_csi_use_of_csharp_console.yml;False
 proc_creation_win_csvde_export.yml;False
+proc_creation_win_curl_cookie_hijacking.yml;False
+proc_creation_win_curl_custom_user_agent.yml;False
+proc_creation_win_curl_download_direct_ip.yml;False
 proc_creation_win_curl_download_susp_file_sharing_domains.yml;False
+proc_creation_win_curl_insecure_connection.yml;False
+proc_creation_win_curl_insecure_porxy_or_doh.yml;False
+proc_creation_win_curl_local_file_read.yml;False
 proc_creation_win_curl_susp_download.yml;True
 proc_creation_win_desktopimgdownldr_remote_file_download.yml;False
 proc_creation_win_desktopimgdownldr_susp_execution.yml;True
@@ -1731,14 +1753,11 @@ proc_creation_win_lolbin_kavremover.yml;False
 proc_creation_win_lolbin_launch_vsdevshell.yml;False
 proc_creation_win_lolbin_manage_bde.yml;True
 proc_creation_win_lolbin_mavinject_process_injection.yml;True
-proc_creation_win_lolbin_mftrace.yml;False
 proc_creation_win_lolbin_mpiexec.yml;False
 proc_creation_win_lolbin_msdeploy.yml;False
 proc_creation_win_lolbin_msdt_answer_file.yml;False
 proc_creation_win_lolbin_msohtmed_download.yml;False
 proc_creation_win_lolbin_mspub_download.yml;False
-proc_creation_win_lolbin_not_from_c_drive.yml;True
-proc_creation_win_lolbin_offlinescannershell.yml;False
 proc_creation_win_lolbin_openconsole.yml;False
 proc_creation_win_lolbin_openwith.yml;False
 proc_creation_win_lolbin_pcalua.yml;False
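Review bot: The added entry `proc_creation_win_curl_insecure_porxy_or_doh.yml;False` in the first hunk carries what reads like a transposed "porxy"; if this list is generated from the upstream rule filenames it is faithful to its source, but if it was typed by hand the entry will never match a rule file and its coverage flag is silently meaningless. Worth confirming against the rule set, since the same name is what gets copied into each atomic's sigma_rule list. In the second hunk `proc_creation_win_lolbin_not_from_c_drive.yml;True` is dropped without a successor in this hunk; a near-identical name is added further down this diff, so any atomic yml that still references the old file by id needs the rename applied in the same commit.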
@@ -1792,6 +1811,7 @@ proc_creation_win_lolbin_wuauclt.yml;True
 proc_creation_win_lolscript_register_app.yml;False
 proc_creation_win_malware_conti_shadowcopy.yml;True
 proc_creation_win_malware_script_dropper.yml;True
+proc_creation_win_mftrace_child_process.yml;False
 proc_creation_win_mmc_mmc20_lateral_movement.yml;True
 proc_creation_win_mmc_susp_child_process.yml;False
 proc_creation_win_mofcomp_execution.yml;True
@@ -1832,6 +1852,7 @@ proc_creation_win_netsh_fw_delete_rule.yml;False
 proc_creation_win_netsh_fw_disable.yml;True
 proc_creation_win_netsh_fw_enable_group_rule.yml;True
 proc_creation_win_netsh_fw_rules_discovery.yml;True
+proc_creation_win_netsh_fw_set_rule.yml;False
 proc_creation_win_netsh_helper_dll_persistence.yml;True
 proc_creation_win_netsh_packet_capture.yml;True
 proc_creation_win_netsh_port_forwarding.yml;True
@@ -1879,6 +1900,7 @@ proc_creation_win_office_spawn_exe_from_users_directory.yml;True
 proc_creation_win_office_susp_child_processes.yml;True
 proc_creation_win_office_svchost_parent.yml;True
 proc_creation_win_office_winword_dll_load.yml;False
+proc_creation_win_offlinescannershell_mpclient_sideloading.yml;False
 proc_creation_win_pdqdeploy_execution.yml;True
 proc_creation_win_pdqdeploy_runner_susp_children.yml;False
 proc_creation_win_perl_inline_command_execution.yml;False
@@ -1887,6 +1909,7 @@ proc_creation_win_ping_hex_ip.yml;False
 proc_creation_win_pktmon_execution.yml;True
 proc_creation_win_plink_port_forwarding.yml;False
 proc_creation_win_plink_susp_tunneling.yml;False
+proc_creation_win_portable_gpg.yml;False
 proc_creation_win_powercfg_execution.yml;False
 proc_creation_win_powershell_aadinternals_cmdlets_execution.yml;False
 proc_creation_win_powershell_active_directory_module_dll_import.yml;False
@@ -1908,6 +1931,7 @@ proc_creation_win_powershell_cmdline_special_characters.yml;True
 proc_creation_win_powershell_computer_discovery_get_adcomputer.yml;False
 proc_creation_win_powershell_create_service.yml;True
 proc_creation_win_powershell_decode_gzip.yml;False
+proc_creation_win_powershell_decrypt_pattern.yml;False
 proc_creation_win_powershell_defender_disable_feature.yml;False
 proc_creation_win_powershell_defender_exclusion.yml;True
 proc_creation_win_powershell_disable_defender_av_security_monitoring.yml;True
@@ -1955,6 +1979,8 @@ proc_creation_win_powershell_run_script_from_input_stream.yml;False
 proc_creation_win_powershell_sam_access.yml;True
 proc_creation_win_powershell_script_engine_parent.yml;True
 proc_creation_win_powershell_service_dacl_modification_set_service.yml;False
+proc_creation_win_powershell_set_acl.yml;False
+proc_creation_win_powershell_set_acl_susp_location.yml;False
 proc_creation_win_powershell_set_policies_to_unsecure_level.yml;True
 proc_creation_win_powershell_set_service_disabled.yml;False
 proc_creation_win_powershell_shadowcopy_deletion.yml;False
@@ -2160,6 +2186,7 @@ proc_creation_win_schtasks_parent.yml;False
 proc_creation_win_schtasks_persistence_windows_telemetry.yml;False
 proc_creation_win_schtasks_powershell_persistence.yml;False
 proc_creation_win_schtasks_reg_loader.yml;False
+proc_creation_win_schtasks_reg_loader_encoded.yml;False
 proc_creation_win_schtasks_schedule_type.yml;False
 proc_creation_win_schtasks_schedule_type_system.yml;False
 proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml;False
@@ -2177,8 +2204,9 @@ proc_creation_win_sc_sdset_hide_sevices.yml;True
 proc_creation_win_sc_sdset_modification.yml;False
 proc_creation_win_sc_service_path_modification.yml;True
 proc_creation_win_sc_service_tamper_for_persistence.yml;True
-proc_creation_win_sc_stop_service.yml;False
+proc_creation_win_sc_stop_service.yml;True
 proc_creation_win_sdbinst_shim_persistence.yml;True
+proc_creation_win_sdbinst_susp_extension.yml;False
 proc_creation_win_sdclt_child_process.yml;True
 proc_creation_win_sdiagnhost_susp_child.yml;False
 proc_creation_win_secedit_execution.yml;True
@@ -2196,6 +2224,7 @@ proc_creation_win_sqlite_chromium_profile_data.yml;False
 proc_creation_win_sqlite_firefox_gecko_profile_data.yml;True
 proc_creation_win_ssh_port_forward.yml;False
 proc_creation_win_ssh_rdp_tunneling.yml;False
+proc_creation_win_ssm_agent_abuse.yml;False
 proc_creation_win_stordiag_susp_child_process.yml;False
 proc_creation_win_susp_16bit_application.yml;False
 proc_creation_win_susp_abusing_debug_privilege.yml;True
@@ -2243,6 +2272,7 @@ proc_creation_win_susp_image_missing.yml;False
 proc_creation_win_susp_inline_base64_mz_header.yml;False
 proc_creation_win_susp_inline_win_api_access.yml;False
 proc_creation_win_susp_local_system_owner_account_discovery.yml;True
+proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml;True
 proc_creation_win_susp_lolbin_non_c_drive.yml;False
 proc_creation_win_susp_lsass_clone.yml;False
 proc_creation_win_susp_lsass_dump.yml;True
@@ -2252,6 +2282,7 @@ proc_creation_win_susp_network_scan_loop.yml;True
 proc_creation_win_susp_non_exe_image.yml;True
 proc_creation_win_susp_non_priv_reg_or_ps.yml;False
 proc_creation_win_susp_ntds.yml;False
+proc_creation_win_susp_nteventlogfile_usage.yml;False
 proc_creation_win_susp_ntfs_short_name_path_use_cli.yml;True
 proc_creation_win_susp_ntfs_short_name_path_use_image.yml;True
 proc_creation_win_susp_ntfs_short_name_use_cli.yml;False
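Review bot: `proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml;True` is added in the third hunk directly above the existing `proc_creation_win_susp_lolbin_non_c_drive.yml;False`, while an earlier hunk in this diff removes `proc_creation_win_lolbin_not_from_c_drive.yml;True`; the two surviving names differ only by `exec_from_`, so the True/False flags are easy to swap whenever this list is regenerated. Because the removed name was flagged True, at least one atomic presumably mapped to it by rule id — confirm that its sigma_rule entry now carries the `exec_from_non_c_drive` name and not the `False` sibling. A short header comment in this file stating how the flag is derived (matched by id, by filename, or by hand) would make such renames reviewable.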
@@ -2266,6 +2297,7 @@ proc_creation_win_susp_priv_escalation_via_named_pipe.yml;False
 proc_creation_win_susp_proc_wrong_parent.yml;False
 proc_creation_win_susp_progname.yml;True
 proc_creation_win_susp_recon.yml;True
+proc_creation_win_susp_recycle_bin_fake_execution.yml;False
 proc_creation_win_susp_redirect_local_admin_share.yml;False
 proc_creation_win_susp_remote_desktop_tunneling.yml;False
 proc_creation_win_susp_right_to_left_override.yml;False
@@ -2361,6 +2393,8 @@ proc_creation_win_vaultcmd_list_creds.yml;True
 proc_creation_win_verclsid_runs_com.yml;False
 proc_creation_win_virtualbox_execution.yml;True
 proc_creation_win_virtualbox_vboxdrvinst_execution.yml;False
+proc_creation_win_vmware_toolbox_cmd_persistence.yml;False
+proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml;False
 proc_creation_win_vmware_vmtoolsd_susp_child_process.yml;False
 proc_creation_win_vscode_child_processes_anomalies.yml;False
 proc_creation_win_vslsagent_agentextensionpath_load.yml;False
@@ -2374,8 +2408,11 @@ proc_creation_win_webshell_hacking.yml;False
 proc_creation_win_webshell_recon_detection.yml;False
 proc_creation_win_webshell_spawn.yml;False
 proc_creation_win_werfault_lsass_shtinkering.yml;False
+proc_creation_win_werfault_reflect_debugger_exec.yml;False
 proc_creation_win_wermgr_susp_child_process.yml;False
 proc_creation_win_wevtutil_recon.yml;False
+proc_creation_win_wget_download_direct_ip.yml;False
+proc_creation_win_wget_download_susp_file_sharing_domains.yml;False
 proc_creation_win_where_browser_data_recon.yml;True
 proc_creation_win_whoami_execution.yml;True
 proc_creation_win_whoami_execution_from_high_priv_process.yml;False
@@ -2598,9 +2635,12 @@ registry_set_persistence_natural_language.yml;False
 registry_set_persistence_office_vsto.yml;True
 registry_set_persistence_outlook_homepage.yml;True
 registry_set_persistence_outlook_todaypage.yml;False
+registry_set_persistence_reflectdebugger.yml;False
 registry_set_persistence_scrobj_dll.yml;True
 registry_set_persistence_search_order.yml;True
-registry_set_persistence_shim_databases.yml;True
+registry_set_persistence_shim_database.yml;True
+registry_set_persistence_shim_database_susp_application.yml;False
+registry_set_persistence_shim_database_uncommon_location.yml;False
 registry_set_persistence_typed_paths.yml;False
 registry_set_persistence_xll.yml;False
 registry_set_policies_associations_tamper.yml;False
@@ -2650,6 +2690,8 @@ sysmon_config_modification.yml;False
 sysmon_config_modification_error.yml;False
 sysmon_config_modification_status.yml;False
 sysmon_file_block_exe.yml;False
+sysmon_file_block_shredding.yml;False
+sysmon_file_executable.yml;False
 sysmon_process_hollowing.yml;False
 sysmon_wmi_event_subscription.yml;True
 sysmon_wmi_susp_encoded_scripts.yml;False
@@ -2828,6 +2870,7 @@ win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml;False
 web_cve_2023_23752_joomla_exploit_attempt.yml;False
 web_cve_2023_25157_geoserver_sql_injection.yml;False
 web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml;False
+web_cve_2023_27997_pre_authentication_rce.yml;False
 file_event_win_exploit_cve_2023_34362_moveit_transfer.yml;False
 web_cve_2023_34362_known_payload_request.yml.yml;False
 file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml;False
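Review bot: The first hunk replaces `registry_set_persistence_shim_databases.yml;True` with the singular `registry_set_persistence_shim_database.yml;True` and two new `False` siblings; any atomic yml that mapped to the old plural name by id must be updated to the singular one in the same commit, otherwise the atomic's sigma_rule entry points at a file that no longer exists in this list. The third hunk also leaves the context entry `web_cve_2023_34362_known_payload_request.yml.yml;False` with a doubled extension — not introduced here, but if the names in this file are meant to match rule filenames, that entry can only match a file that is itself misnamed, which is worth checking while the list is being regenerated.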
@@ -2891,13 +2934,18 @@ image_load_office_excel_xll_load.yml;False
 net_connection_win_dfsvc_suspicious_ip.yml;False
 posh_pm_susp_netfirewallrule_recon.yml;False
 posh_ps_mailbox_access.yml;False
+posh_ps_new_smbmapping_quic.yml;False
 posh_ps_registry_reconnaissance.yml;False
+posh_ps_win_api_functions_access.yml;False
+posh_ps_win_api_library_access.yml;False
+proc_creation_win_csc_compilation.yml;False
 proc_creation_win_curl_download.yml;False
 proc_creation_win_curl_execution.yml;False
 proc_creation_win_curl_fileupload.yml;True
 proc_creation_win_curl_useragent.yml;True
 proc_creation_win_dfsvc_child_processes.yml;False
 proc_creation_win_findstr_password_recon.yml;False
+proc_creation_win_net_quic.yml;False
 proc_creation_win_powershell_abnormal_commandline_size.yml;True
 proc_creation_win_powershell_import_module.yml;False
 registry_set_office_trusted_location.yml;False
diff --git a/yml/007e5672-2088-4853-a562-7490ddc19447.yml b/yml/007e5672-2088-4853-a562-7490ddc19447.yml
index 6cc97ac1..506640c5 100644
--- a/yml/007e5672-2088-4853-a562-7490ddc19447.yml
+++ b/yml/007e5672-2088-4853-a562-7490ddc19447.yml
@@ -19,13 +19,13 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
 name: posh_ps_susp_windowstyle.yml
 - id: 1883444f-084b-419b-ac62-e0d0c5b3693f
diff --git a/yml/00e3e3c7-6c3c-455e-bd4b-461c7f0e7797.yml b/yml/00e3e3c7-6c3c-455e-bd4b-461c7f0e7797.yml
index b258b228..3818fdc6 100644
--- a/yml/00e3e3c7-6c3c-455e-bd4b-461c7f0e7797.yml
+++ b/yml/00e3e3c7-6c3c-455e-bd4b-461c7f0e7797.yml
@@ -40,7 +40,7 @@ sigma_rule:
 - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
 name: posh_ps_file_and_directory_discovery.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
 name: posh_ps_susp_download.yml
 - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
diff --git a/yml/05df2a79-dba6-4088-a804-9ca0802ca8e4.yml b/yml/05df2a79-dba6-4088-a804-9ca0802ca8e4.yml
new file mode 100644
index 00000000..c2b4ceb9
--- /dev/null
+++ b/yml/05df2a79-dba6-4088-a804-9ca0802ca8e4.yml
@@ -0,0 +1,21 @@
+Attack_name: Network Service Discovery
+Attack_description: "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.\
+ \ Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021) \n\nWithin cloud environments,\
+ \ adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services\
+ \ running on non-cloud systems as well.\n\nWithin macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour\
+ \ mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .) to\
+ \ find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)"
+guid: 05df2a79-dba6-4088-a804-9ca0802ca8e4
+name: Port-Scanning /24 Subnet with PowerShell
+tactic:
+ - discovery
+technique:
+ - T1046
+os:
+ - windows
+description: |
+ Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask.
+ The connection attempts to use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed.
+executor: powershell
+sigma: false
+sigma_rule: []
diff --git a/yml/069258f4-2162-46e9-9a25-c9c6c56150d2.yml b/yml/069258f4-2162-46e9-9a25-c9c6c56150d2.yml
index fdae2278..c869628d 100644
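Review bot: `sigma: false` with `sigma_rule: []` records this PowerShell /24 port scan as having no detection mapping, but the rule list earlier in this same diff carries `proc_creation_win_susp_network_scan_loop.yml;True` and a number of `posh_ps_*` and `net_connection_win_*` rules; whether any of them match a PowerShell connect loop is not visible here, so the test should be run against those families before it is recorded as uncovered, because `false` entries are exactly what a coverage report reads as detection gaps. The description also says the test falls back to the runner's "primary" IPv4 address when no target is given — a one-line note such as `# NOTE: without an explicit target the fallback scans the runner's own /24; set the input on shared lab networks` would help operators scope it correctly.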
--- a/yml/069258f4-2162-46e9-9a25-c9c6c56150d2.yml
+++ b/yml/069258f4-2162-46e9-9a25-c9c6c56150d2.yml
@@ -24,11 +24,11 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 66d31e5f-52d6-40a4-9615-002d3789a119
 name: create_remote_thread_win_uncommon_source_image.yml
 - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
diff --git a/yml/06d9deba-f732-48a8-af8e-bdd6e4d98c1d.yml b/yml/06d9deba-f732-48a8-af8e-bdd6e4d98c1d.yml
index 123507f0..ae2af154 100644
--- a/yml/06d9deba-f732-48a8-af8e-bdd6e4d98c1d.yml
+++ b/yml/06d9deba-f732-48a8-af8e-bdd6e4d98c1d.yml
@@ -18,8 +18,8 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
diff --git a/yml/079ee2e9-6f16-47ca-a635-14efcd994118.yml b/yml/079ee2e9-6f16-47ca-a635-14efcd994118.yml
index 9a9ce04b..073fdbf3 100644
--- a/yml/079ee2e9-6f16-47ca-a635-14efcd994118.yml
+++ b/yml/079ee2e9-6f16-47ca-a635-14efcd994118.yml
@@ -40,7 +40,7 @@ sigma_rule:
 - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
 name: posh_ps_file_and_directory_discovery.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
 name: posh_ps_susp_keywords.yml
 - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
diff --git a/yml/0bb64470-582a-4155-bde2-d6003a95ed34.yml b/yml/0bb64470-582a-4155-bde2-d6003a95ed34.yml
index 0fe96cac..da2a78a4 100644
--- a/yml/0bb64470-582a-4155-bde2-d6003a95ed34.yml
+++ b/yml/0bb64470-582a-4155-bde2-d6003a95ed34.yml
@@ -38,7 +38,7 @@ sigma_rule:
 - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
 name: posh_ps_susp_download.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
 name: posh_ps_susp_get_current_user.yml
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
diff --git a/yml/0c0f5f06-166a-4f4d-bb4a-719df9a01dbb.yml b/yml/0c0f5f06-166a-4f4d-bb4a-719df9a01dbb.yml
index 8a109928..85cf4c2e 100644
--- a/yml/0c0f5f06-166a-4f4d-bb4a-719df9a01dbb.yml
+++ b/yml/0c0f5f06-166a-4f4d-bb4a-719df9a01dbb.yml
@@ -34,7 +34,7 @@ sigma_rule:
 - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
 name: posh_pm_susp_invocation_specific.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
 name: posh_ps_susp_get_current_user.yml
 - id: d93129cd-1ee0-479f-bc03-ca6f129882e3
@@ -76,7 +76,7 @@ sigma_rule:
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
 name: proc_access_win_cred_dump_lsass_access.yml
 - id: 250ae82f-736e-4844-a68b-0b5e8cc887da
diff --git a/yml/0d181431-ddf3-4826-8055-2dbf63ae848b.yml b/yml/0d181431-ddf3-4826-8055-2dbf63ae848b.yml
index 2bea7743..4522b0ad 100644
--- a/yml/0d181431-ddf3-4826-8055-2dbf63ae848b.yml
+++ b/yml/0d181431-ddf3-4826-8055-2dbf63ae848b.yml
@@ -22,11 +22,11 @@ sigma_rule:
 - id: 754ed792-634f-40ae-b3bc-e0448d33f695
 name: proc_creation_win_powershell_susp_parent_process.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
 name: posh_ps_susp_windowstyle.yml
 - id: 1883444f-084b-419b-ac62-e0d0c5b3693f
diff --git a/yml/10ba02d0-ab76-4f80-940d-451633f24c5b.yml b/yml/10ba02d0-ab76-4f80-940d-451633f24c5b.yml
index f4c88996..745fc45e 100644
--- a/yml/10ba02d0-ab76-4f80-940d-451633f24c5b.yml
+++ b/yml/10ba02d0-ab76-4f80-940d-451633f24c5b.yml
@@ -42,7 +42,7 @@ sigma_rule:
 - id: 0332a266-b584-47b4-933d-a00b103e1b37
 name: posh_ps_susp_gwmi.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 name: posh_ps_detect_vm_env.yml
 - id: af4c87ce-bdda-4215-b998-15220772e993
diff --git a/yml/114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0.yml b/yml/114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0.yml
index ca80983f..cd8708e2 100644
--- a/yml/114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0.yml
+++ b/yml/114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0.yml
@@ -46,7 +46,7 @@ sigma_rule:
 - id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 name: posh_ps_detect_vm_env.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
 name: posh_ps_susp_download.yml
 - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
diff --git a/yml/11e65d8d-e7e4-470e-a3ff-82bc56ad938e.yml b/yml/11e65d8d-e7e4-470e-a3ff-82bc56ad938e.yml
new file mode 100644
index 00000000..32522948
--- /dev/null
+++ b/yml/11e65d8d-e7e4-470e-a3ff-82bc56ad938e.yml
@@ -0,0 +1,28 @@
+Attack_name: 'Impair Defenses: Disable or Modify Tools'
+Attack_description: "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes\
+ \ or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries\
+ \ may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized\
+ \ by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or\
+ \ modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features\
+ \ added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) \n\n\
+ Adversaries may also focus on specific applications such as Sysmon. 
For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational\
+ \ may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents\
+ \ that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate\
+ \ rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example,\
+ \ adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate\
+ \ drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering\
+ \ features.(Citation: avoslocker_ransomware)"
+guid: 11e65d8d-e7e4-470e-a3ff-82bc56ad938e
+name: AWS - GuardDuty Suspension or Deletion
+tactic:
+ - defense-evasion
+technique:
+ - T1562.001
+os:
+ - iaas:aws
+description: 'Enables GuardDuty in AWS, upon successful creation this test will suspend and then delete the GuardDuty configuration.
+
+ '
+executor: bash
+sigma: false
+sigma_rule: []
diff --git a/yml/1289f78d-22d2-4590-ac76-166737e1811b.yml b/yml/1289f78d-22d2-4590-ac76-166737e1811b.yml
index abf89577..52ec998c 100644
--- a/yml/1289f78d-22d2-4590-ac76-166737e1811b.yml
+++ b/yml/1289f78d-22d2-4590-ac76-166737e1811b.yml
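Review bot: `sigma: false` / `sigma_rule: []` records this GuardDuty suspend-and-delete test as unmapped, but Sigma's CloudTrail rule set does contain GuardDuty-related rules (e.g. `aws_guardduty_disruption.yml`), so the empty mapping is only correct if this repository's rule list deliberately excludes the AWS cloud rules — and whether that rule keys on the detector update/delete events this test emits needs checking either way. If cloud rules are out of scope, a one-line comment in the file saying so (`# sigma mapping limited to endpoint rules; CloudTrail coverage not tracked here`) would stop `false` being read as a coverage gap. Separately, the `description` is a single-quoted scalar ending in an empty line and a bare `'`, unlike the `description: |` block used by the other new files in this diff; switching to the block form would keep the generated files uniform. The hunk spans the previous line as well as this one.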
@@ -30,7 +30,7 @@ sigma_rule:
 - id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
 name: net_connection_win_powershell_network_connection.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
 name: posh_ps_susp_keywords.yml
 - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
diff --git a/yml/14920ebd-1d61-491a-85e0-fe98efe37f25.yml b/yml/14920ebd-1d61-491a-85e0-fe98efe37f25.yml
index a45d1c64..35b07252 100644
--- a/yml/14920ebd-1d61-491a-85e0-fe98efe37f25.yml
+++ b/yml/14920ebd-1d61-491a-85e0-fe98efe37f25.yml
@@ -19,13 +19,13 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
 name: posh_ps_susp_windowstyle.yml
 - id: 1883444f-084b-419b-ac62-e0d0c5b3693f
diff --git a/yml/1561de08-0b4b-498e-8261-e922f3494aae.yml b/yml/1561de08-0b4b-498e-8261-e922f3494aae.yml
index 98d1b13a..b413f9fb 100644
--- a/yml/1561de08-0b4b-498e-8261-e922f3494aae.yml
+++ b/yml/1561de08-0b4b-498e-8261-e922f3494aae.yml
@@ -23,7 +23,7 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
 name: file_event_win_susp_get_variable.yml
diff --git a/yml/17d046be-fdd0-4cbb-b5c7-55c85d9d0714.yml b/yml/17d046be-fdd0-4cbb-b5c7-55c85d9d0714.yml
new file mode 100644
index 00000000..7d874b2c
--- /dev/null
+++ b/yml/17d046be-fdd0-4cbb-b5c7-55c85d9d0714.yml
@@ -0,0 +1,25 @@
+Attack_name: 'Account Manipulation: Additional Email Delegate Permissions'
+Attack_description: "Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. \n\nFor example, the Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001)\
+ \ cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation:\
+ \ Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation:\
+ \ Google Ensuring Your Information is Safe) \n\nAdversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign\
+ \ the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize\
+ \ any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)\n\nThis may be\
+ \ used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts\
+ \ they wish to compromise. This may further enable use of additional techniques for gaining access to systems. 
For example, compromised business accounts are often used to send messages to other accounts\
+ \ in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation:\
+ \ Bienstock, D. - Defending O365 - 2019)"
+guid: 17d046be-fdd0-4cbb-b5c7-55c85d9d0714
+name: EXO - Full access mailbox permission granted to a user
+tactic:
+ - persistence
+technique:
+ - T1098.002
+os:
+ - office-365
+description: |
+ Give a nominated user, full mailbox delegation access of another user.
+ This can be used by an adversary to maintain persistent access to a target's mailbox in M365.
+executor: powershell
+sigma: false
+sigma_rule: []
diff --git a/yml/1c0a870f-dc74-49cf-9afc-eccc45e58790.yml b/yml/1c0a870f-dc74-49cf-9afc-eccc45e58790.yml
index d5050452..c50f4a63 100644
--- a/yml/1c0a870f-dc74-49cf-9afc-eccc45e58790.yml
+++ b/yml/1c0a870f-dc74-49cf-9afc-eccc45e58790.yml
@@ -22,11 +22,11 @@ sigma_rule:
 - id: 754ed792-634f-40ae-b3bc-e0448d33f695
 name: proc_creation_win_powershell_susp_parent_process.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
 name: posh_ps_susp_windowstyle.yml
 - id: 1883444f-084b-419b-ac62-e0d0c5b3693f
diff --git a/yml/1cca5640-32a9-46e6-b8e0-fabbe2384a73.yml b/yml/1cca5640-32a9-46e6-b8e0-fabbe2384a73.yml
index ba3af5f9..49d2c843 100644
--- a/yml/1cca5640-32a9-46e6-b8e0-fabbe2384a73.yml
+++ b/yml/1cca5640-32a9-46e6-b8e0-fabbe2384a73.yml
@@ -42,7 +42,7 @@ sigma_rule:
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 name: posh_ps_malicious_commandlets.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
 name: posh_ps_susp_download.yml
 - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
@@ -86,7 +86,7 @@ sigma_rule:
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
 name: posh_pm_bad_opsec_artifacts.yml
 - id: cef24b90-dddc-4ae1-a09a-8764872f69fc
diff --git a/yml/1ed67900-66cd-4b09-b546-2a0ef4431a0c.yml b/yml/1ed67900-66cd-4b09-b546-2a0ef4431a0c.yml
index 530b7936..1842b81d 100644
--- a/yml/1ed67900-66cd-4b09-b546-2a0ef4431a0c.yml
+++ b/yml/1ed67900-66cd-4b09-b546-2a0ef4431a0c.yml
@@ -47,7 +47,7 @@ sigma_rule:
 - id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 name: posh_ps_detect_vm_env.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 0332a266-b584-47b4-933d-a00b103e1b37
 name: posh_ps_susp_gwmi.yml
 - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
diff --git a/yml/21dfb440-830d-4c86-a3e5-2a491d5a8d04.yml b/yml/21dfb440-830d-4c86-a3e5-2a491d5a8d04.yml
index efe3a966..dd8d1717 100644
--- a/yml/21dfb440-830d-4c86-a3e5-2a491d5a8d04.yml
+++ b/yml/21dfb440-830d-4c86-a3e5-2a491d5a8d04.yml
@@ -18,5 +18,7 @@ description: |
 it has changed to a state of STOP_PENDING. If the spooler service was not running "The service has not been started." will be displayed and it can be started by running the cleanup command.
 executor: command_prompt
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+ - id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1
+ name: proc_creation_win_sc_stop_service.yml
diff --git a/yml/29857f27-a36f-4f7e-8084-4557cd6207ca.yml b/yml/29857f27-a36f-4f7e-8084-4557cd6207ca.yml
index 29793bf4..86640281 100644
--- a/yml/29857f27-a36f-4f7e-8084-4557cd6207ca.yml
+++ b/yml/29857f27-a36f-4f7e-8084-4557cd6207ca.yml
@@ -24,7 +24,7 @@ sigma_rule:
 - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
 name: posh_ps_susp_keywords.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: dcd74b95-3f36-4ed9-9598-0490951643aa
 name: posh_ps_powerview_malicious_commandlets.yml
 - id: b29a93fb-087c-4b5b-a84d-ee3309e69d08
diff --git a/yml/2988133e-561c-4e42-a15f-6281e6a9b2db.yml b/yml/2988133e-561c-4e42-a15f-6281e6a9b2db.yml
index a43b5fcf..00588f1f 100644
--- a/yml/2988133e-561c-4e42-a15f-6281e6a9b2db.yml
+++ b/yml/2988133e-561c-4e42-a15f-6281e6a9b2db.yml
@@ -19,13 +19,13 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
 name: posh_ps_susp_windowstyle.yml
 - id: 1883444f-084b-419b-ac62-e0d0c5b3693f
diff --git a/yml/2b61977b-ae2d-4ae4-89cb-5c36c89586be.yml b/yml/2b61977b-ae2d-4ae4-89cb-5c36c89586be.yml
index 677f67f5..354e0999 100644
--- a/yml/2b61977b-ae2d-4ae4-89cb-5c36c89586be.yml
+++ b/yml/2b61977b-ae2d-4ae4-89cb-5c36c89586be.yml
@@ -41,7 +41,7 @@ sigma_rule:
 - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
 name: posh_ps_susp_keywords.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
diff --git a/yml/30558d53-9d76-41c4-9267-a7bd5184bed3.yml b/yml/30558d53-9d76-41c4-9267-a7bd5184bed3.yml
index a52be050..e5562a3b 100644
--- a/yml/30558d53-9d76-41c4-9267-a7bd5184bed3.yml
+++ b/yml/30558d53-9d76-41c4-9267-a7bd5184bed3.yml
@@ -20,7 +20,7 @@ sigma_rule:
 - id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287
 name: posh_ps_susp_wallpaper.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 1139d2e2-84b1-4226-b445-354492eba8ba
 name: posh_ps_web_request_cmd_and_cmdlets.yml
diff --git a/yml/3177f4da-3d4b-4592-8bdc-aa23d0b2e843.yml b/yml/3177f4da-3d4b-4592-8bdc-aa23d0b2e843.yml
index 597e9008..e5b5e18b 100644
--- a/yml/3177f4da-3d4b-4592-8bdc-aa23d0b2e843.yml
+++ b/yml/3177f4da-3d4b-4592-8bdc-aa23d0b2e843.yml
@@ -30,7 +30,7 @@ sigma_rule:
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 name: posh_ps_malicious_commandlets.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
 name: posh_ps_susp_keywords.yml
 - id: b29a93fb-087c-4b5b-a84d-ee3309e69d08
diff --git a/yml/3278b2f6-f733-4875-9ef4-bfed34244f0a.yml b/yml/3278b2f6-f733-4875-9ef4-bfed34244f0a.yml
index 1f3e6364..2032c984 100644
--- a/yml/3278b2f6-f733-4875-9ef4-bfed34244f0a.yml
+++ b/yml/3278b2f6-f733-4875-9ef4-bfed34244f0a.yml
@@ -40,7 +40,7 @@ sigma_rule:
 - id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 name: posh_ps_detect_vm_env.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
 name: posh_ps_susp_download.yml
 - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
diff --git a/yml/34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b.yml b/yml/34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b.yml
index f41efc79..0a367988 100644
--- a/yml/34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b.yml
+++ b/yml/34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b.yml
@@ -18,8 +18,8 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
diff --git a/yml/345cb8e4-d2de-4011-a580-619cf5a9e2d7.yml b/yml/345cb8e4-d2de-4011-a580-619cf5a9e2d7.yml
index 2f123ac1..773be19e 100644
--- a/yml/345cb8e4-d2de-4011-a580-619cf5a9e2d7.yml
+++ b/yml/345cb8e4-d2de-4011-a580-619cf5a9e2d7.yml
@@ -40,7 +40,7 @@ sigma_rule:
 - id: 0332a266-b584-47b4-933d-a00b103e1b37
 name: posh_ps_susp_gwmi.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 name: posh_ps_malicious_commandlets.yml
 - id: d93129cd-1ee0-479f-bc03-ca6f129882e3
@@ -86,7 +86,7 @@ sigma_rule:
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
 name: posh_pm_bad_opsec_artifacts.yml
 - id: cef24b90-dddc-4ae1-a09a-8764872f69fc
diff --git a/yml/34f0a430-9d04-4d98-bcb5-1989f14719f0.yml b/yml/34f0a430-9d04-4d98-bcb5-1989f14719f0.yml
index 60972094..746e39f2 100644
--- a/yml/34f0a430-9d04-4d98-bcb5-1989f14719f0.yml
+++ b/yml/34f0a430-9d04-4d98-bcb5-1989f14719f0.yml
@@ -23,7 +23,7 @@ sigma_rule:
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 name: posh_ps_malicious_commandlets.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
diff --git a/yml/35eb8d16-9820-4423-a2a1-90c4f5edd9ca.yml b/yml/35eb8d16-9820-4423-a2a1-90c4f5edd9ca.yml
index 7745d399..d4f2ae5e 100644
--- a/yml/35eb8d16-9820-4423-a2a1-90c4f5edd9ca.yml
+++ b/yml/35eb8d16-9820-4423-a2a1-90c4f5edd9ca.yml
@@ -20,7 +20,7 @@ sigma_rule:
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
 name: file_event_win_creation_system_file.yml
 - id: e4a6b256-3e47-40fc-89d2-7a477edd6915
diff --git a/yml/37950714-e923-4f92-8c7c-51e4b6fffbf6.yml b/yml/37950714-e923-4f92-8c7c-51e4b6fffbf6.yml
new file mode 100644
index 00000000..6526bc24
--- /dev/null
+++ b/yml/37950714-e923-4f92-8c7c-51e4b6fffbf6.yml
@@ -0,0 +1,23 @@
+Attack_name: Modify Registry
+Attack_description: |-
+ Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
+
+ Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.
+
+ Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)
+
+ The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
+guid: 37950714-e923-4f92-8c7c-51e4b6fffbf6
+name: Allow Simultaneous Download Registry
+tactic:
+ - defense-evasion
+technique:
+ - T1112
+os:
+ - windows
+description: 'A registry modification to allow Simultaneous download in the system.
+
+ '
+executor: command_prompt
+sigma: false
+sigma_rule: []
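Review bot: The `description` of the new test, 'A registry modification to allow Simultaneous download in the system.', does not name the registry key or value the test changes, and the file closes with `sigma: false` / `sigma_rule: []`, so a reader cannot tell whether the registry-event rules referenced elsewhere in this commit (for example `registry_add_pua_sysinternals_execution_via_eula.yml`) would already cover it or whether the detection gap is real. The `name` line is the only hint and is not enough to map the test to telemetry. Consider `description: 'Sets <REGISTRY_KEY_PLACEHOLDER>\<VALUE_NAME_PLACEHOLDER> to allow simultaneous downloads (T1112); no Sigma rule mapped yet.'` with the placeholders filled in from the test definition, which also fixes the mid-sentence capital in "Simultaneous".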
diff --git a/yml/39ceed55-f653-48ac-bd19-aceceaf525db.yml b/yml/39ceed55-f653-48ac-bd19-aceceaf525db.yml
index 00fd7399..d44d1e30 100644
--- a/yml/39ceed55-f653-48ac-bd19-aceceaf525db.yml
+++ b/yml/39ceed55-f653-48ac-bd19-aceceaf525db.yml
@@ -19,13 +19,13 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
 name: posh_ps_susp_windowstyle.yml
 - id: 1883444f-084b-419b-ac62-e0d0c5b3693f
diff --git a/yml/3c898f62-626c-47d5-aad2-6de873d69153.yml b/yml/3c898f62-626c-47d5-aad2-6de873d69153.yml
index e02a11bb..977c78a2 100644
--- a/yml/3c898f62-626c-47d5-aad2-6de873d69153.yml
+++ b/yml/3c898f62-626c-47d5-aad2-6de873d69153.yml
@@ -19,6 +19,6 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 2158f96f-43c2-43cb-952a-ab4580f32382
 name: proc_creation_win_psr_capture_screenshots.yml
diff --git a/yml/3d256a2f-5e57-4003-8eb6-64d91b1da7ce.yml b/yml/3d256a2f-5e57-4003-8eb6-64d91b1da7ce.yml
index 4f9a3fb2..4751c277 100644
--- a/yml/3d256a2f-5e57-4003-8eb6-64d91b1da7ce.yml
+++ b/yml/3d256a2f-5e57-4003-8eb6-64d91b1da7ce.yml
@@ -40,7 +40,7 @@ sigma_rule:
 - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
 name: posh_ps_file_and_directory_discovery.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 name: posh_ps_malicious_commandlets.yml
 - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
diff --git a/yml/3f987809-3681-43c8-bcd8-b3ff3a28533a.yml b/yml/3f987809-3681-43c8-bcd8-b3ff3a28533a.yml
index d4d491d8..3228e550 100644
--- a/yml/3f987809-3681-43c8-bcd8-b3ff3a28533a.yml
+++ b/yml/3f987809-3681-43c8-bcd8-b3ff3a28533a.yml
@@ -30,6 +30,6 @@ sigma_rule:
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 name: posh_ps_malicious_commandlets.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
 name: net_connection_win_powershell_network_connection.yml
diff --git a/yml/41ac52ba-5d5e-40c0-b267-573ed90489bd.yml b/yml/41ac52ba-5d5e-40c0-b267-573ed90489bd.yml
index 7594895a..872cd972 100644
--- a/yml/41ac52ba-5d5e-40c0-b267-573ed90489bd.yml
+++ b/yml/41ac52ba-5d5e-40c0-b267-573ed90489bd.yml
@@ -26,7 +26,7 @@ sigma_rule:
 - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
 name: posh_ps_susp_keywords.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6
 name: posh_ps_invoke_command_remote.yml
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
diff --git a/yml/453614d8-3ba6-4147-acc0-7ec4b3e1faef.yml b/yml/453614d8-3ba6-4147-acc0-7ec4b3e1faef.yml
index c44efea2..cc15603c 100644
--- a/yml/453614d8-3ba6-4147-acc0-7ec4b3e1faef.yml
+++ b/yml/453614d8-3ba6-4147-acc0-7ec4b3e1faef.yml
@@ -20,4 +20,4 @@ sigma_rule:
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
diff --git a/yml/46352f40-f283-4fe5-b56d-d9a71750e145.yml b/yml/46352f40-f283-4fe5-b56d-d9a71750e145.yml
index 2c5cab6e..b8dd60ff 100644
--- a/yml/46352f40-f283-4fe5-b56d-d9a71750e145.yml
+++ b/yml/46352f40-f283-4fe5-b56d-d9a71750e145.yml
@@ -30,7 +30,7 @@ sigma_rule:
 - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
 name: posh_ps_susp_keywords.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: b29a93fb-087c-4b5b-a84d-ee3309e69d08
 name: posh_ps_directoryservices_accountmanagement.yml
 - id: a861d835-af37-4930-bcd6-5b178bfb54df
diff --git a/yml/4a18cc4e-416f-4966-9a9d-75731c4684c0.yml b/yml/4a18cc4e-416f-4966-9a9d-75731c4684c0.yml
index e4680ba2..dd1b8460 100644
--- a/yml/4a18cc4e-416f-4966-9a9d-75731c4684c0.yml
+++ b/yml/4a18cc4e-416f-4966-9a9d-75731c4684c0.yml
@@ -38,4 +38,4 @@ sigma_rule:
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
diff --git a/yml/4d77f913-56f5-4a14-b4b1-bf7bb24298ad.yml b/yml/4d77f913-56f5-4a14-b4b1-bf7bb24298ad.yml
new file mode 100644
index 00000000..34f27064
--- /dev/null
+++ b/yml/4d77f913-56f5-4a14-b4b1-bf7bb24298ad.yml
@@ -0,0 +1,26 @@
+Attack_name: 'Account Manipulation: Additional Cloud Roles'
+Attack_description: "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies\
+ \ in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support\
+ \ O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability\
+ \ to reset the passwords of other admins).(Citation: Expel AWS Attacker)\n(Citation: Microsoft O365 Admin Roles) \n\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136)\
+ \ or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation,\
+ \ particularly if the roles added allow for lateral movement to additional accounts.\n\nFor example, in Azure AD environments, an adversary with the Application Administrator role can add [Additional\
+ \ Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to their application's service principal. In doing so the adversary would be able to gain the service principal’s roles and permissions,\
+ \ which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) Similarly, in AWS environments, an adversary with appropriate permissions may be\
+ \ able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions\
+ \ to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)\n\nSimilarly, an adversary with the Azure AD Global Administrator role can toggle the “Access management for Azure\
+ \ resources” option to gain the ability to assign privileged access to Azure subscriptions and virtual machines to Azure AD users, including themselves.(Citation: Azure AD to AD) "
+guid: 4d77f913-56f5-4a14-b4b1-bf7bb24298ad
+name: Azure AD - Add Company Administrator Role to a user
+tactic:
+ - persistence
+technique:
+ - T1098.003
+os:
+ - azure-ad
+description: 'Add an existing Azure user account the Company Administrator Role.
+
+ '
+executor: powershell
+sigma: false
+sigma_rule: []
diff --git a/yml/4ea1fc97-8a46-4b4e-ba48-af43d2a98052.yml b/yml/4ea1fc97-8a46-4b4e-ba48-af43d2a98052.yml
index 286c9b07..501a63c8 100644
--- a/yml/4ea1fc97-8a46-4b4e-ba48-af43d2a98052.yml
+++ b/yml/4ea1fc97-8a46-4b4e-ba48-af43d2a98052.yml
@@ -37,7 +37,7 @@ sigma_rule:
 - id: cea72823-df4d-4567-950c-0b579eaf0846
 name: proc_creation_win_malware_script_dropper.yml
 - id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
- name: image_load_uipromptforcreds_dlls.yml
+ name: image_load_credui_uncommon_process_load.yml
 - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
 name: registry_add_pua_sysinternals_execution_via_eula.yml
 - id: fa34b441-961a-42fa-a100-ecc28c886725
diff --git a/yml/54574908-f1de-4356-9021-8053dd57439a.yml b/yml/54574908-f1de-4356-9021-8053dd57439a.yml
index e8edccb6..ac388659 100644
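Review bot: The new `description` in this file, 'Add an existing Azure user account the Company Administrator Role.', is missing a preposition; `description: 'Add an existing Azure user account to the Company Administrator Role.'` reads correctly. The `name` line says "Company Administrator" while the Attack_description above speaks of the Global Administrator role; since Company Administrator is the older directory-role name for the same role, a short parenthetical such as `(Company Administrator is the legacy name of the Global Administrator role)` in the description would save reviewers a lookup. The file is added with `sigma: false` and `sigma_rule: []`, so this privileged role assignment under the persistence tactic currently has no detection mapping; if the rule set this commit maps against has an Azure AD audit-log rule for privileged role assignment, it belongs here, and if not, the description should say the gap is known. This hunk starts on the previous line.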
--- a/yml/54574908-f1de-4356-9021-8053dd57439a.yml
+++ b/yml/54574908-f1de-4356-9021-8053dd57439a.yml
@@ -40,7 +40,7 @@ sigma_rule:
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 name: posh_ps_malicious_commandlets.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 name: posh_ps_detect_vm_env.yml
 - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
@@ -88,7 +88,7 @@ sigma_rule:
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
 name: posh_pm_bad_opsec_artifacts.yml
 - id: cef24b90-dddc-4ae1-a09a-8764872f69fc
diff --git a/yml/559e6d06-bb42-4307-bff7-3b95a8254bad.yml b/yml/559e6d06-bb42-4307-bff7-3b95a8254bad.yml
index 63809682..6c9994a6 100644
--- a/yml/559e6d06-bb42-4307-bff7-3b95a8254bad.yml
+++ b/yml/559e6d06-bb42-4307-bff7-3b95a8254bad.yml
@@ -18,11 +18,11 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 15b75071-74cc-47e0-b4c6-b43744a62a2b
 name: proc_creation_win_rundll32_run_locations.yml
 - id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
diff --git a/yml/562427b4-39ef-4e8c-af88-463a78e70b9c.yml b/yml/562427b4-39ef-4e8c-af88-463a78e70b9c.yml
index dc5d4b72..da27fbc2 100644
--- a/yml/562427b4-39ef-4e8c-af88-463a78e70b9c.yml
+++ b/yml/562427b4-39ef-4e8c-af88-463a78e70b9c.yml
@@ -23,11 +23,11 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
diff --git a/yml/56b9589c-9170-4682-8c3d-33b86ecb5119.yml b/yml/56b9589c-9170-4682-8c3d-33b86ecb5119.yml
index 100c8db9..640ecd99 100644
--- a/yml/56b9589c-9170-4682-8c3d-33b86ecb5119.yml
+++ b/yml/56b9589c-9170-4682-8c3d-33b86ecb5119.yml
@@ -40,7 +40,7 @@ sigma_rule:
 - id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 name: posh_ps_detect_vm_env.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 name: posh_ps_malicious_commandlets.yml
 - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
diff --git a/yml/58742c0f-cb01-44cd-a60b-fb26e8871c93.yml b/yml/58742c0f-cb01-44cd-a60b-fb26e8871c93.yml
index 8dd9b5e3..0e2d8da9 100644
--- a/yml/58742c0f-cb01-44cd-a60b-fb26e8871c93.yml
+++ b/yml/58742c0f-cb01-44cd-a60b-fb26e8871c93.yml
@@ -21,4 +21,4 @@ sigma_rule:
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
diff --git a/yml/58a193ec-131b-404e-b1ca-b35cf0b18c33.yml b/yml/58a193ec-131b-404e-b1ca-b35cf0b18c33.yml
index f1a8b128..1b5c5f25 100644
--- a/yml/58a193ec-131b-404e-b1ca-b35cf0b18c33.yml
+++ b/yml/58a193ec-131b-404e-b1ca-b35cf0b18c33.yml
@@ -19,13 +19,13 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
 name: posh_ps_susp_windowstyle.yml
 - id: 1883444f-084b-419b-ac62-e0d0c5b3693f
diff --git a/yml/58ed10e8-0738-4651-8408-3a3e9a526279.yml b/yml/58ed10e8-0738-4651-8408-3a3e9a526279.yml
index ee4fd7c4..c956d085 100644
--- a/yml/58ed10e8-0738-4651-8408-3a3e9a526279.yml
+++ b/yml/58ed10e8-0738-4651-8408-3a3e9a526279.yml
@@ -22,4 +22,4 @@ sigma_rule:
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
diff --git a/yml/5a683850-1145-4326-a0e5-e91ced3c6022.yml b/yml/5a683850-1145-4326-a0e5-e91ced3c6022.yml
index 928ae461..80412289 100644
--- a/yml/5a683850-1145-4326-a0e5-e91ced3c6022.yml
+++ b/yml/5a683850-1145-4326-a0e5-e91ced3c6022.yml
@@ -18,8 +18,8 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
diff --git a/yml/5a8a181c-2c8e-478d-a943-549305a01230.yml b/yml/5a8a181c-2c8e-478d-a943-549305a01230.yml
index 4e59fd8c..e204098e 100644
--- a/yml/5a8a181c-2c8e-478d-a943-549305a01230.yml
+++ b/yml/5a8a181c-2c8e-478d-a943-549305a01230.yml
@@ -30,7 +30,7 @@ sigma_rule:
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 name: posh_ps_malicious_commandlets.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
 name: posh_ps_susp_keywords.yml
 - id: b29a93fb-087c-4b5b-a84d-ee3309e69d08
diff --git a/yml/5b6f39a2-6ec7-4783-a5fd-2c54a55409ed.yml b/yml/5b6f39a2-6ec7-4783-a5fd-2c54a55409ed.yml
index 1800efdf..73ef29cb 100644
--- a/yml/5b6f39a2-6ec7-4783-a5fd-2c54a55409ed.yml
+++ b/yml/5b6f39a2-6ec7-4783-a5fd-2c54a55409ed.yml
@@ -34,7 +34,7 @@ sigma_rule:
 - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
 name: posh_pm_susp_invocation_specific.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
 name: posh_ps_file_and_directory_discovery.yml
 - id: 0332a266-b584-47b4-933d-a00b103e1b37
diff --git a/yml/5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82.yml b/yml/5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82.yml
index e8198381..6c5be31a 100644
--- a/yml/5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82.yml
+++ b/yml/5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82.yml
@@ -51,7 +51,7 @@ sigma_rule:
 - id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 name: posh_ps_detect_vm_env.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 0332a266-b584-47b4-933d-a00b103e1b37
 name: posh_ps_susp_gwmi.yml
 - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
diff --git a/yml/64fdb43b-5259-467a-b000-1b02c00e510a.yml b/yml/64fdb43b-5259-467a-b000-1b02c00e510a.yml
index 5a31ab4c..9bb25d73 100644
--- a/yml/64fdb43b-5259-467a-b000-1b02c00e510a.yml
+++ b/yml/64fdb43b-5259-467a-b000-1b02c00e510a.yml
@@ -20,4 +20,4 @@ sigma_rule:
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
diff --git a/yml/6502c8f0-b775-4dbd-9193-1298f56b6781.yml b/yml/6502c8f0-b775-4dbd-9193-1298f56b6781.yml
index 20132f91..29711681 100644
--- a/yml/6502c8f0-b775-4dbd-9193-1298f56b6781.yml
+++ b/yml/6502c8f0-b775-4dbd-9193-1298f56b6781.yml
@@ -58,7 +58,7 @@ sigma_rule:
 - id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
 name: posh_ps_susp_getprocess_lsass.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
diff --git a/yml/66fb0bc1-3c3f-47e9-a298-550ecfefacbc.yml b/yml/66fb0bc1-3c3f-47e9-a298-550ecfefacbc.yml
index e83045a9..db8f24b8 100644
--- a/yml/66fb0bc1-3c3f-47e9-a298-550ecfefacbc.yml
+++ b/yml/66fb0bc1-3c3f-47e9-a298-550ecfefacbc.yml
@@ -51,5 +51,5 @@ sigma_rule:
 - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
 name: posh_ps_susp_keywords.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
diff --git a/yml/686a9785-f99b-41d4-90df-66ed515f81d7.yml b/yml/686a9785-f99b-41d4-90df-66ed515f81d7.yml
index 01a8f17f..06743731 100644
--- a/yml/686a9785-f99b-41d4-90df-66ed515f81d7.yml
+++ b/yml/686a9785-f99b-41d4-90df-66ed515f81d7.yml
@@ -20,13 +20,13 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 754ed792-634f-40ae-b3bc-e0448d33f695
 name: proc_creation_win_powershell_susp_parent_process.yml
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
 name: posh_ps_susp_windowstyle.yml
 - id: 1883444f-084b-419b-ac62-e0d0c5b3693f
diff --git a/yml/69fc085b-5444-4879-8002-b24c8e1a3e02.yml b/yml/69fc085b-5444-4879-8002-b24c8e1a3e02.yml
index 571abd4a..c412a70d 100644
--- a/yml/69fc085b-5444-4879-8002-b24c8e1a3e02.yml
+++ b/yml/69fc085b-5444-4879-8002-b24c8e1a3e02.yml
@@ -20,6 +20,7 @@ os:
 description: |
 An adversary can disable the ETW Provider of Windows Defender, so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+ https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
 executor: powershell
 sigma: true
 sigma_rule:
diff --git a/yml/71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112.yml b/yml/71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112.yml
index d4dccd41..c280363f 100644
--- a/yml/71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112.yml
+++ b/yml/71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112.yml
@@ -18,4 +18,4 @@ executor: command_prompt
 sigma: true
 sigma_rule:
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
diff --git a/yml/7230d01a-0a72-4bd5-9d7f-c6d472bc6a59.yml b/yml/7230d01a-0a72-4bd5-9d7f-c6d472bc6a59.yml
index ca43141c..903b6ca0 100644
--- a/yml/7230d01a-0a72-4bd5-9d7f-c6d472bc6a59.yml
+++ b/yml/7230d01a-0a72-4bd5-9d7f-c6d472bc6a59.yml
@@ -32,7 +32,7 @@ sigma_rule:
 - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
 name: posh_pm_susp_invocation_specific.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
 name: posh_ps_file_and_directory_discovery.yml
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
diff --git a/yml/75f66e03-37d3-4704-9520-3210efbe33ce.yml b/yml/75f66e03-37d3-4704-9520-3210efbe33ce.yml
index 08b99040..042bcf2a 100644
--- a/yml/75f66e03-37d3-4704-9520-3210efbe33ce.yml
+++ b/yml/75f66e03-37d3-4704-9520-3210efbe33ce.yml
@@ -42,7 +42,7 @@ sigma_rule:
 - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
 name: posh_ps_susp_get_current_user.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
 name: posh_ps_susp_download.yml
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
@@ -78,7 +78,7 @@ sigma_rule:
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
 name: net_connection_win_binary_susp_com.yml
 - id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
diff --git a/yml/764ea176-fb71-494c-90ea-72e9d85dce76.yml b/yml/764ea176-fb71-494c-90ea-72e9d85dce76.yml
index ed3a9106..893fbe1a 100644
--- a/yml/764ea176-fb71-494c-90ea-72e9d85dce76.yml
+++ b/yml/764ea176-fb71-494c-90ea-72e9d85dce76.yml
@@ -44,7 +44,7 @@ sigma_rule:
 - id: 0332a266-b584-47b4-933d-a00b103e1b37
 name: posh_ps_susp_gwmi.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 name: posh_ps_detect_vm_env.yml
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
diff --git a/yml/7804659b-fdbf-4cf6-b06a-c03e758590e8.yml b/yml/7804659b-fdbf-4cf6-b06a-c03e758590e8.yml
index 71bf3feb..28966971 100644
--- a/yml/7804659b-fdbf-4cf6-b06a-c03e758590e8.yml
+++ b/yml/7804659b-fdbf-4cf6-b06a-c03e758590e8.yml
@@ -46,7 +46,7 @@ sigma_rule:
 - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
 name: posh_ps_susp_download.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
 name: posh_ps_susp_get_current_user.yml
 - id: af4c87ce-bdda-4215-b998-15220772e993
diff --git a/yml/7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66.yml b/yml/7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66.yml
index 874483af..3a951fa4 100644
--- a/yml/7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66.yml
+++ b/yml/7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66.yml
@@ -45,7 +45,7 @@ sigma_rule:
 - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
 name: posh_ps_susp_download.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
 name: posh_ps_susp_get_current_user.yml
 - id: d93129cd-1ee0-479f-bc03-ca6f129882e3
diff --git a/yml/78d10e20-c874-45f2-a9df-6fea0120ec27.yml b/yml/78d10e20-c874-45f2-a9df-6fea0120ec27.yml
index 827def30..5820d454 100644
--- a/yml/78d10e20-c874-45f2-a9df-6fea0120ec27.yml
+++ b/yml/78d10e20-c874-45f2-a9df-6fea0120ec27.yml
@@ -50,7 +50,7 @@ sigma_rule:
 - id: 0332a266-b584-47b4-933d-a00b103e1b37
 name: posh_ps_susp_gwmi.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
 name: posh_ps_susp_download.yml
 - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
diff --git a/yml/78e95057-d429-4e66-8f82-0f060c1ac96f.yml b/yml/78e95057-d429-4e66-8f82-0f060c1ac96f.yml
index 635ff5bc..66b3e064 100644
--- a/yml/78e95057-d429-4e66-8f82-0f060c1ac96f.yml
+++ b/yml/78e95057-d429-4e66-8f82-0f060c1ac96f.yml
@@ -33,11 +33,11 @@ sigma_rule: - id: f772cee9-b7c2-4cb2-8f07-49870adc02e0 name: posh_ps_nishang_malicious_commandlets.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 name: file_event_win_csharp_compile_artefact.yml - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml - id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb name: posh_ps_script_with_upload_capabilities.yml - id: 1139d2e2-84b1-4226-b445-354492eba8ba diff --git a/yml/7a714703-9f6b-461c-b06d-e6aeac650f27.yml b/yml/7a714703-9f6b-461c-b06d-e6aeac650f27.yml index 28575d24..0e5b033b 100644 --- a/yml/7a714703-9f6b-461c-b06d-e6aeac650f27.yml +++ b/yml/7a714703-9f6b-461c-b06d-e6aeac650f27.yml @@ -24,5 +24,9 @@ description: |- https://attack.mitre.org/techniques/T1176/ https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/ executor: powershell -sigma: false -sigma_rule: [] +sigma: true +sigma_rule: + - id: 27ba3207-dd30-4812-abbf-5d20c57d474e + name: proc_creation_win_browsers_chromium_susp_load_extension.yml + - id: 7047d730-036f-4f40-b9d8-1c63e36d5e62 + name: file_event_win_powershell_drop_binary_or_script.yml diff --git a/yml/7e79a1b6-519e-433c-ad55-3ff293667101.yml b/yml/7e79a1b6-519e-433c-ad55-3ff293667101.yml index 13079785..fb02a047 100644 --- a/yml/7e79a1b6-519e-433c-ad55-3ff293667101.yml +++ b/yml/7e79a1b6-519e-433c-ad55-3ff293667101.yml @@ -40,7 +40,7 @@ sigma_rule: - id: d93129cd-1ee0-479f-bc03-ca6f129882e3 name: posh_ps_detect_vm_env.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a name: posh_ps_susp_get_current_user.yml - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb 
diff --git a/yml/7ec5b74e-8289-4ff2-a162-b6f286a33abd.yml b/yml/7ec5b74e-8289-4ff2-a162-b6f286a33abd.yml index 892bd815..4a4f0139 100644 --- a/yml/7ec5b74e-8289-4ff2-a162-b6f286a33abd.yml +++ b/yml/7ec5b74e-8289-4ff2-a162-b6f286a33abd.yml @@ -40,11 +40,11 @@ sigma_rule: - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 name: posh_pm_susp_invocation_specific.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 name: file_event_win_csharp_compile_artefact.yml - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d name: proc_access_win_cred_dump_lsass_access.yml - id: 250ae82f-736e-4844-a68b-0b5e8cc887da diff --git a/yml/804f28fc-68fc-40da-b5a2-e9d0bce5c193.yml b/yml/804f28fc-68fc-40da-b5a2-e9d0bce5c193.yml index 97c801f7..71ff25ec 100644 --- a/yml/804f28fc-68fc-40da-b5a2-e9d0bce5c193.yml +++ b/yml/804f28fc-68fc-40da-b5a2-e9d0bce5c193.yml @@ -26,7 +26,7 @@ sigma_rule: - id: f62176f3-8128-4faa-bf6c-83261322e5eb name: posh_ps_malicious_keywords.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d name: proc_access_win_cred_dump_lsass_access.yml diff --git a/yml/86a43bad-12e3-4e85-b97c-4d5cf25b95c3.yml b/yml/86a43bad-12e3-4e85-b97c-4d5cf25b95c3.yml index 887ec6f6..8fbfc27e 100644 --- a/yml/86a43bad-12e3-4e85-b97c-4d5cf25b95c3.yml +++ b/yml/86a43bad-12e3-4e85-b97c-4d5cf25b95c3.yml 
@@ -22,11 +22,11 @@ sigma_rule: - id: 754ed792-634f-40ae-b3bc-e0448d33f695 name: proc_creation_win_powershell_susp_parent_process.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: f62176f3-8128-4faa-bf6c-83261322e5eb name: posh_ps_malicious_keywords.yml - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c name: posh_ps_susp_windowstyle.yml - id: 1883444f-084b-419b-ac62-e0d0c5b3693f diff --git a/yml/8b56f787-73d9-4f1d-87e8-d07e89cbc7f5.yml b/yml/8b56f787-73d9-4f1d-87e8-d07e89cbc7f5.yml index 210090c2..afa3f11d 100644 --- a/yml/8b56f787-73d9-4f1d-87e8-d07e89cbc7f5.yml +++ b/yml/8b56f787-73d9-4f1d-87e8-d07e89cbc7f5.yml @@ -36,7 +36,7 @@ sigma_rule: - id: 1139d2e2-84b1-4226-b445-354492eba8ba name: posh_ps_web_request_cmd_and_cmdlets.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 name: posh_ps_malicious_commandlets.yml - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 diff --git a/yml/90db9e27-8e7c-4c04-b602-a45927884966.yml b/yml/90db9e27-8e7c-4c04-b602-a45927884966.yml index 9828d1e7..8f45ec57 100644 --- a/yml/90db9e27-8e7c-4c04-b602-a45927884966.yml +++ b/yml/90db9e27-8e7c-4c04-b602-a45927884966.yml @@ -25,7 +25,7 @@ sigma_rule: - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf name: posh_ps_susp_keywords.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: f62176f3-8128-4faa-bf6c-83261322e5eb name: posh_ps_malicious_keywords.yml - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 diff --git a/yml/93662494-5ed7-4454-a04c-8c8372808ac2.yml b/yml/93662494-5ed7-4454-a04c-8c8372808ac2.yml index 7b887d2d..2a160f1b 100644 --- a/yml/93662494-5ed7-4454-a04c-8c8372808ac2.yml 
+++ b/yml/93662494-5ed7-4454-a04c-8c8372808ac2.yml @@ -32,7 +32,7 @@ sigma_rule: - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf name: posh_ps_susp_keywords.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: b29a93fb-087c-4b5b-a84d-ee3309e69d08 name: posh_ps_directoryservices_accountmanagement.yml - id: a861d835-af37-4930-bcd6-5b178bfb54df diff --git a/yml/964d8bf8-37bc-4fd3-ba36-ad13761ebbcc.yml b/yml/964d8bf8-37bc-4fd3-ba36-ad13761ebbcc.yml index 85455f58..4290b956 100644 --- a/yml/964d8bf8-37bc-4fd3-ba36-ad13761ebbcc.yml +++ b/yml/964d8bf8-37bc-4fd3-ba36-ad13761ebbcc.yml @@ -51,7 +51,7 @@ sigma_rule: - id: 0332a266-b584-47b4-933d-a00b103e1b37 name: posh_ps_susp_gwmi.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb name: posh_ps_susp_getprocess_lsass.yml - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf @@ -83,7 +83,7 @@ sigma_rule: - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 name: file_event_win_csharp_compile_artefact.yml - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml - id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86 name: posh_pm_bad_opsec_artifacts.yml - id: cef24b90-dddc-4ae1-a09a-8764872f69fc diff --git a/yml/97585b04-5be2-40e9-8c31-82157b8af2d6.yml b/yml/97585b04-5be2-40e9-8c31-82157b8af2d6.yml index 075ed997..950ceadd 100644 --- a/yml/97585b04-5be2-40e9-8c31-82157b8af2d6.yml +++ b/yml/97585b04-5be2-40e9-8c31-82157b8af2d6.yml 
@@ -34,7 +34,7 @@ sigma_rule: - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 name: posh_pm_susp_invocation_specific.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9 name: posh_ps_file_and_directory_discovery.yml - id: d93129cd-1ee0-479f-bc03-ca6f129882e3 @@ -88,7 +88,7 @@ sigma_rule: - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 name: file_event_win_csharp_compile_artefact.yml - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml - id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86 name: posh_pm_bad_opsec_artifacts.yml - id: cef24b90-dddc-4ae1-a09a-8764872f69fc diff --git a/yml/987901d1-5b87-4558-a6d9-cffcabc638b8.yml b/yml/987901d1-5b87-4558-a6d9-cffcabc638b8.yml index 8c4d2d50..274547c8 100644 --- a/yml/987901d1-5b87-4558-a6d9-cffcabc638b8.yml +++ b/yml/987901d1-5b87-4558-a6d9-cffcabc638b8.yml @@ -49,7 +49,7 @@ sigma_rule: - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a name: posh_ps_susp_get_current_user.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf name: posh_ps_susp_keywords.yml - id: af4c87ce-bdda-4215-b998-15220772e993 diff --git a/yml/99be2089-c52d-4a4a-b5c3-261ee42c8b62.yml b/yml/99be2089-c52d-4a4a-b5c3-261ee42c8b62.yml index 402a2355..4f8bb1fe 100644 --- a/yml/99be2089-c52d-4a4a-b5c3-261ee42c8b62.yml +++ b/yml/99be2089-c52d-4a4a-b5c3-261ee42c8b62.yml @@ -20,4 +20,4 @@ executor: command_prompt sigma: true sigma_rule: - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml diff --git a/yml/9b6a06f9-ab5e-4e8d-8289-1df4289db02f.yml b/yml/9b6a06f9-ab5e-4e8d-8289-1df4289db02f.yml index f2b212a3..89d1b822 100644 --- a/yml/9b6a06f9-ab5e-4e8d-8289-1df4289db02f.yml 
+++ b/yml/9b6a06f9-ab5e-4e8d-8289-1df4289db02f.yml @@ -28,5 +28,5 @@ executor: powershell sigma: true sigma_rule: - id: dfb5b4e8-91d0-4291-b40a-e3b0d3942c45 - name: registry_set_persistence_shim_databases.yml + name: registry_set_persistence_shim_database.yml diff --git a/yml/9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93.yml b/yml/9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93.yml index 911baa5d..0ff87ff5 100644 --- a/yml/9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93.yml +++ b/yml/9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93.yml @@ -18,8 +18,8 @@ executor: powershell sigma: true sigma_rule: - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 name: file_event_win_csharp_compile_artefact.yml - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml diff --git a/yml/9e9fd066-453d-442f-88c1-ad7911d32912.yml b/yml/9e9fd066-453d-442f-88c1-ad7911d32912.yml index 64cf9d3e..f45f3776 100644 --- a/yml/9e9fd066-453d-442f-88c1-ad7911d32912.yml +++ b/yml/9e9fd066-453d-442f-88c1-ad7911d32912.yml @@ -45,7 +45,7 @@ sigma_rule: - id: 0332a266-b584-47b4-933d-a00b103e1b37 name: posh_ps_susp_gwmi.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf name: posh_ps_susp_keywords.yml - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb diff --git a/yml/9ebe7901-7edf-45c0-b5c7-8366300919db.yml b/yml/9ebe7901-7edf-45c0-b5c7-8366300919db.yml index 1ac7ea16..18f62418 100644 --- a/yml/9ebe7901-7edf-45c0-b5c7-8366300919db.yml +++ b/yml/9ebe7901-7edf-45c0-b5c7-8366300919db.yml 
@@ -29,13 +29,13 @@ sigma_rule: - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 name: posh_pm_remotefxvgpudisablement_abuse.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: f62176f3-8128-4faa-bf6c-83261322e5eb name: posh_ps_malicious_keywords.yml - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 name: file_event_win_csharp_compile_artefact.yml - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml - id: b8af5f36-1361-4ebe-9e76-e36128d947bf name: posh_ps_remove_item_path.yml - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c diff --git a/yml/9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b.yml b/yml/9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b.yml index 244c6f77..4d79b03e 100644 --- a/yml/9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b.yml +++ b/yml/9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b.yml @@ -18,8 +18,8 @@ executor: powershell sigma: true sigma_rule: - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 name: file_event_win_csharp_compile_artefact.yml - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml diff --git a/yml/a2d71eee-a353-4232-9f86-54f4288dd8c1.yml b/yml/a2d71eee-a353-4232-9f86-54f4288dd8c1.yml index 741f90be..5444be5e 100644 --- a/yml/a2d71eee-a353-4232-9f86-54f4288dd8c1.yml +++ b/yml/a2d71eee-a353-4232-9f86-54f4288dd8c1.yml @@ -20,4 +20,4 @@ sigma_rule: - id: f62176f3-8128-4faa-bf6c-83261322e5eb name: posh_ps_malicious_keywords.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml diff --git a/yml/a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd.yml b/yml/a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd.yml index 5bad638f..e106231c 100644 
--- a/yml/a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd.yml +++ b/yml/a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd.yml @@ -20,4 +20,4 @@ sigma_rule: - id: f62176f3-8128-4faa-bf6c-83261322e5eb name: posh_ps_malicious_keywords.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml diff --git a/yml/aaa87b0e-5232-4649-ae5c-f1724a4b2798.yml b/yml/aaa87b0e-5232-4649-ae5c-f1724a4b2798.yml index d35b0de9..2be4f75e 100644 --- a/yml/aaa87b0e-5232-4649-ae5c-f1724a4b2798.yml +++ b/yml/aaa87b0e-5232-4649-ae5c-f1724a4b2798.yml @@ -36,7 +36,7 @@ sigma_rule: - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 name: posh_ps_malicious_commandlets.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9 name: posh_ps_file_and_directory_discovery.yml - id: 0332a266-b584-47b4-933d-a00b103e1b37 diff --git a/yml/afdfd7e3-8a0b-409f-85f7-886fdf249c9e.yml b/yml/afdfd7e3-8a0b-409f-85f7-886fdf249c9e.yml index 4950c17d..214b648c 100644 --- a/yml/afdfd7e3-8a0b-409f-85f7-886fdf249c9e.yml +++ b/yml/afdfd7e3-8a0b-409f-85f7-886fdf249c9e.yml @@ -4,7 +4,7 @@ Attack_description: |- The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014) guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e -name: Modify SSP configuration in registry +name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry tactic: - privilege-escalation - persistence 
@@ -12,7 +12,9 @@ technique: - T1547.005 os: - windows -description: Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys. +description: | + Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder. + A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/ executor: powershell sigma: true sigma_rule: diff --git a/yml/afe369c2-b42e-447f-98a3-fb1f4e2b8552.yml b/yml/afe369c2-b42e-447f-98a3-fb1f4e2b8552.yml index 8ca3bf5f..a3dfbb01 100644 --- a/yml/afe369c2-b42e-447f-98a3-fb1f4e2b8552.yml +++ b/yml/afe369c2-b42e-447f-98a3-fb1f4e2b8552.yml @@ -37,7 +37,7 @@ sigma_rule: - id: 0332a266-b584-47b4-933d-a00b103e1b37 name: posh_ps_susp_gwmi.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 name: posh_ps_malicious_commandlets.yml - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a diff --git a/yml/b1636f0a-ba82-435c-b699-0d78794d8bfd.yml b/yml/b1636f0a-ba82-435c-b699-0d78794d8bfd.yml index 3e8f1cde..4f9ce6fc 100644 --- a/yml/b1636f0a-ba82-435c-b699-0d78794d8bfd.yml +++ b/yml/b1636f0a-ba82-435c-b699-0d78794d8bfd.yml @@ -19,6 +19,6 @@ executor: powershell sigma: true sigma_rule: - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: f62176f3-8128-4faa-bf6c-83261322e5eb name: posh_ps_malicious_keywords.yml diff --git a/yml/b8a8bdb2-7eae-490d-8251-d5e0295b2362.yml b/yml/b8a8bdb2-7eae-490d-8251-d5e0295b2362.yml index b8fde1c9..29a90e55 100644 --- a/yml/b8a8bdb2-7eae-490d-8251-d5e0295b2362.yml +++ b/yml/b8a8bdb2-7eae-490d-8251-d5e0295b2362.yml 
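Review bot: The new `description` names the mimikatz SSP module as `minilib.dll`; the DLL that mimikatz ships (and that the referenced pentestlab post uses) is `mimilib.dll`, so the second line should read `A common DLL used with this technique is mimilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/` — which also fixes the `techquite` typo. The first line is worth tightening as well: the value written to `Security Packages` is a bare package name, and as far as I recall LSA resolves it from `%SystemRoot%\System32` at boot, which is the reason the payload "normally" has to be copied there; saying so explicitly (e.g. `... pointing to a payload DLL, which must be placed in %SystemRoot%\System32 because LSA resolves package names from that directory`) tells the reader why the test's setup step exists. The `sigma_rule:` list that follows `sigma: true` continues outside the hunk, so I could not check whether the rule names there were updated in the same rename pass as the other files in this diff.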
@@ -21,13 +21,13 @@ sigma_rule: - id: 754ed792-634f-40ae-b3bc-e0448d33f695 name: proc_creation_win_powershell_susp_parent_process.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: f62176f3-8128-4faa-bf6c-83261322e5eb name: posh_ps_malicious_keywords.yml - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 name: file_event_win_csharp_compile_artefact.yml - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c name: posh_ps_susp_windowstyle.yml - id: 1883444f-084b-419b-ac62-e0d0c5b3693f diff --git a/yml/bb037826-cbe8-4a41-93ea-b94059d6bb98.yml b/yml/bb037826-cbe8-4a41-93ea-b94059d6bb98.yml index a9ee8025..109b1d46 100644 --- a/yml/bb037826-cbe8-4a41-93ea-b94059d6bb98.yml +++ b/yml/bb037826-cbe8-4a41-93ea-b94059d6bb98.yml @@ -38,7 +38,7 @@ sigma_rule: - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9 name: posh_ps_file_and_directory_discovery.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a name: posh_ps_susp_get_current_user.yml - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb diff --git a/yml/bc25c04b-841e-4965-855f-d1f645d7ab73.yml b/yml/bc25c04b-841e-4965-855f-d1f645d7ab73.yml index 4249c18a..63a3a4c2 100644 --- a/yml/bc25c04b-841e-4965-855f-d1f645d7ab73.yml +++ b/yml/bc25c04b-841e-4965-855f-d1f645d7ab73.yml @@ -40,7 +40,7 @@ sigma_rule: - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 name: posh_ps_malicious_commandlets.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a name: posh_ps_susp_get_current_user.yml - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb 
diff --git a/yml/c2587b8d-743d-4985-aa50-c83394eaeb68.yml b/yml/c2587b8d-743d-4985-aa50-c83394eaeb68.yml index f5ea0ea4..d5be0985 100644 --- a/yml/c2587b8d-743d-4985-aa50-c83394eaeb68.yml +++ b/yml/c2587b8d-743d-4985-aa50-c83394eaeb68.yml @@ -30,6 +30,6 @@ sigma_rule: - id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c name: proc_creation_win_rundll32_by_ordinal.yml - id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87 - name: proc_creation_win_lolbin_not_from_c_drive.yml + name: proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml - id: e0b06658-7d1d-4cd3-bf15-03467507ff7c name: file_event_win_net_cli_artefact.yml diff --git a/yml/c9dc9de3-f961-4284-bd2d-f959c9f9fda5.yml b/yml/c9dc9de3-f961-4284-bd2d-f959c9f9fda5.yml index 6d54e321..1587af95 100644 --- a/yml/c9dc9de3-f961-4284-bd2d-f959c9f9fda5.yml +++ b/yml/c9dc9de3-f961-4284-bd2d-f959c9f9fda5.yml @@ -38,7 +38,7 @@ sigma_rule: - id: d93129cd-1ee0-479f-bc03-ca6f129882e3 name: posh_ps_detect_vm_env.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9 name: posh_ps_file_and_directory_discovery.yml - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb diff --git a/yml/cab413d8-9e4a-4b8d-9b84-c985bd73a442.yml b/yml/cab413d8-9e4a-4b8d-9b84-c985bd73a442.yml index 6e709d78..c7cf87bc 100644 --- a/yml/cab413d8-9e4a-4b8d-9b84-c985bd73a442.yml +++ b/yml/cab413d8-9e4a-4b8d-9b84-c985bd73a442.yml @@ -35,9 +35,9 @@ sigma_rule: - id: f772cee9-b7c2-4cb2-8f07-49870adc02e0 name: posh_ps_nishang_malicious_commandlets.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml - id: 1139d2e2-84b1-4226-b445-354492eba8ba name: posh_ps_web_request_cmd_and_cmdlets.yml - id: 1f21ec3f-810d-4b0e-8045-322202e22b4b 
diff --git a/yml/cb6e76ca-861e-4a7f-be08-564caa3e6f75.yml b/yml/cb6e76ca-861e-4a7f-be08-564caa3e6f75.yml index f69831bf..822a4de5 100644 --- a/yml/cb6e76ca-861e-4a7f-be08-564caa3e6f75.yml +++ b/yml/cb6e76ca-861e-4a7f-be08-564caa3e6f75.yml @@ -35,7 +35,7 @@ sigma_rule: - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb name: posh_ps_susp_download.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a name: posh_ps_susp_get_current_user.yml - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 diff --git a/yml/cbbff285-9051-444a-9d17-c07cd2d230eb.yml b/yml/cbbff285-9051-444a-9d17-c07cd2d230eb.yml index 09e08dc6..6824e70c 100644 --- a/yml/cbbff285-9051-444a-9d17-c07cd2d230eb.yml +++ b/yml/cbbff285-9051-444a-9d17-c07cd2d230eb.yml @@ -19,13 +19,13 @@ executor: powershell sigma: true sigma_rule: - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: f62176f3-8128-4faa-bf6c-83261322e5eb name: posh_ps_malicious_keywords.yml - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 name: file_event_win_csharp_compile_artefact.yml - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c name: posh_ps_susp_windowstyle.yml - id: 1883444f-084b-419b-ac62-e0d0c5b3693f diff --git a/yml/ccf4ac39-ec93-42be-9035-90e2f26bcd92.yml b/yml/ccf4ac39-ec93-42be-9035-90e2f26bcd92.yml index 33e0c07b..48220427 100644 --- a/yml/ccf4ac39-ec93-42be-9035-90e2f26bcd92.yml +++ b/yml/ccf4ac39-ec93-42be-9035-90e2f26bcd92.yml 
@@ -39,7 +39,7 @@ sigma_rule: - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf name: posh_ps_susp_keywords.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: f62176f3-8128-4faa-bf6c-83261322e5eb name: posh_ps_malicious_keywords.yml - id: 1f21ec3f-810d-4b0e-8045-322202e22b4b diff --git a/yml/ce483c35-c74b-45a7-a670-631d1e69db3d.yml b/yml/ce483c35-c74b-45a7-a670-631d1e69db3d.yml index 1ab0b4df..38949077 100644 --- a/yml/ce483c35-c74b-45a7-a670-631d1e69db3d.yml +++ b/yml/ce483c35-c74b-45a7-a670-631d1e69db3d.yml @@ -44,7 +44,7 @@ sigma_rule: - id: d93129cd-1ee0-479f-bc03-ca6f129882e3 name: posh_ps_detect_vm_env.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a name: posh_ps_susp_get_current_user.yml - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb diff --git a/yml/ce4e76e6-de70-4392-9efe-b281fc2b4087.yml b/yml/ce4e76e6-de70-4392-9efe-b281fc2b4087.yml index b111b5da..eb84cd8c 100644 --- a/yml/ce4e76e6-de70-4392-9efe-b281fc2b4087.yml +++ b/yml/ce4e76e6-de70-4392-9efe-b281fc2b4087.yml @@ -38,11 +38,11 @@ sigma_rule: - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 name: posh_pm_susp_invocation_specific.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 name: file_event_win_csharp_compile_artefact.yml - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d name: proc_access_win_cred_dump_lsass_access.yml - id: 250ae82f-736e-4844-a68b-0b5e8cc887da diff --git a/yml/d1334303-59cb-4a03-8313-b3e24d02c198.yml b/yml/d1334303-59cb-4a03-8313-b3e24d02c198.yml index 5c494458..64072049 100644 --- a/yml/d1334303-59cb-4a03-8313-b3e24d02c198.yml 
+++ b/yml/d1334303-59cb-4a03-8313-b3e24d02c198.yml @@ -14,7 +14,7 @@ technique: - T1560.001 os: - windows -description: 'Note: Requires 7zip installation +description: 'Note: This test requires 7zip installation ' executor: command_prompt diff --git a/yml/d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840.yml b/yml/d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840.yml index fbe62870..117425b4 100644 --- a/yml/d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840.yml +++ b/yml/d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840.yml @@ -21,13 +21,13 @@ sigma_rule: - id: 754ed792-634f-40ae-b3bc-e0448d33f695 name: proc_creation_win_powershell_susp_parent_process.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: f62176f3-8128-4faa-bf6c-83261322e5eb name: posh_ps_malicious_keywords.yml - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 name: file_event_win_csharp_compile_artefact.yml - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c name: posh_ps_susp_windowstyle.yml - id: 1883444f-084b-419b-ac62-e0d0c5b3693f diff --git a/yml/d43a5bde-ae28-4c55-a850-3f4c80573503.yml b/yml/d43a5bde-ae28-4c55-a850-3f4c80573503.yml index 347f2bbe..361a5830 100644 --- a/yml/d43a5bde-ae28-4c55-a850-3f4c80573503.yml +++ b/yml/d43a5bde-ae28-4c55-a850-3f4c80573503.yml @@ -18,8 +18,8 @@ executor: powershell sigma: true sigma_rule: - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 name: file_event_win_csharp_compile_artefact.yml - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml diff --git a/yml/d6139549-7b72-4e48-9ea1-324fc9bdf88a.yml b/yml/d6139549-7b72-4e48-9ea1-324fc9bdf88a.yml index 28f8347e..2bdce111 100644 
--- a/yml/d6139549-7b72-4e48-9ea1-324fc9bdf88a.yml +++ b/yml/d6139549-7b72-4e48-9ea1-324fc9bdf88a.yml @@ -48,7 +48,7 @@ sigma_rule: - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97 name: net_connection_win_binary_susp_com.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf name: posh_ps_susp_keywords.yml - id: b29a93fb-087c-4b5b-a84d-ee3309e69d08 diff --git a/yml/da558b07-69ae-41b9-b9d4-4d98154a7049.yml b/yml/da558b07-69ae-41b9-b9d4-4d98154a7049.yml new file mode 100644 index 00000000..044bee66 --- /dev/null +++ b/yml/da558b07-69ae-41b9-b9d4-4d98154a7049.yml 
@@ -0,0 +1,30 @@ +Attack_name: Inhibit System Recovery +Attack_description: |- + Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options. + + Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom) + + A number of native Windows utilities have been used by adversaries to disable or delete system recovery features: + + * vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet + * [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete + * wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet + * bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no + * REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system + + On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System 
Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations. + + Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware) +guid: da558b07-69ae-41b9-b9d4-4d98154a7049 +name: Windows - vssadmin Resize Shadowstorage Volume +tactic: + - impact +technique: + - T1490 +os: + - windows +description: Adversaries generally try to Resize Shadowstorage Volume using vssadmin.exe to avoid the shadow volumes being made again. This technique is typically found used by adversaries during a ransomware + event and a precursor to deleting the shadowstorage. +executor: powershell +sigma: false +sigma_rule: [] diff --git a/yml/db965264-3117-4bad-b7b7-2523b7856b92.yml b/yml/db965264-3117-4bad-b7b7-2523b7856b92.yml index 6ed0da8c..01707162 100644 --- a/yml/db965264-3117-4bad-b7b7-2523b7856b92.yml +++ b/yml/db965264-3117-4bad-b7b7-2523b7856b92.yml @@ -39,7 +39,7 @@ sigma_rule: - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9 name: posh_ps_file_and_directory_discovery.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 name: posh_ps_malicious_commandlets.yml - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a diff --git a/yml/dbf4f5a9-b8e0-46a3-9841-9ad71247239e.yml b/yml/dbf4f5a9-b8e0-46a3-9841-9ad71247239e.yml index 48208f84..14e59c6f 100644 --- a/yml/dbf4f5a9-b8e0-46a3-9841-9ad71247239e.yml 
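Review bot: `sigma: false` with `sigma_rule: []` for a `vssadmin resize shadowstorage` test looks like an unmapped entry rather than a genuine detection gap — as far as I recall the Sigma process-creation rule "Shadow Copies Deletion Using Operating Systems Utilities" matches `resize shadowstorage` on vssadmin alongside `delete shadows`, so the mapping step should be re-run (or the rule added by hand) before this file lands with an empty list. The `description` also reads awkwardly and capitalises the command as if it were a product name; suggest `Resize the shadow storage volume with vssadmin.exe so that existing shadow copies are discarded and new ones cannot be retained; ransomware commonly does this immediately before deleting the shadow storage outright.` A short note on what the test actually executes (the resize command and its size argument) would help anyone matching it against a rule, since the Attack_description is the generic ATT&CK text and mentions only the delete form.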
+++ b/yml/dbf4f5a9-b8e0-46a3-9841-9ad71247239e.yml @@ -25,11 +25,11 @@ sigma_rule: - id: 61d0475c-173f-4844-86f7-f3eebae1c66b name: posh_ps_set_policies_to_unsecure_level.yml - id: 03d83090-8cba-44a0-b02f-0b756a050306 - name: posh_ps_accessing_win_api.yml + name: posh_ps_win_api_susp_access.yml - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 name: file_event_win_csharp_compile_artefact.yml - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - name: proc_creation_win_csc_susp_folder.yml + name: proc_creation_win_csc_susp_dynamic_compilation.yml - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d name: proc_access_win_cred_dump_lsass_access.yml diff --git a/yml/de3f8e74-3351-4fdb-a442-265dbf231738.yml b/yml/de3f8e74-3351-4fdb-a442-265dbf231738.yml new file mode 100644 index 00000000..efce6ef2 --- /dev/null +++ b/yml/de3f8e74-3351-4fdb-a442-265dbf231738.yml 
@@ -0,0 +1,18 @@
+Attack_name: 'Boot or Logon Autostart Execution: Security Support Provider'
+Attack_description: |-
+ Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
+
+ The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
+guid: de3f8e74-3351-4fdb-a442-265dbf231738
+name: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry
+tactic:
+ - persistence
+ - privilege-escalation
+technique:
+ - T1547.005
+os:
+ - windows
+description: Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
+executor: powershell
+sigma: false
+sigma_rule: []
diff --git a/yml/dec6a0d8-bcaf-4c22-9d48-2aee59fb692b.yml b/yml/dec6a0d8-bcaf-4c22-9d48-2aee59fb692b.yml
index e7c15ae8..e11c170d 100644
--- a/yml/dec6a0d8-bcaf-4c22-9d48-2aee59fb692b.yml
+++ b/yml/dec6a0d8-bcaf-4c22-9d48-2aee59fb692b.yml
@@ -38,7 +38,7 @@ sigma_rule:
 - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
 name: posh_ps_susp_download.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 name: posh_ps_detect_vm_env.yml
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
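Review bot: The new de3f8e74 record ends with `sigma: false` and `sigma_rule: []`, although the test it describes writes to the Lsa `OSConfig` Security Packages key named in its own `name:` field, a registry write that defenders would expect to find mapped to a detection. If the rule set already carries a registry-event rule for the `Lsa\Security Packages` keys, the mapping belongs here; if none exists, one line in `description:` such as `No Sigma rule mapped yet; detection relies on registry-event monitoring of the Lsa\Security Packages keys.` would keep the empty list from reading as "reviewed, nothing applies". The same empty mapping appears in the new f7d38f47 (Print Processors) record further down, which also registers a DLL through a registry key. Minor: `name:` uses the PowerShell drive form `HKLM:\System\...` while `Attack_description` uses `HKLM\SYSTEM\...`; one form would read more consistently.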
diff --git a/yml/deecd55f-afe0-4a62-9fba-4d1ba2deb321.yml b/yml/deecd55f-afe0-4a62-9fba-4d1ba2deb321.yml
index 71d58ecb..1ba0dbb3 100644
--- a/yml/deecd55f-afe0-4a62-9fba-4d1ba2deb321.yml
+++ b/yml/deecd55f-afe0-4a62-9fba-4d1ba2deb321.yml
@@ -39,7 +39,7 @@ sigma_rule:
 - id: 1883444f-084b-419b-ac62-e0d0c5b3693f
 name: posh_ps_susp_networkcredential.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
 name: net_connection_win_powershell_network_connection.yml
 - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
diff --git a/yml/e1f93a06-1649-4f07-89a8-f57279a7d60e.yml b/yml/e1f93a06-1649-4f07-89a8-f57279a7d60e.yml
index 57b93c23..239bce12 100644
--- a/yml/e1f93a06-1649-4f07-89a8-f57279a7d60e.yml
+++ b/yml/e1f93a06-1649-4f07-89a8-f57279a7d60e.yml
@@ -44,11 +44,11 @@ sigma_rule:
 - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
 name: posh_ps_susp_windowstyle.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
 name: net_connection_win_powershell_network_connection.yml
 - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
diff --git a/yml/e7bf9802-2e78-4db9-93b5-181b7bcd37d7.yml b/yml/e7bf9802-2e78-4db9-93b5-181b7bcd37d7.yml
index 5ba69856..ac04fc2b 100644
--- a/yml/e7bf9802-2e78-4db9-93b5-181b7bcd37d7.yml
+++ b/yml/e7bf9802-2e78-4db9-93b5-181b7bcd37d7.yml
@@ -43,7 +43,7 @@ sigma_rule:
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
 name: proc_creation_win_susp_shell_spawn_susp_program.yml
 - id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
diff --git a/yml/e7e3a525-7612-4d68-a5d3-c4649181b8af.yml b/yml/e7e3a525-7612-4d68-a5d3-c4649181b8af.yml
index f8243785..cdafec35 100644
--- a/yml/e7e3a525-7612-4d68-a5d3-c4649181b8af.yml
+++ b/yml/e7e3a525-7612-4d68-a5d3-c4649181b8af.yml
@@ -23,13 +23,13 @@ sigma_rule:
 - id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
 name: posh_ps_susp_keywords.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
 name: posh_ps_susp_windowstyle.yml
 - id: 1883444f-084b-419b-ac62-e0d0c5b3693f
diff --git a/yml/e9795c8d-42aa-4ed4-ad80-551ed793d006.yml b/yml/e9795c8d-42aa-4ed4-ad80-551ed793d006.yml
index 729b8e52..9f7f3c3e 100644
--- a/yml/e9795c8d-42aa-4ed4-ad80-551ed793d006.yml
+++ b/yml/e9795c8d-42aa-4ed4-ad80-551ed793d006.yml
@@ -13,5 +13,9 @@ os:
 - windows
 description: Adversaries may rely on a user running a malicious image to facilitate execution
 executor: powershell
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+ - id: 29e1c216-6408-489d-8a06-ee9d151ef819
+ name: posh_ps_susp_mount_diskimage.yml
+ - id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
+ name: win_security_iso_mount.yml
diff --git a/yml/e9f2b777-3123-430b-805d-5cedc66ab591.yml b/yml/e9f2b777-3123-430b-805d-5cedc66ab591.yml
index ebe4b346..0b27bffb 100644
--- a/yml/e9f2b777-3123-430b-805d-5cedc66ab591.yml
+++ b/yml/e9f2b777-3123-430b-805d-5cedc66ab591.yml
@@ -19,13 +19,13 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
 name: posh_ps_susp_windowstyle.yml
 - id: 1883444f-084b-419b-ac62-e0d0c5b3693f
diff --git a/yml/e9fdb899-a980-4ba4-934b-486ad22e22f4.yml b/yml/e9fdb899-a980-4ba4-934b-486ad22e22f4.yml
index 292f7d4f..957c2933 100644
--- a/yml/e9fdb899-a980-4ba4-934b-486ad22e22f4.yml
+++ b/yml/e9fdb899-a980-4ba4-934b-486ad22e22f4.yml
@@ -43,7 +43,7 @@ sigma_rule:
 - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
 name: posh_ps_susp_get_current_user.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 name: posh_ps_malicious_commandlets.yml
 - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
@@ -79,7 +79,7 @@ sigma_rule:
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
 name: net_connection_win_binary_susp_com.yml
 - id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
diff --git a/yml/ec1d0b37-f659-4186-869f-31a554891611.yml b/yml/ec1d0b37-f659-4186-869f-31a554891611.yml
index 63bfcc7b..3c27bbfc 100644
--- a/yml/ec1d0b37-f659-4186-869f-31a554891611.yml
+++ b/yml/ec1d0b37-f659-4186-869f-31a554891611.yml
@@ -40,7 +40,7 @@ sigma_rule:
 - id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 name: posh_ps_detect_vm_env.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 name: posh_ps_malicious_commandlets.yml
 - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
@@ -80,7 +80,7 @@ sigma_rule:
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
 name: posh_pm_bad_opsec_artifacts.yml
 - id: cef24b90-dddc-4ae1-a09a-8764872f69fc
diff --git a/yml/eea1d918-825e-47dd-acc2-814d6c58c0e1.yml b/yml/eea1d918-825e-47dd-acc2-814d6c58c0e1.yml
index 9756cdf0..ee70868b 100644
--- a/yml/eea1d918-825e-47dd-acc2-814d6c58c0e1.yml
+++ b/yml/eea1d918-825e-47dd-acc2-814d6c58c0e1.yml
@@ -36,7 +36,7 @@ sigma_rule:
 - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
 name: posh_ps_susp_get_current_user.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 0332a266-b584-47b4-933d-a00b103e1b37
 name: posh_ps_susp_gwmi.yml
 - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
diff --git a/yml/f3132740-55bc-48c4-bcc0-758a459cd027.yml b/yml/f3132740-55bc-48c4-bcc0-758a459cd027.yml
index 801085a2..fb731d0e 100644
--- a/yml/f3132740-55bc-48c4-bcc0-758a459cd027.yml
+++ b/yml/f3132740-55bc-48c4-bcc0-758a459cd027.yml
@@ -38,4 +38,4 @@ sigma_rule:
 - id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
 name: win_alert_mimikatz_keywords.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
diff --git a/yml/f3c145f9-3c8d-422c-bd99-296a17a8f567.yml b/yml/f3c145f9-3c8d-422c-bd99-296a17a8f567.yml
index 3ecc9011..d8ae3810 100644
--- a/yml/f3c145f9-3c8d-422c-bd99-296a17a8f567.yml
+++ b/yml/f3c145f9-3c8d-422c-bd99-296a17a8f567.yml
@@ -45,7 +45,7 @@ sigma_rule:
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 name: posh_ps_malicious_commandlets.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
 name: posh_ps_susp_download.yml
 - id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
@@ -85,7 +85,7 @@ sigma_rule:
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: b6d235fc-1d38-4b12-adbe-325f06728f37
 name: registry_event_cmstp_execution_by_registry.yml
 - id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
diff --git a/yml/f6df0b8e-2c83-44c7-ba5e-0fa4386bec41.yml b/yml/f6df0b8e-2c83-44c7-ba5e-0fa4386bec41.yml
index e2b8237a..e33d2ed7 100644
--- a/yml/f6df0b8e-2c83-44c7-ba5e-0fa4386bec41.yml
+++ b/yml/f6df0b8e-2c83-44c7-ba5e-0fa4386bec41.yml
@@ -20,6 +20,7 @@ os:
 description: |
 An adversary can disable the ETW Provider of Windows Defender, so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+ https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
 executor: command_prompt
 sigma: true
 sigma_rule:
diff --git a/yml/f7d38f47-c61b-47cc-a59d-fc0368f47ed0.yml b/yml/f7d38f47-c61b-47cc-a59d-fc0368f47ed0.yml
new file mode 100644
index 00000000..617fb4a1
--- /dev/null
+++ b/yml/f7d38f47-c61b-47cc-a59d-fc0368f47ed0.yml
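Review bot: The line added to f6df0b8e drops a bare URL into the `description: |` block with no lead-in, so the rendered description now ends in an unexplained link right after the sentence about the Defender ETW provider. A short label makes the intent clear, e.g. `Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a`. Because the block is a literal scalar, the new line must carry the same leading indentation as the line above it or YAML will end the block early and fail to parse the file; the collapsed view here does not let me confirm the indentation, so please check it.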
@@ -0,0 +1,27 @@
+Attack_name: 'Boot or Logon Autostart Execution: Print Processors'
+Attack_description: "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler\
+ \ service, spoolsv.exe, during boot. \n\nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the\
+ \ AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding\
+ \ the HKLM\\SYSTEM\\\\[CurrentControlSet or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry\
+ \ key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory\
+ \ API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation:\
+ \ ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges."
+guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0
+name: Print Processors
+tactic:
+ - persistence
+ - privilege-escalation
+technique:
+ - T1547.012
+os:
+ - windows
+description: |
+ Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
+ The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. 
The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
+
+ Note: The test assumes a x64 Windows operating system.
+
+ The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
+executor: powershell
+sigma: false
+sigma_rule: []
diff --git a/yml/f974894c-5991-4b19-aaf5-7cc2fe298c5d.yml b/yml/f974894c-5991-4b19-aaf5-7cc2fe298c5d.yml
index f90e8636..04841254 100644
--- a/yml/f974894c-5991-4b19-aaf5-7cc2fe298c5d.yml
+++ b/yml/f974894c-5991-4b19-aaf5-7cc2fe298c5d.yml
@@ -22,4 +22,4 @@ sigma_rule:
 - id: f62176f3-8128-4faa-bf6c-83261322e5eb
 name: posh_ps_malicious_keywords.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
diff --git a/yml/fa714db1-63dd-479e-a58e-7b2b52ca5997.yml b/yml/fa714db1-63dd-479e-a58e-7b2b52ca5997.yml
index a73b36e9..89ddb00a 100644
--- a/yml/fa714db1-63dd-479e-a58e-7b2b52ca5997.yml
+++ b/yml/fa714db1-63dd-479e-a58e-7b2b52ca5997.yml
@@ -40,10 +40,10 @@ sigma_rule:
 - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
 name: posh_pm_susp_invocation_specific.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
 - id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
 name: posh_pm_bad_opsec_artifacts.yml
diff --git a/yml/fd3c1c6a-02d2-4b72-82d9-71c527abb126.yml b/yml/fd3c1c6a-02d2-4b72-82d9-71c527abb126.yml
index 6d6a69be..68afce68 100644
--- a/yml/fd3c1c6a-02d2-4b72-82d9-71c527abb126.yml
+++ b/yml/fd3c1c6a-02d2-4b72-82d9-71c527abb126.yml
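Review bot: In the `description:` block of the new f7d38f47 record, `Note: The test assumes a x64 Windows operating system.` should read `Note: The test assumes an x64 Windows operating system.`. The hunk begins on the previous line, where the rest of the description and the Attack_description live.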
@@ -24,4 +24,4 @@ sigma_rule:
 - id: e32d4572-9826-4738-b651-95fa63747e8a
 name: proc_creation_win_powershell_frombase64string.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
diff --git a/yml/fdd0c913-714b-4c13-b40f-1824d6c015f2.yml b/yml/fdd0c913-714b-4c13-b40f-1824d6c015f2.yml
index a03eaea3..476b3476 100644
--- a/yml/fdd0c913-714b-4c13-b40f-1824d6c015f2.yml
+++ b/yml/fdd0c913-714b-4c13-b40f-1824d6c015f2.yml
@@ -40,7 +40,7 @@ sigma_rule:
 - id: 0332a266-b584-47b4-933d-a00b103e1b37
 name: posh_ps_susp_gwmi.yml
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
 name: posh_ps_susp_download.yml
 - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
diff --git a/yml/fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4.yml b/yml/fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4.yml
index 303be579..4d9776e4 100644
--- a/yml/fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4.yml
+++ b/yml/fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4.yml
@@ -19,4 +19,4 @@ executor: command_prompt
 sigma: true
 sigma_rule:
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
diff --git a/yml/ffcdbd6a-b0e8-487d-927a-09127fe9a206.yml b/yml/ffcdbd6a-b0e8-487d-927a-09127fe9a206.yml
index ff46ca27..51943620 100644
--- a/yml/ffcdbd6a-b0e8-487d-927a-09127fe9a206.yml
+++ b/yml/ffcdbd6a-b0e8-487d-927a-09127fe9a206.yml
@@ -18,4 +18,4 @@ executor: command_prompt
 sigma: true
 sigma_rule:
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml
diff --git a/yml/ffd9c807-d402-47d2-879d-f915cf2a3a94.yml b/yml/ffd9c807-d402-47d2-879d-f915cf2a3a94.yml
index dd4c6b5b..b22b154b 100644
--- a/yml/ffd9c807-d402-47d2-879d-f915cf2a3a94.yml
+++ b/yml/ffd9c807-d402-47d2-879d-f915cf2a3a94.yml
@@ -18,8 +18,8 @@ executor: powershell
 sigma: true
 sigma_rule:
 - id: 03d83090-8cba-44a0-b02f-0b756a050306
- name: posh_ps_accessing_win_api.yml
+ name: posh_ps_win_api_susp_access.yml
 - id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 name: file_event_win_csharp_compile_artefact.yml
 - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- name: proc_creation_win_csc_susp_folder.yml
+ name: proc_creation_win_csc_susp_dynamic_compilation.yml