diff --git a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml
index aefa14a98f..782e8f3571 100644
--- a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml
+++ b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml
@@ -1,7 +1,7 @@
 name: Exchange PowerShell Abuse via SSRF
 id: 29228ab4-0762-11ec-94aa-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-02-19'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
@@ -14,7 +14,7 @@ description: The following analytic detects suspicious behavior indicative of Pr
   If confirmed malicious, this could lead to unauthorized access, privilege escalation,
   or persistent control over the Exchange environment.
 data_source: []
-search: '`exchange` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST"
+search: '`windows_exchange_iis` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST"
   | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query,
   cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `exchange_powershell_abuse_via_ssrf_filter`'
diff --git a/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml b/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml
new file mode 100644
index 0000000000..14435b76f1
--- /dev/null
+++ b/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml
@@ -0,0 +1,65 @@
+name: Windows Compatibility Telemetry Suspicious Child Process
+id: 56fe46ca-ffef-46fe-8f0e-5cd4b7b4cc0c
+version: 1
+date: '2025-02-13'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic detects the execution of CompatTelRunner.exe with parameters indicative of a process not part of the normal "Microsoft Compatibility Appraiser" telemetry collection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.
+data_source: 
+- Windows Security Event ID 4688
+- Sysmon Event ID 1
+- CrowdStrike ProcessRollup2
+search: |-
+  |  tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name = "CompatTelRunner.exe" AND Processes.process="* -cv:*" NOT Processes.process IN ("* -m:*") BY _time span=1h Processes.user Processes.dest Processes.parent_process_name Processes.process_name
+  |`drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `windows_compatibility_telemetry_suspicious_child_process_filter`
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: None identified
+references:
+- https://attack.mitre.org/techniques/T1546/
+- https://scythe.io/threat-thursday/windows-telemetry-persistence
+- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate processes on $dest$ 
+  search: '| from datamodel Endpoint.Processes
+| search dest = "$dest$" AND process_name = "$process_name$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The process $process_name$ was launched in a suspicious manner by $parent_process_name$ on host $dest$
+  risk_objects: 
+  - field: dest
+    type: system
+    score: 70
+  threat_objects: 
+  - field: process_name
+    type: process
+tags:
+  analytic_story: 
+  - Windows Persistence Techniques
+  asset_type: Endpoint
+  mitre_attack_id: 
+  - T1546
+  - T1053.005
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
\ No newline at end of file
diff --git a/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml b/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml
new file mode 100644
index 0000000000..499d13543b
--- /dev/null
+++ b/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml
@@ -0,0 +1,67 @@
+name: Windows Compatibility Telemetry Tampering Through Registry
+id: 43834687-cc48-4878-a2fa-f76e4271791f
+version: 1
+date: '2025-02-13'
+author: Steven Dick
+status: production
+type: TTP
+description: This detection identifies suspicious modifications to the Windows Compatibility Telemetry registry settings, specifically within the "TelemetryController" registry key and "Command" registry value. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.
+data_source: 
+- Sysmon Event ID 13
+search: |-
+  | tstats `security_content_summariesonly` min(_time) as firstTime, max(_time) as lastTime, count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController*" AND Registry.registry_value_name="Command" NOT Registry.registry_value_data IN ("(empty)")) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
+  | `drop_dm_object_name(Registry)`
+  | eval process = registry_value_data 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `windows_compatibility_telemetry_tampering_through_registry_filter`
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: None identified
+references:
+- https://attack.mitre.org/techniques/T1546/
+- https://scythe.io/threat-thursday/windows-telemetry-persistence
+- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence
+drilldown_searches:
+- name: View the detection results for - "$dest$" and "$user$"
+  search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$" and "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$","$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate registry changes on $dest$ 
+  search: '| from datamodel Endpoint.Registry
+| search registry_path = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController*" AND dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The process $process$ was added to registry settings for the Compatibility Appraiser by $user$ on host $dest$
+  risk_objects: 
+  - field: dest
+    type: system
+    score: 70
+  - field: user
+    type: user
+    score: 70
+  threat_objects: 
+  - field: process
+    type: process
+tags:
+  analytic_story: 
+  - Windows Persistence Techniques
+  asset_type: Endpoint
+  mitre_attack_id: 
+  - T1546
+  - T1053.005
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml
new file mode 100644
index 0000000000..5d7eb02d53
--- /dev/null
+++ b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml
@@ -0,0 +1,78 @@
+name: Windows Service Created with Suspicious Service Name
+id: 35eb6d19-a497-400c-93c5-645562804b11
+version: 1
+date: '2025-02-07'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.
+data_source: 
+- Windows Event Log System 7045
+search: |-
+  `wineventlog_system` EventCode=7045 
+  | stats values(user) as user, values(ImagePath) as process, count, min(_time) as firstTime, max(_time) as lastTime values(EventCode) as signature by Computer, ServiceName, StartType, ServiceType, UserID
+  | eval process_name = mvindex(split(process,"\\"),-1)
+  | rename Computer as dest, ServiceName as object_name, ServiceType as object_type
+  | lookup windows_suspicious_services service_name as object_name
+  | where isnotnull(tool_name)
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_service_created_with_suspicious_service_name_filter`
+how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.
+known_false_positives: Legitimate applications may install services with uncommon services paths.
+references:
+- https://attack.mitre.org/techniques/T1569/002/
+- https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16
+- https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
+- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_services_names_list.csv
+drilldown_searches:
+- name: View the detection results for - "$dest$""
+  search: '%original_detection_search% | search dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate service events on $dest$ 
+  search: '`wineventlog_system` EventCode=7045 ServiceName = "$object_name$" dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A known malicious service name $object_name$ was created using $process$ on $dest$, this may indicate the presence of [$tool_name$]
+  risk_objects: 
+  - field: dest
+    type: system
+    score: 75
+  - field: user
+    type: user
+    score: 75
+  threat_objects: 
+  - field: process
+    type: process
+  - field: object_name
+    type: signature
+tags:
+  analytic_story: 
+  - Active Directory Lateral Movement
+  - Brute Ratel C4
+  - CISA AA23-347A
+  - Clop Ransomware
+  - Flax Typhoon
+  - PlugX
+  - Qakbot
+  - Snake Malware
+  asset_type: Endpoint
+  mitre_attack_id: 
+  - T1569.002
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log
+    source: XmlWinEventLog:System
+    sourcetype: XmlWinEventLog
diff --git a/lookups/windows_suspicious_services.csv b/lookups/windows_suspicious_services.csv
new file mode 100644
index 0000000000..732f509268
--- /dev/null
+++ b/lookups/windows_suspicious_services.csv
@@ -0,0 +1,84 @@
+service_name,service_path,tool_name,tool_category,tool_type,severity,comment,reference
+*mimidrv*,,mimidrv,Credential Access,offensive_tool,critical,,https://github.com/mthcht/awesome-lists
+*mimikatz*,,mimidrv,Credential Access,offensive_tool,critical,,https://github.com/mthcht/awesome-lists
+*sharpsploit*,,sharpsploit,Lateral Movement,offensive_tool,critical,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SharpSploit.csv,https://github.com/cobbr/SharpSploit/blob/c16931ddb8cd2335e0bd26feb9aaa35f449d48db/SharpSploit/LateralMovement/SCM.cs#L209
+3proxy,,3proxy,Defense Evasion,offensive_tool,medium,https://github.com/3proxy/3proxy/blob/a80bef9ecf0c0ed98ccb1a1a764f6b79a620b78f/src/stringtable.c#L14,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/_Others/3proxy.csv
+AADInternals,,AADInternals,Credential Access,greyware_tools,high,A little service to steal the AD FS DKM secret,https://github.com/Gerenios/AADInternals/blob/0fa2edf5676439cd3fe7c92ed8006b63f0be9632/ADFS.ps1#L484C132-L484C144
+aswSP_ArPot1,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf
+aswSP_ArPot2,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf
+aswSP_ArPot3,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf
+aswSP_ArPots,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf
+SecurityCenterIBM,,Clop Ransomware,Defense Evasion,offensive_tool,high,abused by Clop ransomware,https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html
+WinCheckDRVs,,Clop Ransomware,Defense Evasion,offensive_tool,high,abused by Clop ransomware,https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html
+BadWindowsService,,BadWindowsService,Privilege Escalation,offensive_tool,critical,https://github.com/eladshamir/BadWindowsService/blob/a7057720763fceaa7cbac9088d4c69b43d17a28f/BadWindowsService/ProjectInstaller.Designer.cs#L44,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/A-C/BadWindowsService.csv
+BlockNewProc,,BlockNewProc,Defense Evasion,offensive_tool,critical,PoCs to block new process with Process Notify Callback method - BlockNewProc,https://github.com/daem0nc0re/VectorKernel/blob/main/BlockNewProc/README.md
+BTOBTO,,smbExec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv
+c3pool_miner,,xmrig,Cryptominer,greyware_tool,critical,https://github.com/C3Pool/xmrig_setup/blob/82c4e9bf7ee3c0c9cd925ede6e46e9ed4cc5f195/setup_c3pool_miner.bat#L380,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/X-Z/xmrig.csv
+chopper,,TChopper,Lateral Movement,offensive_tool,critical,https://github.com/lawrenceamer/TChopper/blob/f7383a36af813019ebefb70803dc82a842ed9273/chopper.lpr#L237C25-L237C34,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/Tchopper.csv
+CorpVPN,,UacMe,Persistence,offensive_tool,critical,https://github.com/r00t-3xp10it/redpill/blob/611d39b8bff717ac84d58550dc04e1b312acb19e/bin/UacMe.ps1#L291,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/redpill.csv
+CreateToken,,CreateToken,Privilege Escalation,offensive_tool,critical,PoCs to get full privileged SYSTEM token with `ZwCreateToken()` API - CreateToken,https://github.com/daem0nc0re/VectorKernel/blob/main/CreateToken/README.md
+CreatSvcRpc_*,,CreateSvcRpc,Privilege Escalation,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SspiUacBypass.csv
+csexecsvc,,csexec,Lateral Movement,offensive_tool,critical,https://github.com/malcomvetter/CSExec/blob/d6bd3f97e66dc65ccf64d9102a33379fdb769614/csexecsvc/Program.cs#L13,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/csexec.csv
+CyberGhost 6 Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+CyberGhost 7 Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+CyberGhost 8 Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+CyberGhost Tunnel Client: CyberGhost-WireGuard-1,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+CyberGhost6Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: C:\Program Files\CyberGhost 6\Dashboard.Service.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+CyberGhost7Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: C:\Program Files\CyberGhost 7\Dashboard.Service.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+CyberGhost8Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: C:\Program Files\CyberGhost 8\Dashboard.Service.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+CyberGhostTunnel$CyberGhost-WireGuard-1,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: \Program Files\CyberGhost 8\Applications\VPN\WGHelper.exe /service C:\Windows\system32\config\systemprofile\AppData\Local\CyberGhost\WGSession-1\CyberGhost-WireGuard-1.conf,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv
+dcrypt,,DiskCryptor,Impact,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/DiskCryptor.csv
+dnsproxy,,dns-proxy,Defense Evasion,offensive_tool,critical,dnsproxy service,https://github.com/AdguardTeam/dnsproxy/pull/194/files
+final_seg,,TChopper,Lateral Movement,offensive_tool,critical,https://github.com/lawrenceamer/TChopper/blob/f7383a36af813019ebefb70803dc82a842ed9273/chopper.lpr#L237C25-L237C34,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/Tchopper.csv
+GetFullPrivs,,GetFullPrivs,Privilege Escalation,offensive_tool,critical,PoCs to get full privileges with DKOM method - GetFullPrivs,https://github.com/daem0nc0re/VectorKernel/blob/main/GetFullPrivs/README.md
+GetProcHandle,,GetProcHandle,Privilege Escalation,offensive_tool,critical,PoCs to get full access process handle from kernelmode - GetProcHandle,https://github.com/daem0nc0re/VectorKernel/blob/main/GetProcHandle/README.md
+GoodSync Server,,goodync,Data Exfiltration,greyware_tool,high,,https://www.goodsync.com/
+InjectLibrary,,InjectLibrary,Defense Evasion,offensive_tool,critical,PoCs to perform DLL injection with Kernel APC Injection method - InjectLibrary,https://github.com/daem0nc0re/VectorKernel/blob/main/InjectLibrary/README.md
+KrbSCM,,KrbRelayUp,Privilege Escalation,offensive_tool,critical,https://github.com/Dec0ne/KrbRelayUp/blob/e919f78afbacdb2c2e86f17267674069a377011c/README.md?plain=1#L90,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/KrbRelayUp.csv
+MagnetRAMCapture Driver,,MAGNET RAM Capture,Credential Access,greyware_tool,critical,,https://startupstash.com/tools/magnet-ram-capture/
+maint,,impacketremoteshell,Lateral Movement,offensive_tool,high,default service name installed https://github.com/trustedsec/The_Shelf/blob/feaece2bf00ba0ff46b39cadbd06803be1114d7a/POC/impacketremoteshell/RemoteMaint/main.cpp#L108,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/impacketremoteshell.csv
+MakeMeAdmin,,MakeMeAdmin,Privilege Escalation,offensive_tool,high,Enables users to elevate themselves to administrator-level rights https://github.com/pseymour/MakeMeAdmin/blob/18ea04be3dbc6e7cab8096558a3b02ef8f8682f6/Service/ProjectInstaller.Designer.cs#L63,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/MakeMeAdmin.csv
+Meterpreter,,metasploit,C2,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv
+metsvc,metsvc-server.exe,Metasploit server,Exploitation,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv
+ModHide,,ModHide,Defense Evasion,offensive_tool,critical,PoCs to hide loaded kernel drivers with DKOM method - ModHide,https://github.com/daem0nc0re/VectorKernel/blob/main/ModHide/README.md
+Neo_VPN,*\System32\drivers\Neo6_x64_VPN.sys,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv
+NoRebootSvc,NoReboot.exe,PSBits NoReboot.c,,offensive_tool,high,,https://github.com/gtworek/PSBits/blob/master/NoRebootSvc/readme.md
+Npcap Packet Driver (NPCAP),,NpCap Windows Packet Capture Library & Driver,Collection,greyware_tool,low,,https://github.com/nmap/npcap
+PAExec,,paexec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv
+PAExec-*,,paexec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv
+PCHunter*,,PCHunter,Defense Evasion,greyware_tool,medium,PCHunter service name installation - https://www.majorgeeks.com/files/details/pc_hunter.html,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PCHunter.csv
+physmem2profit,,physmem2profit,Credential Access,offensive_tool,critical,https://github.com/WithSecureLabs/physmem2profit/blob/2f64133bd9931303b8ae47630835e96347e0f294/server/Plugins/WinPmem.cs#L11,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/physmem2profit.csv
+PowerUpService,,PowerSploit Privesc.tests.ps1,Privilege Escalation,offensive_tool,critical,,https://github.com/PowerShellMafia/PowerSploit/blob/master/Tests/Privesc.tests.ps1
+PPLBlade,,pplblade,Defense Evasion,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PPLBlade.csv
+ProcExp,,DriverDump,Persistence,offensive_tool,critical,This program configures and loads a Windows service to manage a driver https://github.com/trustedsec/The_Shelf/blob/feaece2bf00ba0ff46b39cadbd06803be1114d7a/POC/driverdump/DriverDump/DriverDump.c#L45,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/DriverDump.csv
+ProcHide,,ProcHide,Defense Evasion,offensive_tool,critical,PoCs to hide process with DKOM method - ProcHide,https://github.com/daem0nc0re/VectorKernel/blob/main/ProcHide/README.md
+ProcProtect,,ProcProtect,Defense Evasion,offensive_tool,critical,PoCs to manipulate Protected Process - ProcProtect,https://github.com/daem0nc0re/VectorKernel/blob/main/ProcProtect/README.md
+pwdump*,,PWDumpX,Credential Access,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/pwdump.csv
+PWDumpX Service,,PWDumpX,Credential Access,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PWDumpX.csv
+QueryModule,,QueryModule,Collection,offensive_tool,medium,PoCs to perform retrieving kernel driver loaded address information - QueryModule,https://github.com/daem0nc0re/VectorKernel/blob/main/QueryModule/README.md
+RandomService,,Invoke-SMBRemoting,Lateral Movement,offensive_tool,critical,Invoke-SMBRemoting service example,https://github.com/Leo4j/Amnesiac/blob/216ba3a280bf49ea3f5b1afab80f843bbde3548d/Tools/Invoke-SMBRemoting.ps1#L33C99-L33C113
+RemCom Service,,RemCom.exe,Lateral movement,offensive_tool,critical,,https://github.com/kavika13/RemCom
+REPLACE_ME_DummyServiceName,,netexec,Credential Access,offensive_tool,critical,https://github.com/Pennyw0rth/NetExec/blob/b855dac2b696ea1b744f10a0573c6b394670a5cb/nxc/data/keepass_trigger_module/RestartKeePass.ps1#L4,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/NetExec.csv
+Ring0NamedPipeFilter,,NamedPipeMaster,Privilege Escalation,offensive_tool,critical,https://github.com/gavz/NamedPipeMaster,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/NamedPipeMaster.csv
+Service_*,,PsMapExec,Lateral Movement,offensive_tool,critical,PsMapExec creating services regex detection: Service_[A-Za-z]{16},https://github.com/The-Viper-One/PsMapExec/blob/0ae7a6967c07bf3ebf555e665d4c43ce86c6addf/PsMapExec.ps1#L1488
+sesshijack,,atomic-red-team test T1563.002,Persistence,offensive_tool,high,,https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md?plain=1
+SEVPNCLIENTDEV,*\Program Files\SoftEther VPN Client Developer Edition\vpnclient.exe*,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv
+Shadowsocks Local Service,,Shadowsocks,C2,greyware_tool,high,https://github.com/shadowsocks/shadowsocks-rust/blob/846752866e0b52c3d93efa2036204eadc36cc696/README.md?plain=1#L458,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/shadowsocks.csv
+shadowsocks-local-service,,Shadowsocks,C2,greyware_tool,high,https://github.com/shadowsocks/shadowsocks-rust/blob/846752866e0b52c3d93efa2036204eadc36cc696/README.md?plain=1#L458,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/shadowsocks.csv
+SilkService,,SilkETW,Discovery,greyware_tool,low,C# wrappers for ETW - meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection,https://github.com/mandiant/SilkETW
+sliver*,,sliver,C2,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/sliver.csv
+SoftEther VPN*,,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv
+StealToken,,StealToken,Credential Access,offensive_tool,critical,PoCs to perform token stealing from kernelmode - StealToken,https://github.com/daem0nc0re/VectorKernel/blob/main/CreateToken/README.md
+svcEasySystem,,p0wnedShell,Privilege Escalation,offensive_tool,critical,https://github.com/Cn33liz/p0wnedShell/blob/35853bcc2a184f0e0fa7b18b0e54d4ad7a985ed6/p0wnedShell/Modules/PrivEsc/p0wnedEasySystem.cs#L582C33-L582C46,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/p0wnedShell.csv
+svcHighPriv,,EasySystem,Privilege Escalation,offensive_tool,critical,https://github.com/S3cur3Th1sSh1t/Creds/blob/f71e780c51fdc2fdabe4e51831fa6289b1bede96/Csharp/NamedPipeSystem.cs#L28,https://github.com/mthcht/awesome-lists
+TestService,,SharpyStay default,Persistence,offensive_tool,critical,,https://github.com/antonioCoco/SharPyShell/blob/29718225791f11fd3d66dd03df4c05c414256630/modules/ps_modules/Get-System.ps1#L89
+TestSVC,,SharpyShell - Get-System.ps1 default service name,Privilege Escalation,offensive_tool,critical,,https://github.com/antonioCoco/SharPyShell/blob/29718225791f11fd3d66dd03df4c05c414256630/modules/ps_modules/Get-System.ps1#L89
+UACBypassedService,,S4UTomato & KRBUACBypass,Privilege Escalation,offensive_tool,critical,https://github.com/wh0amitz/S4UTomato/blob/c709a2997efb1b30375c5134ff57eb49ec177918/S4UTomato/lib/KrbSCM.cs#L10 - https://github.com/wh0amitz/KRBUACBypass/blob/e2ad3ff8b5810dda0b2d75442f1c67aef7e3c4c1/KRBUACBypass/lib/KrbSCM.cs#L10,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/S4UTomato.csv
+VPN Client Device Driver - VPN,,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv
+WCESERVICE,,wce,Lateral Movement,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/wce.csv
+windows_monitoring,,social-engineer-toolkit persistence payload,Persistence,offensive_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/social-engineer-toolkit.csv
+winexesvc,,winexe,Lateral Movement,greyware_tool,low,https://www.kali.org/tools/winexe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/winexe.csv
+WinPwnage,,WinPwnage,Persistence,offensive_tool,critical,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/persist/persistMethod12.py#L24,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/WinPwnage.csv
+WinPwnageVPN,,WinPwnage,Persistence,offensive_tool,critical,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/uac/uacMethod13.py#L54,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/WinPwnage.csv
+WinRing0_*,,xmrig,Cryptomining,greyware_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/X-Z/xmrig.csv
+wsc_proxy,,no_defender,Defense Evasion,offensive_tool,low,technique observed with the tool no_defender https://github.com/es3n1n/no-defender - subject to false positives if avast is installed,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/no_defender.csv
diff --git a/lookups/windows_suspicious_services.yml b/lookups/windows_suspicious_services.yml
new file mode 100644
index 0000000000..cf85cbbf98
--- /dev/null
+++ b/lookups/windows_suspicious_services.yml
@@ -0,0 +1,14 @@
+name: windows_suspicious_services
+date: 2025-02-07
+version: 1
+id: 8c214005-2b4e-49c8-bba6-747005f11296
+author: Steven Dick
+lookup_type: csv
+description: A list of suspicious Windows Service names and locations
+default_match: false
+match_type: 
+- WILDCARD(service_name)
+- WILDCARD(service_path)
+min_matches: 1
+max_matches: 1
+case_sensitive_match: false
\ No newline at end of file
diff --git a/macros/exchange.yml b/macros/exchange.yml
deleted file mode 100644
index c32c147a16..0000000000
--- a/macros/exchange.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-definition: sourcetype="MSWindows:IIS"
-description: customer specific splunk configurations(eg- index, source, sourcetype).
-  Replace the macro definition with configurations for your Splunk Environment.
-name: exchange
\ No newline at end of file
diff --git a/macros/windows_exchange_iis.yml b/macros/windows_exchange_iis.yml
new file mode 100644
index 0000000000..52db4e12d2
--- /dev/null
+++ b/macros/windows_exchange_iis.yml
@@ -0,0 +1,4 @@
+definition: (sourcetype="MSWindows:2003:IIS" OR sourcetype="MSWindows:2008R2:IIS" OR sourcetype="MSWindows:2010EWS:IIS" OR sourcetype="MSWindows:2012:IIS" OR sourcetype="MSWindows:2013EWS:IIS")
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+  Replace the macro definition with configurations for your Splunk Environment.
+name: windows_exchange_iis