hayabusa/config/regex/detectlist_suspicous_services.txt

^cmd.exe /c echo [a-z]{6} > \\\\.\\pipe\\[a-z]{6}$
^%SYSTEMROOT%\\[a-zA-Z]{8}\.exe$
powershell.*FromBase64String.*IO.Compression.GzipStream
DownloadString\(.http
mimikatz
Invoke-Mimikatz.ps
PowerSploit.*ps1
User-Agent
[a-zA-Z0-9/+=]{500}
powershell.exe.*Hidden.*Enc
\\csc\.exe
\\csc\.exe.*\\Appdata\\Local\\Temp\\[a-z0-9]{8}\.cmdline
# Generic cvtres.exe alert
\\cvtres\.exe.*
\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp
^[a-zA-Z]{22}$
^[a-zA-Z]{16}$