remove kind
patel-bhavin committed Sep 24, 2024
1 parent 6e4ae3d commit 90533f8
Showing 5 changed files with 0 additions and 5 deletions.
Expand Up @@ -13,7 +13,6 @@ description: The following analytic detects modifications to the registry relate
By monitoring changes in the registry entries associated with antivirus autostart settings, this detection enables security
analysts to identify attempts to disable protective software. Detecting these modifications early is critical for maintaining
system integrity and preventing further compromise by malicious actors.
kind: endpoint
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE Registry.registry_path IN("*\\kingsoft\\antivirus\\KAVReport\\*" , "*\\kingsoft\\antivirus\\KSetting\\*", "*\\kingsoft\\antivirus\\Windhunter\\*" ,"*\\Tencent\\QQPCMgr\\*")
AND ((Registry.registry_value_name IN("autostart","kxesc", "WindhunterSwitch") AND Registry.registry_value_data = "0x00000000")
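Review bot: the removed `kind: endpoint` line has no replacement, and nothing in this hunk shows whether the detection schema or validator was changed to match; if `kind` is still declared as a required field anywhere in the repository's schema or templates, the five files touched by this commit will fail validation, so the schema change should land in the same commit or be referenced from it. Separately, on the last context line, `Registry.registry_value_data = "0x00000000"` is an exact string match; confirm that the Endpoint.Registry data model normalizes DWORD data to that hex form for the sources in use, otherwise an event carrying a decimal `0` would be missed.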
Expand Up @@ -8,7 +8,6 @@ data_sources:
type: Anomaly
status: production
description: The following analytic detects modifications to the Windows Registry specifically targeting Programmatic Identifier associations to bypassed User Account Control (UAC) Windows OS feature. ValleyRAT may create or alter registry entries to a targetted progIDs like `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to ProgIDs, this detection enables security analysts to identify potential threats like ValleyRAT execution attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system.
kind: endpoint
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE Registry.registry_path= "*\\ms-settings\\CurVer\\(Default)"
BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
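Review bot: the description on the context line still carries wording copied from the `.pwn` file-association detection ("ValleyRAT may create or alter registry entries to a targetted progIDs like `.pwn` files") even though this search matches only `*\\ms-settings\\CurVer\\(Default)`, the ProgID key abused for UAC bypass; since the file is being touched anyway, change "to bypassed User Account Control" to "to bypass User Account Control", "targetted" to "targeted", and describe the `ms-settings` CurVer key instead of `.pwn` files so the description matches the search.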
Expand Up @@ -8,7 +8,6 @@ data_sources:
type: TTP
status: production
description: The following analytic detects modifications to the Windows Registry specifically targeting `.pwn` file associations related to the ValleyRAT malware. ValleyRAT may create or alter registry entries to associate `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to `.pwn` extensions, this detection enables security analysts to identify potential ValleyRAT infection attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system.
kind: endpoint
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*.pwn\\Shell\\Open\\command" OR Registry.registry_value_data = ".pwn")
BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
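Review bot: the second clause of the search, `Registry.registry_value_data = ".pwn"`, matches any registry value anywhere whose data is exactly `.pwn`, independent of the `*.pwn\\Shell\\Open\\command` path constraint in the first clause; because the detection is `type: TTP`, every such match is treated as high confidence, so either add a comment explaining why the unconstrained match is intended or narrow it with a path filter.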
Expand Up @@ -13,7 +13,6 @@ description: The following analytic detects instances where the taskschd.dll is
writable or non-standard directories to manipulate the Task Scheduler and execute malicious tasks. By identifying
processes that load taskschd.dll in these unsafe locations, this detection helps security analysts flag potentially
malicious activity and investigate further to prevent unauthorized system modifications.
kind: endpoint
search: '`sysmon` EventCode=7 Image IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*",
"*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "\\Windows\\repair\\*", "*\\temp\\*", "*\\PerfLogs\\*")
ImageLoaded = "*\\taskschd.dll"
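Review bot: in the `Image IN (...)` list on the second context line, `"\\Windows\\repair\\*"` is the only entry without a leading `*`; since `Image` is a full path beginning with a drive letter, that pattern can never match and should read `"*\\Windows\\repair\\*"` like its neighbours. Note also that `"*\\temp\\*"` already subsumes `"*\\windows\\temp\\*"`, so one of the two can be dropped.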
Expand Up @@ -8,7 +8,6 @@ data_sources:
type: TTP
status: production
description: The following analytic detects the creation or modification of Windows Scheduled Tasks related to CompMgmtLauncher or Eventvwr. These legitimate system utilities, used for launching the Computer Management Console and Event Viewer, can be abused by attackers to execute malicious payloads under the guise of normal system processes. By leveraging these tasks, adversaries can establish persistence or elevate privileges without raising suspicion. This detection helps security analysts identify unusual or unauthorized scheduled tasks involving these executables, allowing for timely investigation and remediation of potential threats.
kind: endpoint
search: '`wineventlog_security` EventCode=4698 TaskContent = "*<Command>C:\\Windows\\System32\\CompMgmtLauncher.exe</Command>*" OR
TaskContent = "*<Command>C:\\Windows\\System32\\zh-CN\\eventvwr.msc</Command>*" OR
TaskContent = "*<Command>C:\\Windows\\System32\\eventvwr.msc</Command>*"
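Review bot: the three `TaskContent` patterns hard-code the `C:\\Windows\\System32\\` prefix and a single locale folder (`zh-CN`), so a task whose `<Command>` uses `%SystemRoot%`, `%windir%`, a different system drive, or another locale directory (for example `en-US\\eventvwr.msc`) will not match; either wildcard the prefix (`*\\System32\\*eventvwr.msc`) or state in the description why only the `zh-CN` and root paths are covered.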