Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
Detects potential suspicious winget package installation from a suspicious source.
Detects the download of suspicious file type from a well-known file and paste sharing domain
Detects the creation of an ADS (Alternate Data Stream) that contains an executable (non-empty imphash)
Detects the download of suspicious file type from URLs with IP
Detects the creation of a file on disk that has an imphash of a well-known hack tool
Exports the target Registry key and hides it in the specified alternate data stream.