Living Off The Land Binaries and Scripts.

https://lolbas-project.github.io/

and why hunting for LOLBINS is so useful

https://nasbench.medium.com/why-hunting-for-lolbins-is-one-of-the-best-bets-e5e58e1619c2

The URL's a Windows endpoint talks to and why

https://learn.microsoft.com/en-gb/windows/privacy/manage-windows-11-endpoints

https://learn.microsoft.com/en-gb/windows/privacy/manage-windows-21h2-endpoints

The abuse of MSRPC mapped to Mitre ATT&CK

https://github.com/jsecurity101/MSRPC-to-ATTACK

Finding Forensic Goodness In Obscure Windows Event Logs

https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3

Windows API calls commonly used by malware

https://malapi.io/

Detecting Windows Endpoint Compromise with System Access Control Lists.

https://medium.com/@cryps1s/detecting-windows-endpoint-compromise-with-sacls-cd748e10950

https://github.com/OTRF/Set-AuditRule