@ghostrodeo Yeah. Also a test for any UEBA/ML type tooling. I fully expect EDR to catch out-of-the-box with signatures, but it's gotta be tested. I'm in the process of finding a counterpart on the SOC team to work with to make the exercise 'purple': "Okay, here's the basic config. Didja see it? Okay, let's try w/ some obfuscation...", etc.