Bias Analysis
Detected Bias Types
powershell_heavy
windows_tools
missing_linux_example
windows_first
Summary
The documentation page exhibits a notable Windows bias. Many of the process activity hunting queries and analytics rules focus on Windows-specific tools (e.g., PowerShell, rundll32.exe, certutil, Exchange PowerShell Snapin, cscript, AdFind, Powercat, Nishang), and several queries explicitly reference Windows system events (e.g., Windows System Shutdown/Reboot). There are no equivalent Linux or cross-platform examples provided, nor is there mention of Linux-specific tools or attack patterns. The documentation consistently prioritizes Windows-centric scenarios and tools, with little to no consideration for Linux environments.
Recommendations
- Add Linux-specific examples for process activity, such as detection of suspicious bash scripts, cron job persistence, or use of common Linux attack tools (e.g., netcat, bash reverse shells, python one-liners).
- Include analytics rules and hunting queries that target Linux system events (e.g., unauthorized sudo usage, suspicious modifications to /etc/passwd or /etc/shadow, abnormal SSH activity).
- Provide parity for registry and file activity by referencing Linux equivalents (e.g., monitoring changes to important configuration files, detection of rootkit installation attempts).
- Balance PowerShell and Windows tool coverage with Linux shell and utility coverage (e.g., grep, awk, sed, systemctl, journalctl).
- Explicitly state cross-platform applicability where possible, and clarify which content is Windows-only versus platform-agnostic.
- Consider adding a section or table that maps Windows-centric detections to their Linux equivalents to help users adapt content for non-Windows environments.