Update doc

rules/README.md

@@ -34,7 +34,10 @@
 	* [Suspicious.PowerShell.B](#suspiciouspowershellb)
 	* [Suspicious.PowerShell.C](#suspiciouspowershellc)
 * [Suspicious.RunFromSusPath](#suspiciousrunfromsuspath)
-	* [Telemetry.RunFromSusPath.E](#telemetryrunfromsuspathe)
+	* [Suspicious.RunFromSusPath.A](#suspiciousrunfromsuspatha)
+	* [Suspicious.RunFromSusPath.B](#suspiciousrunfromsuspathb)
+	* [Suspicious.RunFromSusPath.C](#suspiciousrunfromsuspathc)
+	* [Suspicious.RunFromSusPath.D](#suspiciousrunfromsuspathd)
 * [Suspicious.ScriptHost](#suspiciousscripthost)
 	* [Suspicious.ScriptHost.A](#suspiciousscripthosta)
 	* [Suspicious.ScriptHost.B](#suspiciousscripthostb)
@@ -57,11 +60,7 @@
 * [Telemetry.ReadBrowserData](#telemetryreadbrowserdata)
 	* [Telemetry.ReadBrowserData.A](#telemetryreadbrowserdataa)
 * [Telemetry.RunFromSusPath](#telemetryrunfromsuspath)
-	* [Suspicious.RunFromSusPath.A](#suspiciousrunfromsuspatha)
-	* [Suspicious.RunFromSusPath.B](#suspiciousrunfromsuspathb)
-	* [Suspicious.RunFromSusPath.C](#suspiciousrunfromsuspathc)
-	* [Suspicious.RunFromSusPath.D](#suspiciousrunfromsuspathd)
-	* [Suspicious.RunFromSusPath.E](#suspiciousrunfromsuspathe)
+	* [Telemetry.RunFromSusPath.A](#telemetryrunfromsuspatha)
 * [Telemetry.TerminalServer](#telemetryterminalserver)
 	* [Telemetry.TerminalServer.A](#telemetryterminalservera)
 * [Template](#template)
@@ -270,14 +269,46 @@
 ***rule.json hash: 8407b3ae9312f1ebc1145986020e3ff3cd72543e98e6ded29b064a7ccf875ea8***
 # Suspicious.RunFromSusPath
 
-## Telemetry.RunFromSusPath.E
+## Suspicious.RunFromSusPath.A
 
-状态：未启用
+状态：启用
 
 行为描述：源程序`*`做出以下操作时，提示用户处理
+- 对路径为`*\Users\*\AppData\Roaming\>`的程序进行**执行**操作
+- 对路径为`*\Users\*\AppData\>`的程序进行**执行**操作
+- 对路径为`*\Users\>\>`的程序进行**执行**操作
+- 对路径为`*\ProgramData\>`的程序进行**执行**操作
+- 对路径为`*\Program Files\>`的程序进行**执行**操作
+- 对路径为`*\Program Files (x86)\>`的程序进行**执行**操作
+- 对路径为`*\Users\*\AppData\Local\>`的程序进行**执行**操作
+- 对路径为`*\Users\>\Documents\>`的程序进行**执行**操作
+- 对路径为`*\Users\>\Documents\>\>`的程序进行**执行**操作
+- 对路径为`*\Users\Public\>.bat`的文件进行**读取**操作
+
+## Suspicious.RunFromSusPath.B
+
+状态：启用
+
+行为描述：源程序`*`做出以下操作时，提示用户处理
+- 对路径为`*\Recycler\*`的程序进行**执行**操作
+- 对路径为`*\$RECYCLE.BIN\*`的程序进行**执行**操作
+- 对路径为`*\System Volume Information\*`的程序进行**执行**操作
+
+## Suspicious.RunFromSusPath.C
+
+状态：启用
+
+行为描述：源程序`*`做出以下操作时，提示用户处理
+- 对路径为`*\ProgramData\>\>.exe`的程序进行**执行**操作
+
+## Suspicious.RunFromSusPath.D
+
+状态：启用
+
+行为描述：源程序`*\Windows\Sys?????\>`做出以下操作时，提示用户处理
 - 对路径为`*\Users\*\AppData\Roaming\>\>.exe`的程序进行**执行**操作
 
-***rule.json hash: ae7bf2ac35fb32eee6f78358c21c58b8e16d1e3204d61c29e3504a940ca0b6a1***
+***rule.json hash: 0ce318e7bf946e22f9b9bc6bb13188f0e1fc43c42d10a7699f0d4a0c6af16cb7***
 # Suspicious.ScriptHost
 
 ## Suspicious.ScriptHost.A
@@ -399,53 +430,14 @@
 ***rule.json hash: 04c8f6e13bbfc0027141f86bf678a2573bfd46326051c1753b2930bfdc2d1d7a***
 # Telemetry.RunFromSusPath
 
-## Suspicious.RunFromSusPath.A
-
-状态：启用
-
-行为描述：源程序`*`做出以下操作时，提示用户处理
-- 对路径为`*\Users\*\AppData\Roaming\>`的程序进行**执行**操作
-- 对路径为`*\Users\*\AppData\>`的程序进行**执行**操作
-- 对路径为`*\Users\>\>`的程序进行**执行**操作
-- 对路径为`*\ProgramData\>`的程序进行**执行**操作
-- 对路径为`*\Program Files\>`的程序进行**执行**操作
-- 对路径为`*\Program Files (x86)\>`的程序进行**执行**操作
-- 对路径为`*\Users\*\AppData\Local\>`的程序进行**执行**操作
-- 对路径为`*\Users\>\Documents\>`的程序进行**执行**操作
-- 对路径为`*\Users\>\Documents\>\>`的程序进行**执行**操作
-- 对路径为`*\Users\Public\>.bat`的文件进行**读取**操作
-
-## Suspicious.RunFromSusPath.B
-
-状态：启用
-
-行为描述：源程序`*`做出以下操作时，提示用户处理
-- 对路径为`*\Recycler\*`的程序进行**执行**操作
-- 对路径为`*\$RECYCLE.BIN\*`的程序进行**执行**操作
-- 对路径为`*\System Volume Information\*`的程序进行**执行**操作
-
-## Suspicious.RunFromSusPath.C
-
-状态：未启用
-
-行为描述：源程序`*`做出以下操作时，提示用户处理
-- 对路径为`*\ProgramData\>\>.exe`的程序进行**执行**操作
-
-## Suspicious.RunFromSusPath.D
-
-状态：启用
-
-行为描述：源程序`*\Windows\Sys?????\>`做出以下操作时，提示用户处理
-- 对路径为`*\Users\*\AppData\Roaming\>\>.exe`的程序进行**执行**操作
-
-## Suspicious.RunFromSusPath.E
+## Telemetry.RunFromSusPath.A
 
 状态：未启用
 
 行为描述：源程序`*`做出以下操作时，提示用户处理
 - 对路径为`*\Users\*\AppData\Roaming\>\>.exe`的程序进行**执行**操作
 
-***rule.json hash: 08f7e3dc7ada40ee0b6cce1ef341404eb3de0be6da37d852a0549a1c049944c2***
+***rule.json hash: 8e649f1c95f70ea514564927537534ec4e4d61a9dc322d163fff85aab12fd612***
 # Telemetry.TerminalServer
 
 ## Telemetry.TerminalServer.A

rules/README_en_us.md

@@ -34,7 +34,10 @@ Contents
 	* [Suspicious.PowerShell.B](#suspiciouspowershellb)
 	* [Suspicious.PowerShell.C](#suspiciouspowershellc)
 * [Suspicious.RunFromSusPath](#suspiciousrunfromsuspath)
-	* [Telemetry.RunFromSusPath.E](#telemetryrunfromsuspathe)
+	* [Suspicious.RunFromSusPath.A](#suspiciousrunfromsuspatha)
+	* [Suspicious.RunFromSusPath.B](#suspiciousrunfromsuspathb)
+	* [Suspicious.RunFromSusPath.C](#suspiciousrunfromsuspathc)
+	* [Suspicious.RunFromSusPath.D](#suspiciousrunfromsuspathd)
 * [Suspicious.ScriptHost](#suspiciousscripthost)
 	* [Suspicious.ScriptHost.A](#suspiciousscripthosta)
 	* [Suspicious.ScriptHost.B](#suspiciousscripthostb)
@@ -57,11 +60,7 @@ Contents
 * [Telemetry.ReadBrowserData](#telemetryreadbrowserdata)
 	* [Telemetry.ReadBrowserData.A](#telemetryreadbrowserdataa)
 * [Telemetry.RunFromSusPath](#telemetryrunfromsuspath)
-	* [Suspicious.RunFromSusPath.A](#suspiciousrunfromsuspatha)
-	* [Suspicious.RunFromSusPath.B](#suspiciousrunfromsuspathb)
-	* [Suspicious.RunFromSusPath.C](#suspiciousrunfromsuspathc)
-	* [Suspicious.RunFromSusPath.D](#suspiciousrunfromsuspathd)
-	* [Suspicious.RunFromSusPath.E](#suspiciousrunfromsuspathe)
+	* [Telemetry.RunFromSusPath.A](#telemetryrunfromsuspatha)
 * [Telemetry.TerminalServer](#telemetryterminalserver)
 	* [Telemetry.TerminalServer.A](#telemetryterminalservera)
 * [Template](#template)
@@ -289,15 +288,50 @@ When the source process`*`initializes the following actions, HIPS module should
 ***rule.json hash: 8407b3ae9312f1ebc1145986020e3ff3cd72543e98e6ded29b064a7ccf875ea8***
 # Suspicious.RunFromSusPath
 
-## Telemetry.RunFromSusPath.E
+## Suspicious.RunFromSusPath.A
 
-Status: Disabled
+Status: Enabled
 
 Behavioral Description:   
 When the source process`*`initializes the following actions, HIPS module should let the user decide them.
+- `Execute` the program under the path `*\Users\*\AppData\Roaming\>`
+- `Execute` the program under the path `*\Users\*\AppData\>`
+- `Execute` the program under the path `*\Users\>\>`
+- `Execute` the program under the path `*\ProgramData\>`
+- `Execute` the program under the path `*\Program Files\>`
+- `Execute` the program under the path `*\Program Files (x86)\>`
+- `Execute` the program under the path `*\Users\*\AppData\Local\>`
+- `Execute` the program under the path `*\Users\>\Documents\>`
+- `Execute` the program under the path `*\Users\>\Documents\>\>`
+- `Read` the file under the path `*\Users\Public\>.bat`
+
+## Suspicious.RunFromSusPath.B
+
+Status: Enabled
+
+Behavioral Description:   
+When the source process`*`initializes the following actions, HIPS module should let the user decide them.
+- `Execute` the program under the path `*\Recycler\*`
+- `Execute` the program under the path `*\$RECYCLE.BIN\*`
+- `Execute` the program under the path `*\System Volume Information\*`
+
+## Suspicious.RunFromSusPath.C
+
+Status: Enabled
+
+Behavioral Description:   
+When the source process`*`initializes the following actions, HIPS module should let the user decide them.
+- `Execute` the program under the path `*\ProgramData\>\>.exe`
+
+## Suspicious.RunFromSusPath.D
+
+Status: Enabled
+
+Behavioral Description:   
+When the source process`*\Windows\Sys?????\>`initializes the following actions, HIPS module should let the user decide them.
 - `Execute` the program under the path `*\Users\*\AppData\Roaming\>\>.exe`
 
-***rule.json hash: ae7bf2ac35fb32eee6f78358c21c58b8e16d1e3204d61c29e3504a940ca0b6a1***
+***rule.json hash: 0ce318e7bf946e22f9b9bc6bb13188f0e1fc43c42d10a7699f0d4a0c6af16cb7***
 # Suspicious.ScriptHost
 
 ## Suspicious.ScriptHost.A
@@ -431,58 +465,15 @@ When the source process`*`initializes the following actions, HIPS module should
 ***rule.json hash: 04c8f6e13bbfc0027141f86bf678a2573bfd46326051c1753b2930bfdc2d1d7a***
 # Telemetry.RunFromSusPath
 
-## Suspicious.RunFromSusPath.A
-
-Status: Enabled
-
-Behavioral Description:   
-When the source process`*`initializes the following actions, HIPS module should let the user decide them.
-- `Execute` the program under the path `*\Users\*\AppData\Roaming\>`
-- `Execute` the program under the path `*\Users\*\AppData\>`
-- `Execute` the program under the path `*\Users\>\>`
-- `Execute` the program under the path `*\ProgramData\>`
-- `Execute` the program under the path `*\Program Files\>`
-- `Execute` the program under the path `*\Program Files (x86)\>`
-- `Execute` the program under the path `*\Users\*\AppData\Local\>`
-- `Execute` the program under the path `*\Users\>\Documents\>`
-- `Execute` the program under the path `*\Users\>\Documents\>\>`
-- `Read` the file under the path `*\Users\Public\>.bat`
-
-## Suspicious.RunFromSusPath.B
-
-Status: Enabled
-
-Behavioral Description:   
-When the source process`*`initializes the following actions, HIPS module should let the user decide them.
-- `Execute` the program under the path `*\Recycler\*`
-- `Execute` the program under the path `*\$RECYCLE.BIN\*`
-- `Execute` the program under the path `*\System Volume Information\*`
-
-## Suspicious.RunFromSusPath.C
-
-Status: Disabled
-
-Behavioral Description:   
-When the source process`*`initializes the following actions, HIPS module should let the user decide them.
-- `Execute` the program under the path `*\ProgramData\>\>.exe`
-
-## Suspicious.RunFromSusPath.D
-
-Status: Enabled
-
-Behavioral Description:   
-When the source process`*\Windows\Sys?????\>`initializes the following actions, HIPS module should let the user decide them.
-- `Execute` the program under the path `*\Users\*\AppData\Roaming\>\>.exe`
-
-## Suspicious.RunFromSusPath.E
+## Telemetry.RunFromSusPath.A
 
 Status: Disabled
 
 Behavioral Description:   
 When the source process`*`initializes the following actions, HIPS module should let the user decide them.
 - `Execute` the program under the path `*\Users\*\AppData\Roaming\>\>.exe`
 
-***rule.json hash: 08f7e3dc7ada40ee0b6cce1ef341404eb3de0be6da37d852a0549a1c049944c2***
+***rule.json hash: 8e649f1c95f70ea514564927537534ec4e4d61a9dc322d163fff85aab12fd612***
 # Telemetry.TerminalServer
 
 ## Telemetry.TerminalServer.A

rules/Suspicious.RunFromSusPath/README.md

@@ -5,14 +5,13 @@
 目录
 ==
 
-* [Telemetry.RunFromSusPath](#telemetryrunfromsuspath)
+* [Suspicious.RunFromSusPath](#suspiciousrunfromsuspath)
 	* [Suspicious.RunFromSusPath.A](#suspiciousrunfromsuspatha)
 	* [Suspicious.RunFromSusPath.B](#suspiciousrunfromsuspathb)
 	* [Suspicious.RunFromSusPath.C](#suspiciousrunfromsuspathc)
 	* [Suspicious.RunFromSusPath.D](#suspiciousrunfromsuspathd)
-	* [Suspicious.RunFromSusPath.E](#suspiciousrunfromsuspathe)
 
-# Telemetry.RunFromSusPath
+# Suspicious.RunFromSusPath
 
 ## Suspicious.RunFromSusPath.A
 
@@ -41,7 +40,7 @@
 
 ## Suspicious.RunFromSusPath.C
 
-状态：未启用
+状态：启用
 
 行为描述：源程序`*`做出以下操作时，提示用户处理
 - 对路径为`*\ProgramData\>\>.exe`的程序进行**执行**操作
@@ -52,12 +51,5 @@
 
 行为描述：源程序`*\Windows\Sys?????\>`做出以下操作时，提示用户处理
 - 对路径为`*\Users\*\AppData\Roaming\>\>.exe`的程序进行**执行**操作
-
-## Suspicious.RunFromSusPath.E
-
-状态：未启用
-
-行为描述：源程序`*`做出以下操作时，提示用户处理
-- 对路径为`*\Users\*\AppData\Roaming\>\>.exe`的程序进行**执行**操作
 
-***rule.json hash: 08f7e3dc7ada40ee0b6cce1ef341404eb3de0be6da37d852a0549a1c049944c2***
+***rule.json hash: 0ce318e7bf946e22f9b9bc6bb13188f0e1fc43c42d10a7699f0d4a0c6af16cb7***

rules/Suspicious.RunFromSusPath/README_en_us.md

@@ -5,14 +5,13 @@
 Contents
 ========
 
-* [Telemetry.RunFromSusPath](#telemetryrunfromsuspath)
+* [Suspicious.RunFromSusPath](#suspiciousrunfromsuspath)
 	* [Suspicious.RunFromSusPath.A](#suspiciousrunfromsuspatha)
 	* [Suspicious.RunFromSusPath.B](#suspiciousrunfromsuspathb)
 	* [Suspicious.RunFromSusPath.C](#suspiciousrunfromsuspathc)
 	* [Suspicious.RunFromSusPath.D](#suspiciousrunfromsuspathd)
-	* [Suspicious.RunFromSusPath.E](#suspiciousrunfromsuspathe)
 
-# Telemetry.RunFromSusPath
+# Suspicious.RunFromSusPath
 
 ## Suspicious.RunFromSusPath.A
 
@@ -43,7 +42,7 @@ When the source process`*`initializes the following actions, HIPS module should
 
 ## Suspicious.RunFromSusPath.C
 
-Status: Disabled
+Status: Enabled
 
 Behavioral Description:   
 When the source process`*`initializes the following actions, HIPS module should let the user decide them.
@@ -56,13 +55,5 @@ Status: Enabled
 Behavioral Description:   
 When the source process`*\Windows\Sys?????\>`initializes the following actions, HIPS module should let the user decide them.
 - `Execute` the program under the path `*\Users\*\AppData\Roaming\>\>.exe`
-
-## Suspicious.RunFromSusPath.E
-
-Status: Disabled
-
-Behavioral Description:   
-When the source process`*`initializes the following actions, HIPS module should let the user decide them.
-- `Execute` the program under the path `*\Users\*\AppData\Roaming\>\>.exe`
 
-***rule.json hash: 08f7e3dc7ada40ee0b6cce1ef341404eb3de0be6da37d852a0549a1c049944c2***
+***rule.json hash: 0ce318e7bf946e22f9b9bc6bb13188f0e1fc43c42d10a7699f0d4a0c6af16cb7***

rules/Telemetry.RunFromSusPath/README.md

@@ -5,16 +5,16 @@
 目录
 ==
 
-* [Suspicious.RunFromSusPath](#suspiciousrunfromsuspath)
-	* [Telemetry.RunFromSusPath.E](#telemetryrunfromsuspathe)
+* [Telemetry.RunFromSusPath](#telemetryrunfromsuspath)
+	* [Telemetry.RunFromSusPath.A](#telemetryrunfromsuspatha)
 
-# Suspicious.RunFromSusPath
+# Telemetry.RunFromSusPath
 
-## Telemetry.RunFromSusPath.E
+## Telemetry.RunFromSusPath.A
 
 状态：未启用
 
 行为描述：源程序`*`做出以下操作时，提示用户处理
 - 对路径为`*\Users\*\AppData\Roaming\>\>.exe`的程序进行**执行**操作
 
-***rule.json hash: ae7bf2ac35fb32eee6f78358c21c58b8e16d1e3204d61c29e3504a940ca0b6a1***
+***rule.json hash: 8e649f1c95f70ea514564927537534ec4e4d61a9dc322d163fff85aab12fd612***