diff --git a/sigma/builtin/placeholder/security/win_security_exploit_cve_2020_1472.yml b/sigma/builtin/placeholder/security/win_security_exploit_cve_2020_1472.yml
deleted file mode 100644
index d4ad8aa54..000000000
--- a/sigma/builtin/placeholder/security/win_security_exploit_cve_2020_1472.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Potential Zerologon (CVE-2020-1472) Exploitation
-id: dd7876d8-0f09-11eb-adc1-0242ac120002
-status: experimental
-description: Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon
- (CVE-2020-1472)
-references:
- - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
- - https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
-author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community
-date: 2020/10/15
-modified: 2023/12/15
-tags:
- - attack.privilege_escalation
- - attack.t1068
- - cve.2020.1472
-logsource:
- product: windows
- service: security
-detection:
- security:
- Channel: Security
- selection:
- EventID: 4742
- SubjectUserName: ANONYMOUS LOGON
- TargetUserName|expand: '%DC-MACHINE-NAME%'
- filter_main:
- PasswordLastSet: '-'
- condition: security and (selection and not filter_main)
-falsepositives:
- - Automatic DC computer account password change
- - Legitimate DC computer account password change
-level: high
-ruletype: Sigma
diff --git a/sigma/builtin/placeholder/security/win_security_potential_pass_the_hash.yml b/sigma/builtin/placeholder/security/win_security_potential_pass_the_hash.yml
deleted file mode 100644
index e469b8c80..000000000
--- a/sigma/builtin/placeholder/security/win_security_potential_pass_the_hash.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Potential Pass the Hash Activity
-id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
-status: test
-description: Detects the attack technique pass the hash which is used to move laterally
- inside the network
-references:
- - https://github.com/nsacyber/Event-Forwarding-Guidance/tree/6e92d622fa33da911f79e7633da4263d632f9624/Events
-author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
-date: 2017/03/08
-modified: 2023/12/15
-tags:
- - attack.lateral_movement
- - attack.t1550.002
- - car.2016-04-004
-logsource:
- product: windows
- service: security
- definition: The successful use of PtH for lateral movement between workstations
- would trigger event ID 4624, a failed logon attempt would trigger an event
- ID 4625
-detection:
- security:
- Channel: Security
- selection:
- EventID:
- - 4624
- - 4625
- LogonType: 3
- LogonProcessName: NtLmSsp
- WorkstationName|expand: '%Workstations%'
- ComputerName|expand: '%Workstations%'
- filter:
- TargetUserName: ANONYMOUS LOGON
- condition: security and (selection and not filter)
-falsepositives:
- - Administrator activity
-level: medium
-ruletype: Sigma
diff --git a/sigma/builtin/placeholder/security/win_security_remote_registry_management_via_reg.yml b/sigma/builtin/placeholder/security/win_security_remote_registry_management_via_reg.yml
deleted file mode 100644
index 5f3d733ea..000000000
--- a/sigma/builtin/placeholder/security/win_security_remote_registry_management_via_reg.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Remote Registry Management Using Reg Utility
-id: 68fcba0d-73a5-475e-a915-e8b4c576827e
-status: test
-description: Remote registry management using REG utility from non-admin workstation
-references:
- - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-modified: 2023/12/15
-tags:
- - attack.credential_access
- - attack.defense_evasion
- - attack.discovery
- - attack.s0075
- - attack.t1012
- - attack.t1112
- - attack.t1552.002
-logsource:
- product: windows
- service: security
-detection:
- security:
- Channel: Security
- selection:
- EventID: 5145
- RelativeTargetName|contains: \winreg
- filter_main:
- IpAddress|expand: '%Admins_Workstations%'
- condition: security and (selection and not filter_main)
-falsepositives:
- - Legitimate usage of remote registry management by administrator
-level: medium
-ruletype: Sigma
diff --git a/sigma/builtin/placeholder/security/win_security_susp_interactive_logons.yml b/sigma/builtin/placeholder/security/win_security_susp_interactive_logons.yml
deleted file mode 100644
index b14005520..000000000
--- a/sigma/builtin/placeholder/security/win_security_susp_interactive_logons.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Interactive Logon to Server Systems
-id: 3ff152b2-1388-4984-9cd9-a323323fdadf
-status: test
-description: Detects interactive console logons to Server Systems
-author: Florian Roth (Nextron Systems)
-date: 2017/03/17
-modified: 2023/12/15
-tags:
- - attack.lateral_movement
- - attack.t1078
-logsource:
- product: windows
- service: security
-detection:
- security:
- Channel: Security
- selection:
- EventID:
- - 528
- - 529
- - 4624
- - 4625
- LogonType: 2
- ComputerName|expand:
- - '%ServerSystems%'
- - '%DomainControllers%'
- filter_main:
- LogonProcessName: Advapi
- ComputerName|expand: '%Workstations%'
- condition: security and (selection and not filter_main)
-falsepositives:
- - Administrative activity via KVM or ILO board
-level: medium
-ruletype: Sigma