Repository: SigmaHQ/sigma
Branch: master
Commit: a15dbdaa057a
Files: 4472
Total size: 6.8 MB
Directory structure:
gitextract_6lfx6dd0/
├── .gitattributes
├── .github/
│ ├── FUNDING.yml
│ ├── ISSUE_TEMPLATE/
│ │ ├── false_positive_report.yml
│ │ └── rule_proposal.md
│ ├── PULL_REQUEST_TEMPLATE.md
│ ├── labeler.yml
│ ├── latest_archiver_output.md
│ └── workflows/
│ ├── goodlog-tests.yml
│ ├── greetings.yml
│ ├── known-FPs.csv
│ ├── matchgrep.sh
│ ├── pr-labeler.yml
│ ├── ref-archiver.yml
│ ├── regression-tests.yml
│ ├── release.yml
│ ├── sigma-rule-deprecated.yml
│ ├── sigma-rule-promoter.yml
│ ├── sigma-test.yml
│ ├── sigma-validation.yml
│ └── update-heatmap.yml
├── .gitignore
├── .yamllint
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── Releases.md
├── deprecated/
│ ├── README.md
│ ├── cloud/
│ │ ├── azure_app_credential_modification.yml
│ │ └── azure_app_permissions_for_api.yml
│ ├── deprecated.csv
│ ├── deprecated.json
│ ├── linux/
│ │ ├── lnx_auditd_alter_bash_profile.yml
│ │ ├── lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
│ │ └── lnx_space_after_filename_.yml
│ ├── macos/
│ │ ├── proc_creation_macos_add_to_admin_group.yml
│ │ └── proc_creation_macos_malware_amos_filegrabber_exec.yml
│ ├── other/
│ │ └── generic_brute_force.yml
│ ├── web/
│ │ ├── proxy_apt_domestic_kitten.yml
│ │ ├── proxy_cobalt_amazon.yml
│ │ ├── proxy_cobalt_malformed_uas.yml
│ │ ├── proxy_cobalt_ocsp.yml
│ │ ├── proxy_cobalt_onedrive.yml
│ │ ├── proxy_ios_implant.yml
│ │ └── proxy_webdav_search_ms.yml
│ └── windows/
│ ├── create_remote_thread_win_susp_remote_thread_target.yml
│ ├── driver_load_win_mal_creddumper.yml
│ ├── driver_load_win_mal_poortry_driver.yml
│ ├── driver_load_win_powershell_script_installed_as_service.yml
│ ├── driver_load_win_vuln_avast_anti_rootkit_driver.yml
│ ├── driver_load_win_vuln_dell_driver.yml
│ ├── driver_load_win_vuln_drivers_names.yml
│ ├── driver_load_win_vuln_gigabyte_driver.yml
│ ├── driver_load_win_vuln_hw_driver.yml
│ ├── driver_load_win_vuln_lenovo_driver.yml
│ ├── file_event_win_access_susp_teams.yml
│ ├── file_event_win_access_susp_unattend_xml.yml
│ ├── file_event_win_crackmapexec_patterns.yml
│ ├── file_event_win_hktl_createminidump.yml
│ ├── file_event_win_lsass_memory_dump_file_creation.yml
│ ├── file_event_win_mimikatz_memssp_log_file.yml
│ ├── file_event_win_office_outlook_rdp_file_creation.yml
│ ├── file_event_win_susp_clr_logs.yml
│ ├── image_load_alternate_powershell_hosts_moduleload.yml
│ ├── image_load_office_dsparse_dll_load.yml
│ ├── image_load_office_kerberos_dll_load.yml
│ ├── image_load_side_load_advapi32.yml
│ ├── image_load_side_load_scm.yml
│ ├── image_load_side_load_svchost_dlls.yml
│ ├── image_load_susp_uncommon_image_load.yml
│ ├── image_load_susp_winword_wmidll_load.yml
│ ├── net_connection_win_binary_github_com.yml
│ ├── net_connection_win_reddit_api_non_browser_access.yml
│ ├── net_connection_win_susp_epmap.yml
│ ├── pipe_created_psexec_pipes_artifacts.yml
│ ├── posh_pm_powercat.yml
│ ├── posh_ps_access_to_chrome_login_data.yml
│ ├── posh_ps_azurehound_commands.yml
│ ├── posh_ps_cl_invocation_lolscript.yml
│ ├── posh_ps_cl_mutexverifiers_lolscript.yml
│ ├── posh_ps_dnscat_execution.yml
│ ├── posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
│ ├── posh_ps_file_and_directory_discovery.yml
│ ├── posh_ps_invoke_nightmare.yml
│ ├── posh_ps_susp_gwmi.yml
│ ├── powershell_ps_susp_win32_shadowcopy.yml
│ ├── powershell_suspicious_download.yml
│ ├── powershell_suspicious_invocation_generic.yml
│ ├── powershell_suspicious_invocation_specific.yml
│ ├── powershell_syncappvpublishingserver_exe.yml
│ ├── proc_access_win_in_memory_assembly_execution.yml
│ ├── proc_access_win_lazagne_cred_dump_lsass_access.yml
│ ├── proc_access_win_lsass_susp_access.yml
│ ├── proc_access_win_pypykatz_cred_dump_lsass_access.yml
│ ├── proc_access_win_susp_invoke_patchingapi.yml
│ ├── proc_creation_win_apt_apt29_thinktanks.yml
│ ├── proc_creation_win_apt_dragonfly.yml
│ ├── proc_creation_win_apt_gallium.yml
│ ├── proc_creation_win_apt_hurricane_panda.yml
│ ├── proc_creation_win_apt_lazarus_activity_apr21.yml
│ ├── proc_creation_win_apt_lazarus_loader.yml
│ ├── proc_creation_win_apt_muddywater_dnstunnel.yml
│ ├── proc_creation_win_apt_ta505_dropper.yml
│ ├── proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
│ ├── proc_creation_win_certutil_susp_execution.yml
│ ├── proc_creation_win_cmd_read_contents.yml
│ ├── proc_creation_win_cmd_redirect_to_stream.yml
│ ├── proc_creation_win_credential_acquisition_registry_hive_dumping.yml
│ ├── proc_creation_win_cscript_vbs.yml
│ ├── proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml
│ ├── proc_creation_win_filefix_browsers.yml
│ ├── proc_creation_win_indirect_cmd.yml
│ ├── proc_creation_win_indirect_command_execution_forfiles.yml
│ ├── proc_creation_win_invoke_obfuscation_via_rundll.yml
│ ├── proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
│ ├── proc_creation_win_lolbas_execution_of_wuauclt.yml
│ ├── proc_creation_win_lolbin_findstr.yml
│ ├── proc_creation_win_lolbin_office.yml
│ ├── proc_creation_win_lolbin_rdrleakdiag.yml
│ ├── proc_creation_win_lolbins_by_office_applications.yml
│ ├── proc_creation_win_mal_ryuk.yml
│ ├── proc_creation_win_malware_trickbot_recon_activity.yml
│ ├── proc_creation_win_mavinject_proc_inj.yml
│ ├── proc_creation_win_msdt_diagcab.yml
│ ├── proc_creation_win_new_service_creation.yml
│ ├── proc_creation_win_nslookup_pwsh_download_cradle.yml
│ ├── proc_creation_win_odbcconf_susp_exec.yml
│ ├── proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
│ ├── proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
│ ├── proc_creation_win_office_spawning_wmi_commandline.yml
│ ├── proc_creation_win_possible_applocker_bypass.yml
│ ├── proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml
│ ├── proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml
│ ├── proc_creation_win_powershell_base64_listing_shadowcopy.yml
│ ├── proc_creation_win_powershell_base64_shellcode.yml
│ ├── proc_creation_win_powershell_bitsjob.yml
│ ├── proc_creation_win_powershell_download_cradles.yml
│ ├── proc_creation_win_powershell_service_modification.yml
│ ├── proc_creation_win_powershell_susp_ps_downloadfile.yml
│ ├── proc_creation_win_powershell_xor_encoded_command.yml
│ ├── proc_creation_win_reg_dump_sam.yml
│ ├── proc_creation_win_regsvr32_anomalies.yml
│ ├── proc_creation_win_renamed_paexec.yml
│ ├── proc_creation_win_renamed_powershell.yml
│ ├── proc_creation_win_renamed_psexec.yml
│ ├── proc_creation_win_renamed_rundll32.yml
│ ├── proc_creation_win_root_certificate_installed.yml
│ ├── proc_creation_win_run_from_zip.yml
│ ├── proc_creation_win_rundll32_js_runhtmlapplication.yml
│ ├── proc_creation_win_rundll32_script_run.yml
│ ├── proc_creation_win_sc_delete_av_services.yml
│ ├── proc_creation_win_schtasks_user_temp.yml
│ ├── proc_creation_win_service_stop.yml
│ ├── proc_creation_win_susp_bitstransfer.yml
│ ├── proc_creation_win_susp_cmd_exectution_via_wmi.yml
│ ├── proc_creation_win_susp_commandline_chars.yml
│ ├── proc_creation_win_susp_lolbin_non_c_drive.yml
│ ├── proc_creation_win_susp_run_folder.yml
│ ├── proc_creation_win_susp_squirrel_lolbin.yml
│ ├── proc_creation_win_sysinternals_psexec_service_execution.yml
│ ├── proc_creation_win_sysinternals_psexesvc_start.yml
│ ├── proc_creation_win_whoami_as_system.yml
│ ├── proc_creation_win_whoami_execution.yml
│ ├── proc_creation_win_winword_dll_load.yml
│ ├── proc_creation_win_wmic_execution_via_office_process.yml
│ ├── proc_creation_win_wmic_remote_command.yml
│ ├── proc_creation_win_wmic_remote_service.yml
│ ├── proc_creation_win_wuauclt_execution.yml
│ ├── process_creation_syncappvpublishingserver_exe.yml
│ ├── registry_add_sysinternals_sdelete_registry_keys.yml
│ ├── registry_event_asep_reg_keys_modification.yml
│ ├── registry_set_abusing_windows_telemetry_for_persistence.yml
│ ├── registry_set_add_hidden_user.yml
│ ├── registry_set_creation_service_uncommon_folder.yml
│ ├── registry_set_disable_microsoft_office_security_features.yml
│ ├── registry_set_malware_adwind.yml
│ ├── registry_set_office_security.yml
│ ├── registry_set_persistence_com_hijacking_susp_locations.yml
│ ├── registry_set_persistence_search_order.yml
│ ├── registry_set_silentprocessexit.yml
│ ├── sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
│ ├── sysmon_dcom_iertutil_dll_hijack.yml
│ ├── sysmon_mimikatz_detection_lsass.yml
│ ├── sysmon_powershell_execution_moduleload.yml
│ ├── sysmon_rclone_execution.yml
│ ├── win_defender_disabled.yml
│ ├── win_dsquery_domain_trust_discovery.yml
│ ├── win_lateral_movement_condrv.yml
│ ├── win_security_event_log_cleared.yml
│ ├── win_security_group_modification_logging.yml
│ ├── win_security_lolbas_execution_of_nltest.yml
│ ├── win_security_windows_defender_exclusions_write_deleted.yml
│ ├── win_susp_esentutl_activity.yml
│ ├── win_susp_rclone_exec.yml
│ ├── win_susp_vssadmin_ntds_activity.yml
│ ├── win_system_service_install_susp_double_ampersand.yml
│ └── win_system_susp_sam_dump.yml
├── documentation/
│ ├── README.md
│ ├── logsource-guides/
│ │ ├── other/
│ │ │ └── antivirus.md
│ │ └── windows/
│ │ ├── category/
│ │ │ ├── process_creation.md
│ │ │ ├── ps_module.md
│ │ │ ├── ps_script.md
│ │ │ ├── registry_add.md
│ │ │ ├── registry_delete.md
│ │ │ ├── registry_event.md
│ │ │ ├── registry_rename.md
│ │ │ └── registry_set.md
│ │ └── service/
│ │ ├── powershell.md
│ │ └── security.md
│ └── tools/
│ └── sigma-logsource-checker.py
├── other/
│ ├── godmode_sigma_rule.yml
│ └── sigma_attack_nav_coverage.json
├── regression_data/
│ ├── rules/
│ │ └── windows/
│ │ ├── file/
│ │ │ └── file_event/
│ │ │ ├── file_event_win_advanced_ip_scanner/
│ │ │ │ ├── fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx
│ │ │ │ ├── fed85bf9-e075-4280-9159-fbe8a023d6fa.json
│ │ │ │ └── info.yml
│ │ │ ├── file_event_win_anydesk_artefact/
│ │ │ │ ├── 0b9ad457-2554-44c1-82c2-d56a99c42377.evtx
│ │ │ │ ├── 0b9ad457-2554-44c1-82c2-d56a99c42377.json
│ │ │ │ └── info.yml
│ │ │ ├── file_event_win_create_evtx_non_common_locations/
│ │ │ │ ├── 65236ec7-ace0-4f0c-82fd-737b04fd4dcb.evtx
│ │ │ │ ├── 65236ec7-ace0-4f0c-82fd-737b04fd4dcb.json
│ │ │ │ └── info.yml
│ │ │ ├── file_event_win_create_non_existent_dlls/
│ │ │ │ ├── df6ecb8b-7822-4f4b-b412-08f524b4576c.evtx
│ │ │ │ ├── df6ecb8b-7822-4f4b-b412-08f524b4576c.json
│ │ │ │ └── info.yml
│ │ │ ├── file_event_win_creation_new_shim_database/
│ │ │ │ ├── ee63c85c-6d51-4d12-ad09-04e25877a947.evtx
│ │ │ │ ├── ee63c85c-6d51-4d12-ad09-04e25877a947.json
│ │ │ │ └── info.yml
│ │ │ ├── file_event_win_creation_system_dll_files/
│ │ │ │ ├── 13c02350-4177-4e45-ac17-cf7ca628ff5e.evtx
│ │ │ │ ├── 13c02350-4177-4e45-ac17-cf7ca628ff5e.json
│ │ │ │ └── info.yml
│ │ │ ├── file_event_win_creation_system_file/
│ │ │ │ ├── d5866ddf-ce8f-4aea-b28e-d96485a20d3d.evtx
│ │ │ │ ├── d5866ddf-ce8f-4aea-b28e-d96485a20d3d.json
│ │ │ │ └── info.yml
│ │ │ ├── file_event_win_cred_dump_tools_dropped_files/
│ │ │ │ ├── 8fbf3271-1ef6-4e94-8210-03c2317947f6.evtx
│ │ │ │ ├── 8fbf3271-1ef6-4e94-8210-03c2317947f6.json
│ │ │ │ └── info.yml
│ │ │ ├── file_event_win_dump_file_susp_creation/
│ │ │ │ ├── aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.evtx
│ │ │ │ ├── aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.json
│ │ │ │ └── info.yml
│ │ │ ├── file_event_win_susp_legitimate_app_dropping_in_uncommon_location/
│ │ │ │ ├── 1cf465a1-2609-4c15-9b66-c32dbe4bfd67.evtx
│ │ │ │ ├── 1cf465a1-2609-4c15-9b66-c32dbe4bfd67.json
│ │ │ │ └── info.yml
│ │ │ ├── file_event_win_susp_lnk_double_extension/
│ │ │ │ ├── 3215aa19-f060-4332-86d5-5602511f3ca8.evtx
│ │ │ │ ├── 3215aa19-f060-4332-86d5-5602511f3ca8.json
│ │ │ │ └── info.yml
│ │ │ ├── file_event_win_susp_public_folder_extension/
│ │ │ │ ├── b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.evtx
│ │ │ │ ├── b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.json
│ │ │ │ └── info.yml
│ │ │ ├── file_event_win_susp_recycle_bin_fake_exec/
│ │ │ │ ├── cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.evtx
│ │ │ │ ├── cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.json
│ │ │ │ └── info.yml
│ │ │ └── file_event_win_taskmgr_lsass_dump/
│ │ │ ├── 69ca12af-119d-44ed-b50f-a47af0ebc364.evtx
│ │ │ ├── 69ca12af-119d-44ed-b50f-a47af0ebc364.json
│ │ │ └── info.yml
│ │ ├── image_load/
│ │ │ ├── image_load_side_load_cpl_from_non_system_location/
│ │ │ │ ├── 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.evtx
│ │ │ │ ├── 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.json
│ │ │ │ └── info.yml
│ │ │ └── image_load_win_susp_dbgcore_dbghelp_load/
│ │ │ ├── 416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx
│ │ │ ├── 416bc4a2-7217-4519-8dc7-c3271817f1d5.json
│ │ │ └── info.yml
│ │ ├── process_access/
│ │ │ ├── proc_access_win_susp_dbgcore_dbghelp_load/
│ │ │ │ ├── 9f5c1d59-33be-4e60-bcab-85d2f566effd.evtx
│ │ │ │ ├── 9f5c1d59-33be-4e60-bcab-85d2f566effd.json
│ │ │ │ └── info.yml
│ │ │ └── proc_access_win_werfaultsecure_msmpeng_access/
│ │ │ ├── 387df17d-3b04-448f-8669-9e7fd5e5fd8c.evtx
│ │ │ ├── 387df17d-3b04-448f-8669-9e7fd5e5fd8c.json
│ │ │ └── info.yml
│ │ ├── process_creation/
│ │ │ ├── proc_creation_win_amsi_registry_tampering/
│ │ │ │ ├── 7dbbcac2-57a0-45ac-b306-ff30a8bd2981.evtx
│ │ │ │ ├── 7dbbcac2-57a0-45ac-b306-ff30a8bd2981.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_bitsadmin_download/
│ │ │ │ ├── d059842b-6b9d-4ed1-b5c3-5b89143c6ede.evtx
│ │ │ │ ├── d059842b-6b9d-4ed1-b5c3-5b89143c6ede.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_bitsadmin_download_direct_ip/
│ │ │ │ ├── 99c840f2-2012-46fd-9141-c761987550ef.evtx
│ │ │ │ ├── 99c840f2-2012-46fd-9141-c761987550ef.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_bitsadmin_download_file_sharing_domains/
│ │ │ │ ├── 8518ed3d-f7c9-4601-a26c-f361a4256a0c.evtx
│ │ │ │ ├── 8518ed3d-f7c9-4601-a26c-f361a4256a0c.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_bitsadmin_download_susp_extensions/
│ │ │ │ ├── 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200.evtx
│ │ │ │ ├── 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_bitsadmin_download_susp_targetfolder/
│ │ │ │ ├── 2ddef153-167b-4e89-86b6-757a9e65dcac.evtx
│ │ │ │ ├── 2ddef153-167b-4e89-86b6-757a9e65dcac.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_browsers_chromium_headless_file_download/
│ │ │ │ ├── 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.evtx
│ │ │ │ ├── 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_browsers_chromium_load_extension/
│ │ │ │ ├── 88d6e60c-759d-4ac1-a447-c0f1466c2d21.evtx
│ │ │ │ ├── 88d6e60c-759d-4ac1-a447-c0f1466c2d21.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_browsers_chromium_mockbin_abuse/
│ │ │ │ ├── 1c526788-0abe-4713-862f-b520da5e5316.evtx
│ │ │ │ ├── 1c526788-0abe-4713-862f-b520da5e5316.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_browsers_chromium_susp_load_extension/
│ │ │ │ ├── 27ba3207-dd30-4812-abbf-5d20c57d474e.evtx
│ │ │ │ ├── 27ba3207-dd30-4812-abbf-5d20c57d474e.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_browsers_inline_file_download/
│ │ │ │ ├── 94771a71-ba41-4b6e-a757-b531372eaab6.evtx
│ │ │ │ ├── 94771a71-ba41-4b6e-a757-b531372eaab6.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_browsers_tor_execution/
│ │ │ │ ├── 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.evtx
│ │ │ │ ├── 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_certutil_certificate_installation/
│ │ │ │ ├── d2125259-ddea-4c1c-9c22-977eb5b29cf0.evtx
│ │ │ │ ├── d2125259-ddea-4c1c-9c22-977eb5b29cf0.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_certutil_decode/
│ │ │ │ ├── cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.evtx
│ │ │ │ ├── cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_certutil_download/
│ │ │ │ ├── 19b08b1c-861d-4e75-a1ef-ea0c1baf202b.evtx
│ │ │ │ ├── 19b08b1c-861d-4e75-a1ef-ea0c1baf202b.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_certutil_download_direct_ip/
│ │ │ │ ├── 13e6fe51-d478-4c7e-b0f2-6da9b400a829.evtx
│ │ │ │ ├── 13e6fe51-d478-4c7e-b0f2-6da9b400a829.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_certutil_download_file_sharing_domains/
│ │ │ │ ├── 42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx
│ │ │ │ ├── 42a5f1e7-9603-4f6d-97ae-3f37d130d794.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_certutil_encode/
│ │ │ │ ├── e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.evtx
│ │ │ │ ├── e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_certutil_encode_susp_extensions/
│ │ │ │ ├── ea0cdc3e-2239-4f26-a947-4e8f8224e464.evtx
│ │ │ │ ├── ea0cdc3e-2239-4f26-a947-4e8f8224e464.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_certutil_encode_susp_location/
│ │ │ │ ├── 82a6714f-4899-4f16-9c1e-9a333544d4c3.evtx
│ │ │ │ ├── 82a6714f-4899-4f16-9c1e-9a333544d4c3.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_certutil_export_pfx/
│ │ │ │ ├── 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.evtx
│ │ │ │ ├── 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_certutil_ntlm_coercion/
│ │ │ │ ├── 6c6d9280-e6d0-4b9d-80ac-254701b64916.evtx
│ │ │ │ ├── 6c6d9280-e6d0-4b9d-80ac-254701b64916.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_chcp_codepage_lookup/
│ │ │ │ ├── 7090adee-82e2-4269-bd59-80691e7c6338.evtx
│ │ │ │ ├── 7090adee-82e2-4269-bd59-80691e7c6338.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_chcp_codepage_switch/
│ │ │ │ ├── c7942406-33dd-4377-a564-0f62db0593a3.evtx
│ │ │ │ ├── c7942406-33dd-4377-a564-0f62db0593a3.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_cipher_overwrite_deleted_data/
│ │ │ │ ├── 4b046706-5789-4673-b111-66f25fe99534.evtx
│ │ │ │ ├── 4b046706-5789-4673-b111-66f25fe99534.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_clip_execution/
│ │ │ │ ├── ddeff553-5233-4ae9-bbab-d64d2bd634be.evtx
│ │ │ │ ├── ddeff553-5233-4ae9-bbab-d64d2bd634be.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_cmd_assoc_execution/
│ │ │ │ ├── 3d3aa6cd-6272-44d6-8afc-7e88dfef7061.evtx
│ │ │ │ ├── 3d3aa6cd-6272-44d6-8afc-7e88dfef7061.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_cmd_dir_execution/
│ │ │ │ ├── 7c9340a9-e2ee-4e43-94c5-c54ebbea1006.evtx
│ │ │ │ ├── 7c9340a9-e2ee-4e43-94c5-c54ebbea1006.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_cmd_launched_with_hidden_start_flag/
│ │ │ │ ├── 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.evtx
│ │ │ │ ├── 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_cmd_mklink_osk_cmd/
│ │ │ │ ├── e9b61244-893f-427c-b287-3e708f321c6b.evtx
│ │ │ │ ├── e9b61244-893f-427c-b287-3e708f321c6b.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_cmd_rmdir_execution/
│ │ │ │ ├── 41ca393d-538c-408a-ac27-cf1e038be80c.evtx
│ │ │ │ ├── 41ca393d-538c-408a-ac27-cf1e038be80c.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_cmdkey_adding_generic_creds/
│ │ │ │ ├── b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.evtx
│ │ │ │ ├── b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_cmdkey_recon/
│ │ │ │ ├── 07f8bdc2-c9b3-472a-9817-5a670b872f53.evtx
│ │ │ │ ├── 07f8bdc2-c9b3-472a-9817-5a670b872f53.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_conhost_headless_powershell/
│ │ │ │ ├── 056c7317-9a09-4bd4-9067-d051312752ea.evtx
│ │ │ │ ├── 056c7317-9a09-4bd4-9067-d051312752ea.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_credential_guard_registry_tampering/
│ │ │ │ ├── c17d47b7-dcd6-4109-87eb-d1817bd4cbc9.evtx
│ │ │ │ ├── c17d47b7-dcd6-4109-87eb-d1817bd4cbc9.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_curl_cookie_hijacking/
│ │ │ │ ├── 5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx
│ │ │ │ ├── 5a6e1e16-07de-48d8-8aae-faa766c05e88.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_curl_custom_user_agent/
│ │ │ │ ├── 85de1f22-d189-44e4-8239-dc276b45379b.evtx
│ │ │ │ ├── 85de1f22-d189-44e4-8239-dc276b45379b.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_curl_download_direct_ip_exec/
│ │ │ │ ├── 9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx
│ │ │ │ ├── 9cc85849-3b02-4cb5-b371-3a1ff54f2218.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_curl_download_direct_ip_susp_extensions/
│ │ │ │ ├── 5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx
│ │ │ │ ├── 5cb299fc-5fb1-4d07-b989-0644c68b6043.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_curl_download_susp_file_sharing_domains/
│ │ │ │ ├── 56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx
│ │ │ │ ├── 56454143-524f-49fb-b1c6-3fb8b1ad41fb.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_curl_insecure_connection/
│ │ │ │ ├── cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx
│ │ │ │ ├── cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_curl_insecure_proxy_or_doh/
│ │ │ │ ├── 2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx
│ │ │ │ ├── 2c1486f5-02e8-4f86-9099-b97f2da4ed77.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_curl_local_file_read/
│ │ │ │ ├── aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx
│ │ │ │ ├── aa6f6ea6-0676-40dd-b510-6e46f02d8867.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_curl_susp_download/
│ │ │ │ ├── e218595b-bbe7-4ee5-8a96-f32a24ad3468.evtx
│ │ │ │ ├── e218595b-bbe7-4ee5-8a96-f32a24ad3468.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_devcon_disable_vmci_driver/
│ │ │ │ ├── 85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx
│ │ │ │ ├── 85f520e7-6f5e-43ca-874c-222e5bf9c0de.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_dirlister_execution/
│ │ │ │ ├── b4dc61f5-6cce-468e-a608-b48b469feaa2.evtx
│ │ │ │ ├── b4dc61f5-6cce-468e-a608-b48b469feaa2.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_discovery_via_reg_queries/
│ │ │ │ ├── 0022869c-49f7-4ff2-ba03-85ac42ddac58.evtx
│ │ │ │ ├── 0022869c-49f7-4ff2-ba03-85ac42ddac58.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_dism_remove/
│ │ │ │ ├── 43e32da2-fdd0-4156-90de-50dfd62636f9.evtx
│ │ │ │ ├── 43e32da2-fdd0-4156-90de-50dfd62636f9.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_driverquery_recon/
│ │ │ │ ├── 9fc3072c-dc8f-4bf7-b231-18950000fadd.evtx
│ │ │ │ ├── 9fc3072c-dc8f-4bf7-b231-18950000fadd.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_driverquery_usage/
│ │ │ │ ├── a20def93-0709-4eae-9bd2-31206e21e6b2.evtx
│ │ │ │ ├── a20def93-0709-4eae-9bd2-31206e21e6b2.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_dsquery_domain_trust_discovery/
│ │ │ │ ├── 3bad990e-4848-4a78-9530-b427d854aac0.evtx
│ │ │ │ ├── 3bad990e-4848-4a78-9530-b427d854aac0.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_dtrace_kernel_dump/
│ │ │ │ ├── 7124aebe-4cd7-4ccb-8df0-6d6b93c96795.evtx
│ │ │ │ ├── 7124aebe-4cd7-4ccb-8df0-6d6b93c96795.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_explorer_folder_shortcut_via_shell_binary/
│ │ │ │ ├── c3d76afc-93df-461e-8e67-9b2bad3f2ac4.evtx
│ │ │ │ ├── c3d76afc-93df-461e-8e67-9b2bad3f2ac4.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_findstr_gpp_passwords/
│ │ │ │ ├── 91a2c315-9ee6-4052-a853-6f6a8238f90d.evtx
│ │ │ │ ├── 91a2c315-9ee6-4052-a853-6f6a8238f90d.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_findstr_lsass/
│ │ │ │ ├── fe63010f-8823-4864-a96b-a7b4a0f7b929.evtx
│ │ │ │ ├── fe63010f-8823-4864-a96b-a7b4a0f7b929.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_findstr_recon_everyone/
│ │ │ │ ├── 47e4bab7-c626-47dc-967b-255608c9a920.evtx
│ │ │ │ ├── 47e4bab7-c626-47dc-967b-255608c9a920.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_findstr_recon_pipe_output/
│ │ │ │ ├── ccb5742c-c248-4982-8c5c-5571b9275ad3.evtx
│ │ │ │ ├── ccb5742c-c248-4982-8c5c-5571b9275ad3.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_findstr_security_keyword_lookup/
│ │ │ │ ├── 4fe074b4-b833-4081-8f24-7dcfeca72b42.evtx
│ │ │ │ ├── 4fe074b4-b833-4081-8f24-7dcfeca72b42.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_finger_execution/
│ │ │ │ ├── af491bca-e752-4b44-9c86-df5680533dbc.evtx
│ │ │ │ ├── af491bca-e752-4b44-9c86-df5680533dbc.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_github_self_hosted_runner/
│ │ │ │ ├── 5bac7a56-da88-4c27-922e-c81e113b20cb.evtx
│ │ │ │ ├── 5bac7a56-da88-4c27-922e-c81e113b20cb.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_gpresult_execution/
│ │ │ │ ├── e56d3073-83ff-4021-90fe-c658e0709e72.evtx
│ │ │ │ ├── e56d3073-83ff-4021-90fe-c658e0709e72.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_hh_chm_execution/
│ │ │ │ ├── 68c8acb4-1b60-4890-8e82-3ddf7a6dba84.evtx
│ │ │ │ ├── 68c8acb4-1b60-4890-8e82-3ddf7a6dba84.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_hktl_edr_freeze/
│ │ │ │ ├── c598cc0c-9e70-4852-b9eb-8921af79f598.evtx
│ │ │ │ ├── c598cc0c-9e70-4852-b9eb-8921af79f598.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_hktl_wsass/
│ │ │ │ ├── 589ac73f-8e12-409c-964e-31a2f5775ae2.evtx
│ │ │ │ ├── 589ac73f-8e12-409c-964e-31a2f5775ae2.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_hvci_registry_tampering/
│ │ │ │ ├── 6225c53a-a96e-4235-b28f-8d7997cd96eb.evtx
│ │ │ │ ├── 6225c53a-a96e-4235-b28f-8d7997cd96eb.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_pua_adfind_enumeration/
│ │ │ │ ├── 455b9d50-15a1-4b99-853f-8d37655a4c1b.evtx
│ │ │ │ ├── 455b9d50-15a1-4b99-853f-8d37655a4c1b.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_pua_adfind_execution/
│ │ │ │ ├── 514e7e3e-b3b4-4a67-af60-be20f139198b.evtx
│ │ │ │ ├── 514e7e3e-b3b4-4a67-af60-be20f139198b.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_pua_adfind_susp_usage/
│ │ │ │ ├── 9a132afa-654e-11eb-ae93-0242ac130002.evtx
│ │ │ │ ├── 9a132afa-654e-11eb-ae93-0242ac130002.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_pua_advanced_ip_scanner/
│ │ │ │ ├── bef37fa2-f205-4a7b-b484-0759bfd5f86f.evtx
│ │ │ │ ├── bef37fa2-f205-4a7b-b484-0759bfd5f86f.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_pua_advanced_port_scanner/
│ │ │ │ ├── 54773c5f-f1cc-4703-9126-2f797d96a69d.evtx
│ │ │ │ ├── 54773c5f-f1cc-4703-9126-2f797d96a69d.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_pua_advancedrun/
│ │ │ │ ├── d2b749ee-4225-417e-b20e-a8d2193cbb84.evtx
│ │ │ │ ├── d2b749ee-4225-417e-b20e-a8d2193cbb84.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_pua_advancedrun_priv_user/
│ │ │ │ ├── fa00b701-44c6-4679-994d-5a18afa8a707.evtx
│ │ │ │ ├── fa00b701-44c6-4679-994d-5a18afa8a707.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_pua_kdu_driver_tool/
│ │ │ │ ├── e76ca062-4de0-4d79-8d90-160a0d335eca.evtx
│ │ │ │ ├── e76ca062-4de0-4d79-8d90-160a0d335eca.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_reg_add_run_key/
│ │ │ │ ├── de587dce-915e-4218-aac4-835ca6af6f70.evtx
│ │ │ │ ├── de587dce-915e-4218-aac4-835ca6af6f70.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_reg_add_safeboot/
│ │ │ │ ├── d7662ff6-9e97-4596-a61d-9839e32dee8d.evtx
│ │ │ │ ├── d7662ff6-9e97-4596-a61d-9839e32dee8d.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_reg_system_language_discovery/
│ │ │ │ ├── c43a5405-e8e1-4221-9ac9-dbe3fa14e886.evtx
│ │ │ │ ├── c43a5405-e8e1-4221-9ac9-dbe3fa14e886.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_registry_special_accounts_hide_user/
│ │ │ │ ├── 9ec9fb1b-e059-4489-9642-f270c207923d.evtx
│ │ │ │ ├── 9ec9fb1b-e059-4489-9642-f270c207923d.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_renamed_adfind/
│ │ │ │ ├── df55196f-f105-44d3-a675-e9dfb6cc2f2b.evtx
│ │ │ │ ├── df55196f-f105-44d3-a675-e9dfb6cc2f2b.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_renamed_binary/
│ │ │ │ ├── 36480ae1-a1cb-4eaa-a0d6-29801d7e9142.evtx
│ │ │ │ ├── 36480ae1-a1cb-4eaa-a0d6-29801d7e9142.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_renamed_binary_highly_relevant/
│ │ │ │ ├── 0ba1da6d-b6ce-4366-828c-18826c9de23e.evtx
│ │ │ │ ├── 0ba1da6d-b6ce-4366-828c-18826c9de23e.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_renamed_curl/
│ │ │ │ ├── 7530cd3d-7671-43e3-b209-976966f6ea48.evtx
│ │ │ │ ├── 7530cd3d-7671-43e3-b209-976966f6ea48.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_renamed_ftp/
│ │ │ │ ├── 277a4393-446c-449a-b0ed-7fdc7795244c.evtx
│ │ │ │ ├── 277a4393-446c-449a-b0ed-7fdc7795244c.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_renamed_msdt/
│ │ │ │ ├── bd1c6866-65fc-44b2-be51-5588fcff82b9.evtx
│ │ │ │ ├── bd1c6866-65fc-44b2-be51-5588fcff82b9.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_sc_stop_service/
│ │ │ │ ├── 81bcb81b-5b1f-474b-b373-52c871aaa7b1.evtx
│ │ │ │ ├── 81bcb81b-5b1f-474b-b373-52c871aaa7b1.json
│ │ │ │ ├── 81bcb81b-5b1f-474b-b373-52c871aaa7b1.jsoncls
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_susp_eventlog_content_recon/
│ │ │ │ ├── beaa66d6-aa1b-4e3c-80f5-e0145369bfaf.evtx
│ │ │ │ ├── beaa66d6-aa1b-4e3c-80f5-e0145369bfaf.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_susp_system_exe_anomaly/
│ │ │ │ ├── e4a6b256-3e47-40fc-89d2-7a477edd6915.evtx
│ │ │ │ ├── e4a6b256-3e47-40fc-89d2-7a477edd6915.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_svchost_masqueraded_execution/
│ │ │ │ ├── be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.evtx
│ │ │ │ ├── be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_user_shell_folders_registry_modification/
│ │ │ │ ├── 8f3ab69a-aa22-4943-aa58-e0a52fdf6818.evtx
│ │ │ │ ├── 8f3ab69a-aa22-4943-aa58-e0a52fdf6818.json
│ │ │ │ └── info.yml
│ │ │ ├── proc_creation_win_vulnerable_driver_blocklist_registry_tampering/
│ │ │ │ ├── 22154f0e-5132-4a54-aa78-cc62f6def531.evtx
│ │ │ │ ├── 22154f0e-5132-4a54-aa78-cc62f6def531.json
│ │ │ │ └── info.yml
│ │ │ └── proc_creation_win_werfaultsecure_abuse/
│ │ │ ├── 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx
│ │ │ ├── 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.json
│ │ │ └── info.yml
│ │ ├── registry/
│ │ │ ├── registry_delete/
│ │ │ │ ├── registry_delete_disable_credential_guard/
│ │ │ │ │ ├── d645ef86-2396-48a1-a2b6-b629ca3f57ff.evtx
│ │ │ │ │ ├── d645ef86-2396-48a1-a2b6-b629ca3f57ff.json
│ │ │ │ │ └── info.yml
│ │ │ │ ├── registry_delete_removal_amsi_registry_key/
│ │ │ │ │ ├── 41d1058a-aea7-4952-9293-29eaaf516465.evtx
│ │ │ │ │ ├── 41d1058a-aea7-4952-9293-29eaaf516465.json
│ │ │ │ │ └── info.yml
│ │ │ │ ├── registry_delete_runmru/
│ │ │ │ │ ├── 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.evtx
│ │ │ │ │ ├── 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.json
│ │ │ │ │ └── info.yml
│ │ │ │ ├── registry_delete_schtasks_hide_task_via_index_value_removal/
│ │ │ │ │ ├── 526cc8bc-1cdc-48ad-8b26-f19bff969cec.evtx
│ │ │ │ │ ├── 526cc8bc-1cdc-48ad-8b26-f19bff969cec.json
│ │ │ │ │ └── info.yml
│ │ │ │ └── registry_delete_schtasks_hide_task_via_sd_value_removal/
│ │ │ │ ├── acd74772-5f88-45c7-956b-6a7b36c294d2.evtx
│ │ │ │ ├── acd74772-5f88-45c7-956b-6a7b36c294d2.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_event/
│ │ │ │ └── registry_event_add_local_hidden_user/
│ │ │ │ ├── 460479f3-80b7-42da-9c43-2cc1d54dbccd.evtx
│ │ │ │ ├── 460479f3-80b7-42da-9c43-2cc1d54dbccd.json
│ │ │ │ └── info.yml
│ │ │ └── registry_set/
│ │ │ ├── registry_set_add_load_service_in_safe_mode/
│ │ │ │ ├── 1547e27c-3974-43e2-a7d7-7f484fb928ec.evtx
│ │ │ │ ├── 1547e27c-3974-43e2-a7d7-7f484fb928ec.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_add_port_monitor/
│ │ │ │ ├── 944e8941-f6f6-4ee8-ac05-1c224e923c0e.evtx
│ │ │ │ ├── 944e8941-f6f6-4ee8-ac05-1c224e923c0e.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_allow_rdp_remote_assistance_feature/
│ │ │ │ ├── 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.evtx
│ │ │ │ ├── 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_amsi_disable/
│ │ │ │ ├── aa37cbb0-da36-42cb-a90f-fdf216fc7467.evtx
│ │ │ │ ├── aa37cbb0-da36-42cb-a90f-fdf216fc7467.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_bypass_uac_using_delegateexecute/
│ │ │ │ ├── 46dd5308-4572-4d12-aa43-8938f0184d4f.evtx
│ │ │ │ ├── 46dd5308-4572-4d12-aa43-8938f0184d4f.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_bypass_uac_using_eventviewer/
│ │ │ │ ├── 674202d0-b22a-4af4-ae5f-2eda1f3da1af.evtx
│ │ │ │ ├── 674202d0-b22a-4af4-ae5f-2eda1f3da1af.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_bypass_uac_using_silentcleanup_task/
│ │ │ │ ├── 724ea201-6514-4f38-9739-e5973c34f49a.evtx
│ │ │ │ ├── 724ea201-6514-4f38-9739-e5973c34f49a.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_change_rdp_port/
│ │ │ │ ├── 509e84b9-a71a-40e0-834f-05470369bd1e.evtx
│ │ │ │ ├── 509e84b9-a71a-40e0-834f-05470369bd1e.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_change_security_zones/
│ │ │ │ ├── 45e112d0-7759-4c2a-aa36-9f8fb79d3393.evtx
│ │ │ │ ├── 45e112d0-7759-4c2a-aa36-9f8fb79d3393.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_credential_guard_disabled/
│ │ │ │ ├── 73921b9c-cafd-4446-b0c6-fdb0ace42bc0.evtx
│ │ │ │ ├── 73921b9c-cafd-4446-b0c6-fdb0ace42bc0.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/
│ │ │ │ ├── 8b7273a4-ba5d-4d8a-b04f-11f2900d043a.evtx
│ │ │ │ ├── 8b7273a4-ba5d-4d8a-b04f-11f2900d043a.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_disable_administrative_share/
│ │ │ │ ├── c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.evtx
│ │ │ │ ├── c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_disable_defender_firewall/
│ │ │ │ ├── 974515da-6cc5-4c95-ae65-f97f9150ec7f.evtx
│ │ │ │ ├── 974515da-6cc5-4c95-ae65-f97f9150ec7f.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_disable_security_center_notifications/
│ │ │ │ ├── 3ae1a046-f7db-439d-b7ce-b8b366b81fa6.evtx
│ │ │ │ ├── 3ae1a046-f7db-439d-b7ce-b8b366b81fa6.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_persistence_amsi_providers/
│ │ │ │ ├── 33efc23c-6ea2-4503-8cfe-bdf82ce8f705.evtx
│ │ │ │ ├── 33efc23c-6ea2-4503-8cfe-bdf82ce8f705.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_persistence_com_key_linking/
│ │ │ │ ├── 9b0f8a61-91b2-464f-aceb-0527e0a45020.evtx
│ │ │ │ ├── 9b0f8a61-91b2-464f-aceb-0527e0a45020.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_persistence_logon_scripts_userinitmprlogonscript/
│ │ │ │ ├── 9ace0707-b560-49b8-b6ca-5148b42f39fb.evtx
│ │ │ │ ├── 9ace0707-b560-49b8-b6ca-5148b42f39fb.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_powershell_logging_disabled/
│ │ │ │ ├── fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.evtx
│ │ │ │ ├── fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_pua_sysinternals_execution_via_eula/
│ │ │ │ ├── 25ffa65d-76d8-4da5-a832-3f2b0136e133.evtx
│ │ │ │ ├── 25ffa65d-76d8-4da5-a832-3f2b0136e133.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_pua_sysinternals_renamed_execution_via_eula/
│ │ │ │ ├── f50f3c09-557d-492d-81db-9064a8d4e211.evtx
│ │ │ │ ├── f50f3c09-557d-492d-81db-9064a8d4e211.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_pua_sysinternals_susp_execution_via_eula/
│ │ │ │ ├── c7da8edc-49ae-45a2-9e61-9fd860e4e73d.evtx
│ │ │ │ ├── c7da8edc-49ae-45a2-9e61-9fd860e4e73d.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_special_accounts/
│ │ │ │ ├── f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.evtx
│ │ │ │ ├── f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.json
│ │ │ │ └── info.yml
│ │ │ ├── registry_set_susp_user_shell_folders/
│ │ │ │ ├── 9c226817-8dc9-46c2-a58d-66655aafd7dc.evtx
│ │ │ │ ├── 9c226817-8dc9-46c2-a58d-66655aafd7dc.json
│ │ │ │ └── info.yml
│ │ │ └── registry_set_vulnerable_driver_blocklist_disable/
│ │ │ ├── d526c60a-e236-4011-b165-831ffa52ab70.evtx
│ │ │ ├── d526c60a-e236-4011-b165-831ffa52ab70.json
│ │ │ └── info.yml
│ │ └── sysmon/
│ │ └── sysmon_config_modification/
│ │ ├── 8ac03a65-6c84-4116-acad-dc1558ff7a77.evtx
│ │ ├── 8ac03a65-6c84-4116-acad-dc1558ff7a77.json
│ │ └── info.yml
│ ├── rules-emerging-threats/
│ │ └── 2025/
│ │ ├── Exploits/
│ │ │ └── CVE-2025-55182/
│ │ │ └── proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/
│ │ │ ├── 271de298-cc0e-4842-acd8-079a0a99ea65.evtx
│ │ │ ├── 271de298-cc0e-4842-acd8-079a0a99ea65.json
│ │ │ └── info.yml
│ │ └── Malware/
│ │ └── Grixba/
│ │ └── proc_creation_win_malware_grixba_recon/
│ │ ├── af688c76-4ce4-4309-bfdd-e896f01acf27.evtx
│ │ ├── af688c76-4ce4-4309-bfdd-e896f01acf27.json
│ │ └── info.yml
│ └── rules-threat-hunting/
│ └── windows/
│ └── image_load/
│ └── image_load_win_werfaultsecure_dbgcore_dbghelp_load/
│ ├── 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx
│ ├── 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.json
│ └── info.yml
├── rules/
│ ├── README.md
│ ├── application/
│ │ ├── bitbucket/
│ │ │ └── audit/
│ │ │ ├── bitbucket_audit_full_data_export_triggered.yml
│ │ │ ├── bitbucket_audit_global_permissions_change_detected.yml
│ │ │ ├── bitbucket_audit_global_secret_scanning_rule_deleted.yml
│ │ │ ├── bitbucket_audit_global_ssh_settings_change_detected.yml
│ │ │ ├── bitbucket_audit_log_configuration_update_detected.yml
│ │ │ ├── bitbucket_audit_project_secret_scanning_allowlist_added.yml
│ │ │ ├── bitbucket_audit_secret_scanning_exempt_repository_detected.yml
│ │ │ ├── bitbucket_audit_secret_scanning_rule_deleted.yml
│ │ │ ├── bitbucket_audit_unauthorized_access_detected.yml
│ │ │ ├── bitbucket_audit_unauthorized_full_data_export_triggered.yml
│ │ │ ├── bitbucket_audit_user_details_export_attempt_detected.yml
│ │ │ ├── bitbucket_audit_user_login_failure_detected.yml
│ │ │ ├── bitbucket_audit_user_login_failure_via_ssh_detected.yml
│ │ │ └── bitbucket_audit_user_permissions_export_attempt_detected.yml
│ │ ├── django/
│ │ │ └── appframework_django_exceptions.yml
│ │ ├── github/
│ │ │ └── audit/
│ │ │ ├── github_delete_action_invoked.yml
│ │ │ ├── github_disable_high_risk_configuration.yml
│ │ │ ├── github_disabled_outdated_dependency_or_vulnerability.yml
│ │ │ ├── github_fork_private_repos_enabled_or_cleared.yml
│ │ │ ├── github_new_org_member.yml
│ │ │ ├── github_new_secret_created.yml
│ │ │ ├── github_outside_collaborator_detected.yml
│ │ │ ├── github_pages_site_changed_to_public.yml
│ │ │ ├── github_push_protection_bypass_detected.yml
│ │ │ ├── github_push_protection_disabled.yml
│ │ │ ├── github_repo_or_org_transferred.yml
│ │ │ ├── github_repository_archive_status_changed.yml
│ │ │ ├── github_secret_scanning_feature_disabled.yml
│ │ │ ├── github_self_hosted_runner_changes_detected.yml
│ │ │ └── github_ssh_certificate_config_changed.yml
│ │ ├── jvm/
│ │ │ ├── java_jndi_injection_exploitation_attempt.yml
│ │ │ ├── java_local_file_read.yml
│ │ │ ├── java_ognl_injection_exploitation_attempt.yml
│ │ │ ├── java_rce_exploitation_attempt.yml
│ │ │ └── java_xxe_exploitation_attempt.yml
│ │ ├── kubernetes/
│ │ │ └── audit/
│ │ │ ├── kubernetes_audit_change_admission_controller.yml
│ │ │ ├── kubernetes_audit_cronjob_modification.yml
│ │ │ ├── kubernetes_audit_deployment_deleted.yml
│ │ │ ├── kubernetes_audit_events_deleted.yml
│ │ │ ├── kubernetes_audit_exec_into_container.yml
│ │ │ ├── kubernetes_audit_hostpath_mount.yml
│ │ │ ├── kubernetes_audit_pod_in_system_namespace.yml
│ │ │ ├── kubernetes_audit_privileged_pod_creation.yml
│ │ │ ├── kubernetes_audit_rbac_permisions_listing.yml
│ │ │ ├── kubernetes_audit_rolebinding_modification.yml
│ │ │ ├── kubernetes_audit_secrets_enumeration.yml
│ │ │ ├── kubernetes_audit_secrets_modified_or_deleted.yml
│ │ │ ├── kubernetes_audit_serviceaccount_creation.yml
│ │ │ ├── kubernetes_audit_sidecar_injection.yml
│ │ │ └── kubernetes_audit_unauthorized_unauthenticated_actions.yml
│ │ ├── nodejs/
│ │ │ └── nodejs_rce_exploitation_attempt.yml
│ │ ├── opencanary/
│ │ │ ├── opencanary_ftp_login_attempt.yml
│ │ │ ├── opencanary_git_clone_request.yml
│ │ │ ├── opencanary_http_get.yml
│ │ │ ├── opencanary_http_post_login_attempt.yml
│ │ │ ├── opencanary_httpproxy_login_attempt.yml
│ │ │ ├── opencanary_mssql_login_sqlauth.yml
│ │ │ ├── opencanary_mssql_login_winauth.yml
│ │ │ ├── opencanary_mysql_login_attempt.yml
│ │ │ ├── opencanary_ntp_monlist.yml
│ │ │ ├── opencanary_portscan_nmap_fin_scan.yaml
│ │ │ ├── opencanary_portscan_nmap_null_scan.yaml
│ │ │ ├── opencanary_portscan_nmap_os_scan.yaml
│ │ │ ├── opencanary_portscan_nmap_xmas_scan.yaml
│ │ │ ├── opencanary_portscan_syn_scan.yaml
│ │ │ ├── opencanary_rdp_connection_attempt.yaml
│ │ │ ├── opencanary_redis_command.yml
│ │ │ ├── opencanary_sip_request.yml
│ │ │ ├── opencanary_smb_file_open.yml
│ │ │ ├── opencanary_snmp_cmd.yml
│ │ │ ├── opencanary_ssh_login_attempt.yml
│ │ │ ├── opencanary_ssh_new_connection.yml
│ │ │ ├── opencanary_telnet_login_attempt.yml
│ │ │ ├── opencanary_tftp_request.yml
│ │ │ └── opencanary_vnc_connection_attempt.yml
│ │ ├── python/
│ │ │ └── app_python_sql_exceptions.yml
│ │ ├── rpc_firewall/
│ │ │ ├── rpc_firewall_atsvc_lateral_movement.yml
│ │ │ ├── rpc_firewall_atsvc_recon.yml
│ │ │ ├── rpc_firewall_dcsync_attack.yml
│ │ │ ├── rpc_firewall_efs_abuse.yml
│ │ │ ├── rpc_firewall_eventlog_recon.yml
│ │ │ ├── rpc_firewall_itaskschedulerservice_lateral_movement.yml
│ │ │ ├── rpc_firewall_itaskschedulerservice_recon.yml
│ │ │ ├── rpc_firewall_printing_lateral_movement.yml
│ │ │ ├── rpc_firewall_remote_dcom_or_wmi.yml
│ │ │ ├── rpc_firewall_remote_registry_lateral_movement.yml
│ │ │ ├── rpc_firewall_remote_registry_recon.yml
│ │ │ ├── rpc_firewall_remote_server_service_abuse.yml
│ │ │ ├── rpc_firewall_remote_service_lateral_movement.yml
│ │ │ ├── rpc_firewall_sasec_lateral_movement.yml
│ │ │ ├── rpc_firewall_sasec_recon.yml
│ │ │ ├── rpc_firewall_sharphound_recon_account.yml
│ │ │ └── rpc_firewall_sharphound_recon_sessions.yml
│ │ ├── ruby/
│ │ │ └── appframework_ruby_on_rails_exceptions.yml
│ │ ├── spring/
│ │ │ ├── spring_application_exceptions.yml
│ │ │ └── spring_spel_injection.yml
│ │ ├── sql/
│ │ │ └── app_sqlinjection_errors.yml
│ │ └── velocity/
│ │ └── velocity_ssti_injection.yml
│ ├── category/
│ │ ├── antivirus/
│ │ │ ├── av_exploiting.yml
│ │ │ ├── av_hacktool.yml
│ │ │ ├── av_password_dumper.yml
│ │ │ ├── av_ransomware.yml
│ │ │ ├── av_relevant_files.yml
│ │ │ └── av_webshell.yml
│ │ └── database/
│ │ └── db_anomalous_query.yml
│ ├── cloud/
│ │ ├── aws/
│ │ │ └── cloudtrail/
│ │ │ ├── aws_cloudtrail_bucket_deleted.yml
│ │ │ ├── aws_cloudtrail_console_login_failed_authentication.yml
│ │ │ ├── aws_cloudtrail_console_login_success_without_mfa.yml
│ │ │ ├── aws_cloudtrail_disable_logging.yml
│ │ │ ├── aws_cloudtrail_guardduty_detector_deleted_or_updated.yml
│ │ │ ├── aws_cloudtrail_imds_malicious_usage.yml
│ │ │ ├── aws_cloudtrail_new_acl_entries.yml
│ │ │ ├── aws_cloudtrail_new_route_added.yml
│ │ │ ├── aws_cloudtrail_pua_trufflehog.yml
│ │ │ ├── aws_cloudtrail_region_enabled.yml
│ │ │ ├── aws_cloudtrail_security_group_change_ingress_egress.yml
│ │ │ ├── aws_cloudtrail_security_group_change_loadbalancer.yml
│ │ │ ├── aws_cloudtrail_security_group_change_rds.yml
│ │ │ ├── aws_cloudtrail_ssm_malicious_usage.yml
│ │ │ ├── aws_cloudtrail_vpc_flow_logs_deleted.yml
│ │ │ ├── aws_config_disable_recording.yml
│ │ │ ├── aws_console_getsignintoken.yml
│ │ │ ├── aws_delete_identity.yml
│ │ │ ├── aws_delete_saml_provider.yml
│ │ │ ├── aws_disable_bucket_versioning.yml
│ │ │ ├── aws_ec2_disable_encryption.yml
│ │ │ ├── aws_ec2_import_key_pair_activity.yml
│ │ │ ├── aws_ec2_startup_script_change.yml
│ │ │ ├── aws_ec2_vm_export_failure.yml
│ │ │ ├── aws_ecs_task_definition_cred_endpoint_query.yml
│ │ │ ├── aws_efs_fileshare_modified_or_deleted.yml
│ │ │ ├── aws_efs_fileshare_mount_modified_or_deleted.yml
│ │ │ ├── aws_eks_cluster_created_or_deleted.yml
│ │ │ ├── aws_elasticache_security_group_created.yml
│ │ │ ├── aws_elasticache_security_group_modified_or_deleted.yml
│ │ │ ├── aws_enum_buckets.yml
│ │ │ ├── aws_guardduty_disruption.yml
│ │ │ ├── aws_iam_backdoor_users_keys.yml
│ │ │ ├── aws_iam_s3browser_loginprofile_creation.yml
│ │ │ ├── aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
│ │ │ ├── aws_iam_s3browser_user_or_accesskey_creation.yml
│ │ │ ├── aws_kms_import_key_material.yml
│ │ │ ├── aws_lambda_function_url.yml
│ │ │ ├── aws_new_lambda_layer_attached.yml
│ │ │ ├── aws_passed_role_to_glue_development_endpoint.yml
│ │ │ ├── aws_rds_change_master_password.yml
│ │ │ ├── aws_rds_dbcluster_actions.yml
│ │ │ ├── aws_rds_public_db_restore.yml
│ │ │ ├── aws_root_account_usage.yml
│ │ │ ├── aws_route_53_domain_transferred_lock_disabled.yml
│ │ │ ├── aws_route_53_domain_transferred_to_another_account.yml
│ │ │ ├── aws_s3_data_management_tampering.yml
│ │ │ ├── aws_securityhub_finding_evasion.yml
│ │ │ ├── aws_snapshot_backup_exfiltration.yml
│ │ │ ├── aws_sso_idp_change.yml
│ │ │ ├── aws_sts_assumerole_misuse.yml
│ │ │ ├── aws_sts_getcalleridentity_trufflehog.yml
│ │ │ ├── aws_sts_getsessiontoken_misuse.yml
│ │ │ ├── aws_susp_saml_activity.yml
│ │ │ └── aws_update_login_profile.yml
│ │ ├── azure/
│ │ │ ├── activity_logs/
│ │ │ │ ├── azure_aadhybridhealth_adfs_new_server.yml
│ │ │ │ ├── azure_aadhybridhealth_adfs_service_delete.yml
│ │ │ │ ├── azure_ad_user_added_to_admin_role.yml
│ │ │ │ ├── azure_application_deleted.yml
│ │ │ │ ├── azure_application_gateway_modified_or_deleted.yml
│ │ │ │ ├── azure_application_security_group_modified_or_deleted.yml
│ │ │ │ ├── azure_container_registry_created_or_deleted.yml
│ │ │ │ ├── azure_creating_number_of_resources_detection.yml
│ │ │ │ ├── azure_device_no_longer_managed_or_compliant.yml
│ │ │ │ ├── azure_device_or_configuration_modified_or_deleted.yml
│ │ │ │ ├── azure_dns_zone_modified_or_deleted.yml
│ │ │ │ ├── azure_firewall_modified_or_deleted.yml
│ │ │ │ ├── azure_firewall_rule_collection_modified_or_deleted.yml
│ │ │ │ ├── azure_granting_permission_detection.yml
│ │ │ │ ├── azure_keyvault_key_modified_or_deleted.yml
│ │ │ │ ├── azure_keyvault_modified_or_deleted.yml
│ │ │ │ ├── azure_keyvault_secrets_modified_or_deleted.yml
│ │ │ │ ├── azure_kubernetes_admission_controller.yml
│ │ │ │ ├── azure_kubernetes_cluster_created_or_deleted.yml
│ │ │ │ ├── azure_kubernetes_cronjob.yml
│ │ │ │ ├── azure_kubernetes_events_deleted.yml
│ │ │ │ ├── azure_kubernetes_network_policy_change.yml
│ │ │ │ ├── azure_kubernetes_pods_deleted.yml
│ │ │ │ ├── azure_kubernetes_role_access.yml
│ │ │ │ ├── azure_kubernetes_rolebinding_modified_or_deleted.yml
│ │ │ │ ├── azure_kubernetes_secret_or_config_object_access.yml
│ │ │ │ ├── azure_kubernetes_service_account_modified_or_deleted.yml
│ │ │ │ ├── azure_mfa_disabled.yml
│ │ │ │ ├── azure_network_firewall_policy_modified_or_deleted.yml
│ │ │ │ ├── azure_network_firewall_rule_modified_or_deleted.yml
│ │ │ │ ├── azure_network_p2s_vpn_modified_or_deleted.yml
│ │ │ │ ├── azure_network_security_modified_or_deleted.yml
│ │ │ │ ├── azure_network_virtual_device_modified_or_deleted.yml
│ │ │ │ ├── azure_new_cloudshell_created.yml
│ │ │ │ ├── azure_owner_removed_from_application_or_service_principal.yml
│ │ │ │ ├── azure_rare_operations.yml
│ │ │ │ ├── azure_service_principal_created.yml
│ │ │ │ ├── azure_service_principal_removed.yml
│ │ │ │ ├── azure_subscription_permissions_elevation_via_activitylogs.yml
│ │ │ │ ├── azure_suppression_rule_created.yml
│ │ │ │ ├── azure_virtual_network_modified_or_deleted.yml
│ │ │ │ └── azure_vpn_connection_modified_or_deleted.yml
│ │ │ ├── audit_logs/
│ │ │ │ ├── azure_aad_secops_ca_policy_removedby_bad_actor.yml
│ │ │ │ ├── azure_aad_secops_ca_policy_updatedby_bad_actor.yml
│ │ │ │ ├── azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
│ │ │ │ ├── azure_ad_account_created_deleted.yml
│ │ │ │ ├── azure_ad_bitlocker_key_retrieval.yml
│ │ │ │ ├── azure_ad_certificate_based_authencation_enabled.yml
│ │ │ │ ├── azure_ad_device_registration_policy_changes.yml
│ │ │ │ ├── azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
│ │ │ │ ├── azure_ad_new_root_ca_added.yml
│ │ │ │ ├── azure_ad_users_added_to_device_admin_roles.yml
│ │ │ │ ├── azure_app_appid_uri_changes.yml
│ │ │ │ ├── azure_app_credential_added.yml
│ │ │ │ ├── azure_app_delegated_permissions_all_users.yml
│ │ │ │ ├── azure_app_end_user_consent.yml
│ │ │ │ ├── azure_app_end_user_consent_blocked.yml
│ │ │ │ ├── azure_app_owner_added.yml
│ │ │ │ ├── azure_app_permissions_msft.yml
│ │ │ │ ├── azure_app_privileged_permissions.yml
│ │ │ │ ├── azure_app_role_added.yml
│ │ │ │ ├── azure_app_uri_modifications.yml
│ │ │ │ ├── azure_auditlogs_laps_credential_dumping.yml
│ │ │ │ ├── azure_change_to_authentication_method.yml
│ │ │ │ ├── azure_federation_modified.yml
│ │ │ │ ├── azure_group_user_addition_ca_modification.yml
│ │ │ │ ├── azure_group_user_removal_ca_modification.yml
│ │ │ │ ├── azure_guest_invite_failure.yml
│ │ │ │ ├── azure_guest_to_member.yml
│ │ │ │ ├── azure_pim_activation_approve_deny.yml
│ │ │ │ ├── azure_pim_alerts_disabled.yml
│ │ │ │ ├── azure_pim_change_settings.yml
│ │ │ │ ├── azure_priviledged_role_assignment_add.yml
│ │ │ │ ├── azure_priviledged_role_assignment_bulk_change.yml
│ │ │ │ ├── azure_privileged_account_creation.yml
│ │ │ │ ├── azure_subscription_permissions_elevation_via_auditlogs.yml
│ │ │ │ ├── azure_tap_added.yml
│ │ │ │ ├── azure_update_risk_and_mfa_registration_policy.yml
│ │ │ │ ├── azure_user_account_mfa_disable.yml
│ │ │ │ └── azure_user_password_change.yml
│ │ │ ├── identity_protection/
│ │ │ │ ├── azure_identity_protection_anomalous_token.yml
│ │ │ │ ├── azure_identity_protection_anomalous_user.yml
│ │ │ │ ├── azure_identity_protection_anonymous_ip_activity.yml
│ │ │ │ ├── azure_identity_protection_anonymous_ip_address.yml
│ │ │ │ ├── azure_identity_protection_atypical_travel.yml
│ │ │ │ ├── azure_identity_protection_impossible_travel.yml
│ │ │ │ ├── azure_identity_protection_inbox_forwarding_rule.yml
│ │ │ │ ├── azure_identity_protection_inbox_manipulation.yml
│ │ │ │ ├── azure_identity_protection_leaked_credentials.yml
│ │ │ │ ├── azure_identity_protection_malicious_ip_address.yml
│ │ │ │ ├── azure_identity_protection_malicious_ip_address_suspicious.yml
│ │ │ │ ├── azure_identity_protection_malware_linked_ip.yml
│ │ │ │ ├── azure_identity_protection_new_coutry_region.yml
│ │ │ │ ├── azure_identity_protection_password_spray.yml
│ │ │ │ ├── azure_identity_protection_prt_access.yml
│ │ │ │ ├── azure_identity_protection_suspicious_browser.yml
│ │ │ │ ├── azure_identity_protection_threat_intel.yml
│ │ │ │ ├── azure_identity_protection_token_issuer_anomaly.yml
│ │ │ │ └── azure_identity_protection_unfamilar_sign_in.yml
│ │ │ ├── privileged_identity_management/
│ │ │ │ ├── azure_pim_account_stale.yml
│ │ │ │ ├── azure_pim_invalid_license.yml
│ │ │ │ ├── azure_pim_role_assigned_outside_of_pim.yml
│ │ │ │ ├── azure_pim_role_frequent_activation.yml
│ │ │ │ ├── azure_pim_role_no_mfa_required.yml
│ │ │ │ ├── azure_pim_role_not_used.yml
│ │ │ │ └── azure_pim_too_many_global_admins.yml
│ │ │ └── signin_logs/
│ │ │ ├── azure_account_lockout.yml
│ │ │ ├── azure_ad_auth_failure_increase.yml
│ │ │ ├── azure_ad_auth_sucess_increase.yml
│ │ │ ├── azure_ad_auth_to_important_apps_using_single_factor_auth.yml
│ │ │ ├── azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
│ │ │ ├── azure_ad_azurehound_discovery.yml
│ │ │ ├── azure_ad_device_registration_or_join_without_mfa.yml
│ │ │ ├── azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
│ │ │ ├── azure_ad_only_single_factor_auth_required.yml
│ │ │ ├── azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
│ │ │ ├── azure_ad_sign_ins_from_noncompliant_devices.yml
│ │ │ ├── azure_ad_sign_ins_from_unknown_devices.yml
│ │ │ ├── azure_ad_suspicious_signin_bypassing_mfa.yml
│ │ │ ├── azure_app_device_code_authentication.yml
│ │ │ ├── azure_app_ropc_authentication.yml
│ │ │ ├── azure_blocked_account_attempt.yml
│ │ │ ├── azure_conditional_access_failure.yml
│ │ │ ├── azure_legacy_authentication_protocols.yml
│ │ │ ├── azure_login_to_disabled_account.yml
│ │ │ ├── azure_mfa_denies.yml
│ │ │ ├── azure_mfa_interrupted.yml
│ │ │ ├── azure_unusual_authentication_interruption.yml
│ │ │ ├── azure_user_login_blocked_by_conditional_access.yml
│ │ │ └── azure_users_authenticating_to_other_azure_ad_tenants.yml
│ │ ├── gcp/
│ │ │ ├── audit/
│ │ │ │ ├── gcp_access_policy_deleted.yml
│ │ │ │ ├── gcp_breakglass_container_workload_deployed.yml
│ │ │ │ ├── gcp_bucket_enumeration.yml
│ │ │ │ ├── gcp_bucket_modified_or_deleted.yml
│ │ │ │ ├── gcp_dlp_re_identifies_sensitive_information.yml
│ │ │ │ ├── gcp_dns_zone_modified_or_deleted.yml
│ │ │ │ ├── gcp_firewall_rule_modified_or_deleted.yml
│ │ │ │ ├── gcp_full_network_traffic_packet_capture.yml
│ │ │ │ ├── gcp_kubernetes_admission_controller.yml
│ │ │ │ ├── gcp_kubernetes_cronjob.yml
│ │ │ │ ├── gcp_kubernetes_rolebinding.yml
│ │ │ │ ├── gcp_kubernetes_secrets_modified_or_deleted.yml
│ │ │ │ ├── gcp_service_account_disabled_or_deleted.yml
│ │ │ │ ├── gcp_service_account_modified.yml
│ │ │ │ ├── gcp_sql_database_modified_or_deleted.yml
│ │ │ │ └── gcp_vpn_tunnel_modified_or_deleted.yml
│ │ │ └── gworkspace/
│ │ │ ├── gcp_gworkspace_application_access_levels_modified.yml
│ │ │ ├── gcp_gworkspace_application_removed.yml
│ │ │ ├── gcp_gworkspace_granted_domain_api_access.yml
│ │ │ ├── gcp_gworkspace_mfa_disabled.yml
│ │ │ ├── gcp_gworkspace_role_modified_or_deleted.yml
│ │ │ ├── gcp_gworkspace_role_privilege_deleted.yml
│ │ │ └── gcp_gworkspace_user_granted_admin_privileges.yml
│ │ └── m365/
│ │ ├── audit/
│ │ │ ├── microsoft365_bypass_conditional_access.yml
│ │ │ ├── microsoft365_disabling_mfa.yml
│ │ │ └── microsoft365_new_federated_domain_added_audit.yml
│ │ ├── exchange/
│ │ │ └── microsoft365_new_federated_domain_added_exchange.yml
│ │ ├── threat_detection/
│ │ │ └── microsoft365_from_susp_ip_addresses.yml
│ │ └── threat_management/
│ │ ├── microsoft365_activity_by_terminated_user.yml
│ │ ├── microsoft365_activity_from_anonymous_ip_addresses.yml
│ │ ├── microsoft365_activity_from_infrequent_country.yml
│ │ ├── microsoft365_data_exfiltration_to_unsanctioned_app.yml
│ │ ├── microsoft365_impossible_travel_activity.yml
│ │ ├── microsoft365_logon_from_risky_ip_address.yml
│ │ ├── microsoft365_potential_ransomware_activity.yml
│ │ ├── microsoft365_pst_export_alert.yml
│ │ ├── microsoft365_pst_export_alert_using_new_compliancesearchaction.yml
│ │ ├── microsoft365_susp_inbox_forwarding.yml
│ │ ├── microsoft365_susp_oauth_app_file_download_activities.yml
│ │ ├── microsoft365_unusual_volume_of_file_deletion.yml
│ │ └── microsoft365_user_restricted_from_sending_email.yml
│ ├── identity/
│ │ ├── cisco_duo/
│ │ │ └── cisco_duo_mfa_bypass_via_bypass_code.yml
│ │ ├── okta/
│ │ │ ├── okta_admin_activity_from_proxy_query.yml
│ │ │ ├── okta_admin_role_assigned_to_user_or_group.yml
│ │ │ ├── okta_admin_role_assignment_created.yml
│ │ │ ├── okta_api_token_created.yml
│ │ │ ├── okta_api_token_revoked.yml
│ │ │ ├── okta_application_modified_or_deleted.yml
│ │ │ ├── okta_application_sign_on_policy_modified_or_deleted.yml
│ │ │ ├── okta_fastpass_phishing_detection.yml
│ │ │ ├── okta_identity_provider_created.yml
│ │ │ ├── okta_mfa_reset_or_deactivated.yml
│ │ │ ├── okta_network_zone_deactivated_or_deleted.yml
│ │ │ ├── okta_new_behaviours_admin_console.yml
│ │ │ ├── okta_password_in_alternateid_field.yml
│ │ │ ├── okta_policy_modified_or_deleted.yml
│ │ │ ├── okta_policy_rule_modified_or_deleted.yml
│ │ │ ├── okta_security_threat_detected.yml
│ │ │ ├── okta_suspicious_activity_enduser_report.yml
│ │ │ ├── okta_unauthorized_access_to_app.yml
│ │ │ ├── okta_user_account_locked_out.yml
│ │ │ ├── okta_user_created.yml
│ │ │ └── okta_user_session_start_via_anonymised_proxy.yml
│ │ └── onelogin/
│ │ ├── onelogin_assumed_another_user.yml
│ │ └── onelogin_user_account_locked.yml
│ ├── linux/
│ │ ├── auditd/
│ │ │ ├── execve/
│ │ │ │ ├── lnx_auditd_binary_padding.yml
│ │ │ │ ├── lnx_auditd_bpfdoor_port_redirect.yml
│ │ │ │ ├── lnx_auditd_capabilities_discovery.yml
│ │ │ │ ├── lnx_auditd_change_file_time_attr.yml
│ │ │ │ ├── lnx_auditd_chattr_immutable_removal.yml
│ │ │ │ ├── lnx_auditd_clipboard_collection.yml
│ │ │ │ ├── lnx_auditd_clipboard_image_collection.yml
│ │ │ │ ├── lnx_auditd_coinminer.yml
│ │ │ │ ├── lnx_auditd_data_compressed.yml
│ │ │ │ ├── lnx_auditd_data_exfil_wget.yml
│ │ │ │ ├── lnx_auditd_dd_delete_file.yml
│ │ │ │ ├── lnx_auditd_file_or_folder_permissions.yml
│ │ │ │ ├── lnx_auditd_find_cred_in_files.yml
│ │ │ │ ├── lnx_auditd_hidden_files_directories.yml
│ │ │ │ ├── lnx_auditd_hidden_zip_files_steganography.yml
│ │ │ │ ├── lnx_auditd_masquerading_crond.yml
│ │ │ │ ├── lnx_auditd_modify_system_firewall.yml
│ │ │ │ ├── lnx_auditd_network_sniffing.yml
│ │ │ │ ├── lnx_auditd_screencapture_import.yml
│ │ │ │ ├── lnx_auditd_screencaputre_xwd.yml
│ │ │ │ ├── lnx_auditd_steghide_embed_steganography.yml
│ │ │ │ ├── lnx_auditd_steghide_extract_steganography.yml
│ │ │ │ ├── lnx_auditd_susp_cmds.yml
│ │ │ │ ├── lnx_auditd_susp_histfile_operations.yml
│ │ │ │ ├── lnx_auditd_susp_service_reload_or_restart.yml
│ │ │ │ ├── lnx_auditd_system_shutdown_reboot.yml
│ │ │ │ ├── lnx_auditd_unzip_hidden_zip_files_steganography.yml
│ │ │ │ └── lnx_auditd_user_discovery.yml
│ │ │ ├── lnx_auditd_audio_capture.yml
│ │ │ ├── lnx_auditd_disable_aslr_protection.yml
│ │ │ ├── lnx_auditd_keylogging_with_pam_d.yml
│ │ │ ├── lnx_auditd_password_policy_discovery.yml
│ │ │ ├── lnx_auditd_susp_c2_commands.yml
│ │ │ ├── lnx_auditd_system_info_discovery.yml
│ │ │ ├── path/
│ │ │ │ ├── lnx_auditd_auditing_config_change.yml
│ │ │ │ ├── lnx_auditd_bpfdoor_file_accessed.yml
│ │ │ │ ├── lnx_auditd_hidden_binary_execution.yml
│ │ │ │ ├── lnx_auditd_ld_so_preload_mod.yml
│ │ │ │ ├── lnx_auditd_logging_config_change.yml
│ │ │ │ ├── lnx_auditd_magic_system_request_key.yml
│ │ │ │ ├── lnx_auditd_system_info_discovery2.yml
│ │ │ │ ├── lnx_auditd_systemd_service_creation.yml
│ │ │ │ └── lnx_auditd_unix_shell_configuration_modification.yml
│ │ │ ├── service_stop/
│ │ │ │ └── lnx_auditd_disable_system_firewall.yml
│ │ │ └── syscall/
│ │ │ ├── lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml
│ │ │ ├── lnx_auditd_create_account.yml
│ │ │ ├── lnx_auditd_load_module_insmod.yml
│ │ │ ├── lnx_auditd_network_service_scanning.yml
│ │ │ ├── lnx_auditd_split_file_into_pieces.yml
│ │ │ ├── lnx_auditd_susp_discovery_sysinfo_syscall.yml
│ │ │ ├── lnx_auditd_susp_exe_folders.yml
│ │ │ ├── lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml
│ │ │ └── lnx_auditd_web_rce.yml
│ │ ├── builtin/
│ │ │ ├── clamav/
│ │ │ │ └── lnx_clamav_relevant_message.yml
│ │ │ ├── cron/
│ │ │ │ └── lnx_cron_crontab_file_modification.yml
│ │ │ ├── guacamole/
│ │ │ │ └── lnx_guacamole_susp_guacamole.yml
│ │ │ ├── lnx_apt_equationgroup_lnx.yml
│ │ │ ├── lnx_buffer_overflows.yml
│ │ │ ├── lnx_clear_syslog.yml
│ │ │ ├── lnx_file_copy.yml
│ │ │ ├── lnx_ldso_preload_injection.yml
│ │ │ ├── lnx_potential_susp_ebpf_activity.yml
│ │ │ ├── lnx_privileged_user_creation.yml
│ │ │ ├── lnx_shell_clear_cmd_history.yml
│ │ │ ├── lnx_shell_susp_commands.yml
│ │ │ ├── lnx_shell_susp_log_entries.yml
│ │ │ ├── lnx_shell_susp_rev_shells.yml
│ │ │ ├── lnx_shellshock.yml
│ │ │ ├── lnx_susp_dev_tcp.yml
│ │ │ ├── lnx_susp_jexboss.yml
│ │ │ ├── lnx_symlink_etc_passwd.yml
│ │ │ ├── sshd/
│ │ │ │ └── lnx_sshd_susp_ssh.yml
│ │ │ ├── syslog/
│ │ │ │ ├── lnx_syslog_security_tools_disabling_syslog.yml
│ │ │ │ └── lnx_syslog_susp_named.yml
│ │ │ └── vsftpd/
│ │ │ └── lnx_vsftpd_susp_error_messages.yml
│ │ ├── file_event/
│ │ │ ├── file_event_lnx_doas_conf_creation.yml
│ │ │ ├── file_event_lnx_persistence_cron_files.yml
│ │ │ ├── file_event_lnx_persistence_sudoers_files.yml
│ │ │ ├── file_event_lnx_susp_filename_with_embedded_base64_command.yml
│ │ │ ├── file_event_lnx_susp_shell_script_under_profile_directory.yml
│ │ │ ├── file_event_lnx_triple_cross_rootkit_lock_file.yml
│ │ │ ├── file_event_lnx_triple_cross_rootkit_persistence.yml
│ │ │ └── file_event_lnx_wget_download_file_in_tmp_dir.yml
│ │ ├── network_connection/
│ │ │ ├── net_connection_lnx_back_connect_shell_dev.yml
│ │ │ ├── net_connection_lnx_crypto_mining_indicators.yml
│ │ │ ├── net_connection_lnx_domain_localtonet_tunnel.yml
│ │ │ ├── net_connection_lnx_ngrok_tunnel.yml
│ │ │ └── net_connection_lnx_susp_malware_callback_port.yml
│ │ └── process_creation/
│ │ ├── proc_creation_lnx_apt_shell_execution.yml
│ │ ├── proc_creation_lnx_at_command.yml
│ │ ├── proc_creation_lnx_auditctl_clear_rules.yml
│ │ ├── proc_creation_lnx_av_kaspersky_av_disabled.yml
│ │ ├── proc_creation_lnx_awk_shell_spawn.yml
│ │ ├── proc_creation_lnx_base64_decode.yml
│ │ ├── proc_creation_lnx_base64_execution.yml
│ │ ├── proc_creation_lnx_base64_shebang_cli.yml
│ │ ├── proc_creation_lnx_bash_interactive_shell.yml
│ │ ├── proc_creation_lnx_bpf_kprob_tracing_enabled.yml
│ │ ├── proc_creation_lnx_bpftrace_unsafe_option_usage.yml
│ │ ├── proc_creation_lnx_cap_setgid.yml
│ │ ├── proc_creation_lnx_cap_setuid.yml
│ │ ├── proc_creation_lnx_capa_discovery.yml
│ │ ├── proc_creation_lnx_capsh_shell_invocation.yml
│ │ ├── proc_creation_lnx_chattr_immutable_removal.yml
│ │ ├── proc_creation_lnx_chroot_execution.yml
│ │ ├── proc_creation_lnx_clear_logs.yml
│ │ ├── proc_creation_lnx_clear_syslog.yml
│ │ ├── proc_creation_lnx_clipboard_collection.yml
│ │ ├── proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
│ │ ├── proc_creation_lnx_crontab_enumeration.yml
│ │ ├── proc_creation_lnx_crontab_removal.yml
│ │ ├── proc_creation_lnx_crypto_mining.yml
│ │ ├── proc_creation_lnx_curl_usage.yml
│ │ ├── proc_creation_lnx_curl_wget_exec_tmp.yml
│ │ ├── proc_creation_lnx_dd_file_overwrite.yml
│ │ ├── proc_creation_lnx_dd_process_injection.yml
│ │ ├── proc_creation_lnx_disable_ufw.yml
│ │ ├── proc_creation_lnx_doas_execution.yml
│ │ ├── proc_creation_lnx_env_shell_invocation.yml
│ │ ├── proc_creation_lnx_esxcli_network_discovery.yml
│ │ ├── proc_creation_lnx_esxcli_permission_change_admin.yml
│ │ ├── proc_creation_lnx_esxcli_storage_discovery.yml
│ │ ├── proc_creation_lnx_esxcli_syslog_config_change.yml
│ │ ├── proc_creation_lnx_esxcli_system_discovery.yml
│ │ ├── proc_creation_lnx_esxcli_user_account_creation.yml
│ │ ├── proc_creation_lnx_esxcli_vm_discovery.yml
│ │ ├── proc_creation_lnx_esxcli_vm_kill.yml
│ │ ├── proc_creation_lnx_esxcli_vsan_discovery.yml
│ │ ├── proc_creation_lnx_file_and_directory_discovery.yml
│ │ ├── proc_creation_lnx_file_deletion.yml
│ │ ├── proc_creation_lnx_find_shell_execution.yml
│ │ ├── proc_creation_lnx_flock_shell_execution.yml
│ │ ├── proc_creation_lnx_gcc_shell_execution.yml
│ │ ├── proc_creation_lnx_git_shell_execution.yml
│ │ ├── proc_creation_lnx_grep_os_arch_discovery.yml
│ │ ├── proc_creation_lnx_groupdel.yml
│ │ ├── proc_creation_lnx_install_root_certificate.yml
│ │ ├── proc_creation_lnx_install_suspicious_packages.yml
│ │ ├── proc_creation_lnx_iptables_flush_ufw.yml
│ │ ├── proc_creation_lnx_local_account.yml
│ │ ├── proc_creation_lnx_local_groups.yml
│ │ ├── proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
│ │ ├── proc_creation_lnx_mkfifo_named_pipe_creation.yml
│ │ ├── proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
│ │ ├── proc_creation_lnx_mount_hidepid.yml
│ │ ├── proc_creation_lnx_netcat_reverse_shell.yml
│ │ ├── proc_creation_lnx_nice_shell_execution.yml
│ │ ├── proc_creation_lnx_nohup.yml
│ │ ├── proc_creation_lnx_nohup_susp_execution.yml
│ │ ├── proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
│ │ ├── proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
│ │ ├── proc_creation_lnx_perl_reverse_shell.yml
│ │ ├── proc_creation_lnx_php_reverse_shell.yml
│ │ ├── proc_creation_lnx_pnscan_binary_cli_pattern.yml
│ │ ├── proc_creation_lnx_proxy_connection.yml
│ │ ├── proc_creation_lnx_pua_trufflehog.yml
│ │ ├── proc_creation_lnx_python_http_server_execution.yml
│ │ ├── proc_creation_lnx_python_pty_spawn.yml
│ │ ├── proc_creation_lnx_python_reverse_shell.yml
│ │ ├── proc_creation_lnx_python_shell_os_system.yml
│ │ ├── proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml
│ │ ├── proc_creation_lnx_remote_system_discovery.yml
│ │ ├── proc_creation_lnx_remove_package.yml
│ │ ├── proc_creation_lnx_rsync_shell_execution.yml
│ │ ├── proc_creation_lnx_rsync_shell_spawn.yml
│ │ ├── proc_creation_lnx_ruby_reverse_shell.yml
│ │ ├── proc_creation_lnx_schedule_task_job_cron.yml
│ │ ├── proc_creation_lnx_security_software_discovery.yml
│ │ ├── proc_creation_lnx_security_tools_disabling.yml
│ │ ├── proc_creation_lnx_services_stop_and_disable.yml
│ │ ├── proc_creation_lnx_setgid_setuid.yml
│ │ ├── proc_creation_lnx_ssh_shell_execution.yml
│ │ ├── proc_creation_lnx_ssm_agent_abuse.yml
│ │ ├── proc_creation_lnx_susp_chmod_directories.yml
│ │ ├── proc_creation_lnx_susp_container_residence_discovery.yml
│ │ ├── proc_creation_lnx_susp_curl_fileupload.yml
│ │ ├── proc_creation_lnx_susp_curl_useragent.yml
│ │ ├── proc_creation_lnx_susp_dockerenv_recon.yml
│ │ ├── proc_creation_lnx_susp_execution_tmp_folder.yml
│ │ ├── proc_creation_lnx_susp_find_execution.yml
│ │ ├── proc_creation_lnx_susp_git_clone.yml
│ │ ├── proc_creation_lnx_susp_history_delete.yml
│ │ ├── proc_creation_lnx_susp_history_recon.yml
│ │ ├── proc_creation_lnx_susp_hktl_execution.yml
│ │ ├── proc_creation_lnx_susp_inod_listing.yml
│ │ ├── proc_creation_lnx_susp_interactive_bash.yml
│ │ ├── proc_creation_lnx_susp_java_children.yml
│ │ ├── proc_creation_lnx_susp_network_utilities_execution.yml
│ │ ├── proc_creation_lnx_susp_pipe_shell.yml
│ │ ├── proc_creation_lnx_susp_process_reading_sudoers.yml
│ │ ├── proc_creation_lnx_susp_recon_indicators.yml
│ │ ├── proc_creation_lnx_susp_sensitive_file_access.yml
│ │ ├── proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
│ │ ├── proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
│ │ ├── proc_creation_lnx_system_info_discovery.yml
│ │ ├── proc_creation_lnx_system_network_connections_discovery.yml
│ │ ├── proc_creation_lnx_system_network_discovery.yml
│ │ ├── proc_creation_lnx_systemctl_mask_power_settings.yml
│ │ ├── proc_creation_lnx_touch_susp.yml
│ │ ├── proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
│ │ ├── proc_creation_lnx_triple_cross_rootkit_install.yml
│ │ ├── proc_creation_lnx_userdel.yml
│ │ ├── proc_creation_lnx_usermod_susp_group.yml
│ │ ├── proc_creation_lnx_vim_shell_execution.yml
│ │ ├── proc_creation_lnx_webshell_detection.yml
│ │ ├── proc_creation_lnx_wget_download_suspicious_directory.yml
│ │ └── proc_creation_lnx_xterm_reverse_shell.yml
│ ├── macos/
│ │ ├── file_event/
│ │ │ ├── file_event_macos_emond_launch_daemon.yml
│ │ │ └── file_event_macos_susp_startup_item_created.yml
│ │ └── process_creation/
│ │ ├── proc_creation_macos_applescript.yml
│ │ ├── proc_creation_macos_base64_decode.yml
│ │ ├── proc_creation_macos_binary_padding.yml
│ │ ├── proc_creation_macos_change_file_time_attr.yml
│ │ ├── proc_creation_macos_chflags_hidden_flag.yml
│ │ ├── proc_creation_macos_clear_system_logs.yml
│ │ ├── proc_creation_macos_clipboard_data_via_osascript.yml
│ │ ├── proc_creation_macos_create_account.yml
│ │ ├── proc_creation_macos_create_hidden_account.yml
│ │ ├── proc_creation_macos_creds_from_keychain.yml
│ │ ├── proc_creation_macos_csrutil_disable.yml
│ │ ├── proc_creation_macos_csrutil_status.yml
│ │ ├── proc_creation_macos_disable_security_tools.yml
│ │ ├── proc_creation_macos_dscl_add_user_to_admin_group.yml
│ │ ├── proc_creation_macos_dseditgroup_add_to_admin_group.yml
│ │ ├── proc_creation_macos_dsenableroot_enable_root_account.yml
│ │ ├── proc_creation_macos_file_and_directory_discovery.yml
│ │ ├── proc_creation_macos_find_cred_in_files.yml
│ │ ├── proc_creation_macos_gui_input_capture.yml
│ │ ├── proc_creation_macos_hdiutil_create.yml
│ │ ├── proc_creation_macos_hdiutil_mount.yml
│ │ ├── proc_creation_macos_installer_susp_child_process.yml
│ │ ├── proc_creation_macos_ioreg_discovery.yml
│ │ ├── proc_creation_macos_jamf_susp_child.yml
│ │ ├── proc_creation_macos_jamf_usage.yml
│ │ ├── proc_creation_macos_jxa_in_memory_execution.yml
│ │ ├── proc_creation_macos_launchctl_execution.yml
│ │ ├── proc_creation_macos_local_account.yml
│ │ ├── proc_creation_macos_local_groups.yml
│ │ ├── proc_creation_macos_network_service_scanning.yml
│ │ ├── proc_creation_macos_network_sniffing.yml
│ │ ├── proc_creation_macos_nscurl_usage.yml
│ │ ├── proc_creation_macos_office_susp_child_processes.yml
│ │ ├── proc_creation_macos_osacompile_runonly_execution.yml
│ │ ├── proc_creation_macos_payload_decoded_and_decrypted.yml
│ │ ├── proc_creation_macos_persistence_via_plistbuddy.yml
│ │ ├── proc_creation_macos_remote_access_tools_meshagent_arguments.yml
│ │ ├── proc_creation_macos_remote_access_tools_renamed_meshagent_execution.yml
│ │ ├── proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml
│ │ ├── proc_creation_macos_remote_system_discovery.yml
│ │ ├── proc_creation_macos_schedule_task_job_cron.yml
│ │ ├── proc_creation_macos_screencapture.yml
│ │ ├── proc_creation_macos_security_software_discovery.yml
│ │ ├── proc_creation_macos_space_after_filename.yml
│ │ ├── proc_creation_macos_split_file_into_pieces.yml
│ │ ├── proc_creation_macos_susp_browser_child_process.yml
│ │ ├── proc_creation_macos_susp_execution_macos_script_editor.yml
│ │ ├── proc_creation_macos_susp_find_execution.yml
│ │ ├── proc_creation_macos_susp_histfile_operations.yml
│ │ ├── proc_creation_macos_susp_in_memory_download_and_compile.yml
│ │ ├── proc_creation_macos_susp_macos_firmware_activity.yml
│ │ ├── proc_creation_macos_susp_system_network_discovery.yml
│ │ ├── proc_creation_macos_suspicious_applet_behaviour.yml
│ │ ├── proc_creation_macos_swvers_discovery.yml
│ │ ├── proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
│ │ ├── proc_creation_macos_sysadminctl_enable_guest_account.yml
│ │ ├── proc_creation_macos_sysctl_discovery.yml
│ │ ├── proc_creation_macos_system_network_connections_discovery.yml
│ │ ├── proc_creation_macos_system_profiler_discovery.yml
│ │ ├── proc_creation_macos_system_shutdown_reboot.yml
│ │ ├── proc_creation_macos_tail_base64_decode_from_image.yml
│ │ ├── proc_creation_macos_tmutil_delete_backup.yml
│ │ ├── proc_creation_macos_tmutil_disable_backup.yml
│ │ ├── proc_creation_macos_tmutil_exclude_file_from_backup.yml
│ │ ├── proc_creation_macos_wizardupdate_malware_infection.yml
│ │ ├── proc_creation_macos_xattr_gatekeeper_bypass.yml
│ │ └── proc_creation_macos_xcsset_malware_infection.yml
│ ├── network/
│ │ ├── cisco/
│ │ │ ├── aaa/
│ │ │ │ ├── cisco_cli_clear_logs.yml
│ │ │ │ ├── cisco_cli_collect_data.yml
│ │ │ │ ├── cisco_cli_crypto_actions.yml
│ │ │ │ ├── cisco_cli_disable_logging.yml
│ │ │ │ ├── cisco_cli_discovery.yml
│ │ │ │ ├── cisco_cli_dos.yml
│ │ │ │ ├── cisco_cli_file_deletion.yml
│ │ │ │ ├── cisco_cli_input_capture.yml
│ │ │ │ ├── cisco_cli_local_accounts.yml
│ │ │ │ ├── cisco_cli_modify_config.yml
│ │ │ │ ├── cisco_cli_moving_data.yml
│ │ │ │ └── cisco_cli_net_sniff.yml
│ │ │ ├── bgp/
│ │ │ │ └── cisco_bgp_md5_auth_failed.yml
│ │ │ └── ldp/
│ │ │ └── cisco_ldp_md5_auth_failed.yml
│ │ ├── dns/
│ │ │ ├── net_dns_external_service_interaction_domains.yml
│ │ │ ├── net_dns_mal_cobaltstrike.yml
│ │ │ ├── net_dns_pua_cryptocoin_mining_xmr.yml
│ │ │ ├── net_dns_susp_b64_queries.yml
│ │ │ ├── net_dns_susp_telegram_api.yml
│ │ │ ├── net_dns_susp_txt_exec_strings.yml
│ │ │ └── net_dns_wannacry_killswitch_domain.yml
│ │ ├── firewall/
│ │ │ └── net_firewall_cleartext_protocols.yml
│ │ ├── fortinet/
│ │ │ └── fortigate/
│ │ │ ├── fortinet_fortigate_new_admin_account_created.yml
│ │ │ ├── fortinet_fortigate_new_firewall_address_object.yml
│ │ │ ├── fortinet_fortigate_new_firewall_policy_added.yml
│ │ │ ├── fortinet_fortigate_new_local_user_created.yml
│ │ │ ├── fortinet_fortigate_new_vpn_ssl_web_portal.yml
│ │ │ ├── fortinet_fortigate_user_group_modified.yml
│ │ │ └── fortinet_fortigate_vpn_ssl_settings_modified.yml
│ │ ├── huawei/
│ │ │ └── bgp/
│ │ │ └── huawei_bgp_auth_failed.yml
│ │ ├── juniper/
│ │ │ └── bgp/
│ │ │ └── juniper_bgp_missing_md5.yml
│ │ └── zeek/
│ │ ├── zeek_dce_rpc_mitre_bzar_execution.yml
│ │ ├── zeek_dce_rpc_mitre_bzar_persistence.yml
│ │ ├── zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
│ │ ├── zeek_dce_rpc_smb_spoolss_named_pipe.yml
│ │ ├── zeek_default_cobalt_strike_certificate.yml
│ │ ├── zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
│ │ ├── zeek_dns_mining_pools.yml
│ │ ├── zeek_dns_nkn.yml
│ │ ├── zeek_dns_susp_zbit_flag.yml
│ │ ├── zeek_dns_torproxy.yml
│ │ ├── zeek_http_executable_download_from_webdav.yml
│ │ ├── zeek_http_susp_file_ext_from_susp_tld.yml
│ │ ├── zeek_http_webdav_put_request.yml
│ │ ├── zeek_rdp_public_listener.yml
│ │ ├── zeek_smb_converted_win_atsvc_task.yml
│ │ ├── zeek_smb_converted_win_impacket_secretdump.yml
│ │ ├── zeek_smb_converted_win_lm_namedpipe.yml
│ │ ├── zeek_smb_converted_win_susp_psexec.yml
│ │ ├── zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
│ │ ├── zeek_smb_converted_win_transferring_files_with_credential_data.yml
│ │ └── zeek_susp_kerberos_rc4.yml
│ ├── web/
│ │ ├── product/
│ │ │ ├── apache/
│ │ │ │ ├── web_apache_segfault.yml
│ │ │ │ └── web_apache_threading_error.yml
│ │ │ └── nginx/
│ │ │ └── web_nginx_core_dump.yml
│ │ ├── proxy_generic/
│ │ │ ├── proxy_download_susp_dyndns.yml
│ │ │ ├── proxy_download_susp_tlds_blacklist.yml
│ │ │ ├── proxy_download_susp_tlds_whitelist.yml
│ │ │ ├── proxy_downloadcradle_webdav.yml
│ │ │ ├── proxy_f5_tm_utility_bash_api_request.yml
│ │ │ ├── proxy_hello_world_user_agent.yml
│ │ │ ├── proxy_hktl_baby_shark_default_agent_url.yml
│ │ │ ├── proxy_hktl_cobalt_strike_malleable_c2_requests.yml
│ │ │ ├── proxy_hktl_empire_ua_uri_patterns.yml
│ │ │ ├── proxy_pua_advanced_ip_scanner_update_check.yml
│ │ │ ├── proxy_pwndrop.yml
│ │ │ ├── proxy_raw_paste_service_access.yml
│ │ │ ├── proxy_susp_flash_download_loc.yml
│ │ │ ├── proxy_susp_ipfs_cred_harvest.yml
│ │ │ ├── proxy_telegram_api.yml
│ │ │ ├── proxy_ua_apt.yml
│ │ │ ├── proxy_ua_base64_encoded.yml
│ │ │ ├── proxy_ua_bitsadmin_susp_ip.yml
│ │ │ ├── proxy_ua_bitsadmin_susp_tld.yml
│ │ │ ├── proxy_ua_cryptominer.yml
│ │ │ ├── proxy_ua_empty.yml
│ │ │ ├── proxy_ua_frameworks.yml
│ │ │ ├── proxy_ua_hacktool.yml
│ │ │ ├── proxy_ua_malware.yml
│ │ │ ├── proxy_ua_powershell.yml
│ │ │ ├── proxy_ua_rclone.yml
│ │ │ ├── proxy_ua_susp.yml
│ │ │ ├── proxy_ua_susp_base64.yml
│ │ │ └── proxy_webdav_external_execution.yml
│ │ └── webserver_generic/
│ │ ├── web_f5_tm_utility_bash_api_request.yml
│ │ ├── web_iis_tilt_shortname_scan.yml
│ │ ├── web_java_payload_in_access_logs.yml
│ │ ├── web_jndi_exploit.yml
│ │ ├── web_path_traversal_exploitation_attempt.yml
│ │ ├── web_source_code_enumeration.yml
│ │ ├── web_sql_injection_in_access_logs.yml
│ │ ├── web_ssti_in_access_logs.yml
│ │ ├── web_susp_useragents.yml
│ │ ├── web_susp_windows_path_uri.yml
│ │ ├── web_webshell_regeorg.yml
│ │ ├── web_win_webshells_in_access_logs.yml
│ │ └── web_xss_in_access_logs.yml
│ └── windows/
│ ├── builtin/
│ │ ├── application/
│ │ │ ├── Other/
│ │ │ │ └── win_av_relevant_match.yml
│ │ │ ├── application_error/
│ │ │ │ ├── win_application_error_lsass_crash.yml
│ │ │ │ └── win_application_error_msmpeng_crash.yml
│ │ │ ├── esent/
│ │ │ │ ├── win_esent_ntdsutil_abuse.yml
│ │ │ │ └── win_esent_ntdsutil_abuse_susp_location.yml
│ │ │ ├── microsoft-windows_audit_cve/
│ │ │ │ └── win_audit_cve.yml
│ │ │ ├── microsoft_windows_backup/
│ │ │ │ └── win_susp_backup_delete.yml
│ │ │ ├── microsoft_windows_software_restriction_policies/
│ │ │ │ └── win_software_restriction_policies_block.yml
│ │ │ ├── msiinstaller/
│ │ │ │ ├── win_builtin_remove_application.yml
│ │ │ │ ├── win_msi_install_from_susp_locations.yml
│ │ │ │ ├── win_msi_install_from_web.yml
│ │ │ │ └── win_software_atera_rmm_agent_install.yml
│ │ │ ├── mssqlserver/
│ │ │ │ ├── win_mssql_add_sysadmin_account.yml
│ │ │ │ ├── win_mssql_destructive_query.yml
│ │ │ │ ├── win_mssql_disable_audit_settings.yml
│ │ │ │ ├── win_mssql_failed_logon.yml
│ │ │ │ ├── win_mssql_failed_logon_from_external_network.yml
│ │ │ │ ├── win_mssql_sp_procoption_set.yml
│ │ │ │ ├── win_mssql_xp_cmdshell_audit_log.yml
│ │ │ │ └── win_mssql_xp_cmdshell_change.yml
│ │ │ ├── screenconnect/
│ │ │ │ ├── win_app_remote_access_tools_screenconnect_command_exec.yml
│ │ │ │ └── win_app_remote_access_tools_screenconnect_file_transfer.yml
│ │ │ └── windows_error_reporting/
│ │ │ └── win_application_msmpeng_crash_wer.yml
│ │ ├── applocker/
│ │ │ └── win_applocker_application_was_prevented_from_running.yml
│ │ ├── appmodel_runtime/
│ │ │ └── win_appmodel_runtime_sysinternals_tools_appx_execution.yml
│ │ ├── appxdeployment_server/
│ │ │ ├── win_appxdeployment_server_applocker_block.yml
│ │ │ ├── win_appxdeployment_server_appx_downloaded_from_file_sharing_domains.yml
│ │ │ ├── win_appxdeployment_server_appx_package_deployment_failed_signing_requirements.yml
│ │ │ ├── win_appxdeployment_server_appx_package_in_staging_directory.yml
│ │ │ ├── win_appxdeployment_server_mal_appx_names.yml
│ │ │ ├── win_appxdeployment_server_policy_block.yml
│ │ │ ├── win_appxdeployment_server_uncommon_package_locations.yml
│ │ │ ├── win_appxpackaging_server_full_trust_package_installation.yml
│ │ │ └── win_appxpackaging_server_unsigned_package_installation.yml
│ │ ├── appxpackaging_om/
│ │ │ └── win_appxpackaging_om_sups_appx_signature.yml
│ │ ├── bits_client/
│ │ │ ├── win_bits_client_new_job_via_bitsadmin.yml
│ │ │ ├── win_bits_client_new_job_via_powershell.yml
│ │ │ ├── win_bits_client_new_transfer_saving_susp_extensions.yml
│ │ │ ├── win_bits_client_new_transfer_via_file_sharing_domains.yml
│ │ │ ├── win_bits_client_new_transfer_via_ip_address.yml
│ │ │ ├── win_bits_client_new_transfer_via_uncommon_tld.yml
│ │ │ └── win_bits_client_new_trasnfer_susp_local_folder.yml
│ │ ├── capi2/
│ │ │ └── win_capi2_acquire_certificate_private_key.yml
│ │ ├── certificate_services_client_lifecycle_system/
│ │ │ └── win_certificateservicesclient_lifecycle_system_cert_exported.yml
│ │ ├── code_integrity/
│ │ │ ├── win_codeintegrity_attempted_dll_load.yml
│ │ │ ├── win_codeintegrity_blocked_protected_process_file.yml
│ │ │ ├── win_codeintegrity_enforced_policy_block.yml
│ │ │ ├── win_codeintegrity_revoked_driver_blocked.yml
│ │ │ ├── win_codeintegrity_revoked_driver_loaded.yml
│ │ │ ├── win_codeintegrity_revoked_image_blocked.yml
│ │ │ ├── win_codeintegrity_revoked_image_loaded.yml
│ │ │ ├── win_codeintegrity_unsigned_driver_loaded.yml
│ │ │ ├── win_codeintegrity_unsigned_image_loaded.yml
│ │ │ └── win_codeintegrity_whql_failure.yml
│ │ ├── diagnosis/
│ │ │ └── scripted/
│ │ │ └── win_diagnosis_scripted_load_remote_diagcab.yml
│ │ ├── dns_client/
│ │ │ ├── win_dns_client_anonymfiles_com.yml
│ │ │ ├── win_dns_client_mal_cobaltstrike.yml
│ │ │ ├── win_dns_client_mega_nz.yml
│ │ │ ├── win_dns_client_put_io.yml
│ │ │ ├── win_dns_client_tor_onion.yml
│ │ │ └── win_dns_client_ufile_io.yml
│ │ ├── dns_server/
│ │ │ ├── win_dns_server_failed_dns_zone_transfer.yml
│ │ │ └── win_dns_server_susp_server_level_plugin_dll.yml
│ │ ├── driverframeworks/
│ │ │ └── win_usb_device_plugged.yml
│ │ ├── firewall_as/
│ │ │ ├── win_firewall_as_add_rule.yml
│ │ │ ├── win_firewall_as_add_rule_susp_folder.yml
│ │ │ ├── win_firewall_as_add_rule_wmiprvse.yml
│ │ │ ├── win_firewall_as_delete_all_rules.yml
│ │ │ ├── win_firewall_as_delete_rule.yml
│ │ │ ├── win_firewall_as_failed_load_gpo.yml
│ │ │ ├── win_firewall_as_reset_config.yml
│ │ │ └── win_firewall_as_setting_change.yml
│ │ ├── iis-configuration/
│ │ │ ├── win_iis_logging_etw_disabled.yml
│ │ │ ├── win_iis_logging_http_disabled.yml
│ │ │ ├── win_iis_module_added.yml
│ │ │ └── win_iis_module_removed.yml
│ │ ├── ldap/
│ │ │ └── win_ldap_recon.yml
│ │ ├── lsa_server/
│ │ │ └── win_lsa_server_normal_user_admin.yml
│ │ ├── msexchange/
│ │ │ ├── win_exchange_proxylogon_oabvirtualdir.yml
│ │ │ ├── win_exchange_proxyshell_certificate_generation.yml
│ │ │ ├── win_exchange_proxyshell_mailbox_export.yml
│ │ │ ├── win_exchange_proxyshell_remove_mailbox_export.yml
│ │ │ ├── win_exchange_set_oabvirtualdirectory_externalurl.yml
│ │ │ ├── win_exchange_transportagent.yml
│ │ │ └── win_exchange_transportagent_failed.yml
│ │ ├── ntlm/
│ │ │ ├── win_susp_ntlm_auth.yml
│ │ │ ├── win_susp_ntlm_brute_force.yml
│ │ │ └── win_susp_ntlm_rdp.yml
│ │ ├── openssh/
│ │ │ └── win_sshd_openssh_server_listening_on_socket.yml
│ │ ├── security/
│ │ │ ├── account_management/
│ │ │ │ ├── win_security_access_token_abuse.yml
│ │ │ │ ├── win_security_admin_rdp_login.yml
│ │ │ │ ├── win_security_diagtrack_eop_default_login_username.yml
│ │ │ │ ├── win_security_member_added_security_enabled_global_group.yml
│ │ │ │ ├── win_security_member_removed_security_enabled_global_group.yml
│ │ │ │ ├── win_security_overpass_the_hash.yml
│ │ │ │ ├── win_security_pass_the_hash_2.yml
│ │ │ │ ├── win_security_rdp_localhost_login.yml
│ │ │ │ ├── win_security_security_enabled_global_group_deleted.yml
│ │ │ │ ├── win_security_successful_external_remote_rdp_login.yml
│ │ │ │ ├── win_security_successful_external_remote_smb_login.yml
│ │ │ │ ├── win_security_susp_failed_logon_source.yml
│ │ │ │ ├── win_security_susp_logon_newcredentials.yml
│ │ │ │ ├── win_security_susp_privesc_kerberos_relay_over_ldap.yml
│ │ │ │ ├── win_security_susp_rottenpotato.yml
│ │ │ │ └── win_security_susp_wmi_login.yml
│ │ │ ├── object_access/
│ │ │ │ └── win_security_wfp_endpoint_agent_blocked.yml
│ │ │ ├── win_security_aadhealth_mon_agent_regkey_access.yml
│ │ │ ├── win_security_aadhealth_svc_agent_regkey_access.yml
│ │ │ ├── win_security_account_backdoor_dcsync_rights.yml
│ │ │ ├── win_security_account_discovery.yml
│ │ │ ├── win_security_ad_object_writedac_access.yml
│ │ │ ├── win_security_ad_replication_non_machine_account.yml
│ │ │ ├── win_security_ad_user_enumeration.yml
│ │ │ ├── win_security_adcs_certificate_template_configuration_vulnerability.yml
│ │ │ ├── win_security_adcs_certificate_template_configuration_vulnerability_eku.yml
│ │ │ ├── win_security_add_remove_computer.yml
│ │ │ ├── win_security_admin_share_access.yml
│ │ │ ├── win_security_alert_active_directory_user_control.yml
│ │ │ ├── win_security_alert_ad_user_backdoors.yml
│ │ │ ├── win_security_alert_enable_weak_encryption.yml
│ │ │ ├── win_security_alert_ruler.yml
│ │ │ ├── win_security_atsvc_task.yml
│ │ │ ├── win_security_audit_log_cleared.yml
│ │ │ ├── win_security_camera_microphone_access.yml
│ │ │ ├── win_security_cobaltstrike_service_installs.yml
│ │ │ ├── win_security_codeintegrity_check_failure.yml
│ │ │ ├── win_security_dce_rpc_smb_spoolss_named_pipe.yml
│ │ │ ├── win_security_dcom_iertutil_dll_hijack.yml
│ │ │ ├── win_security_dcsync.yml
│ │ │ ├── win_security_default_domain_gpo_modification.yml
│ │ │ ├── win_security_device_installation_blocked.yml
│ │ │ ├── win_security_disable_event_auditing.yml
│ │ │ ├── win_security_disable_event_auditing_critical.yml
│ │ │ ├── win_security_dot_net_etw_tamper.yml
│ │ │ ├── win_security_dpapi_domain_backupkey_extraction.yml
│ │ │ ├── win_security_dpapi_domain_masterkey_backup_attempt.yml
│ │ │ ├── win_security_external_device.yml
│ │ │ ├── win_security_gpo_scheduledtasks.yml
│ │ │ ├── win_security_hidden_user_creation.yml
│ │ │ ├── win_security_hktl_edr_silencer.yml
│ │ │ ├── win_security_hktl_nofilter.yml
│ │ │ ├── win_security_hybridconnectionmgr_svc_installation.yml
│ │ │ ├── win_security_impacket_psexec.yml
│ │ │ ├── win_security_impacket_secretdump.yml
│ │ │ ├── win_security_invoke_obfuscation_clip_services_security.yml
│ │ │ ├── win_security_invoke_obfuscation_obfuscated_iex_services_security.yml
│ │ │ ├── win_security_invoke_obfuscation_stdin_services_security.yml
│ │ │ ├── win_security_invoke_obfuscation_var_services_security.yml
│ │ │ ├── win_security_invoke_obfuscation_via_compress_services_security.yml
│ │ │ ├── win_security_invoke_obfuscation_via_rundll_services_security.yml
│ │ │ ├── win_security_invoke_obfuscation_via_stdin_services_security.yml
│ │ │ ├── win_security_invoke_obfuscation_via_use_clip_services_security.yml
│ │ │ ├── win_security_invoke_obfuscation_via_use_mshta_services_security.yml
│ │ │ ├── win_security_invoke_obfuscation_via_use_rundll32_services_security.yml
│ │ │ ├── win_security_invoke_obfuscation_via_var_services_security.yml
│ │ │ ├── win_security_iso_mount.yml
│ │ │ ├── win_security_kerberoasting_activity.yml
│ │ │ ├── win_security_kerberos_asrep_roasting.yml
│ │ │ ├── win_security_kerberos_coercion_via_dns_object.yml
│ │ │ ├── win_security_lm_namedpipe.yml
│ │ │ ├── win_security_lsass_access_non_system_account.yml
│ │ │ ├── win_security_mal_creddumper.yml
│ │ │ ├── win_security_mal_wceaux_dll.yml
│ │ │ ├── win_security_metasploit_authentication.yml
│ │ │ ├── win_security_metasploit_or_impacket_smb_psexec_service_install.yml
│ │ │ ├── win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
│ │ │ ├── win_security_net_ntlm_downgrade.yml
│ │ │ ├── win_security_net_share_obj_susp_desktop_ini.yml
│ │ │ ├── win_security_new_or_renamed_user_account_with_dollar_sign.yml
│ │ │ ├── win_security_not_allowed_rdp_access.yml
│ │ │ ├── win_security_password_policy_enumerated.yml
│ │ │ ├── win_security_pcap_drivers.yml
│ │ │ ├── win_security_petitpotam_network_share.yml
│ │ │ ├── win_security_petitpotam_susp_tgt_request.yml
│ │ │ ├── win_security_possible_dc_shadow.yml
│ │ │ ├── win_security_powershell_script_installed_as_service.yml
│ │ │ ├── win_security_protected_storage_service_access.yml
│ │ │ ├── win_security_rdp_reverse_tunnel.yml
│ │ │ ├── win_security_register_new_logon_process_by_rubeus.yml
│ │ │ ├── win_security_registry_permissions_weakness_check.yml
│ │ │ ├── win_security_remote_powershell_session.yml
│ │ │ ├── win_security_replay_attack_detected.yml
│ │ │ ├── win_security_sam_registry_hive_handle_request.yml
│ │ │ ├── win_security_scm_database_handle_failure.yml
│ │ │ ├── win_security_scm_database_privileged_operation.yml
│ │ │ ├── win_security_sdelete_potential_secure_deletion.yml
│ │ │ ├── win_security_service_install_remote_access_software.yml
│ │ │ ├── win_security_service_installation_by_unusal_client.yml
│ │ │ ├── win_security_signal_sensitive_config_access.yml
│ │ │ ├── win_security_smb_file_creation_admin_shares.yml
│ │ │ ├── win_security_susp_add_domain_trust.yml
│ │ │ ├── win_security_susp_add_sid_history.yml
│ │ │ ├── win_security_susp_computer_name.yml
│ │ │ ├── win_security_susp_dsrm_password_change.yml
│ │ │ ├── win_security_susp_failed_logon_reasons.yml
│ │ │ ├── win_security_susp_group_policy_abuse_privilege_addition.yml
│ │ │ ├── win_security_susp_group_policy_startup_script_added_to_gpo.yml
│ │ │ ├── win_security_susp_kerberos_manipulation.yml
│ │ │ ├── win_security_susp_ldap_dataexchange.yml
│ │ │ ├── win_security_susp_local_anon_logon_created.yml
│ │ │ ├── win_security_susp_logon_explicit_credentials.yml
│ │ │ ├── win_security_susp_lsass_dump.yml
│ │ │ ├── win_security_susp_lsass_dump_generic.yml
│ │ │ ├── win_security_susp_net_recon_activity.yml
│ │ │ ├── win_security_susp_opened_encrypted_zip.yml
│ │ │ ├── win_security_susp_opened_encrypted_zip_filename.yml
│ │ │ ├── win_security_susp_opened_encrypted_zip_outlook.yml
│ │ │ ├── win_security_susp_outbound_kerberos_connection.yml
│ │ │ ├── win_security_susp_possible_shadow_credentials_added.yml
│ │ │ ├── win_security_susp_psexec.yml
│ │ │ ├── win_security_susp_raccess_sensitive_fext.yml
│ │ │ ├── win_security_susp_rc4_kerberos.yml
│ │ │ ├── win_security_susp_scheduled_task_creation.yml
│ │ │ ├── win_security_susp_scheduled_task_delete_or_disable.yml
│ │ │ ├── win_security_susp_scheduled_task_update.yml
│ │ │ ├── win_security_susp_time_modification.yml
│ │ │ ├── win_security_svcctl_remote_service.yml
│ │ │ ├── win_security_syskey_registry_access.yml
│ │ │ ├── win_security_sysmon_channel_reference_deletion.yml
│ │ │ ├── win_security_tap_driver_installation.yml
│ │ │ ├── win_security_teams_suspicious_objectaccess.yml
│ │ │ ├── win_security_transf_files_with_cred_data_via_network_shares.yml
│ │ │ ├── win_security_user_added_to_local_administrators.yml
│ │ │ ├── win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml
│ │ │ ├── win_security_user_creation.yml
│ │ │ ├── win_security_user_driver_loaded.yml
│ │ │ ├── win_security_user_logoff.yml
│ │ │ ├── win_security_vssaudit_secevent_source_registration.yml
│ │ │ ├── win_security_windows_defender_exclusions_registry_modified.yml
│ │ │ ├── win_security_windows_defender_exclusions_write_access.yml
│ │ │ ├── win_security_wmi_persistence.yml
│ │ │ ├── win_security_wmiprvse_wbemcomn_dll_hijack.yml
│ │ │ └── win_security_workstation_was_locked.yml
│ │ ├── security_mitigations/
│ │ │ ├── win_security_mitigations_defender_load_unsigned_dll.yml
│ │ │ └── win_security_mitigations_unsigned_dll_from_susp_location.yml
│ │ ├── servicebus/
│ │ │ └── win_hybridconnectionmgr_svc_running.yml
│ │ ├── shell_core/
│ │ │ └── win_shell_core_susp_packages_installed.yml
│ │ ├── smbclient/
│ │ │ └── security/
│ │ │ └── win_smbclient_security_susp_failed_guest_logon.yml
│ │ ├── smbserver/
│ │ │ └── connectivity/
│ │ │ └── win_smbserver_connectivity_unsigned_and_unencrypted_share_connection.yml
│ │ ├── system/
│ │ │ ├── application_popup/
│ │ │ │ └── win_system_application_sysmon_crash.yml
│ │ │ ├── lsasrv/
│ │ │ │ └── win_system_lsasrv_ntlmv1.yml
│ │ │ ├── microsoft_windows_Iphlpsvc/
│ │ │ │ └── win_system_isatap_router_address_set.yml
│ │ │ ├── microsoft_windows_certification_authority/
│ │ │ │ └── win_system_adcs_enrollment_request_denied.yml
│ │ │ ├── microsoft_windows_dhcp_server/
│ │ │ │ ├── win_system_susp_dhcp_config.yml
│ │ │ │ └── win_system_susp_dhcp_config_failed.yml
│ │ │ ├── microsoft_windows_distributed_com/
│ │ │ │ └── win_system_lpe_indicators_tabtip.yml
│ │ │ ├── microsoft_windows_eventlog/
│ │ │ │ ├── win_system_eventlog_cleared.yml
│ │ │ │ └── win_system_susp_eventlog_cleared.yml
│ │ │ ├── microsoft_windows_kerberos_key_distribution_center/
│ │ │ │ ├── win_system_kdcsvc_cert_use_no_strong_mapping.yml
│ │ │ │ └── win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml
│ │ │ ├── microsoft_windows_kernel_general/
│ │ │ │ └── win_system_susp_critical_hive_location_access_bits_cleared.yml
│ │ │ ├── microsoft_windows_ntfs/
│ │ │ │ └── win_system_volume_shadow_copy_mount.yml
│ │ │ ├── microsoft_windows_wer_systemerrorreporting/
│ │ │ │ └── win_system_crash_dump_created.yml
│ │ │ ├── microsoft_windows_windows_update_client/
│ │ │ │ └── win_system_susp_system_update_error.yml
│ │ │ ├── netlogon/
│ │ │ │ ├── win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
│ │ │ │ └── win_system_vul_cve_2020_1472.yml
│ │ │ ├── ntfs/
│ │ │ │ └── win_system_ntfs_vuln_exploit.yml
│ │ │ └── service_control_manager/
│ │ │ ├── win_system_cobaltstrike_service_installs.yml
│ │ │ ├── win_system_defender_disabled.yml
│ │ │ ├── win_system_hack_smbexec.yml
│ │ │ ├── win_system_invoke_obfuscation_clip_services.yml
│ │ │ ├── win_system_invoke_obfuscation_obfuscated_iex_services.yml
│ │ │ ├── win_system_invoke_obfuscation_stdin_services.yml
│ │ │ ├── win_system_invoke_obfuscation_var_services.yml
│ │ │ ├── win_system_invoke_obfuscation_via_compress_services.yml
│ │ │ ├── win_system_invoke_obfuscation_via_rundll_services.yml
│ │ │ ├── win_system_invoke_obfuscation_via_stdin_services.yml
│ │ │ ├── win_system_invoke_obfuscation_via_use_clip_services.yml
│ │ │ ├── win_system_invoke_obfuscation_via_use_mshta_services.yml
│ │ │ ├── win_system_invoke_obfuscation_via_use_rundll32_services.yml
│ │ │ ├── win_system_invoke_obfuscation_via_var_services.yml
│ │ │ ├── win_system_krbrelayup_service_installation.yml
│ │ │ ├── win_system_mal_creddumper.yml
│ │ │ ├── win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
│ │ │ ├── win_system_moriya_rootkit.yml
│ │ │ ├── win_system_powershell_script_installed_as_service.yml
│ │ │ ├── win_system_service_install_anydesk.yml
│ │ │ ├── win_system_service_install_csexecsvc.yml
│ │ │ ├── win_system_service_install_hacktools.yml
│ │ │ ├── win_system_service_install_mesh_agent.yml
│ │ │ ├── win_system_service_install_netsupport_manager.yml
│ │ │ ├── win_system_service_install_paexec.yml
│ │ │ ├── win_system_service_install_pdqdeploy.yml
│ │ │ ├── win_system_service_install_pdqdeploy_runner.yml
│ │ │ ├── win_system_service_install_pua_proceshacker.yml
│ │ │ ├── win_system_service_install_remcom.yml
│ │ │ ├── win_system_service_install_remote_access_software.yml
│ │ │ ├── win_system_service_install_remote_utilities.yml
│ │ │ ├── win_system_service_install_sliver.yml
│ │ │ ├── win_system_service_install_sups_unusal_client.yml
│ │ │ ├── win_system_service_install_susp.yml
│ │ │ ├── win_system_service_install_sysinternals_psexec.yml
│ │ │ ├── win_system_service_install_tacticalrmm.yml
│ │ │ ├── win_system_service_install_tap_driver.yml
│ │ │ ├── win_system_service_install_uncommon.yml
│ │ │ ├── win_system_service_terminated_error_generic.yml
│ │ │ ├── win_system_service_terminated_error_important.yml
│ │ │ ├── win_system_service_terminated_unexpectedly.yml
│ │ │ ├── win_system_susp_rtcore64_service_install.yml
│ │ │ ├── win_system_susp_service_installation_folder.yml
│ │ │ ├── win_system_susp_service_installation_folder_pattern.yml
│ │ │ └── win_system_susp_service_installation_script.yml
│ │ ├── taskscheduler/
│ │ │ ├── win_taskscheduler_execution_from_susp_locations.yml
│ │ │ ├── win_taskscheduler_lolbin_execution_via_task_scheduler.yml
│ │ │ └── win_taskscheduler_susp_schtasks_delete.yml
│ │ ├── terminalservices/
│ │ │ └── win_terminalservices_rdp_ngrok.yml
│ │ ├── win_alert_mimikatz_keywords.yml
│ │ ├── windefend/
│ │ │ ├── win_defender_antimalware_platform_expired.yml
│ │ │ ├── win_defender_asr_lsass_access.yml
│ │ │ ├── win_defender_asr_psexec_wmi.yml
│ │ │ ├── win_defender_config_change_exclusion_added.yml
│ │ │ ├── win_defender_config_change_exploit_guard_tamper.yml
│ │ │ ├── win_defender_config_change_sample_submission_consent.yml
│ │ │ ├── win_defender_history_delete.yml
│ │ │ ├── win_defender_malware_and_pua_scan_disabled.yml
│ │ │ ├── win_defender_malware_detected_amsi_source.yml
│ │ │ ├── win_defender_real_time_protection_disabled.yml
│ │ │ ├── win_defender_real_time_protection_errors.yml
│ │ │ ├── win_defender_restored_quarantine_file.yml
│ │ │ ├── win_defender_suspicious_features_tampering.yml
│ │ │ ├── win_defender_tamper_protection_trigger.yml
│ │ │ ├── win_defender_threat.yml
│ │ │ └── win_defender_virus_scan_disabled.yml
│ │ └── wmi/
│ │ └── win_wmi_persistence.yml
│ ├── create_remote_thread/
│ │ ├── create_remote_thread_win_hktl_cactustorch.yml
│ │ ├── create_remote_thread_win_hktl_cobaltstrike.yml
│ │ ├── create_remote_thread_win_keepass.yml
│ │ ├── create_remote_thread_win_mstsc_susp_location.yml
│ │ ├── create_remote_thread_win_powershell_lsass.yml
│ │ ├── create_remote_thread_win_powershell_susp_targets.yml
│ │ ├── create_remote_thread_win_susp_password_dumper_lsass.yml
│ │ ├── create_remote_thread_win_susp_relevant_source_image.yml
│ │ ├── create_remote_thread_win_susp_uncommon_source_image.yml
│ │ ├── create_remote_thread_win_susp_uncommon_target_image.yml
│ │ └── create_remote_thread_win_ttdinjec.yml
│ ├── create_stream_hash/
│ │ ├── create_stream_hash_ads_executable.yml
│ │ ├── create_stream_hash_creation_internet_file.yml
│ │ ├── create_stream_hash_file_sharing_domains_download_susp_extension.yml
│ │ ├── create_stream_hash_file_sharing_domains_download_unusual_extension.yml
│ │ ├── create_stream_hash_hktl_generic_download.yml
│ │ ├── create_stream_hash_regedit_export_to_ads.yml
│ │ ├── create_stream_hash_susp_ip_domains.yml
│ │ ├── create_stream_hash_winget_susp_package_source.yml
│ │ └── create_stream_hash_zip_tld_download.yml
│ ├── dns_query/
│ │ ├── dns_query_win_anonymfiles_com.yml
│ │ ├── dns_query_win_appinstaller.yml
│ │ ├── dns_query_win_cloudflared_communication.yml
│ │ ├── dns_query_win_common_malware_hosting_services.yml
│ │ ├── dns_query_win_devtunnels_communication.yml
│ │ ├── dns_query_win_dns_server_discovery_via_ldap_query.yml
│ │ ├── dns_query_win_domain_azurewebsites.yml
│ │ ├── dns_query_win_finger.yml
│ │ ├── dns_query_win_gup_query_to_uncommon_domains.yml
│ │ ├── dns_query_win_hybridconnectionmgr_servicebus.yml
│ │ ├── dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
│ │ ├── dns_query_win_mal_cobaltstrike.yml
│ │ ├── dns_query_win_mega_nz.yml
│ │ ├── dns_query_win_onelaunch_update_service.yml
│ │ ├── dns_query_win_quickassist.yml
│ │ ├── dns_query_win_regsvr32_dns_query.yml
│ │ ├── dns_query_win_remote_access_software_domains_non_browsers.yml
│ │ ├── dns_query_win_susp_external_ip_lookup.yml
│ │ ├── dns_query_win_teamviewer_domain_query_by_uncommon_app.yml
│ │ ├── dns_query_win_tor_onion_domain_query.yml
│ │ ├── dns_query_win_ufile_io_query.yml
│ │ └── dns_query_win_vscode_tunnel_communication.yml
│ ├── driver_load/
│ │ ├── driver_load_win_mal_drivers.yml
│ │ ├── driver_load_win_mal_drivers_names.yml
│ │ ├── driver_load_win_pua_process_hacker.yml
│ │ ├── driver_load_win_pua_system_informer.yml
│ │ ├── driver_load_win_susp_temp_use.yml
│ │ ├── driver_load_win_vuln_drivers.yml
│ │ ├── driver_load_win_vuln_drivers_names.yml
│ │ ├── driver_load_win_vuln_hevd_driver.yml
│ │ ├── driver_load_win_vuln_winring0_driver.yml
│ │ └── driver_load_win_windivert.yml
│ ├── file/
│ │ ├── file_access/
│ │ │ ├── file_access_win_susp_credential_manager_access.yml
│ │ │ ├── file_access_win_susp_credhist.yml
│ │ │ ├── file_access_win_susp_crypto_currency_wallets.yml
│ │ │ ├── file_access_win_susp_dpapi_master_key_access.yml
│ │ │ ├── file_access_win_susp_gpo_files.yml
│ │ │ ├── file_access_win_susp_process_access_browser_cred_files.yml
│ │ │ └── file_access_win_teams_sensitive_files.yml
│ │ ├── file_change/
│ │ │ └── file_change_win_unusual_modification_by_dns_exe.yml
│ │ ├── file_delete/
│ │ │ ├── file_delete_win_delete_backup_file.yml
│ │ │ ├── file_delete_win_delete_event_log_files.yml
│ │ │ ├── file_delete_win_delete_exchange_powershell_logs.yml
│ │ │ ├── file_delete_win_delete_iis_access_logs.yml
│ │ │ ├── file_delete_win_delete_own_image.yml
│ │ │ ├── file_delete_win_delete_powershell_command_history.yml
│ │ │ ├── file_delete_win_delete_prefetch.yml
│ │ │ ├── file_delete_win_delete_teamviewer_logs.yml
│ │ │ ├── file_delete_win_delete_tomcat_logs.yml
│ │ │ ├── file_delete_win_sysinternals_sdelete_file_deletion.yml
│ │ │ ├── file_delete_win_unusual_deletion_by_dns_exe.yml
│ │ │ └── file_delete_win_zone_identifier_ads_uncommon.yml
│ │ ├── file_event/
│ │ │ ├── file_event_win_adsi_cache_creation_by_uncommon_tool.yml
│ │ │ ├── file_event_win_advanced_ip_scanner.yml
│ │ │ ├── file_event_win_anydesk_artefact.yml
│ │ │ ├── file_event_win_anydesk_writing_susp_binaries.yml
│ │ │ ├── file_event_win_arcsoc_susp_file_created.yml
│ │ │ ├── file_event_win_aspnet_temp_files.yml
│ │ │ ├── file_event_win_bloodhound_collection.yml
│ │ │ ├── file_event_win_comodo_itsm_potentially_suspicious_file_creation.yml
│ │ │ ├── file_event_win_create_evtx_non_common_locations.yml
│ │ │ ├── file_event_win_create_non_existent_dlls.yml
│ │ │ ├── file_event_win_creation_deno.yml
│ │ │ ├── file_event_win_creation_new_shim_database.yml
│ │ │ ├── file_event_win_creation_scr_binary_file.yml
│ │ │ ├── file_event_win_creation_system_dll_files.yml
│ │ │ ├── file_event_win_creation_system_file.yml
│ │ │ ├── file_event_win_creation_unquoted_service_path.yml
│ │ │ ├── file_event_win_cred_dump_tools_dropped_files.yml
│ │ │ ├── file_event_win_cscript_wscript_dropper.yml
│ │ │ ├── file_event_win_csexec_service.yml
│ │ │ ├── file_event_win_csharp_compile_artefact.yml
│ │ │ ├── file_event_win_dcom_iertutil_dll_hijack.yml
│ │ │ ├── file_event_win_desktop_ini_created_by_uncommon_process.yml
│ │ │ ├── file_event_win_dll_sideloading_space_path.yml
│ │ │ ├── file_event_win_dump_file_susp_creation.yml
│ │ │ ├── file_event_win_errorhandler_persistence.yml
│ │ │ ├── file_event_win_exchange_webshell_drop.yml
│ │ │ ├── file_event_win_exchange_webshell_drop_suspicious.yml
│ │ │ ├── file_event_win_gotoopener_artefact.yml
│ │ │ ├── file_event_win_gup_uncommon_file_creation.yml
│ │ │ ├── file_event_win_hktl_crackmapexec_indicators.yml
│ │ │ ├── file_event_win_hktl_dumpert.yml
│ │ │ ├── file_event_win_hktl_hivenightmare_file_exports.yml
│ │ │ ├── file_event_win_hktl_inveigh_artefacts.yml
│ │ │ ├── file_event_win_hktl_krbrelay_remote_ioc.yml
│ │ │ ├── file_event_win_hktl_mimikatz_files.yml
│ │ │ ├── file_event_win_hktl_nppspy.yml
│ │ │ ├── file_event_win_hktl_powerup_dllhijacking.yml
│ │ │ ├── file_event_win_hktl_quarkspw_filedump.yml
│ │ │ ├── file_event_win_hktl_remote_cred_dump.yml
│ │ │ ├── file_event_win_hktl_safetykatz.yml
│ │ │ ├── file_event_win_impacket_file_indicators.yml
│ │ │ ├── file_event_win_initial_access_dll_search_order_hijacking.yml
│ │ │ ├── file_event_win_install_teamviewer_desktop.yml
│ │ │ ├── file_event_win_iphlpapi_dll_sideloading.yml
│ │ │ ├── file_event_win_iso_file_mount.yml
│ │ │ ├── file_event_win_iso_file_recent.yml
│ │ │ ├── file_event_win_lolbin_gather_network_info_script_output.yml
│ │ │ ├── file_event_win_lsass_default_dump_file_names.yml
│ │ │ ├── file_event_win_lsass_shtinkering.yml
│ │ │ ├── file_event_win_lsass_werfault_dump.yml
│ │ │ ├── file_event_win_mal_adwind.yml
│ │ │ ├── file_event_win_mal_octopus_scanner.yml
│ │ │ ├── file_event_win_msdt_susp_directories.yml
│ │ │ ├── file_event_win_mysqld_uncommon_file_creation.yml
│ │ │ ├── file_event_win_net_cli_artefact.yml
│ │ │ ├── file_event_win_new_files_in_uncommon_appdata_folder.yml
│ │ │ ├── file_event_win_new_scr_file.yml
│ │ │ ├── file_event_win_notepad_plus_plus_persistence.yml
│ │ │ ├── file_event_win_ntds_dit_creation.yml
│ │ │ ├── file_event_win_ntds_dit_uncommon_parent_process.yml
│ │ │ ├── file_event_win_ntds_dit_uncommon_process.yml
│ │ │ ├── file_event_win_ntds_exfil_tools.yml
│ │ │ ├── file_event_win_office_addin_persistence.yml
│ │ │ ├── file_event_win_office_macro_files_created.yml
│ │ │ ├── file_event_win_office_macro_files_downloaded.yml
│ │ │ ├── file_event_win_office_macro_files_from_susp_process.yml
│ │ │ ├── file_event_win_office_onenote_files_in_susp_locations.yml
│ │ │ ├── file_event_win_office_onenote_susp_dropped_files.yml
│ │ │ ├── file_event_win_office_outlook_macro_creation.yml
│ │ │ ├── file_event_win_office_outlook_newform.yml
│ │ │ ├── file_event_win_office_outlook_susp_file_creation_in_temp_dir.yml
│ │ │ ├── file_event_win_office_outlook_susp_macro_creation.yml
│ │ │ ├── file_event_win_office_publisher_files_in_susp_locations.yml
│ │ │ ├── file_event_win_office_startup_persistence.yml
│ │ │ ├── file_event_win_office_susp_file_extension.yml
│ │ │ ├── file_event_win_office_uncommon_file_startup.yml
│ │ │ ├── file_event_win_pcre_net_temp_file.yml
│ │ │ ├── file_event_win_perflogs_susp_files.yml
│ │ │ ├── file_event_win_powershell_drop_binary_or_script.yml
│ │ │ ├── file_event_win_powershell_drop_powershell.yml
│ │ │ ├── file_event_win_powershell_exploit_scripts.yml
│ │ │ ├── file_event_win_powershell_module_creation.yml
│ │ │ ├── file_event_win_powershell_module_susp_creation.yml
│ │ │ ├── file_event_win_powershell_module_uncommon_creation.yml
│ │ │ ├── file_event_win_powershell_startup_shortcuts.yml
│ │ │ ├── file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
│ │ │ ├── file_event_win_rclone_config_files.yml
│ │ │ ├── file_event_win_rdp_file_susp_creation.yml
│ │ │ ├── file_event_win_redmimicry_winnti_filedrop.yml
│ │ │ ├── file_event_win_regedit_print_as_pdf.yml
│ │ │ ├── file_event_win_remcom_service.yml
│ │ │ ├── file_event_win_remote_access_tools_screenconnect_artefact.yml
│ │ │ ├── file_event_win_remote_access_tools_screenconnect_remote_file.yml
│ │ │ ├── file_event_win_ripzip_attack.yml
│ │ │ ├── file_event_win_sam_dump.yml
│ │ │ ├── file_event_win_sed_file_creation.yml
│ │ │ ├── file_event_win_shell_write_susp_directory.yml
│ │ │ ├── file_event_win_shell_write_susp_files_extensions.yml
│ │ │ ├── file_event_win_startup_folder_file_write.yml
│ │ │ ├── file_event_win_susp_colorcpl.yml
│ │ │ ├── file_event_win_susp_creation_by_mobsync.yml
│ │ │ ├── file_event_win_susp_default_gpo_dir_write.yml
│ │ │ ├── file_event_win_susp_desktop_txt.yml
│ │ │ ├── file_event_win_susp_desktopimgdownldr_file.yml
│ │ │ ├── file_event_win_susp_diagcab.yml
│ │ │ ├── file_event_win_susp_double_extension.yml
│ │ │ ├── file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml
│ │ │ ├── file_event_win_susp_exchange_aspx_write.yml
│ │ │ ├── file_event_win_susp_executable_creation.yml
│ │ │ ├── file_event_win_susp_file_write_in_webapps_root.yml
│ │ │ ├── file_event_win_susp_filewrite_in_sharepoint_layouts_dir.yml
│ │ │ ├── file_event_win_susp_get_variable.yml
│ │ │ ├── file_event_win_susp_hidden_dir_index_allocation.yml
│ │ │ ├── file_event_win_susp_homoglyph_filename.yml
│ │ │ ├── file_event_win_susp_legitimate_app_dropping_archive.yml
│ │ │ ├── file_event_win_susp_legitimate_app_dropping_exe.yml
│ │ │ ├── file_event_win_susp_legitimate_app_dropping_in_uncommon_location.yml
│ │ │ ├── file_event_win_susp_legitimate_app_dropping_script.yml
│ │ │ ├── file_event_win_susp_lnk_double_extension.yml
│ │ │ ├── file_event_win_susp_powershell_profile.yml
│ │ │ ├── file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
│ │ │ ├── file_event_win_susp_public_folder_extension.yml
│ │ │ ├── file_event_win_susp_recycle_bin_fake_exec.yml
│ │ │ ├── file_event_win_susp_right_to_left_override_extension_spoofing.yml
│ │ │ ├── file_event_win_susp_spool_drivers_color_drop.yml
│ │ │ ├── file_event_win_susp_startup_folder_persistence.yml
│ │ │ ├── file_event_win_susp_system_interactive_powershell.yml
│ │ │ ├── file_event_win_susp_task_write.yml
│ │ │ ├── file_event_win_susp_teamviewer_remote_session.yml
│ │ │ ├── file_event_win_susp_vscode_powershell_profile.yml
│ │ │ ├── file_event_win_susp_wdac_policy_creation.yml
│ │ │ ├── file_event_win_susp_windows_terminal_profile.yml
│ │ │ ├── file_event_win_susp_winsxs_binary_creation.yml
│ │ │ ├── file_event_win_sysinternals_adexplorer_dump_written.yml
│ │ │ ├── file_event_win_sysinternals_livekd_default_dump_name.yml
│ │ │ ├── file_event_win_sysinternals_livekd_driver.yml
│ │ │ ├── file_event_win_sysinternals_livekd_driver_susp_creation.yml
│ │ │ ├── file_event_win_sysinternals_procexp_driver_susp_creation.yml
│ │ │ ├── file_event_win_sysinternals_procmon_driver_susp_creation.yml
│ │ │ ├── file_event_win_sysinternals_psexec_service.yml
│ │ │ ├── file_event_win_sysinternals_psexec_service_key.yml
│ │ │ ├── file_event_win_system32_local_folder_privilege_escalation.yml
│ │ │ ├── file_event_win_taskmgr_lsass_dump.yml
│ │ │ ├── file_event_win_tsclient_filewrite_startup.yml
│ │ │ ├── file_event_win_uac_bypass_consent_comctl32.yml
│ │ │ ├── file_event_win_uac_bypass_dotnet_profiler.yml
│ │ │ ├── file_event_win_uac_bypass_eventvwr.yml
│ │ │ ├── file_event_win_uac_bypass_idiagnostic_profile.yml
│ │ │ ├── file_event_win_uac_bypass_ieinstal.yml
│ │ │ ├── file_event_win_uac_bypass_msconfig_gui.yml
│ │ │ ├── file_event_win_uac_bypass_ntfs_reparse_point.yml
│ │ │ ├── file_event_win_uac_bypass_winsat.yml
│ │ │ ├── file_event_win_uac_bypass_wmp.yml
│ │ │ ├── file_event_win_vhd_download_via_browsers.yml
│ │ │ ├── file_event_win_vscode_tunnel_remote_creation_artefacts.yml
│ │ │ ├── file_event_win_vscode_tunnel_renamed_execution.yml
│ │ │ ├── file_event_win_webshell_creation_detect.yml
│ │ │ ├── file_event_win_werfault_dll_hijacking.yml
│ │ │ ├── file_event_win_winrar_file_creation_in_startup_folder.yml
│ │ │ ├── file_event_win_winrm_awl_bypass.yml
│ │ │ ├── file_event_win_wmi_persistence_script_event_consumer_write.yml
│ │ │ ├── file_event_win_wmiexec_default_filename.yml
│ │ │ ├── file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
│ │ │ ├── file_event_win_wpbbin_persistence.yml
│ │ │ └── file_event_win_writing_local_admin_share.yml
│ │ ├── file_executable_detected/
│ │ │ └── file_executable_detected_win_susp_embeded_sed_file.yml
│ │ └── file_rename/
│ │ └── file_rename_win_ransomware.yml
│ ├── image_load/
│ │ ├── image_load_clfs_load.yml
│ │ ├── image_load_cmstp_load_dll_from_susp_location.yml
│ │ ├── image_load_dll_amsi_suspicious_process.yml
│ │ ├── image_load_dll_azure_microsoft_account_token_provider_dll_load.yml
│ │ ├── image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
│ │ ├── image_load_dll_credui_uncommon_process_load.yml
│ │ ├── image_load_dll_dbghelp_dbgcore_unsigned_load.yml
│ │ ├── image_load_dll_pcre_dotnet_dll_load.yml
│ │ ├── image_load_dll_rstrtmgr_suspicious_load.yml
│ │ ├── image_load_dll_rstrtmgr_uncommon_load.yml
│ │ ├── image_load_dll_sdiageng_load_by_msdt.yml
│ │ ├── image_load_dll_system_management_automation_susp_load.yml
│ │ ├── image_load_dll_tttracer_module_load.yml
│ │ ├── image_load_dll_unsigned_node_load.yml
│ │ ├── image_load_dll_vss_ps_susp_load.yml
│ │ ├── image_load_dll_vssapi_susp_load.yml
│ │ ├── image_load_dll_vsstrace_susp_load.yml
│ │ ├── image_load_hktl_sharpevtmute.yml
│ │ ├── image_load_hktl_silenttrinity_stager.yml
│ │ ├── image_load_iexplore_dcom_iertutil_dll_hijack.yml
│ │ ├── image_load_lsass_unsigned_image_load.yml
│ │ ├── image_load_office_dotnet_assembly_dll_load.yml
│ │ ├── image_load_office_dotnet_clr_dll_load.yml
│ │ ├── image_load_office_dotnet_gac_dll_load.yml
│ │ ├── image_load_office_excel_xll_susp_load.yml
│ │ ├── image_load_office_outlook_outlvba_load.yml
│ │ ├── image_load_office_powershell_dll_load.yml
│ │ ├── image_load_office_vbadll_load.yml
│ │ ├── image_load_rundll32_remote_share_load.yml
│ │ ├── image_load_scrcons_wmi_scripteventconsumer.yml
│ │ ├── image_load_side_load_7za.yml
│ │ ├── image_load_side_load_abused_dlls_susp_paths.yml
│ │ ├── image_load_side_load_antivirus.yml
│ │ ├── image_load_side_load_appverifui.yml
│ │ ├── image_load_side_load_aruba_networks_virtual_intranet_access.yml
│ │ ├── image_load_side_load_avkkid.yml
│ │ ├── image_load_side_load_ccleaner_du.yml
│ │ ├── image_load_side_load_ccleaner_reactivator.yml
│ │ ├── image_load_side_load_chrome_frame_helper.yml
│ │ ├── image_load_side_load_classicexplorer32.yml
│ │ ├── image_load_side_load_comctl32.yml
│ │ ├── image_load_side_load_coregen.yml
│ │ ├── image_load_side_load_cpl_from_non_system_location.yml
│ │ ├── image_load_side_load_dbgcore.yml
│ │ ├── image_load_side_load_dbghelp.yml
│ │ ├── image_load_side_load_dbgmodel.yml
│ │ ├── image_load_side_load_eacore.yml
│ │ ├── image_load_side_load_edputil.yml
│ │ ├── image_load_side_load_from_non_system_location.yml
│ │ ├── image_load_side_load_goopdate.yml
│ │ ├── image_load_side_load_gup_libcurl.yml
│ │ ├── image_load_side_load_iviewers.yml
│ │ ├── image_load_side_load_jli.yml
│ │ ├── image_load_side_load_jsschhlp.yml
│ │ ├── image_load_side_load_keyscrambler.yml
│ │ ├── image_load_side_load_libvlc.yml
│ │ ├── image_load_side_load_mfdetours.yml
│ │ ├── image_load_side_load_mfdetours_unsigned.yml
│ │ ├── image_load_side_load_mpsvc.yml
│ │ ├── image_load_side_load_mscorsvc.yml
│ │ ├── image_load_side_load_non_existent_dlls.yml
│ │ ├── image_load_side_load_office_dlls.yml
│ │ ├── image_load_side_load_python.yml
│ │ ├── image_load_side_load_rcdll.yml
│ │ ├── image_load_side_load_rjvplatform_default_location.yml
│ │ ├── image_load_side_load_rjvplatform_non_default_location.yml
│ │ ├── image_load_side_load_robform.yml
│ │ ├── image_load_side_load_shell_chrome_api.yml
│ │ ├── image_load_side_load_shelldispatch.yml
│ │ ├── image_load_side_load_smadhook.yml
│ │ ├── image_load_side_load_solidpdfcreator.yml
│ │ ├── image_load_side_load_third_party.yml
│ │ ├── image_load_side_load_ualapi.yml
│ │ ├── image_load_side_load_vivaldi_elf.yml
│ │ ├── image_load_side_load_vmguestlib.yml
│ │ ├── image_load_side_load_vmmap_dbghelp_signed.yml
│ │ ├── image_load_side_load_vmmap_dbghelp_unsigned.yml
│ │ ├── image_load_side_load_vmware_xfer.yml
│ │ ├── image_load_side_load_waveedit.yml
│ │ ├── image_load_side_load_wazuh.yml
│ │ ├── image_load_side_load_windows_defender.yml
│ │ ├── image_load_side_load_wwlib.yml
│ │ ├── image_load_susp_baaupdate_dll_load.yml
│ │ ├── image_load_susp_clickonce_unsigned_module_loaded.yml
│ │ ├── image_load_susp_dll_load_system_process.yml
│ │ ├── image_load_susp_python_image_load.yml
│ │ ├── image_load_susp_script_dotnet_clr_dll_load.yml
│ │ ├── image_load_susp_unsigned_dll.yml
│ │ ├── image_load_thor_unsigned_execution.yml
│ │ ├── image_load_uac_bypass_iscsicpl.yml
│ │ ├── image_load_uac_bypass_via_dism.yml
│ │ ├── image_load_win_mmc_loads_script_engine_dll.yml
│ │ ├── image_load_win_susp_dbgcore_dbghelp_load.yml
│ │ ├── image_load_win_trusted_path_bypass.yml
│ │ ├── image_load_wmi_persistence_commandline_event_consumer.yml
│ │ ├── image_load_wmic_remote_xsl_scripting_dlls.yml
│ │ ├── image_load_wmiprvse_wbemcomn_dll_hijack.yml
│ │ └── image_load_wsman_provider_image_load.yml
│ ├── network_connection/
│ │ ├── net_connection_win_addinutil_initiated.yml
│ │ ├── net_connection_win_adws_unusual_connection.yml
│ │ ├── net_connection_win_certutil_initiated_connection.yml
│ │ ├── net_connection_win_cmstp_initiated_connection.yml
│ │ ├── net_connection_win_dialer_initiated_connection.yml
│ │ ├── net_connection_win_domain_azurewebsites.yml
│ │ ├── net_connection_win_domain_btunnels.yml
│ │ ├── net_connection_win_domain_cloudflared_communication.yml
│ │ ├── net_connection_win_domain_crypto_mining_pools.yml
│ │ ├── net_connection_win_domain_dead_drop_resolvers.yml
│ │ ├── net_connection_win_domain_devtunnels.yml
│ │ ├── net_connection_win_domain_dropbox_api.yml
│ │ ├── net_connection_win_domain_external_ip_lookup.yml
│ │ ├── net_connection_win_domain_google_api_non_browser_access.yml
│ │ ├── net_connection_win_domain_localtonet_tunnel.yml
│ │ ├── net_connection_win_domain_mega_nz.yml
│ │ ├── net_connection_win_domain_ngrok.yml
│ │ ├── net_connection_win_domain_ngrok_tunnel.yml
│ │ ├── net_connection_win_domain_notion_api_susp_communication.yml
│ │ ├── net_connection_win_domain_portmap.yml
│ │ ├── net_connection_win_domain_telegram_api_non_browser_access.yml
│ │ ├── net_connection_win_domain_vscode_tunnel_connection.yml
│ │ ├── net_connection_win_eqnedt.yml
│ │ ├── net_connection_win_finger.yml
│ │ ├── net_connection_win_imewdbld.yml
│ │ ├── net_connection_win_notepad.yml
│ │ ├── net_connection_win_office_outbound_non_local_ip.yml
│ │ ├── net_connection_win_office_uncommon_ports.yml
│ │ ├── net_connection_win_python.yml
│ │ ├── net_connection_win_rdp_outbound_over_non_standard_tools.yml
│ │ ├── net_connection_win_rdp_reverse_tunnel.yml
│ │ ├── net_connection_win_rdp_to_http.yml
│ │ ├── net_connection_win_regasm_network_activity.yml
│ │ ├── net_connection_win_regsvr32_network_activity.yml
│ │ ├── net_connection_win_remote_access_tools_anydesk_incoming_connection.yml
│ │ ├── net_connection_win_rundll32_net_connections.yml
│ │ ├── net_connection_win_silenttrinity_stager_msbuild_activity.yml
│ │ ├── net_connection_win_susp_binary_no_cmdline.yml
│ │ ├── net_connection_win_susp_file_sharing_domains_susp_folders.yml
│ │ ├── net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml
│ │ ├── net_connection_win_susp_malware_callback_port.yml
│ │ ├── net_connection_win_susp_malware_callback_ports_uncommon.yml
│ │ ├── net_connection_win_susp_outbound_kerberos_connection.yml
│ │ ├── net_connection_win_susp_outbound_mobsync_connection.yml
│ │ ├── net_connection_win_susp_outbound_smtp_connections.yml
│ │ ├── net_connection_win_susp_remote_powershell_session.yml
│ │ ├── net_connection_win_winlogon_net_connections.yml
│ │ ├── net_connection_win_wordpad_uncommon_ports.yml
│ │ ├── net_connection_win_wscript_cscript_local_connection.yml
│ │ ├── net_connection_win_wscript_cscript_outbound_connection.yml
│ │ └── net_connection_win_wuauclt_network_connection.yml
│ ├── pipe_created/
│ │ ├── pipe_created_adfs_namedpipe_connection_uncommon_tool.yml
│ │ ├── pipe_created_hktl_cobaltstrike.yml
│ │ ├── pipe_created_hktl_cobaltstrike_re.yml
│ │ ├── pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
│ │ ├── pipe_created_hktl_coercedpotato.yml
│ │ ├── pipe_created_hktl_diagtrack_eop.yml
│ │ ├── pipe_created_hktl_efspotato.yml
│ │ ├── pipe_created_hktl_generic_cred_dump_tools_pipes.yml
│ │ ├── pipe_created_hktl_koh_default_pipe.yml
│ │ ├── pipe_created_powershell_alternate_host_pipe.yml
│ │ ├── pipe_created_powershell_execution_pipe.yml
│ │ ├── pipe_created_pua_csexec_default_pipe.yml
│ │ ├── pipe_created_pua_paexec_default_pipe.yml
│ │ ├── pipe_created_pua_remcom_default_pipe.yml
│ │ ├── pipe_created_scrcons_wmi_consumer_namedpipe.yml
│ │ ├── pipe_created_susp_malicious_namedpipes.yml
│ │ └── pipe_created_sysinternals_psexec_default_pipe_susp_location.yml
│ ├── powershell/
│ │ ├── powershell_classic/
│ │ │ ├── posh_pc_abuse_nslookup_with_dns_records.yml
│ │ │ ├── posh_pc_delete_volume_shadow_copies.yml
│ │ │ ├── posh_pc_downgrade_attack.yml
│ │ │ ├── posh_pc_exe_calling_ps.yml
│ │ │ ├── posh_pc_powercat.yml
│ │ │ ├── posh_pc_remote_powershell_session.yml
│ │ │ ├── posh_pc_remotefxvgpudisablement_abuse.yml
│ │ │ ├── posh_pc_renamed_powershell.yml
│ │ │ ├── posh_pc_susp_download.yml
│ │ │ ├── posh_pc_susp_get_nettcpconnection.yml
│ │ │ ├── posh_pc_susp_zip_compress.yml
│ │ │ ├── posh_pc_tamper_windows_defender_set_mp.yml
│ │ │ └── posh_pc_wsman_com_provider_no_powershell.yml
│ │ ├── powershell_module/
│ │ │ ├── posh_pm_active_directory_module_dll_import.yml
│ │ │ ├── posh_pm_alternate_powershell_hosts.yml
│ │ │ ├── posh_pm_bad_opsec_artifacts.yml
│ │ │ ├── posh_pm_clear_powershell_history.yml
│ │ │ ├── posh_pm_decompress_commands.yml
│ │ │ ├── posh_pm_exploit_scripts.yml
│ │ │ ├── posh_pm_get_addbaccount.yml
│ │ │ ├── posh_pm_get_clipboard.yml
│ │ │ ├── posh_pm_hktl_evil_winrm_execution.yml
│ │ │ ├── posh_pm_invoke_obfuscation_clip.yml
│ │ │ ├── posh_pm_invoke_obfuscation_obfuscated_iex.yml
│ │ │ ├── posh_pm_invoke_obfuscation_stdin.yml
│ │ │ ├── posh_pm_invoke_obfuscation_var.yml
│ │ │ ├── posh_pm_invoke_obfuscation_via_compress.yml
│ │ │ ├── posh_pm_invoke_obfuscation_via_rundll.yml
│ │ │ ├── posh_pm_invoke_obfuscation_via_stdin.yml
│ │ │ ├── posh_pm_invoke_obfuscation_via_use_clip.yml
│ │ │ ├── posh_pm_invoke_obfuscation_via_use_mhsta.yml
│ │ │ ├── posh_pm_invoke_obfuscation_via_use_rundll32.yml
│ │ │ ├── posh_pm_invoke_obfuscation_via_var.yml
│ │ │ ├── posh_pm_malicious_commandlets.yml
│ │ │ ├── posh_pm_remote_powershell_session.yml
│ │ │ ├── posh_pm_remotefxvgpudisablement_abuse.yml
│ │ │ ├── posh_pm_susp_ad_group_reco.yml
│ │ │ ├── posh_pm_susp_download.yml
│ │ │ ├── posh_pm_susp_get_nettcpconnection.yml
│ │ │ ├── posh_pm_susp_invocation_generic.yml
│ │ │ ├── posh_pm_susp_invocation_specific.yml
│ │ │ ├── posh_pm_susp_local_group_reco.yml
│ │ │ ├── posh_pm_susp_reset_computermachinepassword.yml
│ │ │ ├── posh_pm_susp_smb_share_reco.yml
│ │ │ ├── posh_pm_susp_zip_compress.yml
│ │ │ └── posh_pm_syncappvpublishingserver_exe.yml
│ │ └── powershell_script/
│ │ ├── posh_ps_aadinternals_cmdlets_execution.yml
│ │ ├── posh_ps_access_to_browser_login_data.yml
│ │ ├── posh_ps_active_directory_module_dll_import.yml
│ │ ├── posh_ps_add_dnsclient_rule.yml
│ │ ├── posh_ps_add_windows_capability.yml
│ │ ├── posh_ps_adrecon_execution.yml
│ │ ├── posh_ps_amsi_bypass_pattern_nov22.yml
│ │ ├── posh_ps_amsi_null_bits_bypass.yml
│ │ ├── posh_ps_apt_silence_eda.yml
│ │ ├── posh_ps_as_rep_roasting.yml
│ │ ├── posh_ps_audio_exfiltration.yml
│ │ ├── posh_ps_automated_collection.yml
│ │ ├── posh_ps_capture_screenshots.yml
│ │ ├── posh_ps_clear_powershell_history.yml
│ │ ├── posh_ps_clearing_windows_console_history.yml
│ │ ├── posh_ps_cmdlet_scheduled_task.yml
│ │ ├── posh_ps_computer_discovery_get_adcomputer.yml
│ │ ├── posh_ps_copy_item_system_directory.yml
│ │ ├── posh_ps_cor_profiler.yml
│ │ ├── posh_ps_create_local_user.yml
│ │ ├── posh_ps_create_volume_shadow_copy.yml
│ │ ├── posh_ps_detect_vm_env.yml
│ │ ├── posh_ps_directorysearcher.yml
│ │ ├── posh_ps_directoryservices_accountmanagement.yml
│ │ ├── posh_ps_disable_psreadline_command_history.yml
│ │ ├── posh_ps_disable_windows_optional_feature.yml
│ │ ├── posh_ps_dotnet_assembly_from_file.yml
│ │ ├── posh_ps_download_com_cradles.yml
│ │ ├── posh_ps_dsinternals_cmdlets.yml
│ │ ├── posh_ps_dump_password_windows_credential_manager.yml
│ │ ├── posh_ps_enable_psremoting.yml
│ │ ├── posh_ps_enable_susp_windows_optional_feature.yml
│ │ ├── posh_ps_enumerate_password_windows_credential_manager.yml
│ │ ├── posh_ps_etw_trace_evasion.yml
│ │ ├── posh_ps_export_certificate.yml
│ │ ├── posh_ps_frombase64string_archive.yml
│ │ ├── posh_ps_get_acl_service.yml
│ │ ├── posh_ps_get_adcomputer.yml
│ │ ├── posh_ps_get_adgroup.yml
│ │ ├── posh_ps_get_adreplaccount.yml
│ │ ├── posh_ps_get_childitem_bookmarks.yml
│ │ ├── posh_ps_get_process_security_software_discovery.yml
│ │ ├── posh_ps_hktl_rubeus.yml
│ │ ├── posh_ps_hktl_winpwn.yml
│ │ ├── posh_ps_hotfix_enum.yml
│ │ ├── posh_ps_icmp_exfiltration.yml
│ │ ├── posh_ps_import_module_susp_dirs.yml
│ │ ├── posh_ps_install_unsigned_appx_packages.yml
│ │ ├── posh_ps_invoke_command_remote.yml
│ │ ├── posh_ps_invoke_dnsexfiltration.yml
│ │ ├── posh_ps_invoke_obfuscation_clip.yml
│ │ ├── posh_ps_invoke_obfuscation_obfuscated_iex.yml
│ │ ├── posh_ps_invoke_obfuscation_stdin.yml
│ │ ├── posh_ps_invoke_obfuscation_var.yml
│ │ ├── posh_ps_invoke_obfuscation_via_compress.yml
│ │ ├── posh_ps_invoke_obfuscation_via_rundll.yml
│ │ ├── posh_ps_invoke_obfuscation_via_stdin.yml
│ │ ├── posh_ps_invoke_obfuscation_via_use_clip.yml
│ │ ├── posh_ps_invoke_obfuscation_via_use_mhsta.yml
│ │ ├── posh_ps_invoke_obfuscation_via_use_rundll32.yml
│ │ ├── posh_ps_invoke_obfuscation_via_var.yml
│ │ ├── posh_ps_keylogging.yml
│ │ ├── posh_ps_localuser.yml
│ │ ├── posh_ps_mailboxexport_share.yml
│ │ ├── posh_ps_malicious_commandlets.yml
│ │ ├── posh_ps_malicious_keywords.yml
│ │ ├── posh_ps_memorydump_getstoragediagnosticinfo.yml
│ │ ├── posh_ps_modify_group_policy_settings.yml
│ │ ├── posh_ps_msxml_com.yml
│ │ ├── posh_ps_nishang_malicious_commandlets.yml
│ │ ├── posh_ps_ntfs_ads_access.yml
│ │ ├── posh_ps_office_comobject_registerxll.yml
│ │ ├── posh_ps_packet_capture.yml
│ │ ├── posh_ps_potential_invoke_mimikatz.yml
│ │ ├── posh_ps_potential_unconstrained_delegation_discovery.yml
│ │ ├── posh_ps_powershell_web_access_installation.yml
│ │ ├── posh_ps_powerview_malicious_commandlets.yml
│ │ ├── posh_ps_prompt_credentials.yml
│ │ ├── posh_ps_psasyncshell.yml
│ │ ├── posh_ps_psattack.yml
│ │ ├── posh_ps_remote_session_creation.yml
│ │ ├── posh_ps_remotefxvgpudisablement_abuse.yml
│ │ ├── posh_ps_request_kerberos_ticket.yml
│ │ ├── posh_ps_resolve_list_of_ip_from_file.yml
│ │ ├── posh_ps_root_certificate_installed.yml
│ │ ├── posh_ps_run_from_mount_diskimage.yml
│ │ ├── posh_ps_script_with_upload_capabilities.yml
│ │ ├── posh_ps_sensitive_file_discovery.yml
│ │ ├── posh_ps_set_acl.yml
│ │ ├── posh_ps_set_acl_susp_location.yml
│ │ ├── posh_ps_set_policies_to_unsecure_level.yml
│ │ ├── posh_ps_shellcode_b64.yml
│ │ ├── posh_ps_shellintel_malicious_commandlets.yml
│ │ ├── posh_ps_software_discovery.yml
│ │ ├── posh_ps_store_file_in_alternate_data_stream.yml
│ │ ├── posh_ps_susp_ace_tampering.yml
│ │ ├── posh_ps_susp_ad_group_reco.yml
│ │ ├── posh_ps_susp_alias_obfscuation.yml
│ │ ├── posh_ps_susp_clear_eventlog.yml
│ │ ├── posh_ps_susp_directory_enum.yml
│ │ ├── posh_ps_susp_download.yml
│ │ ├── posh_ps_susp_execute_batch_script.yml
│ │ ├── posh_ps_susp_extracting.yml
│ │ ├── posh_ps_susp_follina_execution.yml
│ │ ├── posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
│ │ ├── posh_ps_susp_get_current_user.yml
│ │ ├── posh_ps_susp_get_gpo.yml
│ │ ├── posh_ps_susp_get_process.yml
│ │ ├── posh_ps_susp_getprocess_lsass.yml
│ │ ├── posh_ps_susp_gettypefromclsid.yml
│ │ ├── posh_ps_susp_hyper_v_condlet.yml
│ │ ├── posh_ps_susp_invocation_generic.yml
│ │ ├── posh_ps_susp_invocation_specific.yml
│ │ ├── posh_ps_susp_invoke_webrequest_useragent.yml
│ │ ├── posh_ps_susp_iofilestream.yml
│ │ ├── posh_ps_susp_keylogger_activity.yml
│ │ ├── posh_ps_susp_keywords.yml
│ │ ├── posh_ps_susp_local_group_reco.yml
│ │ ├── posh_ps_susp_mail_acces.yml
│ │ ├── posh_ps_susp_mount_diskimage.yml
│ │ ├── posh_ps_susp_mounted_share_deletion.yml
│ │ ├── posh_ps_susp_networkcredential.yml
│ │ ├── posh_ps_susp_new_psdrive.yml
│ │ ├── posh_ps_susp_proxy_scripts.yml
│ │ ├── posh_ps_susp_recon_export.yml
│ │ ├── posh_ps_susp_remove_adgroupmember.yml
│ │ ├── posh_ps_susp_service_dacl_modification_set_service.yml
│ │ ├── posh_ps_susp_set_alias.yml
│ │ ├── posh_ps_susp_smb_share_reco.yml
│ │ ├── posh_ps_susp_ssl_keyword.yml
│ │ ├── posh_ps_susp_start_process.yml
│ │ ├── posh_ps_susp_unblock_file.yml
│ │ ├── posh_ps_susp_wallpaper.yml
│ │ ├── posh_ps_susp_win32_pnpentity.yml
│ │ ├── posh_ps_susp_win32_shadowcopy_deletion.yml
│ │ ├── posh_ps_susp_windowstyle.yml
│ │ ├── posh_ps_susp_write_eventlog.yml
│ │ ├── posh_ps_susp_zip_compress.yml
│ │ ├── posh_ps_syncappvpublishingserver_exe.yml
│ │ ├── posh_ps_tamper_windows_defender_rem_mp.yml
│ │ ├── posh_ps_tamper_windows_defender_set_mp.yml
│ │ ├── posh_ps_test_netconnection.yml
│ │ ├── posh_ps_timestomp.yml
│ │ ├── posh_ps_user_discovery_get_aduser.yml
│ │ ├── posh_ps_user_profile_tampering.yml
│ │ ├── posh_ps_using_set_service_to_hide_services.yml
│ │ ├── posh_ps_vbscript_registry_modification.yml
│ │ ├── posh_ps_veeam_credential_dumping_script.yml
│ │ ├── posh_ps_web_request_cmd_and_cmdlets.yml
│ │ ├── posh_ps_win32_nteventlogfile_usage.yml
│ │ ├── posh_ps_win32_product_install_msi.yml
│ │ ├── posh_ps_win_api_susp_access.yml
│ │ ├── posh_ps_win_defender_exclusions_added.yml
│ │ ├── posh_ps_windows_firewall_profile_disabled.yml
│ │ ├── posh_ps_winlogon_helper_dll.yml
│ │ ├── posh_ps_wmi_persistence.yml
│ │ ├── posh_ps_wmi_unquoted_service_search.yml
│ │ ├── posh_ps_wmimplant.yml
│ │ ├── posh_ps_x509enrollment.yml
│ │ └── posh_ps_xml_iex.yml
│ ├── process_access/
│ │ ├── proc_access_win_cmstp_execution_by_access.yml
│ │ ├── proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml
│ │ ├── proc_access_win_hktl_generic_access.yml
│ │ ├── proc_access_win_hktl_handlekatz_lsass_access.yml
│ │ ├── proc_access_win_hktl_littlecorporal_generated_maldoc.yml
│ │ ├── proc_access_win_hktl_sysmonente.yml
│ │ ├── proc_access_win_lsass_dump_comsvcs_dll.yml
│ │ ├── proc_access_win_lsass_dump_keyword_image.yml
│ │ ├── proc_access_win_lsass_memdump.yml
│ │ ├── proc_access_win_lsass_python_based_tool.yml
│ │ ├── proc_access_win_lsass_remote_access_trough_winrm.yml
│ │ ├── proc_access_win_lsass_seclogon_access.yml
│ │ ├── proc_access_win_lsass_susp_access_flag.yml
│ │ ├── proc_access_win_lsass_werfault.yml
│ │ ├── proc_access_win_lsass_whitelisted_process_names.yml
│ │ ├── proc_access_win_susp_all_access_uncommon_target.yml
│ │ ├── proc_access_win_susp_dbgcore_dbghelp_load.yml
│ │ ├── proc_access_win_susp_direct_ntopenprocess_call.yml
│ │ ├── proc_access_win_svchost_credential_dumping.yml
│ │ ├── proc_access_win_svchost_susp_access_request.yml
│ │ ├── proc_access_win_uac_bypass_editionupgrademanagerobj.yml
│ │ ├── proc_access_win_uac_bypass_wow64_logger.yml
│ │ └── proc_access_win_werfaultsecure_msmpeng_access.yml
│ ├── process_creation/
│ │ ├── proc_creation_win_7zip_exfil_dmp_files.yml
│ │ ├── proc_creation_win_7zip_password_compression.yml
│ │ ├── proc_creation_win_acccheckconsole_execution.yml
│ │ ├── proc_creation_win_addinutil_suspicious_cmdline.yml
│ │ ├── proc_creation_win_addinutil_uncommon_child_process.yml
│ │ ├── proc_creation_win_addinutil_uncommon_cmdline.yml
│ │ ├── proc_creation_win_addinutil_uncommon_dir_exec.yml
│ │ ├── proc_creation_win_adplus_memory_dump.yml
│ │ ├── proc_creation_win_agentexecutor_potential_abuse.yml
│ │ ├── proc_creation_win_agentexecutor_susp_usage.yml
│ │ ├── proc_creation_win_amsi_registry_tampering.yml
│ │ ├── proc_creation_win_appvlp_uncommon_child_process.yml
│ │ ├── proc_creation_win_arcsoc_susp_child_process.yml
│ │ ├── proc_creation_win_aspnet_compiler_exectuion.yml
│ │ ├── proc_creation_win_aspnet_compiler_susp_child_process.yml
│ │ ├── proc_creation_win_aspnet_compiler_susp_paths.yml
│ │ ├── proc_creation_win_at_interactive_execution.yml
│ │ ├── proc_creation_win_atbroker_uncommon_ats_execution.yml
│ │ ├── proc_creation_win_attrib_hiding_files.yml
│ │ ├── proc_creation_win_attrib_system_susp_paths.yml
│ │ ├── proc_creation_win_auditpol_nt_resource_kit_usage.yml
│ │ ├── proc_creation_win_auditpol_susp_execution.yml
│ │ ├── proc_creation_win_autorun_registry_modified_via_wmic.yml
│ │ ├── proc_creation_win_baaupdate_susp_child_process.yml
│ │ ├── proc_creation_win_bash_command_execution.yml
│ │ ├── proc_creation_win_bash_file_execution.yml
│ │ ├── proc_creation_win_bcdedit_boot_conf_tamper.yml
│ │ ├── proc_creation_win_bcdedit_susp_execution.yml
│ │ ├── proc_creation_win_bcp_export_data.yml
│ │ ├── proc_creation_win_bginfo_suspicious_child_process.yml
│ │ ├── proc_creation_win_bginfo_uncommon_child_process.yml
│ │ ├── proc_creation_win_bitlockertogo_execution.yml
│ │ ├── proc_creation_win_bitsadmin_download.yml
│ │ ├── proc_creation_win_bitsadmin_download_direct_ip.yml
│ │ ├── proc_creation_win_bitsadmin_download_file_sharing_domains.yml
│ │ ├── proc_creation_win_bitsadmin_download_susp_extensions.yml
│ │ ├── proc_creation_win_bitsadmin_download_susp_targetfolder.yml
│ │ ├── proc_creation_win_bitsadmin_potential_persistence.yml
│ │ ├── proc_creation_win_browsers_chromium_headless_debugging.yml
│ │ ├── proc_creation_win_browsers_chromium_headless_exec.yml
│ │ ├── proc_creation_win_browsers_chromium_headless_file_download.yml
│ │ ├── proc_creation_win_browsers_chromium_load_extension.yml
│ │ ├── proc_creation_win_browsers_chromium_mockbin_abuse.yml
│ │ ├── proc_creation_win_browsers_chromium_susp_load_extension.yml
│ │ ├── proc_creation_win_browsers_inline_file_download.yml
│ │ ├── proc_creation_win_browsers_remote_debugging.yml
│ │ ├── proc_creation_win_browsers_tor_execution.yml
│ │ ├── proc_creation_win_calc_uncommon_exec.yml
│ │ ├── proc_creation_win_cdb_arbitrary_command_execution.yml
│ │ ├── proc_creation_win_certmgr_certificate_installation.yml
│ │ ├── proc_creation_win_certoc_download.yml
│ │ ├── proc_creation_win_certoc_download_direct_ip.yml
│ │ ├── proc_creation_win_certoc_load_dll.yml
│ │ ├── proc_creation_win_certoc_load_dll_susp_locations.yml
│ │ ├── proc_creation_win_certreq_download.yml
│ │ ├── proc_creation_win_certutil_certificate_installation.yml
│ │ ├── proc_creation_win_certutil_decode.yml
│ │ ├── proc_creation_win_certutil_download.yml
│ │ ├── proc_creation_win_certutil_download_direct_ip.yml
│ │ ├── proc_creation_win_certutil_download_file_sharing_domains.yml
│ │ ├── proc_creation_win_certutil_encode.yml
│ │ ├── proc_creation_win_certutil_encode_susp_extensions.yml
│ │ ├── proc_creation_win_certutil_encode_susp_location.yml
│ │ ├── proc_creation_win_certutil_export_pfx.yml
│ │ ├── proc_creation_win_certutil_ntlm_coercion.yml
│ │ ├── proc_creation_win_chcp_codepage_lookup.yml
│ │ ├── proc_creation_win_chcp_codepage_switch.yml
│ │ ├── proc_creation_win_cipher_overwrite_deleted_data.yml
│ │ ├── proc_creation_win_citrix_trolleyexpress_procdump.yml
│ │ ├── proc_creation_win_clip_execution.yml
│ │ ├── proc_creation_win_cloudflared_portable_execution.yml
│ │ ├── proc_creation_win_cloudflared_quicktunnel_execution.yml
│ │ ├── proc_creation_win_cloudflared_tunnel_cleanup.yml
│ │ ├── proc_creation_win_cloudflared_tunnel_run.yml
│ │ ├── proc_creation_win_cmd_assoc_execution.yml
│ │ ├── proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
│ │ ├── proc_creation_win_cmd_copy_dmp_from_share.yml
│ │ ├── proc_creation_win_cmd_curl_download_exec_combo.yml
│ │ ├── proc_creation_win_cmd_del_execution.yml
│ │ ├── proc_creation_win_cmd_del_greedy_deletion.yml
│ │ ├── proc_creation_win_cmd_dir_execution.yml
│ │ ├── proc_creation_win_cmd_dosfuscation.yml
│ │ ├── proc_creation_win_cmd_http_appdata.yml
│ │ ├── proc_creation_win_cmd_launched_with_hidden_start_flag.yml
│ │ ├── proc_creation_win_cmd_mklink_osk_cmd.yml
│ │ ├── proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml
│ │ ├── proc_creation_win_cmd_net_use_and_exec_combo.yml
│ │ ├── proc_creation_win_cmd_no_space_execution.yml
│ │ ├── proc_creation_win_cmd_ntdllpipe_redirect.yml
│ │ ├── proc_creation_win_cmd_path_traversal.yml
│ │ ├── proc_creation_win_cmd_ping_copy_combined_execution.yml
│ │ ├── proc_creation_win_cmd_ping_del_combined_execution.yml
│ │ ├── proc_creation_win_cmd_redirection_susp_folder.yml
│ │ ├── proc_creation_win_cmd_rmdir_execution.yml
│ │ ├── proc_creation_win_cmd_shadowcopy_access.yml
│ │ ├── proc_creation_win_cmd_stdin_redirect.yml
│ │ ├── proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
│ │ ├── proc_creation_win_cmd_sticky_keys_replace.yml
│ │ ├── proc_creation_win_cmd_type_arbitrary_file_download.yml
│ │ ├── proc_creation_win_cmd_unusual_parent.yml
│ │ ├── proc_creation_win_cmdkey_adding_generic_creds.yml
│ │ ├── proc_creation_win_cmdkey_recon.yml
│ │ ├── proc_creation_win_cmdl32_arbitrary_file_download.yml
│ │ ├── proc_creation_win_cmstp_execution_by_creation.yml
│ │ ├── proc_creation_win_comodo_ssh_shellhost_cmd_spawn.yml
│ │ ├── proc_creation_win_configsecuritypolicy_download_file.yml
│ │ ├── proc_creation_win_conhost_headless_powershell.yml
│ │ ├── proc_creation_win_conhost_legacy_option.yml
│ │ ├── proc_creation_win_conhost_path_traversal.yml
│ │ ├── proc_creation_win_conhost_susp_child_process.yml
│ │ ├── proc_creation_win_conhost_susp_winshell_child_process.yml
│ │ ├── proc_creation_win_conhost_uncommon_parent.yml
│ │ ├── proc_creation_win_control_panel_item.yml
│ │ ├── proc_creation_win_createdump_lolbin_execution.yml
│ │ ├── proc_creation_win_credential_guard_registry_tampering.yml
│ │ ├── proc_creation_win_csc_susp_dynamic_compilation.yml
│ │ ├── proc_creation_win_csc_susp_parent.yml
│ │ ├── proc_creation_win_csi_execution.yml
│ │ ├── proc_creation_win_csi_use_of_csharp_console.yml
│ │ ├── proc_creation_win_csvde_export.yml
│ │ ├── proc_creation_win_curl_cookie_hijacking.yml
│ │ ├── proc_creation_win_curl_custom_user_agent.yml
│ │ ├── proc_creation_win_curl_download_direct_ip_exec.yml
│ │ ├── proc_creation_win_curl_download_direct_ip_susp_extensions.yml
│ │ ├── proc_creation_win_curl_download_susp_file_sharing_domains.yml
│ │ ├── proc_creation_win_curl_insecure_connection.yml
│ │ ├── proc_creation_win_curl_insecure_proxy_or_doh.yml
│ │ ├── proc_creation_win_curl_local_file_read.yml
│ │ ├── proc_creation_win_curl_susp_download.yml
│ │ ├── proc_creation_win_customshellhost_susp_exec.yml
│ │ ├── proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
│ │ ├── proc_creation_win_defaultpack_uncommon_child_process.yml
│ │ ├── proc_creation_win_defender_default_action_modified.yml
│ │ ├── proc_creation_win_defender_remove_context_menu.yml
│ │ ├── proc_creation_win_desktopimgdownldr_remote_file_download.yml
│ │ ├── proc_creation_win_desktopimgdownldr_susp_execution.yml
│ │ ├── proc_creation_win_devcon_disable_vmci_driver.yml
│ │ ├── proc_creation_win_device_credential_deployment.yml
│ │ ├── proc_creation_win_deviceenroller_dll_sideloading.yml
│ │ ├── proc_creation_win_devinit_lolbin_usage.yml
│ │ ├── proc_creation_win_dfsvc_suspicious_child_processes.yml
│ │ ├── proc_creation_win_dirlister_execution.yml
│ │ ├── proc_creation_win_discovery_via_reg_queries.yml
│ │ ├── proc_creation_win_diskshadow_child_process_susp.yml
│ │ ├── proc_creation_win_diskshadow_script_mode_susp_ext.yml
│ │ ├── proc_creation_win_diskshadow_script_mode_susp_location.yml
│ │ ├── proc_creation_win_dism_enable_powershell_web_access_feature.yml
│ │ ├── proc_creation_win_dism_remove.yml
│ │ ├── proc_creation_win_dll_sideload_vmware_xfer.yml
│ │ ├── proc_creation_win_dllhost_no_cli_execution.yml
│ │ ├── proc_creation_win_dns_exfiltration_tools_execution.yml
│ │ ├── proc_creation_win_dns_susp_child_process.yml
│ │ ├── proc_creation_win_dnscmd_discovery.yml
│ │ ├── proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
│ │ ├── proc_creation_win_dnx_execute_csharp_code.yml
│ │ ├── proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml
│ │ ├── proc_creation_win_dotnet_trace_lolbin_execution.yml
│ │ ├── proc_creation_win_dotnetdump_memory_dump.yml
│ │ ├── proc_creation_win_driverquery_recon.yml
│ │ ├── proc_creation_win_driverquery_usage.yml
│ │ ├── proc_creation_win_dsacls_abuse_permissions.yml
│ │ ├── proc_creation_win_dsacls_password_spray.yml
│ │ ├── proc_creation_win_dsquery_domain_trust_discovery.yml
│ │ ├── proc_creation_win_dtrace_kernel_dump.yml
│ │ ├── proc_creation_win_dump64_defender_av_bypass_rename.yml
│ │ ├── proc_creation_win_dumpminitool_execution.yml
│ │ ├── proc_creation_win_dumpminitool_susp_execution.yml
│ │ ├── proc_creation_win_dxcap_arbitrary_binary_execution.yml
│ │ ├── proc_creation_win_esentutl_params.yml
│ │ ├── proc_creation_win_esentutl_sensitive_file_copy.yml
│ │ ├── proc_creation_win_esentutl_webcache.yml
│ │ ├── proc_creation_win_event_logging_disable_via_key_minint.yml
│ │ ├── proc_creation_win_eventvwr_susp_child_process.yml
│ │ ├── proc_creation_win_expand_cabinet_files.yml
│ │ ├── proc_creation_win_explorer_break_process_tree.yml
│ │ ├── proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml
│ │ ├── proc_creation_win_explorer_nouaccheck.yml
│ │ ├── proc_creation_win_findstr_download.yml
│ │ ├── proc_creation_win_findstr_gpp_passwords.yml
│ │ ├── proc_creation_win_findstr_lnk.yml
│ │ ├── proc_creation_win_findstr_lsass.yml
│ │ ├── proc_creation_win_findstr_recon_everyone.yml
│ │ ├── proc_creation_win_findstr_recon_pipe_output.yml
│ │ ├── proc_creation_win_findstr_security_keyword_lookup.yml
│ │ ├── proc_creation_win_findstr_subfolder_search.yml
│ │ ├── proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml
│ │ ├── proc_creation_win_finger_execution.yml
│ │ ├── proc_creation_win_fltmc_unload_driver.yml
│ │ ├── proc_creation_win_fltmc_unload_driver_sysmon.yml
│ │ ├── proc_creation_win_forfiles_child_process_masquerading.yml
│ │ ├── proc_creation_win_forfiles_proxy_execution_.yml
│ │ ├── proc_creation_win_format_uncommon_filesystem_load.yml
│ │ ├── proc_creation_win_fsi_fsharp_code_execution.yml
│ │ ├── proc_creation_win_fsutil_drive_enumeration.yml
│ │ ├── proc_creation_win_fsutil_symlinkevaluation.yml
│ │ ├── proc_creation_win_fsutil_usage.yml
│ │ ├── proc_creation_win_ftp_arbitrary_command_execution.yml
│ │ ├── proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
│ │ ├── proc_creation_win_git_susp_clone.yml
│ │ ├── proc_creation_win_github_self_hosted_runner.yml
│ │ ├── proc_creation_win_googleupdate_susp_child_process.yml
│ │ ├── proc_creation_win_gpg4win_decryption.yml
│ │ ├── proc_creation_win_gpg4win_encryption.yml
│ │ ├── proc_creation_win_gpg4win_portable_execution.yml
│ │ ├── proc_creation_win_gpg4win_susp_location.yml
│ │ ├── proc_creation_win_gpresult_execution.yml
│ │ ├── proc_creation_win_gup_arbitrary_binary_execution.yml
│ │ ├── proc_creation_win_gup_download.yml
│ │ ├── proc_creation_win_gup_susp_child_process.yml
│ │ ├── proc_creation_win_gup_suspicious_execution.yml
│ │ ├── proc_creation_win_hh_chm_execution.yml
│ │ ├── proc_creation_win_hh_chm_remote_download_or_execution.yml
│ │ ├── proc_creation_win_hh_html_help_susp_child_process.yml
│ │ ├── proc_creation_win_hh_susp_execution.yml
│ │ ├── proc_creation_win_hktl_adcspwn.yml
│ │ ├── proc_creation_win_hktl_bloodhound_sharphound.yml
│ │ ├── proc_creation_win_hktl_c3_rundll32_pattern.yml
│ │ ├── proc_creation_win_hktl_certify.yml
│ │ ├── proc_creation_win_hktl_certipy.yml
│ │ ├── proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
│ │ ├── proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
│ │ ├── proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml
│ │ ├── proc_creation_win_hktl_cobaltstrike_process_patterns.yml
│ │ ├── proc_creation_win_hktl_coercedpotato.yml
│ │ ├── proc_creation_win_hktl_covenant.yml
│ │ ├── proc_creation_win_hktl_crackmapexec_execution.yml
│ │ ├── proc_creation_win_hktl_crackmapexec_execution_patterns.yml
│ │ ├── proc_creation_win_hktl_crackmapexec_patterns.yml
│ │ ├── proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml
│ │ ├── proc_creation_win_hktl_createminidump.yml
│ │ ├── proc_creation_win_hktl_dinjector.yml
│ │ ├── proc_creation_win_hktl_doppelganger.yml
│ │ ├── proc_creation_win_hktl_dumpert.yml
│ │ ├── proc_creation_win_hktl_edr_freeze.yml
│ │ ├── proc_creation_win_hktl_edrsilencer.yml
│ │ ├── proc_creation_win_hktl_empire_powershell_launch.yml
│ │ ├── proc_creation_win_hktl_empire_powershell_uac_bypass.yml
│ │ ├── proc_creation_win_hktl_evil_winrm.yml
│ │ ├── proc_creation_win_hktl_execution_via_imphashes.yml
│ │ ├── proc_creation_win_hktl_execution_via_pe_metadata.yml
│ │ ├── proc_creation_win_hktl_gmer.yml
│ │ ├── proc_creation_win_hktl_handlekatz.yml
│ │ ├── proc_creation_win_hktl_hashcat.yml
│ │ ├── proc_creation_win_hktl_hollowreaper.yml
│ │ ├── proc_creation_win_hktl_htran_or_natbypass.yml
│ │ ├── proc_creation_win_hktl_hydra.yml
│ │ ├── proc_creation_win_hktl_impacket_lateral_movement.yml
│ │ ├── proc_creation_win_hktl_impacket_tools.yml
│ │ ├── proc_creation_win_hktl_impersonate.yml
│ │ ├── proc_creation_win_hktl_inveigh.yml
│ │ ├── proc_creation_win_hktl_invoke_obfuscation_clip.yml
│ │ ├── proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml
│ │ ├── proc_creation_win_hktl_invoke_obfuscation_stdin.yml
│ │ ├── proc_creation_win_hktl_invoke_obfuscation_var.yml
│ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
│ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
│ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
│ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
│ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_var.yml
│ │ ├── proc_creation_win_hktl_jlaive_batch_execution.yml
│ │ ├── proc_creation_win_hktl_koadic.yml
│ │ ├── proc_creation_win_hktl_krbrelay.yml
│ │ ├── proc_creation_win_hktl_krbrelay_remote.yml
│ │ ├── proc_creation_win_hktl_krbrelayup.yml
│ │ ├── proc_creation_win_hktl_lazagne.yml
│ │ ├── proc_creation_win_hktl_localpotato.yml
│ │ ├── proc_creation_win_hktl_meterpreter_getsystem.yml
│ │ ├── proc_creation_win_hktl_mimikatz_command_line.yml
│ │ ├── proc_creation_win_hktl_pchunter.yml
│ │ ├── proc_creation_win_hktl_powersploit_empire_default_schtasks.yml
│ │ ├── proc_creation_win_hktl_powertool.yml
│ │ ├── proc_creation_win_hktl_purplesharp_indicators.yml
│ │ ├── proc_creation_win_hktl_pypykatz.yml
│ │ ├── proc_creation_win_hktl_quarks_pwdump.yml
│ │ ├── proc_creation_win_hktl_redmimicry_winnti_playbook.yml
│ │ ├── proc_creation_win_hktl_relay_attacks_tools.yml
│ │ ├── proc_creation_win_hktl_rubeus.yml
│ │ ├── proc_creation_win_hktl_safetykatz.yml
│ │ ├── proc_creation_win_hktl_secutyxploded.yml
│ │ ├── proc_creation_win_hktl_selectmyparent.yml
│ │ ├── proc_creation_win_hktl_sharp_chisel.yml
│ │ ├── proc_creation_win_hktl_sharp_dpapi_execution.yml
│ │ ├── proc_creation_win_hktl_sharp_impersonation.yml
│ │ ├── proc_creation_win_hktl_sharp_ldap_monitor.yml
│ │ ├── proc_creation_win_hktl_sharpersist.yml
│ │ ├── proc_creation_win_hktl_sharpevtmute.yml
│ │ ├── proc_creation_win_hktl_sharpldapwhoami.yml
│ │ ├── proc_creation_win_hktl_sharpmove.yml
│ │ ├── proc_creation_win_hktl_sharpsuccessor_execution.yml
│ │ ├── proc_creation_win_hktl_sharpup.yml
│ │ ├── proc_creation_win_hktl_sharpview.yml
│ │ ├── proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml
│ │ ├── proc_creation_win_hktl_silenttrinity_stager.yml
│ │ ├── proc_creation_win_hktl_sliver_c2_execution_pattern.yml
│ │ ├── proc_creation_win_hktl_soaphound_execution.yml
│ │ ├── proc_creation_win_hktl_stracciatella_execution.yml
│ │ ├── proc_creation_win_hktl_sysmoneop.yml
│ │ ├── proc_creation_win_hktl_trufflesnout.yml
│ │ ├── proc_creation_win_hktl_uacme.yml
│ │ ├── proc_creation_win_hktl_wce.yml
│ │ ├── proc_creation_win_hktl_winpeas.yml
│ │ ├── proc_creation_win_hktl_winpwn.yml
│ │ ├── proc_creation_win_hktl_wmiexec_default_powershell.yml
│ │ ├── proc_creation_win_hktl_wsass.yml
│ │ ├── proc_creation_win_hktl_xordump.yml
│ │ ├── proc_creation_win_hktl_zipexec.yml
│ │ ├── proc_creation_win_hostname_execution.yml
│ │ ├── proc_creation_win_hvci_registry_tampering.yml
│ │ ├── proc_creation_win_hwp_exploits.yml
│ │ ├── proc_creation_win_hxtsr_masquerading.yml
│ │ ├── proc_creation_win_icacls_deny.yml
│ │ ├── proc_creation_win_ieexec_download.yml
│ │ ├── proc_creation_win_iexpress_susp_execution.yml
│ │ ├── proc_creation_win_iis_appcmd_http_logging.yml
│ │ ├── proc_creation_win_iis_appcmd_service_account_password_dumped.yml
│ │ ├── proc_creation_win_iis_appcmd_susp_module_install.yml
│ │ ├── proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
│ │ ├── proc_creation_win_iis_connection_strings_decryption.yml
│ │ ├── proc_creation_win_iis_logs_deletion.yml
│ │ ├── proc_creation_win_iis_susp_module_registration.yml
│ │ ├── proc_creation_win_ilasm_il_code_compilation.yml
│ │ ├── proc_creation_win_imagingdevices_unusual_parents.yml
│ │ ├── proc_creation_win_imewbdld_download.yml
│ │ ├── proc_creation_win_infdefaultinstall_execute_sct_scripts.yml
│ │ ├── proc_creation_win_installutil_download.yml
│ │ ├── proc_creation_win_instalutil_no_log_execution.yml
│ │ ├── proc_creation_win_java_keytool_susp_child_process.yml
│ │ ├── proc_creation_win_java_manageengine_susp_child_process.yml
│ │ ├── proc_creation_win_java_remote_debugging.yml
│ │ ├── proc_creation_win_java_susp_child_process.yml
│ │ ├── proc_creation_win_java_susp_child_process_2.yml
│ │ ├── proc_creation_win_java_sysaidserver_susp_child_process.yml
│ │ ├── proc_creation_win_jsc_execution.yml
│ │ ├── proc_creation_win_kavremover_uncommon_execution.yml
│ │ ├── proc_creation_win_kd_execution.yml
│ │ ├── proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
│ │ ├── proc_creation_win_keyscrambler_susp_child_process.yml
│ │ ├── proc_creation_win_ksetup_password_change_computer.yml
│ │ ├── proc_creation_win_ksetup_password_change_user.yml
│ │ ├── proc_creation_win_ldifde_export.yml
│ │ ├── proc_creation_win_ldifde_file_load.yml
│ │ ├── proc_creation_win_link_uncommon_parent_process.yml
│ │ ├── proc_creation_win_lodctr_performance_counter_tampering.yml
│ │ ├── proc_creation_win_logman_disable_eventlog.yml
│ │ ├── proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
│ │ ├── proc_creation_win_lolbin_devtoolslauncher.yml
│ │ ├── proc_creation_win_lolbin_diantz_ads.yml
│ │ ├── proc_creation_win_lolbin_diantz_remote_cab.yml
│ │ ├── proc_creation_win_lolbin_extrac32.yml
│ │ ├── proc_creation_win_lolbin_extrac32_ads.yml
│ │ ├── proc_creation_win_lolbin_gather_network_info.yml
│ │ ├── proc_creation_win_lolbin_gpscript.yml
│ │ ├── proc_creation_win_lolbin_ie4uinit.yml
│ │ ├── proc_creation_win_lolbin_launch_vsdevshell.yml
│ │ ├── proc_creation_win_lolbin_manage_bde.yml
│ │ ├── proc_creation_win_lolbin_mavinject_process_injection.yml
│ │ ├── proc_creation_win_lolbin_mpiexec.yml
│ │ ├── proc_creation_win_lolbin_msdeploy.yml
│ │ ├── proc_creation_win_lolbin_openconsole.yml
│ │ ├── proc_creation_win_lolbin_openwith.yml
│ │ ├── proc_creation_win_lolbin_pcalua.yml
│ │ ├── proc_creation_win_lolbin_pcwrun.yml
│ │ ├── proc_creation_win_lolbin_pcwrun_follina.yml
│ │ ├── proc_creation_win_lolbin_pcwutl.yml
│ │ ├── proc_creation_win_lolbin_pester.yml
│ │ ├── proc_creation_win_lolbin_pester_1.yml
│ │ ├── proc_creation_win_lolbin_printbrm.yml
│ │ ├── proc_creation_win_lolbin_pubprn.yml
│ │ ├── proc_creation_win_lolbin_rasautou_dll_execution.yml
│ │ ├── proc_creation_win_lolbin_register_app.yml
│ │ ├── proc_creation_win_lolbin_remote.yml
│ │ ├── proc_creation_win_lolbin_replace.yml
│ │ ├── proc_creation_win_lolbin_runexehelper.yml
│ │ ├── proc_creation_win_lolbin_runscripthelper.yml
│ │ ├── proc_creation_win_lolbin_scriptrunner.yml
│ │ ├── proc_creation_win_lolbin_settingsynchost.yml
│ │ ├── proc_creation_win_lolbin_sftp.yml
│ │ ├── proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
│ │ ├── proc_creation_win_lolbin_susp_grpconv.yml
│ │ ├── proc_creation_win_lolbin_susp_sqldumper_activity.yml
│ │ ├── proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
│ │ ├── proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
│ │ ├── proc_creation_win_lolbin_tracker.yml
│ │ ├── proc_creation_win_lolbin_ttdinject.yml
│ │ ├── proc_creation_win_lolbin_tttracer_mod_load.yml
│ │ ├── proc_creation_win_lolbin_unregmp2.yml
│ │ ├── proc_creation_win_lolbin_utilityfunctions.yml
│ │ ├── proc_creation_win_lolbin_visual_basic_compiler.yml
│ │ ├── proc_creation_win_lolbin_visualuiaverifynative.yml
│ │ ├── proc_creation_win_lolbin_vsiisexelauncher.yml
│ │ ├── proc_creation_win_lolbin_wfc.yml
│ │ ├── proc_creation_win_lolscript_register_app.yml
│ │ ├── proc_creation_win_lsass_process_clone.yml
│ │ ├── proc_creation_win_mftrace_child_process.yml
│ │ ├── proc_creation_win_mmc_default_domain_gpo_modification_via_gpme.yml
│ │ ├── proc_creation_win_mmc_mmc20_lateral_movement.yml
│ │ ├── proc_creation_win_mmc_rlo_abuse_pattern.yml
│ │ ├── proc_creation_win_mmc_susp_child_process.yml
│ │ ├── proc_creation_win_mode_codepage_russian.yml
│ │ ├── proc_creation_win_mofcomp_execution.yml
│ │ ├── proc_creation_win_mpcmdrun_dll_sideload_defender.yml
│ │ ├── proc_creation_win_mpcmdrun_download_arbitrary_file.yml
│ │ ├── proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
│ │ ├── proc_creation_win_msbuild_susp_parent_process.yml
│ │ ├── proc_creation_win_msdt_answer_file_exec.yml
│ │ ├── proc_creation_win_msdt_arbitrary_command_execution.yml
│ │ ├── proc_creation_win_msdt_susp_cab_options.yml
│ │ ├── proc_creation_win_msdt_susp_parent.yml
│ │ ├── proc_creation_win_msedge_proxy_download.yml
│ │ ├── proc_creation_win_mshta_http.yml
│ │ ├── proc_creation_win_mshta_inline_vbscript.yml
│ │ ├── proc_creation_win_mshta_javascript.yml
│ │ ├── proc_creation_win_mshta_lethalhta_technique.yml
│ │ ├── proc_creation_win_mshta_susp_child_processes.yml
│ │ ├── proc_creation_win_mshta_susp_execution.yml
│ │ ├── proc_creation_win_mshta_susp_pattern.yml
│ │ ├── proc_creation_win_msiexec_dll.yml
│ │ ├── proc_creation_win_msiexec_embedding.yml
│ │ ├── proc_creation_win_msiexec_execute_dll.yml
│ │ ├── proc_creation_win_msiexec_install_quiet.yml
│ │ ├── proc_creation_win_msiexec_install_remote.yml
│ │ ├── proc_creation_win_msiexec_masquerading.yml
│ │ ├── proc_creation_win_msiexec_web_install.yml
│ │ ├── proc_creation_win_msix_ai_stub_execution.yml
│ │ ├── proc_creation_win_msohtmed_download.yml
│ │ ├── proc_creation_win_mspub_download.yml
│ │ ├── proc_creation_win_msra_process_injection.yml
│ │ ├── proc_creation_win_mssql_sqlps_susp_execution.yml
│ │ ├── proc_creation_win_mssql_sqltoolsps_susp_execution.yml
│ │ ├── proc_creation_win_mssql_susp_child_process.yml
│ │ ├── proc_creation_win_mssql_veaam_susp_child_processes.yml
│ │ ├── proc_creation_win_mstsc_rdp_hijack_shadowing.yml
│ │ ├── proc_creation_win_mstsc_remote_connection.yml
│ │ ├── proc_creation_win_mstsc_run_local_rdp_file.yml
│ │ ├── proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
│ │ ├── proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml
│ │ ├── proc_creation_win_msxsl_execution.yml
│ │ ├── proc_creation_win_msxsl_remote_execution.yml
│ │ ├── proc_creation_win_net_groups_and_accounts_recon.yml
│ │ ├── proc_creation_win_net_share_unmount.yml
│ │ ├── proc_creation_win_net_start_service.yml
│ │ ├── proc_creation_win_net_stop_service.yml
│ │ ├── proc_creation_win_net_use_mount_admin_share.yml
│ │ ├── proc_creation_win_net_use_mount_internet_share.yml
│ │ ├── proc_creation_win_net_use_mount_share.yml
│ │ ├── proc_creation_win_net_use_network_connections_discovery.yml
│ │ ├── proc_creation_win_net_use_password_plaintext.yml
│ │ ├── proc_creation_win_net_user_add.yml
│ │ ├── proc_creation_win_net_user_add_never_expire.yml
│ │ ├── proc_creation_win_net_user_default_accounts_manipulation.yml
│ │ ├── proc_creation_win_net_view_share_and_sessions_enum.yml
│ │ ├── proc_creation_win_netsh_fw_add_rule.yml
│ │ ├── proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
│ │ ├── proc_creation_win_netsh_fw_allow_rdp.yml
│ │ ├── proc_creation_win_netsh_fw_delete_rule.yml
│ │ ├── proc_creation_win_netsh_fw_disable.yml
│ │ ├── proc_creation_win_netsh_fw_enable_group_rule.yml
│ │ ├── proc_creation_win_netsh_fw_rules_discovery.yml
│ │ ├── proc_creation_win_netsh_fw_set_rule.yml
│ │ ├── proc_creation_win_netsh_helper_dll_persistence.yml
│ │ ├── proc_creation_win_netsh_packet_capture.yml
│ │ ├── proc_creation_win_netsh_port_forwarding.yml
│ │ ├── proc_creation_win_netsh_port_forwarding_3389.yml
│ │ ├── proc_creation_win_netsh_wifi_credential_harvesting.yml
│ │ ├── proc_creation_win_nltest_execution.yml
│ │ ├── proc_creation_win_nltest_recon.yml
│ │ ├── proc_creation_win_node_abuse.yml
│ │ ├── proc_creation_win_node_adobe_creative_cloud_abuse.yml
│ │ ├── proc_creation_win_notepad_local_passwd_discovery.yml
│ │ ├── proc_creation_win_nslookup_domain_discovery.yml
│ │ ├── proc_creation_win_nslookup_poweshell_download.yml
│ │ ├── proc_creation_win_ntdsutil_susp_usage.yml
│ │ ├── proc_creation_win_ntdsutil_usage.yml
│ │ ├── proc_creation_win_odbcconf_driver_install.yml
│ │ ├── proc_creation_win_odbcconf_driver_install_susp.yml
│ │ ├── proc_creation_win_odbcconf_exec_susp_locations.yml
│ │ ├── proc_creation_win_odbcconf_register_dll_regsvr.yml
│ │ ├── proc_creation_win_odbcconf_register_dll_regsvr_susp.yml
│ │ ├── proc_creation_win_odbcconf_response_file.yml
│ │ ├── proc_creation_win_odbcconf_response_file_susp.yml
│ │ ├── proc_creation_win_odbcconf_uncommon_child_process.yml
│ │ ├── proc_creation_win_office_arbitrary_cli_download.yml
│ │ ├── proc_creation_win_office_excel_dcom_lateral_movement.yml
│ │ ├── proc_creation_win_office_exec_from_trusted_locations.yml
│ │ ├── proc_creation_win_office_onenote_embedded_script_execution.yml
│ │ ├── proc_creation_win_office_onenote_susp_child_processes.yml
│ │ ├── proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml
│ │ ├── proc_creation_win_office_outlook_execution_from_temp.yml
│ │ ├── proc_creation_win_office_outlook_susp_child_processes.yml
│ │ ├── proc_creation_win_office_outlook_susp_child_processes_remote.yml
│ │ ├── proc_creation_win_office_spawn_exe_from_users_directory.yml
│ │ ├── proc_creation_win_office_susp_child_processes.yml
│ │ ├── proc_creation_win_office_winword_dll_load.yml
│ │ ├── proc_creation_win_offlinescannershell_mpclient_sideloading.yml
│ │ ├── proc_creation_win_pdqdeploy_execution.yml
│ │ ├── proc_creation_win_pdqdeploy_runner_susp_children.yml
│ │ ├── proc_creation_win_perl_inline_command_execution.yml
│ │ ├── proc_creation_win_php_inline_command_execution.yml
│ │ ├── proc_creation_win_ping_hex_ip.yml
│ │ ├── proc_creation_win_pktmon_execution.yml
│ │ ├── proc_creation_win_plink_port_forwarding.yml
│ │ ├── proc_creation_win_plink_susp_tunneling.yml
│ │ ├── proc_creation_win_powercfg_execution.yml
│ │ ├── proc_creation_win_powershell_aadinternals_cmdlets_execution.yml
│ │ ├── proc_creation_win_powershell_active_directory_module_dll_import.yml
│ │ ├── proc_creation_win_powershell_add_windows_capability.yml
│ │ ├── proc_creation_win_powershell_amsi_init_failed_bypass.yml
│ │ ├── proc_creation_win_powershell_amsi_null_bits_bypass.yml
│ │ ├── proc_creation_win_powershell_audio_capture.yml
│ │ ├── proc_creation_win_powershell_base64_encoded_cmd.yml
│ │ ├── proc_creation_win_powershell_base64_encoded_cmd_patterns.yml
│ │ ├── proc_creation_win_powershell_base64_encoded_obfusc.yml
│ │ ├── proc_creation_win_powershell_base64_frombase64string.yml
│ │ ├── proc_creation_win_powershell_base64_hidden_flag.yml
│ │ ├── proc_creation_win_powershell_base64_iex.yml
│ │ ├── proc_creation_win_powershell_base64_invoke.yml
│ │ ├── proc_creation_win_powershell_base64_mppreference.yml
│ │ ├── proc_creation_win_powershell_base64_reflection_assembly_load.yml
│ │ ├── proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml
│ │ ├── proc_creation_win_powershell_base64_wmi_classes.yml
│ │ ├── proc_creation_win_powershell_cl_invocation.yml
│ │ ├── proc_creation_win_powershell_cl_loadassembly.yml
│ │ ├── proc_creation_win_powershell_cl_mutexverifiers.yml
│ │ ├── proc_creation_win_powershell_cmdline_convertto_securestring.yml
│ │ ├── proc_creation_win_powershell_cmdline_reversed_strings.yml
│ │ ├── proc_creation_win_powershell_cmdline_special_characters.yml
│ │ ├── proc_creation_win_powershell_comobject_msi.yml
│ │ ├── proc_creation_win_powershell_comobject_msi_remote.yml
│ │ ├── proc_creation_win_powershell_computer_discovery_get_adcomputer.yml
│ │ ├── proc_creation_win_powershell_console_history_file_access.yml
│ │ ├── proc_creation_win_powershell_create_service.yml
│ │ ├── proc_creation_win_powershell_decode_gzip.yml
│ │ ├── proc_creation_win_powershell_decrypt_pattern.yml
│ │ ├── proc_creation_win_powershell_defender_disable_feature.yml
│ │ ├── proc_creation_win_powershell_defender_exclusion.yml
│ │ ├── proc_creation_win_powershell_disable_defender_av_security_monitoring.yml
│ │ ├── proc_creation_win_powershell_disable_firewall.yml
│ │ ├── proc_creation_win_powershell_disable_ie_features.yml
│ │ ├── proc_creation_win_powershell_downgrade_attack.yml
│ │ ├── proc_creation_win_powershell_download_com_cradles.yml
│ │ ├── proc_creation_win_powershell_download_cradle_obfuscated.yml
│ │ ├── proc_creation_win_powershell_download_dll.yml
│ │ ├── proc_creation_win_powershell_download_iex.yml
│ │ ├── proc_creation_win_powershell_download_patterns.yml
│ │ ├── proc_creation_win_powershell_download_susp_file_sharing_domains.yml
│ │ ├── proc_creation_win_powershell_dsinternals_cmdlets.yml
│ │ ├── proc_creation_win_powershell_email_exfil.yml
│ │ ├── proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
│ │ ├── proc_creation_win_powershell_encode.yml
│ │ ├── proc_creation_win_powershell_encoding_patterns.yml
│ │ ├── proc_creation_win_powershell_exec_data_file.yml
│ │ ├── proc_creation_win_powershell_export_certificate.yml
│ │ ├── proc_creation_win_powershell_frombase64string.yml
│ │ ├── proc_creation_win_powershell_frombase64string_archive.yml
│ │ ├── proc_creation_win_powershell_get_clipboard.yml
│ │ ├── proc_creation_win_powershell_get_localgroup_member_recon.yml
│ │ ├── proc_creation_win_powershell_getprocess_lsass.yml
│ │ ├── proc_creation_win_powershell_hide_services_via_set_service.yml
│ │ ├── proc_creation_win_powershell_iex_patterns.yml
│ │ ├── proc_creation_win_powershell_import_cert_susp_locations.yml
│ │ ├── proc_creation_win_powershell_import_module_susp_dirs.yml
│ │ ├── proc_creation_win_powershell_install_unsigned_appx_packages.yml
│ │ ├── proc_creation_win_powershell_invocation_specific.yml
│ │ ├── proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
│ │ ├── proc_creation_win_powershell_invoke_webrequest_download.yml
│ │ ├── proc_creation_win_powershell_kerberos_kerberos_ticket_request_via_cli.yml
│ │ ├── proc_creation_win_powershell_mailboxexport_share.yml
│ │ ├── proc_creation_win_powershell_malicious_cmdlets.yml
│ │ ├── proc_creation_win_powershell_msexchange_transport_agent.yml
│ │ ├── proc_creation_win_powershell_non_interactive_execution.yml
│ │ ├── proc_creation_win_powershell_obfuscation_via_utf8.yml
│ │ ├── proc_creation_win_powershell_public_folder.yml
│ │ ├── proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
│ │ ├── proc_creation_win_powershell_remove_mppreference.yml
│ │ ├── proc_creation_win_powershell_reverse_shell_connection.yml
│ │ ├── proc_creation_win_powershell_run_script_from_ads.yml
│ │ ├── proc_creation_win_powershell_run_script_from_input_stream.yml
│ │ ├── proc_creation_win_powershell_sam_access.yml
│ │ ├── proc_creation_win_powershell_script_engine_parent.yml
│ │ ├── proc_creation_win_powershell_service_dacl_modification_set_service.yml
│ │ ├── proc_creation_win_powershell_set_acl.yml
│ │ ├── proc_creation_win_powershell_set_acl_susp_location.yml
│ │ ├── proc_creation_win_powershell_set_policies_to_unsecure_level.yml
│ │ ├── proc_creation_win_powershell_set_service_disabled.yml
│ │ ├── proc_creation_win_powershell_shadowcopy_deletion.yml
│ │ ├── proc_creation_win_powershell_snapins_hafnium.yml
│ │ ├── proc_creation_win_powershell_stop_service.yml
│ │ ├── proc_creation_win_powershell_susp_download_patterns.yml
│ │ ├── proc_creation_win_powershell_susp_parameter_variation.yml
│ │ ├── proc_creation_win_powershell_susp_parent_process.yml
│ │ ├── proc_creation_win_powershell_susp_ps_appdata.yml
│ │ ├── proc_creation_win_powershell_token_obfuscation.yml
│ │ ├── proc_creation_win_powershell_uninstall_defender_feature.yml
│ │ ├── proc_creation_win_powershell_user_discovery_get_aduser.yml
│ │ ├── proc_creation_win_powershell_webclient_casing.yml
│ │ ├── proc_creation_win_powershell_x509enrollment.yml
│ │ ├── proc_creation_win_powershell_xor_commandline.yml
│ │ ├── proc_creation_win_powershell_zip_compress.yml
│ │ ├── proc_creation_win_presentationhost_download.yml
│ │ ├── proc_creation_win_presentationhost_uncommon_location_exec.yml
│ │ ├── proc_creation_win_pressanykey_lolbin_execution.yml
│ │ ├── proc_creation_win_print_remote_file_copy.yml
│ │ ├── proc_creation_win_protocolhandler_download.yml
│ │ ├── proc_creation_win_provlaunch_potential_abuse.yml
│ │ ├── proc_creation_win_provlaunch_susp_child_process.yml
│ │ ├── proc_creation_win_psr_capture_screenshots.yml
│ │ ├── proc_creation_win_pua_3proxy_execution.yml
│ │ ├── proc_creation_win_pua_adfind_enumeration.yml
│ │ ├── proc_creation_win_pua_adfind_execution.yml
│ │ ├── proc_creation_win_pua_adfind_susp_usage.yml
│ │ ├── proc_creation_win_pua_advanced_ip_scanner.yml
│ │ ├── proc_creation_win_pua_advanced_port_scanner.yml
│ │ ├── proc_creation_win_pua_advancedrun.yml
│ │ ├── proc_creation_win_pua_advancedrun_priv_user.yml
│ │ ├── proc_creation_win_pua_chisel.yml
│ │ ├── proc_creation_win_pua_cleanwipe.yml
│ │ ├── proc_creation_win_pua_crassus.yml
│ │ ├── proc_creation_win_pua_csexec.yml
│ │ ├── proc_creation_win_pua_defendercheck.yml
│ │ ├── proc_creation_win_pua_ditsnap.yml
│ │ ├── proc_creation_win_pua_frp.yml
│ │ ├── proc_creation_win_pua_iox.yml
│ │ ├── proc_creation_win_pua_kdu_driver_tool.yml
│ │ ├── proc_creation_win_pua_mouselock_execution.yml
│ │ ├── proc_creation_win_pua_netcat.yml
│ │ ├── proc_creation_win_pua_netscan.yml
│ │ ├── proc_creation_win_pua_ngrok.yml
│ │ ├── proc_creation_win_pua_nimgrab.yml
│ │ ├── proc_creation_win_pua_nimscan.yml
│ │ ├── proc_creation_win_pua_nircmd.yml
│ │ ├── proc_creation_win_pua_nircmd_as_system.yml
│ │ ├── proc_creation_win_pua_nmap_zenmap.yml
│ │ ├── proc_creation_win_pua_nps.yml
│ │ ├── proc_creation_win_pua_nsudo.yml
│ │ ├── proc_creation_win_pua_pingcastle.yml
│ │ ├── proc_creation_win_pua_pingcastle_script_parent.yml
│ │ ├── proc_creation_win_pua_process_hacker.yml
│ │ ├── proc_creation_win_pua_radmin.yml
│ │ ├── proc_creation_win_pua_rcedit_execution.yml
│ │ ├── proc_creation_win_pua_rclone_execution.yml
│ │ ├── proc_creation_win_pua_restic.yml
│ │ ├── proc_creation_win_pua_runxcmd.yml
│ │ ├── proc_creation_win_pua_seatbelt.yml
│ │ ├── proc_creation_win_pua_system_informer.yml
│ │ ├── proc_creation_win_pua_trufflehog.yml
│ │ ├── proc_creation_win_pua_webbrowserpassview.yml
│ │ ├── proc_creation_win_pua_wsudo_susp_execution.yml
│ │ ├── proc_creation_win_python_adidnsdump.yml
│ │ ├── proc_creation_win_python_inline_command_execution.yml
│ │ ├── proc_creation_win_python_pty_spawn.yml
│ │ ├── proc_creation_win_qemu_suspicious_execution.yml
│ │ ├── proc_creation_win_query_session_exfil.yml
│ │ ├── proc_creation_win_quickassist_execution.yml
│ │ ├── proc_creation_win_rar_compress_data.yml
│ │ ├── proc_creation_win_rar_compression_with_password.yml
│ │ ├── proc_creation_win_rar_susp_greedy_compression.yml
│ │ ├── proc_creation_win_rasdial_execution.yml
│ │ ├── proc_creation_win_rdp_enable_or_disable_via_win32_terminalservicesetting_wmi_class.yml
│ │ ├── proc_creation_win_rdrleakdiag_process_dumping.yml
│ │ ├── proc_creation_win_reagentc_disable_windows_recovery_environment.yml
│ │ ├── proc_creation_win_reg_add_run_key.yml
│ │ ├── proc_creation_win_reg_add_safeboot.yml
│ │ ├── proc_creation_win_reg_bitlocker.yml
│ │ ├── proc_creation_win_reg_credential_access_via_password_filter.yml
│ │ ├── proc_creation_win_reg_defender_exclusion.yml
│ │ ├── proc_creation_win_reg_delete_runmru.yml
│ │ ├── proc_creation_win_reg_delete_safeboot.yml
│ │ ├── proc_creation_win_reg_delete_services.yml
│ │ ├── proc_creation_win_reg_desktop_background_change.yml
│ │ ├── proc_creation_win_reg_direct_asep_registry_keys_modification.yml
│ │ ├── proc_creation_win_reg_disable_defender_wmi_autologger.yml
│ │ ├── proc_creation_win_reg_disable_sec_services.yml
│ │ ├── proc_creation_win_reg_dumping_sensitive_hives.yml
│ │ ├── proc_creation_win_reg_enable_windows_recall.yml
│ │ ├── proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
│ │ ├── proc_creation_win_reg_import_from_suspicious_paths.yml
│ │ ├── proc_creation_win_reg_lsa_disable_restricted_admin.yml
│ │ ├── proc_creation_win_reg_lsa_ppl_protection_disabled.yml
│ │ ├── proc_creation_win_reg_machineguid.yml
│ │ ├── proc_creation_win_reg_modify_group_policy_settings.yml
│ │ ├── proc_creation_win_reg_nolmhash.yml
│ │ ├── proc_creation_win_reg_query_registry.yml
│ │ ├── proc_creation_win_reg_rdp_keys_tamper.yml
│ │ ├── proc_creation_win_reg_screensaver.yml
│ │ ├── proc_creation_win_reg_service_imagepath_change.yml
│ │ ├── proc_creation_win_reg_software_discovery.yml
│ │ ├── proc_creation_win_reg_susp_paths.yml
│ │ ├── proc_creation_win_reg_system_language_discovery.yml
│ │ ├── proc_creation_win_reg_volsnap_disable.yml
│ │ ├── proc_creation_win_reg_windows_defender_tamper.yml
│ │ ├── proc_creation_win_reg_write_protect_for_storage_disabled.yml
│ │ ├── proc_creation_win_regasm_no_flag_or_dll_execution.yml
│ │ ├── proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml
│ │ ├── proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml
│ │ ├── proc_creation_win_regedit_export_critical_keys.yml
│ │ ├── proc_creation_win_regedit_export_keys.yml
│ │ ├── proc_creation_win_regedit_import_keys.yml
│ │ ├── proc_creation_win_regedit_import_keys_ads.yml
│ │ ├── proc_creation_win_regedit_trustedinstaller.yml
│ │ ├── proc_creation_win_regini_ads.yml
│ │ ├── proc_creation_win_regini_execution.yml
│ │ ├── proc_creation_win_registry_cimprovider_dll_load.yml
│ │ ├── proc_creation_win_registry_enumeration_for_credentials_cli.yml
│ │ ├── proc_creation_win_registry_export_of_thirdparty_creds.yml
│ │ ├── proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml
│ │ ├── proc_creation_win_registry_install_reg_debugger_backdoor.yml
│ │ ├── proc_creation_win_registry_logon_script.yml
│ │ ├── proc_creation_win_registry_new_network_provider.yml
│ │ ├── proc_creation_win_registry_office_disable_python_security_warnings.yml
│ │ ├── proc_creation_win_registry_privilege_escalation_via_service_key.yml
│ │ ├── proc_creation_win_registry_provlaunch_provisioning_command.yml
│ │ ├── proc_creation_win_registry_set_unsecure_powershell_policy.yml
│ │ ├── proc_creation_win_registry_special_accounts_hide_user.yml
│ │ ├── proc_creation_win_registry_typed_paths_persistence.yml
│ │ ├── proc_creation_win_regsvr32_flags_anomaly.yml
│ │ ├── proc_creation_win_regsvr32_http_ip_pattern.yml
│ │ ├── proc_creation_win_regsvr32_network_pattern.yml
│ │ ├── proc_creation_win_regsvr32_remote_share.yml
│ │ ├── proc_creation_win_regsvr32_susp_child_process.yml
│ │ ├── proc_creation_win_regsvr32_susp_exec_path_1.yml
│ │ ├── proc_creation_win_regsvr32_susp_exec_path_2.yml
│ │ ├── proc_creation_win_regsvr32_susp_extensions.yml
│ │ ├── proc_creation_win_regsvr32_susp_parent.yml
│ │ ├── proc_creation_win_regsvr32_uncommon_extension.yml
│ │ ├── proc_creation_win_remote_access_tools_anydesk.yml
│ │ ├── proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
│ │ ├── proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml
│ │ ├── proc_creation_win_remote_access_tools_anydesk_silent_install.yml
│ │ ├── proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
│ │ ├── proc_creation_win_remote_access_tools_gotoopener.yml
│ │ ├── proc_creation_win_remote_access_tools_logmein.yml
│ │ ├── proc_creation_win_remote_access_tools_meshagent_arguments.yml
│ │ ├── proc_creation_win_remote_access_tools_meshagent_exec.yml
│ │ ├── proc_creation_win_remote_access_tools_netsupport.yml
│ │ ├── proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
│ │ ├── proc_creation_win_remote_access_tools_renamed_meshagent_execution.yml
│ │ ├── proc_creation_win_remote_access_tools_rurat_non_default_location.yml
│ │ ├── proc_creation_win_remote_access_tools_screenconnect.yml
│ │ ├── proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
│ │ ├── proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml
│ │ ├── proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml
│ │ ├── proc_creation_win_remote_access_tools_screenconnect_webshell.yml
│ │ ├── proc_creation_win_remote_access_tools_simple_help.yml
│ │ ├── proc_creation_win_remote_access_tools_tacticalrmm_agent_registration_via_cli.yml
│ │ ├── proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
│ │ ├── proc_creation_win_remote_access_tools_ultraviewer.yml
│ │ ├── proc_creation_win_remote_time_discovery.yml
│ │ ├── proc_creation_win_renamed_adfind.yml
│ │ ├── proc_creation_win_renamed_autohotkey.yml
│ │ ├── proc_creation_win_renamed_autoit.yml
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitattributes
================================================
# Set the default behavior, in case people don't have core.autocrlf set.
* text=lf
# Explicitly declare text files you want to always be normalized and converted
# to native line endings on checkout.
*.c text
*.h text
*.csv text
*.sh text
*.py text
# Declare files that will always have CRLF line endings on checkout.
*.sln text eol=crlf
# Denote all files that are truly binary and should not be modified.
*.png binary
*.jpg binary
# Force LF line endings for Sigma rules (*.yml), regardless of core.autocrlf
*.yml text eol=lf
================================================
FILE: .github/FUNDING.yml
================================================
# These are supported funding model platforms
github: [thomaspatzke]
patreon: # Replace with a single Patreon username
open_collective: # Replace with a single Open Collective username
ko_fi: # Replace with a single Ko-fi username
tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
liberapay: # Replace with a single Liberapay username
issuehunt: # Replace with a single IssueHunt username
otechie: # Replace with a single Otechie username
lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
================================================
FILE: .github/ISSUE_TEMPLATE/false_positive_report.yml
================================================
name: "False Positive Report"
description: Report false positives with SIGMA rules
labels: [False-Positive]
assignees:
- nasbench
body:
- type: input
attributes:
label: Rule UUID
placeholder: "f3be1b1d-eb3c-4ab1-b5e5-81e330fa2cd0"
description: |
You can copy the rule id from the `id` field in the rule.
validations:
required: true
- type: textarea
attributes:
label: Example EventLog
description: An event log example of the false positive in question
placeholder: |
SubjectLogonId 0x1d3f2a
NewProcessId 0x5f14
NewProcessName C:\Windows\System32\dllhost.exe
TokenElevationType %%1937
ProcessId 0x1270
CommandLine dllhost
TargetUserSid S-1-0-0
TargetUserName -
TargetDomainName -
TargetLogonId 0x0
ParentProcessName C:\Windows\System32\cmd.exe
validations:
required: true
- type: textarea
attributes:
label: Description
placeholder: This is just a placeholder description
description: |
Provide any additional information that you think might be helpful
validations:
required: true
================================================
FILE: .github/ISSUE_TEMPLATE/rule_proposal.md
================================================
---
name: "Rule Proposal"
about: Rule Idea Proposal
title: ''
labels: Rule
assignees:
- nasbench
---
### Description of the Idea of the Rule
<!--
A clear and concise description of the idea behind the rule.
-->
### Public References / Example Event Log
<!--
Additional references and example logs, if available, to ease the process of creating the rule
-->
================================================
FILE: .github/PULL_REQUEST_TEMPLATE.md
================================================
<!--
Thanks for your contribution. Please make sure to fill in this template with the necessary information to ease and speed up the review process.
!!! PLEASE DO NOT DELETE ANY SECTION, COMMENT OR THE CONTENT OF THE TEMPLATE. !!!
-->
### Summary of the Pull Request
<!--
**Please note that this section is required and must be filled**
A short summary of your pull request.
-->
### Changelog
<!--
** Don't remove this comment **
You need to add one line for every changed file of the PR and prefix one of the following tags:
new: <title>
update: <title> - <optional comment>
fix: <title> - <optional comment>
remove: <title> - <optional comment>
chore: for non-detection related changes (e.g. dates/titles) and changes on workflow
e.g.
new: Brute-Force Attacks on Azure Admin Account
update: Suspicious Microsoft Office Child Process - add MSPUB.EXE
fix: Malware User Agent - remove legitimate Firefox UA
chore: workflow - update checkout version
remove: Suspicious Office Execution - deprecated in favour of 8f922766-a1d3-4b57-9966-b27de37fddd2
-->
### Example Log Event
<!--
Fill this in if the PR fixes a false positive
-->
### Fixed Issues
<!--
Link the fixed issues here if your commit fixes issues with rules or code
-->
### SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/)
================================================
FILE: .github/labeler.yml
================================================
Rules:
- changed-files:
- any-glob-to-any-file:
- 'deprecated/**'
- 'rules/**'
- 'rules-compliance/**'
- 'rules-dfir/**'
- 'rules-emerging-threats/**'
- 'rules-placeholder/**'
- 'rules-threat-hunting/**'
Emerging-Threats:
- changed-files:
- any-glob-to-any-file: 'rules-emerging-threats/**'
Threat-Hunting:
- changed-files:
- any-glob-to-any-file: 'rules-threat-hunting/**'
MacOS:
- changed-files:
- any-glob-to-any-file:
- 'rules/macos/**'
- 'rules-compliance/macos/**'
- 'rules-dfir/macos/**'
- 'rules-emerging-threats/macos/**'
- 'rules-placeholder/macos/**'
- 'rules-threat-hunting/macos/**'
Windows:
- changed-files:
- any-glob-to-any-file:
- 'rules/windows/**'
- 'rules-compliance/windows/**'
- 'rules-dfir/windows/**'
- 'rules-emerging-threats/windows/**'
- 'rules-placeholder/windows/**'
- 'rules-threat-hunting/windows/**'
Linux:
- changed-files:
- any-glob-to-any-file:
- 'rules/linux/**'
- 'rules-compliance/linux/**'
- 'rules-dfir/linux/**'
- 'rules-emerging-threats/linux/**'
- 'rules-placeholder/linux/**'
- 'rules-threat-hunting/linux/**'
Maintenance:
- changed-files:
- any-glob-to-any-file:
- 'documentation/**'
- 'tests/**'
- '.github/**'
- 'README.md'
- 'Releases.md'
Review Needed:
- changed-files:
- any-glob-to-any-file: '**'
================================================
FILE: .github/latest_archiver_output.md
================================================
# Reference Archiver Results
Last Execution: 2026-03-01 02:19:10
### Archiver Script Results
#### Newly Archived References
N/A
#### Already Archived References
- https://gtfobins.github.io/gtfobins/curl/
- https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
- https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html
- https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724
- https://github.com/clearvector/lambda-spy
- https://fourcore.io/blogs/threat-hunting-browser-credential-stealing
- https://docs.python.org/2/library/simplehttpserver.html
- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes
- https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/
- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance
- https://www.chrisfarris.com/post/effective-aws-ransomware/
- https://github.com/dsnezhkov/TruffleSnout/blob/7c2f22e246ef704bc96c396f66fa854e9ca742b9/TruffleSnout/Docs/USAGE.md
- https://nvd.nist.gov/vuln/detail/CVE-2025-2825
- https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support
- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/328136827/config-user-group
- https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
- https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178
#### Error While Archiving References
- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
- https://www.linkedin.com/posts/mauricefielenbach_sharepoint-incidentresponse-windowssecurity-activity-7352653907363303425-bL2f
- https://unicornofhunt.com/2025/05/22/When-Unicorns-Go-Quiet-BITS-Jobs-and-the-Art-of-Stealthy-Transfers/
- https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke
- https://www.trendmicro.com/en_gb/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
- https://www.cve.org/CVERecord?id=CVE-2024-1709
- https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
- https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
- https://unit42.paloaltonetworks.com/cve-2025-59287/
- https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
- https://docs.aws.amazon.com/kms/latest/developerguide/ct-importkeymaterial.html
- https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion
- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
- https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-transact-sql?view=sql-server-ver16
- https://x.com/Wietze/status/1933495426952421843
- https://paper.seebug.org/1495/
- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/
- https://www.cisa.gov/stopransomware/ransomware-guide
- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector
- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
- https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
- https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53
- https://localtonet.com/documents/supported-tunnels
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm
- https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
- https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
- https://tria.ge/241015-l98snsyeje/behavioral2
- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
- https://securelist.com/sidewinder-apt/114089/
- https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L36
- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
- https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
- https://www.joesandbox.com/analysis/1605063/0/html
- https://syedhasan010.medium.com/forensics-analysis-of-an-lnk-file-da68a98b8415
- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
- https://intel.thedfirreport.com/eventReports/view/57
- https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/
- https://github.com/CoreyCBurton/DripLoaderNG
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
- https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/
- https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python
- https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/333889629/config-firewall-policy
- https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675
- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
- https://github.com/trufflesecurity/trufflehog
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
- https://www.linkedin.com/posts/huntress-labs_when-a-sketchy-incident-hits-your-network-activity-7304940371078238208-Th_l/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAJTlRcB28IaUtg03HUU-IdliwzoAL1flGc
- https://github.com/TwoSevenOneT/EDR-Freeze
- https://pentestlab.blog/2022/03/21/unconstrained-delegation/
- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
- https://github.com/0xBruno/WSUSploit.NET/tree/e239bce9d6b5f46a346e1e4c4d5e0a2a20d5c639
- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
- https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/
- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
- https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry
- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
- https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399
- https://redfoxsec.com/blog/ipv6-dns-takeover/
- https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
- https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
- https://unit42.paloaltonetworks.com/chromeloader-malware/
- https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
- https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet
- https://www.cyberciti.biz/faq/linux-remove-user-command/
- https://x.com/cyberfeeddigest/status/1887041526397587859
- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
- https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing
- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt
- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
- https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c
- https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html
- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC
- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- https://learn.microsoft.com/en-us/sql/t-sql/statements/truncate-table-transact-sql?view=sql-server-ver16
- https://twitter.com/Kostastsale/status/1480716528421011458
- https://www.fortiguard.com/psirt/FG-IR-22-398
- https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
- https://dfir.ch/posts/linux_capabilities/
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html
- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
- https://ss64.com/osx/sw_vers.html
- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/
- https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
- https://blu.org/mhonarc/discuss/2001/04/msg00285.php
- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
- https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware
- https://docs.microsoft.com/en-us/sql/tools/bcp-utility
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html
- https://lolbas-project.github.io/#/download
- https://man7.org/linux/man-pages/man2/personality.2.html
- https://research.checkpoint.com/2025/stealth-falcon-zero-day/
- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
- https://www.softperfect.com/products/networkscanner/
- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/
- https://github.com/amidaware/tacticalrmm
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
- https://ngrok.com/blog-post/new-ngrok-domains
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
- https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation
- https://github.com/mhaskar/FsquirtCPLPoC
- https://learn.microsoft.com/en-us/windows/wsl/install
- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
- https://awscli.amazonaws.com/v2/documentation/api/2.14.0/reference/account/enable-region.html
- https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
- https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/
- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin
- https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
- https://naikordian.github.io/blog/posts/brute-force-aws-console/
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
- https://securelist.com/apt41-in-africa/116986/
- https://tria.ge/231023-lpw85she57/behavioral2
- https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html
- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
- https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
- https://github.com/0xthirteen/SharpMove/
- https://www.group-ib.com/blog/apt41-world-tour-2021/
- https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
- https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
- https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
- https://github.com/ossec/ossec-hids/blob/f6502012b7380208db81f82311ad4a1994d39905/etc/rules/syslog_rules.xml
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/
- https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md
- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray
- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
- https://juggernaut-sec.com/capabilities/#cap_setgid
- https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef
- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
- https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
- https://pwn.guide/free/web/crushftp
- https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
- https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html
- https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/set-inboxrule?view=exchange-ps
- https://www.huntress.com/blog/silencing-the-edr-silencers
- https://vmois.dev/query-signal-desktop-messages-sqlite/
- https://tria.ge/231212-r1bpgaefar/behavioral2
- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
- https://redcanary.com/threat-detection-report/techniques/email-hiding-rules/
- https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh
- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
- https://docs.aws.amazon.com/kms/latest/developerguide/ct-deleteimportedkeymaterial.html
- https://feeds.alphasoc.net/bad-etlds.txt
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/
- https://ss64.com/nt/set.html
- https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
- https://www.greynoise.io/blog/new-scraper-botnet-concentrated-in-taiwan
- https://github.com/Arno0x/DNSExfiltrator/
- https://x.com/wietze/status/1958302556033065292?s=12
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
- https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/
- https://github.com/okta/workflows-templates/blob/1164f0eb71ce47c9ddc7d850e9ab87b5a2b42333/workflows/suspicious_activity_reported/readme.md
- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
- https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
- https://man7.org/linux/man-pages/man2/sysinfo.2.html
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon
- https://twitter.com/th3_protoCOL/status/1536788652889497600
- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
- https://www.loobins.io/binaries/xattr/
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://github.com/grayhatkiller/SharpExShell
- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
- https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/new-inboxrule?view=exchange-ps
- https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
- https://adsecurity.org/?p=3377
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage
- https://x.com/byrne_emmy12099/status/1932346420226658668
- https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes
- https://moonlock.com/amos-backdoor-persistent-access
- https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
- https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
- https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457
- https://blog.axelarator.net/hunting-for-edr-freeze/
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
- https://communities.vmware.com/t5/VMware-Workstation-Pro/VMCI-driver-issues/td-p/2866060
- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md#atomic-test-3---create-hidden-user-in-registry
- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/109120963/config-user-local
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
- https://www.coreycburton.com/blog/driploader-case-study
- https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting
- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
- https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
- https://ss64.com/nt/schtasks.html
- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md
- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure
- https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
- https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md
- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
- https://www.virustotal.com/gui/file/14e722855605ba78dc1d21153f0e1be90e7528149f2cd2d7d6eba8ef27534bdc/behavior
- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
- https://github.com/TwoSevenOneT/WSASS
- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
- https://github.com/JohnHammond/recaptcha-phish
- https://labs.nettitude.com/blog/introducing-sharpwsus/
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
- https://redcanary.com/blog/threat-intelligence/msix-installers/
- https://gtfobins.github.io/gtfobins/gawk/#shell
- https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
- https://man7.org/linux/man-pages/man2/syslog.2.html
- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
- https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/
- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/
- https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
- https://redcanary.com/blog/threat-detection/process-masquerading/
- https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/
- https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091
- https://github.com/msanft/CVE-2025-55182
- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
- https://github.com/h4rmy/KDU
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
- https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493
- https://securelist.com/notepad-supply-chain-attack/118708/
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
- https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/
- https://asec.ahnlab.com/en/40263/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
- https://rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/
- https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement
- https://github.com/rtecCyberSec/BitlockMove
- https://github.com/nasbench/Misc-Research/blob/fc46f6da34ff7e0076da28fd3e66d6e1100f1c2f/ETW/Microsoft-Windows-SMBClient.md
- https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
- https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs/
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
- https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
- https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870
- https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
- https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
- https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking
- https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/
- https://mrd0x.com/filefix-clickfix-alternative/
- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
- https://gtfobins.github.io/gtfobins/capsh/#shell
- https://intel.thedfirreport.com/eventReports/view/70
- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
- https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/
- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
- https://x.com/Max_Mal_/status/1826179497084739829
- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
- https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054
- https://detect.fyi/hunting-fileless-malware-in-the-windows-registry-1339ccde00ad
- https://www.scip.ch/en/?labs.20240523
- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/
- https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
- https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
- https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
- https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval
- https://nodejs.org/api/child_process.html#class-childprocess
- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
- https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
- https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws
- https://docs.aws.amazon.com/accounts/latest/reference/API_EnableRegion.html
- https://blackpointcyber.com/blog/racing-to-exploit-centrestacks-cve-2025-30406/
- https://learn.microsoft.com/en-us/sysinternals/downloads/microsoft-store
- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
- https://x.com/Threatlabz/status/1879956781360976155
- https://github.com/rapid7/metasploit-framework/issues/11337
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
- https://tria.ge/240731-jh4crsycnb/behavioral2
- https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1
- https://github.com/Lifailon/RSA/blob/rsa/Sources/RSA-1.4.1.ps1#L1468
- https://app.any.run/tasks/ae3c4ded-fd6a-43ed-8215-ba0ba574ad33
- https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
- https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
- https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
- https://itm4n.github.io/cdpsvc-dll-hijacking/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324
- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
- https://megatools.megous.com/
- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
- https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
- https://github.com/codewhitesec/SysmonEnte/blob/fe267690fcc799fbda15398243615a30451d9099/screens/1.png
- https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
- https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_22.12.2023.txt
- https://www.safetycli.com/blog/shai-hulud-npm-attack-runs-malicious-github-action
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
- https://trustedsec.com/blog/command-line-underdog-wmic-in-action
- https://github.com/mulwareX/CVE-2025-6218-POC
- https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
- https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
- https://www.fortiguard.com/psirt/FG-IR-24-535
- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
- https://x.com/JangPr0/status/1932034543026065833
- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs
- https://www.group-ib.com/resources/threat-research/red-curl-2.html
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
- https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
- https://github.com/rtecCyberSec/SpeechRuntimeMove
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/306021697/config-firewall-address
- https://x.com/0x534c/status/1944694507787710685
- https://www.loobins.io/binaries/nscurl/
- https://gtfobins.github.io/gtfobins/gcc/#shell
- https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
- https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/
- https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html
- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
- https://github.com/HackTricks-wiki/hacktricks/blob/72f20a3fa26775b932bd819f1824c6377802a768/src/windows-hardening/basic-cmd-for-pentesters.md#firewall
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
- https://www.loobins.io/binaries/pbpaste/
- https://news.ycombinator.com/item?id=29504755
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket.html
- https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
- https://hopeness.medium.com/master-the-linux-mknod-command-a-comprehensive-guide-1c150a546aa8
- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
- https://juggernaut-sec.com/capabilities/#cap_setuid
- https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/
- https://www.electronjs.org/docs/latest/tutorial/native-code-and-electron
- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
- https://notepad-plus-plus.org/news/v889-released/
- https://github.com/DambergC/SaveFolder/blob/90e945eba80fae85f2d54b4616e05a44ec90c500/Cygate%20Installation%20tool%206.22/Script/OSD/OSDeployment-CredentialGuardDisable.ps1#L50
- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
- https://cert.gov.ua/article/6284080
- https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
- https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/
- https://www.security.com/threat-intelligence/medusa-ransomware-attacks
- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
- https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
- https://www.virustotal.com/gui/file/29837d0d3202758063185828c8f8d9e0b7b42b365c8941cc926d2d7c7bae2fb3
- https://manual.cs50.io/2/personality
- https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
- https://en.wikipedia.org/wiki/Right-to-left_override
- https://www.attackiq.com/2023/09/20/emulating-rhysida/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038
- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy
- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
- https://github.com/fortra/impacket/blob/ff8c200fd040b04d3b5ff05449646737f836235d/examples/secretsdump.py
- https://www.virustotal.com/gui/file/54d60fd58d7fa3475fa123985bfc1594df26da25c1f5fbc7dfdba15876dd8ac5/behavior
- https://github.com/logangoins/Krueger/tree/main
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
- https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events
- https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/
- https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled
- https://github.com/varwara/CVE-2024-35250
- https://linux.die.net/man/8/auditct
- https://www.broadcom.com/support/security-center/protection-bulletin/funksec-ransomware
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
- https://bazaar.abuse.ch/browse/tag/one/
- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
- https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
- https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
- https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/
- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication
- https://github.com/search?q=devcon+disable+VMWVMCIHOSTDEV
- https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732
- https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options?view=windows-11
- https://jgspiers.com/audit-group-policy-changes/
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/114404382/config-vpn-ssl-settings
- https://github.com/arttoolkit/arttoolkit.github.io/blob/16d6230d009e58fd6f773f5317fd4d14c1f26004/_wadcoms/AMSI-Bypass-Jscript_amsienable.md
- https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md
- https://x.com/0gtweet/status/1564131230941122561
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
- https://github.com/TwoSevenOneT/WSASS/blob/2c8fd9fa32143e7bc9f066e9511c6f8a57bc64b5/WSASS.cpp#L251
- https://www.man7.org/linux/man-pages/man1/systemctl.1.html
- https://gtfobins.github.io/gtfobins/rsync/#shell
- https://www.trendmicro.com/en_us/research/25/f/water-curse.html
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpwritedump
- https://www.youtube.com/watch?v=uSYvHUVU8xY
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
- https://man7.org/linux/man-pages/man1/dmesg.1.html
- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
- https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
- https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
- https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site
- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
- https://apophis133.medium.com/powershell-script-tactical-rmm-installation-45afb639eff3
- https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
- https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
- https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
- https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
- https://docs.python.org/3/library/http.server.html
- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
- https://ptsecurity.com/research/pt-esc-threat-intelligence/striking-panda-attacks-apt31-today
- https://firecompass.com/crushftp-vulnerability-cve-2025-54309-securing-file-transfer-services/
- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
- https://restic.net/
- https://woshub.com/disable-credential-guard-windows/
- https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/
- https://www.virustotal.com/gui/file/d2a4f52a9923336f119a52e531bbb1e66f18322fd8efa9af1a64b94f4d36dc97
- https://tria.ge/241231-j9yatstqbm/behavioral1
- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
- https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start
- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
- https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
- https://cert.gov.ua/article/6277849
- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
- https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml
- https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
- https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
- https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows
- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
- https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
- https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7
- https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7
- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
- https://www.pcrisk.com/removal-guides/31853-funklocker-funksec-ransomware
- https://www.joesandbox.com/analysis/1467354/0/html
- https://help.fortinet.com/fsiem/Public_Resource_Access/7_2_1/rules/PH_RULE_AWS_Management_Console_Brute_Force_of_Root_User_Identity.htm
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
- https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L44
- https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous
- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
- https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002
- https://redcanary.com/threat-detection-report/techniques/installer-packages/
- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/113121765/config-vpn-ssl-web-portal
- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
- https://blog.sekoia.io/scattered-spider-laying-new-eggs/
- https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
- https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
- https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/?123
- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
- https://man7.org/linux/man-pages/man8/setcap.8.html
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
- https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/
- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
- https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
- https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample
- https://viz.greynoise.io/tags/hello-world-scraper-botnet?days=30
- https://adsecurity.org/?p=1785
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
- https://reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/
- https://app.any.run/tasks/8901e2d5-0c5a-48ba-a8e9-10b5ed7e06f4
- https://huntress.com/blog/esxi-vm-escape-exploit
- https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/
- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
- https://docs.datadoghq.com/security/default_rules/719-39f-9cd/
- https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm
- https://taggart-tech.com/evildeno/
- https://medium.com/@ninnesoturan/detecting-ipv6-dns-takeover-a54a6a88be1f
- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
- https://app.any.run/tasks/ea944b89-69d8-49c8-ac1f-5c76ad300db2
================================================
FILE: .github/workflows/goodlog-tests.yml
================================================
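# Goodlog ("clean baseline") tests.
#
# Every job fetches the evtx-sigma-checker binary and one benign Windows event-log
# baseline from the NextronSystems/evtx-baseline release pinned below, runs the
# Windows rule sets against it and then calls .github/workflows/matchgrep.sh, which
# fails the job when a rule matches benign activity that is not listed in
# .github/workflows/known-FPs.csv.
#
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
name: Goodlog Tests
on: [push, pull_request, merge_group, workflow_dispatch]
# The jobs only read the repository; keep GITHUB_TOKEN read-only so that a
# compromised tool or download cannot write to the repository.
permissions:
  contents: read
env:
  # Release tag of NextronSystems/evtx-baseline that provides both the checker
  # binary and the baseline archives used by every job.
  EVTX_BASELINE_VERSION: v0.8.4
jobs:
  # The jobs below differ only in the baseline archive they download and the
  # directory it extracts to; keep their steps in sync when changing one of them.
  #
  # NOTE(review): the checker binary is fetched by release tag and executed without
  # any integrity check (no checksum or signature verification). Pinning the
  # expected SHA-256 of the release asset (e.g. `sha256sum -c`) would make a moved
  # tag or a tampered asset fail the job instead of running silently.
  check-baseline-win7:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Download evtx-sigma-checker
        run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
      - name: Download and extract Windows 7 32-bit baseline
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz
          tar xzf win7-x86.tgz
      # findings.json holds one JSON object per matching event; matchgrep.sh filters it.
      - name: Check for Sigma matches in baseline
        run: |
          chmod +x evtx-sigma-checker
          ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
      - name: Show findings excluding known FPs
        run: |
          chmod +x .github/workflows/matchgrep.sh
          ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
  check-baseline-win10:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Download evtx-sigma-checker
        run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
      - name: Download and extract Windows 10 baseline
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz
          tar xzf win10-client.tgz
      - name: Check for Sigma matches in baseline
        run: |
          chmod +x evtx-sigma-checker
          ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
      - name: Show findings excluding known FPs
        run: |
          chmod +x .github/workflows/matchgrep.sh
          ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
  check-baseline-win11:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Download evtx-sigma-checker
        run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
      - name: Download and extract Windows 11 baseline
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz
          tar xzf win11-client.tgz
      - name: Check for Sigma matches in baseline
        run: |
          chmod +x evtx-sigma-checker
          ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
      - name: Show findings excluding known FPs
        run: |
          chmod +x .github/workflows/matchgrep.sh
          ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
  # Second Windows 11 baseline (2023 capture); same steps, different archive.
  check-baseline-win11-2023:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Download evtx-sigma-checker
        run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
      - name: Download and extract Windows 11 baseline
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client-2023.tgz
          tar xzf win11-client-2023.tgz
      - name: Check for Sigma matches in baseline
        run: |
          chmod +x evtx-sigma-checker
          ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11_2023/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
      - name: Show findings excluding known FPs
        run: |
          chmod +x .github/workflows/matchgrep.sh
          ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
  check-baseline-win2022:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Download evtx-sigma-checker
        run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
      - name: Download and extract Windows 2022 baseline
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz
          tar xzf win2022-evtx.tgz
      - name: Check for Sigma matches in baseline
        run: |
          chmod +x evtx-sigma-checker
          ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
      # chmod added for consistency with the other jobs (harmless if the script is already executable).
      - name: Show findings excluding known FPs
        run: |
          chmod +x .github/workflows/matchgrep.sh
          ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
  check-baseline-win2022-domain-controller:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Download evtx-sigma-checker
        run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
      - name: Download and extract Windows 2022 baseline
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-ad.tgz
          tar xzf win2022-ad.tgz
      - name: Check for Sigma matches in baseline
        run: |
          chmod +x evtx-sigma-checker
          ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
      # chmod added for consistency with the other jobs (harmless if the script is already executable).
      - name: Show findings excluding known FPs
        run: |
          chmod +x .github/workflows/matchgrep.sh
          ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
  check-baseline-win2022-0-20348-azure:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Download evtx-sigma-checker
        run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
      - name: Download and extract Windows 2022.0.20348 Azure baseline
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz
          tar xzf win2022-0-20348-azure.tgz
      - name: Check for Sigma matches in baseline
        run: |
          chmod +x evtx-sigma-checker
          ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
      - name: Show findings excluding known FPs
        run: |
          chmod +x .github/workflows/matchgrep.sh
          ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv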
================================================
FILE: .github/workflows/greetings.yml
================================================
# Posts a welcome message on the first issue or pull request a contributor opens.
name: Greet First-Time Contributors
on:
  pull_request:
    types:
      - opened
  issues:
    types:
      - opened
permissions:
  # Needed to comment on the newly opened issue / pull request.
  issues: write
  pull-requests: write
  # NOTE(review): no step in this workflow requests an OIDC token, so `id-token: write`
  # appears to be unnecessary for actions/first-interaction — confirm and drop it
  # to keep GITHUB_TOKEN at least privilege.
  id-token: write
  contents: read
jobs:
  greeting:
    name: Greet First-Time Contributors
    # Run for every new issue, but for pull requests only when they come from a
    # fork (head repository differs from this repository).
    if: github.event_name == 'issues' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/first-interaction@v3
        with:
          issue_message: |
            Welcome :wave:
            It looks like this is your first issue on the Sigma rules repository!
            The following repository accepts issues related to `false positives` or `rule ideas`.
            If you're reporting an issue related to the pySigma library please consider submitting it [here](https://github.com/SigmaHQ/pySigma)
            Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:
          pr_message: |
            Welcome :wave:
            It looks like this is your first pull request on the Sigma rules repository!
            Please make sure to read the [SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/) to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
            Thanks again, and welcome to the Sigma community! :smiley:
================================================
FILE: .github/workflows/known-FPs.csv
================================================
RuleId;RuleName;MatchString
8e5e38e4-5350-4c0b-895a-e872ce0dd54f;Msiexec Initiated Connection;.*
ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;.*
db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;python-3
db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe
96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;.*
1277f594-a7d1-4f28-a2d3-73af5cbeab43;Windows Shell File Write to Suspicious Folder;Computer: Agamemnon
e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;(sysmon-intense\.xml|sysmonconfig-trace\.xml)
8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: (evtx-PC|Agamemnon)
4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_
36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote
6741916F-B4FA-45A0-8BF8-8249C702033A;Added Rule in Windows Firewall with Advanced Security;\\Integration\\Integrator\.exe
00bb5bd5-1379-4fcf-a965-a5b6f7478064;Setting Change in Windows Firewall with Advanced Security;Level: 4 Task: 0
162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer(_Service)?\.exe
cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20\.49\.150\.241
bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151\.101\.64\.223
bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;146\.75\.117\.55
9711de76-5d4f-4c50-a94f-21e4e8f8384d;Installation of TeamViewer Desktop;TeamViewer_Desktop\.exe
9494479d-d994-40bf-a8b1-eea890237021;Scheduled Task Creation From Potential Suspicious Parent Location;.*
81325ce1-be01-4250-944f-b4789644556f;Suspicius Schtasks From Env Var Folder;TVInstallRestore
6ea3bf32-9680-422d-9f50-e90716b12a66;UAC Bypass Via Wsreset;EventType: DeleteKey
43f487f0-755f-4c2a-bce7-d6d2eec2fcf8;Suspicious Add Scheduled Task From User AppData Temp;TVInstallRestore
c187c075-bb3e-4c62-b4fa-beae0ffc211f;Deteled Rule in Windows Firewall with Advanced Security;Dropbox.*\\netsh\.exe
69aeb277-f15f-4d2d-b32a-55e883609563;Disabling Windows Event Auditing;Computer: .*
ac175779-025a-4f12-98b0-acdaeb77ea85;PowerShell Script Run in AppData;\\Evernote-
1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC
734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6
734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);Computer: Agamemnon
a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\.exe
349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\.exe
a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe
349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\.exe
a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe
349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe
7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe
949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: Agamemnon
949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: WinDev2310Eval
fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*
100ef69e-3327-481c-8e5c-6d80d9507556;System Eventlog Cleared;.*
52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon
573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe
37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe
1a31b18a-f00c-4061-9900-f735b96c99fc;Remote Access Tool Services Have Been Installed - System;ServiceName: TeamViewer
c8b00925-926c-47e3-beea-298fd563728e;Remote Access Tool Services Have Been Installed - Security;ServiceName: TeamViewer
b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;msedge\.exe
b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;firefox\.exe
b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;7z\.exe
65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;powershell\.exe
65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: WIN-FPV0DSIC9O6.sigma.fr
a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: .*
4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\.exe
4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\.tmp
48bfd177-7cf2-412b-ad77-baf923489e82;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd.exe
87911521-7098-470b-a459-9a57fc80bdfd;Sysmon Configuration Updated;.*
0eb46774-f1ab-4a74-8238-1155855f2263;Disable Windows Defender Functionalities Via Registry Keys;.*
e9d4ab66-a532-4ef7-a502-66a9e4a34f5d;NTLMv1 Logon Between Client and Server;.*
ccb5742c-c248-4982-8c5c-5571b9275ad3;Potential Suspicious Findstr.EXE Execution;httpd\.exe
9ae01559-cf7e-4f8e-8e14-4c290a1b4784;CredUI.DLL Load By Uncommon Process;Spotify\.exe
52182dfb-afb7-41db-b4bc-5336cb29b464;Suspicious File Download From File Sharing Websites;objects\.githubusercontent\.com
ce72ef99-22f1-43d4-8695-419dcb5d9330;Suspicious Windows Service Tampering;TeamViewer
dae8171c-5ec6-4396-b210-8466585b53e9;SCM Database Privileged Operation;0x277c6
3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781;OpenSSH Server Listening On Socket;.*
b69888d4-380c-45ce-9cf9-d9ce46e67821;Hidden Executable In NTFS Alternate Data Stream;.*
4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76;Potentially Suspicious AccessMask Requested From LSASS;\\setup\.exe
d99b79d2-0a6f-4f46-ad8b-260b6e17f982;Security Eventlog Cleared;Computer: WinDevEval
b28e58e4-2a72-4fae-bdee-0fbe904db642;Windows Defender Real-time Protection Disabled;Computer: WinDev2310Eval
ef9dcfed-690c-4c5d-a9d1-482cd422225c;Browser Execution In Headless Mode;.*
65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: (DESKTOP-6D0DBMB|WinDev2310Eval)
de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys Using Reg.EXE;\\Discord\\
24357373-078f-44ed-9ac4-6d334a668a11;Direct Autorun Keys Modification;Discord\.exe
8fbf3271-1ef6-4e94-8210-03c2317947f6;Cred Dump Tools Dropped Files;Svchost\.exe
c7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Registry;.*
dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr
416bc4a2-7217-4519-8dc7-c3271817f1d5;Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location;procexp64\.exe
5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d;Cmd Launched with Hidden Start Flags to Suspicious Targets;xampp
558eebe5-f2ba-4104-b339-36f7902bcc1a;File Creation Date Changed to Another Year;(\\target\.exe|thm\.wxl|\\AppData\\Local\\Temp\\)
5e993621-67d4-488a-b9ae-b420d08b96cb;Service Installation in Suspicious Folder;\\\\AppData\\\\Local\\\\Temp\\\\MBAMInstallerService\.exe
================================================
FILE: .github/workflows/matchgrep.sh
================================================
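#!/bin/bash
# matchgrep.sh - report Sigma rule matches in a clean baseline that are not
# listed as known false positives.
#
# Usage: matchgrep.sh <findings.json> <known-FPs.csv>
#
#   findings.json  one JSON object per line as written by evtx-sigma-checker;
#                  the fields used here are RuleId, RuleTitle and RuleLevel
#   known-FPs.csv  semicolon-separated rows "RuleId;RuleName;MatchString" with a
#                  header line. MatchString is an extended regular expression that
#                  is matched case-insensitively against the part of a finding line
#                  that follows its RuleId; RuleName is informational only.
#
# Findings with "RuleLevel":"low" are ignored. Every remaining finding whose line
# matches `"RuleId":"<RuleId>".*<MatchString>` for some CSV row is dropped.
#
# Exit codes:
#   0  no unexpected matches
#   1  usage error
#   2  an input file is missing/unreadable, or a MatchString is not a valid
#      regular expression
#   3  unexpected matches remain (findings on stdout, summary on stderr)

infile=$1
fps=$2

if [[ -z ${infile} || -z ${fps} ]]; then
  >&2 echo "usage: $0 [json-file] [FPs.csv]"
  exit 1
fi
if [[ ! -f ${infile} || ! -r ${infile} ]]; then
  >&2 echo "${infile} is not a valid, readable file"
  exit 2
fi
if [[ ! -f ${fps} || ! -r ${fps} ]]; then
  >&2 echo "${fps} is not a valid, readable file"
  exit 2
fi

# Exclude all rules with level "low"
findings=$(grep -v '"RuleLevel":"low"' "${infile}")

{
  read -r # Skip CSV header
  # "|| [[ -n ${id} ]]" also processes a final row that has no trailing newline,
  # which a plain "while read" would silently skip.
  while IFS=';' read -r id _name fpstring || [[ -n ${id} ]]; do
    # Tolerate CRLF line endings and skip blank or commented rows.
    fpstring=${fpstring%$'\r'}
    [[ -z ${id} || ${id} == \#* ]] && continue
    pattern="\"RuleId\":\"${id}\".*${fpstring}"
    # printf instead of echo so that the findings are never interpreted as echo options.
    filtered=$(printf '%s\n' "${findings}" | grep -iEv "${pattern}")
    status=$?
    # grep exits 2 on a malformed pattern. Without this check a broken filter
    # would empty the findings and the job would pass with "No matches found.".
    if (( status == 2 )); then
      >&2 echo "invalid MatchString in ${fps} for rule ${id}: ${fpstring}"
      exit 2
    fi
    findings=${filtered}
  done
} < "${fps}"

if [[ -z ${findings} ]]; then
  echo "No matches found."
else
  >&2 echo "Found matches:"
  printf '%s\n' "${findings}"
  >&2 echo
  >&2 echo "Match overview:"
  # One line per (RuleId, RuleTitle, RuleLevel) with its hit count, most frequent first.
  printf '%s\n' "${findings}" | jq -c '. | {RuleId, RuleTitle, RuleLevel}' | sort | uniq -c | sort -nr >&2
  >&2 echo
  >&2 echo "You either need to tune your rule(s) for false positives or add a false positive filter to .github/workflows/known-FPs.csv"
  exit 3
fi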
================================================
FILE: .github/workflows/pr-labeler.yml
================================================
# Labels newly opened pull requests using actions/labeler (configuration in
# .github/labeler.yml).
on:
  # pull_request_target runs in the context of the base repository, which is what
  # lets the job label PRs coming from forks. That is acceptable here only because
  # the job never checks out or executes code from the PR head; keep it that way
  # when adding steps.
  pull_request_target:
    types:
      - opened
name: PR Labeler Workflow
jobs:
  triage:
    # Least privilege: read the repository for the labeler configuration and
    # write labels on the pull request, nothing else.
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v6
================================================
FILE: .github/workflows/ref-archiver.yml
================================================
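# Runs tests/reference-archiver.py on a schedule (or manually) and opens a pull
# request with the updated cache of archived rule references.
name: "Reference Archiver"
on:
  #push:
  #  branches:
  #    - "*"
  schedule:
    - cron: "30 1 1,15 * *" # At 01:30 on day-of-month 1 and 15.
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
jobs:
  archive:
    runs-on: ubuntu-latest
    # Least privilege: the create-pull-request step pushes a branch and opens a PR;
    # no other step in the job needs write access.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v5
        with:
          submodules: true
      - name: Set up Python 3.11
        uses: actions/setup-python@v6
        with:
          python-version: 3.11
      - name: Execute Reference Archiver
        # argparse ships with the Python standard library (3.11 is set up above);
        # the PyPI package of the same name is a backport for old interpreters and
        # would only add an unneeded third-party dependency, so it is not installed.
        run: |
          pip install PyYAML requests
          python tests/reference-archiver.py
      # NOTE(review): sigma-rule-deprecated.yml uses peter-evans/create-pull-request@v7
      # while this workflow is still on v5 — align the versions after checking the
      # action's changelog for behaviour changes.
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v5
        with:
          reviewers: nasbench, frack113, phantinuss
          delete-branch: true
          branch: 'create-pull-request/reference-archiver'
          commit-message: 'chore: archive new rule references and update cache file'
          title: 'Archive New Rule References'
          body: |
            ### Summary of the Pull Request
            This PR update the cache file used to save already archived references with newly archived results
            ### Changelog
            chore: archive new rule references and update cache file
            ### Example Log Event
            N/A
            ### Fixed Issues
            N/A
            ### SigmaHQ Rule Creation Conventions
            - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)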
================================================
FILE: .github/workflows/regression-tests.yml
================================================
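# Runs tests/regression_tests_runner.py against all rule directories using the
# evtx-sigma-checker binary from the pinned NextronSystems/evtx-baseline release.
name: Regression Tests
on: [push, pull_request, workflow_dispatch]
# The job only reads the repository; keep GITHUB_TOKEN read-only so a compromised
# download or dependency cannot write to the repository.
permissions:
  contents: read
env:
  # Release tag of NextronSystems/evtx-baseline that provides the checker binary.
  EVTX_BASELINE_VERSION: v0.8.4
jobs:
  true-positive-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.11'
      - name: Install Python dependencies
        run: |
          python -m pip install --upgrade pip
          pip install pyyaml
      # NOTE(review): the binary is fetched by release tag and executed without a
      # checksum or signature check; pinning the expected SHA-256 of the asset would
      # make a moved tag or tampered download fail the job instead of running.
      - name: Download evtx-sigma-checker
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
          chmod +x evtx-sigma-checker
      # --ignore-validation: rule validation is covered by the other workflows.
      - name: Run regression tests
        run: |
          python tests/regression_tests_runner.py --rules-paths rules rules-emerging-threats rules-threat-hunting --evtx-checker ./evtx-sigma-checker --thor-config tests/thor.yml --ignore-validation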
================================================
FILE: .github/workflows/release.yml
================================================
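# Drafts a GitHub release whenever a release tag (r*) is pushed: the release notes
# are generated from the commit messages between the previous and the current r*
# tag, and the rule packages are built with tests/sigma-package-release.py.
on:
  push:
    tags:
      - 'r*'
name: Create Release
jobs:
  build:
    name: Create Release
    runs-on: ubuntu-latest
    # Least privilege: creating the release and uploading its assets needs write
    # access to repository contents; no other scope is used in this job.
    permissions:
      contents: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
        with:
          # Full history is needed to resolve the previous r* tag and the commit
          # range used for the changelog.
          fetch-depth: 0
      # Changelog sections are built from commit-message prefixes (new:, update:,
      # remove:, fix:). Contributor handles are collected from "Merge PR #... from"
      # messages, "Co-authored-by:" and "Thanks:" trailers; dependabot is excluded.
      - name: Generate Changelog
        run: |
          prev_tag=$(git for-each-ref --sort=creatordate --format '%(refname:lstrip=2)' refs/tags | grep ^r | tail -2 | head -1)
          curr_tag=$(git for-each-ref --sort=creatordate --format '%(refname:lstrip=2)' refs/tags | grep ^r | tail -1)
          echo "Previous tag: ${prev_tag}"
          echo "Current tag: ${curr_tag}"
          if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*new: ' -c) -gt 0 ]]; then echo "### New Rules" > changes.txt; fi
          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*new: ' | sort -u | sed -e 's%^% - %' >> changes.txt
          if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' -c) -gt 0 ]]; then echo "### Updated Rules" >> changes.txt; fi
          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' | sort -u | sed -e 's%^% - %' >> changes.txt
          if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' -c) -gt 0 ]]; then echo "### Removed / Deprecated Rules" >> changes.txt; fi
          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' | sort -u | sed -e 's%^% - %' >> changes.txt
          if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' -c) -gt 0 ]]; then echo "### Fixed Rules" >> changes.txt; fi
          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' | sort -u | sed -e 's%^% - %' >> changes.txt
          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP 'Merge PR #\d+ from \K(@\S+)' | sort -u > authors_raw.txt
          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -oP "Co-authored-by: \K.*(?= <)" | sort -u | sed -e 's%^%@%' >> authors_raw.txt
          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP "Thanks: \K.*?(?=$| for)" | sort -u >> authors_raw.txt
          LC_ALL=en_US.UTF-8 sort -u authors_raw.txt | grep -v 'dependabot\[bot\]' > authors.txt
          cat changes.txt >> changelog.txt
          echo "" >> changelog.txt
          echo "### Acknowledgement" >> changelog.txt
          echo "Thanks to $(perl -pe 's%\n%, %' authors.txt | sed 's%, $%%') for their contribution to this release" >> changelog.txt
          echo "" >> changelog.txt
          echo "" >> changelog.txt
          echo "### Which Sigma rule package should I use?" >> changelog.txt
          echo "A detailed explanation can be found in the [Releases.md](Releases.md) file. If you are new to Sigma, we recommend starting with the \"Core\" ruleset." >> changelog.txt
          echo "" >> changelog.txt
          echo "The [latest release package on GitHub](https://docs.github.com/en/repositories/releasing-projects-on-github/linking-to-releases#linking-to-the-latest-release) can always be found [here](https://github.com/SigmaHQ/sigma/releases/latest)." >> changelog.txt
          cat changelog.txt
      # One package per minimum status / minimum level / rule-type combination;
      # Releases.md describes which package is meant for which audience.
      - name: Build all release packages
        run: |
          python3 tests/sigma-package-release.py --min-status test --min-level high --rule-types generic --outfile sigma_core.zip
          python3 tests/sigma-package-release.py --min-status test --min-level medium --rule-types generic --outfile sigma_core+.zip
          python3 tests/sigma-package-release.py --min-status experimental --min-level medium --rule-types generic --outfile sigma_core++.zip
          python3 tests/sigma-package-release.py --min-status experimental --min-level medium --rule-types et --outfile sigma_emerging_threats_addon.zip
          python3 tests/sigma-package-release.py --min-status experimental --min-level medium --rule-types generic et --outfile sigma_all_rules.zip
      # The release is created as a draft so the generated notes can be reviewed
      # before it is published.
      - name: Create Release with Assets
        id: create_release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ github.ref }}
          name: Release ${{ github.ref_name }}
          body_path: changelog.txt
          token: ${{ secrets.GITHUB_TOKEN }}
          draft: true
          prerelease: false
          files: |
            sigma_core.zip
            sigma_core+.zip
            sigma_core++.zip
            sigma_emerging_threats_addon.zip
            sigma_all_rules.zip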
================================================
FILE: .github/workflows/sigma-rule-deprecated.yml
================================================
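# Regenerates deprecated/deprecated.csv and deprecated/deprecated.json with
# tests/deprecated_rules.py on a monthly schedule (or manually) and opens a pull
# request with the result.
name: "Create deprecated summary"
on:
  #push:
  #  branches:
  #    - "*"
  schedule:
    - cron: "0 0 1 * *" # At 00:00 on day-of-month 1.
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
jobs:
  pull-master:
    runs-on: ubuntu-latest
    # Least privilege: the create-pull-request step pushes a branch and opens a PR;
    # no other step in the job needs write access.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v5
        with:
          submodules: true
      - name: Set up Python 3.11
        uses: actions/setup-python@v6
        with:
          python-version: 3.11
      # NOTE(review): pySigma is installed unpinned; pinning a version (or a hash)
      # would make this scheduled job reproducible and reduce supply-chain exposure.
      - name: Execute deprecated rules script
        run: |
          pip install pySigma
          python tests/deprecated_rules.py --format csv
          python tests/deprecated_rules.py --format json
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v7
        with:
          reviewers: nasbench, frack113, phantinuss
          delete-branch: true
          commit-message: 'chore: update deprecated csv'
          branch: 'create-pull-request/rule-deprecated'
          title: 'Update deprecated.csv'
          body: |
            ### Summary of the Pull Request
            This PR updates the deprecated summary file `deprecated.csv` and `deprecated.json`
            ### Changelog
            chore: update deprecated.csv and deprecated.json
            ### Example Log Event
            N/A
            ### Fixed Issues
            N/A
            ### SigmaHQ Rule Creation Conventions
            - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/tree/main/sigmahq)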
================================================
FILE: .github/workflows/sigma-rule-promoter.yml
================================================
#name: "Promote Experimental Rules To Test"
#
#on:
# #push:
# # branches:
# # - "*"
# schedule:
# - cron: "0 0 1 * *" # At 00:00 on day-of-month 1.
#
# # Allows you to run this workflow manually from the Actions tab
# workflow_dispatch:
#
#jobs:
# pull-master:
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v5
# with:
# submodules: true
# - name: Set up Python 3.11
# uses: actions/setup-python@v6
# with:
# python-version: 3.11
# - name: Execute Rule Promoter Script
# run: |
# pip install pySigma
# python tests/promote_rules_status.py
# - name: Create Pull Request
# uses: peter-evans/create-pull-request@v7
# with:
# reviewers: nasbench, frack113, phantinuss
# delete-branch: true
# commit-message: 'chore: promote older rules status from `experimental` to `test`'
# branch: 'create-pull-request/rule-promotion'
# title: 'Promote Older Rules From `experimental` to `test`'
# body: |
# ### Summary of the Pull Request
#
# This PR promotes and upgrades the status of rules that haven't been changed for over 300 days from `experimental` to `test`
#
# ### Changelog
#
# chore: promote older rules status from `experimental` to `test`
#
# ### Example Log Event
#
# N/A
#
# ### Fixed Issues
#
# N/A
#
# ### SigmaHQ Rule Creation Conventions
#
# - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)
#
================================================
FILE: .github/workflows/sigma-test.yml
================================================
# This workflow will install Python dependencies, run tests and lint with a single version of Python
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
name: Sigma Rule Tests
on: [push, pull_request, merge_group, workflow_dispatch]
# NOTE(review): every job below only reads the checkout and never pushes or comments, yet no
# `permissions:` block is declared, so the jobs inherit the repository's default GITHUB_TOKEN
# permissions. A top-level `permissions: { contents: read }` would make that least-privilege
# explicit -- confirm nothing here needs more.
jobs:
yamllint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- name: yaml-lint
# Third-party action referenced by major-version tag rather than a commit SHA.
uses: ibiqlik/action-yamllint@v3
with:
strict: true # fail on warnings as well
test-sigma-logsource:
runs-on: ubuntu-latest
needs: yamllint
steps:
- uses: actions/checkout@v5
with:
submodules: true
- name: Set up Python 3.11
uses: actions/setup-python@v6
with:
python-version: 3.11
- name: Test Sigma logsource
run: |
pip install PyYAML colorama
python tests/test_logsource.py
test-sigma-legacy:
runs-on: ubuntu-latest
needs: yamllint
steps:
- uses: actions/checkout@v5
with:
submodules: true
- name: Set up Python 3.11
uses: actions/setup-python@v6
with:
python-version: 3.11
- name: Test Sigma Rules
run: |
pip install PyYAML colorama
python tests/test_rules.py
sigma-check:
runs-on: ubuntu-latest
needs: yamllint
steps:
- uses: actions/checkout@v5
with:
submodules: true
- name: Set up Python 3.11
uses: actions/setup-python@v6
with:
python-version: 3.11
- name: Install dependencies
# NOTE(review): `pysigma` and `sigma-cli` are installed unpinned while the validators package
# is pinned to `0.20.*`; the set of checks `sigma check` enforces therefore depends on whatever
# versions PyPI serves at run time, which makes CI results non-reproducible between runs.
# Pinning all three (ideally with hashes) is the safer choice for a required check.
run: |
pip install pysigma
pip install sigma-cli
pip install pySigma-validators-sigmahq==0.20.*
- name: Test Sigma Rule Syntax
# Validation rules come from tests/sigma_cli_conf.yml; any error or reported issue fails the step.
run: |
sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules*
duplicate-id-check:
runs-on: ubuntu-latest
needs: yamllint
steps:
- uses: actions/checkout@v5
with:
submodules: true
# Collects every `id:` line from the rule, deprecated and unsupported trees, counts identical
# values, and prints only those whose count is not exactly 1 (i.e. reused ids). The final grep
# exits 0 when it printed something (duplicates found) and 1 when it printed nothing, so
# `exit $(( $? ^ 1 ))` flips that into "fail on duplicates, pass when clean". Only the last
# command's status is checked (no pipefail), so an error earlier in the pipeline would surface
# only through its effect on the output -- presumably acceptable for a fixed set of directories.
- name: Check for duplicate IDs
shell: /usr/bin/bash {0} # Use bash without -e to enable exit code manipulation
run: |
grep -rh "^id: " rules* deprecated unsupported | sort | uniq -c | grep -vE "^\s+1 id: "; exit $(( $? ^ 1 ))
================================================
FILE: .github/workflows/sigma-validation.yml
================================================
# Schema validation of the rule directories on every push, pull request and merge-group run.
name: Validate Sigma rules
on: [push, pull_request, merge_group, workflow_dispatch]
jobs:
sigma-rules-validator:
runs-on: ubuntu-latest
steps:
- name: Validate Sigma rules
# No checkout step precedes this; the action is presumably responsible for fetching the
# repository itself, since `schemaFile` is resolved under github.workspace -- confirm.
# Action referenced by major-version tag rather than a commit SHA.
uses: SigmaHQ/sigma-rules-validator@v1
with:
# NOTE(review): this is an explicit list, unlike the `rules*` glob used by the other
# workflows. A newly added `rules-*` directory is presumably not validated here until it
# is appended to this list -- worth keeping in mind when adding a rule tree.
paths: |-
./rules
./rules-compliance
./rules-dfir
./rules-emerging-threats
./rules-placeholder
./rules-threat-hunting
schemaFile: ${{ github.workspace }}/tests/validate-sigma-schema/sigma-schema.json
================================================
FILE: .github/workflows/update-heatmap.yml
================================================
# Monthly (and manually triggerable) job that regenerates the ATT&CK Navigator coverage
# layer from the current rule set and opens a pull request with the result.
name: Generate Updated ATT&CK Heatmap
on:
schedule:
- cron: "0 0 1 * *" # At 00:00 on day-of-month 1.
workflow_dispatch:
# NOTE(review): no `permissions:` block is declared, so the job runs with the repository's
# default GITHUB_TOKEN permissions. The create-pull-request step presumably needs only
# `contents: write` and `pull-requests: write`; declaring exactly those keeps the token
# least-privilege -- confirm against the action's documentation.
jobs:
generate-heatmap:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v5
with:
submodules: true
- name: Install Sigma
# NOTE(review): `pipx install sigma-cli` is unpinned, so the tool version that produces the
# committed JSON is whatever PyPI serves on the day of the run; pinning it makes the
# generated layer reproducible and narrows the supply-chain surface of an auto-PR job.
run: pipx install sigma-cli
- name: Update Heatmap
# Writes the coverage layer in place. Note the input glob is `rule*` here, whereas the test
# workflow uses `rules*`; both presumably resolve to the same directories -- confirm.
run: sigma analyze attack count --min-score 0 --max-score 20 --min-color '#66b1ffff' --max-color '#ff66f4ff' ./other/sigma_attack_nav_coverage.json rule*
- name: Create Pull Request
# Third-party action referenced by major-version tag (v7) rather than a commit SHA;
# SHA-pinning is the stricter option for an action that pushes a branch using the job token.
uses: peter-evans/create-pull-request@v7
with:
reviewers: nasbench, frack113, phantinuss
delete-branch: true
commit-message: 'chore: update ATT&CK heatmap'
branch: 'create-pull-request/update-heatmap'
title: 'Update ATT&CK Heatmap Coverage'
body: |
### Summary of the Pull Request
This PR updates sigma_attack_nav_coverage.json to reflect the current rule coverage.
To generate a new SVG file, go to the [MITRE ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/SigmaHQ/sigma/master/other/sigma_attack_nav_coverage.json) and export a SVG via "Layer Controls" > "Export" (download icon) > "render layer to SVG".
### Changelog
chore: update ATT&CK heatmap
### Example Log Event
N/A
### Fixed Issues
N/A
### SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)
================================================
FILE: .gitignore
================================================
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
env/
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
*.egg-info/
.installed.cfg
*.egg
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*,cover
.hypothesis/
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
# Flask stuff:
instance/
.webassets-cache
# MacOS Finder
.DS_Store
# Scrapy stuff:
.scrapy
# Sphinx documentation
docs/_build/
# PyBuilder
target/
# IPython Notebook
.ipynb_checkpoints
# pyenv
.python-version
# celery beat schedule file
celerybeat-schedule
# dotenv
.env
# virtualenv
venv/
ENV/
# Spyder project settings
.spyderproject
# Rope project settings
.ropeproject
# vi(m)
*.swp
settings.json
# VisualStudio
.vs/
.vscode/launch.json
# sigma2attack
heatmap.json
================================================
FILE: .yamllint
================================================
# https://yamllint.readthedocs.io/en/latest/configuration.html
extends: default
ignore:
- .github/
- deprecated/
- other/godmode_sigma_rule.yml
- tests/
- unsupported/
rules:
comments:
require-starting-space: true
min-spaces-from-content: 1
comments-indentation: disable
document-start: {present: false}
empty-lines: {max: 2, max-start: 2, max-end: 2}
indentation: {spaces: 4, indent-sequences: whatever}
line-length: disable
new-line-at-end-of-file: enable
trailing-spaces: {}
================================================
FILE: CONTRIBUTING.md
================================================
# Contributing to Sigma 🧙♂️
First off, thank you for considering contributing to Sigma! Your help is invaluable in keeping this project up-to-date and useful for the community.
The following guidelines will help you understand how to contribute effectively.
## 📝 Reporting False Positives Or Proposing New Detection Rule Ideas 🔎
If you find a false positive or would like to propose a new detection rule idea but do not have the time to create one, please create a new issue on the [GitHub repository](https://github.com/SigmaHQ/sigma/issues/new/choose) by selecting one of the available templates.
## 🛠️ Submitting Pull Requests (PRs)
1. Fork the [SigmaHQ repository](https://github.com/SigmaHQ/sigma) and clone your fork to your local machine.
2. Create a new branch for your changes:
```bash
git checkout -b your-feature-branch
```
3. Make your changes, and test them:
```bash
python tests/test_logsource.py
python tests/test_rules.py
```
4. Once the tests pass, commit the changes to your branch:
```bash
git add .
git commit -m "Your commit message"
```
5. Push your changes to your fork:
```bash
git push origin your-feature-branch
```
6. Create a new Pull Request (PR) against the upstream repository:
* Go to the [Sigma repository](https://github.com/SigmaHQ/sigma) on GitHub
* Click the "New Pull Request" button
* Choose your fork and your feature branch
* Add a clear and descriptive title and a detailed description of your changes
* Submit the Pull Request
## 📚 Adding or Updating Detection Rules
To update or contribute a new rule please make sure to follow the guidelines in the [SigmaHQ conventions documents](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq). Consider installing the [VsCode Sigma Extension](https://marketplace.visualstudio.com/items?itemName=humpalum.sigma) for auto completion and quality of life features.
Thank you for contributing to Sigma! 🧙♂️
================================================
FILE: LICENSE
================================================
# Licenses
The content of this repository is released under the following licenses:
- The Sigma specification (https://github.com/SigmaHQ/sigma-specification) and the Sigma logo are public domain
- The rules contained in the SigmaHQ repository (https://github.com/SigmaHQ) are released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License)
================================================
FILE: README.md
================================================
# Sigma - Generic Signature Format for SIEM Systems
<a href="https://sigmahq.io/">
<p align="center">
<br />
<picture>
<source media="(prefers-color-scheme: dark)" srcset="./images/sigma_logo_dark.png">
<img width="454" alt="Sigma Logo" src="./images/sigma_logo_light.png">
</picture>
</p>
</a>
<br />
<p align="center">
<a href="https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster"><img src="https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master" alt="Sigma Build Status"></a> <a href="https://sigmahq.io/"><img src="https://cdn.jsdelivr.net/gh/SigmaHQ/sigmahq.github.io@master/images/Sigma%20Official%20Badge.svg" alt="Sigma Official Badge"></a> <img alt="GitHub Repo stars" src="https://img.shields.io/github/stars/SigmaHQ/sigma">
<img alt="GitHub all releases" src="https://img.shields.io/github/downloads/SigmaHq/Sigma/total">
<br />
<a href="https://opensourcesecurityindex.io/" target="_blank" rel="noopener">
<img style="width: 170px;" src="https://opensourcesecurityindex.io/badge.svg" alt="Open Source Security Index - Fastest Growing Open Source Security Projects" width="170" />
</a>
</p>
Welcome to the Sigma main rule repository. The place where detection engineers, threat hunters and all defensive security practitioners collaborate on detection rules. The repository offers more than 3000 detection rules of different types and aims to make reliable detections accessible to all at no cost.
Currently the repository offers three types of rules:
* [Generic Detection Rules](./rules/) - Are threat agnostic, their aim is to detect a behavior or an implementation of a technique or procedure that was, can or will be used by a potential threat actor.
* [Threat Hunting Rules](./rules-threat-hunting/) - Are broader in scope and are meant to give the analyst a starting point to hunt for potential suspicious or malicious activity
* [Emerging Threat Rules](./rules-emerging-threats/) - Are rules that cover specific threats, that are timely and relevant for certain periods of time. These threats include specific APT campaigns, exploitation of Zero-Day vulnerabilities, specific malware used during an attack,...etc.
* [Compliance Rules](./rules-compliance/) - Are rules that help you identify compliance violations based on well known security frameworks such as CIS Controls, NIST, ISO 27001,...etc.
* [Placeholder Rules](./rules-placeholder/) - Are rules that get their final meaning at conversion or usage time of the rule.
## Explore Sigma
To start exploring the Sigma ecosystem, please visit the official website [sigmahq.io](https://sigmahq.io)
### What is Sigma
Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file.
The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.
Sigma is for log files what [Snort](https://www.snort.org/) is for network traffic and [YARA](https://github.com/VirusTotal/yara) is for files.
<picture>
<source media="(prefers-color-scheme: dark)" srcset="./images/Sigma_description_dark.png">
<img alt="Sigma Description - A diagram showing Yaml Files (Sigma Rules) moving through a Sigma Convertor, and coming out as many SIEM logos, showing how Sigma rules can be converted to many different available SIEM query languages" src="./images/Sigma_description_light.png">
</picture>
### Why Sigma
Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and building their own searches and dashboards. Some of their searches and correlations are great and very useful, but they lack a standardized format in which they can share their work with others.
Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone.
### 🌟 Key Features
* A continuously growing list of detection and hunting rules, peer reviewed by a community of professional Detection Engineers.
* Vendor agnostic detection rules.
* Easily shareable across communities and reports
## 🏗️ Rule Creation
To start writing Sigma rules please check the following high level guide along with the sigma specification:
* [Rule Creation High‐Level Guide](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-High%E2%80%90Level-Guide)
* [Sigma Specification](https://github.com/SigmaHQ/sigma-specification)
## 🔎 Contributing & Making PRs
Please refer to the [CONTRIBUTING](./CONTRIBUTING.md) guide for detailed instructions on how you can start contributing new rules.
## 📦 Rule Packages
You can download the latest rule packages from the [release page](https://github.com/SigmaHQ/sigma/releases/latest) and start leveraging Sigma rules today.
## 🧬 Rule Usage and Conversion
* You can start converting Sigma rules today using [Sigma CLI](https://github.com/SigmaHQ/sigma-cli) or [sigconverter.io](https://sigconverter.io) the GUI interface
* To integrate Sigma rules in your own toolchain or products use [pySigma](https://github.com/SigmaHQ/pySigma).
## 🚨 Reporting False Positives or New Rule Ideas
If you find a false positive or would like to propose a new detection rule idea but do not have the time to create one, please create a new issue on the [GitHub repository](https://github.com/SigmaHQ/sigma/issues/new/choose) by selecting one of the available templates.
## 📚 Resources & Further Reading
* [Hack.lu 2017 Sigma - Generic Signatures for Log Events by Thomas Patzke](https://www.youtube.com/watch?v=OheVuE9Ifhs)
* [MITRE ATT&CK® and Sigma Alerting SANS Webcast Recording](https://www.sans.org/webcasts/mitre-att-ck-sigma-alerting-110010 "MITRE ATT&CK® and Sigma Alerting")
* [Sigma - Generic Signatures for SIEM Systems by Florian Roth](https://www.slideshare.net/secret/gvgxeXoKblXRcA)
## Projects or Products that use or integrate Sigma rules
* [AlphaSOC](https://docs.alphasoc.com/detections_and_findings/sigma_community/) - Leverages Sigma rules to increase coverage across all supported log sources
* [alterix](https://github.com/mtnmunuklu/alterix) - Converts Sigma rules to the query language of CRYPTTECH's SIEM
* [AttackIQ](https://www.attackiq.com/2024/01/10/sigmaiq-attackiqs-latest-innovation-for-actionable-detections/) - Sigma Rules integrated in AttackIQ's platform, and [SigmAIQ](https://github.com/AttackIQ/SigmAIQ) for Sigma rule conversion and LLM apps
* [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (Since December 2018)
* [AttackRuleMap - Mapping of Atomic Red Team tests and Sigma Rules](https://attackrulemap.com/)
* [Confluent Sigma](https://github.com/confluentinc/confluent-sigma) - Kafka Streams supported Sigma rules
* [Detection Studio](https://detection.studio/?ref=sigmahq_readme) - Convert Sigma rules to any supported SIEM.
* [IBM QRadar](https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2023/08/02/qradar-natively-supports-sigma-for-rules-creation)
* [Impede Detection Platform](https://impede.ai/)
* [Joe Sandbox](https://www.joesecurity.org/blog/8225577975210857708)
* [LimaCharlie](https://limacharlie.io/)
* [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (Since Version 2.4.70, March 2017)
* [Nextron's Aurora Agent](https://www.nextron-systems.com/aurora/)
* [Nextron's THOR Scanner](https://www.nextron-systems.com/thor/) - Scan with Sigma rules on endpoints
* [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html)
* [Saeros](https://github.com/Saeros-Security/Saeros)
* [Security Onion](https://docs.securityonion.net/en/latest/sigma.html)
* [Sekoia.io XDR](https://www.sekoia.io) - XDR supporting Sigma and Sigma Correlation rules languages
* [sigma2stix](https://github.com/muchdogesec/sigma2stix) - Converts the entire SigmaHQ Ruleset into STIX 2.1 Objects.
* A versioned archive of sigma2stix STIX 2.1 data is also available to [download here](https://github.com/muchdogesec/cti_knowledge_base_store/tree/main/sigma-rules).
* [SIΣGMA](https://github.com/3CORESec/SIEGMA) - SIEM consumable generator that utilizes Sigma for query conversion
* [SOC Prime](https://my.socprime.com/sigma/)
* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
* [TimeSketch](https://github.com/google/timesketch/commit/0c6c4b65a6c0f2051d074e87bbb2da2424fa6c35)
* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing
## 📜 Maintainers
* [Nasreddine Bencherchali (@nas_bench)](https://twitter.com/nas_bench)
* [Florian Roth (@cyb3rops)](https://twitter.com/cyb3rops)
* [Christian Burkard (@phantinuss)](https://twitter.com/phantinuss)
* [François Hubaut (@frack113)](https://twitter.com/frack113)
* [Thomas Patzke (@blubbfiction)](https://twitter.com/blubbfiction)
## Credits
This project would've never reached this height without the help of the hundreds of contributors. Thanks to all past and present contributors for their help.
## Licenses
The content of this repository is released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License).
================================================
FILE: Releases.md
================================================
The following document describes the different types of rule packages provided with every release.
## Package Introduction
The rule packages provided with every release are split based on the [status](https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_specification.md#status-optional), [level](https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_specification.md#level) and [type](https://medium.com/sigma-hq/sigma-rule-repository-enhancements-new-folder-structure-rule-types-30adb70f5e10) of a sigma rule.
There are currently 3 main rule types provided in the sigma repository:
- **core/generic**: Rules that match on attacker techniques. These rules are timeless and often match on new threats.
- **emerging-threats/ET**: Rules that match on patterns of specific threat actors or exploits. High signal to noise ratio but will decrease in relevance over time.
- **threat-hunting/TH**: Rules that should not be run for alerting but are interesting in giving detection ideas or hunt for suspicious activity inside an environment.
### Package Overview
name | status | level | type
--- | --- | --- | ---
[Core (Default)](#core-rules) | testing, stable | high, critical | core
[Core+ (Rule Review needed)](#core-rules-1) | testing, stable | medium, high, critical | core
[Core++ (Experimental)](#core-rules-2) | experimental, testing, stable | medium, high, critical | core
[Emerging Threats AddOn Rules](#et-emerging-threats-addon-rules) | experimental, testing, stable | medium, high, critical | emerging threats
[All rules](#all-rules) | experimental, testing, stable | medium, high, critical | core, emerging threats
If you are new, best start with the `Core` Sigma package. It includes high quality rules of high confidence and relevance and should not produce many false positives.
If your setup is working fine, you can add the `emerging threats` rules and start thinking about upgrading to `Core+` rules. If that is not enough and you like the pain, use the "all" rules package.
### Defined Package
#### Core Rules
The `Core` Sigma package includes high quality rules of high confidence and relevance and should not produce many false positives.
The selected rules are of level `high` or `critical`, which means matches are of high or critical importance. The rule status is `testing` or `stable`, which means the rule is at least half a year old and no false positives have been reported on it.
The type is `core`, meaning the rules will match on attacker technique and generic suspicious or malicious behavior.
#### Core+ Rules
The plus in the `Core+` Sigma package stands for the addition of `medium` level rules. Those rules most often need additional tuning as certain applications, legitimate user behavior or scripts of an organization might be matched. Not every `medium` level rule is useful in every organization.
#### Core++ Rules
The `Core++` package additionally includes the rules of `experimental` status. These rules are bleeding edge. They are validated against the Goodlog tests available to the SigmaHQ project and reviewed by multiple detection engineers. Other than that they are pretty much untested at first. Use these if you want to be able to detect threats as early as possible at the cost of managing a higher threshold of false positives.
Please report any false positives you find in the wild via our [github issue tracker](https://github.com/SigmaHQ/sigma/issues/new?assignees=&labels=False-Positive&projects=&template=false_positive_report.yml). After a grace period all `experimental` rules will eventually be promoted to status `test`.
### Package AddOn's
#### ET (Emerging Threats) AddOn Rules
The `ET AddOn` Sigma package contains all of the `emerging threats` rules. These rules have a low false positive rate, so the package already contains rules of status `experimental`. These rules target specific threats and are especially useful for current threats about which not much information may yet be available, so we want to get them to you as fast as possible. The package is an `AddOn`, so you can use it on top of whichever `Core` package is most useful to you.
### All Rules
> **Note**
>
> This package doesn't contain all rules
This package includes all rules from level `medium` with a status of `experimental` and upwards including the `emerging threats` rules. Some heavy tuning is required when using this package.
You'll notice that rules of level `low` and some others are omitted even from the `All Rules` package. We do not recommend using any rules other than those provided in these packages to generate alerts.
### Create Your Own Custom Rule Package
Releases are tagged using the format `r<ISO 8601 date>` (e.g. `r2023-12-24`).
You can checkout any release version and create your own package using the [sigma-package-release](tests/sigma-package-release.py) script. Define the `status`, `level` and `type` of rules and the script generates a ZIP archive containing only those rules.
e.g.
```bash
# python3 tests/sigma-package-release.py --min-status testing --levels high critical --types generic --outfile Sigma-custom.zip
```
You can either give `level` and `status` as a space separated list or using a minimum value. See `--help` for all options
================================================
FILE: deprecated/README.md
================================================
# Deprecated folder
This folder contains all rules that have been marked as deprecated.
It is recommended to avoid using these rules, as they are no longer maintained or supported.
For a summary of the deprecated rules, refer to [deprecated.csv](./deprecated.csv) or [deprecated.json](./deprecated.json)
# References
https://github.com/SigmaHQ/sigma-specification/blob/main/specification/sigma-rules-specification.md#status
================================================
FILE: deprecated/cloud/azure_app_credential_modification.yml
================================================
title: Azure Application Credential Modified
id: cdeef967-f9a1-4375-90ee-6978c5f23974
status: deprecated
description: Identifies when an application credential is modified.
references:
- https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
author: Austin Songer @austinsonger
date: 2021-09-02
modified: 2025-10-17
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message: 'Update application – Certificates and secrets management'
condition: selection
falsepositives:
- Application credential added may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
================================================
FILE: deprecated/cloud/azure_app_permissions_for_api.yml
================================================
title: App Permissions Granted For Other APIs
id: ba2a7c80-027b-460f-92e2-57d113897dbc
status: deprecated
description: Detects when app permissions (app roles) for other APIs are granted
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022/07/28
modified: 2023/03/29
tags:
- attack.privilege_escalation
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Add app role assignment to service principal
condition: selection
falsepositives:
- When the permission is legitimately needed for the app
level: medium
================================================
FILE: deprecated/deprecated.csv
================================================
id,title,date,modified,level
867613fb-fa60-4497-a017-a82df74a172c,PowerShell Execution,2019-09-12,2021-11-05,medium
0d894093-71bc-43c3-8c4d-ecfc28dcf5d9,Mimikatz Detection LSASS Access,2017-10-18,2022-04-11,high
3d304fda-78aa-43ed-975c-d740798a49c1,Suspicious PowerShell Invocations - Generic,2017-03-12,2022-04-11,high
56a8189f-11b2-48c8-8ca7-c54b03c2fbf7,Suspicious Esentutl Use,2020-05-23,2022-04-11,high
65531a81-a694-4e31-ae04-f8ba5bc33759,Suspicious PowerShell Download,2017-03-05,2022-04-11,medium
9f7aa113-9da6-4a8d-907c-5f1a4b908299,SyncAppvPublishingServer Execution to Bypass Powershell Restriction,2020-10-05,2022-04-11,medium
a0d63692-a531-4912-ad39-4393325b2a9c,RClone Execution,2021-05-10,2022-04-11,high
b932b60f-fdda-4d53-8eda-a170c1d97bbd,Activity Related to NTDS.dit Domain Hash Retrieval,2019-01-16,2022-04-11,high
cb7286ba-f207-44ab-b9e6-760d82b84253,Rclone Execution via Command Line or PowerShell,2021-05-26,2022-04-11,high
fde7929d-8beb-4a4c-b922-be9974671667,SyncAppvPublishingServer Execution to Bypass Powershell Restriction,2020-10-05,2022-04-11,medium
17f878b8-9968-4578-b814-c4217fc5768c,Autorun Keys Modification,2019-10-25,2022-05-14,medium
29d31aee-30f4-4006-85a9-a4a02d65306c,Lateral Movement Indicator ConDrv,2021-04-27,2022-05-14,low
98f4c75c-3089-44f3-b733-b327b9cd9c9d,Accessing Encrypted Credentials from Google Chrome Login Database,2021-12-20,2022-05-14,medium
a457f232-7df9-491d-898f-b5aabd2cbe2f,Windows Management Instrumentation DLL Loaded Via Microsoft Word,2019-12-26,2022-05-14,informational
db2110f3-479d-42a6-94fb-d35bc1e46492,CreateMiniDump Hacktool,2019-12-22,2022-05-14,high
2621b3a6-3840-4810-ac14-a02426086171,Winword.exe Loads Suspicious DLL,2020-10-09,2022-07-25,medium
bf6c39fc-e203-45b9-9538-05397c1b4f3f,Abusing Findstr for Defense Evasion,2020-10-05,2022-10-12,medium
82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719,Possible Applocker Bypass,2019-01-16,2022-11-03,low
dca91cfd-d7ab-4c66-8da7-ee57d487b35b,Process Start From Suspicious Folder,2022-02-11,2022-11-03,low
53c7cca0-2901-493a-95db-d00d6fcf0a37,Brute Force,2019-10-25,2022-11-04,medium
5f113a8f-8b61-41ca-b90f-d374fa7e4a39,Suspicious In-Memory Module Execution,2019-10-27,2022-11-17,low
f67dbfce-93bc-440d-86ad-a95ae8858c90,Suspicious Bitsadmin Job via PowerShell,2018-10-30,2022-11-21,high
9d1c72f5-43f0-4da5-9320-648cf2099dd0,Excel Proxy Executing Regsvr32 With Payload,2021-08-23,2022-12-02,high
c0e1c3d5-4381-4f18-8145-2583f06a1fe5,Excel Proxy Executing Regsvr32 With Payload Alternate,2021-08-23,2022-12-02,high
72671447-4352-4413-bb91-b85569687135,Nslookup PwSh Download Cradle,2022-09-06,2022-12-14,medium
3f07b9d1-2082-4c56-9277-613a621983cc,Accessing WinAPI in PowerShell for Credentials Dumping,2020-10-06,2022-12-18,high
e554f142-5cf3-4e55-ace9-a1b59e0def65,DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon,2020-10-12,2022-12-18,critical
17eb8e57-9983-420d-ad8a-2c4976c22eb8,MavInject Process Injection,2018-12-12,2022-12-19,high
36c5146c-d127-4f85-8e21-01bf62355d5a,Invoke-Obfuscation Via Use Rundll32,2019-10-08,2022-12-30,high
6d3f1399-a81c-4409-aff3-1ecfe9330baf,PrintNightmare Powershell Exploitation,2021-08-09,2023-01-02,high
83083ac6-1816-4e76-97d7-59af9a9ae46e,AzureHound PowerShell Commands,2021-10-23,2023-01-02,high
a85cf4e3-56ee-4e79-adeb-789f8fb209a8,Indirect Command Exectuion via Forfiles,2022-10-17,2023-01-04,medium
fa47597e-90e9-41cd-ab72-c3b74cfb0d02,Indirect Command Execution,2019-10-24,2023-01-04,low
e4b63079-6198-405c-abd7-3fe8b0ce3263,Suspicious CLR Logs Creation,2020-10-12,2023-01-05,high
cd5c8085-4070-4e22-908d-a5b3342deb74,Suspicious Bitstransfer via PowerShell,2021-08-19,2023-01-10,medium
d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20,Renamed PowerShell,2019-08-22,2023-01-18,high
d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2,Renamed Rundll32.exe Execution,2022-06-08,2023-01-18,high
e31f89f7-36fb-4697-8ab6-48823708353b,Suspicious Cmd Execution via WMI,2022-09-27,2023-01-19,medium
bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2,Netcat The Powershell Version - PowerShell Module,2021-07-21,2023-01-20,medium
47688f1b-9f51-4656-b013-3cc49a166a36,Base64 Encoded Listing of Shadowcopy,2022-03-01,2023-01-30,high
5b572dcf-254b-425c-a8c5-d9af6bea35a6,Potential Xor Encoded PowerShell Command,2022-07-06,2023-01-30,medium
fd6e2919-3936-40c9-99db-0aa922c356f7,Malicious Base64 Encoded Powershell Invoke Cmdlets,2022-05-31,2023-01-30,high
eeb66bbb-3dde-4582-815a-584aee9fe6d1,Correct Execution of Nltest.exe,2021-10-04,2023-02-02,high
0acaad27-9f02-4136-a243-c357202edd74,Ryuk Ransomware Command Line Activity,2019-08-06,2023-02-03,critical
4f927692-68b5-4267-871b-073c45f4f6fe,PowerShell AMSI Bypass Pattern,2022-11-04,2023-02-03,high
038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e,Registry Dump of SAM Creds and Secrets,2022-01-05,2023-02-04,high
04f5363a-6bca-42ff-be70-0d28bf629ead,Office Applications Spawning Wmi Cli Alternate,2021-08-23,2023-02-04,high
23daeb52-e6eb-493c-8607-c4f0246cb7d8,New Lolbin Process by Office Applications,2021-08-23,2023-02-04,high
518643ba-7d9c-4fa5-9f37-baed36059f6a,WMI Execution Via Office Process,2021-08-23,2023-02-04,medium
77815820-246c-47b8-9741-e0def3f57308,Domain Trust Discovery,2019-10-23,2023-02-04,medium
4d6c9da1-318b-4edf-bcea-b6c93fa98fd0,Credential Acquisition via Registry Hive Dumping,2022-10-04,2023-02-06,high
6545ce61-a1bd-4119-b9be-fcbee42c0cf3,Execute MSDT.EXE Using Diagcab File,2022-06-09,2023-02-06,high
9841b233-8df8-4ad7-9133-b0b4402a9014,Sysinternals SDelete Registry Keys,2020-05-02,2023-02-07,medium
09af397b-c5eb-4811-b2bb-08b3de464ebf,WMI Reconnaissance List Remote Services,2022-01-01,2023-02-14,medium
7b0666ad-3e38-4e3d-9bab-78b06de85f7b,Renamed PaExec Execution,2019-04-17,2023-02-14,medium
bc3cc333-48b9-467a-9d1f-d44ee594ef48,SCM DLL Sideload,2022-12-01,2023-02-14,medium
e42af9df-d90b-4306-b7fb-05c863847ebd,WMI Remote Command Execution,2022-03-13,2023-02-14,medium
fa4b21c9-0057-4493-b289-2556416ae4d7,Squirrel Lolbin,2019-11-12,2023-02-14,medium
e011a729-98a6-4139-b5c4-bf6f6dd8239a,Suspicious Certutil Command Usage,2019-01-16,2023-02-15,high
034affe8-6170-11ec-844f-0f78aa0c4d66,Mimikatz MemSSP Default Log File Creation,2021-12-20,2023-02-16,critical
7fe71fc9-de3b-432a-8d57-8c809efc10ab,New Service Creation,2019-10-21,2023-02-20,low
056a7ee1-4853-4e67-86a0-3fd9ceed7555,Invoke-Obfuscation RUNDLL LAUNCHER,2020-10-18,2023-02-21,medium
3ede524d-21cc-472d-a3ce-d21b568d8db7,PsExec Service Start,2018-03-13,2023-02-28,low
80167ada-7a12-41ed-b8e9-aa47195c66a1,Run Whoami as SYSTEM,2019-10-23,2023-02-28,high
fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba,PsExec Tool Execution,2017-06-12,2023-02-28,low
2c0d2d7b-30d6-4d14-9751-7b9113042ab9,Suspicious Characters in CommandLine,2022-04-27,2023-03-03,high
6783aa9e-0dc3-49d4-a94a-8b39c5fd700b,Stop Or Remove Antivirus Service,2021-07-07,2023-03-04,high
7fd4bb39-12d0-45ab-bb36-cebabc73dc7b,Suspicious Execution of Sc to Delete AV Services,2022-08-01,2023-03-04,high
a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2,Renamed PsExec,2019-05-21,2023-03-04,high
1a70042a-6622-4a2b-8958-267625349abf,Run from a Zip File,2021-12-26,2023-03-05,medium
46591fae-7a4c-46ea-aec3-dff5e6d785dc,Root Certificate Installed,2020-10-10,2023-03-05,medium
eb87818d-db5d-49cc-a987-d5da331fbd90,Stop Windows Service,2019-10-23,2023-03-05,low
23250293-eed5-4c39-b57a-841c8933a57d,Visual Basic Script Execution,2022-01-02,2023-03-06,medium
344482e4-a477-436c-aa70-7536d18a48c7,Execution via MSSQL Xp_cmdshell Stored Procedure,2022-09-28,2023-03-06,high
00a4bacd-6db4-46d5-9258-a7d5ebff4003,Read and Execute a File Via Cmd.exe,2022-08-20,2023-03-07,medium
70e68156-6571-427b-a6e9-4476a173a9b6,Cmd Stream Redirection,2022-02-04,2023-03-07,medium
033fe7d6-66d1-4240-ac6b-28908009c71f,APT29,2018-12-04,2023-03-08,high
04d9079e-3905-4b70-ad37-6bdf11304965,CrackMapExecWin,2018-04-08,2023-03-08,critical
18739897-21b1-41da-8ee4-5b786915a676,GALLIUM Artefacts,2020-02-07,2023-03-09,high
0eb2107b-a596-422e-b123-b389d5594ed7,Hurricane Panda Activity,2019-03-04,2023-03-10,high
4a12fa47-c735-4032-a214-6fab5b120670,Lazarus Activity Apr21,2021-04-20,2023-03-10,high
7454df60-1478-484b-810d-bff5d0ba6d4b,DNS Tunnel Technique from MuddyWater,2020-06-04,2023-03-10,critical
7b49c990-4a9a-4e65-ba95-47c9cc448f6e,Lazarus Loaders,2020-12-23,2023-03-10,critical
43f487f0-755f-4c2a-bce7-d6d2eec2fcf8,Suspicious Add Scheduled Task From User AppData Temp,2021-11-03,2023-03-14,high
d813d662-785b-42ca-8b4a-f7457d78d5a9,Suspicious Load of Advapi31.dll,2022-02-03,2023-03-15,informational
e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9,Edit of .bash_profile and .bashrc,2019-05-12,2023-03-23,medium
ba2a7c80-027b-460f-92e2-57d113897dbc,App Permissions Granted For Other APIs,2022-07-28,2023-03-29,medium
18cf6cf0-39b0-4c22-9593-e244bdc9a2d4,TA505 Dropper Load Pattern,2020-12-08,2023-04-05,critical
2d117e49-e626-4c7c-bd1f-c3c0147774c8,Potential PowerShell Base64 Encoded Shellcode,2018-11-17,2023-04-06,medium
635dbb88-67b3-4b41-9ea5-a3af2dd88153,Microsoft Binary Github Communication,2017-08-24,2023-04-18,high
6c939dfa-c710-4e12-a4dd-47e1f10e68e1,Domestic Kitten FurBall Malware Pattern,2021-02-08,2023-04-20,high
6355a919-2e97-4285-a673-74645566340d,Process Memory Dumped Via RdrLeakDiag.EXE,2022-01-04,2023-04-24,high
9cf01b6c-e723-4841-a868-6d7f8245ca6e,Group Modification Logging,2019-03-26,2023-04-26,low
410ad193-a728-4107-bc79-4419789fcbf8,Trickbot Malware Reconnaissance Activity,2019-12-28,2023-04-28,high
fce5f582-cc00-41e1-941a-c6fabf0fdb8c,Suspicious PowerShell Invocations - Specific,2017-03-05,2023-05-04,high
f016c716-754a-467f-a39e-63c06f773987,Suspicious Remote Thread Target,2022-08-25,2023-05-05,medium
65d2be45-8600-4042-b4c0-577a1ff8a60e,Application Whitelisting Bypass via DLL Loaded by odbcconf.exe,2019-10-25,2023-05-22,medium
8e2b24c9-4add-46a0-b4bb-0057b4e6187d,Regsvr32 Anomaly,2019-01-16,2023-05-26,high
fe6e002f-f244-4278-9263-20e4b593827f,Alternate PowerShell Hosts - Image,2019-09-12,2023-06-01,low
9e77ed63-2ecf-4c7b-b09d-640834882028,PsExec Pipes Artifacts,2020-05-10,2023-08-07,medium
39776c99-1c7b-4ba0-b5aa-641525eee1a4,Execution via CL_Mutexverifiers.ps1,2020-10-14,2023-08-17,high
4cd29327-685a-460e-9dac-c3ab96e549dc,Execution via CL_Invocation.ps1 - Powershell,2020-10-14,2023-08-17,high
4e8d5fd3-c959-441f-a941-f73d0cdcdca5,Abusing Windows Telemetry For Persistence - Registry,2020-09-29,2023-08-17,high
7c637634-c95d-4bbf-b26c-a82510874b34,Disable Microsoft Office Security Features,2021-06-08,2023-08-17,high
8a58209c-7ae6-4027-afb0-307a78e4589a,User Account Hidden By Registry,2022-08-20,2023-08-17,high
9b894e57-033f-46cf-b7fa-a52804181973,Office Security Settings Changed,2020-05-22,2023-08-17,high
c81fe886-cac0-4913-a511-2822d72ff505,SilentProcessExit Monitor Registration,2021-02-26,2023-08-17,high
0c1ffcf9-efa9-436e-ab68-23a9496ebf5b,User Added To Admin Group - MacOS,2023-03-19,2023-08-22,medium
5b80cf53-3a46-4adc-960b-05ec19348d74,Wscript Execution from Non C Drive,2022-10-01,2023-08-29,medium
5e3d3601-0662-4af0-b1d2-36a05e90c40a,LSASS Memory Dump File Creation,2019-10-22,2023-08-29,high
839f1ee1-292d-495a-bf37-818267b8ee82,Vulnerable Driver Load By Name,2022-10-03,2023-09-03,low
21b23707-60d6-41bb-96e3-0f0481b0fed9,Vulnerable Dell BIOS Update Driver Load,2021-05-05,2023-09-12,high
7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647,Vulnerable GIGABYTE Driver Load,2022-07-25,2023-09-12,high
7c676970-af4f-43c8-80af-ec9b49952852,Vulnerable AVAST Anti Rootkit Driver Load,2022-07-28,2023-09-12,high
9bacc538-d1b9-4d42-862e-469eafc05a41,Vulnerable HW Driver Load,2022-07-26,2023-09-12,high
ac683a42-877b-4ff8-91ac-69e94b0f70b4,Vulnerable Lenovo Driver Load,2022-11-10,2023-09-12,high
91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6,Usage Of Malicious POORTRY Signed Driver,2022-12-16,2023-09-13,high
d7825193-b70a-48a4-b992-8b5b3015cc11,Windows Update Client LOLBIN,2020-10-17,2023-11-11,high
ca83e9f3-657a-45d0-88d6-c1ac280caf53,New Service Uses Double Ampersand in Path,2022-07-05,2023-11-15,high
fe34868f-6e0e-4882-81f6-c43aa8f15b62,Windows Defender Threat Detection Disabled,2020-07-28,2023-11-22,high
32d0d3e2-e58d-4d41-926b-18b520b2b32d,Credential Dumping Tools Accessing LSASS Memory,2017-02-16,2023-11-30,high
a122ac13-daf8-4175-83a2-72c387be339d,Security Event Log Cleared,2021-08-15,2023-12-06,medium
0332a266-b584-47b4-933d-a00b103e1b37,Suspicious Get-WmiObject,2022-01-12,2023-12-11,low
46deb5e1-28c9-4905-b2df-51cdcc9e6073,PowerShell Scripts Run by a Services,2020-10-06,2023-12-11,high
d23f2ba5-9da0-4463-8908-8ee47f614bb9,Powershell File and Directory Discovery,2021-12-15,2023-12-11,low
df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2,Credential Dumping Tools Service Execution,2017-03-05,2023-12-11,critical
602a1f13-c640-4d73-b053-be9a2fa58b77,Svchost DLL Search Order Hijack,2019-10-28,2024-01-10,high
839dd1e8-eda8-4834-8145-01beeee33acd,SAM Dump to AppData,2018-01-27,2024-01-18,high
e32ce4f5-46c6-4c47-ba69-5de3c9193cd7,Possible Process Hollowing Image Loading,2018-01-07,2024-01-22,high
a6d67db4-6220-436d-8afc-f3842fe05d43,Dnscat Execution,2019-10-24,2024-01-25,critical
d7b09985-95a3-44be-8450-b6eadf49833e,Suspicious Non-Browser Network Communication With Reddit API,2023-02-16,2024-02-02,medium
37325383-740a-403d-b1a2-b2b4ab7992e7,CobaltStrike Malleable (OCSP) Profile,2019-11-12,2024-02-15,high
41b42a36-f62c-4c34-bd40-8cb804a34ad8,CobaltStrike Malformed UAs in Malleable Profiles,2021-05-06,2024-02-15,critical
953b895e-5cc9-454b-b183-7f3db555452e,CobaltStrike Malleable Amazon Browsing Traffic Profile,2019-11-12,2024-02-15,high
c9b33401-cc6a-4cf6-83bb-57ddcb2407fc,CobaltStrike Malleable OneDrive Browsing Traffic Profile,2019-11-12,2024-02-15,high
73fcad2e-ff14-4c38-b11d-4172c8ac86c7,Suspicious Rundll32 Script in CommandLine,2021-12-04,2024-02-23,medium
9f06447a-a33a-4cbe-a94f-a3f43184a7a3,Rundll32 JS RunHTMLApplication Pattern,2022-01-14,2024-02-23,high
e06ac91d-b9e6-443d-8e5b-af749e7aa6b6,iOS Implant URL Pattern,2019-08-30,2024-02-26,critical
628d7a0b-7b84-4466-8552-e6138bc03b43,Suspicious Epmap Connection,2022-07-14,2024-03-01,high
9433ff9c-5d3f-4269-99f8-95fc826ea489,CrackMapExec File Creation Patterns,2022-03-12,2024-03-01,high
c625c4c2-515d-407f-8bb6-456f65955669,Service Binary in Uncommon Folder,2022-05-02,2024-03-25,medium
42f0e038-767e-4b85-9d96-2c6335bad0b5,Adwind RAT / JRAT - Registry,2017-11-10,2024-03-26,high
5039f3d2-406a-4c1a-9350-7a5a85dc84c2,Search-ms and WebDAV Suspicious Indicators in URL,2023-08-21,2024-05-10,high
b916cba1-b38a-42da-9223-17114d846fd6,Potential NT API Stub Patching,2023-01-07,2024-05-27,medium
3d968d17-ffa4-4bc0-bfdc-f139de76ce77,Potential Persistence Via COM Hijacking From Suspicious Locations,2022-07-28,2024-07-16,high
1a3d42dd-3763-46b9-8025-b5f17f340dfb,Suspicious Unattend.xml File Access,2021-12-19,2024-07-22,medium
6902955a-01b7-432c-b32a-6f5f81d8f624,Suspicious File Event With Teams Objects,2022-09-16,2024-07-22,high
a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12,Potential Persistence Via COM Search Order Hijacking,2020-04-14,2024-09-02,medium
a33f8808-2812-4373-ae95-8cfb82134978,Windows Defender Exclusion Deleted,2019-10-26,2025-01-30,medium
e17121b4-ef2a-4418-8a59-12fb1631fa9e,Delete Volume Shadow Copies via WMI with PowerShell - PS Script,2021-12-26,2025-05-20,high
6e897651-f157-4d8f-aaeb-df8151488385,PowerShell Web Download,2022-03-24,2025-07-18,medium
f748c45a-f8d3-4e6f-b617-fe176f695b8f,.RDP File Created by Outlook Process,2024-11-01,2025-07-22,high
a2a3b925-7bb0-433b-b508-db9003263cc4,Active Directory Parsing DLL Loaded Via Office Application,2020-02-19,2025-10-17,medium
cdeef967-f9a1-4375-90ee-6978c5f23974,Azure Application Credential Modified,2021-09-02,2025-10-17,medium
8f70ac5f-1f6f-4f8e-b454-db19561216c5,PowerShell DownloadFile,2020-08-28,2025-10-20,high
e28a5a99-da44-436d-b7a0-2afc20a5f413,Whoami Utility Execution,2018-08-13,2025-10-20,low
7417e29e-c2e7-4cf6-a2e8-767228c64837,Active Directory Kerberos DLL Loaded Via Office Application,2020-02-19,2025-10-22,medium
879c3015-c88b-4782-93d7-07adf92dbcb7,Space After Filename,2020-06-17,2025-11-22,low
e710a880-1f18-4417-b6a0-b5afdf7e305a,Atomic MacOS Stealer - FileGrabber Infostealer Execution,2025-09-12,2025-11-22,high
4be03877-d5b6-4520-85c9-a5911c0a656c,FileFix - Suspicious Child Process from Browser File Upload Abuse,2025-06-26,2025-11-24,high
6e30c82f-a9f8-4aab-b79c-7c12bce6f248,File Download Via Bitsadmin To An Uncommon Target Folder,2022-06-28,2025-12-10,medium
================================================
FILE: deprecated/deprecated.json
================================================
[
{
"id": "867613fb-fa60-4497-a017-a82df74a172c",
"title": "PowerShell Execution",
"date": "2019-09-12",
"modified": "2021-11-05",
"level": "medium"
},
{
"id": "0d894093-71bc-43c3-8c4d-ecfc28dcf5d9",
"title": "Mimikatz Detection LSASS Access",
"date": "2017-10-18",
"modified": "2022-04-11",
"level": "high"
},
{
"id": "3d304fda-78aa-43ed-975c-d740798a49c1",
"title": "Suspicious PowerShell Invocations - Generic",
"date": "2017-03-12",
"modified": "2022-04-11",
"level": "high"
},
{
"id": "56a8189f-11b2-48c8-8ca7-c54b03c2fbf7",
"title": "Suspicious Esentutl Use",
"date": "2020-05-23",
"modified": "2022-04-11",
"level": "high"
},
{
"id": "65531a81-a694-4e31-ae04-f8ba5bc33759",
"title": "Suspicious PowerShell Download",
"date": "2017-03-05",
"modified": "2022-04-11",
"level": "medium"
},
{
"id": "9f7aa113-9da6-4a8d-907c-5f1a4b908299",
"title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction",
"date": "2020-10-05",
"modified": "2022-04-11",
"level": "medium"
},
{
"id": "a0d63692-a531-4912-ad39-4393325b2a9c",
"title": "RClone Execution",
"date": "2021-05-10",
"modified": "2022-04-11",
"level": "high"
},
{
"id": "b932b60f-fdda-4d53-8eda-a170c1d97bbd",
"title": "Activity Related to NTDS.dit Domain Hash Retrieval",
"date": "2019-01-16",
"modified": "2022-04-11",
"level": "high"
},
{
"id": "cb7286ba-f207-44ab-b9e6-760d82b84253",
"title": "Rclone Execution via Command Line or PowerShell",
"date": "2021-05-26",
"modified": "2022-04-11",
"level": "high"
},
{
"id": "fde7929d-8beb-4a4c-b922-be9974671667",
"title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction",
"date": "2020-10-05",
"modified": "2022-04-11",
"level": "medium"
},
{
"id": "17f878b8-9968-4578-b814-c4217fc5768c",
"title": "Autorun Keys Modification",
"date": "2019-10-25",
"modified": "2022-05-14",
"level": "medium"
},
{
"id": "29d31aee-30f4-4006-85a9-a4a02d65306c",
"title": "Lateral Movement Indicator ConDrv",
"date": "2021-04-27",
"modified": "2022-05-14",
"level": "low"
},
{
"id": "98f4c75c-3089-44f3-b733-b327b9cd9c9d",
"title": "Accessing Encrypted Credentials from Google Chrome Login Database",
"date": "2021-12-20",
"modified": "2022-05-14",
"level": "medium"
},
{
"id": "a457f232-7df9-491d-898f-b5aabd2cbe2f",
"title": "Windows Management Instrumentation DLL Loaded Via Microsoft Word",
"date": "2019-12-26",
"modified": "2022-05-14",
"level": "informational"
},
{
"id": "db2110f3-479d-42a6-94fb-d35bc1e46492",
"title": "CreateMiniDump Hacktool",
"date": "2019-12-22",
"modified": "2022-05-14",
"level": "high"
},
{
"id": "2621b3a6-3840-4810-ac14-a02426086171",
"title": "Winword.exe Loads Suspicious DLL",
"date": "2020-10-09",
"modified": "2022-07-25",
"level": "medium"
},
{
"id": "bf6c39fc-e203-45b9-9538-05397c1b4f3f",
"title": "Abusing Findstr for Defense Evasion",
"date": "2020-10-05",
"modified": "2022-10-12",
"level": "medium"
},
{
"id": "82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719",
"title": "Possible Applocker Bypass",
"date": "2019-01-16",
"modified": "2022-11-03",
"level": "low"
},
{
"id": "dca91cfd-d7ab-4c66-8da7-ee57d487b35b",
"title": "Process Start From Suspicious Folder",
"date": "2022-02-11",
"modified": "2022-11-03",
"level": "low"
},
{
"id": "53c7cca0-2901-493a-95db-d00d6fcf0a37",
"title": "Brute Force",
"date": "2019-10-25",
"modified": "2022-11-04",
"level": "medium"
},
{
"id": "5f113a8f-8b61-41ca-b90f-d374fa7e4a39",
"title": "Suspicious In-Memory Module Execution",
"date": "2019-10-27",
"modified": "2022-11-17",
"level": "low"
},
{
"id": "f67dbfce-93bc-440d-86ad-a95ae8858c90",
"title": "Suspicious Bitsadmin Job via PowerShell",
"date": "2018-10-30",
"modified": "2022-11-21",
"level": "high"
},
{
"id": "9d1c72f5-43f0-4da5-9320-648cf2099dd0",
"title": "Excel Proxy Executing Regsvr32 With Payload",
"date": "2021-08-23",
"modified": "2022-12-02",
"level": "high"
},
{
"id": "c0e1c3d5-4381-4f18-8145-2583f06a1fe5",
"title": "Excel Proxy Executing Regsvr32 With Payload Alternate",
"date": "2021-08-23",
"modified": "2022-12-02",
"level": "high"
},
{
"id": "72671447-4352-4413-bb91-b85569687135",
"title": "Nslookup PwSh Download Cradle",
"date": "2022-09-06",
"modified": "2022-12-14",
"level": "medium"
},
{
"id": "3f07b9d1-2082-4c56-9277-613a621983cc",
"title": "Accessing WinAPI in PowerShell for Credentials Dumping",
"date": "2020-10-06",
"modified": "2022-12-18",
"level": "high"
},
{
"id": "e554f142-5cf3-4e55-ace9-a1b59e0def65",
"title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon",
"date": "2020-10-12",
"modified": "2022-12-18",
"level": "critical"
},
{
"id": "17eb8e57-9983-420d-ad8a-2c4976c22eb8",
"title": "MavInject Process Injection",
"date": "2018-12-12",
"modified": "2022-12-19",
"level": "high"
},
{
"id": "36c5146c-d127-4f85-8e21-01bf62355d5a",
"title": "Invoke-Obfuscation Via Use Rundll32",
"date": "2019-10-08",
"modified": "2022-12-30",
"level": "high"
},
{
"id": "6d3f1399-a81c-4409-aff3-1ecfe9330baf",
"title": "PrintNightmare Powershell Exploitation",
"date": "2021-08-09",
"modified": "2023-01-02",
"level": "high"
},
{
"id": "83083ac6-1816-4e76-97d7-59af9a9ae46e",
"title": "AzureHound PowerShell Commands",
"date": "2021-10-23",
"modified": "2023-01-02",
"level": "high"
},
{
"id": "a85cf4e3-56ee-4e79-adeb-789f8fb209a8",
"title": "Indirect Command Exectuion via Forfiles",
"date": "2022-10-17",
"modified": "2023-01-04",
"level": "medium"
},
{
"id": "fa47597e-90e9-41cd-ab72-c3b74cfb0d02",
"title": "Indirect Command Execution",
"date": "2019-10-24",
"modified": "2023-01-04",
"level": "low"
},
{
"id": "e4b63079-6198-405c-abd7-3fe8b0ce3263",
"title": "Suspicious CLR Logs Creation",
"date": "2020-10-12",
"modified": "2023-01-05",
"level": "high"
},
{
"id": "cd5c8085-4070-4e22-908d-a5b3342deb74",
"title": "Suspicious Bitstransfer via PowerShell",
"date": "2021-08-19",
"modified": "2023-01-10",
"level": "medium"
},
{
"id": "d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20",
"title": "Renamed PowerShell",
"date": "2019-08-22",
"modified": "2023-01-18",
"level": "high"
},
{
"id": "d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2",
"title": "Renamed Rundll32.exe Execution",
"date": "2022-06-08",
"modified": "2023-01-18",
"level": "high"
},
{
"id": "e31f89f7-36fb-4697-8ab6-48823708353b",
"title": "Suspicious Cmd Execution via WMI",
"date": "2022-09-27",
"modified": "2023-01-19",
"level": "medium"
},
{
"id": "bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2",
"title": "Netcat The Powershell Version - PowerShell Module",
"date": "2021-07-21",
"modified": "2023-01-20",
"level": "medium"
},
{
"id": "47688f1b-9f51-4656-b013-3cc49a166a36",
"title": "Base64 Encoded Listing of Shadowcopy",
"date": "2022-03-01",
"modified": "2023-01-30",
"level": "high"
},
{
"id": "5b572dcf-254b-425c-a8c5-d9af6bea35a6",
"title": "Potential Xor Encoded PowerShell Command",
"date": "2022-07-06",
"modified": "2023-01-30",
"level": "medium"
},
{
"id": "fd6e2919-3936-40c9-99db-0aa922c356f7",
"title": "Malicious Base64 Encoded Powershell Invoke Cmdlets",
"date": "2022-05-31",
"modified": "2023-01-30",
"level": "high"
},
{
"id": "eeb66bbb-3dde-4582-815a-584aee9fe6d1",
"title": "Correct Execution of Nltest.exe",
"date": "2021-10-04",
"modified": "2023-02-02",
"level": "high"
},
{
"id": "0acaad27-9f02-4136-a243-c357202edd74",
"title": "Ryuk Ransomware Command Line Activity",
"date": "2019-08-06",
"modified": "2023-02-03",
"level": "critical"
},
{
"id": "4f927692-68b5-4267-871b-073c45f4f6fe",
"title": "PowerShell AMSI Bypass Pattern",
"date": "2022-11-04",
"modified": "2023-02-03",
"level": "high"
},
{
"id": "038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e",
"title": "Registry Dump of SAM Creds and Secrets",
"date": "2022-01-05",
"modified": "2023-02-04",
"level": "high"
},
{
"id": "04f5363a-6bca-42ff-be70-0d28bf629ead",
"title": "Office Applications Spawning Wmi Cli Alternate",
"date": "2021-08-23",
"modified": "2023-02-04",
"level": "high"
},
{
"id": "23daeb52-e6eb-493c-8607-c4f0246cb7d8",
"title": "New Lolbin Process by Office Applications",
"date": "2021-08-23",
"modified": "2023-02-04",
"level": "high"
},
{
"id": "518643ba-7d9c-4fa5-9f37-baed36059f6a",
"title": "WMI Execution Via Office Process",
"date": "2021-08-23",
"modified": "2023-02-04",
"level": "medium"
},
{
"id": "77815820-246c-47b8-9741-e0def3f57308",
"title": "Domain Trust Discovery",
"date": "2019-10-23",
"modified": "2023-02-04",
"level": "medium"
},
{
"id": "4d6c9da1-318b-4edf-bcea-b6c93fa98fd0",
"title": "Credential Acquisition via Registry Hive Dumping",
"date": "2022-10-04",
"modified": "2023-02-06",
"level": "high"
},
{
"id": "6545ce61-a1bd-4119-b9be-fcbee42c0cf3",
"title": "Execute MSDT.EXE Using Diagcab File",
"date": "2022-06-09",
"modified": "2023-02-06",
"level": "high"
},
{
"id": "9841b233-8df8-4ad7-9133-b0b4402a9014",
"title": "Sysinternals SDelete Registry Keys",
"date": "2020-05-02",
"modified": "2023-02-07",
"level": "medium"
},
{
"id": "09af397b-c5eb-4811-b2bb-08b3de464ebf",
"title": "WMI Reconnaissance List Remote Services",
"date": "2022-01-01",
"modified": "2023-02-14",
"level": "medium"
},
{
"id": "7b0666ad-3e38-4e3d-9bab-78b06de85f7b",
"title": "Renamed PaExec Execution",
"date": "2019-04-17",
"modified": "2023-02-14",
"level": "medium"
},
{
"id": "bc3cc333-48b9-467a-9d1f-d44ee594ef48",
"title": "SCM DLL Sideload",
"date": "2022-12-01",
"modified": "2023-02-14",
"level": "medium"
},
{
"id": "e42af9df-d90b-4306-b7fb-05c863847ebd",
"title": "WMI Remote Command Execution",
"date": "2022-03-13",
"modified": "2023-02-14",
"level": "medium"
},
{
"id": "fa4b21c9-0057-4493-b289-2556416ae4d7",
"title": "Squirrel Lolbin",
"date": "2019-11-12",
"modified": "2023-02-14",
"level": "medium"
},
{
"id": "e011a729-98a6-4139-b5c4-bf6f6dd8239a",
"title": "Suspicious Certutil Command Usage",
"date": "2019-01-16",
"modified": "2023-02-15",
"level": "high"
},
{
"id": "034affe8-6170-11ec-844f-0f78aa0c4d66",
"title": "Mimikatz MemSSP Default Log File Creation",
"date": "2021-12-20",
"modified": "2023-02-16",
"level": "critical"
},
{
"id": "7fe71fc9-de3b-432a-8d57-8c809efc10ab",
"title": "New Service Creation",
"date": "2019-10-21",
"modified": "2023-02-20",
"level": "low"
},
{
"id": "056a7ee1-4853-4e67-86a0-3fd9ceed7555",
"title": "Invoke-Obfuscation RUNDLL LAUNCHER",
"date": "2020-10-18",
"modified": "2023-02-21",
"level": "medium"
},
{
"id": "3ede524d-21cc-472d-a3ce-d21b568d8db7",
"title": "PsExec Service Start",
"date": "2018-03-13",
"modified": "2023-02-28",
"level": "low"
},
{
"id": "80167ada-7a12-41ed-b8e9-aa47195c66a1",
"title": "Run Whoami as SYSTEM",
"date": "2019-10-23",
"modified": "2023-02-28",
"level": "high"
},
{
"id": "fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba",
"title": "PsExec Tool Execution",
"date": "2017-06-12",
"modified": "2023-02-28",
"level": "low"
},
{
"id": "2c0d2d7b-30d6-4d14-9751-7b9113042ab9",
"title": "Suspicious Characters in CommandLine",
"date": "2022-04-27",
"modified": "2023-03-03",
"level": "high"
},
{
"id": "6783aa9e-0dc3-49d4-a94a-8b39c5fd700b",
"title": "Stop Or Remove Antivirus Service",
"date": "2021-07-07",
"modified": "2023-03-04",
"level": "high"
},
{
"id": "7fd4bb39-12d0-45ab-bb36-cebabc73dc7b",
"title": "Suspicious Execution of Sc to Delete AV Services",
"date": "2022-08-01",
"modified": "2023-03-04",
"level": "high"
},
{
"id": "a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2",
"title": "Renamed PsExec",
"date": "2019-05-21",
"modified": "2023-03-04",
"level": "high"
},
{
"id": "1a70042a-6622-4a2b-8958-267625349abf",
"title": "Run from a Zip File",
"date": "2021-12-26",
"modified": "2023-03-05",
"level": "medium"
},
{
"id": "46591fae-7a4c-46ea-aec3-dff5e6d785dc",
"title": "Root Certificate Installed",
"date": "2020-10-10",
"modified": "2023-03-05",
"level": "medium"
},
{
"id": "eb87818d-db5d-49cc-a987-d5da331fbd90",
"title": "Stop Windows Service",
"date": "2019-10-23",
"modified": "2023-03-05",
"level": "low"
},
{
"id": "23250293-eed5-4c39-b57a-841c8933a57d",
"title": "Visual Basic Script Execution",
"date": "2022-01-02",
"modified": "2023-03-06",
"level": "medium"
},
{
"id": "344482e4-a477-436c-aa70-7536d18a48c7",
"title": "Execution via MSSQL Xp_cmdshell Stored Procedure",
"date": "2022-09-28",
"modified": "2023-03-06",
"level": "high"
},
{
"id": "00a4bacd-6db4-46d5-9258-a7d5ebff4003",
"title": "Read and Execute a File Via Cmd.exe",
"date": "2022-08-20",
"modified": "2023-03-07",
"level": "medium"
},
{
"id": "70e68156-6571-427b-a6e9-4476a173a9b6",
"title": "Cmd Stream Redirection",
"date": "2022-02-04",
"modified": "2023-03-07",
"level": "medium"
},
{
"id": "033fe7d6-66d1-4240-ac6b-28908009c71f",
"title": "APT29",
"date": "2018-12-04",
"modified": "2023-03-08",
"level": "high"
},
{
"id": "04d9079e-3905-4b70-ad37-6bdf11304965",
"title": "CrackMapExecWin",
"date": "2018-04-08",
"modified": "2023-03-08",
"level": "critical"
},
{
"id": "18739897-21b1-41da-8ee4-5b786915a676",
"title": "GALLIUM Artefacts",
"date": "2020-02-07",
"modified": "2023-03-09",
"level": "high"
},
{
"id": "0eb2107b-a596-422e-b123-b389d5594ed7",
"title": "Hurricane Panda Activity",
"date": "2019-03-04",
"modified": "2023-03-10",
"level": "high"
},
{
"id": "4a12fa47-c735-4032-a214-6fab5b120670",
"title": "Lazarus Activity Apr21",
"date": "2021-04-20",
"modified": "2023-03-10",
"level": "high"
},
{
"id": "7454df60-1478-484b-810d-bff5d0ba6d4b",
"title": "DNS Tunnel Technique from MuddyWater",
"date": "2020-06-04",
"modified": "2023-03-10",
"level": "critical"
},
{
"id": "7b49c990-4a9a-4e65-ba95-47c9cc448f6e",
"title": "Lazarus Loaders",
"date": "2020-12-23",
"modified": "2023-03-10",
"level": "critical"
},
{
"id": "43f487f0-755f-4c2a-bce7-d6d2eec2fcf8",
"title": "Suspicious Add Scheduled Task From User AppData Temp",
"date": "2021-11-03",
"modified": "2023-03-14",
"level": "high"
},
{
"id": "d813d662-785b-42ca-8b4a-f7457d78d5a9",
"title": "Suspicious Load of Advapi31.dll",
"date": "2022-02-03",
"modified": "2023-03-15",
"level": "informational"
},
{
"id": "e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9",
"title": "Edit of .bash_profile and .bashrc",
"date": "2019-05-12",
"modified": "2023-03-23",
"level": "medium"
},
{
"id": "ba2a7c80-027b-460f-92e2-57d113897dbc",
"title": "App Permissions Granted For Other APIs",
"date": "2022-07-28",
"modified": "2023-03-29",
"level": "medium"
},
{
"id": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4",
"title": "TA505 Dropper Load Pattern",
"date": "2020-12-08",
"modified": "2023-04-05",
"level": "critical"
},
{
"id": "2d117e49-e626-4c7c-bd1f-c3c0147774c8",
"title": "Potential PowerShell Base64 Encoded Shellcode",
"date": "2018-11-17",
"modified": "2023-04-06",
"level": "medium"
},
{
"id": "635dbb88-67b3-4b41-9ea5-a3af2dd88153",
"title": "Microsoft Binary Github Communication",
"date": "2017-08-24",
"modified": "2023-04-18",
"level": "high"
},
{
"id": "6c939dfa-c710-4e12-a4dd-47e1f10e68e1",
"title": "Domestic Kitten FurBall Malware Pattern",
"date": "2021-02-08",
"modified": "2023-04-20",
"level": "high"
},
{
"id": "6355a919-2e97-4285-a673-74645566340d",
"title": "Process Memory Dumped Via RdrLeakDiag.EXE",
"date": "2022-01-04",
"modified": "2023-04-24",
"level": "high"
},
{
"id": "9cf01b6c-e723-4841-a868-6d7f8245ca6e",
"title": "Group Modification Logging",
"date": "2019-03-26",
"modified": "2023-04-26",
"level": "low"
},
{
"id": "410ad193-a728-4107-bc79-4419789fcbf8",
"title": "Trickbot Malware Reconnaissance Activity",
"date": "2019-12-28",
"modified": "2023-04-28",
"level": "high"
},
{
"id": "fce5f582-cc00-41e1-941a-c6fabf0fdb8c",
"title": "Suspicious PowerShell Invocations - Specific",
"date": "2017-03-05",
"modified": "2023-05-04",
"level": "high"
},
{
"id": "f016c716-754a-467f-a39e-63c06f773987",
"title": "Suspicious Remote Thread Target",
"date": "2022-08-25",
"modified": "2023-05-05",
"level": "medium"
},
{
"id": "65d2be45-8600-4042-b4c0-577a1ff8a60e",
"title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe",
"date": "2019-10-25",
"modified": "2023-05-22",
"level": "medium"
},
{
"id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d",
"title": "Regsvr32 Anomaly",
"date": "2019-01-16",
"modified": "2023-05-26",
"level": "high"
},
{
"id": "fe6e002f-f244-4278-9263-20e4b593827f",
"title": "Alternate PowerShell Hosts - Image",
"date": "2019-09-12",
"modified": "2023-06-01",
"level": "low"
},
{
"id": "9e77ed63-2ecf-4c7b-b09d-640834882028",
"title": "PsExec Pipes Artifacts",
"date": "2020-05-10",
"modified": "2023-08-07",
"level": "medium"
},
{
"id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4",
"title": "Execution via CL_Mutexverifiers.ps1",
"date": "2020-10-14",
"modified": "2023-08-17",
"level": "high"
},
{
"id": "4cd29327-685a-460e-9dac-c3ab96e549dc",
"title": "Execution via CL_Invocation.ps1 - Powershell",
"date": "2020-10-14",
"modified": "2023-08-17",
"level": "high"
},
{
"id": "4e8d5fd3-c959-441f-a941-f73d0cdcdca5",
"title": "Abusing Windows Telemetry For Persistence - Registry",
"date": "2020-09-29",
"modified": "2023-08-17",
"level": "high"
},
{
"id": "7c637634-c95d-4bbf-b26c-a82510874b34",
"title": "Disable Microsoft Office Security Features",
"date": "2021-06-08",
"modified": "2023-08-17",
"level": "high"
},
{
"id": "8a58209c-7ae6-4027-afb0-307a78e4589a",
"title": "User Account Hidden By Registry",
"date": "2022-08-20",
"modified": "2023-08-17",
"level": "high"
},
{
"id": "9b894e57-033f-46cf-b7fa-a52804181973",
"title": "Office Security Settings Changed",
"date": "2020-05-22",
"modified": "2023-08-17",
"level": "high"
},
{
"id": "c81fe886-cac0-4913-a511-2822d72ff505",
"title": "SilentProcessExit Monitor Registration",
"date": "2021-02-26",
"modified": "2023-08-17",
"level": "high"
},
{
"id": "0c1ffcf9-efa9-436e-ab68-23a9496ebf5b",
"title": "User Added To Admin Group - MacOS",
"date": "2023-03-19",
"modified": "2023-08-22",
"level": "medium"
},
{
"id": "5b80cf53-3a46-4adc-960b-05ec19348d74",
"title": "Wscript Execution from Non C Drive",
"date": "2022-10-01",
"modified": "2023-08-29",
"level": "medium"
},
{
"id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a",
"title": "LSASS Memory Dump File Creation",
"date": "2019-10-22",
"modified": "2023-08-29",
"level": "high"
},
{
"id": "839f1ee1-292d-495a-bf37-818267b8ee82",
"title": "Vulnerable Driver Load By Name",
"date": "2022-10-03",
"modified": "2023-09-03",
"level": "low"
},
{
"id": "21b23707-60d6-41bb-96e3-0f0481b0fed9",
"title": "Vulnerable Dell BIOS Update Driver Load",
"date": "2021-05-05",
"modified": "2023-09-12",
"level": "high"
},
{
"id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647",
"title": "Vulnerable GIGABYTE Driver Load",
"date": "2022-07-25",
"modified": "2023-09-12",
"level": "high"
},
{
"id": "7c676970-af4f-43c8-80af-ec9b49952852",
"title": "Vulnerable AVAST Anti Rootkit Driver Load",
"date": "2022-07-28",
"modified": "2023-09-12",
"level": "high"
},
{
"id": "9bacc538-d1b9-4d42-862e-469eafc05a41",
"title": "Vulnerable HW Driver Load",
"date": "2022-07-26",
"modified": "2023-09-12",
"level": "high"
},
{
"id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4",
"title": "Vulnerable Lenovo Driver Load",
"date": "2022-11-10",
"modified": "2023-09-12",
"level": "high"
},
{
"id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6",
"title": "Usage Of Malicious POORTRY Signed Driver",
"date": "2022-12-16",
"modified": "2023-09-13",
"level": "high"
},
{
"id": "d7825193-b70a-48a4-b992-8b5b3015cc11",
"title": "Windows Update Client LOLBIN",
"date": "2020-10-17",
"modified": "2023-11-11",
"level": "high"
},
{
"id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53",
"title": "New Service Uses Double Ampersand in Path",
"date": "2022-07-05",
"modified": "2023-11-15",
"level": "high"
},
{
"id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62",
"title": "Windows Defender Threat Detection Disabled",
"date": "2020-07-28",
"modified": "2023-11-22",
"level": "high"
},
{
"id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d",
"title": "Credential Dumping Tools Accessing LSASS Memory",
"date": "2017-02-16",
"modified": "2023-11-30",
"level": "high"
},
{
"id": "a122ac13-daf8-4175-83a2-72c387be339d",
"title": "Security Event Log Cleared",
"date": "2021-08-15",
"modified": "2023-12-06",
"level": "medium"
},
{
"id": "0332a266-b584-47b4-933d-a00b103e1b37",
"title": "Suspicious Get-WmiObject",
"date": "2022-01-12",
"modified": "2023-12-11",
"level": "low"
},
{
"id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073",
"title": "PowerShell Scripts Run by a Services",
"date": "2020-10-06",
"modified": "2023-12-11",
"level": "high"
},
{
"id": "d23f2ba5-9da0-4463-8908-8ee47f614bb9",
"title": "Powershell File and Directory Discovery",
"date": "2021-12-15",
"modified": "2023-12-11",
"level": "low"
},
{
"id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2",
"title": "Credential Dumping Tools Service Execution",
"date": "2017-03-05",
"modified": "2023-12-11",
"level": "critical"
},
{
"id": "602a1f13-c640-4d73-b053-be9a2fa58b77",
"title": "Svchost DLL Search Order Hijack",
"date": "2019-10-28",
"modified": "2024-01-10",
"level": "high"
},
{
"id": "839dd1e8-eda8-4834-8145-01beeee33acd",
"title": "SAM Dump to AppData",
"date": "2018-01-27",
"modified": "2024-01-18",
"level": "high"
},
{
"id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7",
"title": "Possible Process Hollowing Image Loading",
"date": "2018-01-07",
"modified": "2024-01-22",
"level": "high"
},
{
"id": "a6d67db4-6220-436d-8afc-f3842fe05d43",
"title": "Dnscat Execution",
"date": "2019-10-24",
"modified": "2024-01-25",
"level": "critical"
},
{
"id": "d7b09985-95a3-44be-8450-b6eadf49833e",
"title": "Suspicious Non-Browser Network Communication With Reddit API",
"date": "2023-02-16",
"modified": "2024-02-02",
"level": "medium"
},
{
"id": "37325383-740a-403d-b1a2-b2b4ab7992e7",
"title": "CobaltStrike Malleable (OCSP) Profile",
"date": "2019-11-12",
"modified": "2024-02-15",
"level": "high"
},
{
"id": "41b42a36-f62c-4c34-bd40-8cb804a34ad8",
"title": "CobaltStrike Malformed UAs in Malleable Profiles",
"date": "2021-05-06",
"modified": "2024-02-15",
"level": "critical"
},
{
"id": "953b895e-5cc9-454b-b183-7f3db555452e",
"title": "CobaltStrike Malleable Amazon Browsing Traffic Profile",
"date": "2019-11-12",
"modified": "2024-02-15",
"level": "high"
},
{
"id": "c9b33401-cc6a-4cf6-83bb-57ddcb2407fc",
"title": "CobaltStrike Malleable OneDrive Browsing Traffic Profile",
"date": "2019-11-12",
"modified": "2024-02-15",
"level": "high"
},
{
"id": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7",
"title": "Suspicious Rundll32 Script in CommandLine",
"date": "2021-12-04",
"modified": "2024-02-23",
"level": "medium"
},
{
"id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3",
"title": "Rundll32 JS RunHTMLApplication Pattern",
"date": "2022-01-14",
"modified": "2024-02-23",
"level": "high"
},
{
"id": "e06ac91d-b9e6-443d-8e5b-af749e7aa6b6",
"title": "iOS Implant URL Pattern",
"date": "2019-08-30",
"modified": "2024-02-26",
"level": "critical"
},
{
"id": "628d7a0b-7b84-4466-8552-e6138bc03b43",
"title": "Suspicious Epmap Connection",
"date": "2022-07-14",
"modified": "2024-03-01",
"level": "high"
},
{
"id": "9433ff9c-5d3f-4269-99f8-95fc826ea489",
"title": "CrackMapExec File Creation Patterns",
"date": "2022-03-12",
"modified": "2024-03-01",
"level": "high"
},
{
"id": "c625c4c2-515d-407f-8bb6-456f65955669",
"title": "Service Binary in Uncommon Folder",
"date": "2022-05-02",
"modified": "2024-03-25",
"level": "medium"
},
{
"id": "42f0e038-767e-4b85-9d96-2c6335bad0b5",
"title": "Adwind RAT / JRAT - Registry",
"date": "2017-11-10",
"modified": "2024-03-26",
"level": "high"
},
{
"id": "5039f3d2-406a-4c1a-9350-7a5a85dc84c2",
"title": "Search-ms and WebDAV Suspicious Indicators in URL",
"date": "2023-08-21",
"modified": "2024-05-10",
"level": "high"
},
{
"id": "b916cba1-b38a-42da-9223-17114d846fd6",
"title": "Potential NT API Stub Patching",
"date": "2023-01-07",
"modified": "2024-05-27",
"level": "medium"
},
{
"id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77",
"title": "Potential Persistence Via COM Hijacking From Suspicious Locations",
"date": "2022-07-28",
"modified": "2024-07-16",
"level": "high"
},
{
"id": "1a3d42dd-3763-46b9-8025-b5f17f340dfb",
"title": "Suspicious Unattend.xml File Access",
"date": "2021-12-19",
"modified": "2024-07-22",
"level": "medium"
},
{
"id": "6902955a-01b7-432c-b32a-6f5f81d8f624",
"title": "Suspicious File Event With Teams Objects",
"date": "2022-09-16",
"modified": "2024-07-22",
"level": "high"
},
{
"id": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12",
"title": "Potential Persistence Via COM Search Order Hijacking",
"date": "2020-04-14",
"modified": "2024-09-02",
"level": "medium"
},
{
"id": "a33f8808-2812-4373-ae95-8cfb82134978",
"title": "Windows Defender Exclusion Deleted",
"date": "2019-10-26",
"modified": "2025-01-30",
"level": "medium"
},
{
"id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e",
"title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script",
"date": "2021-12-26",
"modified": "2025-05-20",
"level": "high"
},
{
"id": "6e897651-f157-4d8f-aaeb-df8151488385",
"title": "PowerShell Web Download",
"date": "2022-03-24",
"modified": "2025-07-18",
"level": "medium"
},
{
"id": "f748c45a-f8d3-4e6f-b617-fe176f695b8f",
"title": ".RDP File Created by Outlook Process",
"date": "2024-11-01",
"modified": "2025-07-22",
"level": "high"
},
{
"id": "a2a3b925-7bb0-433b-b508-db9003263cc4",
"title": "Active Directory Parsing DLL Loaded Via Office Application",
"date": "2020-02-19",
"modified": "2025-10-17",
"level": "medium"
},
{
"id": "cdeef967-f9a1-4375-90ee-6978c5f23974",
"title": "Azure Application Credential Modified",
"date": "2021-09-02",
"modified": "2025-10-17",
"level": "medium"
},
{
"id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5",
"title": "PowerShell DownloadFile",
"date": "2020-08-28",
"modified": "2025-10-20",
"level": "high"
},
{
"id": "e28a5a99-da44-436d-b7a0-2afc20a5f413",
"title": "Whoami Utility Execution",
"date": "2018-08-13",
"modified": "2025-10-20",
"level": "low"
},
{
"id": "7417e29e-c2e7-4cf6-a2e8-767228c64837",
"title": "Active Directory Kerberos DLL Loaded Via Office Application",
"date": "2020-02-19",
"modified": "2025-10-22",
"level": "medium"
},
{
"id": "879c3015-c88b-4782-93d7-07adf92dbcb7",
"title": "Space After Filename",
"date": "2020-06-17",
"modified": "2025-11-22",
"level": "low"
},
{
"id": "e710a880-1f18-4417-b6a0-b5afdf7e305a",
"title": "Atomic MacOS Stealer - FileGrabber Infostealer Execution",
"date": "2025-09-12",
"modified": "2025-11-22",
"level": "high"
},
{
"id": "4be03877-d5b6-4520-85c9-a5911c0a656c",
"title": "FileFix - Suspicious Child Process from Browser File Upload Abuse",
"date": "2025-06-26",
"modified": "2025-11-24",
"level": "high"
},
{
"id": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248",
"title": "File Download Via Bitsadmin To An Uncommon Target Folder",
"date": "2022-06-28",
"modified": "2025-12-10",
"level": "medium"
}
]
================================================
FILE: deprecated/linux/lnx_auditd_alter_bash_profile.yml
================================================
title: Edit of .bash_profile and .bashrc
id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
status: deprecated
description: Detects changes to user shell environment files. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
references:
- 'MITRE Attack technique T1156; .bash_profile and .bashrc. '
author: Peter Matkovski
date: 2019/05/12
modified: 2023/03/23
tags:
- attack.s0003
- attack.persistence
- attack.t1546.004
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name:
- '/root/.bashrc'
- '/root/.bash_profile'
- '/root/.profile'
- '/home/*/.bashrc'
- '/home/*/.bash_profile'
- '/home/*/.profile'
- '/etc/profile'
- '/etc/shells'
- '/etc/bashrc'
- '/etc/csh.cshrc'
- '/etc/csh.login'
condition: selection
falsepositives:
- Admin or User activity
level: medium
================================================
FILE: deprecated/linux/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
================================================
title: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd
id: 045b5f9c-49f7-4419-a236-9854fb3c827a
status: unsupported # This rule requires correlations. See https://github.com/SigmaHQ/sigma/discussions/4440#discussioncomment-7070862 and https://user-images.githubusercontent.com/9653181/133756156-4fb9c2b1-aa65-4380-957b-72170de36fc4.png
description: |
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.
SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager,
Microsoft Azure, and Microsoft Operations Management Suite.
references:
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- https://github.com/Azure/Azure-Sentinel/pull/3059
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-09-17
modified: 2024-09-02
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.execution
- attack.t1068
- attack.t1190
- attack.t1203
logsource:
product: linux
service: auditd
detection:
selection:
type: 'SYSCALL'
syscall: 'execve'
uid: 0
cwd: '/var/opt/microsoft/scx/tmp'
comm: 'sh'
condition: selection
falsepositives:
- Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
level: high
================================================
FILE: deprecated/linux/lnx_space_after_filename_.yml
================================================
title: Space After Filename
id: 879c3015-c88b-4782-93d7-07adf92dbcb7
status: deprecated
description: Detects the creation of an executable file whose name has a trailing space after the filename
author: Ömer Günal
date: 2020-06-17
modified: 2025-11-22
tags:
- attack.execution
- attack.t1059
logsource:
product: linux
detection:
selection1:
- 'echo "*" > * && chmod +x *'
selection2:
- 'mv * "* "'
condition: all of selection*
falsepositives:
- Typos
level: low
================================================
FILE: deprecated/macos/proc_creation_macos_add_to_admin_group.yml
================================================
title: User Added To Admin Group - MacOS
id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
status: deprecated
description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
- https://ss64.com/osx/dscl.html
- https://ss64.com/osx/sysadminctl.html
author: Sohan G (D4rkCiph3r)
date: 2023/03/19
modified: 2023/08/22
tags:
- attack.t1078.003
- attack.initial_access
- attack.privilege_escalation
logsource:
category: process_creation
product: macos
detection:
selection_sysadminctl: #creates and adds new user to admin group
Image|endswith: '/sysadminctl'
CommandLine|contains|all:
- ' -addUser '
- ' -admin '
selection_dscl: #adds to admin group
Image|endswith: '/dscl'
CommandLine|contains|all:
- ' -append '
- ' /Groups/admin '
- ' GroupMembership '
condition: 1 of selection_*
falsepositives:
- Legitimate administration activities
level: medium
================================================
FILE: deprecated/macos/proc_creation_macos_malware_amos_filegrabber_exec.yml
================================================
title: Atomic MacOS Stealer - FileGrabber Infostealer Execution
id: e710a880-1f18-4417-b6a0-b5afdf7e305a
status: deprecated
description: |
Detects the execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files.
references:
- https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
- https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
author: Jason Phang Vern - Onn (Gen Digital)
date: 2025-09-12
modified: 2025-11-22
tags:
- attack.execution
- attack.t1059.002
- detection.emerging-threats
logsource:
category: process_creation
product: macos
detection:
selection:
CommandLine|contains|all:
- 'FileGrabber'
- '/tmp'
condition: selection
falsepositives:
- Unknown
level: high
================================================
FILE: deprecated/other/generic_brute_force.yml
================================================
title: Brute Force
id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
status: deprecated
description: Detects many authentication failures from one source to one destination, which may indicate brute force activity
author: Aleksandr Akhremchik, oscd.community
date: 2019/10/25
modified: 2022/11/04
logsource:
category: authentication
detection:
selection:
action: failure
timeframe: 600s
condition: selection | count(category) by dst_ip > 30
fields:
- src_ip
- dst_ip
- user
falsepositives:
- Inventory scanning
- Vulnerability scanner
- Legitimate application
level: medium
tags:
- attack.credential_access
- attack.t1110
================================================
FILE: deprecated/web/proxy_apt_domestic_kitten.yml
================================================
title: Domestic Kitten FurBall Malware Pattern
id: 6c939dfa-c710-4e12-a4dd-47e1f10e68e1
status: deprecated
description: Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group
references:
- https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/
author: Florian Roth (Nextron Systems)
date: 2021/02/08
modified: 2023/04/20
tags:
- attack.command_and_control
logsource:
category: proxy
detection:
selection:
c-uri|contains:
- 'Get~~~AllBrowser'
- 'Get~~~HardwareInfo'
- 'Take~~RecordCall'
- 'Reset~~~AllCommand'
condition: selection
fields:
- c-ip
- c-uri
falsepositives:
- Unlikely
level: high
================================================
FILE: deprecated/web/proxy_cobalt_amazon.yml
================================================
title: CobaltStrike Malleable Amazon Browsing Traffic Profile
id: 953b895e-5cc9-454b-b183-7f3db555452e
status: deprecated
description: Detects Cobalt Strike Malleable C2 traffic matching the Amazon browsing profile
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile
- https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
author: Markus Neis
date: 2019/11/12
modified: 2024/02/15
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
logsource:
category: proxy
detection:
selection_1:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
cs-method: 'GET'
c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
cs-host: 'www.amazon.com'
cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
selection_2:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
cs-method: 'POST'
c-uri: '/N4215/adj/amzn.us.sr.aps'
cs-host: 'www.amazon.com'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
================================================
FILE: deprecated/web/proxy_cobalt_malformed_uas.yml
================================================
title: CobaltStrike Malformed UAs in Malleable Profiles
id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
status: deprecated
description: Detects various malformed user agents found in Malleable C2 profiles used with Cobalt Strike
references:
- https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
author: Florian Roth (Nextron Systems)
date: 2021/05/06
modified: 2024/02/15
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
logsource:
category: proxy
detection:
selection1:
c-useragent:
- 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'
- 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'
selection2:
c-useragent|endswith: '; MANM; MANM)'
condition: 1 of selection*
falsepositives:
- Unknown
level: critical
================================================
FILE: deprecated/web/proxy_cobalt_ocsp.yml
================================================
title: CobaltStrike Malleable (OCSP) Profile
id: 37325383-740a-403d-b1a2-b2b4ab7992e7
status: deprecated
description: Detects the Cobalt Strike Malleable (OCSP) profile by the typo (OSCP) in its URL
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile
author: Markus Neis
date: 2019/11/12
modified: 2024/02/15
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-uri|contains: '/oscp/'
cs-host: 'ocsp.verisign.com'
condition: selection
falsepositives:
- Unknown
level: high
================================================
FILE: deprecated/web/proxy_cobalt_onedrive.yml
================================================
title: CobaltStrike Malleable OneDrive Browsing Traffic Profile
id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
status: deprecated
description: Detects Cobalt Strike Malleable C2 traffic matching the OneDrive browsing profile
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
author: Markus Neis
date: 2019/11/12
modified: 2024/02/15
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
cs-method: 'GET'
c-uri|endswith: '\?manifest=wac'
cs-host: 'onedrive.live.com'
filter:
c-uri|startswith: 'http'
c-uri|contains: '://onedrive.live.com/'
condition: selection and not filter
falsepositives:
- Unknown
level: high
================================================
FILE: deprecated/web/proxy_ios_implant.yml
================================================
title: iOS Implant URL Pattern
id: e06ac91d-b9e6-443d-8e5b-af749e7aa6b6
status: deprecated # Deprecated because it relates to iOS, for which logging varies, and the pattern is old
description: Detects URL pattern used by iOS Implant
references:
- https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html
- https://twitter.com/craiu/status/1167358457344925696
author: Florian Roth (Nextron Systems)
date: 2019/08/30
modified: 2024/02/26
tags:
- attack.execution
- attack.t1203
- attack.collection
- attack.t1005
- attack.t1119
- attack.credential_access
- attack.t1528
- attack.t1552.001
logsource:
category: proxy
detection:
selection:
c-uri|contains: '/list/suc\?name='
condition: selection
fields:
- ClientIP
- c-uri
- c-useragent
falsepositives:
- Unknown
level: critical
================================================
FILE: deprecated/web/proxy_webdav_search_ms.yml
================================================
title: Search-ms and WebDAV Suspicious Indicators in URL
id: 5039f3d2-406a-4c1a-9350-7a5a85dc84c2
status: deprecated # See https://github.com/SigmaHQ/sigma/pull/4845
description: Detects URL pattern used by search(-ms)/WebDAV initial access campaigns.
references:
- https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
- https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
author: Micah Babinski
date: 2023/08/21
modified: 2024/05/10
tags:
- attack.initial_access
- attack.t1584
- attack.t1566
logsource:
category: proxy
detection:
selection_search_ms:
c-uri|contains|all:
- 'search' # Matches on search:query= or search-ms:query=
- ':query='
- 'webdav'
selection_search_term:
c-uri|contains:
# Note: Add additional keywords for additional coverage
- 'agreement'
- 'invoice'
- 'notice'
- 'payment'
filter_main_local_ips:
dst_ip|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
================================================
FILE: deprecated/windows/create_remote_thread_win_susp_remote_thread_target.yml
================================================
title: Suspicious Remote Thread Target
id: f016c716-754a-467f-a39e-63c06f773987
status: deprecated
description: |
Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild.
This rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.
It is a generic rule, but it should have a low false positive ratio due to the selected range of processes.
references:
- https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
author: Florian Roth (Nextron Systems)
date: 2022/08/25
modified: 2023/05/05
logsource:
product: windows
category: create_remote_thread
detection:
selection:
TargetImage|endswith:
- '\spoolsv.exe'
- '\notepad.exe'
filter:
- SourceImage|endswith: '\csrss.exe'
- SourceImage|contains: 'unknown process'
- StartFunction: 'EtwpNotificationThread'
condition: selection and not filter
fields:
- ComputerName
- User
- SourceImage
- TargetImage
falsepositives:
- Unknown
level: medium
================================================
FILE: deprecated/windows/driver_load_win_mal_creddumper.yml
================================================
title: Credential Dumping Tools Service Execution
id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2
related:
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
type: derived
status: deprecated
description: Detects well-known credential dumping tools execution via service execution events
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017/03/05
modified: 2023/12/11
tags:
- attack.credential_access
- attack.execution
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1569.002
- attack.s0005
logsource:
product: windows
category: driver_load
detection:
selection:
ImageLoaded|contains:
- 'cachedump'
- 'dumpsvc'
- 'fgexec'
- 'gsecdump'
- 'mimidrv'
- 'pwdump'
- 'servpw'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: critical
================================================
FILE: deprecated/windows/driver_load_win_mal_poortry_driver.yml
================================================
title: Usage Of Malicious POORTRY Signed Driver
id: 91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6
status: deprecated
description: Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.
references:
- https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/12/16
modified: 2023/09/13
tags:
- attack.privilege_escalation
- attack.t1543
- attack.t1068
logsource:
category: driver_load
product: windows
detection:
selection_image:
ImageLoaded|contains:
- '\prokiller64.sys'
- '\gftkyj64.sys'
- '\KApcHelper_x64.sys'
- '\NodeDriver.sys'
- '\LcTkA.sys'
selection_sysmon:
Hashes|contains:
- 'SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc'
- 'SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c'
- 'SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104'
- 'SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c'
- 'SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4'
- 'SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497'
- 'SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a'
- 'SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d'
- 'SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c'
- 'SHA1=cc65bf60600b64feece5575f21ab89e03a728332'
- 'SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e'
- 'SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98'
- 'MD5=10f3679384a03cb487bda9621ceb5f90'
- 'MD5=04a88f5974caa621cee18f34300fc08a'
- 'MD5=6fcf56f6ca3210ec397e55f727353c4a'
- 'MD5=0f16a43f7989034641fd2de3eb268bf1'
- 'MD5=ee6b1a79cb6641aa44c762ee90786fe0'
- 'MD5=909f3fc221acbe999483c87d9ead024a'
condition: 1 of selection*
falsepositives:
- Legitimate BIOS driver updates (should be rare)
level: high
================================================
FILE: deprecated/windows/driver_load_win_powershell_script_installed_as_service.yml
================================================
title: PowerShell Scripts Run by a Services
id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073
related:
- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
type: derived
status: deprecated
description: Detects a PowerShell script installed as a service
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020/10/06
modified: 2023/12/11
tags:
- attack.execution
- attack.t1569.002
logsource:
product: windows
category: driver_load
detection:
selection:
ImageLoaded|contains:
- 'powershell'
- 'pwsh'
condition: selection
falsepositives:
- Unknown
level: high
================================================
FILE: deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml
================================================
title: Vulnerable AVAST Anti Rootkit Driver Load
id: 7c676970-af4f-43c8-80af-ec9b49952852
status: deprecated
description: Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products
references:
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/28
modified: 2023/09/12
tags:
- attack.privilege_escalation
- attack.t1543.003
logsource:
product: windows
category: driver_load
detection:
selection_sysmon:
Hashes|contains:
- 'MD5=a179c4093d05a3e1ee73f6ff07f994aa'
- 'SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4'
- 'SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1'
driver_img:
ImageLoaded|endswith: '\aswArPot.sys'
driver_status:
- Signed: 'false'
- SignatureStatus: Expired
condition: selection_sysmon or all of driver_*
falsepositives:
- Unknown
level: high
================================================
FILE: deprecated/windows/driver_load_win_vuln_dell_driver.yml
================================================
title: Vulnerable Dell BIOS Update Driver Load
id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
status: deprecated
description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
references:
- https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
author: Florian Roth (Nextron Systems)
date: 2021/05/05
modified: 2023/09/12
tags:
- attack.privilege_escalation
- cve.2021.21551
- attack.t1543
- attack.t1068
logsource:
category: driver_load
product: windows
detection:
selection_image:
ImageLoaded|contains: '\DBUtil_2_3.Sys'
selection_sysmon:
Hashes|contains:
- 'SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5'
- 'SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1'
- 'SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD'
- 'SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25'
- 'MD5=C996D7971C49252C582171D9380360F2'
- 'MD5=D2FD132AB7BBC6BBB87A84F026FA0244'
condition: 1 of selection*
falsepositives:
- Legitimate BIOS driver updates (should be rare)
level: high
================================================
FILE: deprecated/windows/driver_load_win_vuln_drivers_names.yml
================================================
title: Vulnerable Driver Load By Name
id: 839f1ee1-292d-495a-bf37-818267b8ee82
related:
- id: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8
type: derived
status: deprecated
description: Detects the load of known vulnerable drivers via their names only.
references:
- https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/10/03
modified: 2023/09/03
tags:
- attack.privilege_escalation
- attack.t1543.003
- attack.t1068
logsource:
product: windows
category: driver_load
detection:
selection:
ImageLoaded|endswith:
- '\reddriver.sys'
- '\mhyprot2.sys'
- '\hwos2ec7x64.sys'
- '\asrdrv103.sys'
- '\e29f6311ae87542b3d693c1f38e4e3ad.sys'
- '\gvcidrv64.sys'
- '\spwizimgvt.sys'
- '\hwos2ec10x64.sys'
- '\e939448b28a4edc81f1f974cebf6e7d2.sys'
- '\phymemx64.sys'
- '\dh_kernel.sys'
- '\bs_def.sys'
- '\nbiolib_x64.sys'
- '\viraglt64.sys'
- '\ntiolib.sys'
- '\paniox64.sys'
- '\libnicm.sys'
- '\phymem64.sys'
- '\fiddrv.sys'
- '\cpuz141.sys'
- '\yyprotect64.sys'
- '\daxin_blank3.sys'
- '\aswarpot.sys'
- '\t8.sys'
- '\driver7-x86-withoutdbg.sys'
- '\dcr.sys'
- '\b3.sys'
- '\asupio.sys'
- '\blackbonedrv10.sys'
- '\rzpnk.sys'
- '\iomem64.sys'
- '\kfeco11x64.sys'
- '\t.sys'
- '\wantd.sys'
- '\mimikatz.sys'
- '\wantd_4.sys'
- '\chaos-rootkit.sys'
- '\mhyprot.sys'
- '\nlslexicons0024uvn.sys'
- '\piddrv64.sys'
- '\aswvmm.sys'
- '\superbmc.sys'
- '\kprocesshacker.sys'
- '\lmiinfo.sys'
- '\jokercontroller.sys'
- '\blackbone.sys'
- '\fur.sys'
- '\vboxmousent.sys'
- '\mapmom.sys'
- '\windows-xp-64.sys'
- '\d3.sys'
- '\inpout32.sys'
- '\tfbfs3ped.sys'
- '\etdsupp.sys'
- '\asmmap64.sys'
- '\lurker.sys'
- '\alsysio64.sys'
- '\ntiolib_x64.sys'
- '\asas.sys'
- '\vproeventmonitor.sys'
- '\dbutil_2_3.sys'
- '\malicious.sys'
- '\cpupress.sys'
- '\netfilter2.sys'
- '\wintapix.sys'
- '\mhyprotnap.sys'
- '\ktes.sys'
- '\titidrv.sys'
- '\rtcore64.sys'
- '\physmem.sys'
- '\d.sys'
- '\asrdrv106.sys'
- '\winiodrv.sys'
- '\phlashnt.sys'
- '\sfdrvx64.sys'
- '\ene.sys'
- '\nqrmq.sys'
- '\phydmaccx86.sys'
- '\fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys'
- '\magdrvamd64.sys'
- '\a26363e7b02b13f2b8d697abb90cd5c3.sys'
- '\amdryzenmasterdriver.sys'
- '\amigendrv64.sys'
- '\d2.sys'
- '\agent64.sys'
- '\bs_rcio64.sys'
- '\goad.sys'
- '\bsmi.sys'
- '\nvflsh64.sys'
- '\gametersafe.sys'
- '\ndislan.sys'
- '\bw.sys'
- '\directio32.sys'
- '\asrsmartconnectdrv.sys'
- '\ktgn.sys'
- '\eneio64.sys'
- '\amp.sys'
- '\gdrv.sys'
- '\tmel.sys'
- '\nstr.sys'
- '\winring0.sys'
- '\fiddrv64.sys'
- '\tmcomm.sys'
- '\daxin_blank2.sys'
- '\poortry2.sys'
- '\bsmemx64.sys'
- '\asio.sys'
- '\gmer64.sys'
- '\panio.sys'
- '\ucorew64.sys'
- '\atszio64.sys'
- '\nt2.sys'
- '\pciecubed.sys'
- '\nvflsh32.sys'
- '\ssport.sys'
- '\wcpu.sys'
- '\winio64.sys'
- '\msio64.sys'
- '\black.sys'
- '\nicm.sys'
- '\daxin_blank1.sys'
- '\my.sys'
- '\tgsafe.sys'
- '\dbk64.sys'
- '\proxydrv.sys'
- '\1fc7aeeff3ab19004d2e53eae8160ab1.sys'
- '\capcom.sys'
- '\asio32.sys'
- '\proxy32.sys'
- '\asrdrv102.sys'
- '\vboxguest.sys'
- '\vboxtap.sys'
- '\daxin_blank.sys'
- '\poortry.sys'
- '\ntbios.sys'
- '\glckio2.sys'
- '\dbutildrv2.sys'
- '\kfeco10x64.sys'
- '\lenovodiagnosticsdriver.sys'
- '\netfilter.sys'
- '\corsairllaccess64.sys'
- '\semav6msr.sys'
- '\bs_rciow1064.sys'
- '\vboxusbmon.sys'
- '\nodedriver.sys'
- '\iobitunlocker.sys'
- '\smep_namco.sys'
- '\asio64.sys'
- '\xjokercontroller.sys'
- '\irec.sys'
- '\asribdrv.sys'
- '\mhyprot3.sys'
- '\daxin_blank6.sys'
- '\fidpcidrv.sys'
- '\bandai.sys'
- '\procexp.sys'
- '\daxin_blank5.sys'
- '\daxin_blank4.sys'
- '\bedaisy.sys'
- '\asrdrv10.sys'
- '\bwrsh.sys'
- '\eio.sys'
- '\winio64a.sys'
- '\citmdrv_ia64.sys'
- '\7.sys'
- '\b.sys'
- '\bwrs.sys'
- '\nt3.sys'
- '\wiseunlo.sys'
- '\ncpl.sys'
- '\ctiio64.sys'
- '\hw.sys'
- '\asromgdrv.sys'
- '\bs_hwmio64.sys'
- '\lgdatacatcher.sys'
- '\rtkio.sys'
- '\winio32.sys'
- '\phydmaccx64.sys'
- '\mtcbsv64.sys'
- '\ni.sys'
- '\b4.sys'
- '\directio64.sys'
- '\vboxdrv.sys'
- '\nvflash.sys'
- '\hpportiox64.sys'
- '\bs_i2c64.sys'
- '\iomap64.sys'
- '\vboxusb.sys'
- '\msqpq.sys'
- '\sysinfo.sys'
- '\mhyprotect.sys'
- '\naldrv.sys'
- '\lgdcatcher.sys'
- '\echo_driver.sys'
- '\otipcibus.sys'
- '\testbone.sys'
- '\lctka.sys'
- '\wyproxy64.sys'
- '\pchunter.sys'
- '\amdpowerprofiler.sys'
- '\wantd_3.sys'
- '\test2.sys'
- '\rtcoremini64.sys'
- '\d4.sys'
- '\piddrv.sys'
- '\panmonflt.sys'
- '\windows8-10-32.sys'
- '\wantd_5.sys'
- '\mjj0ge.sys'
- '\kt2.sys'
- '\rtkiow8x64.sys'
- '\nstrwsk.sys'
- '\msio32.sys'
- '\ktmutil7odm.sys'
- '\hwrwdrv.sys'
- '\nchgbios2x64.sys'
- '\bs_hwmio64_w10.sys'
- '\mydrivers.sys'
- '\t7.sys'
- '\wantd_6.sys'
- '\sandra.sys'
- '\atillk64.sys'
- '\cpuz.sys'
- '\netproxydriver.sys'
- '\protects.sys'
- '\asrrapidstartdrv.sys'
- '\dh_kernel_10.sys'
- '\ef0e1725aaf0c6c972593f860531a2ea.sys'
- '\enetechio64.sys'
- '\citmdrv_amd64.sys'
- '\iqvw64e.sys'
- '\bsmixp64.sys'
- '\bs_i2cio.sys'
- '\prokiller64.sys'
- '\netflt.sys'
- '\4748696211bd56c2d93c21cab91e82a5.sys'
- '\openlibsys.sys'
- '\adv64drv.sys'
- '\be6318413160e589080df02bb3ca6e6a.sys'
- '\cupfixerx64.sys'
- '\se64a.sys'
- '\speedfan.sys'
- '\a236e7d654cd932b7d11cb604629a2d0.sys'
- '\winio32b.sys'
- '\winio64b.sys'
- '\sysdrv3s.sys'
- '\lv561av.sys'
- '\bs_def64.sys'
- '\mlgbbiicaihflrnh.sys'
- '\dbutil.sys'
- '\834761775.sys'
- '\kdriver.sys'
- '\spf.sys'
- '\dkrtk.sys'
- '\bs_flash64.sys'
- '\nt4.sys'
- '\4.sys'
- '\directio32_legacy.sys'
- '\viragt64.sys'
- '\hostnt.sys'
- '\poortry1.sys'
- '\c94f405c5929cfcccc8ad00b42c95083.sys'
- '\b1.sys'
- '\wantd_2.sys'
- '\mhyprotrpg.sys'
- '\nscm.sys'
- '\smep_capcom.sys'
- '\sense5ext.sys'
- '\lha.sys'
- '\atszio.sys'
- '\amifldrv64.sys'
- '\blacklotus_driver.sys'
- '\asrautochkupddrv.sys'
- '\cpuz_x64.sys'
- '\asrautochkupddrv_1_0_32.sys'
- '\bs_rcio.sys'
- '\elbycdio.sys'
- '\fidpcidrv64.sys'
- '\elrawdsk.sys'
- '\telephonuafy.sys'
- '\rwdrv.sys'
- '\lgcoretemp.sys'
- '\segwindrvx64.sys'
- '\windows7-32.sys'
- '\asrsetupdrv103.sys'
-
gitextract_6lfx6dd0/ ├── .gitattributes ├── .github/ │ ├── FUNDING.yml │ ├── ISSUE_TEMPLATE/ │ │ ├── false_positive_report.yml │ │ └── rule_proposal.md │ ├── PULL_REQUEST_TEMPLATE.md │ ├── labeler.yml │ ├── latest_archiver_output.md │ └── workflows/ │ ├── goodlog-tests.yml │ ├── greetings.yml │ ├── known-FPs.csv │ ├── matchgrep.sh │ ├── pr-labeler.yml │ ├── ref-archiver.yml │ ├── regression-tests.yml │ ├── release.yml │ ├── sigma-rule-deprecated.yml │ ├── sigma-rule-promoter.yml │ ├── sigma-test.yml │ ├── sigma-validation.yml │ └── update-heatmap.yml ├── .gitignore ├── .yamllint ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── Releases.md ├── deprecated/ │ ├── README.md │ ├── cloud/ │ │ ├── azure_app_credential_modification.yml │ │ └── azure_app_permissions_for_api.yml │ ├── deprecated.csv │ ├── deprecated.json │ ├── linux/ │ │ ├── lnx_auditd_alter_bash_profile.yml │ │ ├── lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml │ │ └── lnx_space_after_filename_.yml │ ├── macos/ │ │ ├── proc_creation_macos_add_to_admin_group.yml │ │ └── proc_creation_macos_malware_amos_filegrabber_exec.yml │ ├── other/ │ │ └── generic_brute_force.yml │ ├── web/ │ │ ├── proxy_apt_domestic_kitten.yml │ │ ├── proxy_cobalt_amazon.yml │ │ ├── proxy_cobalt_malformed_uas.yml │ │ ├── proxy_cobalt_ocsp.yml │ │ ├── proxy_cobalt_onedrive.yml │ │ ├── proxy_ios_implant.yml │ │ └── proxy_webdav_search_ms.yml │ └── windows/ │ ├── create_remote_thread_win_susp_remote_thread_target.yml │ ├── driver_load_win_mal_creddumper.yml │ ├── driver_load_win_mal_poortry_driver.yml │ ├── driver_load_win_powershell_script_installed_as_service.yml │ ├── driver_load_win_vuln_avast_anti_rootkit_driver.yml │ ├── driver_load_win_vuln_dell_driver.yml │ ├── driver_load_win_vuln_drivers_names.yml │ ├── driver_load_win_vuln_gigabyte_driver.yml │ ├── driver_load_win_vuln_hw_driver.yml │ ├── driver_load_win_vuln_lenovo_driver.yml │ ├── file_event_win_access_susp_teams.yml │ ├── 
file_event_win_access_susp_unattend_xml.yml │ ├── file_event_win_crackmapexec_patterns.yml │ ├── file_event_win_hktl_createminidump.yml │ ├── file_event_win_lsass_memory_dump_file_creation.yml │ ├── file_event_win_mimikatz_memssp_log_file.yml │ ├── file_event_win_office_outlook_rdp_file_creation.yml │ ├── file_event_win_susp_clr_logs.yml │ ├── image_load_alternate_powershell_hosts_moduleload.yml │ ├── image_load_office_dsparse_dll_load.yml │ ├── image_load_office_kerberos_dll_load.yml │ ├── image_load_side_load_advapi32.yml │ ├── image_load_side_load_scm.yml │ ├── image_load_side_load_svchost_dlls.yml │ ├── image_load_susp_uncommon_image_load.yml │ ├── image_load_susp_winword_wmidll_load.yml │ ├── net_connection_win_binary_github_com.yml │ ├── net_connection_win_reddit_api_non_browser_access.yml │ ├── net_connection_win_susp_epmap.yml │ ├── pipe_created_psexec_pipes_artifacts.yml │ ├── posh_pm_powercat.yml │ ├── posh_ps_access_to_chrome_login_data.yml │ ├── posh_ps_azurehound_commands.yml │ ├── posh_ps_cl_invocation_lolscript.yml │ ├── posh_ps_cl_mutexverifiers_lolscript.yml │ ├── posh_ps_dnscat_execution.yml │ ├── posh_ps_exchange_mailbox_smpt_forwarding_rule.yml │ ├── posh_ps_file_and_directory_discovery.yml │ ├── posh_ps_invoke_nightmare.yml │ ├── posh_ps_susp_gwmi.yml │ ├── powershell_ps_susp_win32_shadowcopy.yml │ ├── powershell_suspicious_download.yml │ ├── powershell_suspicious_invocation_generic.yml │ ├── powershell_suspicious_invocation_specific.yml │ ├── powershell_syncappvpublishingserver_exe.yml │ ├── proc_access_win_in_memory_assembly_execution.yml │ ├── proc_access_win_lazagne_cred_dump_lsass_access.yml │ ├── proc_access_win_lsass_susp_access.yml │ ├── proc_access_win_pypykatz_cred_dump_lsass_access.yml │ ├── proc_access_win_susp_invoke_patchingapi.yml │ ├── proc_creation_win_apt_apt29_thinktanks.yml │ ├── proc_creation_win_apt_dragonfly.yml │ ├── proc_creation_win_apt_gallium.yml │ ├── proc_creation_win_apt_hurricane_panda.yml │ ├── 
proc_creation_win_apt_lazarus_activity_apr21.yml │ ├── proc_creation_win_apt_lazarus_loader.yml │ ├── proc_creation_win_apt_muddywater_dnstunnel.yml │ ├── proc_creation_win_apt_ta505_dropper.yml │ ├── proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml │ ├── proc_creation_win_certutil_susp_execution.yml │ ├── proc_creation_win_cmd_read_contents.yml │ ├── proc_creation_win_cmd_redirect_to_stream.yml │ ├── proc_creation_win_credential_acquisition_registry_hive_dumping.yml │ ├── proc_creation_win_cscript_vbs.yml │ ├── proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml │ ├── proc_creation_win_filefix_browsers.yml │ ├── proc_creation_win_indirect_cmd.yml │ ├── proc_creation_win_indirect_command_execution_forfiles.yml │ ├── proc_creation_win_invoke_obfuscation_via_rundll.yml │ ├── proc_creation_win_invoke_obfuscation_via_use_rundll32.yml │ ├── proc_creation_win_lolbas_execution_of_wuauclt.yml │ ├── proc_creation_win_lolbin_findstr.yml │ ├── proc_creation_win_lolbin_office.yml │ ├── proc_creation_win_lolbin_rdrleakdiag.yml │ ├── proc_creation_win_lolbins_by_office_applications.yml │ ├── proc_creation_win_mal_ryuk.yml │ ├── proc_creation_win_malware_trickbot_recon_activity.yml │ ├── proc_creation_win_mavinject_proc_inj.yml │ ├── proc_creation_win_msdt_diagcab.yml │ ├── proc_creation_win_new_service_creation.yml │ ├── proc_creation_win_nslookup_pwsh_download_cradle.yml │ ├── proc_creation_win_odbcconf_susp_exec.yml │ ├── proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml │ ├── proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml │ ├── proc_creation_win_office_spawning_wmi_commandline.yml │ ├── proc_creation_win_possible_applocker_bypass.yml │ ├── proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml │ ├── proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml │ ├── proc_creation_win_powershell_base64_listing_shadowcopy.yml │ ├── proc_creation_win_powershell_base64_shellcode.yml │ ├── 
proc_creation_win_powershell_bitsjob.yml │ ├── proc_creation_win_powershell_download_cradles.yml │ ├── proc_creation_win_powershell_service_modification.yml │ ├── proc_creation_win_powershell_susp_ps_downloadfile.yml │ ├── proc_creation_win_powershell_xor_encoded_command.yml │ ├── proc_creation_win_reg_dump_sam.yml │ ├── proc_creation_win_regsvr32_anomalies.yml │ ├── proc_creation_win_renamed_paexec.yml │ ├── proc_creation_win_renamed_powershell.yml │ ├── proc_creation_win_renamed_psexec.yml │ ├── proc_creation_win_renamed_rundll32.yml │ ├── proc_creation_win_root_certificate_installed.yml │ ├── proc_creation_win_run_from_zip.yml │ ├── proc_creation_win_rundll32_js_runhtmlapplication.yml │ ├── proc_creation_win_rundll32_script_run.yml │ ├── proc_creation_win_sc_delete_av_services.yml │ ├── proc_creation_win_schtasks_user_temp.yml │ ├── proc_creation_win_service_stop.yml │ ├── proc_creation_win_susp_bitstransfer.yml │ ├── proc_creation_win_susp_cmd_exectution_via_wmi.yml │ ├── proc_creation_win_susp_commandline_chars.yml │ ├── proc_creation_win_susp_lolbin_non_c_drive.yml │ ├── proc_creation_win_susp_run_folder.yml │ ├── proc_creation_win_susp_squirrel_lolbin.yml │ ├── proc_creation_win_sysinternals_psexec_service_execution.yml │ ├── proc_creation_win_sysinternals_psexesvc_start.yml │ ├── proc_creation_win_whoami_as_system.yml │ ├── proc_creation_win_whoami_execution.yml │ ├── proc_creation_win_winword_dll_load.yml │ ├── proc_creation_win_wmic_execution_via_office_process.yml │ ├── proc_creation_win_wmic_remote_command.yml │ ├── proc_creation_win_wmic_remote_service.yml │ ├── proc_creation_win_wuauclt_execution.yml │ ├── process_creation_syncappvpublishingserver_exe.yml │ ├── registry_add_sysinternals_sdelete_registry_keys.yml │ ├── registry_event_asep_reg_keys_modification.yml │ ├── registry_set_abusing_windows_telemetry_for_persistence.yml │ ├── registry_set_add_hidden_user.yml │ ├── registry_set_creation_service_uncommon_folder.yml │ ├── 
registry_set_disable_microsoft_office_security_features.yml │ ├── registry_set_malware_adwind.yml │ ├── registry_set_office_security.yml │ ├── registry_set_persistence_com_hijacking_susp_locations.yml │ ├── registry_set_persistence_search_order.yml │ ├── registry_set_silentprocessexit.yml │ ├── sysmon_accessing_winapi_in_powershell_credentials_dumping.yml │ ├── sysmon_dcom_iertutil_dll_hijack.yml │ ├── sysmon_mimikatz_detection_lsass.yml │ ├── sysmon_powershell_execution_moduleload.yml │ ├── sysmon_rclone_execution.yml │ ├── win_defender_disabled.yml │ ├── win_dsquery_domain_trust_discovery.yml │ ├── win_lateral_movement_condrv.yml │ ├── win_security_event_log_cleared.yml │ ├── win_security_group_modification_logging.yml │ ├── win_security_lolbas_execution_of_nltest.yml │ ├── win_security_windows_defender_exclusions_write_deleted.yml │ ├── win_susp_esentutl_activity.yml │ ├── win_susp_rclone_exec.yml │ ├── win_susp_vssadmin_ntds_activity.yml │ ├── win_system_service_install_susp_double_ampersand.yml │ └── win_system_susp_sam_dump.yml ├── documentation/ │ ├── README.md │ ├── logsource-guides/ │ │ ├── other/ │ │ │ └── antivirus.md │ │ └── windows/ │ │ ├── category/ │ │ │ ├── process_creation.md │ │ │ ├── ps_module.md │ │ │ ├── ps_script.md │ │ │ ├── registry_add.md │ │ │ ├── registry_delete.md │ │ │ ├── registry_event.md │ │ │ ├── registry_rename.md │ │ │ └── registry_set.md │ │ └── service/ │ │ ├── powershell.md │ │ └── security.md │ └── tools/ │ └── sigma-logsource-checker.py ├── other/ │ ├── godmode_sigma_rule.yml │ └── sigma_attack_nav_coverage.json ├── regression_data/ │ ├── rules/ │ │ └── windows/ │ │ ├── file/ │ │ │ └── file_event/ │ │ │ ├── file_event_win_advanced_ip_scanner/ │ │ │ │ ├── fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx │ │ │ │ ├── fed85bf9-e075-4280-9159-fbe8a023d6fa.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_anydesk_artefact/ │ │ │ │ ├── 0b9ad457-2554-44c1-82c2-d56a99c42377.evtx │ │ │ │ ├── 0b9ad457-2554-44c1-82c2-d56a99c42377.json │ │ │ │ 
└── info.yml │ │ │ ├── file_event_win_create_evtx_non_common_locations/ │ │ │ │ ├── 65236ec7-ace0-4f0c-82fd-737b04fd4dcb.evtx │ │ │ │ ├── 65236ec7-ace0-4f0c-82fd-737b04fd4dcb.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_create_non_existent_dlls/ │ │ │ │ ├── df6ecb8b-7822-4f4b-b412-08f524b4576c.evtx │ │ │ │ ├── df6ecb8b-7822-4f4b-b412-08f524b4576c.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_creation_new_shim_database/ │ │ │ │ ├── ee63c85c-6d51-4d12-ad09-04e25877a947.evtx │ │ │ │ ├── ee63c85c-6d51-4d12-ad09-04e25877a947.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_creation_system_dll_files/ │ │ │ │ ├── 13c02350-4177-4e45-ac17-cf7ca628ff5e.evtx │ │ │ │ ├── 13c02350-4177-4e45-ac17-cf7ca628ff5e.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_creation_system_file/ │ │ │ │ ├── d5866ddf-ce8f-4aea-b28e-d96485a20d3d.evtx │ │ │ │ ├── d5866ddf-ce8f-4aea-b28e-d96485a20d3d.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_cred_dump_tools_dropped_files/ │ │ │ │ ├── 8fbf3271-1ef6-4e94-8210-03c2317947f6.evtx │ │ │ │ ├── 8fbf3271-1ef6-4e94-8210-03c2317947f6.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_dump_file_susp_creation/ │ │ │ │ ├── aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.evtx │ │ │ │ ├── aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_susp_legitimate_app_dropping_in_uncommon_location/ │ │ │ │ ├── 1cf465a1-2609-4c15-9b66-c32dbe4bfd67.evtx │ │ │ │ ├── 1cf465a1-2609-4c15-9b66-c32dbe4bfd67.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_susp_lnk_double_extension/ │ │ │ │ ├── 3215aa19-f060-4332-86d5-5602511f3ca8.evtx │ │ │ │ ├── 3215aa19-f060-4332-86d5-5602511f3ca8.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_susp_public_folder_extension/ │ │ │ │ ├── b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.evtx │ │ │ │ ├── b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_susp_recycle_bin_fake_exec/ │ │ │ │ ├── cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.evtx │ │ │ │ ├── 
cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.json │ │ │ │ └── info.yml │ │ │ └── file_event_win_taskmgr_lsass_dump/ │ │ │ ├── 69ca12af-119d-44ed-b50f-a47af0ebc364.evtx │ │ │ ├── 69ca12af-119d-44ed-b50f-a47af0ebc364.json │ │ │ └── info.yml │ │ ├── image_load/ │ │ │ ├── image_load_side_load_cpl_from_non_system_location/ │ │ │ │ ├── 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.evtx │ │ │ │ ├── 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.json │ │ │ │ └── info.yml │ │ │ └── image_load_win_susp_dbgcore_dbghelp_load/ │ │ │ ├── 416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx │ │ │ ├── 416bc4a2-7217-4519-8dc7-c3271817f1d5.json │ │ │ └── info.yml │ │ ├── process_access/ │ │ │ ├── proc_access_win_susp_dbgcore_dbghelp_load/ │ │ │ │ ├── 9f5c1d59-33be-4e60-bcab-85d2f566effd.evtx │ │ │ │ ├── 9f5c1d59-33be-4e60-bcab-85d2f566effd.json │ │ │ │ └── info.yml │ │ │ └── proc_access_win_werfaultsecure_msmpeng_access/ │ │ │ ├── 387df17d-3b04-448f-8669-9e7fd5e5fd8c.evtx │ │ │ ├── 387df17d-3b04-448f-8669-9e7fd5e5fd8c.json │ │ │ └── info.yml │ │ ├── process_creation/ │ │ │ ├── proc_creation_win_amsi_registry_tampering/ │ │ │ │ ├── 7dbbcac2-57a0-45ac-b306-ff30a8bd2981.evtx │ │ │ │ ├── 7dbbcac2-57a0-45ac-b306-ff30a8bd2981.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_bitsadmin_download/ │ │ │ │ ├── d059842b-6b9d-4ed1-b5c3-5b89143c6ede.evtx │ │ │ │ ├── d059842b-6b9d-4ed1-b5c3-5b89143c6ede.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_bitsadmin_download_direct_ip/ │ │ │ │ ├── 99c840f2-2012-46fd-9141-c761987550ef.evtx │ │ │ │ ├── 99c840f2-2012-46fd-9141-c761987550ef.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_bitsadmin_download_file_sharing_domains/ │ │ │ │ ├── 8518ed3d-f7c9-4601-a26c-f361a4256a0c.evtx │ │ │ │ ├── 8518ed3d-f7c9-4601-a26c-f361a4256a0c.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_bitsadmin_download_susp_extensions/ │ │ │ │ ├── 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200.evtx │ │ │ │ ├── 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200.json │ │ │ │ └── info.yml │ │ │ ├── 
proc_creation_win_bitsadmin_download_susp_targetfolder/ │ │ │ │ ├── 2ddef153-167b-4e89-86b6-757a9e65dcac.evtx │ │ │ │ ├── 2ddef153-167b-4e89-86b6-757a9e65dcac.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_chromium_headless_file_download/ │ │ │ │ ├── 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.evtx │ │ │ │ ├── 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_chromium_load_extension/ │ │ │ │ ├── 88d6e60c-759d-4ac1-a447-c0f1466c2d21.evtx │ │ │ │ ├── 88d6e60c-759d-4ac1-a447-c0f1466c2d21.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_chromium_mockbin_abuse/ │ │ │ │ ├── 1c526788-0abe-4713-862f-b520da5e5316.evtx │ │ │ │ ├── 1c526788-0abe-4713-862f-b520da5e5316.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_chromium_susp_load_extension/ │ │ │ │ ├── 27ba3207-dd30-4812-abbf-5d20c57d474e.evtx │ │ │ │ ├── 27ba3207-dd30-4812-abbf-5d20c57d474e.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_inline_file_download/ │ │ │ │ ├── 94771a71-ba41-4b6e-a757-b531372eaab6.evtx │ │ │ │ ├── 94771a71-ba41-4b6e-a757-b531372eaab6.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_tor_execution/ │ │ │ │ ├── 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.evtx │ │ │ │ ├── 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_certificate_installation/ │ │ │ │ ├── d2125259-ddea-4c1c-9c22-977eb5b29cf0.evtx │ │ │ │ ├── d2125259-ddea-4c1c-9c22-977eb5b29cf0.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_decode/ │ │ │ │ ├── cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.evtx │ │ │ │ ├── cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_download/ │ │ │ │ ├── 19b08b1c-861d-4e75-a1ef-ea0c1baf202b.evtx │ │ │ │ ├── 19b08b1c-861d-4e75-a1ef-ea0c1baf202b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_download_direct_ip/ │ │ │ │ ├── 13e6fe51-d478-4c7e-b0f2-6da9b400a829.evtx │ │ │ │ ├── 
13e6fe51-d478-4c7e-b0f2-6da9b400a829.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_download_file_sharing_domains/ │ │ │ │ ├── 42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx │ │ │ │ ├── 42a5f1e7-9603-4f6d-97ae-3f37d130d794.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_encode/ │ │ │ │ ├── e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.evtx │ │ │ │ ├── e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_encode_susp_extensions/ │ │ │ │ ├── ea0cdc3e-2239-4f26-a947-4e8f8224e464.evtx │ │ │ │ ├── ea0cdc3e-2239-4f26-a947-4e8f8224e464.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_encode_susp_location/ │ │ │ │ ├── 82a6714f-4899-4f16-9c1e-9a333544d4c3.evtx │ │ │ │ ├── 82a6714f-4899-4f16-9c1e-9a333544d4c3.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_export_pfx/ │ │ │ │ ├── 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.evtx │ │ │ │ ├── 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_ntlm_coercion/ │ │ │ │ ├── 6c6d9280-e6d0-4b9d-80ac-254701b64916.evtx │ │ │ │ ├── 6c6d9280-e6d0-4b9d-80ac-254701b64916.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_chcp_codepage_lookup/ │ │ │ │ ├── 7090adee-82e2-4269-bd59-80691e7c6338.evtx │ │ │ │ ├── 7090adee-82e2-4269-bd59-80691e7c6338.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_chcp_codepage_switch/ │ │ │ │ ├── c7942406-33dd-4377-a564-0f62db0593a3.evtx │ │ │ │ ├── c7942406-33dd-4377-a564-0f62db0593a3.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cipher_overwrite_deleted_data/ │ │ │ │ ├── 4b046706-5789-4673-b111-66f25fe99534.evtx │ │ │ │ ├── 4b046706-5789-4673-b111-66f25fe99534.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_clip_execution/ │ │ │ │ ├── ddeff553-5233-4ae9-bbab-d64d2bd634be.evtx │ │ │ │ ├── ddeff553-5233-4ae9-bbab-d64d2bd634be.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmd_assoc_execution/ │ │ │ │ ├── 3d3aa6cd-6272-44d6-8afc-7e88dfef7061.evtx │ │ │ 
│ ├── 3d3aa6cd-6272-44d6-8afc-7e88dfef7061.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmd_dir_execution/ │ │ │ │ ├── 7c9340a9-e2ee-4e43-94c5-c54ebbea1006.evtx │ │ │ │ ├── 7c9340a9-e2ee-4e43-94c5-c54ebbea1006.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmd_launched_with_hidden_start_flag/ │ │ │ │ ├── 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.evtx │ │ │ │ ├── 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmd_mklink_osk_cmd/ │ │ │ │ ├── e9b61244-893f-427c-b287-3e708f321c6b.evtx │ │ │ │ ├── e9b61244-893f-427c-b287-3e708f321c6b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmd_rmdir_execution/ │ │ │ │ ├── 41ca393d-538c-408a-ac27-cf1e038be80c.evtx │ │ │ │ ├── 41ca393d-538c-408a-ac27-cf1e038be80c.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmdkey_adding_generic_creds/ │ │ │ │ ├── b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.evtx │ │ │ │ ├── b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmdkey_recon/ │ │ │ │ ├── 07f8bdc2-c9b3-472a-9817-5a670b872f53.evtx │ │ │ │ ├── 07f8bdc2-c9b3-472a-9817-5a670b872f53.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_conhost_headless_powershell/ │ │ │ │ ├── 056c7317-9a09-4bd4-9067-d051312752ea.evtx │ │ │ │ ├── 056c7317-9a09-4bd4-9067-d051312752ea.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_credential_guard_registry_tampering/ │ │ │ │ ├── c17d47b7-dcd6-4109-87eb-d1817bd4cbc9.evtx │ │ │ │ ├── c17d47b7-dcd6-4109-87eb-d1817bd4cbc9.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_cookie_hijacking/ │ │ │ │ ├── 5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx │ │ │ │ ├── 5a6e1e16-07de-48d8-8aae-faa766c05e88.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_custom_user_agent/ │ │ │ │ ├── 85de1f22-d189-44e4-8239-dc276b45379b.evtx │ │ │ │ ├── 85de1f22-d189-44e4-8239-dc276b45379b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_download_direct_ip_exec/ │ │ │ │ ├── 
9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx │ │ │ │ ├── 9cc85849-3b02-4cb5-b371-3a1ff54f2218.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_download_direct_ip_susp_extensions/ │ │ │ │ ├── 5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx │ │ │ │ ├── 5cb299fc-5fb1-4d07-b989-0644c68b6043.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_download_susp_file_sharing_domains/ │ │ │ │ ├── 56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx │ │ │ │ ├── 56454143-524f-49fb-b1c6-3fb8b1ad41fb.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_insecure_connection/ │ │ │ │ ├── cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx │ │ │ │ ├── cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_insecure_proxy_or_doh/ │ │ │ │ ├── 2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx │ │ │ │ ├── 2c1486f5-02e8-4f86-9099-b97f2da4ed77.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_local_file_read/ │ │ │ │ ├── aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx │ │ │ │ ├── aa6f6ea6-0676-40dd-b510-6e46f02d8867.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_susp_download/ │ │ │ │ ├── e218595b-bbe7-4ee5-8a96-f32a24ad3468.evtx │ │ │ │ ├── e218595b-bbe7-4ee5-8a96-f32a24ad3468.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_devcon_disable_vmci_driver/ │ │ │ │ ├── 85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx │ │ │ │ ├── 85f520e7-6f5e-43ca-874c-222e5bf9c0de.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_dirlister_execution/ │ │ │ │ ├── b4dc61f5-6cce-468e-a608-b48b469feaa2.evtx │ │ │ │ ├── b4dc61f5-6cce-468e-a608-b48b469feaa2.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_discovery_via_reg_queries/ │ │ │ │ ├── 0022869c-49f7-4ff2-ba03-85ac42ddac58.evtx │ │ │ │ ├── 0022869c-49f7-4ff2-ba03-85ac42ddac58.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_dism_remove/ │ │ │ │ ├── 43e32da2-fdd0-4156-90de-50dfd62636f9.evtx │ │ │ │ ├── 43e32da2-fdd0-4156-90de-50dfd62636f9.json │ │ │ │ └── info.yml │ │ │ ├── 
proc_creation_win_driverquery_recon/ │ │ │ │ ├── 9fc3072c-dc8f-4bf7-b231-18950000fadd.evtx │ │ │ │ ├── 9fc3072c-dc8f-4bf7-b231-18950000fadd.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_driverquery_usage/ │ │ │ │ ├── a20def93-0709-4eae-9bd2-31206e21e6b2.evtx │ │ │ │ ├── a20def93-0709-4eae-9bd2-31206e21e6b2.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_dsquery_domain_trust_discovery/ │ │ │ │ ├── 3bad990e-4848-4a78-9530-b427d854aac0.evtx │ │ │ │ ├── 3bad990e-4848-4a78-9530-b427d854aac0.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_dtrace_kernel_dump/ │ │ │ │ ├── 7124aebe-4cd7-4ccb-8df0-6d6b93c96795.evtx │ │ │ │ ├── 7124aebe-4cd7-4ccb-8df0-6d6b93c96795.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_explorer_folder_shortcut_via_shell_binary/ │ │ │ │ ├── c3d76afc-93df-461e-8e67-9b2bad3f2ac4.evtx │ │ │ │ ├── c3d76afc-93df-461e-8e67-9b2bad3f2ac4.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_findstr_gpp_passwords/ │ │ │ │ ├── 91a2c315-9ee6-4052-a853-6f6a8238f90d.evtx │ │ │ │ ├── 91a2c315-9ee6-4052-a853-6f6a8238f90d.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_findstr_lsass/ │ │ │ │ ├── fe63010f-8823-4864-a96b-a7b4a0f7b929.evtx │ │ │ │ ├── fe63010f-8823-4864-a96b-a7b4a0f7b929.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_findstr_recon_everyone/ │ │ │ │ ├── 47e4bab7-c626-47dc-967b-255608c9a920.evtx │ │ │ │ ├── 47e4bab7-c626-47dc-967b-255608c9a920.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_findstr_recon_pipe_output/ │ │ │ │ ├── ccb5742c-c248-4982-8c5c-5571b9275ad3.evtx │ │ │ │ ├── ccb5742c-c248-4982-8c5c-5571b9275ad3.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_findstr_security_keyword_lookup/ │ │ │ │ ├── 4fe074b4-b833-4081-8f24-7dcfeca72b42.evtx │ │ │ │ ├── 4fe074b4-b833-4081-8f24-7dcfeca72b42.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_finger_execution/ │ │ │ │ ├── af491bca-e752-4b44-9c86-df5680533dbc.evtx │ │ │ │ ├── af491bca-e752-4b44-9c86-df5680533dbc.json │ │ │ │ └── info.yml │ │ │ ├── 
proc_creation_win_github_self_hosted_runner/ │ │ │ │ ├── 5bac7a56-da88-4c27-922e-c81e113b20cb.evtx │ │ │ │ ├── 5bac7a56-da88-4c27-922e-c81e113b20cb.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_gpresult_execution/ │ │ │ │ ├── e56d3073-83ff-4021-90fe-c658e0709e72.evtx │ │ │ │ ├── e56d3073-83ff-4021-90fe-c658e0709e72.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_hh_chm_execution/ │ │ │ │ ├── 68c8acb4-1b60-4890-8e82-3ddf7a6dba84.evtx │ │ │ │ ├── 68c8acb4-1b60-4890-8e82-3ddf7a6dba84.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_hktl_edr_freeze/ │ │ │ │ ├── c598cc0c-9e70-4852-b9eb-8921af79f598.evtx │ │ │ │ ├── c598cc0c-9e70-4852-b9eb-8921af79f598.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_hktl_wsass/ │ │ │ │ ├── 589ac73f-8e12-409c-964e-31a2f5775ae2.evtx │ │ │ │ ├── 589ac73f-8e12-409c-964e-31a2f5775ae2.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_hvci_registry_tampering/ │ │ │ │ ├── 6225c53a-a96e-4235-b28f-8d7997cd96eb.evtx │ │ │ │ ├── 6225c53a-a96e-4235-b28f-8d7997cd96eb.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_adfind_enumeration/ │ │ │ │ ├── 455b9d50-15a1-4b99-853f-8d37655a4c1b.evtx │ │ │ │ ├── 455b9d50-15a1-4b99-853f-8d37655a4c1b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_adfind_execution/ │ │ │ │ ├── 514e7e3e-b3b4-4a67-af60-be20f139198b.evtx │ │ │ │ ├── 514e7e3e-b3b4-4a67-af60-be20f139198b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_adfind_susp_usage/ │ │ │ │ ├── 9a132afa-654e-11eb-ae93-0242ac130002.evtx │ │ │ │ ├── 9a132afa-654e-11eb-ae93-0242ac130002.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_advanced_ip_scanner/ │ │ │ │ ├── bef37fa2-f205-4a7b-b484-0759bfd5f86f.evtx │ │ │ │ ├── bef37fa2-f205-4a7b-b484-0759bfd5f86f.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_advanced_port_scanner/ │ │ │ │ ├── 54773c5f-f1cc-4703-9126-2f797d96a69d.evtx │ │ │ │ ├── 54773c5f-f1cc-4703-9126-2f797d96a69d.json │ │ │ │ └── info.yml │ │ │ ├── 
proc_creation_win_pua_advancedrun/ │ │ │ │ ├── d2b749ee-4225-417e-b20e-a8d2193cbb84.evtx │ │ │ │ ├── d2b749ee-4225-417e-b20e-a8d2193cbb84.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_advancedrun_priv_user/ │ │ │ │ ├── fa00b701-44c6-4679-994d-5a18afa8a707.evtx │ │ │ │ ├── fa00b701-44c6-4679-994d-5a18afa8a707.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_kdu_driver_tool/ │ │ │ │ ├── e76ca062-4de0-4d79-8d90-160a0d335eca.evtx │ │ │ │ ├── e76ca062-4de0-4d79-8d90-160a0d335eca.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_reg_add_run_key/ │ │ │ │ ├── de587dce-915e-4218-aac4-835ca6af6f70.evtx │ │ │ │ ├── de587dce-915e-4218-aac4-835ca6af6f70.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_reg_add_safeboot/ │ │ │ │ ├── d7662ff6-9e97-4596-a61d-9839e32dee8d.evtx │ │ │ │ ├── d7662ff6-9e97-4596-a61d-9839e32dee8d.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_reg_system_language_discovery/ │ │ │ │ ├── c43a5405-e8e1-4221-9ac9-dbe3fa14e886.evtx │ │ │ │ ├── c43a5405-e8e1-4221-9ac9-dbe3fa14e886.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_registry_special_accounts_hide_user/ │ │ │ │ ├── 9ec9fb1b-e059-4489-9642-f270c207923d.evtx │ │ │ │ ├── 9ec9fb1b-e059-4489-9642-f270c207923d.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_adfind/ │ │ │ │ ├── df55196f-f105-44d3-a675-e9dfb6cc2f2b.evtx │ │ │ │ ├── df55196f-f105-44d3-a675-e9dfb6cc2f2b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_binary/ │ │ │ │ ├── 36480ae1-a1cb-4eaa-a0d6-29801d7e9142.evtx │ │ │ │ ├── 36480ae1-a1cb-4eaa-a0d6-29801d7e9142.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_binary_highly_relevant/ │ │ │ │ ├── 0ba1da6d-b6ce-4366-828c-18826c9de23e.evtx │ │ │ │ ├── 0ba1da6d-b6ce-4366-828c-18826c9de23e.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_curl/ │ │ │ │ ├── 7530cd3d-7671-43e3-b209-976966f6ea48.evtx │ │ │ │ ├── 7530cd3d-7671-43e3-b209-976966f6ea48.json │ │ │ │ └── info.yml │ │ │ ├── 
proc_creation_win_renamed_ftp/ │ │ │ │ ├── 277a4393-446c-449a-b0ed-7fdc7795244c.evtx │ │ │ │ ├── 277a4393-446c-449a-b0ed-7fdc7795244c.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_msdt/ │ │ │ │ ├── bd1c6866-65fc-44b2-be51-5588fcff82b9.evtx │ │ │ │ ├── bd1c6866-65fc-44b2-be51-5588fcff82b9.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_sc_stop_service/ │ │ │ │ ├── 81bcb81b-5b1f-474b-b373-52c871aaa7b1.evtx │ │ │ │ ├── 81bcb81b-5b1f-474b-b373-52c871aaa7b1.json │ │ │ │ ├── 81bcb81b-5b1f-474b-b373-52c871aaa7b1.jsoncls │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_susp_eventlog_content_recon/ │ │ │ │ ├── beaa66d6-aa1b-4e3c-80f5-e0145369bfaf.evtx │ │ │ │ ├── beaa66d6-aa1b-4e3c-80f5-e0145369bfaf.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_susp_system_exe_anomaly/ │ │ │ │ ├── e4a6b256-3e47-40fc-89d2-7a477edd6915.evtx │ │ │ │ ├── e4a6b256-3e47-40fc-89d2-7a477edd6915.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_svchost_masqueraded_execution/ │ │ │ │ ├── be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.evtx │ │ │ │ ├── be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_user_shell_folders_registry_modification/ │ │ │ │ ├── 8f3ab69a-aa22-4943-aa58-e0a52fdf6818.evtx │ │ │ │ ├── 8f3ab69a-aa22-4943-aa58-e0a52fdf6818.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_vulnerable_driver_blocklist_registry_tampering/ │ │ │ │ ├── 22154f0e-5132-4a54-aa78-cc62f6def531.evtx │ │ │ │ ├── 22154f0e-5132-4a54-aa78-cc62f6def531.json │ │ │ │ └── info.yml │ │ │ └── proc_creation_win_werfaultsecure_abuse/ │ │ │ ├── 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx │ │ │ ├── 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.json │ │ │ └── info.yml │ │ ├── registry/ │ │ │ ├── registry_delete/ │ │ │ │ ├── registry_delete_disable_credential_guard/ │ │ │ │ │ ├── d645ef86-2396-48a1-a2b6-b629ca3f57ff.evtx │ │ │ │ │ ├── d645ef86-2396-48a1-a2b6-b629ca3f57ff.json │ │ │ │ │ └── info.yml │ │ │ │ ├── registry_delete_removal_amsi_registry_key/ │ │ │ │ │ ├── 
41d1058a-aea7-4952-9293-29eaaf516465.evtx │ │ │ │ │ ├── 41d1058a-aea7-4952-9293-29eaaf516465.json │ │ │ │ │ └── info.yml │ │ │ │ ├── registry_delete_runmru/ │ │ │ │ │ ├── 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.evtx │ │ │ │ │ ├── 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.json │ │ │ │ │ └── info.yml │ │ │ │ ├── registry_delete_schtasks_hide_task_via_index_value_removal/ │ │ │ │ │ ├── 526cc8bc-1cdc-48ad-8b26-f19bff969cec.evtx │ │ │ │ │ ├── 526cc8bc-1cdc-48ad-8b26-f19bff969cec.json │ │ │ │ │ └── info.yml │ │ │ │ └── registry_delete_schtasks_hide_task_via_sd_value_removal/ │ │ │ │ ├── acd74772-5f88-45c7-956b-6a7b36c294d2.evtx │ │ │ │ ├── acd74772-5f88-45c7-956b-6a7b36c294d2.json │ │ │ │ └── info.yml │ │ │ ├── registry_event/ │ │ │ │ └── registry_event_add_local_hidden_user/ │ │ │ │ ├── 460479f3-80b7-42da-9c43-2cc1d54dbccd.evtx │ │ │ │ ├── 460479f3-80b7-42da-9c43-2cc1d54dbccd.json │ │ │ │ └── info.yml │ │ │ └── registry_set/ │ │ │ ├── registry_set_add_load_service_in_safe_mode/ │ │ │ │ ├── 1547e27c-3974-43e2-a7d7-7f484fb928ec.evtx │ │ │ │ ├── 1547e27c-3974-43e2-a7d7-7f484fb928ec.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_add_port_monitor/ │ │ │ │ ├── 944e8941-f6f6-4ee8-ac05-1c224e923c0e.evtx │ │ │ │ ├── 944e8941-f6f6-4ee8-ac05-1c224e923c0e.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_allow_rdp_remote_assistance_feature/ │ │ │ │ ├── 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.evtx │ │ │ │ ├── 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_amsi_disable/ │ │ │ │ ├── aa37cbb0-da36-42cb-a90f-fdf216fc7467.evtx │ │ │ │ ├── aa37cbb0-da36-42cb-a90f-fdf216fc7467.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_bypass_uac_using_delegateexecute/ │ │ │ │ ├── 46dd5308-4572-4d12-aa43-8938f0184d4f.evtx │ │ │ │ ├── 46dd5308-4572-4d12-aa43-8938f0184d4f.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_bypass_uac_using_eventviewer/ │ │ │ │ ├── 674202d0-b22a-4af4-ae5f-2eda1f3da1af.evtx │ │ │ │ ├── 674202d0-b22a-4af4-ae5f-2eda1f3da1af.json │ │ │ │ └── 
info.yml │ │ │ ├── registry_set_bypass_uac_using_silentcleanup_task/ │ │ │ │ ├── 724ea201-6514-4f38-9739-e5973c34f49a.evtx │ │ │ │ ├── 724ea201-6514-4f38-9739-e5973c34f49a.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_change_rdp_port/ │ │ │ │ ├── 509e84b9-a71a-40e0-834f-05470369bd1e.evtx │ │ │ │ ├── 509e84b9-a71a-40e0-834f-05470369bd1e.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_change_security_zones/ │ │ │ │ ├── 45e112d0-7759-4c2a-aa36-9f8fb79d3393.evtx │ │ │ │ ├── 45e112d0-7759-4c2a-aa36-9f8fb79d3393.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_credential_guard_disabled/ │ │ │ │ ├── 73921b9c-cafd-4446-b0c6-fdb0ace42bc0.evtx │ │ │ │ ├── 73921b9c-cafd-4446-b0c6-fdb0ace42bc0.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/ │ │ │ │ ├── 8b7273a4-ba5d-4d8a-b04f-11f2900d043a.evtx │ │ │ │ ├── 8b7273a4-ba5d-4d8a-b04f-11f2900d043a.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_disable_administrative_share/ │ │ │ │ ├── c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.evtx │ │ │ │ ├── c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_disable_defender_firewall/ │ │ │ │ ├── 974515da-6cc5-4c95-ae65-f97f9150ec7f.evtx │ │ │ │ ├── 974515da-6cc5-4c95-ae65-f97f9150ec7f.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_disable_security_center_notifications/ │ │ │ │ ├── 3ae1a046-f7db-439d-b7ce-b8b366b81fa6.evtx │ │ │ │ ├── 3ae1a046-f7db-439d-b7ce-b8b366b81fa6.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_persistence_amsi_providers/ │ │ │ │ ├── 33efc23c-6ea2-4503-8cfe-bdf82ce8f705.evtx │ │ │ │ ├── 33efc23c-6ea2-4503-8cfe-bdf82ce8f705.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_persistence_com_key_linking/ │ │ │ │ ├── 9b0f8a61-91b2-464f-aceb-0527e0a45020.evtx │ │ │ │ ├── 9b0f8a61-91b2-464f-aceb-0527e0a45020.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_persistence_logon_scripts_userinitmprlogonscript/ │ │ │ │ ├── 9ace0707-b560-49b8-b6ca-5148b42f39fb.evtx │ │ │ │ ├── 
9ace0707-b560-49b8-b6ca-5148b42f39fb.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_powershell_logging_disabled/ │ │ │ │ ├── fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.evtx │ │ │ │ ├── fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_pua_sysinternals_execution_via_eula/ │ │ │ │ ├── 25ffa65d-76d8-4da5-a832-3f2b0136e133.evtx │ │ │ │ ├── 25ffa65d-76d8-4da5-a832-3f2b0136e133.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_pua_sysinternals_renamed_execution_via_eula/ │ │ │ │ ├── f50f3c09-557d-492d-81db-9064a8d4e211.evtx │ │ │ │ ├── f50f3c09-557d-492d-81db-9064a8d4e211.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_pua_sysinternals_susp_execution_via_eula/ │ │ │ │ ├── c7da8edc-49ae-45a2-9e61-9fd860e4e73d.evtx │ │ │ │ ├── c7da8edc-49ae-45a2-9e61-9fd860e4e73d.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_special_accounts/ │ │ │ │ ├── f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.evtx │ │ │ │ ├── f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_susp_user_shell_folders/ │ │ │ │ ├── 9c226817-8dc9-46c2-a58d-66655aafd7dc.evtx │ │ │ │ ├── 9c226817-8dc9-46c2-a58d-66655aafd7dc.json │ │ │ │ └── info.yml │ │ │ └── registry_set_vulnerable_driver_blocklist_disable/ │ │ │ ├── d526c60a-e236-4011-b165-831ffa52ab70.evtx │ │ │ ├── d526c60a-e236-4011-b165-831ffa52ab70.json │ │ │ └── info.yml │ │ └── sysmon/ │ │ └── sysmon_config_modification/ │ │ ├── 8ac03a65-6c84-4116-acad-dc1558ff7a77.evtx │ │ ├── 8ac03a65-6c84-4116-acad-dc1558ff7a77.json │ │ └── info.yml │ ├── rules-emerging-threats/ │ │ └── 2025/ │ │ ├── Exploits/ │ │ │ └── CVE-2025-55182/ │ │ │ └── proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/ │ │ │ ├── 271de298-cc0e-4842-acd8-079a0a99ea65.evtx │ │ │ ├── 271de298-cc0e-4842-acd8-079a0a99ea65.json │ │ │ └── info.yml │ │ └── Malware/ │ │ └── Grixba/ │ │ └── proc_creation_win_malware_grixba_recon/ │ │ ├── af688c76-4ce4-4309-bfdd-e896f01acf27.evtx │ │ ├── af688c76-4ce4-4309-bfdd-e896f01acf27.json 
│ │ └── info.yml │ └── rules-threat-hunting/ │ └── windows/ │ └── image_load/ │ └── image_load_win_werfaultsecure_dbgcore_dbghelp_load/ │ ├── 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx │ ├── 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.json │ └── info.yml ├── rules/ │ ├── README.md │ ├── application/ │ │ ├── bitbucket/ │ │ │ └── audit/ │ │ │ ├── bitbucket_audit_full_data_export_triggered.yml │ │ │ ├── bitbucket_audit_global_permissions_change_detected.yml │ │ │ ├── bitbucket_audit_global_secret_scanning_rule_deleted.yml │ │ │ ├── bitbucket_audit_global_ssh_settings_change_detected.yml │ │ │ ├── bitbucket_audit_log_configuration_update_detected.yml │ │ │ ├── bitbucket_audit_project_secret_scanning_allowlist_added.yml │ │ │ ├── bitbucket_audit_secret_scanning_exempt_repository_detected.yml │ │ │ ├── bitbucket_audit_secret_scanning_rule_deleted.yml │ │ │ ├── bitbucket_audit_unauthorized_access_detected.yml │ │ │ ├── bitbucket_audit_unauthorized_full_data_export_triggered.yml │ │ │ ├── bitbucket_audit_user_details_export_attempt_detected.yml │ │ │ ├── bitbucket_audit_user_login_failure_detected.yml │ │ │ ├── bitbucket_audit_user_login_failure_via_ssh_detected.yml │ │ │ └── bitbucket_audit_user_permissions_export_attempt_detected.yml │ │ ├── django/ │ │ │ └── appframework_django_exceptions.yml │ │ ├── github/ │ │ │ └── audit/ │ │ │ ├── github_delete_action_invoked.yml │ │ │ ├── github_disable_high_risk_configuration.yml │ │ │ ├── github_disabled_outdated_dependency_or_vulnerability.yml │ │ │ ├── github_fork_private_repos_enabled_or_cleared.yml │ │ │ ├── github_new_org_member.yml │ │ │ ├── github_new_secret_created.yml │ │ │ ├── github_outside_collaborator_detected.yml │ │ │ ├── github_pages_site_changed_to_public.yml │ │ │ ├── github_push_protection_bypass_detected.yml │ │ │ ├── github_push_protection_disabled.yml │ │ │ ├── github_repo_or_org_transferred.yml │ │ │ ├── github_repository_archive_status_changed.yml │ │ │ ├── github_secret_scanning_feature_disabled.yml │ │ │ ├── 
github_self_hosted_runner_changes_detected.yml │ │ │ └── github_ssh_certificate_config_changed.yml │ │ ├── jvm/ │ │ │ ├── java_jndi_injection_exploitation_attempt.yml │ │ │ ├── java_local_file_read.yml │ │ │ ├── java_ognl_injection_exploitation_attempt.yml │ │ │ ├── java_rce_exploitation_attempt.yml │ │ │ └── java_xxe_exploitation_attempt.yml │ │ ├── kubernetes/ │ │ │ └── audit/ │ │ │ ├── kubernetes_audit_change_admission_controller.yml │ │ │ ├── kubernetes_audit_cronjob_modification.yml │ │ │ ├── kubernetes_audit_deployment_deleted.yml │ │ │ ├── kubernetes_audit_events_deleted.yml │ │ │ ├── kubernetes_audit_exec_into_container.yml │ │ │ ├── kubernetes_audit_hostpath_mount.yml │ │ │ ├── kubernetes_audit_pod_in_system_namespace.yml │ │ │ ├── kubernetes_audit_privileged_pod_creation.yml │ │ │ ├── kubernetes_audit_rbac_permisions_listing.yml │ │ │ ├── kubernetes_audit_rolebinding_modification.yml │ │ │ ├── kubernetes_audit_secrets_enumeration.yml │ │ │ ├── kubernetes_audit_secrets_modified_or_deleted.yml │ │ │ ├── kubernetes_audit_serviceaccount_creation.yml │ │ │ ├── kubernetes_audit_sidecar_injection.yml │ │ │ └── kubernetes_audit_unauthorized_unauthenticated_actions.yml │ │ ├── nodejs/ │ │ │ └── nodejs_rce_exploitation_attempt.yml │ │ ├── opencanary/ │ │ │ ├── opencanary_ftp_login_attempt.yml │ │ │ ├── opencanary_git_clone_request.yml │ │ │ ├── opencanary_http_get.yml │ │ │ ├── opencanary_http_post_login_attempt.yml │ │ │ ├── opencanary_httpproxy_login_attempt.yml │ │ │ ├── opencanary_mssql_login_sqlauth.yml │ │ │ ├── opencanary_mssql_login_winauth.yml │ │ │ ├── opencanary_mysql_login_attempt.yml │ │ │ ├── opencanary_ntp_monlist.yml │ │ │ ├── opencanary_portscan_nmap_fin_scan.yaml │ │ │ ├── opencanary_portscan_nmap_null_scan.yaml │ │ │ ├── opencanary_portscan_nmap_os_scan.yaml │ │ │ ├── opencanary_portscan_nmap_xmas_scan.yaml │ │ │ ├── opencanary_portscan_syn_scan.yaml │ │ │ ├── opencanary_rdp_connection_attempt.yaml │ │ │ ├── opencanary_redis_command.yml │ │ │ ├── 
opencanary_sip_request.yml │ │ │ ├── opencanary_smb_file_open.yml │ │ │ ├── opencanary_snmp_cmd.yml │ │ │ ├── opencanary_ssh_login_attempt.yml │ │ │ ├── opencanary_ssh_new_connection.yml │ │ │ ├── opencanary_telnet_login_attempt.yml │ │ │ ├── opencanary_tftp_request.yml │ │ │ └── opencanary_vnc_connection_attempt.yml │ │ ├── python/ │ │ │ └── app_python_sql_exceptions.yml │ │ ├── rpc_firewall/ │ │ │ ├── rpc_firewall_atsvc_lateral_movement.yml │ │ │ ├── rpc_firewall_atsvc_recon.yml │ │ │ ├── rpc_firewall_dcsync_attack.yml │ │ │ ├── rpc_firewall_efs_abuse.yml │ │ │ ├── rpc_firewall_eventlog_recon.yml │ │ │ ├── rpc_firewall_itaskschedulerservice_lateral_movement.yml │ │ │ ├── rpc_firewall_itaskschedulerservice_recon.yml │ │ │ ├── rpc_firewall_printing_lateral_movement.yml │ │ │ ├── rpc_firewall_remote_dcom_or_wmi.yml │ │ │ ├── rpc_firewall_remote_registry_lateral_movement.yml │ │ │ ├── rpc_firewall_remote_registry_recon.yml │ │ │ ├── rpc_firewall_remote_server_service_abuse.yml │ │ │ ├── rpc_firewall_remote_service_lateral_movement.yml │ │ │ ├── rpc_firewall_sasec_lateral_movement.yml │ │ │ ├── rpc_firewall_sasec_recon.yml │ │ │ ├── rpc_firewall_sharphound_recon_account.yml │ │ │ └── rpc_firewall_sharphound_recon_sessions.yml │ │ ├── ruby/ │ │ │ └── appframework_ruby_on_rails_exceptions.yml │ │ ├── spring/ │ │ │ ├── spring_application_exceptions.yml │ │ │ └── spring_spel_injection.yml │ │ ├── sql/ │ │ │ └── app_sqlinjection_errors.yml │ │ └── velocity/ │ │ └── velocity_ssti_injection.yml │ ├── category/ │ │ ├── antivirus/ │ │ │ ├── av_exploiting.yml │ │ │ ├── av_hacktool.yml │ │ │ ├── av_password_dumper.yml │ │ │ ├── av_ransomware.yml │ │ │ ├── av_relevant_files.yml │ │ │ └── av_webshell.yml │ │ └── database/ │ │ └── db_anomalous_query.yml │ ├── cloud/ │ │ ├── aws/ │ │ │ └── cloudtrail/ │ │ │ ├── aws_cloudtrail_bucket_deleted.yml │ │ │ ├── aws_cloudtrail_console_login_failed_authentication.yml │ │ │ ├── aws_cloudtrail_console_login_success_without_mfa.yml │ │ │ ├── 
aws_cloudtrail_disable_logging.yml │ │ │ ├── aws_cloudtrail_guardduty_detector_deleted_or_updated.yml │ │ │ ├── aws_cloudtrail_imds_malicious_usage.yml │ │ │ ├── aws_cloudtrail_new_acl_entries.yml │ │ │ ├── aws_cloudtrail_new_route_added.yml │ │ │ ├── aws_cloudtrail_pua_trufflehog.yml │ │ │ ├── aws_cloudtrail_region_enabled.yml │ │ │ ├── aws_cloudtrail_security_group_change_ingress_egress.yml │ │ │ ├── aws_cloudtrail_security_group_change_loadbalancer.yml │ │ │ ├── aws_cloudtrail_security_group_change_rds.yml │ │ │ ├── aws_cloudtrail_ssm_malicious_usage.yml │ │ │ ├── aws_cloudtrail_vpc_flow_logs_deleted.yml │ │ │ ├── aws_config_disable_recording.yml │ │ │ ├── aws_console_getsignintoken.yml │ │ │ ├── aws_delete_identity.yml │ │ │ ├── aws_delete_saml_provider.yml │ │ │ ├── aws_disable_bucket_versioning.yml │ │ │ ├── aws_ec2_disable_encryption.yml │ │ │ ├── aws_ec2_import_key_pair_activity.yml │ │ │ ├── aws_ec2_startup_script_change.yml │ │ │ ├── aws_ec2_vm_export_failure.yml │ │ │ ├── aws_ecs_task_definition_cred_endpoint_query.yml │ │ │ ├── aws_efs_fileshare_modified_or_deleted.yml │ │ │ ├── aws_efs_fileshare_mount_modified_or_deleted.yml │ │ │ ├── aws_eks_cluster_created_or_deleted.yml │ │ │ ├── aws_elasticache_security_group_created.yml │ │ │ ├── aws_elasticache_security_group_modified_or_deleted.yml │ │ │ ├── aws_enum_buckets.yml │ │ │ ├── aws_guardduty_disruption.yml │ │ │ ├── aws_iam_backdoor_users_keys.yml │ │ │ ├── aws_iam_s3browser_loginprofile_creation.yml │ │ │ ├── aws_iam_s3browser_templated_s3_bucket_policy_creation.yml │ │ │ ├── aws_iam_s3browser_user_or_accesskey_creation.yml │ │ │ ├── aws_kms_import_key_material.yml │ │ │ ├── aws_lambda_function_url.yml │ │ │ ├── aws_new_lambda_layer_attached.yml │ │ │ ├── aws_passed_role_to_glue_development_endpoint.yml │ │ │ ├── aws_rds_change_master_password.yml │ │ │ ├── aws_rds_dbcluster_actions.yml │ │ │ ├── aws_rds_public_db_restore.yml │ │ │ ├── aws_root_account_usage.yml │ │ │ ├── 
aws_route_53_domain_transferred_lock_disabled.yml │ │ │ ├── aws_route_53_domain_transferred_to_another_account.yml │ │ │ ├── aws_s3_data_management_tampering.yml │ │ │ ├── aws_securityhub_finding_evasion.yml │ │ │ ├── aws_snapshot_backup_exfiltration.yml │ │ │ ├── aws_sso_idp_change.yml │ │ │ ├── aws_sts_assumerole_misuse.yml │ │ │ ├── aws_sts_getcalleridentity_trufflehog.yml │ │ │ ├── aws_sts_getsessiontoken_misuse.yml │ │ │ ├── aws_susp_saml_activity.yml │ │ │ └── aws_update_login_profile.yml │ │ ├── azure/ │ │ │ ├── activity_logs/ │ │ │ │ ├── azure_aadhybridhealth_adfs_new_server.yml │ │ │ │ ├── azure_aadhybridhealth_adfs_service_delete.yml │ │ │ │ ├── azure_ad_user_added_to_admin_role.yml │ │ │ │ ├── azure_application_deleted.yml │ │ │ │ ├── azure_application_gateway_modified_or_deleted.yml │ │ │ │ ├── azure_application_security_group_modified_or_deleted.yml │ │ │ │ ├── azure_container_registry_created_or_deleted.yml │ │ │ │ ├── azure_creating_number_of_resources_detection.yml │ │ │ │ ├── azure_device_no_longer_managed_or_compliant.yml │ │ │ │ ├── azure_device_or_configuration_modified_or_deleted.yml │ │ │ │ ├── azure_dns_zone_modified_or_deleted.yml │ │ │ │ ├── azure_firewall_modified_or_deleted.yml │ │ │ │ ├── azure_firewall_rule_collection_modified_or_deleted.yml │ │ │ │ ├── azure_granting_permission_detection.yml │ │ │ │ ├── azure_keyvault_key_modified_or_deleted.yml │ │ │ │ ├── azure_keyvault_modified_or_deleted.yml │ │ │ │ ├── azure_keyvault_secrets_modified_or_deleted.yml │ │ │ │ ├── azure_kubernetes_admission_controller.yml │ │ │ │ ├── azure_kubernetes_cluster_created_or_deleted.yml │ │ │ │ ├── azure_kubernetes_cronjob.yml │ │ │ │ ├── azure_kubernetes_events_deleted.yml │ │ │ │ ├── azure_kubernetes_network_policy_change.yml │ │ │ │ ├── azure_kubernetes_pods_deleted.yml │ │ │ │ ├── azure_kubernetes_role_access.yml │ │ │ │ ├── azure_kubernetes_rolebinding_modified_or_deleted.yml │ │ │ │ ├── azure_kubernetes_secret_or_config_object_access.yml │ │ │ │ ├── 
azure_kubernetes_service_account_modified_or_deleted.yml │ │ │ │ ├── azure_mfa_disabled.yml │ │ │ │ ├── azure_network_firewall_policy_modified_or_deleted.yml │ │ │ │ ├── azure_network_firewall_rule_modified_or_deleted.yml │ │ │ │ ├── azure_network_p2s_vpn_modified_or_deleted.yml │ │ │ │ ├── azure_network_security_modified_or_deleted.yml │ │ │ │ ├── azure_network_virtual_device_modified_or_deleted.yml │ │ │ │ ├── azure_new_cloudshell_created.yml │ │ │ │ ├── azure_owner_removed_from_application_or_service_principal.yml │ │ │ │ ├── azure_rare_operations.yml │ │ │ │ ├── azure_service_principal_created.yml │ │ │ │ ├── azure_service_principal_removed.yml │ │ │ │ ├── azure_subscription_permissions_elevation_via_activitylogs.yml │ │ │ │ ├── azure_suppression_rule_created.yml │ │ │ │ ├── azure_virtual_network_modified_or_deleted.yml │ │ │ │ └── azure_vpn_connection_modified_or_deleted.yml │ │ │ ├── audit_logs/ │ │ │ │ ├── azure_aad_secops_ca_policy_removedby_bad_actor.yml │ │ │ │ ├── azure_aad_secops_ca_policy_updatedby_bad_actor.yml │ │ │ │ ├── azure_aad_secops_new_ca_policy_addedby_bad_actor.yml │ │ │ │ ├── azure_ad_account_created_deleted.yml │ │ │ │ ├── azure_ad_bitlocker_key_retrieval.yml │ │ │ │ ├── azure_ad_certificate_based_authencation_enabled.yml │ │ │ │ ├── azure_ad_device_registration_policy_changes.yml │ │ │ │ ├── azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml │ │ │ │ ├── azure_ad_new_root_ca_added.yml │ │ │ │ ├── azure_ad_users_added_to_device_admin_roles.yml │ │ │ │ ├── azure_app_appid_uri_changes.yml │ │ │ │ ├── azure_app_credential_added.yml │ │ │ │ ├── azure_app_delegated_permissions_all_users.yml │ │ │ │ ├── azure_app_end_user_consent.yml │ │ │ │ ├── azure_app_end_user_consent_blocked.yml │ │ │ │ ├── azure_app_owner_added.yml │ │ │ │ ├── azure_app_permissions_msft.yml │ │ │ │ ├── azure_app_privileged_permissions.yml │ │ │ │ ├── azure_app_role_added.yml │ │ │ │ ├── azure_app_uri_modifications.yml │ │ │ │ ├── 
azure_auditlogs_laps_credential_dumping.yml │ │ │ │ ├── azure_change_to_authentication_method.yml │ │ │ │ ├── azure_federation_modified.yml │ │ │ │ ├── azure_group_user_addition_ca_modification.yml │ │ │ │ ├── azure_group_user_removal_ca_modification.yml │ │ │ │ ├── azure_guest_invite_failure.yml │ │ │ │ ├── azure_guest_to_member.yml │ │ │ │ ├── azure_pim_activation_approve_deny.yml │ │ │ │ ├── azure_pim_alerts_disabled.yml │ │ │ │ ├── azure_pim_change_settings.yml │ │ │ │ ├── azure_priviledged_role_assignment_add.yml │ │ │ │ ├── azure_priviledged_role_assignment_bulk_change.yml │ │ │ │ ├── azure_privileged_account_creation.yml │ │ │ │ ├── azure_subscription_permissions_elevation_via_auditlogs.yml │ │ │ │ ├── azure_tap_added.yml │ │ │ │ ├── azure_update_risk_and_mfa_registration_policy.yml │ │ │ │ ├── azure_user_account_mfa_disable.yml │ │ │ │ └── azure_user_password_change.yml │ │ │ ├── identity_protection/ │ │ │ │ ├── azure_identity_protection_anomalous_token.yml │ │ │ │ ├── azure_identity_protection_anomalous_user.yml │ │ │ │ ├── azure_identity_protection_anonymous_ip_activity.yml │ │ │ │ ├── azure_identity_protection_anonymous_ip_address.yml │ │ │ │ ├── azure_identity_protection_atypical_travel.yml │ │ │ │ ├── azure_identity_protection_impossible_travel.yml │ │ │ │ ├── azure_identity_protection_inbox_forwarding_rule.yml │ │ │ │ ├── azure_identity_protection_inbox_manipulation.yml │ │ │ │ ├── azure_identity_protection_leaked_credentials.yml │ │ │ │ ├── azure_identity_protection_malicious_ip_address.yml │ │ │ │ ├── azure_identity_protection_malicious_ip_address_suspicious.yml │ │ │ │ ├── azure_identity_protection_malware_linked_ip.yml │ │ │ │ ├── azure_identity_protection_new_coutry_region.yml │ │ │ │ ├── azure_identity_protection_password_spray.yml │ │ │ │ ├── azure_identity_protection_prt_access.yml │ │ │ │ ├── azure_identity_protection_suspicious_browser.yml │ │ │ │ ├── azure_identity_protection_threat_intel.yml │ │ │ │ ├── 
azure_identity_protection_token_issuer_anomaly.yml │ │ │ │ └── azure_identity_protection_unfamilar_sign_in.yml │ │ │ ├── privileged_identity_management/ │ │ │ │ ├── azure_pim_account_stale.yml │ │ │ │ ├── azure_pim_invalid_license.yml │ │ │ │ ├── azure_pim_role_assigned_outside_of_pim.yml │ │ │ │ ├── azure_pim_role_frequent_activation.yml │ │ │ │ ├── azure_pim_role_no_mfa_required.yml │ │ │ │ ├── azure_pim_role_not_used.yml │ │ │ │ └── azure_pim_too_many_global_admins.yml │ │ │ └── signin_logs/ │ │ │ ├── azure_account_lockout.yml │ │ │ ├── azure_ad_auth_failure_increase.yml │ │ │ ├── azure_ad_auth_sucess_increase.yml │ │ │ ├── azure_ad_auth_to_important_apps_using_single_factor_auth.yml │ │ │ ├── azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml │ │ │ ├── azure_ad_azurehound_discovery.yml │ │ │ ├── azure_ad_device_registration_or_join_without_mfa.yml │ │ │ ├── azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml │ │ │ ├── azure_ad_only_single_factor_auth_required.yml │ │ │ ├── azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml │ │ │ ├── azure_ad_sign_ins_from_noncompliant_devices.yml │ │ │ ├── azure_ad_sign_ins_from_unknown_devices.yml │ │ │ ├── azure_ad_suspicious_signin_bypassing_mfa.yml │ │ │ ├── azure_app_device_code_authentication.yml │ │ │ ├── azure_app_ropc_authentication.yml │ │ │ ├── azure_blocked_account_attempt.yml │ │ │ ├── azure_conditional_access_failure.yml │ │ │ ├── azure_legacy_authentication_protocols.yml │ │ │ ├── azure_login_to_disabled_account.yml │ │ │ ├── azure_mfa_denies.yml │ │ │ ├── azure_mfa_interrupted.yml │ │ │ ├── azure_unusual_authentication_interruption.yml │ │ │ ├── azure_user_login_blocked_by_conditional_access.yml │ │ │ └── azure_users_authenticating_to_other_azure_ad_tenants.yml │ │ ├── gcp/ │ │ │ ├── audit/ │ │ │ │ ├── gcp_access_policy_deleted.yml │ │ │ │ ├── gcp_breakglass_container_workload_deployed.yml │ │ │ │ ├── gcp_bucket_enumeration.yml │ │ │ │ ├── 
gcp_bucket_modified_or_deleted.yml │ │ │ │ ├── gcp_dlp_re_identifies_sensitive_information.yml │ │ │ │ ├── gcp_dns_zone_modified_or_deleted.yml │ │ │ │ ├── gcp_firewall_rule_modified_or_deleted.yml │ │ │ │ ├── gcp_full_network_traffic_packet_capture.yml │ │ │ │ ├── gcp_kubernetes_admission_controller.yml │ │ │ │ ├── gcp_kubernetes_cronjob.yml │ │ │ │ ├── gcp_kubernetes_rolebinding.yml │ │ │ │ ├── gcp_kubernetes_secrets_modified_or_deleted.yml │ │ │ │ ├── gcp_service_account_disabled_or_deleted.yml │ │ │ │ ├── gcp_service_account_modified.yml │ │ │ │ ├── gcp_sql_database_modified_or_deleted.yml │ │ │ │ └── gcp_vpn_tunnel_modified_or_deleted.yml │ │ │ └── gworkspace/ │ │ │ ├── gcp_gworkspace_application_access_levels_modified.yml │ │ │ ├── gcp_gworkspace_application_removed.yml │ │ │ ├── gcp_gworkspace_granted_domain_api_access.yml │ │ │ ├── gcp_gworkspace_mfa_disabled.yml │ │ │ ├── gcp_gworkspace_role_modified_or_deleted.yml │ │ │ ├── gcp_gworkspace_role_privilege_deleted.yml │ │ │ └── gcp_gworkspace_user_granted_admin_privileges.yml │ │ └── m365/ │ │ ├── audit/ │ │ │ ├── microsoft365_bypass_conditional_access.yml │ │ │ ├── microsoft365_disabling_mfa.yml │ │ │ └── microsoft365_new_federated_domain_added_audit.yml │ │ ├── exchange/ │ │ │ └── microsoft365_new_federated_domain_added_exchange.yml │ │ ├── threat_detection/ │ │ │ └── microsoft365_from_susp_ip_addresses.yml │ │ └── threat_management/ │ │ ├── microsoft365_activity_by_terminated_user.yml │ │ ├── microsoft365_activity_from_anonymous_ip_addresses.yml │ │ ├── microsoft365_activity_from_infrequent_country.yml │ │ ├── microsoft365_data_exfiltration_to_unsanctioned_app.yml │ │ ├── microsoft365_impossible_travel_activity.yml │ │ ├── microsoft365_logon_from_risky_ip_address.yml │ │ ├── microsoft365_potential_ransomware_activity.yml │ │ ├── microsoft365_pst_export_alert.yml │ │ ├── microsoft365_pst_export_alert_using_new_compliancesearchaction.yml │ │ ├── microsoft365_susp_inbox_forwarding.yml │ │ ├── 
microsoft365_susp_oauth_app_file_download_activities.yml │ │ ├── microsoft365_unusual_volume_of_file_deletion.yml │ │ └── microsoft365_user_restricted_from_sending_email.yml │ ├── identity/ │ │ ├── cisco_duo/ │ │ │ └── cisco_duo_mfa_bypass_via_bypass_code.yml │ │ ├── okta/ │ │ │ ├── okta_admin_activity_from_proxy_query.yml │ │ │ ├── okta_admin_role_assigned_to_user_or_group.yml │ │ │ ├── okta_admin_role_assignment_created.yml │ │ │ ├── okta_api_token_created.yml │ │ │ ├── okta_api_token_revoked.yml │ │ │ ├── okta_application_modified_or_deleted.yml │ │ │ ├── okta_application_sign_on_policy_modified_or_deleted.yml │ │ │ ├── okta_fastpass_phishing_detection.yml │ │ │ ├── okta_identity_provider_created.yml │ │ │ ├── okta_mfa_reset_or_deactivated.yml │ │ │ ├── okta_network_zone_deactivated_or_deleted.yml │ │ │ ├── okta_new_behaviours_admin_console.yml │ │ │ ├── okta_password_in_alternateid_field.yml │ │ │ ├── okta_policy_modified_or_deleted.yml │ │ │ ├── okta_policy_rule_modified_or_deleted.yml │ │ │ ├── okta_security_threat_detected.yml │ │ │ ├── okta_suspicious_activity_enduser_report.yml │ │ │ ├── okta_unauthorized_access_to_app.yml │ │ │ ├── okta_user_account_locked_out.yml │ │ │ ├── okta_user_created.yml │ │ │ └── okta_user_session_start_via_anonymised_proxy.yml │ │ └── onelogin/ │ │ ├── onelogin_assumed_another_user.yml │ │ └── onelogin_user_account_locked.yml │ ├── linux/ │ │ ├── auditd/ │ │ │ ├── execve/ │ │ │ │ ├── lnx_auditd_binary_padding.yml │ │ │ │ ├── lnx_auditd_bpfdoor_port_redirect.yml │ │ │ │ ├── lnx_auditd_capabilities_discovery.yml │ │ │ │ ├── lnx_auditd_change_file_time_attr.yml │ │ │ │ ├── lnx_auditd_chattr_immutable_removal.yml │ │ │ │ ├── lnx_auditd_clipboard_collection.yml │ │ │ │ ├── lnx_auditd_clipboard_image_collection.yml │ │ │ │ ├── lnx_auditd_coinminer.yml │ │ │ │ ├── lnx_auditd_data_compressed.yml │ │ │ │ ├── lnx_auditd_data_exfil_wget.yml │ │ │ │ ├── lnx_auditd_dd_delete_file.yml │ │ │ │ ├── lnx_auditd_file_or_folder_permissions.yml │ │ 
│ │ ├── lnx_auditd_find_cred_in_files.yml │ │ │ │ ├── lnx_auditd_hidden_files_directories.yml │ │ │ │ ├── lnx_auditd_hidden_zip_files_steganography.yml │ │ │ │ ├── lnx_auditd_masquerading_crond.yml │ │ │ │ ├── lnx_auditd_modify_system_firewall.yml │ │ │ │ ├── lnx_auditd_network_sniffing.yml │ │ │ │ ├── lnx_auditd_screencapture_import.yml │ │ │ │ ├── lnx_auditd_screencaputre_xwd.yml │ │ │ │ ├── lnx_auditd_steghide_embed_steganography.yml │ │ │ │ ├── lnx_auditd_steghide_extract_steganography.yml │ │ │ │ ├── lnx_auditd_susp_cmds.yml │ │ │ │ ├── lnx_auditd_susp_histfile_operations.yml │ │ │ │ ├── lnx_auditd_susp_service_reload_or_restart.yml │ │ │ │ ├── lnx_auditd_system_shutdown_reboot.yml │ │ │ │ ├── lnx_auditd_unzip_hidden_zip_files_steganography.yml │ │ │ │ └── lnx_auditd_user_discovery.yml │ │ │ ├── lnx_auditd_audio_capture.yml │ │ │ ├── lnx_auditd_disable_aslr_protection.yml │ │ │ ├── lnx_auditd_keylogging_with_pam_d.yml │ │ │ ├── lnx_auditd_password_policy_discovery.yml │ │ │ ├── lnx_auditd_susp_c2_commands.yml │ │ │ ├── lnx_auditd_system_info_discovery.yml │ │ │ ├── path/ │ │ │ │ ├── lnx_auditd_auditing_config_change.yml │ │ │ │ ├── lnx_auditd_bpfdoor_file_accessed.yml │ │ │ │ ├── lnx_auditd_hidden_binary_execution.yml │ │ │ │ ├── lnx_auditd_ld_so_preload_mod.yml │ │ │ │ ├── lnx_auditd_logging_config_change.yml │ │ │ │ ├── lnx_auditd_magic_system_request_key.yml │ │ │ │ ├── lnx_auditd_system_info_discovery2.yml │ │ │ │ ├── lnx_auditd_systemd_service_creation.yml │ │ │ │ └── lnx_auditd_unix_shell_configuration_modification.yml │ │ │ ├── service_stop/ │ │ │ │ └── lnx_auditd_disable_system_firewall.yml │ │ │ └── syscall/ │ │ │ ├── lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml │ │ │ ├── lnx_auditd_create_account.yml │ │ │ ├── lnx_auditd_load_module_insmod.yml │ │ │ ├── lnx_auditd_network_service_scanning.yml │ │ │ ├── lnx_auditd_split_file_into_pieces.yml │ │ │ ├── lnx_auditd_susp_discovery_sysinfo_syscall.yml │ │ │ ├── lnx_auditd_susp_exe_folders.yml │ │ │ 
├── lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml │ │ │ └── lnx_auditd_web_rce.yml │ │ ├── builtin/ │ │ │ ├── clamav/ │ │ │ │ └── lnx_clamav_relevant_message.yml │ │ │ ├── cron/ │ │ │ │ └── lnx_cron_crontab_file_modification.yml │ │ │ ├── guacamole/ │ │ │ │ └── lnx_guacamole_susp_guacamole.yml │ │ │ ├── lnx_apt_equationgroup_lnx.yml │ │ │ ├── lnx_buffer_overflows.yml │ │ │ ├── lnx_clear_syslog.yml │ │ │ ├── lnx_file_copy.yml │ │ │ ├── lnx_ldso_preload_injection.yml │ │ │ ├── lnx_potential_susp_ebpf_activity.yml │ │ │ ├── lnx_privileged_user_creation.yml │ │ │ ├── lnx_shell_clear_cmd_history.yml │ │ │ ├── lnx_shell_susp_commands.yml │ │ │ ├── lnx_shell_susp_log_entries.yml │ │ │ ├── lnx_shell_susp_rev_shells.yml │ │ │ ├── lnx_shellshock.yml │ │ │ ├── lnx_susp_dev_tcp.yml │ │ │ ├── lnx_susp_jexboss.yml │ │ │ ├── lnx_symlink_etc_passwd.yml │ │ │ ├── sshd/ │ │ │ │ └── lnx_sshd_susp_ssh.yml │ │ │ ├── syslog/ │ │ │ │ ├── lnx_syslog_security_tools_disabling_syslog.yml │ │ │ │ └── lnx_syslog_susp_named.yml │ │ │ └── vsftpd/ │ │ │ └── lnx_vsftpd_susp_error_messages.yml │ │ ├── file_event/ │ │ │ ├── file_event_lnx_doas_conf_creation.yml │ │ │ ├── file_event_lnx_persistence_cron_files.yml │ │ │ ├── file_event_lnx_persistence_sudoers_files.yml │ │ │ ├── file_event_lnx_susp_filename_with_embedded_base64_command.yml │ │ │ ├── file_event_lnx_susp_shell_script_under_profile_directory.yml │ │ │ ├── file_event_lnx_triple_cross_rootkit_lock_file.yml │ │ │ ├── file_event_lnx_triple_cross_rootkit_persistence.yml │ │ │ └── file_event_lnx_wget_download_file_in_tmp_dir.yml │ │ ├── network_connection/ │ │ │ ├── net_connection_lnx_back_connect_shell_dev.yml │ │ │ ├── net_connection_lnx_crypto_mining_indicators.yml │ │ │ ├── net_connection_lnx_domain_localtonet_tunnel.yml │ │ │ ├── net_connection_lnx_ngrok_tunnel.yml │ │ │ └── net_connection_lnx_susp_malware_callback_port.yml │ │ └── process_creation/ │ │ ├── proc_creation_lnx_apt_shell_execution.yml │ │ ├── 
proc_creation_lnx_at_command.yml │ │ ├── proc_creation_lnx_auditctl_clear_rules.yml │ │ ├── proc_creation_lnx_av_kaspersky_av_disabled.yml │ │ ├── proc_creation_lnx_awk_shell_spawn.yml │ │ ├── proc_creation_lnx_base64_decode.yml │ │ ├── proc_creation_lnx_base64_execution.yml │ │ ├── proc_creation_lnx_base64_shebang_cli.yml │ │ ├── proc_creation_lnx_bash_interactive_shell.yml │ │ ├── proc_creation_lnx_bpf_kprob_tracing_enabled.yml │ │ ├── proc_creation_lnx_bpftrace_unsafe_option_usage.yml │ │ ├── proc_creation_lnx_cap_setgid.yml │ │ ├── proc_creation_lnx_cap_setuid.yml │ │ ├── proc_creation_lnx_capa_discovery.yml │ │ ├── proc_creation_lnx_capsh_shell_invocation.yml │ │ ├── proc_creation_lnx_chattr_immutable_removal.yml │ │ ├── proc_creation_lnx_chroot_execution.yml │ │ ├── proc_creation_lnx_clear_logs.yml │ │ ├── proc_creation_lnx_clear_syslog.yml │ │ ├── proc_creation_lnx_clipboard_collection.yml │ │ ├── proc_creation_lnx_cp_passwd_or_shadow_tmp.yml │ │ ├── proc_creation_lnx_crontab_enumeration.yml │ │ ├── proc_creation_lnx_crontab_removal.yml │ │ ├── proc_creation_lnx_crypto_mining.yml │ │ ├── proc_creation_lnx_curl_usage.yml │ │ ├── proc_creation_lnx_curl_wget_exec_tmp.yml │ │ ├── proc_creation_lnx_dd_file_overwrite.yml │ │ ├── proc_creation_lnx_dd_process_injection.yml │ │ ├── proc_creation_lnx_disable_ufw.yml │ │ ├── proc_creation_lnx_doas_execution.yml │ │ ├── proc_creation_lnx_env_shell_invocation.yml │ │ ├── proc_creation_lnx_esxcli_network_discovery.yml │ │ ├── proc_creation_lnx_esxcli_permission_change_admin.yml │ │ ├── proc_creation_lnx_esxcli_storage_discovery.yml │ │ ├── proc_creation_lnx_esxcli_syslog_config_change.yml │ │ ├── proc_creation_lnx_esxcli_system_discovery.yml │ │ ├── proc_creation_lnx_esxcli_user_account_creation.yml │ │ ├── proc_creation_lnx_esxcli_vm_discovery.yml │ │ ├── proc_creation_lnx_esxcli_vm_kill.yml │ │ ├── proc_creation_lnx_esxcli_vsan_discovery.yml │ │ ├── proc_creation_lnx_file_and_directory_discovery.yml │ │ ├── 
proc_creation_lnx_file_deletion.yml │ │ ├── proc_creation_lnx_find_shell_execution.yml │ │ ├── proc_creation_lnx_flock_shell_execution.yml │ │ ├── proc_creation_lnx_gcc_shell_execution.yml │ │ ├── proc_creation_lnx_git_shell_execution.yml │ │ ├── proc_creation_lnx_grep_os_arch_discovery.yml │ │ ├── proc_creation_lnx_groupdel.yml │ │ ├── proc_creation_lnx_install_root_certificate.yml │ │ ├── proc_creation_lnx_install_suspicious_packages.yml │ │ ├── proc_creation_lnx_iptables_flush_ufw.yml │ │ ├── proc_creation_lnx_local_account.yml │ │ ├── proc_creation_lnx_local_groups.yml │ │ ├── proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml │ │ ├── proc_creation_lnx_mkfifo_named_pipe_creation.yml │ │ ├── proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml │ │ ├── proc_creation_lnx_mount_hidepid.yml │ │ ├── proc_creation_lnx_netcat_reverse_shell.yml │ │ ├── proc_creation_lnx_nice_shell_execution.yml │ │ ├── proc_creation_lnx_nohup.yml │ │ ├── proc_creation_lnx_nohup_susp_execution.yml │ │ ├── proc_creation_lnx_omigod_scx_runasprovider_executescript.yml │ │ ├── proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml │ │ ├── proc_creation_lnx_perl_reverse_shell.yml │ │ ├── proc_creation_lnx_php_reverse_shell.yml │ │ ├── proc_creation_lnx_pnscan_binary_cli_pattern.yml │ │ ├── proc_creation_lnx_proxy_connection.yml │ │ ├── proc_creation_lnx_pua_trufflehog.yml │ │ ├── proc_creation_lnx_python_http_server_execution.yml │ │ ├── proc_creation_lnx_python_pty_spawn.yml │ │ ├── proc_creation_lnx_python_reverse_shell.yml │ │ ├── proc_creation_lnx_python_shell_os_system.yml │ │ ├── proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml │ │ ├── proc_creation_lnx_remote_system_discovery.yml │ │ ├── proc_creation_lnx_remove_package.yml │ │ ├── proc_creation_lnx_rsync_shell_execution.yml │ │ ├── proc_creation_lnx_rsync_shell_spawn.yml │ │ ├── proc_creation_lnx_ruby_reverse_shell.yml │ │ ├── proc_creation_lnx_schedule_task_job_cron.yml │ │ ├── 
proc_creation_lnx_security_software_discovery.yml │ │ ├── proc_creation_lnx_security_tools_disabling.yml │ │ ├── proc_creation_lnx_services_stop_and_disable.yml │ │ ├── proc_creation_lnx_setgid_setuid.yml │ │ ├── proc_creation_lnx_ssh_shell_execution.yml │ │ ├── proc_creation_lnx_ssm_agent_abuse.yml │ │ ├── proc_creation_lnx_susp_chmod_directories.yml │ │ ├── proc_creation_lnx_susp_container_residence_discovery.yml │ │ ├── proc_creation_lnx_susp_curl_fileupload.yml │ │ ├── proc_creation_lnx_susp_curl_useragent.yml │ │ ├── proc_creation_lnx_susp_dockerenv_recon.yml │ │ ├── proc_creation_lnx_susp_execution_tmp_folder.yml │ │ ├── proc_creation_lnx_susp_find_execution.yml │ │ ├── proc_creation_lnx_susp_git_clone.yml │ │ ├── proc_creation_lnx_susp_history_delete.yml │ │ ├── proc_creation_lnx_susp_history_recon.yml │ │ ├── proc_creation_lnx_susp_hktl_execution.yml │ │ ├── proc_creation_lnx_susp_inod_listing.yml │ │ ├── proc_creation_lnx_susp_interactive_bash.yml │ │ ├── proc_creation_lnx_susp_java_children.yml │ │ ├── proc_creation_lnx_susp_network_utilities_execution.yml │ │ ├── proc_creation_lnx_susp_pipe_shell.yml │ │ ├── proc_creation_lnx_susp_process_reading_sudoers.yml │ │ ├── proc_creation_lnx_susp_recon_indicators.yml │ │ ├── proc_creation_lnx_susp_sensitive_file_access.yml │ │ ├── proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml │ │ ├── proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml │ │ ├── proc_creation_lnx_system_info_discovery.yml │ │ ├── proc_creation_lnx_system_network_connections_discovery.yml │ │ ├── proc_creation_lnx_system_network_discovery.yml │ │ ├── proc_creation_lnx_systemctl_mask_power_settings.yml │ │ ├── proc_creation_lnx_touch_susp.yml │ │ ├── proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml │ │ ├── proc_creation_lnx_triple_cross_rootkit_install.yml │ │ ├── proc_creation_lnx_userdel.yml │ │ ├── proc_creation_lnx_usermod_susp_group.yml │ │ ├── proc_creation_lnx_vim_shell_execution.yml │ │ ├── 
proc_creation_lnx_webshell_detection.yml │ │ ├── proc_creation_lnx_wget_download_suspicious_directory.yml │ │ └── proc_creation_lnx_xterm_reverse_shell.yml │ ├── macos/ │ │ ├── file_event/ │ │ │ ├── file_event_macos_emond_launch_daemon.yml │ │ │ └── file_event_macos_susp_startup_item_created.yml │ │ └── process_creation/ │ │ ├── proc_creation_macos_applescript.yml │ │ ├── proc_creation_macos_base64_decode.yml │ │ ├── proc_creation_macos_binary_padding.yml │ │ ├── proc_creation_macos_change_file_time_attr.yml │ │ ├── proc_creation_macos_chflags_hidden_flag.yml │ │ ├── proc_creation_macos_clear_system_logs.yml │ │ ├── proc_creation_macos_clipboard_data_via_osascript.yml │ │ ├── proc_creation_macos_create_account.yml │ │ ├── proc_creation_macos_create_hidden_account.yml │ │ ├── proc_creation_macos_creds_from_keychain.yml │ │ ├── proc_creation_macos_csrutil_disable.yml │ │ ├── proc_creation_macos_csrutil_status.yml │ │ ├── proc_creation_macos_disable_security_tools.yml │ │ ├── proc_creation_macos_dscl_add_user_to_admin_group.yml │ │ ├── proc_creation_macos_dseditgroup_add_to_admin_group.yml │ │ ├── proc_creation_macos_dsenableroot_enable_root_account.yml │ │ ├── proc_creation_macos_file_and_directory_discovery.yml │ │ ├── proc_creation_macos_find_cred_in_files.yml │ │ ├── proc_creation_macos_gui_input_capture.yml │ │ ├── proc_creation_macos_hdiutil_create.yml │ │ ├── proc_creation_macos_hdiutil_mount.yml │ │ ├── proc_creation_macos_installer_susp_child_process.yml │ │ ├── proc_creation_macos_ioreg_discovery.yml │ │ ├── proc_creation_macos_jamf_susp_child.yml │ │ ├── proc_creation_macos_jamf_usage.yml │ │ ├── proc_creation_macos_jxa_in_memory_execution.yml │ │ ├── proc_creation_macos_launchctl_execution.yml │ │ ├── proc_creation_macos_local_account.yml │ │ ├── proc_creation_macos_local_groups.yml │ │ ├── proc_creation_macos_network_service_scanning.yml │ │ ├── proc_creation_macos_network_sniffing.yml │ │ ├── proc_creation_macos_nscurl_usage.yml │ │ ├── 
proc_creation_macos_office_susp_child_processes.yml │ │ ├── proc_creation_macos_osacompile_runonly_execution.yml │ │ ├── proc_creation_macos_payload_decoded_and_decrypted.yml │ │ ├── proc_creation_macos_persistence_via_plistbuddy.yml │ │ ├── proc_creation_macos_remote_access_tools_meshagent_arguments.yml │ │ ├── proc_creation_macos_remote_access_tools_renamed_meshagent_execution.yml │ │ ├── proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml │ │ ├── proc_creation_macos_remote_system_discovery.yml │ │ ├── proc_creation_macos_schedule_task_job_cron.yml │ │ ├── proc_creation_macos_screencapture.yml │ │ ├── proc_creation_macos_security_software_discovery.yml │ │ ├── proc_creation_macos_space_after_filename.yml │ │ ├── proc_creation_macos_split_file_into_pieces.yml │ │ ├── proc_creation_macos_susp_browser_child_process.yml │ │ ├── proc_creation_macos_susp_execution_macos_script_editor.yml │ │ ├── proc_creation_macos_susp_find_execution.yml │ │ ├── proc_creation_macos_susp_histfile_operations.yml │ │ ├── proc_creation_macos_susp_in_memory_download_and_compile.yml │ │ ├── proc_creation_macos_susp_macos_firmware_activity.yml │ │ ├── proc_creation_macos_susp_system_network_discovery.yml │ │ ├── proc_creation_macos_suspicious_applet_behaviour.yml │ │ ├── proc_creation_macos_swvers_discovery.yml │ │ ├── proc_creation_macos_sysadminctl_add_user_to_admin_group.yml │ │ ├── proc_creation_macos_sysadminctl_enable_guest_account.yml │ │ ├── proc_creation_macos_sysctl_discovery.yml │ │ ├── proc_creation_macos_system_network_connections_discovery.yml │ │ ├── proc_creation_macos_system_profiler_discovery.yml │ │ ├── proc_creation_macos_system_shutdown_reboot.yml │ │ ├── proc_creation_macos_tail_base64_decode_from_image.yml │ │ ├── proc_creation_macos_tmutil_delete_backup.yml │ │ ├── proc_creation_macos_tmutil_disable_backup.yml │ │ ├── proc_creation_macos_tmutil_exclude_file_from_backup.yml │ │ ├── proc_creation_macos_wizardupdate_malware_infection.yml │ │ ├── 
proc_creation_macos_xattr_gatekeeper_bypass.yml │ │ └── proc_creation_macos_xcsset_malware_infection.yml │ ├── network/ │ │ ├── cisco/ │ │ │ ├── aaa/ │ │ │ │ ├── cisco_cli_clear_logs.yml │ │ │ │ ├── cisco_cli_collect_data.yml │ │ │ │ ├── cisco_cli_crypto_actions.yml │ │ │ │ ├── cisco_cli_disable_logging.yml │ │ │ │ ├── cisco_cli_discovery.yml │ │ │ │ ├── cisco_cli_dos.yml │ │ │ │ ├── cisco_cli_file_deletion.yml │ │ │ │ ├── cisco_cli_input_capture.yml │ │ │ │ ├── cisco_cli_local_accounts.yml │ │ │ │ ├── cisco_cli_modify_config.yml │ │ │ │ ├── cisco_cli_moving_data.yml │ │ │ │ └── cisco_cli_net_sniff.yml │ │ │ ├── bgp/ │ │ │ │ └── cisco_bgp_md5_auth_failed.yml │ │ │ └── ldp/ │ │ │ └── cisco_ldp_md5_auth_failed.yml │ │ ├── dns/ │ │ │ ├── net_dns_external_service_interaction_domains.yml │ │ │ ├── net_dns_mal_cobaltstrike.yml │ │ │ ├── net_dns_pua_cryptocoin_mining_xmr.yml │ │ │ ├── net_dns_susp_b64_queries.yml │ │ │ ├── net_dns_susp_telegram_api.yml │ │ │ ├── net_dns_susp_txt_exec_strings.yml │ │ │ └── net_dns_wannacry_killswitch_domain.yml │ │ ├── firewall/ │ │ │ └── net_firewall_cleartext_protocols.yml │ │ ├── fortinet/ │ │ │ └── fortigate/ │ │ │ ├── fortinet_fortigate_new_admin_account_created.yml │ │ │ ├── fortinet_fortigate_new_firewall_address_object.yml │ │ │ ├── fortinet_fortigate_new_firewall_policy_added.yml │ │ │ ├── fortinet_fortigate_new_local_user_created.yml │ │ │ ├── fortinet_fortigate_new_vpn_ssl_web_portal.yml │ │ │ ├── fortinet_fortigate_user_group_modified.yml │ │ │ └── fortinet_fortigate_vpn_ssl_settings_modified.yml │ │ ├── huawei/ │ │ │ └── bgp/ │ │ │ └── huawei_bgp_auth_failed.yml │ │ ├── juniper/ │ │ │ └── bgp/ │ │ │ └── juniper_bgp_missing_md5.yml │ │ └── zeek/ │ │ ├── zeek_dce_rpc_mitre_bzar_execution.yml │ │ ├── zeek_dce_rpc_mitre_bzar_persistence.yml │ │ ├── zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml │ │ ├── zeek_dce_rpc_smb_spoolss_named_pipe.yml │ │ ├── zeek_default_cobalt_strike_certificate.yml │ │ ├── 
zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml │ │ ├── zeek_dns_mining_pools.yml │ │ ├── zeek_dns_nkn.yml │ │ ├── zeek_dns_susp_zbit_flag.yml │ │ ├── zeek_dns_torproxy.yml │ │ ├── zeek_http_executable_download_from_webdav.yml │ │ ├── zeek_http_susp_file_ext_from_susp_tld.yml │ │ ├── zeek_http_webdav_put_request.yml │ │ ├── zeek_rdp_public_listener.yml │ │ ├── zeek_smb_converted_win_atsvc_task.yml │ │ ├── zeek_smb_converted_win_impacket_secretdump.yml │ │ ├── zeek_smb_converted_win_lm_namedpipe.yml │ │ ├── zeek_smb_converted_win_susp_psexec.yml │ │ ├── zeek_smb_converted_win_susp_raccess_sensitive_fext.yml │ │ ├── zeek_smb_converted_win_transferring_files_with_credential_data.yml │ │ └── zeek_susp_kerberos_rc4.yml │ ├── web/ │ │ ├── product/ │ │ │ ├── apache/ │ │ │ │ ├── web_apache_segfault.yml │ │ │ │ └── web_apache_threading_error.yml │ │ │ └── nginx/ │ │ │ └── web_nginx_core_dump.yml │ │ ├── proxy_generic/ │ │ │ ├── proxy_download_susp_dyndns.yml │ │ │ ├── proxy_download_susp_tlds_blacklist.yml │ │ │ ├── proxy_download_susp_tlds_whitelist.yml │ │ │ ├── proxy_downloadcradle_webdav.yml │ │ │ ├── proxy_f5_tm_utility_bash_api_request.yml │ │ │ ├── proxy_hello_world_user_agent.yml │ │ │ ├── proxy_hktl_baby_shark_default_agent_url.yml │ │ │ ├── proxy_hktl_cobalt_strike_malleable_c2_requests.yml │ │ │ ├── proxy_hktl_empire_ua_uri_patterns.yml │ │ │ ├── proxy_pua_advanced_ip_scanner_update_check.yml │ │ │ ├── proxy_pwndrop.yml │ │ │ ├── proxy_raw_paste_service_access.yml │ │ │ ├── proxy_susp_flash_download_loc.yml │ │ │ ├── proxy_susp_ipfs_cred_harvest.yml │ │ │ ├── proxy_telegram_api.yml │ │ │ ├── proxy_ua_apt.yml │ │ │ ├── proxy_ua_base64_encoded.yml │ │ │ ├── proxy_ua_bitsadmin_susp_ip.yml │ │ │ ├── proxy_ua_bitsadmin_susp_tld.yml │ │ │ ├── proxy_ua_cryptominer.yml │ │ │ ├── proxy_ua_empty.yml │ │ │ ├── proxy_ua_frameworks.yml │ │ │ ├── proxy_ua_hacktool.yml │ │ │ ├── proxy_ua_malware.yml │ │ │ ├── proxy_ua_powershell.yml │ │ │ ├── proxy_ua_rclone.yml │ │ 
│ ├── proxy_ua_susp.yml │ │ │ ├── proxy_ua_susp_base64.yml │ │ │ └── proxy_webdav_external_execution.yml │ │ └── webserver_generic/ │ │ ├── web_f5_tm_utility_bash_api_request.yml │ │ ├── web_iis_tilt_shortname_scan.yml │ │ ├── web_java_payload_in_access_logs.yml │ │ ├── web_jndi_exploit.yml │ │ ├── web_path_traversal_exploitation_attempt.yml │ │ ├── web_source_code_enumeration.yml │ │ ├── web_sql_injection_in_access_logs.yml │ │ ├── web_ssti_in_access_logs.yml │ │ ├── web_susp_useragents.yml │ │ ├── web_susp_windows_path_uri.yml │ │ ├── web_webshell_regeorg.yml │ │ ├── web_win_webshells_in_access_logs.yml │ │ └── web_xss_in_access_logs.yml │ └── windows/ │ ├── builtin/ │ │ ├── application/ │ │ │ ├── Other/ │ │ │ │ └── win_av_relevant_match.yml │ │ │ ├── application_error/ │ │ │ │ ├── win_application_error_lsass_crash.yml │ │ │ │ └── win_application_error_msmpeng_crash.yml │ │ │ ├── esent/ │ │ │ │ ├── win_esent_ntdsutil_abuse.yml │ │ │ │ └── win_esent_ntdsutil_abuse_susp_location.yml │ │ │ ├── microsoft-windows_audit_cve/ │ │ │ │ └── win_audit_cve.yml │ │ │ ├── microsoft_windows_backup/ │ │ │ │ └── win_susp_backup_delete.yml │ │ │ ├── microsoft_windows_software_restriction_policies/ │ │ │ │ └── win_software_restriction_policies_block.yml │ │ │ ├── msiinstaller/ │ │ │ │ ├── win_builtin_remove_application.yml │ │ │ │ ├── win_msi_install_from_susp_locations.yml │ │ │ │ ├── win_msi_install_from_web.yml │ │ │ │ └── win_software_atera_rmm_agent_install.yml │ │ │ ├── mssqlserver/ │ │ │ │ ├── win_mssql_add_sysadmin_account.yml │ │ │ │ ├── win_mssql_destructive_query.yml │ │ │ │ ├── win_mssql_disable_audit_settings.yml │ │ │ │ ├── win_mssql_failed_logon.yml │ │ │ │ ├── win_mssql_failed_logon_from_external_network.yml │ │ │ │ ├── win_mssql_sp_procoption_set.yml │ │ │ │ ├── win_mssql_xp_cmdshell_audit_log.yml │ │ │ │ └── win_mssql_xp_cmdshell_change.yml │ │ │ ├── screenconnect/ │ │ │ │ ├── win_app_remote_access_tools_screenconnect_command_exec.yml │ │ │ │ └── 
win_app_remote_access_tools_screenconnect_file_transfer.yml │ │ │ └── windows_error_reporting/ │ │ │ └── win_application_msmpeng_crash_wer.yml │ │ ├── applocker/ │ │ │ └── win_applocker_application_was_prevented_from_running.yml │ │ ├── appmodel_runtime/ │ │ │ └── win_appmodel_runtime_sysinternals_tools_appx_execution.yml │ │ ├── appxdeployment_server/ │ │ │ ├── win_appxdeployment_server_applocker_block.yml │ │ │ ├── win_appxdeployment_server_appx_downloaded_from_file_sharing_domains.yml │ │ │ ├── win_appxdeployment_server_appx_package_deployment_failed_signing_requirements.yml │ │ │ ├── win_appxdeployment_server_appx_package_in_staging_directory.yml │ │ │ ├── win_appxdeployment_server_mal_appx_names.yml │ │ │ ├── win_appxdeployment_server_policy_block.yml │ │ │ ├── win_appxdeployment_server_uncommon_package_locations.yml │ │ │ ├── win_appxpackaging_server_full_trust_package_installation.yml │ │ │ └── win_appxpackaging_server_unsigned_package_installation.yml │ │ ├── appxpackaging_om/ │ │ │ └── win_appxpackaging_om_sups_appx_signature.yml │ │ ├── bits_client/ │ │ │ ├── win_bits_client_new_job_via_bitsadmin.yml │ │ │ ├── win_bits_client_new_job_via_powershell.yml │ │ │ ├── win_bits_client_new_transfer_saving_susp_extensions.yml │ │ │ ├── win_bits_client_new_transfer_via_file_sharing_domains.yml │ │ │ ├── win_bits_client_new_transfer_via_ip_address.yml │ │ │ ├── win_bits_client_new_transfer_via_uncommon_tld.yml │ │ │ └── win_bits_client_new_trasnfer_susp_local_folder.yml │ │ ├── capi2/ │ │ │ └── win_capi2_acquire_certificate_private_key.yml │ │ ├── certificate_services_client_lifecycle_system/ │ │ │ └── win_certificateservicesclient_lifecycle_system_cert_exported.yml │ │ ├── code_integrity/ │ │ │ ├── win_codeintegrity_attempted_dll_load.yml │ │ │ ├── win_codeintegrity_blocked_protected_process_file.yml │ │ │ ├── win_codeintegrity_enforced_policy_block.yml │ │ │ ├── win_codeintegrity_revoked_driver_blocked.yml │ │ │ ├── win_codeintegrity_revoked_driver_loaded.yml │ │ 
│ ├── win_codeintegrity_revoked_image_blocked.yml │ │ │ ├── win_codeintegrity_revoked_image_loaded.yml │ │ │ ├── win_codeintegrity_unsigned_driver_loaded.yml │ │ │ ├── win_codeintegrity_unsigned_image_loaded.yml │ │ │ └── win_codeintegrity_whql_failure.yml │ │ ├── diagnosis/ │ │ │ └── scripted/ │ │ │ └── win_diagnosis_scripted_load_remote_diagcab.yml │ │ ├── dns_client/ │ │ │ ├── win_dns_client_anonymfiles_com.yml │ │ │ ├── win_dns_client_mal_cobaltstrike.yml │ │ │ ├── win_dns_client_mega_nz.yml │ │ │ ├── win_dns_client_put_io.yml │ │ │ ├── win_dns_client_tor_onion.yml │ │ │ └── win_dns_client_ufile_io.yml │ │ ├── dns_server/ │ │ │ ├── win_dns_server_failed_dns_zone_transfer.yml │ │ │ └── win_dns_server_susp_server_level_plugin_dll.yml │ │ ├── driverframeworks/ │ │ │ └── win_usb_device_plugged.yml │ │ ├── firewall_as/ │ │ │ ├── win_firewall_as_add_rule.yml │ │ │ ├── win_firewall_as_add_rule_susp_folder.yml │ │ │ ├── win_firewall_as_add_rule_wmiprvse.yml │ │ │ ├── win_firewall_as_delete_all_rules.yml │ │ │ ├── win_firewall_as_delete_rule.yml │ │ │ ├── win_firewall_as_failed_load_gpo.yml │ │ │ ├── win_firewall_as_reset_config.yml │ │ │ └── win_firewall_as_setting_change.yml │ │ ├── iis-configuration/ │ │ │ ├── win_iis_logging_etw_disabled.yml │ │ │ ├── win_iis_logging_http_disabled.yml │ │ │ ├── win_iis_module_added.yml │ │ │ └── win_iis_module_removed.yml │ │ ├── ldap/ │ │ │ └── win_ldap_recon.yml │ │ ├── lsa_server/ │ │ │ └── win_lsa_server_normal_user_admin.yml │ │ ├── msexchange/ │ │ │ ├── win_exchange_proxylogon_oabvirtualdir.yml │ │ │ ├── win_exchange_proxyshell_certificate_generation.yml │ │ │ ├── win_exchange_proxyshell_mailbox_export.yml │ │ │ ├── win_exchange_proxyshell_remove_mailbox_export.yml │ │ │ ├── win_exchange_set_oabvirtualdirectory_externalurl.yml │ │ │ ├── win_exchange_transportagent.yml │ │ │ └── win_exchange_transportagent_failed.yml │ │ ├── ntlm/ │ │ │ ├── win_susp_ntlm_auth.yml │ │ │ ├── win_susp_ntlm_brute_force.yml │ │ │ └── 
win_susp_ntlm_rdp.yml │ │ ├── openssh/ │ │ │ └── win_sshd_openssh_server_listening_on_socket.yml │ │ ├── security/ │ │ │ ├── account_management/ │ │ │ │ ├── win_security_access_token_abuse.yml │ │ │ │ ├── win_security_admin_rdp_login.yml │ │ │ │ ├── win_security_diagtrack_eop_default_login_username.yml │ │ │ │ ├── win_security_member_added_security_enabled_global_group.yml │ │ │ │ ├── win_security_member_removed_security_enabled_global_group.yml │ │ │ │ ├── win_security_overpass_the_hash.yml │ │ │ │ ├── win_security_pass_the_hash_2.yml │ │ │ │ ├── win_security_rdp_localhost_login.yml │ │ │ │ ├── win_security_security_enabled_global_group_deleted.yml │ │ │ │ ├── win_security_successful_external_remote_rdp_login.yml │ │ │ │ ├── win_security_successful_external_remote_smb_login.yml │ │ │ │ ├── win_security_susp_failed_logon_source.yml │ │ │ │ ├── win_security_susp_logon_newcredentials.yml │ │ │ │ ├── win_security_susp_privesc_kerberos_relay_over_ldap.yml │ │ │ │ ├── win_security_susp_rottenpotato.yml │ │ │ │ └── win_security_susp_wmi_login.yml │ │ │ ├── object_access/ │ │ │ │ └── win_security_wfp_endpoint_agent_blocked.yml │ │ │ ├── win_security_aadhealth_mon_agent_regkey_access.yml │ │ │ ├── win_security_aadhealth_svc_agent_regkey_access.yml │ │ │ ├── win_security_account_backdoor_dcsync_rights.yml │ │ │ ├── win_security_account_discovery.yml │ │ │ ├── win_security_ad_object_writedac_access.yml │ │ │ ├── win_security_ad_replication_non_machine_account.yml │ │ │ ├── win_security_ad_user_enumeration.yml │ │ │ ├── win_security_adcs_certificate_template_configuration_vulnerability.yml │ │ │ ├── win_security_adcs_certificate_template_configuration_vulnerability_eku.yml │ │ │ ├── win_security_add_remove_computer.yml │ │ │ ├── win_security_admin_share_access.yml │ │ │ ├── win_security_alert_active_directory_user_control.yml │ │ │ ├── win_security_alert_ad_user_backdoors.yml │ │ │ ├── win_security_alert_enable_weak_encryption.yml │ │ │ ├── win_security_alert_ruler.yml │ │ │ 
├── win_security_atsvc_task.yml │ │ │ ├── win_security_audit_log_cleared.yml │ │ │ ├── win_security_camera_microphone_access.yml │ │ │ ├── win_security_cobaltstrike_service_installs.yml │ │ │ ├── win_security_codeintegrity_check_failure.yml │ │ │ ├── win_security_dce_rpc_smb_spoolss_named_pipe.yml │ │ │ ├── win_security_dcom_iertutil_dll_hijack.yml │ │ │ ├── win_security_dcsync.yml │ │ │ ├── win_security_default_domain_gpo_modification.yml │ │ │ ├── win_security_device_installation_blocked.yml │ │ │ ├── win_security_disable_event_auditing.yml │ │ │ ├── win_security_disable_event_auditing_critical.yml │ │ │ ├── win_security_dot_net_etw_tamper.yml │ │ │ ├── win_security_dpapi_domain_backupkey_extraction.yml │ │ │ ├── win_security_dpapi_domain_masterkey_backup_attempt.yml │ │ │ ├── win_security_external_device.yml │ │ │ ├── win_security_gpo_scheduledtasks.yml │ │ │ ├── win_security_hidden_user_creation.yml │ │ │ ├── win_security_hktl_edr_silencer.yml │ │ │ ├── win_security_hktl_nofilter.yml │ │ │ ├── win_security_hybridconnectionmgr_svc_installation.yml │ │ │ ├── win_security_impacket_psexec.yml │ │ │ ├── win_security_impacket_secretdump.yml │ │ │ ├── win_security_invoke_obfuscation_clip_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_obfuscated_iex_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_stdin_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_var_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_compress_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_rundll_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_stdin_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_use_clip_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_use_mshta_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_use_rundll32_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_var_services_security.yml │ │ │ ├── 
win_security_iso_mount.yml │ │ │ ├── win_security_kerberoasting_activity.yml │ │ │ ├── win_security_kerberos_asrep_roasting.yml │ │ │ ├── win_security_kerberos_coercion_via_dns_object.yml │ │ │ ├── win_security_lm_namedpipe.yml │ │ │ ├── win_security_lsass_access_non_system_account.yml │ │ │ ├── win_security_mal_creddumper.yml │ │ │ ├── win_security_mal_wceaux_dll.yml │ │ │ ├── win_security_metasploit_authentication.yml │ │ │ ├── win_security_metasploit_or_impacket_smb_psexec_service_install.yml │ │ │ ├── win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml │ │ │ ├── win_security_net_ntlm_downgrade.yml │ │ │ ├── win_security_net_share_obj_susp_desktop_ini.yml │ │ │ ├── win_security_new_or_renamed_user_account_with_dollar_sign.yml │ │ │ ├── win_security_not_allowed_rdp_access.yml │ │ │ ├── win_security_password_policy_enumerated.yml │ │ │ ├── win_security_pcap_drivers.yml │ │ │ ├── win_security_petitpotam_network_share.yml │ │ │ ├── win_security_petitpotam_susp_tgt_request.yml │ │ │ ├── win_security_possible_dc_shadow.yml │ │ │ ├── win_security_powershell_script_installed_as_service.yml │ │ │ ├── win_security_protected_storage_service_access.yml │ │ │ ├── win_security_rdp_reverse_tunnel.yml │ │ │ ├── win_security_register_new_logon_process_by_rubeus.yml │ │ │ ├── win_security_registry_permissions_weakness_check.yml │ │ │ ├── win_security_remote_powershell_session.yml │ │ │ ├── win_security_replay_attack_detected.yml │ │ │ ├── win_security_sam_registry_hive_handle_request.yml │ │ │ ├── win_security_scm_database_handle_failure.yml │ │ │ ├── win_security_scm_database_privileged_operation.yml │ │ │ ├── win_security_sdelete_potential_secure_deletion.yml │ │ │ ├── win_security_service_install_remote_access_software.yml │ │ │ ├── win_security_service_installation_by_unusal_client.yml │ │ │ ├── win_security_signal_sensitive_config_access.yml │ │ │ ├── win_security_smb_file_creation_admin_shares.yml │ │ │ ├── win_security_susp_add_domain_trust.yml │ │ │ ├── 
win_security_susp_add_sid_history.yml │ │ │ ├── win_security_susp_computer_name.yml │ │ │ ├── win_security_susp_dsrm_password_change.yml │ │ │ ├── win_security_susp_failed_logon_reasons.yml │ │ │ ├── win_security_susp_group_policy_abuse_privilege_addition.yml │ │ │ ├── win_security_susp_group_policy_startup_script_added_to_gpo.yml │ │ │ ├── win_security_susp_kerberos_manipulation.yml │ │ │ ├── win_security_susp_ldap_dataexchange.yml │ │ │ ├── win_security_susp_local_anon_logon_created.yml │ │ │ ├── win_security_susp_logon_explicit_credentials.yml │ │ │ ├── win_security_susp_lsass_dump.yml │ │ │ ├── win_security_susp_lsass_dump_generic.yml │ │ │ ├── win_security_susp_net_recon_activity.yml │ │ │ ├── win_security_susp_opened_encrypted_zip.yml │ │ │ ├── win_security_susp_opened_encrypted_zip_filename.yml │ │ │ ├── win_security_susp_opened_encrypted_zip_outlook.yml │ │ │ ├── win_security_susp_outbound_kerberos_connection.yml │ │ │ ├── win_security_susp_possible_shadow_credentials_added.yml │ │ │ ├── win_security_susp_psexec.yml │ │ │ ├── win_security_susp_raccess_sensitive_fext.yml │ │ │ ├── win_security_susp_rc4_kerberos.yml │ │ │ ├── win_security_susp_scheduled_task_creation.yml │ │ │ ├── win_security_susp_scheduled_task_delete_or_disable.yml │ │ │ ├── win_security_susp_scheduled_task_update.yml │ │ │ ├── win_security_susp_time_modification.yml │ │ │ ├── win_security_svcctl_remote_service.yml │ │ │ ├── win_security_syskey_registry_access.yml │ │ │ ├── win_security_sysmon_channel_reference_deletion.yml │ │ │ ├── win_security_tap_driver_installation.yml │ │ │ ├── win_security_teams_suspicious_objectaccess.yml │ │ │ ├── win_security_transf_files_with_cred_data_via_network_shares.yml │ │ │ ├── win_security_user_added_to_local_administrators.yml │ │ │ ├── win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml │ │ │ ├── win_security_user_creation.yml │ │ │ ├── win_security_user_driver_loaded.yml │ │ │ ├── win_security_user_logoff.yml │ │ │ ├── 
win_security_vssaudit_secevent_source_registration.yml │ │ │ ├── win_security_windows_defender_exclusions_registry_modified.yml │ │ │ ├── win_security_windows_defender_exclusions_write_access.yml │ │ │ ├── win_security_wmi_persistence.yml │ │ │ ├── win_security_wmiprvse_wbemcomn_dll_hijack.yml │ │ │ └── win_security_workstation_was_locked.yml │ │ ├── security_mitigations/ │ │ │ ├── win_security_mitigations_defender_load_unsigned_dll.yml │ │ │ └── win_security_mitigations_unsigned_dll_from_susp_location.yml │ │ ├── servicebus/ │ │ │ └── win_hybridconnectionmgr_svc_running.yml │ │ ├── shell_core/ │ │ │ └── win_shell_core_susp_packages_installed.yml │ │ ├── smbclient/ │ │ │ └── security/ │ │ │ └── win_smbclient_security_susp_failed_guest_logon.yml │ │ ├── smbserver/ │ │ │ └── connectivity/ │ │ │ └── win_smbserver_connectivity_unsigned_and_unencrypted_share_connection.yml │ │ ├── system/ │ │ │ ├── application_popup/ │ │ │ │ └── win_system_application_sysmon_crash.yml │ │ │ ├── lsasrv/ │ │ │ │ └── win_system_lsasrv_ntlmv1.yml │ │ │ ├── microsoft_windows_Iphlpsvc/ │ │ │ │ └── win_system_isatap_router_address_set.yml │ │ │ ├── microsoft_windows_certification_authority/ │ │ │ │ └── win_system_adcs_enrollment_request_denied.yml │ │ │ ├── microsoft_windows_dhcp_server/ │ │ │ │ ├── win_system_susp_dhcp_config.yml │ │ │ │ └── win_system_susp_dhcp_config_failed.yml │ │ │ ├── microsoft_windows_distributed_com/ │ │ │ │ └── win_system_lpe_indicators_tabtip.yml │ │ │ ├── microsoft_windows_eventlog/ │ │ │ │ ├── win_system_eventlog_cleared.yml │ │ │ │ └── win_system_susp_eventlog_cleared.yml │ │ │ ├── microsoft_windows_kerberos_key_distribution_center/ │ │ │ │ ├── win_system_kdcsvc_cert_use_no_strong_mapping.yml │ │ │ │ └── win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml │ │ │ ├── microsoft_windows_kernel_general/ │ │ │ │ └── win_system_susp_critical_hive_location_access_bits_cleared.yml │ │ │ ├── microsoft_windows_ntfs/ │ │ │ │ └── win_system_volume_shadow_copy_mount.yml 
│ │ │ ├── microsoft_windows_wer_systemerrorreporting/ │ │ │ │ └── win_system_crash_dump_created.yml │ │ │ ├── microsoft_windows_windows_update_client/ │ │ │ │ └── win_system_susp_system_update_error.yml │ │ │ ├── netlogon/ │ │ │ │ ├── win_system_possible_zerologon_exploitation_using_wellknown_tools.yml │ │ │ │ └── win_system_vul_cve_2020_1472.yml │ │ │ ├── ntfs/ │ │ │ │ └── win_system_ntfs_vuln_exploit.yml │ │ │ └── service_control_manager/ │ │ │ ├── win_system_cobaltstrike_service_installs.yml │ │ │ ├── win_system_defender_disabled.yml │ │ │ ├── win_system_hack_smbexec.yml │ │ │ ├── win_system_invoke_obfuscation_clip_services.yml │ │ │ ├── win_system_invoke_obfuscation_obfuscated_iex_services.yml │ │ │ ├── win_system_invoke_obfuscation_stdin_services.yml │ │ │ ├── win_system_invoke_obfuscation_var_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_compress_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_rundll_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_stdin_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_use_clip_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_use_mshta_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_use_rundll32_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_var_services.yml │ │ │ ├── win_system_krbrelayup_service_installation.yml │ │ │ ├── win_system_mal_creddumper.yml │ │ │ ├── win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml │ │ │ ├── win_system_moriya_rootkit.yml │ │ │ ├── win_system_powershell_script_installed_as_service.yml │ │ │ ├── win_system_service_install_anydesk.yml │ │ │ ├── win_system_service_install_csexecsvc.yml │ │ │ ├── win_system_service_install_hacktools.yml │ │ │ ├── win_system_service_install_mesh_agent.yml │ │ │ ├── win_system_service_install_netsupport_manager.yml │ │ │ ├── win_system_service_install_paexec.yml │ │ │ ├── win_system_service_install_pdqdeploy.yml │ │ │ ├── win_system_service_install_pdqdeploy_runner.yml │ │ │ ├── 
win_system_service_install_pua_proceshacker.yml │ │ │ ├── win_system_service_install_remcom.yml │ │ │ ├── win_system_service_install_remote_access_software.yml │ │ │ ├── win_system_service_install_remote_utilities.yml │ │ │ ├── win_system_service_install_sliver.yml │ │ │ ├── win_system_service_install_sups_unusal_client.yml │ │ │ ├── win_system_service_install_susp.yml │ │ │ ├── win_system_service_install_sysinternals_psexec.yml │ │ │ ├── win_system_service_install_tacticalrmm.yml │ │ │ ├── win_system_service_install_tap_driver.yml │ │ │ ├── win_system_service_install_uncommon.yml │ │ │ ├── win_system_service_terminated_error_generic.yml │ │ │ ├── win_system_service_terminated_error_important.yml │ │ │ ├── win_system_service_terminated_unexpectedly.yml │ │ │ ├── win_system_susp_rtcore64_service_install.yml │ │ │ ├── win_system_susp_service_installation_folder.yml │ │ │ ├── win_system_susp_service_installation_folder_pattern.yml │ │ │ └── win_system_susp_service_installation_script.yml │ │ ├── taskscheduler/ │ │ │ ├── win_taskscheduler_execution_from_susp_locations.yml │ │ │ ├── win_taskscheduler_lolbin_execution_via_task_scheduler.yml │ │ │ └── win_taskscheduler_susp_schtasks_delete.yml │ │ ├── terminalservices/ │ │ │ └── win_terminalservices_rdp_ngrok.yml │ │ ├── win_alert_mimikatz_keywords.yml │ │ ├── windefend/ │ │ │ ├── win_defender_antimalware_platform_expired.yml │ │ │ ├── win_defender_asr_lsass_access.yml │ │ │ ├── win_defender_asr_psexec_wmi.yml │ │ │ ├── win_defender_config_change_exclusion_added.yml │ │ │ ├── win_defender_config_change_exploit_guard_tamper.yml │ │ │ ├── win_defender_config_change_sample_submission_consent.yml │ │ │ ├── win_defender_history_delete.yml │ │ │ ├── win_defender_malware_and_pua_scan_disabled.yml │ │ │ ├── win_defender_malware_detected_amsi_source.yml │ │ │ ├── win_defender_real_time_protection_disabled.yml │ │ │ ├── win_defender_real_time_protection_errors.yml │ │ │ ├── win_defender_restored_quarantine_file.yml │ │ │ ├── 
win_defender_suspicious_features_tampering.yml │ │ │ ├── win_defender_tamper_protection_trigger.yml │ │ │ ├── win_defender_threat.yml │ │ │ └── win_defender_virus_scan_disabled.yml │ │ └── wmi/ │ │ └── win_wmi_persistence.yml │ ├── create_remote_thread/ │ │ ├── create_remote_thread_win_hktl_cactustorch.yml │ │ ├── create_remote_thread_win_hktl_cobaltstrike.yml │ │ ├── create_remote_thread_win_keepass.yml │ │ ├── create_remote_thread_win_mstsc_susp_location.yml │ │ ├── create_remote_thread_win_powershell_lsass.yml │ │ ├── create_remote_thread_win_powershell_susp_targets.yml │ │ ├── create_remote_thread_win_susp_password_dumper_lsass.yml │ │ ├── create_remote_thread_win_susp_relevant_source_image.yml │ │ ├── create_remote_thread_win_susp_uncommon_source_image.yml │ │ ├── create_remote_thread_win_susp_uncommon_target_image.yml │ │ └── create_remote_thread_win_ttdinjec.yml │ ├── create_stream_hash/ │ │ ├── create_stream_hash_ads_executable.yml │ │ ├── create_stream_hash_creation_internet_file.yml │ │ ├── create_stream_hash_file_sharing_domains_download_susp_extension.yml │ │ ├── create_stream_hash_file_sharing_domains_download_unusual_extension.yml │ │ ├── create_stream_hash_hktl_generic_download.yml │ │ ├── create_stream_hash_regedit_export_to_ads.yml │ │ ├── create_stream_hash_susp_ip_domains.yml │ │ ├── create_stream_hash_winget_susp_package_source.yml │ │ └── create_stream_hash_zip_tld_download.yml │ ├── dns_query/ │ │ ├── dns_query_win_anonymfiles_com.yml │ │ ├── dns_query_win_appinstaller.yml │ │ ├── dns_query_win_cloudflared_communication.yml │ │ ├── dns_query_win_common_malware_hosting_services.yml │ │ ├── dns_query_win_devtunnels_communication.yml │ │ ├── dns_query_win_dns_server_discovery_via_ldap_query.yml │ │ ├── dns_query_win_domain_azurewebsites.yml │ │ ├── dns_query_win_finger.yml │ │ ├── dns_query_win_gup_query_to_uncommon_domains.yml │ │ ├── dns_query_win_hybridconnectionmgr_servicebus.yml │ │ ├── 
dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml │ │ ├── dns_query_win_mal_cobaltstrike.yml │ │ ├── dns_query_win_mega_nz.yml │ │ ├── dns_query_win_onelaunch_update_service.yml │ │ ├── dns_query_win_quickassist.yml │ │ ├── dns_query_win_regsvr32_dns_query.yml │ │ ├── dns_query_win_remote_access_software_domains_non_browsers.yml │ │ ├── dns_query_win_susp_external_ip_lookup.yml │ │ ├── dns_query_win_teamviewer_domain_query_by_uncommon_app.yml │ │ ├── dns_query_win_tor_onion_domain_query.yml │ │ ├── dns_query_win_ufile_io_query.yml │ │ └── dns_query_win_vscode_tunnel_communication.yml │ ├── driver_load/ │ │ ├── driver_load_win_mal_drivers.yml │ │ ├── driver_load_win_mal_drivers_names.yml │ │ ├── driver_load_win_pua_process_hacker.yml │ │ ├── driver_load_win_pua_system_informer.yml │ │ ├── driver_load_win_susp_temp_use.yml │ │ ├── driver_load_win_vuln_drivers.yml │ │ ├── driver_load_win_vuln_drivers_names.yml │ │ ├── driver_load_win_vuln_hevd_driver.yml │ │ ├── driver_load_win_vuln_winring0_driver.yml │ │ └── driver_load_win_windivert.yml │ ├── file/ │ │ ├── file_access/ │ │ │ ├── file_access_win_susp_credential_manager_access.yml │ │ │ ├── file_access_win_susp_credhist.yml │ │ │ ├── file_access_win_susp_crypto_currency_wallets.yml │ │ │ ├── file_access_win_susp_dpapi_master_key_access.yml │ │ │ ├── file_access_win_susp_gpo_files.yml │ │ │ ├── file_access_win_susp_process_access_browser_cred_files.yml │ │ │ └── file_access_win_teams_sensitive_files.yml │ │ ├── file_change/ │ │ │ └── file_change_win_unusual_modification_by_dns_exe.yml │ │ ├── file_delete/ │ │ │ ├── file_delete_win_delete_backup_file.yml │ │ │ ├── file_delete_win_delete_event_log_files.yml │ │ │ ├── file_delete_win_delete_exchange_powershell_logs.yml │ │ │ ├── file_delete_win_delete_iis_access_logs.yml │ │ │ ├── file_delete_win_delete_own_image.yml │ │ │ ├── file_delete_win_delete_powershell_command_history.yml │ │ │ ├── file_delete_win_delete_prefetch.yml │ │ │ ├── 
file_delete_win_delete_teamviewer_logs.yml │ │ │ ├── file_delete_win_delete_tomcat_logs.yml │ │ │ ├── file_delete_win_sysinternals_sdelete_file_deletion.yml │ │ │ ├── file_delete_win_unusual_deletion_by_dns_exe.yml │ │ │ └── file_delete_win_zone_identifier_ads_uncommon.yml │ │ ├── file_event/ │ │ │ ├── file_event_win_adsi_cache_creation_by_uncommon_tool.yml │ │ │ ├── file_event_win_advanced_ip_scanner.yml │ │ │ ├── file_event_win_anydesk_artefact.yml │ │ │ ├── file_event_win_anydesk_writing_susp_binaries.yml │ │ │ ├── file_event_win_arcsoc_susp_file_created.yml │ │ │ ├── file_event_win_aspnet_temp_files.yml │ │ │ ├── file_event_win_bloodhound_collection.yml │ │ │ ├── file_event_win_comodo_itsm_potentially_suspicious_file_creation.yml │ │ │ ├── file_event_win_create_evtx_non_common_locations.yml │ │ │ ├── file_event_win_create_non_existent_dlls.yml │ │ │ ├── file_event_win_creation_deno.yml │ │ │ ├── file_event_win_creation_new_shim_database.yml │ │ │ ├── file_event_win_creation_scr_binary_file.yml │ │ │ ├── file_event_win_creation_system_dll_files.yml │ │ │ ├── file_event_win_creation_system_file.yml │ │ │ ├── file_event_win_creation_unquoted_service_path.yml │ │ │ ├── file_event_win_cred_dump_tools_dropped_files.yml │ │ │ ├── file_event_win_cscript_wscript_dropper.yml │ │ │ ├── file_event_win_csexec_service.yml │ │ │ ├── file_event_win_csharp_compile_artefact.yml │ │ │ ├── file_event_win_dcom_iertutil_dll_hijack.yml │ │ │ ├── file_event_win_desktop_ini_created_by_uncommon_process.yml │ │ │ ├── file_event_win_dll_sideloading_space_path.yml │ │ │ ├── file_event_win_dump_file_susp_creation.yml │ │ │ ├── file_event_win_errorhandler_persistence.yml │ │ │ ├── file_event_win_exchange_webshell_drop.yml │ │ │ ├── file_event_win_exchange_webshell_drop_suspicious.yml │ │ │ ├── file_event_win_gotoopener_artefact.yml │ │ │ ├── file_event_win_gup_uncommon_file_creation.yml │ │ │ ├── file_event_win_hktl_crackmapexec_indicators.yml │ │ │ ├── file_event_win_hktl_dumpert.yml │ │ │ 
├── file_event_win_hktl_hivenightmare_file_exports.yml │ │ │ ├── file_event_win_hktl_inveigh_artefacts.yml │ │ │ ├── file_event_win_hktl_krbrelay_remote_ioc.yml │ │ │ ├── file_event_win_hktl_mimikatz_files.yml │ │ │ ├── file_event_win_hktl_nppspy.yml │ │ │ ├── file_event_win_hktl_powerup_dllhijacking.yml │ │ │ ├── file_event_win_hktl_quarkspw_filedump.yml │ │ │ ├── file_event_win_hktl_remote_cred_dump.yml │ │ │ ├── file_event_win_hktl_safetykatz.yml │ │ │ ├── file_event_win_impacket_file_indicators.yml │ │ │ ├── file_event_win_initial_access_dll_search_order_hijacking.yml │ │ │ ├── file_event_win_install_teamviewer_desktop.yml │ │ │ ├── file_event_win_iphlpapi_dll_sideloading.yml │ │ │ ├── file_event_win_iso_file_mount.yml │ │ │ ├── file_event_win_iso_file_recent.yml │ │ │ ├── file_event_win_lolbin_gather_network_info_script_output.yml │ │ │ ├── file_event_win_lsass_default_dump_file_names.yml │ │ │ ├── file_event_win_lsass_shtinkering.yml │ │ │ ├── file_event_win_lsass_werfault_dump.yml │ │ │ ├── file_event_win_mal_adwind.yml │ │ │ ├── file_event_win_mal_octopus_scanner.yml │ │ │ ├── file_event_win_msdt_susp_directories.yml │ │ │ ├── file_event_win_mysqld_uncommon_file_creation.yml │ │ │ ├── file_event_win_net_cli_artefact.yml │ │ │ ├── file_event_win_new_files_in_uncommon_appdata_folder.yml │ │ │ ├── file_event_win_new_scr_file.yml │ │ │ ├── file_event_win_notepad_plus_plus_persistence.yml │ │ │ ├── file_event_win_ntds_dit_creation.yml │ │ │ ├── file_event_win_ntds_dit_uncommon_parent_process.yml │ │ │ ├── file_event_win_ntds_dit_uncommon_process.yml │ │ │ ├── file_event_win_ntds_exfil_tools.yml │ │ │ ├── file_event_win_office_addin_persistence.yml │ │ │ ├── file_event_win_office_macro_files_created.yml │ │ │ ├── file_event_win_office_macro_files_downloaded.yml │ │ │ ├── file_event_win_office_macro_files_from_susp_process.yml │ │ │ ├── file_event_win_office_onenote_files_in_susp_locations.yml │ │ │ ├── file_event_win_office_onenote_susp_dropped_files.yml │ │ │ 
├── file_event_win_office_outlook_macro_creation.yml │ │ │ ├── file_event_win_office_outlook_newform.yml │ │ │ ├── file_event_win_office_outlook_susp_file_creation_in_temp_dir.yml │ │ │ ├── file_event_win_office_outlook_susp_macro_creation.yml │ │ │ ├── file_event_win_office_publisher_files_in_susp_locations.yml │ │ │ ├── file_event_win_office_startup_persistence.yml │ │ │ ├── file_event_win_office_susp_file_extension.yml │ │ │ ├── file_event_win_office_uncommon_file_startup.yml │ │ │ ├── file_event_win_pcre_net_temp_file.yml │ │ │ ├── file_event_win_perflogs_susp_files.yml │ │ │ ├── file_event_win_powershell_drop_binary_or_script.yml │ │ │ ├── file_event_win_powershell_drop_powershell.yml │ │ │ ├── file_event_win_powershell_exploit_scripts.yml │ │ │ ├── file_event_win_powershell_module_creation.yml │ │ │ ├── file_event_win_powershell_module_susp_creation.yml │ │ │ ├── file_event_win_powershell_module_uncommon_creation.yml │ │ │ ├── file_event_win_powershell_startup_shortcuts.yml │ │ │ ├── file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml │ │ │ ├── file_event_win_rclone_config_files.yml │ │ │ ├── file_event_win_rdp_file_susp_creation.yml │ │ │ ├── file_event_win_redmimicry_winnti_filedrop.yml │ │ │ ├── file_event_win_regedit_print_as_pdf.yml │ │ │ ├── file_event_win_remcom_service.yml │ │ │ ├── file_event_win_remote_access_tools_screenconnect_artefact.yml │ │ │ ├── file_event_win_remote_access_tools_screenconnect_remote_file.yml │ │ │ ├── file_event_win_ripzip_attack.yml │ │ │ ├── file_event_win_sam_dump.yml │ │ │ ├── file_event_win_sed_file_creation.yml │ │ │ ├── file_event_win_shell_write_susp_directory.yml │ │ │ ├── file_event_win_shell_write_susp_files_extensions.yml │ │ │ ├── file_event_win_startup_folder_file_write.yml │ │ │ ├── file_event_win_susp_colorcpl.yml │ │ │ ├── file_event_win_susp_creation_by_mobsync.yml │ │ │ ├── file_event_win_susp_default_gpo_dir_write.yml │ │ │ ├── file_event_win_susp_desktop_txt.yml │ │ │ ├── 
file_event_win_susp_desktopimgdownldr_file.yml │ │ │ ├── file_event_win_susp_diagcab.yml │ │ │ ├── file_event_win_susp_double_extension.yml │ │ │ ├── file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml │ │ │ ├── file_event_win_susp_exchange_aspx_write.yml │ │ │ ├── file_event_win_susp_executable_creation.yml │ │ │ ├── file_event_win_susp_file_write_in_webapps_root.yml │ │ │ ├── file_event_win_susp_filewrite_in_sharepoint_layouts_dir.yml │ │ │ ├── file_event_win_susp_get_variable.yml │ │ │ ├── file_event_win_susp_hidden_dir_index_allocation.yml │ │ │ ├── file_event_win_susp_homoglyph_filename.yml │ │ │ ├── file_event_win_susp_legitimate_app_dropping_archive.yml │ │ │ ├── file_event_win_susp_legitimate_app_dropping_exe.yml │ │ │ ├── file_event_win_susp_legitimate_app_dropping_in_uncommon_location.yml │ │ │ ├── file_event_win_susp_legitimate_app_dropping_script.yml │ │ │ ├── file_event_win_susp_lnk_double_extension.yml │ │ │ ├── file_event_win_susp_powershell_profile.yml │ │ │ ├── file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml │ │ │ ├── file_event_win_susp_public_folder_extension.yml │ │ │ ├── file_event_win_susp_recycle_bin_fake_exec.yml │ │ │ ├── file_event_win_susp_right_to_left_override_extension_spoofing.yml │ │ │ ├── file_event_win_susp_spool_drivers_color_drop.yml │ │ │ ├── file_event_win_susp_startup_folder_persistence.yml │ │ │ ├── file_event_win_susp_system_interactive_powershell.yml │ │ │ ├── file_event_win_susp_task_write.yml │ │ │ ├── file_event_win_susp_teamviewer_remote_session.yml │ │ │ ├── file_event_win_susp_vscode_powershell_profile.yml │ │ │ ├── file_event_win_susp_wdac_policy_creation.yml │ │ │ ├── file_event_win_susp_windows_terminal_profile.yml │ │ │ ├── file_event_win_susp_winsxs_binary_creation.yml │ │ │ ├── file_event_win_sysinternals_adexplorer_dump_written.yml │ │ │ ├── file_event_win_sysinternals_livekd_default_dump_name.yml │ │ │ ├── file_event_win_sysinternals_livekd_driver.yml │ │ │ ├── 
file_event_win_sysinternals_livekd_driver_susp_creation.yml │ │ │ ├── file_event_win_sysinternals_procexp_driver_susp_creation.yml │ │ │ ├── file_event_win_sysinternals_procmon_driver_susp_creation.yml │ │ │ ├── file_event_win_sysinternals_psexec_service.yml │ │ │ ├── file_event_win_sysinternals_psexec_service_key.yml │ │ │ ├── file_event_win_system32_local_folder_privilege_escalation.yml │ │ │ ├── file_event_win_taskmgr_lsass_dump.yml │ │ │ ├── file_event_win_tsclient_filewrite_startup.yml │ │ │ ├── file_event_win_uac_bypass_consent_comctl32.yml │ │ │ ├── file_event_win_uac_bypass_dotnet_profiler.yml │ │ │ ├── file_event_win_uac_bypass_eventvwr.yml │ │ │ ├── file_event_win_uac_bypass_idiagnostic_profile.yml │ │ │ ├── file_event_win_uac_bypass_ieinstal.yml │ │ │ ├── file_event_win_uac_bypass_msconfig_gui.yml │ │ │ ├── file_event_win_uac_bypass_ntfs_reparse_point.yml │ │ │ ├── file_event_win_uac_bypass_winsat.yml │ │ │ ├── file_event_win_uac_bypass_wmp.yml │ │ │ ├── file_event_win_vhd_download_via_browsers.yml │ │ │ ├── file_event_win_vscode_tunnel_remote_creation_artefacts.yml │ │ │ ├── file_event_win_vscode_tunnel_renamed_execution.yml │ │ │ ├── file_event_win_webshell_creation_detect.yml │ │ │ ├── file_event_win_werfault_dll_hijacking.yml │ │ │ ├── file_event_win_winrar_file_creation_in_startup_folder.yml │ │ │ ├── file_event_win_winrm_awl_bypass.yml │ │ │ ├── file_event_win_wmi_persistence_script_event_consumer_write.yml │ │ │ ├── file_event_win_wmiexec_default_filename.yml │ │ │ ├── file_event_win_wmiprvse_wbemcomn_dll_hijack.yml │ │ │ ├── file_event_win_wpbbin_persistence.yml │ │ │ └── file_event_win_writing_local_admin_share.yml │ │ ├── file_executable_detected/ │ │ │ └── file_executable_detected_win_susp_embeded_sed_file.yml │ │ └── file_rename/ │ │ └── file_rename_win_ransomware.yml │ ├── image_load/ │ │ ├── image_load_clfs_load.yml │ │ ├── image_load_cmstp_load_dll_from_susp_location.yml │ │ ├── image_load_dll_amsi_suspicious_process.yml │ │ ├── 
image_load_dll_azure_microsoft_account_token_provider_dll_load.yml │ │ ├── image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml │ │ ├── image_load_dll_credui_uncommon_process_load.yml │ │ ├── image_load_dll_dbghelp_dbgcore_unsigned_load.yml │ │ ├── image_load_dll_pcre_dotnet_dll_load.yml │ │ ├── image_load_dll_rstrtmgr_suspicious_load.yml │ │ ├── image_load_dll_rstrtmgr_uncommon_load.yml │ │ ├── image_load_dll_sdiageng_load_by_msdt.yml │ │ ├── image_load_dll_system_management_automation_susp_load.yml │ │ ├── image_load_dll_tttracer_module_load.yml │ │ ├── image_load_dll_unsigned_node_load.yml │ │ ├── image_load_dll_vss_ps_susp_load.yml │ │ ├── image_load_dll_vssapi_susp_load.yml │ │ ├── image_load_dll_vsstrace_susp_load.yml │ │ ├── image_load_hktl_sharpevtmute.yml │ │ ├── image_load_hktl_silenttrinity_stager.yml │ │ ├── image_load_iexplore_dcom_iertutil_dll_hijack.yml │ │ ├── image_load_lsass_unsigned_image_load.yml │ │ ├── image_load_office_dotnet_assembly_dll_load.yml │ │ ├── image_load_office_dotnet_clr_dll_load.yml │ │ ├── image_load_office_dotnet_gac_dll_load.yml │ │ ├── image_load_office_excel_xll_susp_load.yml │ │ ├── image_load_office_outlook_outlvba_load.yml │ │ ├── image_load_office_powershell_dll_load.yml │ │ ├── image_load_office_vbadll_load.yml │ │ ├── image_load_rundll32_remote_share_load.yml │ │ ├── image_load_scrcons_wmi_scripteventconsumer.yml │ │ ├── image_load_side_load_7za.yml │ │ ├── image_load_side_load_abused_dlls_susp_paths.yml │ │ ├── image_load_side_load_antivirus.yml │ │ ├── image_load_side_load_appverifui.yml │ │ ├── image_load_side_load_aruba_networks_virtual_intranet_access.yml │ │ ├── image_load_side_load_avkkid.yml │ │ ├── image_load_side_load_ccleaner_du.yml │ │ ├── image_load_side_load_ccleaner_reactivator.yml │ │ ├── image_load_side_load_chrome_frame_helper.yml │ │ ├── image_load_side_load_classicexplorer32.yml │ │ ├── image_load_side_load_comctl32.yml │ │ ├── image_load_side_load_coregen.yml │ │ ├── 
image_load_side_load_cpl_from_non_system_location.yml │ │ ├── image_load_side_load_dbgcore.yml │ │ ├── image_load_side_load_dbghelp.yml │ │ ├── image_load_side_load_dbgmodel.yml │ │ ├── image_load_side_load_eacore.yml │ │ ├── image_load_side_load_edputil.yml │ │ ├── image_load_side_load_from_non_system_location.yml │ │ ├── image_load_side_load_goopdate.yml │ │ ├── image_load_side_load_gup_libcurl.yml │ │ ├── image_load_side_load_iviewers.yml │ │ ├── image_load_side_load_jli.yml │ │ ├── image_load_side_load_jsschhlp.yml │ │ ├── image_load_side_load_keyscrambler.yml │ │ ├── image_load_side_load_libvlc.yml │ │ ├── image_load_side_load_mfdetours.yml │ │ ├── image_load_side_load_mfdetours_unsigned.yml │ │ ├── image_load_side_load_mpsvc.yml │ │ ├── image_load_side_load_mscorsvc.yml │ │ ├── image_load_side_load_non_existent_dlls.yml │ │ ├── image_load_side_load_office_dlls.yml │ │ ├── image_load_side_load_python.yml │ │ ├── image_load_side_load_rcdll.yml │ │ ├── image_load_side_load_rjvplatform_default_location.yml │ │ ├── image_load_side_load_rjvplatform_non_default_location.yml │ │ ├── image_load_side_load_robform.yml │ │ ├── image_load_side_load_shell_chrome_api.yml │ │ ├── image_load_side_load_shelldispatch.yml │ │ ├── image_load_side_load_smadhook.yml │ │ ├── image_load_side_load_solidpdfcreator.yml │ │ ├── image_load_side_load_third_party.yml │ │ ├── image_load_side_load_ualapi.yml │ │ ├── image_load_side_load_vivaldi_elf.yml │ │ ├── image_load_side_load_vmguestlib.yml │ │ ├── image_load_side_load_vmmap_dbghelp_signed.yml │ │ ├── image_load_side_load_vmmap_dbghelp_unsigned.yml │ │ ├── image_load_side_load_vmware_xfer.yml │ │ ├── image_load_side_load_waveedit.yml │ │ ├── image_load_side_load_wazuh.yml │ │ ├── image_load_side_load_windows_defender.yml │ │ ├── image_load_side_load_wwlib.yml │ │ ├── image_load_susp_baaupdate_dll_load.yml │ │ ├── image_load_susp_clickonce_unsigned_module_loaded.yml │ │ ├── image_load_susp_dll_load_system_process.yml │ │ ├── 
image_load_susp_python_image_load.yml │ │ ├── image_load_susp_script_dotnet_clr_dll_load.yml │ │ ├── image_load_susp_unsigned_dll.yml │ │ ├── image_load_thor_unsigned_execution.yml │ │ ├── image_load_uac_bypass_iscsicpl.yml │ │ ├── image_load_uac_bypass_via_dism.yml │ │ ├── image_load_win_mmc_loads_script_engine_dll.yml │ │ ├── image_load_win_susp_dbgcore_dbghelp_load.yml │ │ ├── image_load_win_trusted_path_bypass.yml │ │ ├── image_load_wmi_persistence_commandline_event_consumer.yml │ │ ├── image_load_wmic_remote_xsl_scripting_dlls.yml │ │ ├── image_load_wmiprvse_wbemcomn_dll_hijack.yml │ │ └── image_load_wsman_provider_image_load.yml │ ├── network_connection/ │ │ ├── net_connection_win_addinutil_initiated.yml │ │ ├── net_connection_win_adws_unusual_connection.yml │ │ ├── net_connection_win_certutil_initiated_connection.yml │ │ ├── net_connection_win_cmstp_initiated_connection.yml │ │ ├── net_connection_win_dialer_initiated_connection.yml │ │ ├── net_connection_win_domain_azurewebsites.yml │ │ ├── net_connection_win_domain_btunnels.yml │ │ ├── net_connection_win_domain_cloudflared_communication.yml │ │ ├── net_connection_win_domain_crypto_mining_pools.yml │ │ ├── net_connection_win_domain_dead_drop_resolvers.yml │ │ ├── net_connection_win_domain_devtunnels.yml │ │ ├── net_connection_win_domain_dropbox_api.yml │ │ ├── net_connection_win_domain_external_ip_lookup.yml │ │ ├── net_connection_win_domain_google_api_non_browser_access.yml │ │ ├── net_connection_win_domain_localtonet_tunnel.yml │ │ ├── net_connection_win_domain_mega_nz.yml │ │ ├── net_connection_win_domain_ngrok.yml │ │ ├── net_connection_win_domain_ngrok_tunnel.yml │ │ ├── net_connection_win_domain_notion_api_susp_communication.yml │ │ ├── net_connection_win_domain_portmap.yml │ │ ├── net_connection_win_domain_telegram_api_non_browser_access.yml │ │ ├── net_connection_win_domain_vscode_tunnel_connection.yml │ │ ├── net_connection_win_eqnedt.yml │ │ ├── net_connection_win_finger.yml │ │ ├── 
net_connection_win_imewdbld.yml │ │ ├── net_connection_win_notepad.yml │ │ ├── net_connection_win_office_outbound_non_local_ip.yml │ │ ├── net_connection_win_office_uncommon_ports.yml │ │ ├── net_connection_win_python.yml │ │ ├── net_connection_win_rdp_outbound_over_non_standard_tools.yml │ │ ├── net_connection_win_rdp_reverse_tunnel.yml │ │ ├── net_connection_win_rdp_to_http.yml │ │ ├── net_connection_win_regasm_network_activity.yml │ │ ├── net_connection_win_regsvr32_network_activity.yml │ │ ├── net_connection_win_remote_access_tools_anydesk_incoming_connection.yml │ │ ├── net_connection_win_rundll32_net_connections.yml │ │ ├── net_connection_win_silenttrinity_stager_msbuild_activity.yml │ │ ├── net_connection_win_susp_binary_no_cmdline.yml │ │ ├── net_connection_win_susp_file_sharing_domains_susp_folders.yml │ │ ├── net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml │ │ ├── net_connection_win_susp_malware_callback_port.yml │ │ ├── net_connection_win_susp_malware_callback_ports_uncommon.yml │ │ ├── net_connection_win_susp_outbound_kerberos_connection.yml │ │ ├── net_connection_win_susp_outbound_mobsync_connection.yml │ │ ├── net_connection_win_susp_outbound_smtp_connections.yml │ │ ├── net_connection_win_susp_remote_powershell_session.yml │ │ ├── net_connection_win_winlogon_net_connections.yml │ │ ├── net_connection_win_wordpad_uncommon_ports.yml │ │ ├── net_connection_win_wscript_cscript_local_connection.yml │ │ ├── net_connection_win_wscript_cscript_outbound_connection.yml │ │ └── net_connection_win_wuauclt_network_connection.yml │ ├── pipe_created/ │ │ ├── pipe_created_adfs_namedpipe_connection_uncommon_tool.yml │ │ ├── pipe_created_hktl_cobaltstrike.yml │ │ ├── pipe_created_hktl_cobaltstrike_re.yml │ │ ├── pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml │ │ ├── pipe_created_hktl_coercedpotato.yml │ │ ├── pipe_created_hktl_diagtrack_eop.yml │ │ ├── pipe_created_hktl_efspotato.yml │ │ ├── 
pipe_created_hktl_generic_cred_dump_tools_pipes.yml │ │ ├── pipe_created_hktl_koh_default_pipe.yml │ │ ├── pipe_created_powershell_alternate_host_pipe.yml │ │ ├── pipe_created_powershell_execution_pipe.yml │ │ ├── pipe_created_pua_csexec_default_pipe.yml │ │ ├── pipe_created_pua_paexec_default_pipe.yml │ │ ├── pipe_created_pua_remcom_default_pipe.yml │ │ ├── pipe_created_scrcons_wmi_consumer_namedpipe.yml │ │ ├── pipe_created_susp_malicious_namedpipes.yml │ │ └── pipe_created_sysinternals_psexec_default_pipe_susp_location.yml │ ├── powershell/ │ │ ├── powershell_classic/ │ │ │ ├── posh_pc_abuse_nslookup_with_dns_records.yml │ │ │ ├── posh_pc_delete_volume_shadow_copies.yml │ │ │ ├── posh_pc_downgrade_attack.yml │ │ │ ├── posh_pc_exe_calling_ps.yml │ │ │ ├── posh_pc_powercat.yml │ │ │ ├── posh_pc_remote_powershell_session.yml │ │ │ ├── posh_pc_remotefxvgpudisablement_abuse.yml │ │ │ ├── posh_pc_renamed_powershell.yml │ │ │ ├── posh_pc_susp_download.yml │ │ │ ├── posh_pc_susp_get_nettcpconnection.yml │ │ │ ├── posh_pc_susp_zip_compress.yml │ │ │ ├── posh_pc_tamper_windows_defender_set_mp.yml │ │ │ └── posh_pc_wsman_com_provider_no_powershell.yml │ │ ├── powershell_module/ │ │ │ ├── posh_pm_active_directory_module_dll_import.yml │ │ │ ├── posh_pm_alternate_powershell_hosts.yml │ │ │ ├── posh_pm_bad_opsec_artifacts.yml │ │ │ ├── posh_pm_clear_powershell_history.yml │ │ │ ├── posh_pm_decompress_commands.yml │ │ │ ├── posh_pm_exploit_scripts.yml │ │ │ ├── posh_pm_get_addbaccount.yml │ │ │ ├── posh_pm_get_clipboard.yml │ │ │ ├── posh_pm_hktl_evil_winrm_execution.yml │ │ │ ├── posh_pm_invoke_obfuscation_clip.yml │ │ │ ├── posh_pm_invoke_obfuscation_obfuscated_iex.yml │ │ │ ├── posh_pm_invoke_obfuscation_stdin.yml │ │ │ ├── posh_pm_invoke_obfuscation_var.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_compress.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_rundll.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_stdin.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_use_clip.yml │ │ │ 
├── posh_pm_invoke_obfuscation_via_use_mhsta.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_use_rundll32.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_var.yml │ │ │ ├── posh_pm_malicious_commandlets.yml │ │ │ ├── posh_pm_remote_powershell_session.yml │ │ │ ├── posh_pm_remotefxvgpudisablement_abuse.yml │ │ │ ├── posh_pm_susp_ad_group_reco.yml │ │ │ ├── posh_pm_susp_download.yml │ │ │ ├── posh_pm_susp_get_nettcpconnection.yml │ │ │ ├── posh_pm_susp_invocation_generic.yml │ │ │ ├── posh_pm_susp_invocation_specific.yml │ │ │ ├── posh_pm_susp_local_group_reco.yml │ │ │ ├── posh_pm_susp_reset_computermachinepassword.yml │ │ │ ├── posh_pm_susp_smb_share_reco.yml │ │ │ ├── posh_pm_susp_zip_compress.yml │ │ │ └── posh_pm_syncappvpublishingserver_exe.yml │ │ └── powershell_script/ │ │ ├── posh_ps_aadinternals_cmdlets_execution.yml │ │ ├── posh_ps_access_to_browser_login_data.yml │ │ ├── posh_ps_active_directory_module_dll_import.yml │ │ ├── posh_ps_add_dnsclient_rule.yml │ │ ├── posh_ps_add_windows_capability.yml │ │ ├── posh_ps_adrecon_execution.yml │ │ ├── posh_ps_amsi_bypass_pattern_nov22.yml │ │ ├── posh_ps_amsi_null_bits_bypass.yml │ │ ├── posh_ps_apt_silence_eda.yml │ │ ├── posh_ps_as_rep_roasting.yml │ │ ├── posh_ps_audio_exfiltration.yml │ │ ├── posh_ps_automated_collection.yml │ │ ├── posh_ps_capture_screenshots.yml │ │ ├── posh_ps_clear_powershell_history.yml │ │ ├── posh_ps_clearing_windows_console_history.yml │ │ ├── posh_ps_cmdlet_scheduled_task.yml │ │ ├── posh_ps_computer_discovery_get_adcomputer.yml │ │ ├── posh_ps_copy_item_system_directory.yml │ │ ├── posh_ps_cor_profiler.yml │ │ ├── posh_ps_create_local_user.yml │ │ ├── posh_ps_create_volume_shadow_copy.yml │ │ ├── posh_ps_detect_vm_env.yml │ │ ├── posh_ps_directorysearcher.yml │ │ ├── posh_ps_directoryservices_accountmanagement.yml │ │ ├── posh_ps_disable_psreadline_command_history.yml │ │ ├── posh_ps_disable_windows_optional_feature.yml │ │ ├── posh_ps_dotnet_assembly_from_file.yml │ │ ├── 
posh_ps_download_com_cradles.yml │ │ ├── posh_ps_dsinternals_cmdlets.yml │ │ ├── posh_ps_dump_password_windows_credential_manager.yml │ │ ├── posh_ps_enable_psremoting.yml │ │ ├── posh_ps_enable_susp_windows_optional_feature.yml │ │ ├── posh_ps_enumerate_password_windows_credential_manager.yml │ │ ├── posh_ps_etw_trace_evasion.yml │ │ ├── posh_ps_export_certificate.yml │ │ ├── posh_ps_frombase64string_archive.yml │ │ ├── posh_ps_get_acl_service.yml │ │ ├── posh_ps_get_adcomputer.yml │ │ ├── posh_ps_get_adgroup.yml │ │ ├── posh_ps_get_adreplaccount.yml │ │ ├── posh_ps_get_childitem_bookmarks.yml │ │ ├── posh_ps_get_process_security_software_discovery.yml │ │ ├── posh_ps_hktl_rubeus.yml │ │ ├── posh_ps_hktl_winpwn.yml │ │ ├── posh_ps_hotfix_enum.yml │ │ ├── posh_ps_icmp_exfiltration.yml │ │ ├── posh_ps_import_module_susp_dirs.yml │ │ ├── posh_ps_install_unsigned_appx_packages.yml │ │ ├── posh_ps_invoke_command_remote.yml │ │ ├── posh_ps_invoke_dnsexfiltration.yml │ │ ├── posh_ps_invoke_obfuscation_clip.yml │ │ ├── posh_ps_invoke_obfuscation_obfuscated_iex.yml │ │ ├── posh_ps_invoke_obfuscation_stdin.yml │ │ ├── posh_ps_invoke_obfuscation_var.yml │ │ ├── posh_ps_invoke_obfuscation_via_compress.yml │ │ ├── posh_ps_invoke_obfuscation_via_rundll.yml │ │ ├── posh_ps_invoke_obfuscation_via_stdin.yml │ │ ├── posh_ps_invoke_obfuscation_via_use_clip.yml │ │ ├── posh_ps_invoke_obfuscation_via_use_mhsta.yml │ │ ├── posh_ps_invoke_obfuscation_via_use_rundll32.yml │ │ ├── posh_ps_invoke_obfuscation_via_var.yml │ │ ├── posh_ps_keylogging.yml │ │ ├── posh_ps_localuser.yml │ │ ├── posh_ps_mailboxexport_share.yml │ │ ├── posh_ps_malicious_commandlets.yml │ │ ├── posh_ps_malicious_keywords.yml │ │ ├── posh_ps_memorydump_getstoragediagnosticinfo.yml │ │ ├── posh_ps_modify_group_policy_settings.yml │ │ ├── posh_ps_msxml_com.yml │ │ ├── posh_ps_nishang_malicious_commandlets.yml │ │ ├── posh_ps_ntfs_ads_access.yml │ │ ├── posh_ps_office_comobject_registerxll.yml │ │ ├── 
posh_ps_packet_capture.yml │ │ ├── posh_ps_potential_invoke_mimikatz.yml │ │ ├── posh_ps_potential_unconstrained_delegation_discovery.yml │ │ ├── posh_ps_powershell_web_access_installation.yml │ │ ├── posh_ps_powerview_malicious_commandlets.yml │ │ ├── posh_ps_prompt_credentials.yml │ │ ├── posh_ps_psasyncshell.yml │ │ ├── posh_ps_psattack.yml │ │ ├── posh_ps_remote_session_creation.yml │ │ ├── posh_ps_remotefxvgpudisablement_abuse.yml │ │ ├── posh_ps_request_kerberos_ticket.yml │ │ ├── posh_ps_resolve_list_of_ip_from_file.yml │ │ ├── posh_ps_root_certificate_installed.yml │ │ ├── posh_ps_run_from_mount_diskimage.yml │ │ ├── posh_ps_script_with_upload_capabilities.yml │ │ ├── posh_ps_sensitive_file_discovery.yml │ │ ├── posh_ps_set_acl.yml │ │ ├── posh_ps_set_acl_susp_location.yml │ │ ├── posh_ps_set_policies_to_unsecure_level.yml │ │ ├── posh_ps_shellcode_b64.yml │ │ ├── posh_ps_shellintel_malicious_commandlets.yml │ │ ├── posh_ps_software_discovery.yml │ │ ├── posh_ps_store_file_in_alternate_data_stream.yml │ │ ├── posh_ps_susp_ace_tampering.yml │ │ ├── posh_ps_susp_ad_group_reco.yml │ │ ├── posh_ps_susp_alias_obfscuation.yml │ │ ├── posh_ps_susp_clear_eventlog.yml │ │ ├── posh_ps_susp_directory_enum.yml │ │ ├── posh_ps_susp_download.yml │ │ ├── posh_ps_susp_execute_batch_script.yml │ │ ├── posh_ps_susp_extracting.yml │ │ ├── posh_ps_susp_follina_execution.yml │ │ ├── posh_ps_susp_get_addefaultdomainpasswordpolicy.yml │ │ ├── posh_ps_susp_get_current_user.yml │ │ ├── posh_ps_susp_get_gpo.yml │ │ ├── posh_ps_susp_get_process.yml │ │ ├── posh_ps_susp_getprocess_lsass.yml │ │ ├── posh_ps_susp_gettypefromclsid.yml │ │ ├── posh_ps_susp_hyper_v_condlet.yml │ │ ├── posh_ps_susp_invocation_generic.yml │ │ ├── posh_ps_susp_invocation_specific.yml │ │ ├── posh_ps_susp_invoke_webrequest_useragent.yml │ │ ├── posh_ps_susp_iofilestream.yml │ │ ├── posh_ps_susp_keylogger_activity.yml │ │ ├── posh_ps_susp_keywords.yml │ │ ├── posh_ps_susp_local_group_reco.yml │ │ ├── 
posh_ps_susp_mail_acces.yml │ │ ├── posh_ps_susp_mount_diskimage.yml │ │ ├── posh_ps_susp_mounted_share_deletion.yml │ │ ├── posh_ps_susp_networkcredential.yml │ │ ├── posh_ps_susp_new_psdrive.yml │ │ ├── posh_ps_susp_proxy_scripts.yml │ │ ├── posh_ps_susp_recon_export.yml │ │ ├── posh_ps_susp_remove_adgroupmember.yml │ │ ├── posh_ps_susp_service_dacl_modification_set_service.yml │ │ ├── posh_ps_susp_set_alias.yml │ │ ├── posh_ps_susp_smb_share_reco.yml │ │ ├── posh_ps_susp_ssl_keyword.yml │ │ ├── posh_ps_susp_start_process.yml │ │ ├── posh_ps_susp_unblock_file.yml │ │ ├── posh_ps_susp_wallpaper.yml │ │ ├── posh_ps_susp_win32_pnpentity.yml │ │ ├── posh_ps_susp_win32_shadowcopy_deletion.yml │ │ ├── posh_ps_susp_windowstyle.yml │ │ ├── posh_ps_susp_write_eventlog.yml │ │ ├── posh_ps_susp_zip_compress.yml │ │ ├── posh_ps_syncappvpublishingserver_exe.yml │ │ ├── posh_ps_tamper_windows_defender_rem_mp.yml │ │ ├── posh_ps_tamper_windows_defender_set_mp.yml │ │ ├── posh_ps_test_netconnection.yml │ │ ├── posh_ps_timestomp.yml │ │ ├── posh_ps_user_discovery_get_aduser.yml │ │ ├── posh_ps_user_profile_tampering.yml │ │ ├── posh_ps_using_set_service_to_hide_services.yml │ │ ├── posh_ps_vbscript_registry_modification.yml │ │ ├── posh_ps_veeam_credential_dumping_script.yml │ │ ├── posh_ps_web_request_cmd_and_cmdlets.yml │ │ ├── posh_ps_win32_nteventlogfile_usage.yml │ │ ├── posh_ps_win32_product_install_msi.yml │ │ ├── posh_ps_win_api_susp_access.yml │ │ ├── posh_ps_win_defender_exclusions_added.yml │ │ ├── posh_ps_windows_firewall_profile_disabled.yml │ │ ├── posh_ps_winlogon_helper_dll.yml │ │ ├── posh_ps_wmi_persistence.yml │ │ ├── posh_ps_wmi_unquoted_service_search.yml │ │ ├── posh_ps_wmimplant.yml │ │ ├── posh_ps_x509enrollment.yml │ │ └── posh_ps_xml_iex.yml │ ├── process_access/ │ │ ├── proc_access_win_cmstp_execution_by_access.yml │ │ ├── proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml │ │ ├── proc_access_win_hktl_generic_access.yml │ │ ├── 
proc_access_win_hktl_handlekatz_lsass_access.yml │ │ ├── proc_access_win_hktl_littlecorporal_generated_maldoc.yml │ │ ├── proc_access_win_hktl_sysmonente.yml │ │ ├── proc_access_win_lsass_dump_comsvcs_dll.yml │ │ ├── proc_access_win_lsass_dump_keyword_image.yml │ │ ├── proc_access_win_lsass_memdump.yml │ │ ├── proc_access_win_lsass_python_based_tool.yml │ │ ├── proc_access_win_lsass_remote_access_trough_winrm.yml │ │ ├── proc_access_win_lsass_seclogon_access.yml │ │ ├── proc_access_win_lsass_susp_access_flag.yml │ │ ├── proc_access_win_lsass_werfault.yml │ │ ├── proc_access_win_lsass_whitelisted_process_names.yml │ │ ├── proc_access_win_susp_all_access_uncommon_target.yml │ │ ├── proc_access_win_susp_dbgcore_dbghelp_load.yml │ │ ├── proc_access_win_susp_direct_ntopenprocess_call.yml │ │ ├── proc_access_win_svchost_credential_dumping.yml │ │ ├── proc_access_win_svchost_susp_access_request.yml │ │ ├── proc_access_win_uac_bypass_editionupgrademanagerobj.yml │ │ ├── proc_access_win_uac_bypass_wow64_logger.yml │ │ └── proc_access_win_werfaultsecure_msmpeng_access.yml │ ├── process_creation/ │ │ ├── proc_creation_win_7zip_exfil_dmp_files.yml │ │ ├── proc_creation_win_7zip_password_compression.yml │ │ ├── proc_creation_win_acccheckconsole_execution.yml │ │ ├── proc_creation_win_addinutil_suspicious_cmdline.yml │ │ ├── proc_creation_win_addinutil_uncommon_child_process.yml │ │ ├── proc_creation_win_addinutil_uncommon_cmdline.yml │ │ ├── proc_creation_win_addinutil_uncommon_dir_exec.yml │ │ ├── proc_creation_win_adplus_memory_dump.yml │ │ ├── proc_creation_win_agentexecutor_potential_abuse.yml │ │ ├── proc_creation_win_agentexecutor_susp_usage.yml │ │ ├── proc_creation_win_amsi_registry_tampering.yml │ │ ├── proc_creation_win_appvlp_uncommon_child_process.yml │ │ ├── proc_creation_win_arcsoc_susp_child_process.yml │ │ ├── proc_creation_win_aspnet_compiler_exectuion.yml │ │ ├── proc_creation_win_aspnet_compiler_susp_child_process.yml │ │ ├── 
proc_creation_win_aspnet_compiler_susp_paths.yml │ │ ├── proc_creation_win_at_interactive_execution.yml │ │ ├── proc_creation_win_atbroker_uncommon_ats_execution.yml │ │ ├── proc_creation_win_attrib_hiding_files.yml │ │ ├── proc_creation_win_attrib_system_susp_paths.yml │ │ ├── proc_creation_win_auditpol_nt_resource_kit_usage.yml │ │ ├── proc_creation_win_auditpol_susp_execution.yml │ │ ├── proc_creation_win_autorun_registry_modified_via_wmic.yml │ │ ├── proc_creation_win_baaupdate_susp_child_process.yml │ │ ├── proc_creation_win_bash_command_execution.yml │ │ ├── proc_creation_win_bash_file_execution.yml │ │ ├── proc_creation_win_bcdedit_boot_conf_tamper.yml │ │ ├── proc_creation_win_bcdedit_susp_execution.yml │ │ ├── proc_creation_win_bcp_export_data.yml │ │ ├── proc_creation_win_bginfo_suspicious_child_process.yml │ │ ├── proc_creation_win_bginfo_uncommon_child_process.yml │ │ ├── proc_creation_win_bitlockertogo_execution.yml │ │ ├── proc_creation_win_bitsadmin_download.yml │ │ ├── proc_creation_win_bitsadmin_download_direct_ip.yml │ │ ├── proc_creation_win_bitsadmin_download_file_sharing_domains.yml │ │ ├── proc_creation_win_bitsadmin_download_susp_extensions.yml │ │ ├── proc_creation_win_bitsadmin_download_susp_targetfolder.yml │ │ ├── proc_creation_win_bitsadmin_potential_persistence.yml │ │ ├── proc_creation_win_browsers_chromium_headless_debugging.yml │ │ ├── proc_creation_win_browsers_chromium_headless_exec.yml │ │ ├── proc_creation_win_browsers_chromium_headless_file_download.yml │ │ ├── proc_creation_win_browsers_chromium_load_extension.yml │ │ ├── proc_creation_win_browsers_chromium_mockbin_abuse.yml │ │ ├── proc_creation_win_browsers_chromium_susp_load_extension.yml │ │ ├── proc_creation_win_browsers_inline_file_download.yml │ │ ├── proc_creation_win_browsers_remote_debugging.yml │ │ ├── proc_creation_win_browsers_tor_execution.yml │ │ ├── proc_creation_win_calc_uncommon_exec.yml │ │ ├── proc_creation_win_cdb_arbitrary_command_execution.yml │ │ ├── 
proc_creation_win_certmgr_certificate_installation.yml │ │ ├── proc_creation_win_certoc_download.yml │ │ ├── proc_creation_win_certoc_download_direct_ip.yml │ │ ├── proc_creation_win_certoc_load_dll.yml │ │ ├── proc_creation_win_certoc_load_dll_susp_locations.yml │ │ ├── proc_creation_win_certreq_download.yml │ │ ├── proc_creation_win_certutil_certificate_installation.yml │ │ ├── proc_creation_win_certutil_decode.yml │ │ ├── proc_creation_win_certutil_download.yml │ │ ├── proc_creation_win_certutil_download_direct_ip.yml │ │ ├── proc_creation_win_certutil_download_file_sharing_domains.yml │ │ ├── proc_creation_win_certutil_encode.yml │ │ ├── proc_creation_win_certutil_encode_susp_extensions.yml │ │ ├── proc_creation_win_certutil_encode_susp_location.yml │ │ ├── proc_creation_win_certutil_export_pfx.yml │ │ ├── proc_creation_win_certutil_ntlm_coercion.yml │ │ ├── proc_creation_win_chcp_codepage_lookup.yml │ │ ├── proc_creation_win_chcp_codepage_switch.yml │ │ ├── proc_creation_win_cipher_overwrite_deleted_data.yml │ │ ├── proc_creation_win_citrix_trolleyexpress_procdump.yml │ │ ├── proc_creation_win_clip_execution.yml │ │ ├── proc_creation_win_cloudflared_portable_execution.yml │ │ ├── proc_creation_win_cloudflared_quicktunnel_execution.yml │ │ ├── proc_creation_win_cloudflared_tunnel_cleanup.yml │ │ ├── proc_creation_win_cloudflared_tunnel_run.yml │ │ ├── proc_creation_win_cmd_assoc_execution.yml │ │ ├── proc_creation_win_cmd_assoc_tamper_exe_file_association.yml │ │ ├── proc_creation_win_cmd_copy_dmp_from_share.yml │ │ ├── proc_creation_win_cmd_curl_download_exec_combo.yml │ │ ├── proc_creation_win_cmd_del_execution.yml │ │ ├── proc_creation_win_cmd_del_greedy_deletion.yml │ │ ├── proc_creation_win_cmd_dir_execution.yml │ │ ├── proc_creation_win_cmd_dosfuscation.yml │ │ ├── proc_creation_win_cmd_http_appdata.yml │ │ ├── proc_creation_win_cmd_launched_with_hidden_start_flag.yml │ │ ├── proc_creation_win_cmd_mklink_osk_cmd.yml │ │ ├── 
proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml │ │ ├── proc_creation_win_cmd_net_use_and_exec_combo.yml │ │ ├── proc_creation_win_cmd_no_space_execution.yml │ │ ├── proc_creation_win_cmd_ntdllpipe_redirect.yml │ │ ├── proc_creation_win_cmd_path_traversal.yml │ │ ├── proc_creation_win_cmd_ping_copy_combined_execution.yml │ │ ├── proc_creation_win_cmd_ping_del_combined_execution.yml │ │ ├── proc_creation_win_cmd_redirection_susp_folder.yml │ │ ├── proc_creation_win_cmd_rmdir_execution.yml │ │ ├── proc_creation_win_cmd_shadowcopy_access.yml │ │ ├── proc_creation_win_cmd_stdin_redirect.yml │ │ ├── proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml │ │ ├── proc_creation_win_cmd_sticky_keys_replace.yml │ │ ├── proc_creation_win_cmd_type_arbitrary_file_download.yml │ │ ├── proc_creation_win_cmd_unusual_parent.yml │ │ ├── proc_creation_win_cmdkey_adding_generic_creds.yml │ │ ├── proc_creation_win_cmdkey_recon.yml │ │ ├── proc_creation_win_cmdl32_arbitrary_file_download.yml │ │ ├── proc_creation_win_cmstp_execution_by_creation.yml │ │ ├── proc_creation_win_comodo_ssh_shellhost_cmd_spawn.yml │ │ ├── proc_creation_win_configsecuritypolicy_download_file.yml │ │ ├── proc_creation_win_conhost_headless_powershell.yml │ │ ├── proc_creation_win_conhost_legacy_option.yml │ │ ├── proc_creation_win_conhost_path_traversal.yml │ │ ├── proc_creation_win_conhost_susp_child_process.yml │ │ ├── proc_creation_win_conhost_susp_winshell_child_process.yml │ │ ├── proc_creation_win_conhost_uncommon_parent.yml │ │ ├── proc_creation_win_control_panel_item.yml │ │ ├── proc_creation_win_createdump_lolbin_execution.yml │ │ ├── proc_creation_win_credential_guard_registry_tampering.yml │ │ ├── proc_creation_win_csc_susp_dynamic_compilation.yml │ │ ├── proc_creation_win_csc_susp_parent.yml │ │ ├── proc_creation_win_csi_execution.yml │ │ ├── proc_creation_win_csi_use_of_csharp_console.yml │ │ ├── proc_creation_win_csvde_export.yml │ │ ├── 
proc_creation_win_curl_cookie_hijacking.yml │ │ ├── proc_creation_win_curl_custom_user_agent.yml │ │ ├── proc_creation_win_curl_download_direct_ip_exec.yml │ │ ├── proc_creation_win_curl_download_direct_ip_susp_extensions.yml │ │ ├── proc_creation_win_curl_download_susp_file_sharing_domains.yml │ │ ├── proc_creation_win_curl_insecure_connection.yml │ │ ├── proc_creation_win_curl_insecure_proxy_or_doh.yml │ │ ├── proc_creation_win_curl_local_file_read.yml │ │ ├── proc_creation_win_curl_susp_download.yml │ │ ├── proc_creation_win_customshellhost_susp_exec.yml │ │ ├── proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml │ │ ├── proc_creation_win_defaultpack_uncommon_child_process.yml │ │ ├── proc_creation_win_defender_default_action_modified.yml │ │ ├── proc_creation_win_defender_remove_context_menu.yml │ │ ├── proc_creation_win_desktopimgdownldr_remote_file_download.yml │ │ ├── proc_creation_win_desktopimgdownldr_susp_execution.yml │ │ ├── proc_creation_win_devcon_disable_vmci_driver.yml │ │ ├── proc_creation_win_device_credential_deployment.yml │ │ ├── proc_creation_win_deviceenroller_dll_sideloading.yml │ │ ├── proc_creation_win_devinit_lolbin_usage.yml │ │ ├── proc_creation_win_dfsvc_suspicious_child_processes.yml │ │ ├── proc_creation_win_dirlister_execution.yml │ │ ├── proc_creation_win_discovery_via_reg_queries.yml │ │ ├── proc_creation_win_diskshadow_child_process_susp.yml │ │ ├── proc_creation_win_diskshadow_script_mode_susp_ext.yml │ │ ├── proc_creation_win_diskshadow_script_mode_susp_location.yml │ │ ├── proc_creation_win_dism_enable_powershell_web_access_feature.yml │ │ ├── proc_creation_win_dism_remove.yml │ │ ├── proc_creation_win_dll_sideload_vmware_xfer.yml │ │ ├── proc_creation_win_dllhost_no_cli_execution.yml │ │ ├── proc_creation_win_dns_exfiltration_tools_execution.yml │ │ ├── proc_creation_win_dns_susp_child_process.yml │ │ ├── proc_creation_win_dnscmd_discovery.yml │ │ ├── 
proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml │ │ ├── proc_creation_win_dnx_execute_csharp_code.yml │ │ ├── proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml │ │ ├── proc_creation_win_dotnet_trace_lolbin_execution.yml │ │ ├── proc_creation_win_dotnetdump_memory_dump.yml │ │ ├── proc_creation_win_driverquery_recon.yml │ │ ├── proc_creation_win_driverquery_usage.yml │ │ ├── proc_creation_win_dsacls_abuse_permissions.yml │ │ ├── proc_creation_win_dsacls_password_spray.yml │ │ ├── proc_creation_win_dsquery_domain_trust_discovery.yml │ │ ├── proc_creation_win_dtrace_kernel_dump.yml │ │ ├── proc_creation_win_dump64_defender_av_bypass_rename.yml │ │ ├── proc_creation_win_dumpminitool_execution.yml │ │ ├── proc_creation_win_dumpminitool_susp_execution.yml │ │ ├── proc_creation_win_dxcap_arbitrary_binary_execution.yml │ │ ├── proc_creation_win_esentutl_params.yml │ │ ├── proc_creation_win_esentutl_sensitive_file_copy.yml │ │ ├── proc_creation_win_esentutl_webcache.yml │ │ ├── proc_creation_win_event_logging_disable_via_key_minint.yml │ │ ├── proc_creation_win_eventvwr_susp_child_process.yml │ │ ├── proc_creation_win_expand_cabinet_files.yml │ │ ├── proc_creation_win_explorer_break_process_tree.yml │ │ ├── proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml │ │ ├── proc_creation_win_explorer_nouaccheck.yml │ │ ├── proc_creation_win_findstr_download.yml │ │ ├── proc_creation_win_findstr_gpp_passwords.yml │ │ ├── proc_creation_win_findstr_lnk.yml │ │ ├── proc_creation_win_findstr_lsass.yml │ │ ├── proc_creation_win_findstr_recon_everyone.yml │ │ ├── proc_creation_win_findstr_recon_pipe_output.yml │ │ ├── proc_creation_win_findstr_security_keyword_lookup.yml │ │ ├── proc_creation_win_findstr_subfolder_search.yml │ │ ├── proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml │ │ ├── proc_creation_win_finger_execution.yml │ │ ├── proc_creation_win_fltmc_unload_driver.yml │ │ ├── proc_creation_win_fltmc_unload_driver_sysmon.yml 
│ │ ├── proc_creation_win_forfiles_child_process_masquerading.yml │ │ ├── proc_creation_win_forfiles_proxy_execution_.yml │ │ ├── proc_creation_win_format_uncommon_filesystem_load.yml │ │ ├── proc_creation_win_fsi_fsharp_code_execution.yml │ │ ├── proc_creation_win_fsutil_drive_enumeration.yml │ │ ├── proc_creation_win_fsutil_symlinkevaluation.yml │ │ ├── proc_creation_win_fsutil_usage.yml │ │ ├── proc_creation_win_ftp_arbitrary_command_execution.yml │ │ ├── proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml │ │ ├── proc_creation_win_git_susp_clone.yml │ │ ├── proc_creation_win_github_self_hosted_runner.yml │ │ ├── proc_creation_win_googleupdate_susp_child_process.yml │ │ ├── proc_creation_win_gpg4win_decryption.yml │ │ ├── proc_creation_win_gpg4win_encryption.yml │ │ ├── proc_creation_win_gpg4win_portable_execution.yml │ │ ├── proc_creation_win_gpg4win_susp_location.yml │ │ ├── proc_creation_win_gpresult_execution.yml │ │ ├── proc_creation_win_gup_arbitrary_binary_execution.yml │ │ ├── proc_creation_win_gup_download.yml │ │ ├── proc_creation_win_gup_susp_child_process.yml │ │ ├── proc_creation_win_gup_suspicious_execution.yml │ │ ├── proc_creation_win_hh_chm_execution.yml │ │ ├── proc_creation_win_hh_chm_remote_download_or_execution.yml │ │ ├── proc_creation_win_hh_html_help_susp_child_process.yml │ │ ├── proc_creation_win_hh_susp_execution.yml │ │ ├── proc_creation_win_hktl_adcspwn.yml │ │ ├── proc_creation_win_hktl_bloodhound_sharphound.yml │ │ ├── proc_creation_win_hktl_c3_rundll32_pattern.yml │ │ ├── proc_creation_win_hktl_certify.yml │ │ ├── proc_creation_win_hktl_certipy.yml │ │ ├── proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml │ │ ├── proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml │ │ ├── proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml │ │ ├── proc_creation_win_hktl_cobaltstrike_process_patterns.yml │ │ ├── proc_creation_win_hktl_coercedpotato.yml │ │ ├── proc_creation_win_hktl_covenant.yml │ │ ├── 
proc_creation_win_hktl_crackmapexec_execution.yml │ │ ├── proc_creation_win_hktl_crackmapexec_execution_patterns.yml │ │ ├── proc_creation_win_hktl_crackmapexec_patterns.yml │ │ ├── proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml │ │ ├── proc_creation_win_hktl_createminidump.yml │ │ ├── proc_creation_win_hktl_dinjector.yml │ │ ├── proc_creation_win_hktl_doppelganger.yml │ │ ├── proc_creation_win_hktl_dumpert.yml │ │ ├── proc_creation_win_hktl_edr_freeze.yml │ │ ├── proc_creation_win_hktl_edrsilencer.yml │ │ ├── proc_creation_win_hktl_empire_powershell_launch.yml │ │ ├── proc_creation_win_hktl_empire_powershell_uac_bypass.yml │ │ ├── proc_creation_win_hktl_evil_winrm.yml │ │ ├── proc_creation_win_hktl_execution_via_imphashes.yml │ │ ├── proc_creation_win_hktl_execution_via_pe_metadata.yml │ │ ├── proc_creation_win_hktl_gmer.yml │ │ ├── proc_creation_win_hktl_handlekatz.yml │ │ ├── proc_creation_win_hktl_hashcat.yml │ │ ├── proc_creation_win_hktl_hollowreaper.yml │ │ ├── proc_creation_win_hktl_htran_or_natbypass.yml │ │ ├── proc_creation_win_hktl_hydra.yml │ │ ├── proc_creation_win_hktl_impacket_lateral_movement.yml │ │ ├── proc_creation_win_hktl_impacket_tools.yml │ │ ├── proc_creation_win_hktl_impersonate.yml │ │ ├── proc_creation_win_hktl_inveigh.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_clip.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_stdin.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_var.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_compress.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_var.yml │ │ ├── proc_creation_win_hktl_jlaive_batch_execution.yml │ │ ├── proc_creation_win_hktl_koadic.yml │ │ ├── 
proc_creation_win_hktl_krbrelay.yml │ │ ├── proc_creation_win_hktl_krbrelay_remote.yml │ │ ├── proc_creation_win_hktl_krbrelayup.yml │ │ ├── proc_creation_win_hktl_lazagne.yml │ │ ├── proc_creation_win_hktl_localpotato.yml │ │ ├── proc_creation_win_hktl_meterpreter_getsystem.yml │ │ ├── proc_creation_win_hktl_mimikatz_command_line.yml │ │ ├── proc_creation_win_hktl_pchunter.yml │ │ ├── proc_creation_win_hktl_powersploit_empire_default_schtasks.yml │ │ ├── proc_creation_win_hktl_powertool.yml │ │ ├── proc_creation_win_hktl_purplesharp_indicators.yml │ │ ├── proc_creation_win_hktl_pypykatz.yml │ │ ├── proc_creation_win_hktl_quarks_pwdump.yml │ │ ├── proc_creation_win_hktl_redmimicry_winnti_playbook.yml │ │ ├── proc_creation_win_hktl_relay_attacks_tools.yml │ │ ├── proc_creation_win_hktl_rubeus.yml │ │ ├── proc_creation_win_hktl_safetykatz.yml │ │ ├── proc_creation_win_hktl_secutyxploded.yml │ │ ├── proc_creation_win_hktl_selectmyparent.yml │ │ ├── proc_creation_win_hktl_sharp_chisel.yml │ │ ├── proc_creation_win_hktl_sharp_dpapi_execution.yml │ │ ├── proc_creation_win_hktl_sharp_impersonation.yml │ │ ├── proc_creation_win_hktl_sharp_ldap_monitor.yml │ │ ├── proc_creation_win_hktl_sharpersist.yml │ │ ├── proc_creation_win_hktl_sharpevtmute.yml │ │ ├── proc_creation_win_hktl_sharpldapwhoami.yml │ │ ├── proc_creation_win_hktl_sharpmove.yml │ │ ├── proc_creation_win_hktl_sharpsuccessor_execution.yml │ │ ├── proc_creation_win_hktl_sharpup.yml │ │ ├── proc_creation_win_hktl_sharpview.yml │ │ ├── proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml │ │ ├── proc_creation_win_hktl_silenttrinity_stager.yml │ │ ├── proc_creation_win_hktl_sliver_c2_execution_pattern.yml │ │ ├── proc_creation_win_hktl_soaphound_execution.yml │ │ ├── proc_creation_win_hktl_stracciatella_execution.yml │ │ ├── proc_creation_win_hktl_sysmoneop.yml │ │ ├── proc_creation_win_hktl_trufflesnout.yml │ │ ├── proc_creation_win_hktl_uacme.yml │ │ ├── proc_creation_win_hktl_wce.yml │ │ ├── 
proc_creation_win_hktl_winpeas.yml │ │ ├── proc_creation_win_hktl_winpwn.yml │ │ ├── proc_creation_win_hktl_wmiexec_default_powershell.yml │ │ ├── proc_creation_win_hktl_wsass.yml │ │ ├── proc_creation_win_hktl_xordump.yml │ │ ├── proc_creation_win_hktl_zipexec.yml │ │ ├── proc_creation_win_hostname_execution.yml │ │ ├── proc_creation_win_hvci_registry_tampering.yml │ │ ├── proc_creation_win_hwp_exploits.yml │ │ ├── proc_creation_win_hxtsr_masquerading.yml │ │ ├── proc_creation_win_icacls_deny.yml │ │ ├── proc_creation_win_ieexec_download.yml │ │ ├── proc_creation_win_iexpress_susp_execution.yml │ │ ├── proc_creation_win_iis_appcmd_http_logging.yml │ │ ├── proc_creation_win_iis_appcmd_service_account_password_dumped.yml │ │ ├── proc_creation_win_iis_appcmd_susp_module_install.yml │ │ ├── proc_creation_win_iis_appcmd_susp_rewrite_rule.yml │ │ ├── proc_creation_win_iis_connection_strings_decryption.yml │ │ ├── proc_creation_win_iis_logs_deletion.yml │ │ ├── proc_creation_win_iis_susp_module_registration.yml │ │ ├── proc_creation_win_ilasm_il_code_compilation.yml │ │ ├── proc_creation_win_imagingdevices_unusual_parents.yml │ │ ├── proc_creation_win_imewbdld_download.yml │ │ ├── proc_creation_win_infdefaultinstall_execute_sct_scripts.yml │ │ ├── proc_creation_win_installutil_download.yml │ │ ├── proc_creation_win_instalutil_no_log_execution.yml │ │ ├── proc_creation_win_java_keytool_susp_child_process.yml │ │ ├── proc_creation_win_java_manageengine_susp_child_process.yml │ │ ├── proc_creation_win_java_remote_debugging.yml │ │ ├── proc_creation_win_java_susp_child_process.yml │ │ ├── proc_creation_win_java_susp_child_process_2.yml │ │ ├── proc_creation_win_java_sysaidserver_susp_child_process.yml │ │ ├── proc_creation_win_jsc_execution.yml │ │ ├── proc_creation_win_kavremover_uncommon_execution.yml │ │ ├── proc_creation_win_kd_execution.yml │ │ ├── proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml │ │ ├── proc_creation_win_keyscrambler_susp_child_process.yml 
│ │ ├── proc_creation_win_ksetup_password_change_computer.yml │ │ ├── proc_creation_win_ksetup_password_change_user.yml │ │ ├── proc_creation_win_ldifde_export.yml │ │ ├── proc_creation_win_ldifde_file_load.yml │ │ ├── proc_creation_win_link_uncommon_parent_process.yml │ │ ├── proc_creation_win_lodctr_performance_counter_tampering.yml │ │ ├── proc_creation_win_logman_disable_eventlog.yml │ │ ├── proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml │ │ ├── proc_creation_win_lolbin_devtoolslauncher.yml │ │ ├── proc_creation_win_lolbin_diantz_ads.yml │ │ ├── proc_creation_win_lolbin_diantz_remote_cab.yml │ │ ├── proc_creation_win_lolbin_extrac32.yml │ │ ├── proc_creation_win_lolbin_extrac32_ads.yml │ │ ├── proc_creation_win_lolbin_gather_network_info.yml │ │ ├── proc_creation_win_lolbin_gpscript.yml │ │ ├── proc_creation_win_lolbin_ie4uinit.yml │ │ ├── proc_creation_win_lolbin_launch_vsdevshell.yml │ │ ├── proc_creation_win_lolbin_manage_bde.yml │ │ ├── proc_creation_win_lolbin_mavinject_process_injection.yml │ │ ├── proc_creation_win_lolbin_mpiexec.yml │ │ ├── proc_creation_win_lolbin_msdeploy.yml │ │ ├── proc_creation_win_lolbin_openconsole.yml │ │ ├── proc_creation_win_lolbin_openwith.yml │ │ ├── proc_creation_win_lolbin_pcalua.yml │ │ ├── proc_creation_win_lolbin_pcwrun.yml │ │ ├── proc_creation_win_lolbin_pcwrun_follina.yml │ │ ├── proc_creation_win_lolbin_pcwutl.yml │ │ ├── proc_creation_win_lolbin_pester.yml │ │ ├── proc_creation_win_lolbin_pester_1.yml │ │ ├── proc_creation_win_lolbin_printbrm.yml │ │ ├── proc_creation_win_lolbin_pubprn.yml │ │ ├── proc_creation_win_lolbin_rasautou_dll_execution.yml │ │ ├── proc_creation_win_lolbin_register_app.yml │ │ ├── proc_creation_win_lolbin_remote.yml │ │ ├── proc_creation_win_lolbin_replace.yml │ │ ├── proc_creation_win_lolbin_runexehelper.yml │ │ ├── proc_creation_win_lolbin_runscripthelper.yml │ │ ├── proc_creation_win_lolbin_scriptrunner.yml │ │ ├── proc_creation_win_lolbin_settingsynchost.yml │ │ ├── 
proc_creation_win_lolbin_sftp.yml │ │ ├── proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml │ │ ├── proc_creation_win_lolbin_susp_grpconv.yml │ │ ├── proc_creation_win_lolbin_susp_sqldumper_activity.yml │ │ ├── proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml │ │ ├── proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml │ │ ├── proc_creation_win_lolbin_tracker.yml │ │ ├── proc_creation_win_lolbin_ttdinject.yml │ │ ├── proc_creation_win_lolbin_tttracer_mod_load.yml │ │ ├── proc_creation_win_lolbin_unregmp2.yml │ │ ├── proc_creation_win_lolbin_utilityfunctions.yml │ │ ├── proc_creation_win_lolbin_visual_basic_compiler.yml │ │ ├── proc_creation_win_lolbin_visualuiaverifynative.yml │ │ ├── proc_creation_win_lolbin_vsiisexelauncher.yml │ │ ├── proc_creation_win_lolbin_wfc.yml │ │ ├── proc_creation_win_lolscript_register_app.yml │ │ ├── proc_creation_win_lsass_process_clone.yml │ │ ├── proc_creation_win_mftrace_child_process.yml │ │ ├── proc_creation_win_mmc_default_domain_gpo_modification_via_gpme.yml │ │ ├── proc_creation_win_mmc_mmc20_lateral_movement.yml │ │ ├── proc_creation_win_mmc_rlo_abuse_pattern.yml │ │ ├── proc_creation_win_mmc_susp_child_process.yml │ │ ├── proc_creation_win_mode_codepage_russian.yml │ │ ├── proc_creation_win_mofcomp_execution.yml │ │ ├── proc_creation_win_mpcmdrun_dll_sideload_defender.yml │ │ ├── proc_creation_win_mpcmdrun_download_arbitrary_file.yml │ │ ├── proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml │ │ ├── proc_creation_win_msbuild_susp_parent_process.yml │ │ ├── proc_creation_win_msdt_answer_file_exec.yml │ │ ├── proc_creation_win_msdt_arbitrary_command_execution.yml │ │ ├── proc_creation_win_msdt_susp_cab_options.yml │ │ ├── proc_creation_win_msdt_susp_parent.yml │ │ ├── proc_creation_win_msedge_proxy_download.yml │ │ ├── proc_creation_win_mshta_http.yml │ │ ├── proc_creation_win_mshta_inline_vbscript.yml │ │ ├── proc_creation_win_mshta_javascript.yml │ │ ├── 
proc_creation_win_mshta_lethalhta_technique.yml │ │ ├── proc_creation_win_mshta_susp_child_processes.yml │ │ ├── proc_creation_win_mshta_susp_execution.yml │ │ ├── proc_creation_win_mshta_susp_pattern.yml │ │ ├── proc_creation_win_msiexec_dll.yml │ │ ├── proc_creation_win_msiexec_embedding.yml │ │ ├── proc_creation_win_msiexec_execute_dll.yml │ │ ├── proc_creation_win_msiexec_install_quiet.yml │ │ ├── proc_creation_win_msiexec_install_remote.yml │ │ ├── proc_creation_win_msiexec_masquerading.yml │ │ ├── proc_creation_win_msiexec_web_install.yml │ │ ├── proc_creation_win_msix_ai_stub_execution.yml │ │ ├── proc_creation_win_msohtmed_download.yml │ │ ├── proc_creation_win_mspub_download.yml │ │ ├── proc_creation_win_msra_process_injection.yml │ │ ├── proc_creation_win_mssql_sqlps_susp_execution.yml │ │ ├── proc_creation_win_mssql_sqltoolsps_susp_execution.yml │ │ ├── proc_creation_win_mssql_susp_child_process.yml │ │ ├── proc_creation_win_mssql_veaam_susp_child_processes.yml │ │ ├── proc_creation_win_mstsc_rdp_hijack_shadowing.yml │ │ ├── proc_creation_win_mstsc_remote_connection.yml │ │ ├── proc_creation_win_mstsc_run_local_rdp_file.yml │ │ ├── proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml │ │ ├── proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml │ │ ├── proc_creation_win_msxsl_execution.yml │ │ ├── proc_creation_win_msxsl_remote_execution.yml │ │ ├── proc_creation_win_net_groups_and_accounts_recon.yml │ │ ├── proc_creation_win_net_share_unmount.yml │ │ ├── proc_creation_win_net_start_service.yml │ │ ├── proc_creation_win_net_stop_service.yml │ │ ├── proc_creation_win_net_use_mount_admin_share.yml │ │ ├── proc_creation_win_net_use_mount_internet_share.yml │ │ ├── proc_creation_win_net_use_mount_share.yml │ │ ├── proc_creation_win_net_use_network_connections_discovery.yml │ │ ├── proc_creation_win_net_use_password_plaintext.yml │ │ ├── proc_creation_win_net_user_add.yml │ │ ├── proc_creation_win_net_user_add_never_expire.yml │ │ ├── 
proc_creation_win_net_user_default_accounts_manipulation.yml │ │ ├── proc_creation_win_net_view_share_and_sessions_enum.yml │ │ ├── proc_creation_win_netsh_fw_add_rule.yml │ │ ├── proc_creation_win_netsh_fw_allow_program_in_susp_location.yml │ │ ├── proc_creation_win_netsh_fw_allow_rdp.yml │ │ ├── proc_creation_win_netsh_fw_delete_rule.yml │ │ ├── proc_creation_win_netsh_fw_disable.yml │ │ ├── proc_creation_win_netsh_fw_enable_group_rule.yml │ │ ├── proc_creation_win_netsh_fw_rules_discovery.yml │ │ ├── proc_creation_win_netsh_fw_set_rule.yml │ │ ├── proc_creation_win_netsh_helper_dll_persistence.yml │ │ ├── proc_creation_win_netsh_packet_capture.yml │ │ ├── proc_creation_win_netsh_port_forwarding.yml │ │ ├── proc_creation_win_netsh_port_forwarding_3389.yml │ │ ├── proc_creation_win_netsh_wifi_credential_harvesting.yml │ │ ├── proc_creation_win_nltest_execution.yml │ │ ├── proc_creation_win_nltest_recon.yml │ │ ├── proc_creation_win_node_abuse.yml │ │ ├── proc_creation_win_node_adobe_creative_cloud_abuse.yml │ │ ├── proc_creation_win_notepad_local_passwd_discovery.yml │ │ ├── proc_creation_win_nslookup_domain_discovery.yml │ │ ├── proc_creation_win_nslookup_poweshell_download.yml │ │ ├── proc_creation_win_ntdsutil_susp_usage.yml │ │ ├── proc_creation_win_ntdsutil_usage.yml │ │ ├── proc_creation_win_odbcconf_driver_install.yml │ │ ├── proc_creation_win_odbcconf_driver_install_susp.yml │ │ ├── proc_creation_win_odbcconf_exec_susp_locations.yml │ │ ├── proc_creation_win_odbcconf_register_dll_regsvr.yml │ │ ├── proc_creation_win_odbcconf_register_dll_regsvr_susp.yml │ │ ├── proc_creation_win_odbcconf_response_file.yml │ │ ├── proc_creation_win_odbcconf_response_file_susp.yml │ │ ├── proc_creation_win_odbcconf_uncommon_child_process.yml │ │ ├── proc_creation_win_office_arbitrary_cli_download.yml │ │ ├── proc_creation_win_office_excel_dcom_lateral_movement.yml │ │ ├── proc_creation_win_office_exec_from_trusted_locations.yml │ │ ├── 
proc_creation_win_office_onenote_embedded_script_execution.yml │ │ ├── proc_creation_win_office_onenote_susp_child_processes.yml │ │ ├── proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml │ │ ├── proc_creation_win_office_outlook_execution_from_temp.yml │ │ ├── proc_creation_win_office_outlook_susp_child_processes.yml │ │ ├── proc_creation_win_office_outlook_susp_child_processes_remote.yml │ │ ├── proc_creation_win_office_spawn_exe_from_users_directory.yml │ │ ├── proc_creation_win_office_susp_child_processes.yml │ │ ├── proc_creation_win_office_winword_dll_load.yml │ │ ├── proc_creation_win_offlinescannershell_mpclient_sideloading.yml │ │ ├── proc_creation_win_pdqdeploy_execution.yml │ │ ├── proc_creation_win_pdqdeploy_runner_susp_children.yml │ │ ├── proc_creation_win_perl_inline_command_execution.yml │ │ ├── proc_creation_win_php_inline_command_execution.yml │ │ ├── proc_creation_win_ping_hex_ip.yml │ │ ├── proc_creation_win_pktmon_execution.yml │ │ ├── proc_creation_win_plink_port_forwarding.yml │ │ ├── proc_creation_win_plink_susp_tunneling.yml │ │ ├── proc_creation_win_powercfg_execution.yml │ │ ├── proc_creation_win_powershell_aadinternals_cmdlets_execution.yml │ │ ├── proc_creation_win_powershell_active_directory_module_dll_import.yml │ │ ├── proc_creation_win_powershell_add_windows_capability.yml │ │ ├── proc_creation_win_powershell_amsi_init_failed_bypass.yml │ │ ├── proc_creation_win_powershell_amsi_null_bits_bypass.yml │ │ ├── proc_creation_win_powershell_audio_capture.yml │ │ ├── proc_creation_win_powershell_base64_encoded_cmd.yml │ │ ├── proc_creation_win_powershell_base64_encoded_cmd_patterns.yml │ │ ├── proc_creation_win_powershell_base64_encoded_obfusc.yml │ │ ├── proc_creation_win_powershell_base64_frombase64string.yml │ │ ├── proc_creation_win_powershell_base64_hidden_flag.yml │ │ ├── proc_creation_win_powershell_base64_iex.yml │ │ ├── proc_creation_win_powershell_base64_invoke.yml │ │ ├── 
proc_creation_win_powershell_base64_mppreference.yml │ │ ├── proc_creation_win_powershell_base64_reflection_assembly_load.yml │ │ ├── proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml │ │ ├── proc_creation_win_powershell_base64_wmi_classes.yml │ │ ├── proc_creation_win_powershell_cl_invocation.yml │ │ ├── proc_creation_win_powershell_cl_loadassembly.yml │ │ ├── proc_creation_win_powershell_cl_mutexverifiers.yml │ │ ├── proc_creation_win_powershell_cmdline_convertto_securestring.yml │ │ ├── proc_creation_win_powershell_cmdline_reversed_strings.yml │ │ ├── proc_creation_win_powershell_cmdline_special_characters.yml │ │ ├── proc_creation_win_powershell_comobject_msi.yml │ │ ├── proc_creation_win_powershell_comobject_msi_remote.yml │ │ ├── proc_creation_win_powershell_computer_discovery_get_adcomputer.yml │ │ ├── proc_creation_win_powershell_console_history_file_access.yml │ │ ├── proc_creation_win_powershell_create_service.yml │ │ ├── proc_creation_win_powershell_decode_gzip.yml │ │ ├── proc_creation_win_powershell_decrypt_pattern.yml │ │ ├── proc_creation_win_powershell_defender_disable_feature.yml │ │ ├── proc_creation_win_powershell_defender_exclusion.yml │ │ ├── proc_creation_win_powershell_disable_defender_av_security_monitoring.yml │ │ ├── proc_creation_win_powershell_disable_firewall.yml │ │ ├── proc_creation_win_powershell_disable_ie_features.yml │ │ ├── proc_creation_win_powershell_downgrade_attack.yml │ │ ├── proc_creation_win_powershell_download_com_cradles.yml │ │ ├── proc_creation_win_powershell_download_cradle_obfuscated.yml │ │ ├── proc_creation_win_powershell_download_dll.yml │ │ ├── proc_creation_win_powershell_download_iex.yml │ │ ├── proc_creation_win_powershell_download_patterns.yml │ │ ├── proc_creation_win_powershell_download_susp_file_sharing_domains.yml │ │ ├── proc_creation_win_powershell_dsinternals_cmdlets.yml │ │ ├── proc_creation_win_powershell_email_exfil.yml │ │ ├── 
proc_creation_win_powershell_enable_susp_windows_optional_feature.yml │ │ ├── proc_creation_win_powershell_encode.yml │ │ ├── proc_creation_win_powershell_encoding_patterns.yml │ │ ├── proc_creation_win_powershell_exec_data_file.yml │ │ ├── proc_creation_win_powershell_export_certificate.yml │ │ ├── proc_creation_win_powershell_frombase64string.yml │ │ ├── proc_creation_win_powershell_frombase64string_archive.yml │ │ ├── proc_creation_win_powershell_get_clipboard.yml │ │ ├── proc_creation_win_powershell_get_localgroup_member_recon.yml │ │ ├── proc_creation_win_powershell_getprocess_lsass.yml │ │ ├── proc_creation_win_powershell_hide_services_via_set_service.yml │ │ ├── proc_creation_win_powershell_iex_patterns.yml │ │ ├── proc_creation_win_powershell_import_cert_susp_locations.yml │ │ ├── proc_creation_win_powershell_import_module_susp_dirs.yml │ │ ├── proc_creation_win_powershell_install_unsigned_appx_packages.yml │ │ ├── proc_creation_win_powershell_invocation_specific.yml │ │ ├── proc_creation_win_powershell_invoke_webrequest_direct_ip.yml │ │ ├── proc_creation_win_powershell_invoke_webrequest_download.yml │ │ ├── proc_creation_win_powershell_kerberos_kerberos_ticket_request_via_cli.yml │ │ ├── proc_creation_win_powershell_mailboxexport_share.yml │ │ ├── proc_creation_win_powershell_malicious_cmdlets.yml │ │ ├── proc_creation_win_powershell_msexchange_transport_agent.yml │ │ ├── proc_creation_win_powershell_non_interactive_execution.yml │ │ ├── proc_creation_win_powershell_obfuscation_via_utf8.yml │ │ ├── proc_creation_win_powershell_public_folder.yml │ │ ├── proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml │ │ ├── proc_creation_win_powershell_remove_mppreference.yml │ │ ├── proc_creation_win_powershell_reverse_shell_connection.yml │ │ ├── proc_creation_win_powershell_run_script_from_ads.yml │ │ ├── proc_creation_win_powershell_run_script_from_input_stream.yml │ │ ├── proc_creation_win_powershell_sam_access.yml │ │ ├── 
proc_creation_win_powershell_script_engine_parent.yml │ │ ├── proc_creation_win_powershell_service_dacl_modification_set_service.yml │ │ ├── proc_creation_win_powershell_set_acl.yml │ │ ├── proc_creation_win_powershell_set_acl_susp_location.yml │ │ ├── proc_creation_win_powershell_set_policies_to_unsecure_level.yml │ │ ├── proc_creation_win_powershell_set_service_disabled.yml │ │ ├── proc_creation_win_powershell_shadowcopy_deletion.yml │ │ ├── proc_creation_win_powershell_snapins_hafnium.yml │ │ ├── proc_creation_win_powershell_stop_service.yml │ │ ├── proc_creation_win_powershell_susp_download_patterns.yml │ │ ├── proc_creation_win_powershell_susp_parameter_variation.yml │ │ ├── proc_creation_win_powershell_susp_parent_process.yml │ │ ├── proc_creation_win_powershell_susp_ps_appdata.yml │ │ ├── proc_creation_win_powershell_token_obfuscation.yml │ │ ├── proc_creation_win_powershell_uninstall_defender_feature.yml │ │ ├── proc_creation_win_powershell_user_discovery_get_aduser.yml │ │ ├── proc_creation_win_powershell_webclient_casing.yml │ │ ├── proc_creation_win_powershell_x509enrollment.yml │ │ ├── proc_creation_win_powershell_xor_commandline.yml │ │ ├── proc_creation_win_powershell_zip_compress.yml │ │ ├── proc_creation_win_presentationhost_download.yml │ │ ├── proc_creation_win_presentationhost_uncommon_location_exec.yml │ │ ├── proc_creation_win_pressanykey_lolbin_execution.yml │ │ ├── proc_creation_win_print_remote_file_copy.yml │ │ ├── proc_creation_win_protocolhandler_download.yml │ │ ├── proc_creation_win_provlaunch_potential_abuse.yml │ │ ├── proc_creation_win_provlaunch_susp_child_process.yml │ │ ├── proc_creation_win_psr_capture_screenshots.yml │ │ ├── proc_creation_win_pua_3proxy_execution.yml │ │ ├── proc_creation_win_pua_adfind_enumeration.yml │ │ ├── proc_creation_win_pua_adfind_execution.yml │ │ ├── proc_creation_win_pua_adfind_susp_usage.yml │ │ ├── proc_creation_win_pua_advanced_ip_scanner.yml │ │ ├── proc_creation_win_pua_advanced_port_scanner.yml 
│ │ ├── proc_creation_win_pua_advancedrun.yml │ │ ├── proc_creation_win_pua_advancedrun_priv_user.yml │ │ ├── proc_creation_win_pua_chisel.yml │ │ ├── proc_creation_win_pua_cleanwipe.yml │ │ ├── proc_creation_win_pua_crassus.yml │ │ ├── proc_creation_win_pua_csexec.yml │ │ ├── proc_creation_win_pua_defendercheck.yml │ │ ├── proc_creation_win_pua_ditsnap.yml │ │ ├── proc_creation_win_pua_frp.yml │ │ ├── proc_creation_win_pua_iox.yml │ │ ├── proc_creation_win_pua_kdu_driver_tool.yml │ │ ├── proc_creation_win_pua_mouselock_execution.yml │ │ ├── proc_creation_win_pua_netcat.yml │ │ ├── proc_creation_win_pua_netscan.yml │ │ ├── proc_creation_win_pua_ngrok.yml │ │ ├── proc_creation_win_pua_nimgrab.yml │ │ ├── proc_creation_win_pua_nimscan.yml │ │ ├── proc_creation_win_pua_nircmd.yml │ │ ├── proc_creation_win_pua_nircmd_as_system.yml │ │ ├── proc_creation_win_pua_nmap_zenmap.yml │ │ ├── proc_creation_win_pua_nps.yml │ │ ├── proc_creation_win_pua_nsudo.yml │ │ ├── proc_creation_win_pua_pingcastle.yml │ │ ├── proc_creation_win_pua_pingcastle_script_parent.yml │ │ ├── proc_creation_win_pua_process_hacker.yml │ │ ├── proc_creation_win_pua_radmin.yml │ │ ├── proc_creation_win_pua_rcedit_execution.yml │ │ ├── proc_creation_win_pua_rclone_execution.yml │ │ ├── proc_creation_win_pua_restic.yml │ │ ├── proc_creation_win_pua_runxcmd.yml │ │ ├── proc_creation_win_pua_seatbelt.yml │ │ ├── proc_creation_win_pua_system_informer.yml │ │ ├── proc_creation_win_pua_trufflehog.yml │ │ ├── proc_creation_win_pua_webbrowserpassview.yml │ │ ├── proc_creation_win_pua_wsudo_susp_execution.yml │ │ ├── proc_creation_win_python_adidnsdump.yml │ │ ├── proc_creation_win_python_inline_command_execution.yml │ │ ├── proc_creation_win_python_pty_spawn.yml │ │ ├── proc_creation_win_qemu_suspicious_execution.yml │ │ ├── proc_creation_win_query_session_exfil.yml │ │ ├── proc_creation_win_quickassist_execution.yml │ │ ├── proc_creation_win_rar_compress_data.yml │ │ ├── 
proc_creation_win_rar_compression_with_password.yml │ │ ├── proc_creation_win_rar_susp_greedy_compression.yml │ │ ├── proc_creation_win_rasdial_execution.yml │ │ ├── proc_creation_win_rdp_enable_or_disable_via_win32_terminalservicesetting_wmi_class.yml │ │ ├── proc_creation_win_rdrleakdiag_process_dumping.yml │ │ ├── proc_creation_win_reagentc_disable_windows_recovery_environment.yml │ │ ├── proc_creation_win_reg_add_run_key.yml │ │ ├── proc_creation_win_reg_add_safeboot.yml │ │ ├── proc_creation_win_reg_bitlocker.yml │ │ ├── proc_creation_win_reg_credential_access_via_password_filter.yml │ │ ├── proc_creation_win_reg_defender_exclusion.yml │ │ ├── proc_creation_win_reg_delete_runmru.yml │ │ ├── proc_creation_win_reg_delete_safeboot.yml │ │ ├── proc_creation_win_reg_delete_services.yml │ │ ├── proc_creation_win_reg_desktop_background_change.yml │ │ ├── proc_creation_win_reg_direct_asep_registry_keys_modification.yml │ │ ├── proc_creation_win_reg_disable_defender_wmi_autologger.yml │ │ ├── proc_creation_win_reg_disable_sec_services.yml │ │ ├── proc_creation_win_reg_dumping_sensitive_hives.yml │ │ ├── proc_creation_win_reg_enable_windows_recall.yml │ │ ├── proc_creation_win_reg_enumeration_for_credentials_in_registry.yml │ │ ├── proc_creation_win_reg_import_from_suspicious_paths.yml │ │ ├── proc_creation_win_reg_lsa_disable_restricted_admin.yml │ │ ├── proc_creation_win_reg_lsa_ppl_protection_disabled.yml │ │ ├── proc_creation_win_reg_machineguid.yml │ │ ├── proc_creation_win_reg_modify_group_policy_settings.yml │ │ ├── proc_creation_win_reg_nolmhash.yml │ │ ├── proc_creation_win_reg_query_registry.yml │ │ ├── proc_creation_win_reg_rdp_keys_tamper.yml │ │ ├── proc_creation_win_reg_screensaver.yml │ │ ├── proc_creation_win_reg_service_imagepath_change.yml │ │ ├── proc_creation_win_reg_software_discovery.yml │ │ ├── proc_creation_win_reg_susp_paths.yml │ │ ├── proc_creation_win_reg_system_language_discovery.yml │ │ ├── proc_creation_win_reg_volsnap_disable.yml │ │ ├── 
proc_creation_win_reg_windows_defender_tamper.yml │ │ ├── proc_creation_win_reg_write_protect_for_storage_disabled.yml │ │ ├── proc_creation_win_regasm_no_flag_or_dll_execution.yml │ │ ├── proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml │ │ ├── proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml │ │ ├── proc_creation_win_regedit_export_critical_keys.yml │ │ ├── proc_creation_win_regedit_export_keys.yml │ │ ├── proc_creation_win_regedit_import_keys.yml │ │ ├── proc_creation_win_regedit_import_keys_ads.yml │ │ ├── proc_creation_win_regedit_trustedinstaller.yml │ │ ├── proc_creation_win_regini_ads.yml │ │ ├── proc_creation_win_regini_execution.yml │ │ ├── proc_creation_win_registry_cimprovider_dll_load.yml │ │ ├── proc_creation_win_registry_enumeration_for_credentials_cli.yml │ │ ├── proc_creation_win_registry_export_of_thirdparty_creds.yml │ │ ├── proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml │ │ ├── proc_creation_win_registry_install_reg_debugger_backdoor.yml │ │ ├── proc_creation_win_registry_logon_script.yml │ │ ├── proc_creation_win_registry_new_network_provider.yml │ │ ├── proc_creation_win_registry_office_disable_python_security_warnings.yml │ │ ├── proc_creation_win_registry_privilege_escalation_via_service_key.yml │ │ ├── proc_creation_win_registry_provlaunch_provisioning_command.yml │ │ ├── proc_creation_win_registry_set_unsecure_powershell_policy.yml │ │ ├── proc_creation_win_registry_special_accounts_hide_user.yml │ │ ├── proc_creation_win_registry_typed_paths_persistence.yml │ │ ├── proc_creation_win_regsvr32_flags_anomaly.yml │ │ ├── proc_creation_win_regsvr32_http_ip_pattern.yml │ │ ├── proc_creation_win_regsvr32_network_pattern.yml │ │ ├── proc_creation_win_regsvr32_remote_share.yml │ │ ├── proc_creation_win_regsvr32_susp_child_process.yml │ │ ├── proc_creation_win_regsvr32_susp_exec_path_1.yml │ │ ├── proc_creation_win_regsvr32_susp_exec_path_2.yml │ │ ├── 
proc_creation_win_regsvr32_susp_extensions.yml │ │ ├── proc_creation_win_regsvr32_susp_parent.yml │ │ ├── proc_creation_win_regsvr32_uncommon_extension.yml │ │ ├── proc_creation_win_remote_access_tools_anydesk.yml │ │ ├── proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml │ │ ├── proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml │ │ ├── proc_creation_win_remote_access_tools_anydesk_silent_install.yml │ │ ├── proc_creation_win_remote_access_tools_anydesk_susp_exec.yml │ │ ├── proc_creation_win_remote_access_tools_gotoopener.yml │ │ ├── proc_creation_win_remote_access_tools_logmein.yml │ │ ├── proc_creation_win_remote_access_tools_meshagent_arguments.yml │ │ ├── proc_creation_win_remote_access_tools_meshagent_exec.yml │ │ ├── proc_creation_win_remote_access_tools_netsupport.yml │ │ ├── proc_creation_win_remote_access_tools_netsupport_susp_exec.yml │ │ ├── proc_creation_win_remote_access_tools_renamed_meshagent_execution.yml │ │ ├── proc_creation_win_remote_access_tools_rurat_non_default_location.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect_webshell.yml │ │ ├── proc_creation_win_remote_access_tools_simple_help.yml │ │ ├── proc_creation_win_remote_access_tools_tacticalrmm_agent_registration_via_cli.yml │ │ ├── proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml │ │ ├── proc_creation_win_remote_access_tools_ultraviewer.yml │ │ ├── proc_creation_win_remote_time_discovery.yml │ │ ├── proc_creation_win_renamed_adfind.yml │ │ ├── proc_creation_win_renamed_autohotkey.yml │ │ ├── proc_creation_win_renamed_autoit.yml │ │ ├── proc_creation_win_renamed_binary.yml │ │ ├── 
proc_creation_win_renamed_binary_highly_releva
SYMBOL INDEX (73 symbols across 9 files)
FILE: documentation/tools/sigma-logsource-checker.py
function yield_next_rule_file_path (line 111) | def yield_next_rule_file_path(path_to_rules: str) -> str:
function get_rule_part (line 117) | def get_rule_part(file_path: str, part_name: str):
function get_rule_yaml (line 125) | def get_rule_yaml(file_path: str) -> dict:
function extract_events_ids (line 135) | def extract_events_ids(detection):
function test_invalid_logsource_attributes (line 152) | def test_invalid_logsource_attributes(path_to_rules):
function extract_fields (line 183) | def extract_fields(detection):
function get_logsource_dict (line 202) | def get_logsource_dict(path_to_rules, broken_rules):
function enrich_logsource_dict (line 256) | def enrich_logsource_dict(logsource_dict_list):
function parse_gpresult (line 265) | def parse_gpresult(gpresult):
FILE: tests/deprecated_rules.py
function get_level (line 26) | def get_level(rule):
function get_modified_time (line 30) | def get_modified_time(rule):
function format_rule (line 34) | def format_rule(rule):
function save_file (line 44) | def save_file(rules, _format):
FILE: tests/promote_rules_status.py
function get_rules_to_promote (line 14) | def get_rules_to_promote():
function promote_rules (line 32) | def promote_rules(rules_to_promote):
FILE: tests/reference-archiver.py
function yield_next_rule_file_path (line 31) | def yield_next_rule_file_path(path_to_rules: list) -> Generator[str, Non...
function get_rule_part (line 39) | def get_rule_part(file_path: str, part_name: str):
function get_rule_yaml (line 48) | def get_rule_yaml(file_path: str) -> dict:
function get_references (line 59) | def get_references(path_to_rules):
function archive_references (line 72) | def archive_references(ref_list):
function sort_references (line 107) | def sort_references(file_path: str):
FILE: tests/regression_tests_runner.py
function get_absolute_path (line 13) | def get_absolute_path(base_path: str, relative_path: str) -> str:
function load_info_yaml (line 29) | def load_info_yaml(
function find_rule_missing_test (line 111) | def find_rule_missing_test(rule_data: Dict, file_path: str) -> tuple[boo...
function find_rule_tests (line 147) | def find_rule_tests(rule_data: Dict, file_path: str) -> tuple[List[Dict]...
function find_rules_with_tests (line 169) | def find_rules_with_tests(
function run_evtx_checker (line 219) | def run_evtx_checker(
function run_test (line 282) | def run_test(
function parse_arguments (line 300) | def parse_arguments() -> argparse.Namespace:
function init_checks (line 345) | def init_checks(args: argparse.Namespace) -> None:
function run_tests (line 377) | def run_tests(
function validate_missing_tests (line 430) | def validate_missing_tests(
function check_missing_test_files (line 479) | def check_missing_test_files(missing_files: List[Dict]) -> None:
function print_summary (line 516) | def print_summary(total_tests: int, passed_tests: int, failures: List[Di...
function check_rule_id_consistency (line 543) | def check_rule_id_consistency(rules_with_tests: List[Dict]) -> List[Dict]:
function main (line 665) | def main():
FILE: tests/sigma-package-release.py
function init_arguments (line 34) | def init_arguments(arguments: list) -> list:
function select_rules (line 98) | def select_rules(args: dict) -> list:
function write_zip (line 135) | def write_zip(outfile: str, selected_rules: list):
function main (line 153) | def main(arguments: list) -> int:
FILE: tests/test_logsource.py
class TestRules (line 17) | class TestRules(unittest.TestCase):
method yield_next_rule_file_path (line 32) | def yield_next_rule_file_path(self, path_to_rules: list) -> str:
method get_rule_yaml (line 39) | def get_rule_yaml(self, file_path: str) -> dict:
method get_rule_part (line 49) | def get_rule_part(self, file_path: str, part_name: str):
method get_detection_field (line 57) | def get_detection_field(self, detection: dict):
method full_logsource (line 81) | def full_logsource(self, logsource: dict) -> dict:
method exist_logsource (line 96) | def exist_logsource(self, logsource: dict) -> bool:
method get_logsource (line 121) | def get_logsource(self, logsource: dict) -> list:
method not_commun (line 145) | def not_commun(self, logsource: dict, data: list) -> bool:
method test_invalid_logsource_attributes (line 160) | def test_invalid_logsource_attributes(self):
method test_logsource_value (line 203) | def test_logsource_value(self):
method test_fieldname_case (line 228) | def test_fieldname_case(self):
function load_fields_json (line 261) | def load_fields_json(name: str):
FILE: tests/test_rules.py
class TestRules (line 26) | class TestRules(unittest.TestCase):
method yield_next_rule_file_path (line 66) | def yield_next_rule_file_path(self, path_to_rules: list) -> str:
method get_rule_part (line 73) | def get_rule_part(self, file_path: str, part_name: str):
method get_rule_yaml (line 81) | def get_rule_yaml(self, file_path: str) -> dict:
method test_legal_trademark_violations (line 92) | def test_legal_trademark_violations(self):
method test_duplicate_detections (line 218) | def test_duplicate_detections(self):
method test_source_eventlog (line 301) | def test_source_eventlog(self):
method test_event_id_instead_of_process_creation (line 317) | def test_event_id_instead_of_process_creation(self):
method test_sysmon_rule_without_eventid (line 377) | def test_sysmon_rule_without_eventid(self):
method test_optional_license (line 465) | def test_optional_license(self):
method test_file_names (line 546) | def test_file_names(self):
method test_title_in_first_line (line 819) | def test_title_in_first_line(self):
method test_selection_list_one_value (line 847) | def test_selection_list_one_value(self):
method test_broken_thor_logsource_config (line 1106) | def test_broken_thor_logsource_config(self):
method test_re_invalid_escapes (line 1144) | def test_re_invalid_escapes(self):
FILE: tests/validate-sigma-schema/validate.py
function get_envs (line 12) | def get_envs() -> Dict[str, Any]:
function generate_all_files (line 56) | def generate_all_files(
function get_rules (line 88) | def get_rules(sigma_rules_path: List[Path]) -> List[str] | NoReturn:
function download_schema_file (line 110) | def download_schema_file(envs: Dict[str, Any]) -> Path | NoReturn:
function help (line 144) | def help() -> None:
[
{
"path": ".gitattributes",
"chars": 482,
"preview": "# Set the default behavior, in case people don't have core.autocrlf set.\n* text=lf\n\n# Explicitly declare text files you "
},
{
"path": ".github/FUNDING.yml",
"chars": 740,
"preview": "# These are supported funding model platforms\n\ngithub: [thomaspatzke]\npatreon: # Replace with a single Patreon username\n"
},
{
"path": ".github/ISSUE_TEMPLATE/false_positive_report.yml",
"chars": 1134,
"preview": "name: \"False Positive Report\"\ndescription: Report false positives with SIGMA rules\nlabels: [False-Positive]\nassignees:\n "
},
{
"path": ".github/ISSUE_TEMPLATE/rule_proposal.md",
"chars": 345,
"preview": "---\nname: \"Rule Proposal\"\nabout: Rule Idea Proposal\ntitle: ''\nlabels: Rule\nassignees:\n - nasbench\n\n---\n\n### Description"
},
{
"path": ".github/PULL_REQUEST_TEMPLATE.md",
"chars": 1448,
"preview": "<!--\nThanks for your contribution. Please make sure to fill the contents of this template with the necessary information"
},
{
"path": ".github/labeler.yml",
"chars": 1520,
"preview": "Rules:\n- changed-files:\n - any-glob-to-any-file:\n - 'deprecated/**'\n - 'rules/**'\n - 'rules-comp"
},
{
"path": ".github/latest_archiver_output.md",
"chars": 53958,
"preview": "# Reference Archiver Results\n\nLast Execution: 2026-03-01 02:19:10\n\n### Archiver Script Results\n\n\n#### Newly Archived Ref"
},
{
"path": ".github/workflows/goodlog-tests.yml",
"chars": 7248,
"preview": "# This workflow will install Python dependencies, run tests and lint with a single version of Python\n# For more informat"
},
{
"path": ".github/workflows/greetings.yml",
"chars": 1488,
"preview": "name: Greet First-Time Contributors\n\non:\n pull_request:\n types:\n - opened\n issues:\n types:\n - opened\n\n"
},
{
"path": ".github/workflows/known-FPs.csv",
"chars": 7193,
"preview": "RuleId;RuleName;MatchString\n8e5e38e4-5350-4c0b-895a-e872ce0dd54f;Msiexec Initiated Connection;.*\nad1f4bb9-8dfb-4765-adb6"
},
{
"path": ".github/workflows/matchgrep.sh",
"chars": 1068,
"preview": "#!/bin/bash\n\ninfile=$1\nfps=$2\n\nif [[ -z ${infile} || -z ${fps} ]]; then\n >&2 echo \"usage: $0 [json-file] [FPs.csv]\" \n"
},
{
"path": ".github/workflows/pr-labeler.yml",
"chars": 233,
"preview": "on:\n pull_request_target:\n types:\n - opened\n\nname: PR Labeler Workflow\n\njobs:\n triage:\n permissions:\n "
},
{
"path": ".github/workflows/ref-archiver.yml",
"chars": 1564,
"preview": "name: \"Reference Archiver\"\n\non:\n #push:\n # branches:\n # - \"*\"\n schedule:\n - cron: \"30 1 1,15 * *\" # At 01:3"
},
{
"path": ".github/workflows/regression-tests.yml",
"chars": 905,
"preview": "name: Regression Tests\n\non: [push, pull_request, workflow_dispatch]\n\nenv:\n EVTX_BASELINE_VERSION: v0.8.4\n\njobs:\n true-"
},
{
"path": ".github/workflows/release.yml",
"chars": 4417,
"preview": "on:\n push:\n tags:\n - 'r*'\n\nname: Create Release\n\njobs:\n build:\n name: Create Release\n runs-on: ubuntu-la"
},
{
"path": ".github/workflows/sigma-rule-deprecated.yml",
"chars": 1522,
"preview": "name: \"Create deprecated summary\"\n\non:\n #push:\n # branches:\n # - \"*\"\n schedule:\n - cron: \"0 0 1 * *\" # At 0"
},
{
"path": ".github/workflows/sigma-rule-promoter.yml",
"chars": 1673,
"preview": "#name: \"Promote Experimental Rules To Test\"\n#\n#on:\n# #push:\n# # branches:\n# # - \"*\"\n# schedule:\n# - cron: \""
},
{
"path": ".github/workflows/sigma-test.yml",
"chars": 2232,
"preview": "# This workflow will install Python dependencies, run tests and lint with a single version of Python\n# For more informat"
},
{
"path": ".github/workflows/sigma-validation.yml",
"chars": 543,
"preview": "name: Validate Sigma rules\n\non: [push, pull_request, merge_group, workflow_dispatch]\n\njobs:\n sigma-rules-validator:\n "
},
{
"path": ".github/workflows/update-heatmap.yml",
"chars": 1758,
"preview": "name: Generate Updated ATT&CK Heatmap\non:\n schedule:\n - cron: \"0 0 1 * *\"\n workflow_dispatch:\n\n\njobs:\n generate-he"
},
{
"path": ".gitignore",
"chars": 1170,
"preview": "# Byte-compiled / optimized / DLL files\n__pycache__/\n*.py[cod]\n*$py.class\n\n# C extensions\n*.so\n\n# Distribution / packagi"
},
{
"path": ".yamllint",
"chars": 548,
"preview": "# https://yamllint.readthedocs.io/en/latest/configuration.html\nextends: default\n\nignore:\n - .github/\n - deprecated"
},
{
"path": "CONTRIBUTING.md",
"chars": 1930,
"preview": "# Contributing to Sigma 🧙♂️\n\nFirst off, thank you for considering contributing to Sigma! Your help is invaluable in kee"
},
{
"path": "LICENSE",
"chars": 384,
"preview": "# Licenses\n\nThe content of this repository is released under the following licenses:\n\n- The Sigma specification (https:/"
},
{
"path": "README.md",
"chars": 9721,
"preview": "# Sigma - Generic Signature Format for SIEM Systems\n\n<a href=\"https://sigmahq.io/\">\n<p align=\"center\">\n<br />\n<picture>\n"
},
{
"path": "Releases.md",
"chars": 5278,
"preview": "This following document describes the different types of rule packages provided with every release.\n\n## Package Introduc"
},
{
"path": "deprecated/README.md",
"chars": 440,
"preview": "# Deprecated folder\r\n\r\nThis folder contains all rules that have been marked as deprecated.\r\n\r\nIt is recommended to avoid"
},
{
"path": "deprecated/cloud/azure_app_credential_modification.yml",
"chars": 940,
"preview": "title: Azure Application Credential Modified\nid: cdeef967-f9a1-4375-90ee-6978c5f23974\nstatus: deprecated\ndescription: Id"
},
{
"path": "deprecated/cloud/azure_app_permissions_for_api.yml",
"chars": 773,
"preview": "title: App Permissions Granted For Other APIs\nid: ba2a7c80-027b-460f-92e2-57d113897dbc\nstatus: deprecated\ndescription: D"
},
{
"path": "deprecated/deprecated.csv",
"chars": 16344,
"preview": "id,title,date,modified,level\n867613fb-fa60-4497-a017-a82df74a172c,PowerShell Execution,2019-09-12,2021-11-05,medium\n0d89"
},
{
"path": "deprecated/deprecated.json",
"chars": 34188,
"preview": "[\n {\n \"id\": \"867613fb-fa60-4497-a017-a82df74a172c\",\n \"title\": \"PowerShell Execution\",\n \"date\": \""
},
{
"path": "deprecated/linux/lnx_auditd_alter_bash_profile.yml",
"chars": 1017,
"preview": "title: Edit of .bash_profile and .bashrc\nid: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9\nstatus: deprecated\ndescription: Detect"
},
{
"path": "deprecated/linux/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml",
"chars": 1430,
"preview": "title: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd\nid: 045b5f9c-49f7-4419-a236-9854fb3c827a\nstatus: unsupporte"
},
{
"path": "deprecated/linux/lnx_space_after_filename_.yml",
"chars": 441,
"preview": "title: Space After Filename\nid: 879c3015-c88b-4782-93d7-07adf92dbcb7\nstatus: deprecated\ndescription: Detects space after"
},
{
"path": "deprecated/macos/proc_creation_macos_add_to_admin_group.yml",
"chars": 1225,
"preview": "title: User Added To Admin Group - MacOS\nid: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b\nstatus: deprecated\ndescription: Detect"
},
{
"path": "deprecated/macos/proc_creation_macos_malware_amos_filegrabber_exec.yml",
"chars": 861,
"preview": "title: Atomic MacOS Stealer - FileGrabber Infostealer Execution\nid: e710a880-1f18-4417-b6a0-b5afdf7e305a\nstatus: depreca"
},
{
"path": "deprecated/other/generic_brute_force.yml",
"chars": 640,
"preview": "title: Brute Force\nid: 53c7cca0-2901-493a-95db-d00d6fcf0a37\nstatus: deprecated\ndescription: Detects many authentication "
},
{
"path": "deprecated/web/proxy_apt_domestic_kitten.yml",
"chars": 780,
"preview": "title: Domestic Kitten FurBall Malware Pattern\nid: 6c939dfa-c710-4e12-a4dd-47e1f10e68e1\nstatus: deprecated\ndescription: "
},
{
"path": "deprecated/web/proxy_cobalt_amazon.yml",
"chars": 1230,
"preview": "title: CobaltStrike Malleable Amazon Browsing Traffic Profile\nid: 953b895e-5cc9-454b-b183-7f3db555452e\nstatus: deprecate"
},
{
"path": "deprecated/web/proxy_cobalt_malformed_uas.yml",
"chars": 976,
"preview": "title: CobaltStrike Malformed UAs in Malleable Profiles\nid: 41b42a36-f62c-4c34-bd40-8cb804a34ad8\nstatus: deprecated\ndesc"
},
{
"path": "deprecated/web/proxy_cobalt_ocsp.yml",
"chars": 651,
"preview": "title: CobaltStrike Malleable (OCSP) Profile\nid: 37325383-740a-403d-b1a2-b2b4ab7992e7\nstatus: deprecated\ndescription: De"
},
{
"path": "deprecated/web/proxy_cobalt_onedrive.yml",
"chars": 801,
"preview": "title: CobaltStrike Malleable OneDrive Browsing Traffic Profile\nid: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc\nstatus: depreca"
},
{
"path": "deprecated/web/proxy_ios_implant.yml",
"chars": 844,
"preview": "title: iOS Implant URL Pattern\nid: e06ac91d-b9e6-443d-8e5b-af749e7aa6b6\nstatus: deprecated # Deprecated to being related"
},
{
"path": "deprecated/web/proxy_webdav_search_ms.yml",
"chars": 1455,
"preview": "title: Search-ms and WebDAV Suspicious Indicators in URL\nid: 5039f3d2-406a-4c1a-9350-7a5a85dc84c2\nstatus: deprecated # S"
},
{
"path": "deprecated/windows/create_remote_thread_win_susp_remote_thread_target.yml",
"chars": 1253,
"preview": "title: Suspicious Remote Thread Target\nid: f016c716-754a-467f-a39e-63c06f773987\nstatus: deprecated\ndescription: |\n Offe"
},
{
"path": "deprecated/windows/driver_load_win_mal_creddumper.yml",
"chars": 1169,
"preview": "title: Credential Dumping Tools Service Execution\nid: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2\nrelated:\n - id: 4976aa50-8"
},
{
"path": "deprecated/windows/driver_load_win_mal_poortry_driver.yml",
"chars": 2140,
"preview": "title: Usage Of Malicious POORTRY Signed Driver\nid: 91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6\nstatus: deprecated\ndescription:"
},
{
"path": "deprecated/windows/driver_load_win_powershell_script_installed_as_service.yml",
"chars": 687,
"preview": "title: PowerShell Scripts Run by a Services\nid: 46deb5e1-28c9-4905-b2df-51cdcc9e6073\nrelated:\n - id: a2e5019d-a658-4c"
},
{
"path": "deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml",
"chars": 1114,
"preview": "title: Vulnerable AVAST Anti Rootkit Driver Load\nid: 7c676970-af4f-43c8-80af-ec9b49952852\nstatus: deprecated\ndescription"
},
{
"path": "deprecated/windows/driver_load_win_vuln_dell_driver.yml",
"chars": 1254,
"preview": "title: Vulnerable Dell BIOS Update Driver Load\nid: 21b23707-60d6-41bb-96e3-0f0481b0fed9\nstatus: deprecated\ndescription: "
},
{
"path": "deprecated/windows/driver_load_win_vuln_drivers_names.yml",
"chars": 11545,
"preview": "title: Vulnerable Driver Load By Name\nid: 839f1ee1-292d-495a-bf37-818267b8ee82\nrelated:\n - id: 7aaaf4b8-e47c-4295-92e"
},
{
"path": "deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml",
"chars": 1428,
"preview": "title: Vulnerable GIGABYTE Driver Load\nid: 7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647\nstatus: deprecated\ndescription: Detects "
},
{
"path": "deprecated/windows/driver_load_win_vuln_hw_driver.yml",
"chars": 1453,
"preview": "title: Vulnerable HW Driver Load\nid: 9bacc538-d1b9-4d42-862e-469eafc05a41\nstatus: deprecated\ndescription: Detects the lo"
},
{
"path": "deprecated/windows/driver_load_win_vuln_lenovo_driver.yml",
"chars": 987,
"preview": "title: Vulnerable Lenovo Driver Load\nid: ac683a42-877b-4ff8-91ac-69e94b0f70b4\nstatus: deprecated\ndescription: Detects th"
},
{
"path": "deprecated/windows/file_event_win_access_susp_teams.yml",
"chars": 929,
"preview": "title: Suspicious File Event With Teams Objects\nid: 6902955a-01b7-432c-b32a-6f5f81d8f624\nstatus: deprecated\ndescription:"
},
{
"path": "deprecated/windows/file_event_win_access_susp_unattend_xml.yml",
"chars": 866,
"preview": "title: Suspicious Unattend.xml File Access\nid: 1a3d42dd-3763-46b9-8025-b5f17f340dfb\nstatus: deprecated\ndescription: |\n "
},
{
"path": "deprecated/windows/file_event_win_crackmapexec_patterns.yml",
"chars": 1583,
"preview": "title: CrackMapExec File Creation Patterns\nid: 9433ff9c-5d3f-4269-99f8-95fc826ea489\nstatus: deprecated\ndescription: Dete"
},
{
"path": "deprecated/windows/file_event_win_hktl_createminidump.yml",
"chars": 821,
"preview": "title: CreateMiniDump Hacktool\nid: db2110f3-479d-42a6-94fb-d35bc1e46492\nstatus: deprecated\nrelated:\n - id: 36d88494-1"
},
{
"path": "deprecated/windows/file_event_win_lsass_memory_dump_file_creation.yml",
"chars": 966,
"preview": "title: LSASS Memory Dump File Creation\nid: 5e3d3601-0662-4af0-b1d2-36a05e90c40a\nstatus: deprecated\ndescription: LSASS me"
},
{
"path": "deprecated/windows/file_event_win_mimikatz_memssp_log_file.yml",
"chars": 684,
"preview": "title: Mimikatz MemSSP Default Log File Creation\nid: 034affe8-6170-11ec-844f-0f78aa0c4d66\nrelated:\n - id: 9e099d99-44"
},
{
"path": "deprecated/windows/file_event_win_office_outlook_rdp_file_creation.yml",
"chars": 1679,
"preview": "title: .RDP File Created by Outlook Process\nid: f748c45a-f8d3-4e6f-b617-fe176f695b8f\nrelated:\n - id: fccfb43e-09a7-4b"
},
{
"path": "deprecated/windows/file_event_win_susp_clr_logs.yml",
"chars": 1540,
"preview": "title: Suspicious CLR Logs Creation\nid: e4b63079-6198-405c-abd7-3fe8b0ce3263\nstatus: deprecated\ndescription: Detects sus"
},
{
"path": "deprecated/windows/image_load_alternate_powershell_hosts_moduleload.yml",
"chars": 1297,
"preview": "title: Alternate PowerShell Hosts - Image\nid: fe6e002f-f244-4278-9263-20e4b593827f\nstatus: deprecated\ndescription: Detec"
},
{
"path": "deprecated/windows/image_load_office_dsparse_dll_load.yml",
"chars": 994,
"preview": "title: Active Directory Parsing DLL Loaded Via Office Application\nid: a2a3b925-7bb0-433b-b508-db9003263cc4\nstatus: depre"
},
{
"path": "deprecated/windows/image_load_office_kerberos_dll_load.yml",
"chars": 998,
"preview": "title: Active Directory Kerberos DLL Loaded Via Office Application\nid: 7417e29e-c2e7-4cf6-a2e8-767228c64837\nstatus: depr"
},
{
"path": "deprecated/windows/image_load_side_load_advapi32.yml",
"chars": 1024,
"preview": "title: Suspicious Load of Advapi31.dll\nid: d813d662-785b-42ca-8b4a-f7457d78d5a9\nstatus: deprecated\ndescription: Detects "
},
{
"path": "deprecated/windows/image_load_side_load_scm.yml",
"chars": 1068,
"preview": "title: SCM DLL Sideload\nid: bc3cc333-48b9-467a-9d1f-d44ee594ef48\nrelated:\n - id: 602a1f13-c640-4d73-b053-be9a2fa58b77"
},
{
"path": "deprecated/windows/image_load_side_load_svchost_dlls.yml",
"chars": 1302,
"preview": "title: Svchost DLL Search Order Hijack\nid: 602a1f13-c640-4d73-b053-be9a2fa58b77\nstatus: deprecated\ndescription: |\n De"
},
{
"path": "deprecated/windows/image_load_susp_uncommon_image_load.yml",
"chars": 827,
"preview": "title: Possible Process Hollowing Image Loading\nid: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7\nstatus: deprecated # Needs to b"
},
{
"path": "deprecated/windows/image_load_susp_winword_wmidll_load.yml",
"chars": 1251,
"preview": "title: Windows Management Instrumentation DLL Loaded Via Microsoft Word\nid: a457f232-7df9-491d-898f-b5aabd2cbe2f\nstatus:"
},
{
"path": "deprecated/windows/net_connection_win_binary_github_com.yml",
"chars": 1030,
"preview": "title: Microsoft Binary Github Communication\nid: 635dbb88-67b3-4b41-9ea5-a3af2dd88153\nstatus: deprecated\ndescription: De"
},
{
"path": "deprecated/windows/net_connection_win_reddit_api_non_browser_access.yml",
"chars": 2819,
"preview": "title: Suspicious Non-Browser Network Communication With Reddit API\nid: d7b09985-95a3-44be-8450-b6eadf49833e\nstatus: dep"
},
{
"path": "deprecated/windows/net_connection_win_susp_epmap.yml",
"chars": 957,
"preview": "title: Suspicious Epmap Connection\nid: 628d7a0b-7b84-4466-8552-e6138bc03b43\nstatus: deprecated\ndescription: Detects susp"
},
{
"path": "deprecated/windows/pipe_created_psexec_pipes_artifacts.yml",
"chars": 1286,
"preview": "title: PsExec Pipes Artifacts\nid: 9e77ed63-2ecf-4c7b-b09d-640834882028\nstatus: deprecated\ndescription: Detecting use PsE"
},
{
"path": "deprecated/windows/posh_pm_powercat.yml",
"chars": 901,
"preview": "title: Netcat The Powershell Version - PowerShell Module\nid: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2\nstatus: deprecated\ndes"
},
{
"path": "deprecated/windows/posh_ps_access_to_chrome_login_data.yml",
"chars": 1245,
"preview": "title: Accessing Encrypted Credentials from Google Chrome Login Database\nid: 98f4c75c-3089-44f3-b733-b327b9cd9c9d\nstatus"
},
{
"path": "deprecated/windows/posh_ps_azurehound_commands.yml",
"chars": 933,
"preview": "title: AzureHound PowerShell Commands\nid: 83083ac6-1816-4e76-97d7-59af9a9ae46e\nstatus: deprecated\ndescription: Detects t"
},
{
"path": "deprecated/windows/posh_ps_cl_invocation_lolscript.yml",
"chars": 778,
"preview": "title: Execution via CL_Invocation.ps1 - Powershell\nid: 4cd29327-685a-460e-9dac-c3ab96e549dc\nstatus: deprecated\ndescript"
},
{
"path": "deprecated/windows/posh_ps_cl_mutexverifiers_lolscript.yml",
"chars": 806,
"preview": "title: Execution via CL_Mutexverifiers.ps1\nid: 39776c99-1c7b-4ba0-b5aa-641525eee1a4\nstatus: deprecated\ndescription: Dete"
},
{
"path": "deprecated/windows/posh_ps_dnscat_execution.yml",
"chars": 713,
"preview": "title: Dnscat Execution\nid: a6d67db4-6220-436d-8afc-f3842fe05d43\nstatus: deprecated # In favour of the more generic Susp"
},
{
"path": "deprecated/windows/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml",
"chars": 849,
"preview": "title: Suspicious PowerShell Mailbox SMTP Forward Rule\nid: 15b7abbb-8b40-4d01-9ee2-b51994b1d474\nstatus: deprecated\ndescr"
},
{
"path": "deprecated/windows/posh_ps_file_and_directory_discovery.yml",
"chars": 1182,
"preview": "title: Powershell File and Directory Discovery\nid: d23f2ba5-9da0-4463-8908-8ee47f614bb9\nstatus: deprecated\ndescription: "
},
{
"path": "deprecated/windows/posh_ps_invoke_nightmare.yml",
"chars": 666,
"preview": "title: PrintNightmare Powershell Exploitation\nid: 6d3f1399-a81c-4409-aff3-1ecfe9330baf\nstatus: deprecated\ndescription: D"
},
{
"path": "deprecated/windows/posh_ps_susp_gwmi.yml",
"chars": 1117,
"preview": "title: Suspicious Get-WmiObject\nid: 0332a266-b584-47b4-933d-a00b103e1b37\nstatus: deprecated\ndescription: The infrastruct"
},
{
"path": "deprecated/windows/powershell_ps_susp_win32_shadowcopy.yml",
"chars": 1101,
"preview": "title: Delete Volume Shadow Copies via WMI with PowerShell - PS Script\nid: e17121b4-ef2a-4418-8a59-12fb1631fa9e\nrelated:"
},
{
"path": "deprecated/windows/powershell_suspicious_download.yml",
"chars": 604,
"preview": "title: Suspicious PowerShell Download\nid: 65531a81-a694-4e31-ae04-f8ba5bc33759\nstatus: deprecated\ndescription: Detects s"
},
{
"path": "deprecated/windows/powershell_suspicious_invocation_generic.yml",
"chars": 749,
"preview": "title: Suspicious PowerShell Invocations - Generic\nid: 3d304fda-78aa-43ed-975c-d740798a49c1\nstatus: deprecated\ndescripti"
},
{
"path": "deprecated/windows/powershell_suspicious_invocation_specific.yml",
"chars": 1922,
"preview": "title: Suspicious PowerShell Invocations - Specific\nid: fce5f582-cc00-41e1-941a-c6fabf0fdb8c\nstatus: deprecated\ndescript"
},
{
"path": "deprecated/windows/powershell_syncappvpublishingserver_exe.yml",
"chars": 789,
"preview": "title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction\nid: 9f7aa113-9da6-4a8d-907c-5f1a4b908299\nrela"
},
{
"path": "deprecated/windows/proc_access_win_in_memory_assembly_execution.yml",
"chars": 4907,
"preview": "title: Suspicious In-Memory Module Execution\nid: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39\nstatus: deprecated\ndescription: |\n"
},
{
"path": "deprecated/windows/proc_access_win_lazagne_cred_dump_lsass_access.yml",
"chars": 826,
"preview": "title: Credential Dumping by LaZagne\nid: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0\nstatus: stable\ndescription: Detects LSASS "
},
{
"path": "deprecated/windows/proc_access_win_lsass_susp_access.yml",
"chars": 6512,
"preview": "title: Credential Dumping Tools Accessing LSASS Memory\nid: 32d0d3e2-e58d-4d41-926b-18b520b2b32d\nstatus: deprecated\ndescr"
},
{
"path": "deprecated/windows/proc_access_win_pypykatz_cred_dump_lsass_access.yml",
"chars": 826,
"preview": "title: Credential Dumping by Pypykatz\nid: 7186e989-4ed7-4f4e-a656-4674b9e3e48b\nstatus: test\ndescription: Detects LSASS p"
},
{
"path": "deprecated/windows/proc_access_win_susp_invoke_patchingapi.yml",
"chars": 2924,
"preview": "title: Potential NT API Stub Patching\nid: b916cba1-b38a-42da-9223-17114d846fd6\nstatus: deprecated\ndescription: Detects p"
},
{
"path": "deprecated/windows/proc_creation_win_apt_apt29_thinktanks.yml",
"chars": 942,
"preview": "title: APT29\nid: 033fe7d6-66d1-4240-ac6b-28908009c71f\nstatus: deprecated\ndescription: This method detects a suspicious P"
},
{
"path": "deprecated/windows/proc_creation_win_apt_dragonfly.yml",
"chars": 717,
"preview": "title: CrackMapExecWin\nid: 04d9079e-3905-4b70-ad37-6bdf11304965\nstatus: deprecated\ndescription: Detects CrackMapExecWin "
},
{
"path": "deprecated/windows/proc_creation_win_apt_gallium.yml",
"chars": 1108,
"preview": "title: GALLIUM Artefacts\nid: 18739897-21b1-41da-8ee4-5b786915a676\nrelated:\n - id: 440a56bf-7873-4439-940a-1c8a671073c"
},
{
"path": "deprecated/windows/proc_creation_win_apt_hurricane_panda.yml",
"chars": 753,
"preview": "title: Hurricane Panda Activity\nid: 0eb2107b-a596-422e-b123-b389d5594ed7\nstatus: deprecated\ndescription: Detects Hurrica"
},
{
"path": "deprecated/windows/proc_creation_win_apt_lazarus_activity_apr21.yml",
"chars": 1092,
"preview": "title: Lazarus Activity Apr21\nid: 4a12fa47-c735-4032-a214-6fab5b120670\nstatus: deprecated\ndescription: Detects different"
},
{
"path": "deprecated/windows/proc_creation_win_apt_lazarus_loader.yml",
"chars": 1221,
"preview": "title: Lazarus Loaders\nid: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e\nstatus: deprecated\ndescription: Detects different loader"
},
{
"path": "deprecated/windows/proc_creation_win_apt_muddywater_dnstunnel.yml",
"chars": 820,
"preview": "title: DNS Tunnel Technique from MuddyWater\nid: 7454df60-1478-484b-810d-bff5d0ba6d4b\nstatus: deprecated\ndescription: Det"
},
{
"path": "deprecated/windows/proc_creation_win_apt_ta505_dropper.yml",
"chars": 732,
"preview": "title: TA505 Dropper Load Pattern\nid: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4\nstatus: deprecated\ndescription: Detects mshta"
},
{
"path": "deprecated/windows/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml",
"chars": 1300,
"preview": "title: File Download Via Bitsadmin To An Uncommon Target Folder\nid: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248\nstatus: depreca"
},
{
"path": "deprecated/windows/proc_creation_win_certutil_susp_execution.yml",
"chars": 1725,
"preview": "title: Suspicious Certutil Command Usage\nid: e011a729-98a6-4139-b5c4-bf6f6dd8239a\nstatus: deprecated\ndescription: Detect"
},
{
"path": "deprecated/windows/proc_creation_win_cmd_read_contents.yml",
"chars": 892,
"preview": "title: Read and Execute a File Via Cmd.exe\nid: 00a4bacd-6db4-46d5-9258-a7d5ebff4003\nstatus: deprecated\ndescription: Dete"
},
{
"path": "deprecated/windows/proc_creation_win_cmd_redirect_to_stream.yml",
"chars": 828,
"preview": "title: Cmd Stream Redirection\nid: 70e68156-6571-427b-a6e9-4476a173a9b6\nstatus: deprecated\ndescription: Detects the redir"
},
{
"path": "deprecated/windows/proc_creation_win_credential_acquisition_registry_hive_dumping.yml",
"chars": 911,
"preview": "title: Credential Acquisition via Registry Hive Dumping\nid: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0\nstatus: deprecated\ndesc"
},
{
"path": "deprecated/windows/proc_creation_win_cscript_vbs.yml",
"chars": 811,
"preview": "title: Visual Basic Script Execution\nid: 23250293-eed5-4c39-b57a-841c8933a57d\nstatus: deprecated\ndescription: Adversarie"
},
{
"path": "deprecated/windows/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml",
"chars": 975,
"preview": "title: Execution via MSSQL Xp_cmdshell Stored Procedure\nid: 344482e4-a477-436c-aa70-7536d18a48c7\nrelated:\n - id: d08d"
},
{
"path": "deprecated/windows/proc_creation_win_filefix_browsers.yml",
"chars": 1451,
"preview": "title: FileFix - Suspicious Child Process from Browser File Upload Abuse\nid: 4be03877-d5b6-4520-85c9-a5911c0a656c\nstatus"
},
{
"path": "deprecated/windows/proc_creation_win_indirect_cmd.yml",
"chars": 1087,
"preview": "title: Indirect Command Execution\nid: fa47597e-90e9-41cd-ab72-c3b74cfb0d02\nstatus: deprecated\ndescription: Detect indire"
},
{
"path": "deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml",
"chars": 1462,
"preview": "title: Indirect Command Exectuion via Forfiles\nid: a85cf4e3-56ee-4e79-adeb-789f8fb209a8\nrelated:\n - id: fa47597e-90e9"
},
{
"path": "deprecated/windows/proc_creation_win_invoke_obfuscation_via_rundll.yml",
"chars": 729,
"preview": "title: Invoke-Obfuscation RUNDLL LAUNCHER\nid: 056a7ee1-4853-4e67-86a0-3fd9ceed7555\nstatus: deprecated\ndescription: Detec"
},
{
"path": "deprecated/windows/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml",
"chars": 828,
"preview": "title: Invoke-Obfuscation Via Use Rundll32\nid: 36c5146c-d127-4f85-8e21-01bf62355d5a\nstatus: deprecated\ndescription: Dete"
},
{
"path": "deprecated/windows/proc_creation_win_lolbas_execution_of_wuauclt.yml",
"chars": 943,
"preview": "title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL\nid: ba1bb0cb-73da-42de-ad3a-de10c643a5d0\nstatus: experimental\n"
},
{
"path": "deprecated/windows/proc_creation_win_lolbin_findstr.yml",
"chars": 1507,
"preview": "title: Abusing Findstr for Defense Evasion\nid: bf6c39fc-e203-45b9-9538-05397c1b4f3f\nstatus: deprecated\ndescription: Atta"
},
{
"path": "deprecated/windows/proc_creation_win_lolbin_office.yml",
"chars": 1030,
"preview": "title: Suspicious File Download Using Office Application\nid: 0c79148b-118e-472b-bdb7-9b57b444cc19\nstatus: test\ndescripti"
},
{
"path": "deprecated/windows/proc_creation_win_lolbin_rdrleakdiag.yml",
"chars": 857,
"preview": "title: Process Memory Dumped Via RdrLeakDiag.EXE\nid: 6355a919-2e97-4285-a673-74645566340d\nstatus: deprecated\ndescription"
},
{
"path": "deprecated/windows/proc_creation_win_lolbins_by_office_applications.yml",
"chars": 2009,
"preview": "title: New Lolbin Process by Office Applications\nid: 23daeb52-e6eb-493c-8607-c4f0246cb7d8\nstatus: deprecated\ndescription"
},
{
"path": "deprecated/windows/proc_creation_win_mal_ryuk.yml",
"chars": 847,
"preview": "title: Ryuk Ransomware Command Line Activity\nid: 0acaad27-9f02-4136-a243-c357202edd74\nrelated:\n - id: c37510b8-2107-4"
},
{
"path": "deprecated/windows/proc_creation_win_malware_trickbot_recon_activity.yml",
"chars": 954,
"preview": "title: Trickbot Malware Reconnaissance Activity\nid: 410ad193-a728-4107-bc79-4419789fcbf8\nrelated:\n - id: 5cc90652-4cb"
},
{
"path": "deprecated/windows/proc_creation_win_mavinject_proc_inj.yml",
"chars": 707,
"preview": "title: MavInject Process Injection\nid: 17eb8e57-9983-420d-ad8a-2c4976c22eb8\nstatus: deprecated\ndescription: Detects proc"
},
{
"path": "deprecated/windows/proc_creation_win_msdt_diagcab.yml",
"chars": 1144,
"preview": "title: Execute MSDT.EXE Using Diagcab File\nid: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3\nstatus: deprecated\ndescription: Dete"
},
{
"path": "deprecated/windows/proc_creation_win_new_service_creation.yml",
"chars": 928,
"preview": "title: New Service Creation\nid: 7fe71fc9-de3b-432a-8d57-8c809efc10ab\nstatus: deprecated\ndescription: Detects creation of"
},
{
"path": "deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml",
"chars": 731,
"preview": "title: Nslookup PwSh Download Cradle\nid: 72671447-4352-4413-bb91-b85569687135\nstatus: deprecated\ndescription: This rule "
},
{
"path": "deprecated/windows/proc_creation_win_odbcconf_susp_exec.yml",
"chars": 1397,
"preview": "title: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe\nid: 65d2be45-8600-4042-b4c0-577a1ff8a60e\nstatus: d"
},
{
"path": "deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml",
"chars": 1751,
"preview": "title: Excel Proxy Executing Regsvr32 With Payload\nid: 9d1c72f5-43f0-4da5-9320-648cf2099dd0\nstatus: deprecated\ndescripti"
},
{
"path": "deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml",
"chars": 1785,
"preview": "title: Excel Proxy Executing Regsvr32 With Payload Alternate\nid: c0e1c3d5-4381-4f18-8145-2583f06a1fe5\nstatus: deprecated"
},
{
"path": "deprecated/windows/proc_creation_win_office_spawning_wmi_commandline.yml",
"chars": 1286,
"preview": "title: Office Applications Spawning Wmi Cli Alternate\nid: 04f5363a-6bca-42ff-be70-0d28bf629ead\nstatus: deprecated\ndescri"
},
{
"path": "deprecated/windows/proc_creation_win_possible_applocker_bypass.yml",
"chars": 1486,
"preview": "title: Possible Applocker Bypass\nid: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719\nstatus: deprecated\ndescription: Detects execut"
},
{
"path": "deprecated/windows/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml",
"chars": 843,
"preview": "title: PowerShell AMSI Bypass Pattern\nid: 4f927692-68b5-4267-871b-073c45f4f6fe\nstatus: deprecated\ndescription: Detects a"
},
{
"path": "deprecated/windows/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml",
"chars": 1364,
"preview": "title: Malicious Base64 Encoded Powershell Invoke Cmdlets\nid: fd6e2919-3936-40c9-99db-0aa922c356f7\nrelated:\n - id: 63"
},
{
"path": "deprecated/windows/proc_creation_win_powershell_base64_listing_shadowcopy.yml",
"chars": 1059,
"preview": "title: Base64 Encoded Listing of Shadowcopy\nid: 47688f1b-9f51-4656-b013-3cc49a166a36\nstatus: deprecated\ndescription: Det"
},
{
"path": "deprecated/windows/proc_creation_win_powershell_base64_shellcode.yml",
"chars": 631,
"preview": "title: Potential PowerShell Base64 Encoded Shellcode\nid: 2d117e49-e626-4c7c-bd1f-c3c0147774c8\nstatus: deprecated\ndescrip"
},
{
"path": "deprecated/windows/proc_creation_win_powershell_bitsjob.yml",
"chars": 924,
"preview": "title: Suspicious Bitsadmin Job via PowerShell\nid: f67dbfce-93bc-440d-86ad-a95ae8858c90\nstatus: deprecated\ndescription: "
},
{
"path": "deprecated/windows/proc_creation_win_powershell_download_cradles.yml",
"chars": 837,
"preview": "title: PowerShell Web Download\nid: 6e897651-f157-4d8f-aaeb-df8151488385\nstatus: deprecated\ndescription: Detects suspicio"
},
{
"path": "deprecated/windows/proc_creation_win_powershell_service_modification.yml",
"chars": 1314,
"preview": "title: Stop Or Remove Antivirus Service\nid: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b\nstatus: deprecated\ndescription: |\n D"
},
{
"path": "deprecated/windows/proc_creation_win_powershell_susp_ps_downloadfile.yml",
"chars": 917,
"preview": "title: PowerShell DownloadFile\nid: 8f70ac5f-1f6f-4f8e-b454-db19561216c5\nstatus: deprecated # Deprecated in favor of 3b6a"
},
{
"path": "deprecated/windows/proc_creation_win_powershell_xor_encoded_command.yml",
"chars": 1115,
"preview": "title: Potential Xor Encoded PowerShell Command\nid: 5b572dcf-254b-425c-a8c5-d9af6bea35a6\nrelated:\n - id: cdf05894-89e"
},
{
"path": "deprecated/windows/proc_creation_win_reg_dump_sam.yml",
"chars": 1010,
"preview": "title: Registry Dump of SAM Creds and Secrets\nid: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e\nrelated:\n - id: fd877b94-9bb5-"
},
{
"path": "deprecated/windows/proc_creation_win_regsvr32_anomalies.yml",
"chars": 2721,
"preview": "title: Regsvr32 Anomaly\nid: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d\nstatus: deprecated\ndescription: Detects various anomali"
},
{
"path": "deprecated/windows/proc_creation_win_renamed_paexec.yml",
"chars": 1104,
"preview": "title: Renamed PaExec Execution\nid: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b\nstatus: deprecated\ndescription: Detects executi"
},
{
"path": "deprecated/windows/proc_creation_win_renamed_powershell.yml",
"chars": 855,
"preview": "title: Renamed PowerShell\nid: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20\nstatus: deprecated\ndescription: Detects the execution"
},
{
"path": "deprecated/windows/proc_creation_win_renamed_psexec.yml",
"chars": 963,
"preview": "title: Renamed PsExec\nid: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2\nstatus: deprecated\ndescription: Detects the execution of "
},
{
"path": "deprecated/windows/proc_creation_win_renamed_rundll32.yml",
"chars": 641,
"preview": "title: Renamed Rundll32.exe Execution\nid: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2\nstatus: deprecated\ndescription: Detects t"
},
{
"path": "deprecated/windows/proc_creation_win_root_certificate_installed.yml",
"chars": 1314,
"preview": "title: Root Certificate Installed\nid: 46591fae-7a4c-46ea-aec3-dff5e6d785dc\nrelated:\n - id: 42821614-9264-4761-acfc-57"
},
{
"path": "deprecated/windows/proc_creation_win_run_from_zip.yml",
"chars": 650,
"preview": "title: Run from a Zip File\nid: 1a70042a-6622-4a2b-8958-267625349abf\nstatus: deprecated\ndescription: Payloads may be comp"
},
{
"path": "deprecated/windows/proc_creation_win_rundll32_js_runhtmlapplication.yml",
"chars": 960,
"preview": "title: Rundll32 JS RunHTMLApplication Pattern\nid: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3\nstatus: deprecated\ndescription: D"
},
{
"path": "deprecated/windows/proc_creation_win_rundll32_script_run.yml",
"chars": 1045,
"preview": "title: Suspicious Rundll32 Script in CommandLine\nid: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7\nstatus: deprecated\ndescription"
},
{
"path": "deprecated/windows/proc_creation_win_sc_delete_av_services.yml",
"chars": 3839,
"preview": "title: Suspicious Execution of Sc to Delete AV Services\nid: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b\nstatus: deprecated\ndesc"
},
{
"path": "deprecated/windows/proc_creation_win_schtasks_user_temp.yml",
"chars": 893,
"preview": "title: Suspicious Add Scheduled Task From User AppData Temp\nid: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8\nstatus: deprecated\n"
},
{
"path": "deprecated/windows/proc_creation_win_service_stop.yml",
"chars": 1381,
"preview": "title: Stop Windows Service\nid: eb87818d-db5d-49cc-a987-d5da331fbd90\nstatus: deprecated\ndescription: Detects a Windows s"
},
{
"path": "deprecated/windows/proc_creation_win_susp_bitstransfer.yml",
"chars": 841,
"preview": "title: Suspicious Bitstransfer via PowerShell\nid: cd5c8085-4070-4e22-908d-a5b3342deb74\nstatus: deprecated\ndescription: D"
},
{
"path": "deprecated/windows/proc_creation_win_susp_cmd_exectution_via_wmi.yml",
"chars": 868,
"preview": "title: Suspicious Cmd Execution via WMI\nid: e31f89f7-36fb-4697-8ab6-48823708353b\nstatus: deprecated\ndescription: Detects"
},
{
"path": "deprecated/windows/proc_creation_win_susp_commandline_chars.yml",
"chars": 1051,
"preview": "title: Suspicious Characters in CommandLine\nid: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9\nstatus: deprecated\ndescription: Det"
},
{
"path": "deprecated/windows/proc_creation_win_susp_lolbin_non_c_drive.yml",
"chars": 1268,
"preview": "title: Wscript Execution from Non C Drive\nid: 5b80cf53-3a46-4adc-960b-05ec19348d74\nstatus: deprecated\ndescription: Detec"
},
{
"path": "deprecated/windows/proc_creation_win_susp_run_folder.yml",
"chars": 1488,
"preview": "title: Process Start From Suspicious Folder\nid: dca91cfd-d7ab-4c66-8da7-ee57d487b35b\nstatus: deprecated\ndescription: Det"
},
{
"path": "deprecated/windows/proc_creation_win_susp_squirrel_lolbin.yml",
"chars": 2097,
"preview": "title: Squirrel Lolbin\nid: fa4b21c9-0057-4493-b289-2556416ae4d7\nstatus: deprecated\ndescription: Detects Possible Squirre"
},
{
"path": "deprecated/windows/proc_creation_win_sysinternals_psexec_service_execution.yml",
"chars": 942,
"preview": "title: PsExec Tool Execution\nid: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba\nrelated:\n - id: 42c575ea-e41e-41f1-b248-8093c3e"
},
{
"path": "deprecated/windows/proc_creation_win_sysinternals_psexesvc_start.yml",
"chars": 496,
"preview": "title: PsExec Service Start\nid: 3ede524d-21cc-472d-a3ce-d21b568d8db7\nstatus: deprecated\ndescription: Detects a PsExec se"
},
{
"path": "deprecated/windows/proc_creation_win_whoami_as_system.yml",
"chars": 920,
"preview": "title: Run Whoami as SYSTEM\nid: 80167ada-7a12-41ed-b8e9-aa47195c66a1\nstatus: deprecated\ndescription: Detects a whoami.ex"
},
{
"path": "deprecated/windows/proc_creation_win_whoami_execution.yml",
"chars": 961,
"preview": "title: Whoami Utility Execution\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\nstatus: deprecated # Deprecated in favor of 502"
},
{
"path": "deprecated/windows/proc_creation_win_winword_dll_load.yml",
"chars": 644,
"preview": "title: Winword.exe Loads Suspicious DLL\nid: 2621b3a6-3840-4810-ac14-a02426086171\nstatus: deprecated\ndescription: Detects"
},
{
"path": "deprecated/windows/proc_creation_win_wmic_execution_via_office_process.yml",
"chars": 1230,
"preview": "title: WMI Execution Via Office Process\nid: 518643ba-7d9c-4fa5-9f37-baed36059f6a\nrelated:\n - id: e1693bc8-7168-4eab-8"
},
{
"path": "deprecated/windows/proc_creation_win_wmic_remote_command.yml",
"chars": 851,
"preview": "title: WMI Remote Command Execution\nid: e42af9df-d90b-4306-b7fb-05c863847ebd\nstatus: deprecated\ndescription: An adversar"
},
{
"path": "deprecated/windows/proc_creation_win_wmic_remote_service.yml",
"chars": 1253,
"preview": "title: WMI Reconnaissance List Remote Services\nid: 09af397b-c5eb-4811-b2bb-08b3de464ebf\nstatus: deprecated\ndescription: "
},
{
"path": "deprecated/windows/proc_creation_win_wuauclt_execution.yml",
"chars": 902,
"preview": "title: Windows Update Client LOLBIN\nid: d7825193-b70a-48a4-b992-8b5b3015cc11\nstatus: deprecated\ndescription: Detects cod"
},
{
"path": "deprecated/windows/process_creation_syncappvpublishingserver_exe.yml",
"chars": 735,
"preview": "title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction\nid: fde7929d-8beb-4a4c-b922-be9974671667\ndesc"
},
{
"path": "deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml",
"chars": 942,
"preview": "title: Sysinternals SDelete Registry Keys\nid: 9841b233-8df8-4ad7-9133-b0b4402a9014\nstatus: deprecated\ndescription: A Gen"
},
{
"path": "deprecated/windows/registry_event_asep_reg_keys_modification.yml",
"chars": 9534,
"preview": "title: Autorun Keys Modification\nid: 17f878b8-9968-4578-b814-c4217fc5768c\ndescription: Detects modification of autostart"
},
{
"path": "deprecated/windows/registry_set_abusing_windows_telemetry_for_persistence.yml",
"chars": 1383,
"preview": "title: Abusing Windows Telemetry For Persistence - Registry\nid: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5\nstatus: deprecated\n"
},
{
"path": "deprecated/windows/registry_set_add_hidden_user.yml",
"chars": 803,
"preview": "title: User Account Hidden By Registry\nid: 8a58209c-7ae6-4027-afb0-307a78e4589a\nstatus: deprecated\ndescription: Detect m"
},
{
"path": "deprecated/windows/registry_set_creation_service_uncommon_folder.yml",
"chars": 1500,
"preview": "title: Service Binary in Uncommon Folder\nid: c625c4c2-515d-407f-8bb6-456f65955669\nstatus: deprecated\ndescription: Detect"
},
{
"path": "deprecated/windows/registry_set_disable_microsoft_office_security_features.yml",
"chars": 1541,
"preview": "title: Disable Microsoft Office Security Features\nid: 7c637634-c95d-4bbf-b26c-a82510874b34\nstatus: deprecated\ndescriptio"
},
{
"path": "deprecated/windows/registry_set_malware_adwind.yml",
"chars": 1015,
"preview": "title: Adwind RAT / JRAT - Registry\nid: 42f0e038-767e-4b85-9d96-2c6335bad0b5\nrelated:\n - id: 1fac1481-2dbc-48b2-9096-"
},
{
"path": "deprecated/windows/registry_set_office_security.yml",
"chars": 1011,
"preview": "title: Office Security Settings Changed\nid: 9b894e57-033f-46cf-b7fa-a52804181973\nstatus: deprecated\ndescription: Detects"
},
{
"path": "deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml",
"chars": 1460,
"preview": "title: Potential Persistence Via COM Hijacking From Suspicious Locations\nid: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77\nrelate"
},
{
"path": "deprecated/windows/registry_set_persistence_search_order.yml",
"chars": 3699,
"preview": "title: Potential Persistence Via COM Search Order Hijacking\nid: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12\nrelated:\n - id: "
},
{
"path": "deprecated/windows/registry_set_silentprocessexit.yml",
"chars": 887,
"preview": "title: SilentProcessExit Monitor Registration\nid: c81fe886-cac0-4913-a511-2822d72ff505\nstatus: deprecated\ndescription: D"
},
{
"path": "deprecated/windows/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml",
"chars": 730,
"preview": "title: Accessing WinAPI in PowerShell for Credentials Dumping\nid: 3f07b9d1-2082-4c56-9277-613a621983cc\nstatus: deprecate"
},
{
"path": "deprecated/windows/sysmon_dcom_iertutil_dll_hijack.yml",
"chars": 1076,
"preview": "title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon\nid: e554f142-5cf3-4e55-ace9-a1b59e0def65\nstatus: d"
},
{
"path": "deprecated/windows/sysmon_mimikatz_detection_lsass.yml",
"chars": 1317,
"preview": "title: Mimikatz Detection LSASS Access\nid: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9\nstatus: deprecated\ndescription: Detects "
},
{
"path": "deprecated/windows/sysmon_powershell_execution_moduleload.yml",
"chars": 745,
"preview": "title: PowerShell Execution\nid: 867613fb-fa60-4497-a017-a82df74a172c\ndescription: Detects execution of PowerShell\nstatus"
},
{
"path": "deprecated/windows/sysmon_rclone_execution.yml",
"chars": 1454,
"preview": "title: RClone Execution\nid: a0d63692-a531-4912-ad39-4393325b2a9c\nstatus: deprecated\ndescription: Detects execution of RC"
},
{
"path": "deprecated/windows/win_defender_disabled.yml",
"chars": 1129,
"preview": "title: Windows Defender Threat Detection Disabled\nid: fe34868f-6e0e-4882-81f6-c43aa8f15b62\nstatus: deprecated\ndescriptio"
},
{
"path": "deprecated/windows/win_dsquery_domain_trust_discovery.yml",
"chars": 755,
"preview": "title: Domain Trust Discovery\nid: 77815820-246c-47b8-9741-e0def3f57308\nstatus: deprecated\ndescription: Detects a discove"
},
{
"path": "deprecated/windows/win_lateral_movement_condrv.yml",
"chars": 1083,
"preview": "title: Lateral Movement Indicator ConDrv\nid: 29d31aee-30f4-4006-85a9-a4a02d65306c\nstatus: deprecated #Too many FP\ndescri"
},
{
"path": "deprecated/windows/win_security_event_log_cleared.yml",
"chars": 776,
"preview": "title: Security Event Log Cleared\nid: a122ac13-daf8-4175-83a2-72c387be339d\nstatus: deprecated\ndescription: Checks for ev"
},
{
"path": "deprecated/windows/win_security_group_modification_logging.yml",
"chars": 2769,
"preview": "title: Group Modification Logging\nid: 9cf01b6c-e723-4841-a868-6d7f8245ca6e\nstatus: deprecated\ndescription: |\n Configure"
},
{
"path": "deprecated/windows/win_security_lolbas_execution_of_nltest.yml",
"chars": 1107,
"preview": "title: Correct Execution of Nltest.exe\nid: eeb66bbb-3dde-4582-815a-584aee9fe6d1\nstatus: deprecated\ndescription: The atta"
},
{
"path": "deprecated/windows/win_security_windows_defender_exclusions_write_deleted.yml",
"chars": 1091,
"preview": "title: Windows Defender Exclusion Deleted\nid: a33f8808-2812-4373-ae95-8cfb82134978\nrelated:\n - id: e9c8808f-4cfb-4ba9"
},
{
"path": "deprecated/windows/win_susp_esentutl_activity.yml",
"chars": 864,
"preview": "title: Suspicious Esentutl Use\nid: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7\nstatus: deprecated\ndescription: Detects flags of"
},
{
"path": "deprecated/windows/win_susp_rclone_exec.yml",
"chars": 1159,
"preview": "title: Rclone Execution via Command Line or PowerShell\nid: cb7286ba-f207-44ab-b9e6-760d82b84253\ndescription: Detects Rcl"
},
{
"path": "deprecated/windows/win_susp_vssadmin_ntds_activity.yml",
"chars": 1622,
"preview": "title: Activity Related to NTDS.dit Domain Hash Retrieval\nid: b932b60f-fdda-4d53-8eda-a170c1d97bbd\nstatus: deprecated\nde"
},
{
"path": "deprecated/windows/win_system_service_install_susp_double_ampersand.yml",
"chars": 638,
"preview": "title: New Service Uses Double Ampersand in Path\nid: ca83e9f3-657a-45d0-88d6-c1ac280caf53\nstatus: deprecated\ndescription"
},
{
"path": "deprecated/windows/win_system_susp_sam_dump.yml",
"chars": 719,
"preview": "title: SAM Dump to AppData\nid: 839dd1e8-eda8-4834-8145-01beeee33acd\nstatus: deprecated\ndescription: Detects suspicious S"
},
{
"path": "documentation/README.md",
"chars": 0,
"preview": ""
},
{
"path": "documentation/logsource-guides/other/antivirus.md",
"chars": 15,
"preview": "**Coming Soon**"
},
{
"path": "documentation/logsource-guides/windows/category/process_creation.md",
"chars": 5006,
"preview": "# category: process_creation\n\nID: 2ff912e8-159f-4789-a2ef-761292b32a23\n\n## Content\n\n<details>\n <summary>Expand</summa"
},
{
"path": "documentation/logsource-guides/windows/category/ps_module.md",
"chars": 2795,
"preview": "# category: ps_module\n\nID: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\n\n## Content\n\n<details>\n <summary>Expand</summary>\n\n- "
}
]
// ... and 4272 more files (download for full content)