├── .github └── workflows │ └── sigma-test.yml ├── .gitignore ├── .yamllint ├── BREAKING_CHANGES.md ├── CHANGELOG.md ├── CHANGELOG.md.j2 ├── LICENSE.Detection.Rules.md ├── Makefile ├── Pipfile ├── Pipfile.lock ├── README.md ├── _config.yml ├── contrib ├── filter-uuid-patch ├── sigma2CSV.py ├── sigma2elastalert.py ├── sigma2sumologic.py └── sigmacover.py ├── images ├── Problem_OSI_v01.png ├── Sigma-description.png ├── Sigma_0.3.png ├── Sigma_0.3_inverted_title_wiki.png ├── Sigma_Coverage.png ├── Sigma_Schema.png ├── Sigma_rule_example1.png ├── Sigma_rule_example2.png ├── Sigma_rule_example3.png ├── Sigma_rule_example4.png ├── Sigma_rule_example5.png ├── Sigmac-win_susp_rc4_kerberos.png ├── sigma2attack.png ├── sigma_infographic_hq.png └── sigma_infographic_lq.png ├── other ├── godmode_sigma_rule.yml ├── sigma_attack_nav_coverage.json └── sigma_attack_nav_coverage.png ├── rules-unsupported ├── driver_load_invoke_obfuscation_clip+_services.yml ├── driver_load_invoke_obfuscation_obfuscated_iex_services.yml ├── driver_load_invoke_obfuscation_stdin+_services.yml ├── driver_load_invoke_obfuscation_var+_services.yml ├── driver_load_invoke_obfuscation_via_compress_services.yml ├── driver_load_invoke_obfuscation_via_rundll_services.yml ├── driver_load_invoke_obfuscation_via_stdin_services.yml ├── driver_load_invoke_obfuscation_via_use_clip_services.yml ├── driver_load_invoke_obfuscation_via_use_mshta_services.yml ├── driver_load_invoke_obfuscation_via_use_rundll32_services.yml ├── driver_load_invoke_obfuscation_via_var++_services.yml ├── driver_load_tap_driver_installation.yml ├── net_dns_high_subdomain_rate.yml ├── net_dns_large_domain_name.yml ├── net_possible_dns_rebinding.yml ├── sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml ├── sysmon_always_install_elevated_parent_child_correlated.yml ├── sysmon_process_reimaging.yml ├── win_access_fake_files_with_stored_credentials.yml ├── win_apt_apt29_tor.yml ├── win_dumping_ntdsdit_via_dcsync.yml ├── win_dumping_ntdsdit_via_netsync.yml ├── win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml ├── win_mal_service_installs.yml ├── win_metasploit_or_impacket_smb_psexec_service_install.yml ├── win_possible_privilege_escalation_using_rotten_potato.yml ├── win_remote_schtask.yml └── win_remote_service.yml ├── rules ├── application │ ├── app_python_sql_exceptions.yml │ ├── app_sqlinjection_errors.yml │ ├── appframework_django_exceptions.yml │ ├── appframework_ruby_on_rails_exceptions.yml │ └── appframework_spring_exceptions.yml ├── apt │ ├── apt_silence_downloader_v3.yml │ └── apt_silence_eda.yml ├── cloud │ ├── aws │ │ ├── aws_attached_malicious_lambda_layer.yml │ │ ├── aws_cloudtrail_disable_logging.yml │ │ ├── aws_config_disable_recording.yml │ │ ├── aws_ec2_disable_encryption.yml │ │ ├── aws_ec2_download_userdata.yml │ │ ├── aws_ec2_startup_script_change.yml │ │ ├── aws_ec2_vm_export_failure.yml │ │ ├── aws_efs_fileshare_modified_or_deleted.yml │ │ ├── aws_efs_fileshare_mount_modified_or_deleted.yml │ │ ├── aws_eks_cluster_created_or_deleted.yml │ │ ├── aws_elasticache_security_group_created.yml │ │ ├── aws_elasticache_security_group_modified_or_deleted.yml │ │ ├── aws_enum_listing.yml │ │ ├── aws_guardduty_disruption.yml │ │ ├── aws_iam_backdoor_users_keys.yml │ │ ├── aws_lambda_function_created_or_invoked.yml │ │ ├── aws_macic_evasion.yml │ │ ├── aws_rds_change_master_password.yml │ │ ├── aws_rds_public_db_restore.yml │ │ ├── aws_root_account_usage.yml │ │ ├── aws_route_53_domain_transferred_lock_disabled.yml │ │ ├── aws_route_53_domain_transferred_to_another_account.yml │ │ ├── aws_s3_data_management_tampering.yml │ │ ├── aws_securityhub_finding_evasion.yml │ │ ├── aws_snapshot_backup_exfiltration.yml │ │ ├── aws_sts_assumerole_misuse.yml │ │ ├── aws_sts_getsessiontoken_misuse.yml │ │ ├── aws_suspicious_saml_activity.yml │ │ ├── aws_update_login_profile.yml │ │ └── passed_role_to_glue_development_endpoint.yml │ ├── azure │ │ ├── azure_aadhybridhealth_adfs_new_server.yml │ │ ├── azure_aadhybridhealth_adfs_service_delete.yml │ │ ├── azure_account_lockout.yml │ │ ├── azure_ad_user_added_to_admin_role.yml │ │ ├── azure_app_credential_modification.yml │ │ ├── azure_application_deleted.yml │ │ ├── azure_application_gateway_modified_or_deleted.yml │ │ ├── azure_application_security_group_modified_or_deleted.yml │ │ ├── azure_change_to_authentication_method.yml │ │ ├── azure_container_registry_created_or_deleted.yml │ │ ├── azure_creating_number_of_resources_detection.yml │ │ ├── azure_device_no_longer_managed_or_compliant.yml │ │ ├── azure_device_or_configuration_modified_or_deleted.yml │ │ ├── azure_dns_zone_modified_or_deleted.yml │ │ ├── azure_federation_modified.yml │ │ ├── azure_firewall_modified_or_deleted.yml │ │ ├── azure_firewall_rule_collection_modified_or_deleted.yml │ │ ├── azure_granting_permission_detection.yml │ │ ├── azure_keyvault_key_modified_or_deleted.yml │ │ ├── azure_keyvault_modified_or_deleted.yml │ │ ├── azure_keyvault_secrets_modified_or_deleted.yml │ │ ├── azure_kubernetes_cluster_created_or_deleted.yml │ │ ├── azure_kubernetes_events_deleted.yml │ │ ├── azure_kubernetes_network_policy_change.yml │ │ ├── azure_kubernetes_pods_deleted.yml │ │ ├── azure_kubernetes_role_access.yml │ │ ├── azure_kubernetes_rolebinding_modified_or_deleted.yml │ │ ├── azure_kubernetes_secret_or_config_object_access.yml │ │ ├── azure_kubernetes_service_account_modified_or_deleted.yml │ │ ├── azure_login_to_disabled_account.yml │ │ ├── azure_mfa_interrupted.yml │ │ ├── azure_network_firewall_policy_modified_or_deleted.yml │ │ ├── azure_network_firewall_rule_modified_or_deleted.yml │ │ ├── azure_network_p2s_vpn_modified_or_deleted.yml │ │ ├── azure_network_security_modified_or_deleted.yml │ │ ├── azure_network_virtual_device_modified_or_deleted.yml │ │ ├── azure_new_cloudshell_created.yml │ │ ├── azure_owner_removed_from_application_or_service_principal.yml │ │ ├── azure_rare_operations.yml │ │ ├── azure_service_principal_created.yml │ │ ├── azure_service_principal_removed.yml │ │ ├── azure_suppression_rule_created.yml │ │ ├── azure_user_login_blocked_by_conditional_access.yml │ │ ├── azure_virtual_network_modified_or_deleted.yml │ │ └── azure_vpn_connection_modified_or_deleted.yml │ ├── gcp │ │ ├── gcp_bucket_enumeration.yml │ │ ├── gcp_bucket_modified_or_deleted.yml │ │ ├── gcp_dlp_re_identifies_sensitive_information.yml │ │ ├── gcp_dns_zone_modified_or_deleted.yml │ │ ├── gcp_firewall_rule_modified_or_deleted.yml │ │ ├── gcp_full_network_traffic_packet_capture.yml │ │ ├── gcp_kubernetes_rolebinding.yml │ │ ├── gcp_kubernetes_secrets_modified_or_deleted.yml │ │ ├── gcp_service_account_disabled_or_deleted.yml │ │ ├── gcp_service_account_modified.yml │ │ └── gcp_vpn_tunnel_modified_or_deleted.yml │ ├── gworkspace │ │ ├── gworkspace_application_removed.yml │ │ ├── gworkspace_granted_domain_api_access.yml │ │ ├── gworkspace_mfa_disabled.yml │ │ ├── gworkspace_role_modified_or_deleted.yml │ │ ├── gworkspace_role_privilege_deleted.yml │ │ └── gworkspace_user_granted_admin_privileges.yml │ ├── m365 │ │ ├── microsoft365_activity_by_terminated_user.yml │ │ ├── microsoft365_activity_from_anonymous_ip_addresses.yml │ │ ├── microsoft365_activity_from_infrequent_country.yml │ │ ├── microsoft365_data_exfiltration_to_unsanctioned_app.yml │ │ ├── microsoft365_from_suspicious_ip_addresses.yml │ │ ├── microsoft365_impossible_travel_activity.yml │ │ ├── microsoft365_logon_from_risky_ip_address.yml │ │ ├── microsoft365_potential_ransomware_activity.yml │ │ ├── microsoft365_suspicious_inbox_forwarding.yml │ │ ├── microsoft365_suspicious_oauth_app_file_download_activities.yml │ │ ├── microsoft365_unusual_volume_of_file_deletion.yml │ │ └── microsoft365_user_restricted_from_sending_email.yml │ ├── okta │ │ ├── okta_admin_role_assigned_to_user_or_group.yml │ │ ├── okta_api_token_created.yml │ │ ├── okta_api_token_revoked.yml │ │ ├── okta_application_modified_or_deleted.yml │ │ ├── okta_application_sign_on_policy_modified_or_deleted.yml │ │ ├── okta_mfa_reset_or_deactivated.yml │ │ ├── okta_network_zone_deactivated_or_deleted.yml │ │ ├── okta_policy_modified_or_deleted.yml │ │ ├── okta_policy_rule_modified_or_deleted.yml │ │ ├── okta_security_threat_detected.yml │ │ ├── okta_unauthorized_access_to_app.yml │ │ └── okta_user_account_locked_out.yml │ └── onelogin │ │ ├── onelogin_assumed_another_user.yml │ │ └── onelogin_user_account_locked.yml ├── compliance │ ├── default_credentials_usage.yml │ ├── firewall_cleartext_protocols.yml │ ├── group_modification_logging.yml │ ├── host_without_firewall.yml │ ├── netflow_cleartext_protocols.yml │ └── workstation_was_locked.yml ├── generic │ └── generic_brute_force.yml ├── linux │ ├── at_command.yml │ ├── auditd │ │ ├── lnx_auditd_alter_bash_profile.yml │ │ ├── lnx_auditd_audio_capture.yml │ │ ├── lnx_auditd_auditing_config_change.yml │ │ ├── lnx_auditd_binary_padding.yml │ │ ├── lnx_auditd_change_file_time_attr.yml │ │ ├── lnx_auditd_chattr_immutable_removal.yml │ │ ├── lnx_auditd_clipboard_collection.yml │ │ ├── lnx_auditd_clipboard_image_collection.yml │ │ ├── lnx_auditd_coinminer.yml │ │ ├── lnx_auditd_create_account.yml │ │ ├── lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml │ │ ├── lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml │ │ ├── lnx_auditd_dd_delete_file.yml │ │ ├── lnx_auditd_file_or_folder_permissions.yml │ │ ├── lnx_auditd_find_cred_in_files.yml │ │ ├── lnx_auditd_hidden_files_directories.yml │ │ ├── lnx_auditd_hidden_zip_files_steganography.yml │ │ ├── lnx_auditd_ld_so_preload_mod.yml │ │ ├── lnx_auditd_logging_config_change.yml │ │ ├── lnx_auditd_masquerading_crond.yml │ │ ├── lnx_auditd_network_service_scanning.yml │ │ ├── lnx_auditd_omigod_scx_runasprovider_executescript.yml │ │ ├── lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml │ │ ├── lnx_auditd_password_policy_discovery.yml │ │ ├── lnx_auditd_pers_systemd_reload.yml │ │ ├── lnx_auditd_screencapture_import.yml │ │ ├── lnx_auditd_screencaputre_xwd.yml │ │ ├── lnx_auditd_split_file_into_pieces.yml │ │ ├── lnx_auditd_steghide_embed_steganography.yml │ │ ├── lnx_auditd_steghide_extract_steganography.yml │ │ ├── lnx_auditd_susp_c2_commands.yml │ │ ├── lnx_auditd_susp_cmds.yml │ │ ├── lnx_auditd_susp_exe_folders.yml │ │ ├── lnx_auditd_susp_histfile_operations.yml │ │ ├── lnx_auditd_system_info_discovery.yml │ │ ├── lnx_auditd_system_info_discovery2.yml │ │ ├── lnx_auditd_system_shutdown_reboot.yml │ │ ├── lnx_auditd_unzip_hidden_zip_files_steganography.yml │ │ ├── lnx_auditd_user_discovery.yml │ │ ├── lnx_auditd_web_rce.yml │ │ ├── lnx_data_compressed.yml │ │ └── lnx_network_sniffing.yml │ ├── lnx_apt_equationgroup_lnx.yml │ ├── lnx_base64_decode.yml │ ├── lnx_buffer_overflows.yml │ ├── lnx_clamav.yml │ ├── lnx_clear_logs.yml │ ├── lnx_clear_syslog.yml │ ├── lnx_file_and_directory_discovery.yml │ ├── lnx_file_copy.yml │ ├── lnx_file_deletion.yml │ ├── lnx_install_root_certificate.yml │ ├── lnx_ldso_preload_injection.yml │ ├── lnx_local_account.yml │ ├── lnx_local_groups.yml │ ├── lnx_network_service_scanning.yml │ ├── lnx_process_discovery.yml │ ├── lnx_proxy_connection.yml │ ├── lnx_remote_system_discovery.yml │ ├── lnx_schedule_task_job_cron.yml │ ├── lnx_security_software_discovery.yml │ ├── lnx_security_tools_disabling.yml │ ├── lnx_security_tools_disabling_syslog.yml │ ├── lnx_setgid_setuid.yml │ ├── lnx_shell_clear_cmd_history.yml │ ├── lnx_shell_priv_esc_prep.yml │ ├── lnx_shell_susp_commands.yml │ ├── lnx_shell_susp_log_entries.yml │ ├── lnx_shell_susp_rev_shells.yml │ ├── lnx_shellshock.yml │ ├── lnx_space_after_filename_.yml │ ├── lnx_ssh_cve_2018_15473.yml │ ├── lnx_sudo_cve_2019_14287.yml │ ├── lnx_sudo_cve_2019_14287_user.yml │ ├── lnx_susp_failed_logons_single_source.yml │ ├── lnx_susp_guacamole.yml │ ├── lnx_susp_jexboss.yml │ ├── lnx_susp_named.yml │ ├── lnx_susp_ssh.yml │ ├── lnx_susp_vsftp.yml │ ├── lnx_symlink_etc_passwd.yml │ ├── lnx_system_info_discovery.yml │ ├── lnx_system_network_connections_discovery.yml │ ├── lnx_system_network_discovery.yml │ ├── macos_applescript.yml │ ├── macos_base64_decode.yml │ ├── macos_binary_padding.yml │ ├── macos_change_file_time_attr.yml │ ├── macos_clear_system_logs.yml │ ├── macos_create_account.yml │ ├── macos_create_hidden_account.yml │ ├── macos_creds_from_keychain.yml │ ├── macos_disable_security_tools.yml │ ├── macos_emond_launch_daemon.yml │ ├── macos_file_and_directory_discovery.yml │ ├── macos_find_cred_in_files.yml │ ├── macos_gui_input_capture.yml │ ├── macos_local_account.yml │ ├── macos_local_groups.yml │ ├── macos_network_service_scanning.yml │ ├── macos_network_sniffing.yml │ ├── macos_remote_system_discovery.yml │ ├── macos_schedule_task_job_cron.yml │ ├── macos_screencapture.yml │ ├── macos_security_software_discovery.yml │ ├── macos_split_file_into_pieces.yml │ ├── macos_startup_items.yml │ ├── macos_susp_histfile_operations.yml │ ├── macos_suspicious_macos_firmware_activity.yml │ ├── macos_system_network_connections_discovery.yml │ ├── macos_system_network_discovery.yml │ ├── macos_system_shutdown_reboot.yml │ ├── macos_xattr_gatekeeper_bypass.yml │ └── modsecurity │ │ └── modsec_mulitple_blocks.yml ├── network │ ├── cisco │ │ └── aaa │ │ │ ├── cisco_cli_clear_logs.yml │ │ │ ├── cisco_cli_collect_data.yml │ │ │ ├── cisco_cli_crypto_actions.yml │ │ │ ├── cisco_cli_disable_logging.yml │ │ │ ├── cisco_cli_discovery.yml │ │ │ ├── cisco_cli_dos.yml │ │ │ ├── cisco_cli_file_deletion.yml │ │ │ ├── cisco_cli_input_capture.yml │ │ │ ├── cisco_cli_local_accounts.yml │ │ │ ├── cisco_cli_modify_config.yml │ │ │ ├── cisco_cli_moving_data.yml │ │ │ └── cisco_cli_net_sniff.yml │ ├── net_apt_equationgroup_c2.yml │ ├── net_dns_c2_detection.yml │ ├── net_firewall_high_dns_bytes_out.yml │ ├── net_firewall_high_dns_requests_rate.yml │ ├── net_high_dns_bytes_out.yml │ ├── net_high_dns_requests_rate.yml │ ├── net_high_null_records_requests_rate.yml │ ├── net_high_txt_records_requests_rate.yml │ ├── net_mal_dns_cobaltstrike.yml │ ├── net_susp_dns_b64_queries.yml │ ├── net_susp_dns_txt_exec_strings.yml │ ├── net_susp_ipify.yml │ ├── net_susp_network_scan_by_ip.yml │ ├── net_susp_network_scan_by_port.yml │ ├── net_susp_telegram_api.yml │ ├── net_wannacry_killswitch_domain.yml │ └── zeek │ │ ├── zeek_dce_rpc_domain_user_enumeration.yml │ │ ├── zeek_dce_rpc_mitre_bzar_execution.yml │ │ ├── zeek_dce_rpc_mitre_bzar_persistence.yml │ │ ├── zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml │ │ ├── zeek_dce_rpc_printnightmare_print_driver_install.yml │ │ ├── zeek_dce_rpc_smb_spoolss_named_pipe.yml │ │ ├── zeek_default_cobalt_strike_certificate.yml │ │ ├── zeek_dns_mining_pools.yml │ │ ├── zeek_dns_suspicious_zbit_flag.yml │ │ ├── zeek_dns_torproxy.yml │ │ ├── zeek_http_executable_download_from_webdav.yml │ │ ├── zeek_http_exfiltration_compressed_files.yml │ │ ├── zeek_http_omigod_no_auth_rce.yml │ │ ├── zeek_http_webdav_put_request.yml │ │ ├── zeek_rdp_public_listener.yml │ │ ├── zeek_smb_converted_win_atsvc_task.yml │ │ ├── zeek_smb_converted_win_impacket_secretdump.yml │ │ ├── zeek_smb_converted_win_lm_namedpipe.yml │ │ ├── zeek_smb_converted_win_susp_psexec.yml │ │ ├── zeek_smb_converted_win_susp_raccess_sensitive_fext.yml │ │ ├── zeek_smb_converted_win_transferring_files_with_credential_data.yml │ │ └── zeek_susp_kerberos_rc4.yml ├── proxy │ ├── proxy_apt40.yml │ ├── proxy_apt_domestic_kitten.yml │ ├── proxy_baby_shark.yml │ ├── proxy_chafer_malware.yml │ ├── proxy_cobalt_amazon.yml │ ├── proxy_cobalt_malformed_uas.yml │ ├── proxy_cobalt_ocsp.yml │ ├── proxy_cobalt_onedrive.yml │ ├── proxy_download_susp_dyndns.yml │ ├── proxy_download_susp_tlds_blacklist.yml │ ├── proxy_download_susp_tlds_whitelist.yml │ ├── proxy_downloadcradle_webdav.yml │ ├── proxy_empire_ua_uri_combos.yml │ ├── proxy_empty_ua.yml │ ├── proxy_ios_implant.yml │ ├── proxy_powershell_ua.yml │ ├── proxy_pwndrop.yml │ ├── proxy_raw_paste_service_access.yml │ ├── proxy_susp_flash_download_loc.yml │ ├── proxy_telegram_api.yml │ ├── proxy_turla_comrat.yml │ ├── proxy_ua_apt.yml │ ├── proxy_ua_bitsadmin_susp_tld.yml │ ├── proxy_ua_cryptominer.yml │ ├── proxy_ua_frameworks.yml │ ├── proxy_ua_hacktool.yml │ ├── proxy_ua_malware.yml │ ├── proxy_ua_suspicious.yml │ ├── proxy_ursnif_malware_c2_url.yml │ └── proxy_ursnif_malware_download_url.yml ├── web │ ├── sql_injection_keywords.yml │ ├── web_apache_segfault.yml │ ├── web_apache_threading_error.yml │ ├── web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml │ ├── web_citrix_cve_2019_19781_exploit.yml │ ├── web_citrix_cve_2020_8193_8195_exploit.yml │ ├── web_cve_2010_5278_exploitation_attempt.yml │ ├── web_cve_2018_2894_weblogic_exploit.yml │ ├── web_cve_2019_3398_confluence.yml │ ├── web_cve_2020_0688_msexchange.yml │ ├── web_cve_2020_14882_weblogic_exploit.yml │ ├── web_cve_2020_3452_cisco_asa_ftd.yml │ ├── web_cve_2020_5902_f5_bigip.yml │ ├── web_cve_2021_2109_weblogic_rce_exploit.yml │ ├── web_cve_2021_21978_vmware_view_planner_exploit.yml │ ├── web_cve_2021_22005_vmware_file_upload.yml │ ├── web_cve_2021_22893_pulse_secure_rce_exploit.yml │ ├── web_cve_2021_26814_wzuh_rce.yml │ ├── web_cve_2021_26858_iis_rce.yml │ ├── web_cve_2021_33766_msexchange_proxytoken.yml │ ├── web_cve_2021_40539_adselfservice.yml │ ├── web_cve_2021_40539_manageengine_adselfservice_exploit.yml │ ├── web_cve_2021_41773_apache_path_traversal.yml │ ├── web_exchange_cve_2020_0688_exploit.yml │ ├── web_exchange_exploitation_hafnium.yml │ ├── web_exchange_proxyshell.yml │ ├── web_exchange_proxyshell_successful.yml │ ├── web_expl_exchange_cve_2021_28480.yml │ ├── web_fortinet_cve_2018_13379_preauth_read_exploit.yml │ ├── web_fortinet_cve_2021_22123_exploit.yml │ ├── web_iis_tilt_shortname_scan.yml │ ├── web_multiple_suspicious_resp_codes_single_source.yml │ ├── web_nginx_core_dump.yml │ ├── web_path_traversal_exploitation_attempt.yml │ ├── web_pulsesecure_cve_2019_11510.yml │ ├── web_solarwinds_cve_2020_10148.yml │ ├── web_solarwinds_supernova_webshell.yml │ ├── web_sonicwall_jarrewrite_exploit.yml │ ├── web_source_code_enumeration.yml │ ├── web_terramaster_cve_2020_28188_rce_exploit.yml │ ├── web_unc2546_dewmode_php_webshell.yml │ ├── web_vsphere_cve_2021_21972_unauth_rce_exploit.yml │ ├── web_webshell_keyword.yml │ ├── win_powershell_snapins_hafnium.yml │ ├── win_webshell_regeorg.yml │ └── xss_keywords.yml └── windows │ ├── builtin │ ├── win_aadhealth_mon_agent_regkey_access.yml │ ├── win_aadhealth_svc_agent_regkey_access.yml │ ├── win_account_backdoor_dcsync_rights.yml │ ├── win_account_discovery.yml │ ├── win_ad_object_writedac_access.yml │ ├── win_ad_replication_non_machine_account.yml │ ├── win_ad_user_enumeration.yml │ ├── win_admin_rdp_login.yml │ ├── win_admin_share_access.yml │ ├── win_alert_active_directory_user_control.yml │ ├── win_alert_ad_user_backdoors.yml │ ├── win_alert_enable_weak_encryption.yml │ ├── win_alert_lsass_access.yml │ ├── win_alert_mimikatz_keywords.yml │ ├── win_alert_ruler.yml │ ├── win_applocker_file_was_not_allowed_to_run.yml │ ├── win_apt_carbonpaper_turla.yml │ ├── win_apt_chafer_mar18_security.yml │ ├── win_apt_chafer_mar18_system.yml │ ├── win_apt_gallium.yml │ ├── win_apt_slingshot.yml │ ├── win_apt_stonedrill.yml │ ├── win_apt_turla_service_png.yml │ ├── win_apt_wocao.yml │ ├── win_arbitrary_shell_execution_via_settingcontent.yml │ ├── win_asr_bypass_via_appvlp_re.yml │ ├── win_atsvc_task.yml │ ├── win_audit_cve.yml │ ├── win_av_relevant_match.yml │ ├── win_camera_microphone_access.yml │ ├── win_cobaltstrike_service_installs.yml │ ├── win_dce_rpc_smb_spoolss_named_pipe.yml │ ├── win_dcom_iertutil_dll_hijack.yml │ ├── win_dcsync.yml │ ├── win_disable_event_logging.yml │ ├── win_dpapi_domain_backupkey_extraction.yml │ ├── win_dpapi_domain_masterkey_backup_attempt.yml │ ├── win_etw_modification.yml │ ├── win_event_log_cleared.yml │ ├── win_exchange_transportagent.yml │ ├── win_exploit_cve_2021_1675_printspooler.yml │ ├── win_exploit_cve_2021_1675_printspooler_operational.yml │ ├── win_exploit_cve_2021_1675_printspooler_security.yml │ ├── win_external_device.yml │ ├── win_global_catalog_enumeration.yml │ ├── win_gpo_scheduledtasks.yml │ ├── win_hack_smbexec.yml │ ├── win_hidden_user_creation.yml │ ├── win_hybridconnectionmgr_svc_installation.yml │ ├── win_hybridconnectionmgr_svc_running.yml │ ├── win_impacket_psexec.yml │ ├── win_impacket_secretdump.yml │ ├── win_invoke_obfuscation_clip_services.yml │ ├── win_invoke_obfuscation_clip_services_security.yml │ ├── win_invoke_obfuscation_obfuscated_iex_services.yml │ ├── win_invoke_obfuscation_obfuscated_iex_services_security.yml │ ├── win_invoke_obfuscation_stdin_services.yml │ ├── win_invoke_obfuscation_stdin_services_security.yml │ ├── win_invoke_obfuscation_var_services.yml │ ├── win_invoke_obfuscation_var_services_security.yml │ ├── win_invoke_obfuscation_via_compress_services.yml │ ├── win_invoke_obfuscation_via_compress_services_security.yml │ ├── win_invoke_obfuscation_via_rundll_services.yml │ ├── win_invoke_obfuscation_via_rundll_services_security.yml │ ├── win_invoke_obfuscation_via_stdin_services.yml │ ├── win_invoke_obfuscation_via_stdin_services_security.yml │ ├── win_invoke_obfuscation_via_use_clip_services.yml │ ├── win_invoke_obfuscation_via_use_clip_services_security.yml │ ├── win_invoke_obfuscation_via_use_mshta_services.yml │ ├── win_invoke_obfuscation_via_use_mshta_services_security.yml │ ├── win_invoke_obfuscation_via_use_rundll32_services.yml │ ├── win_invoke_obfuscation_via_use_rundll32_services_security.yml │ ├── win_invoke_obfuscation_via_var_services.yml │ ├── win_invoke_obfuscation_via_var_services_security.yml │ ├── win_iso_mount.yml │ ├── win_lm_namedpipe.yml │ ├── win_lolbas_execution_of_nltest.yml │ ├── win_lsass_access_non_system_account.yml │ ├── win_mal_creddumper.yml │ ├── win_mal_wceaux_dll.yml │ ├── win_metasploit_authentication.yml │ ├── win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml │ ├── win_mmc20_lateral_movement.yml │ ├── win_moriya_rootkit.yml │ ├── win_net_ntlm_downgrade.yml │ ├── win_net_use_admin_share.yml │ ├── win_new_or_renamed_user_account_with_dollar_sign.yml │ ├── win_not_allowed_rdp_access.yml │ ├── win_ntfs_vuln_exploit.yml │ ├── win_overpass_the_hash.yml │ ├── win_pass_the_hash.yml │ ├── win_pass_the_hash_2.yml │ ├── win_petitpotam_network_share.yml │ ├── win_petitpotam_susp_tgt_request.yml │ ├── win_possible_dc_shadow.yml │ ├── win_powershell_script_installed_as_service.yml │ ├── win_privesc_cve_2020_1472.yml │ ├── win_protected_storage_service_access.yml │ ├── win_quarkspwdump_clearing_hive_access_history.yml │ ├── win_rare_schtasks_creations.yml │ ├── win_rare_service_installs.yml │ ├── win_rdp_bluekeep_poc_scanner.yml │ ├── win_rdp_localhost_login.yml │ ├── win_rdp_potential_cve_2019_0708.yml │ ├── win_rdp_reverse_tunnel.yml │ ├── win_register_new_logon_process_by_rubeus.yml │ ├── win_remote_powershell_session.yml │ ├── win_remote_registry_management_using_reg_utility.yml │ ├── win_root_certificate_installed.yml │ ├── win_sam_registry_hive_handle_request.yml │ ├── win_scheduled_task_deletion.yml │ ├── win_scm_database_handle_failure.yml │ ├── win_scm_database_privileged_operation.yml │ ├── win_scrcons_remote_wmi_scripteventconsumer.yml │ ├── win_security_cobaltstrike_service_installs.yml │ ├── win_security_mal_creddumper.yml │ ├── win_security_mal_service_installs.yml │ ├── win_security_metasploit_or_impacket_smb_psexec_service_install.yml │ ├── win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml │ ├── win_security_powershell_script_installed_as_service.yml │ ├── win_security_tap_driver_installation.yml │ ├── win_set_oabvirtualdirectory_externalurl.yml │ ├── win_smb_file_creation_admin_shares.yml │ ├── win_software_atera_rmm_agent_install.yml │ ├── win_software_discovery.yml │ ├── win_susp_add_domain_trust.yml │ ├── win_susp_add_sid_history.yml │ ├── win_susp_backup_delete.yml │ ├── win_susp_codeintegrity_check_failure.yml │ ├── win_susp_dhcp_config.yml │ ├── win_susp_dhcp_config_failed.yml │ ├── win_susp_dns_config.yml │ ├── win_susp_dsrm_password_change.yml │ ├── win_susp_eventlog_cleared.yml │ ├── win_susp_failed_guest_logon.yml │ ├── win_susp_failed_logon_reasons.yml │ ├── win_susp_failed_logon_source.yml │ ├── win_susp_failed_logons_explicit_credentials.yml │ ├── win_susp_failed_logons_single_process.yml │ ├── win_susp_failed_logons_single_source.yml │ ├── win_susp_failed_logons_single_source2.yml │ ├── win_susp_failed_logons_single_source_kerberos.yml │ ├── win_susp_failed_logons_single_source_kerberos2.yml │ ├── win_susp_failed_logons_single_source_kerberos3.yml │ ├── win_susp_failed_logons_single_source_ntlm.yml │ ├── win_susp_failed_logons_single_source_ntlm2.yml │ ├── win_susp_failed_remote_logons_single_source.yml │ ├── win_susp_interactive_logons.yml │ ├── win_susp_kerberos_manipulation.yml │ ├── win_susp_ldap_dataexchange.yml │ ├── win_susp_local_anon_logon_created.yml │ ├── win_susp_logon_explicit_credentials.yml │ ├── win_susp_lsass_dump.yml │ ├── win_susp_lsass_dump_generic.yml │ ├── win_susp_mshta_execution.yml │ ├── win_susp_msmpeng_crash.yml │ ├── win_susp_multiple_files_renamed_or_deleted.yml │ ├── win_susp_net_recon_activity.yml │ ├── win_susp_ntlm_auth.yml │ ├── win_susp_ntlm_rdp.yml │ ├── win_susp_proceshacker.yml │ ├── win_susp_psexec.yml │ ├── win_susp_raccess_sensitive_fext.yml │ ├── win_susp_rc4_kerberos.yml │ ├── win_susp_rottenpotato.yml │ ├── win_susp_sam_dump.yml │ ├── win_susp_samr_pwset.yml │ ├── win_susp_sdelete.yml │ ├── win_susp_time_modification.yml │ ├── win_susp_wmi_login.yml │ ├── win_suspicious_outbound_kerberos_connection.yml │ ├── win_suspicious_werfault_connection_outbound.yml │ ├── win_svcctl_remote_service.yml │ ├── win_syskey_registry_access.yml │ ├── win_sysmon_channel_reference_deletion.yml │ ├── win_system_susp_eventlog_cleared.yml │ ├── win_tap_driver_installation.yml │ ├── win_transferring_files_with_credential_data_via_network_shares.yml │ ├── win_usb_device_plugged.yml │ ├── win_user_added_to_local_administrators.yml │ ├── win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml │ ├── win_user_creation.yml │ ├── win_user_driver_loaded.yml │ ├── win_volume_shadow_copy_mount.yml │ ├── win_vssaudit_secevent_source_registration.yml │ ├── win_vul_cve_2020_0688.yml │ ├── win_vul_cve_2020_1472.yml │ └── win_wmiprvse_wbemcomn_dll_hijack.yml │ ├── create_remote_thread │ ├── sysmon_cactustorch.yml │ ├── sysmon_cobaltstrike_process_injection.yml │ ├── sysmon_createremotethread_loadlibrary.yml │ ├── sysmon_password_dumper_lsass.yml │ ├── sysmon_powershell_code_injection.yml │ ├── sysmon_susp_powershell_rundll32.yml │ └── sysmon_suspicious_remote_thread.yml │ ├── create_stream_hash │ ├── sysmon_ads_executable.yml │ └── sysmon_regedit_export_to_ads.yml │ ├── deprecated │ ├── process_creation_syncappvpublishingserver_exe.yml │ ├── sysmon_mimikatz_detection_lsass.yml │ ├── win_susp_esentutl_activity.yml │ └── win_susp_vssadmin_ntds_activity.yml │ ├── dns_query │ ├── dns_query_hybridconnectionmgr_servicebus.yml │ ├── dns_query_mega_nz.yml │ ├── dns_query_possible_dns_rebinding.yml │ └── dns_query_regsvr32_network_activity.yml │ ├── driver_load │ ├── driver_load_mal_creddumper.yml │ ├── driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml │ ├── driver_load_powershell_script_installed_as_service.yml │ ├── driver_load_susp_temp_use.yml │ ├── driver_load_vuln_dell_driver.yml │ └── driver_load_windivert.yml │ ├── file_delete │ ├── sysmon_delete_prefetch.yml │ ├── sysmon_sysinternals_sdelete_file_deletion.yml │ └── win_cve_2021_1675_printspooler_del.yml │ ├── file_event │ ├── file_event_advanced_ip_scanner.yml │ ├── file_event_apt_unidentified_nov_18.yml │ ├── file_event_cve_2021_31979_cve_2021_33771_exploits.yml │ ├── file_event_executable_and_script_creation_by_office_using_file_ext.yml │ ├── file_event_hack_dumpert.yml │ ├── file_event_hktl_createminidump.yml │ ├── file_event_mal_adwind.yml │ ├── file_event_moriya_rootkit.yml │ ├── file_event_pingback_backdoor.yml │ ├── file_event_script_creation_by_office_using_file_ext.yml │ ├── file_event_tool_psexec.yml │ ├── file_event_uac_bypass_winsat.yml │ ├── file_event_uac_bypass_wmp.yml │ ├── file_event_winrm_awl_bypass.yml │ ├── file_event_wmiprvse_wbemcomn_dll_hijack.yml │ ├── sysmon_creation_system_file.yml │ ├── sysmon_cred_dump_tools_dropped_files.yml │ ├── sysmon_cve_2021_26858_msexchange.yml │ ├── sysmon_detect_powerup_dllhijacking.yml │ ├── sysmon_ghostpack_safetykatz.yml │ ├── sysmon_lsass_memory_dump_file_creation.yml │ ├── sysmon_non_priv_program_files_move.yml │ ├── sysmon_office_persistence.yml │ ├── sysmon_outlook_newform.yml │ ├── sysmon_pcre_net_temp_file.yml │ ├── sysmon_powershell_exploit_scripts.yml │ ├── sysmon_quarkspw_filedump.yml │ ├── sysmon_redmimicry_winnti_filedrop.yml │ ├── sysmon_startup_folder_file_write.yml │ ├── sysmon_susp_adsi_cache_usage.yml │ ├── sysmon_susp_clr_logs.yml │ ├── sysmon_susp_desktop_ini.yml │ ├── sysmon_susp_pfx_file_creation.yml │ ├── sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml │ ├── sysmon_suspicious_powershell_profile_create.yml │ ├── sysmon_tsclient_filewrite_startup.yml │ ├── sysmon_uac_bypass_consent_comctl32.yml │ ├── sysmon_uac_bypass_dotnet_profiler.yml │ ├── sysmon_uac_bypass_ieinstal.yml │ ├── sysmon_uac_bypass_msconfig_gui.yml │ ├── sysmon_uac_bypass_ntfs_reparse_point.yml │ ├── sysmon_webshell_creation_detect.yml │ ├── sysmon_wmi_persistence_script_event_consumer_write.yml │ ├── win_cve_2021_1675_printspooler.yml │ ├── win_file_winword_cve_2021_40444.yml │ ├── win_hivenightmare_file_exports.yml │ ├── win_outlook_c2_macro_creation.yml │ ├── win_rclone_exec_file.yml │ └── win_susp_desktopimgdownldr_file.yml │ ├── image_load │ ├── image_load_pingback_backdoor.yml │ ├── image_load_silenttrinity_stage_use.yml │ ├── image_load_wmiprvse_wbemcomn_dll_hijack.yml │ ├── process_creation_tttracer_mod_load.yml │ ├── sysmon_abusing_azure_browser_sso.yml │ ├── sysmon_alternate_powershell_hosts_moduleload.yml │ ├── sysmon_foggyweb_nobelium.yml │ ├── sysmon_in_memory_powershell.yml │ ├── sysmon_mimikatz_inmemory_detection.yml │ ├── sysmon_pcre_net_load.yml │ ├── sysmon_powershell_execution_moduleload.yml │ ├── sysmon_scrcons_imageload_wmi_scripteventconsumer.yml │ ├── sysmon_spoolsv_dll_load.yml │ ├── sysmon_susp_fax_dll.yml │ ├── sysmon_susp_image_load.yml │ ├── sysmon_susp_office_dotnet_assembly_dll_load.yml │ ├── sysmon_susp_office_dotnet_clr_dll_load.yml │ ├── sysmon_susp_office_dotnet_gac_dll_load.yml │ ├── sysmon_susp_office_dsparse_dll_load.yml │ ├── sysmon_susp_office_kerberos_dll_load.yml │ ├── sysmon_susp_python_image_load.yml │ ├── sysmon_susp_script_dotnet_clr_dll_load.yml │ ├── sysmon_susp_system_drawing_load.yml │ ├── sysmon_susp_winword_vbadll_load.yml │ ├── sysmon_susp_winword_wmidll_load.yml │ ├── sysmon_suspicious_dbghelp_dbgcore_load.yml │ ├── sysmon_svchost_dll_search_order_hijack.yml │ ├── sysmon_tttracer_mod_load.yml │ ├── sysmon_uac_bypass_via_dism.yml │ ├── sysmon_uipromptforcreds_dlls.yml │ ├── sysmon_unsigned_image_loaded_into_lsass.yml │ ├── sysmon_wmi_module_load.yml │ ├── sysmon_wmi_persistence_commandline_event_consumer.yml │ ├── sysmon_wmic_remote_xsl_scripting_dlls.yml │ ├── sysmon_wsman_provider_image_load.yml │ ├── win_susp_svchost_clfsw32.yml │ └── win_suspicious_vss_ps_load.yml │ ├── malware │ ├── av_exploiting.yml │ ├── av_hacktool.yml │ ├── av_password_dumper.yml │ ├── av_printernightmare_cve_2021_34527.yml │ ├── av_relevant_files.yml │ ├── av_webshell.yml │ ├── file_event_mal_octopus_scanner.yml │ ├── process_creation_mal_blue_mockingbird.yml │ ├── process_creation_mal_darkside_ransomware.yml │ ├── process_creation_mal_lockergoga_ransomware.yml │ ├── process_creation_mal_ryuk.yml │ ├── registry_event_mal_azorult.yml │ ├── registry_event_mal_blue_mockingbird.yml │ ├── registry_event_mal_flowcloud.yml │ └── registry_event_mal_ursnif.yml │ ├── network_connection │ ├── silenttrinity_stager_msbuild_activity.yml │ ├── sysmon_dllhost_net_connections.yml │ ├── sysmon_malware_backconnect_ports.yml │ ├── sysmon_notepad_network_connection.yml │ ├── sysmon_powershell_network_connection.yml │ ├── sysmon_rdp_reverse_tunnel.yml │ ├── sysmon_regsvr32_network_activity.yml │ ├── sysmon_remote_powershell_session_network.yml │ ├── sysmon_rundll32_net_connections.yml │ ├── sysmon_susp_prog_location_network_connection.yml │ ├── sysmon_susp_rdp.yml │ ├── sysmon_suspicious_outbound_kerberos_connection.yml │ ├── sysmon_win_binary_github_com.yml │ ├── sysmon_win_binary_susp_com.yml │ └── sysmon_wuauclt_network_connection.yml │ ├── other │ ├── win_defender_amsi_trigger.yml │ ├── win_defender_bypass.yml │ ├── win_defender_disabled.yml │ ├── win_defender_exclusions.yml │ ├── win_defender_history_delete.yml │ ├── win_defender_psexec_wmi_asr.yml │ ├── win_defender_tamper_protection_trigger.yml │ ├── win_defender_threat.yml │ ├── win_exchange_proxyshell_certificate_generation.yml │ ├── win_exchange_proxyshell_mailbox_export.yml │ ├── win_exchange_proxyshell_remove_mailbox_export.yml │ ├── win_exchange_transportagent_failed.yml │ ├── win_lateral_movement_condrv.yml │ ├── win_ldap_recon.yml │ ├── win_pcap_drivers.yml │ ├── win_possible_zerologon_exploitation_using_wellknown_tools.yml │ ├── win_rare_schtask_creation.yml │ ├── win_security_wmi_persistence.yml │ ├── win_system_defender_disabled.yml │ ├── win_tool_psexec.yml │ └── win_wmi_persistence.yml │ ├── pipe_created │ ├── pipe_created_tool_psexec.yml │ ├── sysmon_alternate_powershell_hosts_pipe.yml │ ├── sysmon_apt_turla_namedpipes.yml │ ├── sysmon_cred_dump_tools_named_pipes.yml │ ├── sysmon_efspotato_namedpipe.yml │ ├── sysmon_mal_cobaltstrike.yml │ ├── sysmon_mal_cobaltstrike_re.yml │ ├── sysmon_mal_namedpipes.yml │ ├── sysmon_powershell_execution_pipe.yml │ ├── sysmon_psexec_pipes_artifacts.yml │ ├── sysmon_susp_adfs_namedpipe_connection.yml │ ├── sysmon_susp_cobaltstrike_pipe_patterns.yml │ └── sysmon_susp_wmi_consumer_namedpipe.yml │ ├── powershell │ ├── powershell_classic │ │ ├── powershell_classic_alternate_powershell_hosts.yml │ │ ├── powershell_classic_powercat.yml │ │ ├── powershell_classic_remote_powershell_session.yml │ │ ├── powershell_classic_susp_athremotefxvgpudisablementcommand.yml │ │ ├── powershell_classic_susp_zip_compress.yml │ │ ├── powershell_classic_suspicious_download.yml │ │ ├── powershell_delete_volume_shadow_copies.yml │ │ ├── powershell_downgrade_attack.yml │ │ ├── powershell_exe_calling_ps.yml │ │ ├── powershell_renamed_powershell.yml │ │ ├── powershell_tamper_with_windows_defender.yml │ │ ├── powershell_wsman_com_provider_no_powershell.yml │ │ └── powershell_xor_commandline.yml │ ├── powershell_module │ │ ├── powershell_alternate_powershell_hosts.yml │ │ ├── powershell_bad_opsec_artifacts.yml │ │ ├── powershell_clear_powershell_history.yml │ │ ├── powershell_decompress_commands.yml │ │ ├── powershell_get_clipboard.yml │ │ ├── powershell_invoke_obfuscation_clip.yml │ │ ├── powershell_invoke_obfuscation_obfuscated_iex.yml │ │ ├── powershell_invoke_obfuscation_stdin.yml │ │ ├── powershell_invoke_obfuscation_var.yml │ │ ├── powershell_invoke_obfuscation_via_compress.yml │ │ ├── powershell_invoke_obfuscation_via_rundll.yml │ │ ├── powershell_invoke_obfuscation_via_stdin.yml │ │ ├── powershell_invoke_obfuscation_via_use_clip.yml │ │ ├── powershell_invoke_obfuscation_via_use_mhsta.yml │ │ ├── powershell_invoke_obfuscation_via_use_rundll32.yml │ │ ├── powershell_invoke_obfuscation_via_var.yml │ │ ├── powershell_powercat.yml │ │ ├── powershell_remote_powershell_session.yml │ │ ├── powershell_susp_athremotefxvgpudisablementcommand.yml │ │ └── powershell_susp_zip_compress.yml │ ├── powershell_script │ │ ├── powershell_accessing_win_api.yml │ │ ├── powershell_adrecon_execution.yml │ │ ├── powershell_automated_collection.yml │ │ ├── powershell_cl_invocation_lolscript.yml │ │ ├── powershell_cl_invocation_lolscript_count.yml │ │ ├── powershell_cl_mutexverifiers_lolscript.yml │ │ ├── powershell_cl_mutexverifiers_lolscript_count.yml │ │ ├── powershell_create_local_user.yml │ │ ├── powershell_data_compressed.yml │ │ ├── powershell_detect_vm_env.yml │ │ ├── powershell_dnscat_execution.yml │ │ ├── powershell_icmp_exfiltration.yml │ │ ├── powershell_invoke_nightmare.yml │ │ ├── powershell_invoke_obfuscation_clip_in_scriptblocktext.yml │ │ ├── powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml │ │ ├── powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml │ │ ├── powershell_invoke_obfuscation_var_in_scriptblocktext.yml │ │ ├── powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml │ │ ├── powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml │ │ ├── powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml │ │ ├── powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml │ │ ├── powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml │ │ ├── powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml │ │ ├── powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml │ │ ├── powershell_keylogging.yml │ │ ├── powershell_malicious_commandlets.yml │ │ ├── powershell_malicious_keywords.yml │ │ ├── powershell_memorydump_getstoragediagnosticinfo.yml │ │ ├── powershell_nishang_malicious_commandlets.yml │ │ ├── powershell_ntfs_ads_access.yml │ │ ├── powershell_powerview_malicious_commandlets.yml │ │ ├── powershell_prompt_credentials.yml │ │ ├── powershell_psattack.yml │ │ ├── powershell_shellcode_b64.yml │ │ ├── powershell_shellintel_malicious_commandlets.yml │ │ ├── powershell_store_file_in_alternate_data_stream.yml │ │ ├── powershell_susp_zip_compress_in_scriptblocktext.yml │ │ ├── powershell_suspicious_export_pfxcertificate.yml │ │ ├── powershell_suspicious_getprocess_lsass.yml │ │ ├── powershell_suspicious_keywords.yml │ │ ├── powershell_suspicious_mail_acces.yml │ │ ├── powershell_suspicious_mounted_share_deletion.yml │ │ ├── powershell_suspicious_recon.yml │ │ ├── powershell_suspicious_win32_pnpentity.yml │ │ ├── powershell_timestomp.yml │ │ ├── powershell_trigger_profiles.yml │ │ ├── powershell_web_request.yml │ │ ├── powershell_windows_firewall_profile_disabled.yml │ │ ├── powershell_winlogon_helper_dll.yml │ │ ├── powershell_wmi_persistence.yml │ │ └── powershell_wmimplant.yml │ ├── powershell_suspicious_download.yml │ ├── powershell_suspicious_invocation_generic.yml │ ├── powershell_suspicious_invocation_specific.yml │ └── powershell_syncappvpublishingserver_exe.yml │ ├── process_access │ ├── sysmon_cmstp_execution_by_access.yml │ ├── sysmon_cobaltstrike_bof_injection_pattern.yml │ ├── sysmon_cred_dump_lsass_access.yml │ ├── sysmon_direct_syscall_ntopenprocess.yml │ ├── sysmon_in_memory_assembly_execution.yml │ ├── sysmon_invoke_phantom.yml │ ├── sysmon_lazagne_cred_dump_lsass_access.yml │ ├── sysmon_littlecorporal_generated_maldoc.yml │ ├── sysmon_load_undocumented_autoelevated_com_interface.yml │ ├── sysmon_lsass_dump_comsvcs_dll.yml │ ├── sysmon_lsass_memdump.yml │ ├── sysmon_malware_verclsid_shellcode.yml │ ├── sysmon_mimikatz_trough_winrm.yml │ ├── sysmon_pypykatz_cred_dump_lsass_access.yml │ ├── sysmon_svchost_cred_dump.yml │ ├── sysmon_uac_bypass_wow64_logger.yml │ └── win_susp_shell_spawn_from_winrm.yml │ ├── process_creation │ ├── process_creation_abusing_windows_telemetry_for_persistence.yml │ ├── process_creation_advanced_ip_scanner.yml │ ├── process_creation_alternate_data_streams.yml │ ├── process_creation_apt_gallium.yml │ ├── process_creation_apt_gallium_sha1.yml │ ├── process_creation_apt_pandemic.yml │ ├── process_creation_apt_slingshot.yml │ ├── process_creation_apt_turla_commands_critical.yml │ ├── process_creation_apt_turla_commands_medium.yml │ ├── process_creation_apt_wocao.yml │ ├── process_creation_automated_collection.yml │ ├── process_creation_c3_load_by_rundll32.yml │ ├── process_creation_clip.yml │ ├── process_creation_cobaltstrike_load_by_rundll32.yml │ ├── process_creation_command_execution_by_office_applications.yml │ ├── process_creation_conti_cmd_ransomware.yml │ ├── process_creation_coti_sqlcmd.yml │ ├── process_creation_discover_private_keys.yml │ ├── process_creation_dns_serverlevelplugindll.yml │ ├── process_creation_dotnet.yml │ ├── process_creation_hack_dumpert.yml │ ├── process_creation_infdefaultinstall.yml │ ├── process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml │ ├── process_creation_lolbins_by_office_applications.yml │ ├── process_creation_lolbins_with_wmiprvse_parent_process.yml │ ├── process_creation_msdeploy.yml │ ├── process_creation_office_applications_spawning_wmi_commandline.yml │ ├── process_creation_office_from_proxy_executing_regsvr32_payload.yml │ ├── process_creation_office_from_proxy_executing_regsvr32_payload2.yml │ ├── process_creation_office_spawning_wmi_commandline.yml │ ├── process_creation_pingback_backdoor.yml │ ├── process_creation_powershell_web_request.yml │ ├── process_creation_protocolhandler_suspicious_file.yml │ ├── process_creation_root_certificate_installed.yml │ ├── process_creation_sdelete.yml │ ├── process_creation_software_discovery.yml │ ├── process_creation_stickykey_like_backdoor.yml │ ├── process_creation_susp_7z.yml │ ├── process_creation_susp_athremotefxvgpudisablementcommand.yml │ ├── process_creation_susp_recon.yml │ ├── process_creation_susp_winzip.yml │ ├── process_creation_susp_zip_compress.yml │ ├── process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml │ ├── process_creation_syncappvpublishingserver_vbs_execute_powershell.yml │ ├── process_creation_sysinternals_eula_accepted.yml │ ├── process_creation_sysmon_uac_bypass_eventvwr.yml │ ├── process_creation_tool_psexec.yml │ ├── process_creation_win_exchange_transportagent.yml │ ├── process_creationn_apt_chafer_mar18.yml │ ├── process_mailboxexport_share.yml │ ├── process_susp_esentutl_params.yml │ ├── sysmon_abusing_debug_privilege.yml │ ├── sysmon_accesschk_usage_after_priv_escalation.yml │ ├── sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml │ ├── sysmon_always_install_elevated_windows_installer.yml │ ├── sysmon_apt_muddywater_dnstunnel.yml │ ├── sysmon_apt_sourgrum.yml │ ├── sysmon_atlassian_confluence_cve_2021_26084_exploit.yml │ ├── sysmon_cmstp_execution_by_creation.yml │ ├── sysmon_creation_mavinject_dll.yml │ ├── sysmon_cve_2021_26857_msexchange.yml │ ├── sysmon_expand_cabinet_files.yml │ ├── sysmon_hack_wce.yml │ ├── sysmon_high_integrity_sdclt.yml │ ├── sysmon_logon_scripts_userinitmprlogonscript_proc.yml │ ├── sysmon_long_powershell_commandline.yml │ ├── sysmon_netcat_execution.yml │ ├── sysmon_proxy_execution_wuauclt.yml │ ├── sysmon_rclone_execution.yml │ ├── sysmon_remove_windows_defender_definition_files.yml │ ├── sysmon_sdclt_child_process.yml │ ├── sysmon_susp_plink_remote_forward.yml │ ├── sysmon_susp_service_modification.yml │ ├── sysmon_susp_webdav_client_execution.yml │ ├── sysmon_uninstall_crowdstrike_falcon.yml │ ├── sysmon_vmtoolsd_susp_child_process.yml │ ├── win_ad_find_discovery.yml │ ├── win_anydesk_silent_install.yml │ ├── win_apt_apt29_thinktanks.yml │ ├── win_apt_babyshark.yml │ ├── win_apt_bear_activity_gtr19.yml │ ├── win_apt_bluemashroom.yml │ ├── win_apt_cloudhopper.yml │ ├── win_apt_dragonfly.yml │ ├── win_apt_elise.yml │ ├── win_apt_emissarypanda_sep19.yml │ ├── win_apt_empiremonkey.yml │ ├── win_apt_equationgroup_dll_u_load.yml │ ├── win_apt_evilnum_jul20.yml │ ├── win_apt_greenbug_may20.yml │ ├── win_apt_hafnium.yml │ ├── win_apt_hurricane_panda.yml │ ├── win_apt_judgement_panda_gtr19.yml │ ├── win_apt_ke3chang_regadd.yml │ ├── win_apt_lazarus_activity_apr21.yml │ ├── win_apt_lazarus_activity_dec20.yml │ ├── win_apt_lazarus_loader.yml │ ├── win_apt_lazarus_session_highjack.yml │ ├── win_apt_mustangpanda.yml │ ├── win_apt_revil_kaseya.yml │ ├── win_apt_sofacy.yml │ ├── win_apt_ta17_293a_ps.yml │ ├── win_apt_ta505_dropper.yml │ ├── win_apt_taidoor.yml │ ├── win_apt_tropictrooper.yml │ ├── win_apt_turla_comrat_may20.yml │ ├── win_apt_unc2452_cmds.yml │ ├── win_apt_unc2452_ps.yml │ ├── win_apt_unidentified_nov_18.yml │ ├── win_apt_winnti_mal_hk_jan20.yml │ ├── win_apt_winnti_pipemon.yml │ ├── win_apt_zxshell.yml │ ├── win_attrib_hiding_files.yml │ ├── win_bad_opsec_sacrificial_processes.yml │ ├── win_bootconf_mod.yml │ ├── win_bypass_squiblytwo.yml │ ├── win_change_default_file_association.yml │ ├── win_cl_invocation_lolscript.yml │ ├── win_cl_mutexverifiers_lolscript.yml │ ├── win_class_exec_xwizard.yml │ ├── win_cmdkey_recon.yml │ ├── win_cmstp_com_object_access.yml │ ├── win_cobaltstrike_process_patterns.yml │ ├── win_commandline_path_traversal.yml │ ├── win_control_panel_item.yml │ ├── win_copying_sensitive_files_with_credential_data.yml │ ├── win_credential_access_via_password_filter.yml │ ├── win_crime_fireball.yml │ ├── win_crime_maze_ransomware.yml │ ├── win_crime_snatch_ransomware.yml │ ├── win_data_compressed_with_rar.yml │ ├── win_detecting_fake_instances_of_hxtsr.yml │ ├── win_dll_sideload_xwizard.yml │ ├── win_dns_exfiltration_tools_execution.yml │ ├── win_dnscat2_powershell_implementation.yml │ ├── win_encoded_frombase64string.yml │ ├── win_encoded_iex.yml │ ├── win_etw_modification_cmdline.yml │ ├── win_etw_trace_evasion.yml │ ├── win_exchange_proxylogon_oabvirtualdir.yml │ ├── win_exfiltration_and_tunneling_tools_execution.yml │ ├── win_exploit_cve_2015_1641.yml │ ├── win_exploit_cve_2017_0261.yml │ ├── win_exploit_cve_2017_11882.yml │ ├── win_exploit_cve_2017_8759.yml │ ├── win_exploit_cve_2019_1378.yml │ ├── win_exploit_cve_2019_1388.yml │ ├── win_exploit_cve_2020_10189.yml │ ├── win_exploit_cve_2020_1048.yml │ ├── win_exploit_cve_2020_1350.yml │ ├── win_exploit_systemnightmare.yml │ ├── win_file_permission_modifications.yml │ ├── win_grabbing_sensitive_hives_via_reg.yml │ ├── win_hack_adcspwn.yml │ ├── win_hack_bloodhound.yml │ ├── win_hack_koadic.yml │ ├── win_hack_rubeus.yml │ ├── win_hack_secutyxploded.yml │ ├── win_hh_chm.yml │ ├── win_hiding_malware_in_fonts_folder.yml │ ├── win_hktl_createminidump.yml │ ├── win_hktl_uacme_uac_bypass.yml │ ├── win_html_help_spawn.yml │ ├── win_hwp_exploits.yml │ ├── win_impacket_compiled_tools.yml │ ├── win_impacket_lateralization.yml │ ├── win_indirect_cmd.yml │ ├── win_indirect_cmd_compatibility_assistant.yml │ ├── win_install_reg_debugger_backdoor.yml │ ├── win_interactive_at.yml │ ├── win_invoke_obfuscation_clip.yml │ ├── win_invoke_obfuscation_obfuscated_iex_commandline.yml │ ├── win_invoke_obfuscation_stdin.yml │ ├── win_invoke_obfuscation_var.yml │ ├── win_invoke_obfuscation_via_compress.yml │ ├── win_invoke_obfuscation_via_rundll.yml │ ├── win_invoke_obfuscation_via_stdin.yml │ ├── win_invoke_obfuscation_via_use_clip.yml │ ├── win_invoke_obfuscation_via_use_mhsta.yml │ ├── win_invoke_obfuscation_via_use_rundll32.yml │ ├── win_invoke_obfuscation_via_var.yml │ ├── win_lethalhta.yml │ ├── win_local_system_owner_account_discovery.yml │ ├── win_lolbas_execution_of_wuauclt.yml │ ├── win_lolbin_execution_via_winget.yml │ ├── win_lsass_dump.yml │ ├── win_mal_adwind.yml │ ├── win_malware_conti.yml │ ├── win_malware_conti_7zip.yml │ ├── win_malware_conti_shadowcopy.yml │ ├── win_malware_dridex.yml │ ├── win_malware_dtrack.yml │ ├── win_malware_emotet.yml │ ├── win_malware_formbook.yml │ ├── win_malware_notpetya.yml │ ├── win_malware_qbot.yml │ ├── win_malware_ryuk.yml │ ├── win_malware_script_dropper.yml │ ├── win_malware_trickbot_recon_activity.yml │ ├── win_malware_trickbot_wermgr.yml │ ├── win_malware_wannacry.yml │ ├── win_manage_bde_lolbas.yml │ ├── win_mavinject_proc_inj.yml │ ├── win_meterpreter_or_cobaltstrike_getsystem_service_start.yml │ ├── win_mimikatz_command_line.yml │ ├── win_mmc_spawn_shell.yml │ ├── win_modif_of_services_for_via_commandline.yml │ ├── win_monitoring_for_persistence_via_bits.yml │ ├── win_mouse_lock.yml │ ├── win_mshta_javascript.yml │ ├── win_mshta_spawn_shell.yml │ ├── win_multiple_suspicious_cli.yml │ ├── win_net_enum.yml │ ├── win_net_user_add.yml │ ├── win_netsh_allow_port_rdp.yml │ ├── win_netsh_fw_add.yml │ ├── win_netsh_fw_add_susp_image.yml │ ├── win_netsh_packet_capture.yml │ ├── win_netsh_port_fwd.yml │ ├── win_netsh_port_fwd_3389.yml │ ├── win_netsh_wifi_credential_harvesting.yml │ ├── win_network_sniffing.yml │ ├── win_new_service_creation.yml │ ├── win_nltest_recon.yml │ ├── win_non_interactive_powershell.yml │ ├── win_non_priv_reg_or_ps.yml │ ├── win_office_shell.yml │ ├── win_office_spawn_exe_from_users_directory.yml │ ├── win_plugx_susp_exe_locations.yml │ ├── win_possible_applocker_bypass.yml │ ├── win_possible_privilege_escalation_via_service_registry_permissions.yml │ ├── win_powershell_amsi_bypass.yml │ ├── win_powershell_audio_capture.yml │ ├── win_powershell_b64_shellcode.yml │ ├── win_powershell_bitsjob.yml │ ├── win_powershell_cmdline_reversed_strings.yml │ ├── win_powershell_cmdline_special_characters.yml │ ├── win_powershell_cmdline_specific_comb_methods.yml │ ├── win_powershell_defender_exclusion.yml │ ├── win_powershell_disable_windef_av.yml │ ├── win_powershell_dll_execution.yml │ ├── win_powershell_downgrade_attack.yml │ ├── win_powershell_download.yml │ ├── win_powershell_frombase64string.yml │ ├── win_powershell_reverse_shell_connection.yml │ ├── win_powershell_suspicious_parameter_variation.yml │ ├── win_powershell_xor_commandline.yml │ ├── win_powersploit_empire_schtasks.yml │ ├── win_proc_wrong_parent.yml │ ├── win_procdump.yml │ ├── win_process_creation_bitsadmin_download.yml │ ├── win_process_dump_rdrleakdiag.yml │ ├── win_process_dump_rundll32_comsvcs.yml │ ├── win_psexesvc_start.yml │ ├── win_purplesharp_indicators.yml │ ├── win_query_registry.yml │ ├── win_rasautou_dll_execution.yml │ ├── win_rdp_hijack_shadowing.yml │ ├── win_redmimicry_winnti_proc.yml │ ├── win_reg_add_run_key.yml │ ├── win_regedit_export_critical_keys.yml │ ├── win_regedit_export_keys.yml │ ├── win_regedit_import_keys.yml │ ├── win_regedit_import_keys_ads.yml │ ├── win_regini.yml │ ├── win_regini_ads.yml │ ├── win_remote_powershell_session_process.yml │ ├── win_remote_time_discovery.yml │ ├── win_renamed_binary.yml │ ├── win_renamed_binary_highly_relevant.yml │ ├── win_renamed_jusched.yml │ ├── win_renamed_megasync.yml │ ├── win_renamed_paexec.yml │ ├── win_renamed_powershell.yml │ ├── win_renamed_procdump.yml │ ├── win_renamed_psexec.yml │ ├── win_renamed_whoami.yml │ ├── win_run_powershell_script_from_ads.yml │ ├── win_run_powershell_script_from_input_stream.yml │ ├── win_run_virtualbox.yml │ ├── win_rundll32_without_parameters.yml │ ├── win_script_event_consumer_spawn.yml │ ├── win_sdbinst_shim_persistence.yml │ ├── win_service_execution.yml │ ├── win_service_stop.yml │ ├── win_shadow_copies_access_symlink.yml │ ├── win_shadow_copies_creation.yml │ ├── win_shadow_copies_deletion.yml │ ├── win_shell_spawn_mshta.yml │ ├── win_shell_spawn_susp_program.yml │ ├── win_silenttrinity_stage_use.yml │ ├── win_soundrec_audio_capture.yml │ ├── win_spn_enum.yml │ ├── win_sticky_keys_unauthenticated_privileged_console_access.yml │ ├── win_sus_auditpol_usage.yml │ ├── win_susp_adfind.yml │ ├── win_susp_atbroker.yml │ ├── win_susp_bcdedit.yml │ ├── win_susp_bginfo.yml │ ├── win_susp_bitstransfer.yml │ ├── win_susp_calc.yml │ ├── win_susp_cdb.yml │ ├── win_susp_certutil_command.yml │ ├── win_susp_certutil_encode.yml │ ├── win_susp_cli_escape.yml │ ├── win_susp_cmd_http_appdata.yml │ ├── win_susp_cmd_shadowcopy_access.yml │ ├── win_susp_codepage_switch.yml │ ├── win_susp_commands_recon_activity.yml │ ├── win_susp_compression_params.yml │ ├── win_susp_comsvcs_procdump.yml │ ├── win_susp_conhost.yml │ ├── win_susp_control_cve_2021_40444.yml │ ├── win_susp_control_dll_load.yml │ ├── win_susp_copy_lateral_movement.yml │ ├── win_susp_copy_system32.yml │ ├── win_susp_covenant.yml │ ├── win_susp_crackmapexec_execution.yml │ ├── win_susp_crackmapexec_powershell_obfuscation.yml │ ├── win_susp_csc.yml │ ├── win_susp_csc_folder.yml │ ├── win_susp_csi.yml │ ├── win_susp_curl_download.yml │ ├── win_susp_curl_fileupload.yml │ ├── win_susp_curl_start_combo.yml │ ├── win_susp_dctask64_proc_inject.yml │ ├── win_susp_desktopimgdownldr.yml │ ├── win_susp_devtoolslauncher.yml │ ├── win_susp_direct_asep_reg_keys_modification.yml │ ├── win_susp_disable_eventlog.yml │ ├── win_susp_disable_ie_features.yml │ ├── win_susp_disable_raccine.yml │ ├── win_susp_diskshadow.yml │ ├── win_susp_ditsnap.yml │ ├── win_susp_dnx.yml │ ├── win_susp_double_extension.yml │ ├── win_susp_dxcap.yml │ ├── win_susp_emotet_rudll32_execution.yml │ ├── win_susp_eventlog_clear.yml │ ├── win_susp_execution_path.yml │ ├── win_susp_execution_path_webserver.yml │ ├── win_susp_explorer.yml │ ├── win_susp_explorer_break_proctree.yml │ ├── win_susp_file_characteristics.yml │ ├── win_susp_file_download_via_gfxdownloadwrapper.yml │ ├── win_susp_findstr.yml │ ├── win_susp_findstr_lnk.yml │ ├── win_susp_finger_usage.yml │ ├── win_susp_firewall_disable.yml │ ├── win_susp_fsutil_usage.yml │ ├── win_susp_ftp.yml │ ├── win_susp_gup.yml │ ├── win_susp_iss_module_install.yml │ ├── win_susp_mounted_share_deletion.yml │ ├── win_susp_mpcmdrun_download.yml │ ├── win_susp_mshta_pattern.yml │ ├── win_susp_msiexec_cwd.yml │ ├── win_susp_msiexec_web_install.yml │ ├── win_susp_msoffice.yml │ ├── win_susp_net_execution.yml │ ├── win_susp_netsh_dll_persistence.yml │ ├── win_susp_ngrok_pua.yml │ ├── win_susp_ntdsutil.yml │ ├── win_susp_odbcconf.yml │ ├── win_susp_openwith.yml │ ├── win_susp_outlook.yml │ ├── win_susp_outlook_temp.yml │ ├── win_susp_pcwutl.yml │ ├── win_susp_pester.yml │ ├── win_susp_ping_hex_ip.yml │ ├── win_susp_powershell_empire_launch.yml │ ├── win_susp_powershell_empire_uac_bypass.yml │ ├── win_susp_powershell_enc_cmd.yml │ ├── win_susp_powershell_encoded_param.yml │ ├── win_susp_powershell_getprocess_lsass.yml │ ├── win_susp_powershell_hidden_b64_cmd.yml │ ├── win_susp_powershell_parent_combo.yml │ ├── win_susp_powershell_parent_process.yml │ ├── win_susp_powershell_sam_access.yml │ ├── win_susp_print.yml │ ├── win_susp_procdump.yml │ ├── win_susp_procdump_lsass.yml │ ├── win_susp_ps_appdata.yml │ ├── win_susp_ps_downloadfile.yml │ ├── win_susp_psexec_eula.yml │ ├── win_susp_psexex_paexec_flags.yml │ ├── win_susp_psr_capture_screenshots.yml │ ├── win_susp_rar_flags.yml │ ├── win_susp_rasdial_activity.yml │ ├── win_susp_razorinstaller_explorer.yml │ ├── win_susp_rclone_exec.yml │ ├── win_susp_recon_activity.yml │ ├── win_susp_reg_disable_sec_services.yml │ ├── win_susp_regedit_trustedinstaller.yml │ ├── win_susp_register_cimprovider.yml │ ├── win_susp_regsvr32_anomalies.yml │ ├── win_susp_regsvr32_flags_anomaly.yml │ ├── win_susp_regsvr32_no_dll.yml │ ├── win_susp_renamed_dctask64.yml │ ├── win_susp_renamed_debugview.yml │ ├── win_susp_renamed_paexec.yml │ ├── win_susp_rpcping.yml │ ├── win_susp_run_locations.yml │ ├── win_susp_rundll32_activity.yml │ ├── win_susp_rundll32_by_ordinal.yml │ ├── win_susp_rundll32_inline_vbs.yml │ ├── win_susp_rundll32_no_params.yml │ ├── win_susp_rundll32_setupapi_installhinfsection.yml │ ├── win_susp_rundll32_sys.yml │ ├── win_susp_runonce_execution.yml │ ├── win_susp_runscripthelper.yml │ ├── win_susp_schtask_creation.yml │ ├── win_susp_schtask_creation_temp_folder.yml │ ├── win_susp_screenconnect_access.yml │ ├── win_susp_screensaver_reg.yml │ ├── win_susp_script_exec_from_temp.yml │ ├── win_susp_script_execution.yml │ ├── win_susp_service_dacl_modification.yml │ ├── win_susp_service_dir.yml │ ├── win_susp_service_path_modification.yml │ ├── win_susp_servu_exploitation_cve_2021_35211.yml │ ├── win_susp_servu_process_pattern.yml │ ├── win_susp_shell_spawn_from_mssql.yml │ ├── win_susp_shimcache_flush.yml │ ├── win_susp_splwow64.yml │ ├── win_susp_spoolsv_child_processes.yml │ ├── win_susp_sqldumper_activity.yml │ ├── win_susp_squirrel_lolbin.yml │ ├── win_susp_svchost.yml │ ├── win_susp_svchost_no_cli.yml │ ├── win_susp_sysprep_appdata.yml │ ├── win_susp_sysvol_access.yml │ ├── win_susp_taskmgr_localsystem.yml │ ├── win_susp_taskmgr_parent.yml │ ├── win_susp_tracker_execution.yml │ ├── win_susp_tscon_localsystem.yml │ ├── win_susp_tscon_rdp_redirect.yml │ ├── win_susp_uac_bypass_trustedpath.yml │ ├── win_susp_use_of_csharp_console.yml │ ├── win_susp_use_of_sqlps_bin.yml │ ├── win_susp_use_of_sqltoolsps_bin.yml │ ├── win_susp_use_of_te_bin.yml │ ├── win_susp_use_of_vsjitdebugger_bin.yml │ ├── win_susp_userinit_child.yml │ ├── win_susp_vboxdrvinst.yml │ ├── win_susp_vbscript_unc2452.yml │ ├── win_susp_volsnap_disable.yml │ ├── win_susp_whoami.yml │ ├── win_susp_whoami_anomaly.yml │ ├── win_susp_winrm_awl_bypass.yml │ ├── win_susp_winrm_execution.yml │ ├── win_susp_wmi_execution.yml │ ├── win_susp_wmic_eventconsumer_create.yml │ ├── win_susp_wmic_proc_create_rundll32.yml │ ├── win_susp_wmic_security_product_uninstall.yml │ ├── win_susp_wsl_lolbin.yml │ ├── win_susp_wuauclt.yml │ ├── win_sysmon_driver_unload.yml │ ├── win_system_exe_anomaly.yml │ ├── win_tap_installer_execution.yml │ ├── win_task_folder_evasion.yml │ ├── win_termserv_proc_spawn.yml │ ├── win_tools_relay_attacks.yml │ ├── win_trust_discovery.yml │ ├── win_uac_bypass_changepk_slui.yml │ ├── win_uac_bypass_cleanmgr.yml │ ├── win_uac_bypass_computerdefaults.yml │ ├── win_uac_bypass_consent_comctl32.yml │ ├── win_uac_bypass_dismhost.yml │ ├── win_uac_bypass_ieinstal.yml │ ├── win_uac_bypass_msconfig_gui.yml │ ├── win_uac_bypass_ntfs_reparse_point.yml │ ├── win_uac_bypass_pkgmgr_dism.yml │ ├── win_uac_bypass_winsat.yml │ ├── win_uac_bypass_wmp.yml │ ├── win_uac_bypass_wsreset.yml │ ├── win_uac_cmstp.yml │ ├── win_uac_fodhelper.yml │ ├── win_uac_wsreset.yml │ ├── win_using_sc_to_change_sevice_image_path_by_non_admin.yml │ ├── win_using_settingsynchost_as_lolbin.yml │ ├── win_verclsid_runs_com.yml │ ├── win_visual_basic_compiler.yml │ ├── win_vul_java_remote_debugging.yml │ ├── win_webshell_detection.yml │ ├── win_webshell_recon_detection.yml │ ├── win_webshell_spawn.yml │ ├── win_whoami_as_system.yml │ ├── win_whoami_priv.yml │ ├── win_win10_sched_task_0day.yml │ ├── win_winword_dll_load.yml │ ├── win_wmi_backdoor_exchange_transport_agent.yml │ ├── win_wmi_persistence_script_event_consumer.yml │ ├── win_wmi_spwns_powershell.yml │ ├── win_wmiprvse_spawning_process.yml │ ├── win_workflow_compiler.yml │ ├── win_write_protect_for_storage_disabled.yml │ ├── win_wsreset_uac_bypass.yml │ └── win_xsl_script_processing.yml │ ├── raw_access_thread │ └── sysmon_raw_disk_access_using_illegitimate_tools.yml │ ├── registry_event │ ├── registry_event_abusing_windows_telemetry_for_persistence.yml │ ├── registry_event_apt_chafer_mar18.yml │ ├── registry_event_apt_pandemic.yml │ ├── registry_event_cve_2021_31979_cve_2021_33771_exploits.yml │ ├── registry_event_defender_disabled.yml │ ├── registry_event_defender_exclusions.yml │ ├── registry_event_dns_serverlevelplugindll.yml │ ├── registry_event_mal_adwind.yml │ ├── registry_event_net_ntlm_downgrade.yml │ ├── registry_event_stickykey_like_backdoor.yml │ ├── registry_event_sysinternals_eula_accepted.yml │ ├── registry_event_uac_bypass_eventvwr.yml │ ├── registry_event_uac_bypass_winsat.yml │ ├── registry_event_uac_bypass_wmp.yml │ ├── sysmon_apt_leviathan.yml │ ├── sysmon_apt_oceanlotus_registry.yml │ ├── sysmon_asep_reg_keys_modification.yml │ ├── sysmon_bypass_via_wsreset.yml │ ├── sysmon_cmstp_execution_by_registry.yml │ ├── sysmon_cobaltstrike_service_installs.yml │ ├── sysmon_comhijack_sdclt.yml │ ├── sysmon_cve_2020_1048.yml │ ├── sysmon_dhcp_calloutdll.yml │ ├── sysmon_disable_microsoft_office_security_features.yml │ ├── sysmon_disable_security_events_logging_adding_reg_key_minint.yml │ ├── sysmon_disable_wdigest_credential_guard.yml │ ├── sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml │ ├── sysmon_disabled_pua_protection_on_microsoft_defender.yml │ ├── sysmon_disabled_tamper_protection_on_microsoft_defender.yml │ ├── sysmon_dns_over_https_enabled.yml │ ├── sysmon_enabling_cor_profiler_env_variables.yml │ ├── sysmon_etw_disabled.yml │ ├── sysmon_hack_wce_reg.yml │ ├── sysmon_hybridconnectionmgr_svc_installation.yml │ ├── sysmon_logon_scripts_userinitmprlogonscript_reg.yml │ ├── sysmon_modify_screensaver_binary_path.yml │ ├── sysmon_narrator_feedback_persistance.yml │ ├── sysmon_new_application_appcompat.yml │ ├── sysmon_new_dll_added_to_appcertdlls_registry_key.yml │ ├── sysmon_new_dll_added_to_appinit_dlls_registry_key.yml │ ├── sysmon_office_test_regadd.yml │ ├── sysmon_office_vsto_persistence.yml │ ├── sysmon_powershell_as_service.yml │ ├── sysmon_rdp_registry_modification.yml │ ├── sysmon_rdp_settings_hijack.yml │ ├── sysmon_redmimicry_winnti_reg.yml │ ├── sysmon_reg_office_security.yml │ ├── sysmon_reg_silentprocessexit.yml │ ├── sysmon_reg_silentprocessexit_lsass.yml │ ├── sysmon_reg_vbs_payload_stored.yml │ ├── sysmon_registry_add_local_hidden_user.yml │ ├── sysmon_registry_persistence_key_linking.yml │ ├── sysmon_registry_persistence_search_order.yml │ ├── sysmon_registry_susp_printer_driver.yml │ ├── sysmon_registry_trust_record_modification.yml │ ├── sysmon_removal_amsi_registry_key.yml │ ├── sysmon_removal_com_hijacking_registry_key.yml │ ├── sysmon_runkey_winekey.yml │ ├── sysmon_runonce_persistence.yml │ ├── sysmon_ssp_added_lsa_config.yml │ ├── sysmon_susp_atbroker_change.yml │ ├── sysmon_susp_download_run_key.yml │ ├── sysmon_susp_lsass_dll_load.yml │ ├── sysmon_susp_mic_cam_access.yml │ ├── sysmon_susp_reg_persist_explorer_run.yml │ ├── sysmon_susp_run_key_img_folder.yml │ ├── sysmon_susp_service_installed.yml │ ├── sysmon_suspicious_keyboard_layout_load.yml │ ├── sysmon_sysinternals_sdelete_registry_keys.yml │ ├── sysmon_taskcache_entry.yml │ ├── sysmon_uac_bypass_sdclt.yml │ ├── sysmon_uac_bypass_shell_open.yml │ ├── sysmon_volume_shadow_copy_service_keys.yml │ ├── sysmon_wab_dllpath_reg_change.yml │ ├── sysmon_wdigest_enable_uselogoncredential.yml │ ├── sysmon_win_reg_persistence.yml │ ├── sysmon_win_reg_telemetry_persistence.yml │ ├── win_outlook_c2_registry_key.yml │ ├── win_outlook_registry_todaypage.yml │ ├── win_outlook_registry_webview.yml │ ├── win_portproxy_registry_key.yml │ └── win_registry_mimikatz_printernightmare.yml │ ├── sysmon │ ├── sysmon_accessing_winapi_in_powershell_credentials_dumping.yml │ ├── sysmon_config_modification_error.yml │ ├── sysmon_config_modification_status.yml │ └── sysmon_dcom_iertutil_dll_hijack.yml │ └── wmi_event │ ├── sysmon_wmi_event_subscription.yml │ ├── sysmon_wmi_susp_encoded_scripts.yml │ └── sysmon_wmi_susp_scripting.yml ├── sigma-schema.rx.yml ├── tests ├── backend_config.yml ├── collection_repeat.yml ├── config-multiple_mapping-2.yml ├── config-multiple_mapping.yml ├── es-query-template.jq ├── invalid_config.yml ├── invalid_sigma-invalid_aggregation.yml ├── invalid_sigma-invalid_identifier_reference.yml ├── invalid_sigma-no_condition.yml ├── invalid_sigma-no_identifiers.yml ├── invalid_sigma-wrong_identifier_definition.yml ├── invalid_yaml.badyml ├── mapping-conditional-multi.yml ├── test-backend-es-qs.py ├── test-backend-netwitness.py ├── test-merge.sh ├── test-modifiers.yml └── test_rules.py └── tools ├── LICENSE.LGPL.txt ├── LONG_DESCRIPTION.md ├── MANIFEST.in ├── README.md ├── config ├── ala-azure-activitylogs.yml ├── ala-azure-ad_auditlogs.yml ├── ala-azure-aws_cloudtrail.yml ├── ala-suricata.yml ├── ala.yml ├── arcsight-zeek.yml ├── arcsight.yml ├── carbon-black-eedr.yml ├── carbon-black.yml ├── chronicle.yml ├── crowdstrike.yml ├── devo-network.yml ├── devo-web.yml ├── devo-windows.yml ├── ecs-auditbeat-modules-enabled.yml ├── ecs-auditd.yml ├── ecs-azure-activitylogs.yml ├── ecs-azure-ad_auditlogs.yml ├── ecs-azure-ad_signinlogs.yml ├── ecs-cloudtrail.yml ├── ecs-dns.yml ├── ecs-filebeat.yml ├── ecs-ms365_defender.yml ├── ecs-okta.yml ├── ecs-proxy.yml ├── ecs-suricata.yml ├── ecs-zeek-corelight.yml ├── ecs-zeek-elastic-beats-implementation.yml ├── elk-defaultindex-filebeat.yml ├── elk-defaultindex-logstash.yml ├── elk-defaultindex.yml ├── elk-linux.yml ├── elk-windows.yml ├── elk-winlogbeat-sp.yml ├── elk-winlogbeat.yml ├── filebeat-defaultindex.yml ├── fireeye-helix.yml ├── generic │ ├── m365.yml │ ├── powershell.yml │ ├── sysmon.yml │ └── windows-audit.yml ├── helk.yml ├── humio.yml ├── limacharlie.yml ├── logpoint-windows.yml ├── logrhythm_winevent.yml ├── logstash-defaultindex.yml ├── logstash-linux.yml ├── logstash-windows.yml ├── logstash-zeek-default-json.yml ├── mitre │ ├── tactics.json │ ├── techniques.json │ └── update_mitre.py ├── netwitness-epl.yml ├── netwitness.yml ├── powershell.yml ├── qradar.yml ├── qualys.yml ├── splunk-windows-index.yml ├── splunk-windows.yml ├── splunk-zeek.yml ├── stix-custom.yml ├── stix-shifter.yml ├── stix2.0.yml ├── sumologic-cse.yml ├── sumologic.yml ├── thor.yml ├── winlogbeat-modules-enabled.yml ├── winlogbeat-old.yml └── winlogbeat.yml ├── merge_sigma ├── setup.cfg ├── setup.py ├── sigma ├── __init__.py ├── backends │ ├── ala.py │ ├── arcsight.py │ ├── base.py │ ├── carbonblack.py │ ├── chronicle.py │ ├── cim.py │ ├── csharp.py │ ├── data.py │ ├── devo.py │ ├── discovery.py │ ├── ee-outliers.py │ ├── elasticsearch.py │ ├── exceptions.py │ ├── fireeye-helix.py │ ├── graylog.py │ ├── humio.py │ ├── lacework.py │ ├── limacharlie.py │ ├── logiq.py │ ├── logpoint.py │ ├── mdatp.py │ ├── misc.py │ ├── mixins.py │ ├── netwitness-epl.py │ ├── netwitness.py │ ├── opensearch.py │ ├── powershell.py │ ├── qradar.py │ ├── qualys.py │ ├── splunk.py │ ├── splunkdm.py │ ├── sql.py │ ├── sqlite.py │ ├── stix.py │ ├── sumologic.py │ ├── sysmon.py │ ├── tools.py │ └── uberagent.py ├── config │ ├── collection.py │ ├── eventdict.py │ ├── exceptions.py │ └── mapping.py ├── configuration.py ├── filter.py ├── merge_sigma.py ├── output.py ├── parser │ ├── base.py │ ├── collection.py │ ├── condition.py │ ├── exceptions.py │ ├── modifiers │ │ ├── __init__.py │ │ ├── base.py │ │ ├── discovery.py │ │ ├── exceptions.py │ │ ├── mixins.py │ │ ├── transform.py │ │ └── type.py │ └── rule.py ├── sigma-similarity.py ├── sigma-uuid.py ├── sigma2attack.py ├── sigma2genericsigma.py ├── sigma2misp.py ├── sigma_configurations_check.py ├── sigma_similarity.py ├── sigma_uuid.py ├── sigmac.py └── tools.py ├── sigma2attack ├── sigma2misp ├── sigma_configurations_check ├── sigma_similarity ├── sigma_uuid ├── sigmac └── tests ├── test_backend_devo.py ├── test_backend_elasticsearch.py ├── test_backend_sql.py ├── test_backend_sqlite.py └── test_parsing.py /.github/workflows/sigma-test.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/.github/workflows/sigma-test.yml -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/.gitignore -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/.yamllint -------------------------------------------------------------------------------- /BREAKING_CHANGES.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/BREAKING_CHANGES.md -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/CHANGELOG.md -------------------------------------------------------------------------------- /CHANGELOG.md.j2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/CHANGELOG.md.j2 -------------------------------------------------------------------------------- /LICENSE.Detection.Rules.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/LICENSE.Detection.Rules.md -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/Makefile -------------------------------------------------------------------------------- /Pipfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/Pipfile -------------------------------------------------------------------------------- /Pipfile.lock: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/Pipfile.lock -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/README.md -------------------------------------------------------------------------------- /_config.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/_config.yml -------------------------------------------------------------------------------- /contrib/filter-uuid-patch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/contrib/filter-uuid-patch -------------------------------------------------------------------------------- /contrib/sigma2CSV.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/contrib/sigma2CSV.py -------------------------------------------------------------------------------- /contrib/sigma2elastalert.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/contrib/sigma2elastalert.py -------------------------------------------------------------------------------- /contrib/sigma2sumologic.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/contrib/sigma2sumologic.py -------------------------------------------------------------------------------- /contrib/sigmacover.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/contrib/sigmacover.py -------------------------------------------------------------------------------- /images/Problem_OSI_v01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/images/Problem_OSI_v01.png -------------------------------------------------------------------------------- /images/Sigma-description.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/images/Sigma-description.png -------------------------------------------------------------------------------- /images/Sigma_0.3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/images/Sigma_0.3.png -------------------------------------------------------------------------------- /images/Sigma_0.3_inverted_title_wiki.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/images/Sigma_0.3_inverted_title_wiki.png -------------------------------------------------------------------------------- /images/Sigma_Coverage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/images/Sigma_Coverage.png -------------------------------------------------------------------------------- /images/Sigma_Schema.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/images/Sigma_Schema.png -------------------------------------------------------------------------------- /images/Sigma_rule_example1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/images/Sigma_rule_example1.png -------------------------------------------------------------------------------- /images/Sigma_rule_example2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/images/Sigma_rule_example2.png -------------------------------------------------------------------------------- /images/Sigma_rule_example3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/images/Sigma_rule_example3.png -------------------------------------------------------------------------------- /images/Sigma_rule_example4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/images/Sigma_rule_example4.png -------------------------------------------------------------------------------- /images/Sigma_rule_example5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/images/Sigma_rule_example5.png -------------------------------------------------------------------------------- /images/Sigmac-win_susp_rc4_kerberos.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/images/Sigmac-win_susp_rc4_kerberos.png -------------------------------------------------------------------------------- /images/sigma2attack.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/images/sigma2attack.png -------------------------------------------------------------------------------- /images/sigma_infographic_hq.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/images/sigma_infographic_hq.png -------------------------------------------------------------------------------- /images/sigma_infographic_lq.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/images/sigma_infographic_lq.png -------------------------------------------------------------------------------- /other/godmode_sigma_rule.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/other/godmode_sigma_rule.yml -------------------------------------------------------------------------------- /other/sigma_attack_nav_coverage.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/other/sigma_attack_nav_coverage.json -------------------------------------------------------------------------------- /other/sigma_attack_nav_coverage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/other/sigma_attack_nav_coverage.png -------------------------------------------------------------------------------- /rules-unsupported/driver_load_tap_driver_installation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules-unsupported/driver_load_tap_driver_installation.yml -------------------------------------------------------------------------------- /rules-unsupported/net_dns_high_subdomain_rate.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules-unsupported/net_dns_high_subdomain_rate.yml -------------------------------------------------------------------------------- /rules-unsupported/net_dns_large_domain_name.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules-unsupported/net_dns_large_domain_name.yml -------------------------------------------------------------------------------- /rules-unsupported/net_possible_dns_rebinding.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules-unsupported/net_possible_dns_rebinding.yml -------------------------------------------------------------------------------- /rules-unsupported/sysmon_process_reimaging.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules-unsupported/sysmon_process_reimaging.yml -------------------------------------------------------------------------------- /rules-unsupported/win_apt_apt29_tor.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules-unsupported/win_apt_apt29_tor.yml -------------------------------------------------------------------------------- /rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml -------------------------------------------------------------------------------- /rules-unsupported/win_dumping_ntdsdit_via_netsync.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml -------------------------------------------------------------------------------- /rules-unsupported/win_mal_service_installs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules-unsupported/win_mal_service_installs.yml -------------------------------------------------------------------------------- /rules-unsupported/win_remote_schtask.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules-unsupported/win_remote_schtask.yml -------------------------------------------------------------------------------- /rules-unsupported/win_remote_service.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules-unsupported/win_remote_service.yml -------------------------------------------------------------------------------- /rules/application/app_python_sql_exceptions.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/application/app_python_sql_exceptions.yml -------------------------------------------------------------------------------- /rules/application/app_sqlinjection_errors.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/application/app_sqlinjection_errors.yml -------------------------------------------------------------------------------- /rules/application/appframework_django_exceptions.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/application/appframework_django_exceptions.yml -------------------------------------------------------------------------------- /rules/application/appframework_spring_exceptions.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/application/appframework_spring_exceptions.yml -------------------------------------------------------------------------------- /rules/apt/apt_silence_downloader_v3.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/apt/apt_silence_downloader_v3.yml -------------------------------------------------------------------------------- /rules/apt/apt_silence_eda.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/apt/apt_silence_eda.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_attached_malicious_lambda_layer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_cloudtrail_disable_logging.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_cloudtrail_disable_logging.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_config_disable_recording.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_config_disable_recording.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_ec2_disable_encryption.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_ec2_disable_encryption.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_ec2_download_userdata.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_ec2_download_userdata.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_ec2_startup_script_change.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_ec2_startup_script_change.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_ec2_vm_export_failure.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_ec2_vm_export_failure.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_elasticache_security_group_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_elasticache_security_group_created.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_enum_listing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_enum_listing.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_guardduty_disruption.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_guardduty_disruption.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_iam_backdoor_users_keys.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_iam_backdoor_users_keys.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_macic_evasion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_macic_evasion.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_rds_change_master_password.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_rds_change_master_password.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_rds_public_db_restore.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_rds_public_db_restore.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_root_account_usage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_root_account_usage.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_s3_data_management_tampering.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_s3_data_management_tampering.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_securityhub_finding_evasion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_securityhub_finding_evasion.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_snapshot_backup_exfiltration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_sts_assumerole_misuse.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_sts_assumerole_misuse.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_suspicious_saml_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_suspicious_saml_activity.yml -------------------------------------------------------------------------------- /rules/cloud/aws/aws_update_login_profile.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/aws/aws_update_login_profile.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_account_lockout.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_account_lockout.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_ad_user_added_to_admin_role.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_app_credential_modification.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_app_credential_modification.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_application_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_application_deleted.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_federation_modified.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_federation_modified.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_firewall_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_firewall_modified_or_deleted.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_keyvault_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_kubernetes_events_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_kubernetes_events_deleted.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_kubernetes_pods_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_kubernetes_pods_deleted.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_kubernetes_role_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_kubernetes_role_access.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_login_to_disabled_account.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_login_to_disabled_account.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_mfa_interrupted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_mfa_interrupted.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_new_cloudshell_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_new_cloudshell_created.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_rare_operations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_rare_operations.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_service_principal_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_service_principal_created.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_service_principal_removed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_service_principal_removed.yml -------------------------------------------------------------------------------- /rules/cloud/azure/azure_suppression_rule_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/azure/azure_suppression_rule_created.yml -------------------------------------------------------------------------------- /rules/cloud/gcp/gcp_bucket_enumeration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/gcp/gcp_bucket_enumeration.yml -------------------------------------------------------------------------------- /rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml -------------------------------------------------------------------------------- /rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml -------------------------------------------------------------------------------- /rules/cloud/gcp/gcp_kubernetes_rolebinding.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml -------------------------------------------------------------------------------- /rules/cloud/gcp/gcp_service_account_modified.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/gcp/gcp_service_account_modified.yml -------------------------------------------------------------------------------- /rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml -------------------------------------------------------------------------------- /rules/cloud/gworkspace/gworkspace_mfa_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml -------------------------------------------------------------------------------- /rules/cloud/okta/okta_api_token_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/okta/okta_api_token_created.yml -------------------------------------------------------------------------------- /rules/cloud/okta/okta_api_token_revoked.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/okta/okta_api_token_revoked.yml -------------------------------------------------------------------------------- /rules/cloud/okta/okta_mfa_reset_or_deactivated.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml -------------------------------------------------------------------------------- /rules/cloud/okta/okta_policy_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/okta/okta_policy_modified_or_deleted.yml -------------------------------------------------------------------------------- /rules/cloud/okta/okta_security_threat_detected.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/okta/okta_security_threat_detected.yml -------------------------------------------------------------------------------- /rules/cloud/okta/okta_unauthorized_access_to_app.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/okta/okta_unauthorized_access_to_app.yml -------------------------------------------------------------------------------- /rules/cloud/okta/okta_user_account_locked_out.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/okta/okta_user_account_locked_out.yml -------------------------------------------------------------------------------- /rules/cloud/onelogin/onelogin_assumed_another_user.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/onelogin/onelogin_assumed_another_user.yml -------------------------------------------------------------------------------- /rules/cloud/onelogin/onelogin_user_account_locked.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/cloud/onelogin/onelogin_user_account_locked.yml -------------------------------------------------------------------------------- /rules/compliance/default_credentials_usage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/compliance/default_credentials_usage.yml -------------------------------------------------------------------------------- /rules/compliance/firewall_cleartext_protocols.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/compliance/firewall_cleartext_protocols.yml -------------------------------------------------------------------------------- /rules/compliance/group_modification_logging.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/compliance/group_modification_logging.yml -------------------------------------------------------------------------------- /rules/compliance/host_without_firewall.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/compliance/host_without_firewall.yml -------------------------------------------------------------------------------- /rules/compliance/netflow_cleartext_protocols.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/compliance/netflow_cleartext_protocols.yml -------------------------------------------------------------------------------- /rules/compliance/workstation_was_locked.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/compliance/workstation_was_locked.yml -------------------------------------------------------------------------------- /rules/generic/generic_brute_force.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/generic/generic_brute_force.yml -------------------------------------------------------------------------------- /rules/linux/at_command.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/at_command.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_alter_bash_profile.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_audio_capture.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_audio_capture.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_auditing_config_change.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_auditing_config_change.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_binary_padding.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_binary_padding.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_change_file_time_attr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_clipboard_collection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_clipboard_collection.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_coinminer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_coinminer.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_create_account.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_create_account.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_dd_delete_file.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_dd_delete_file.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_find_cred_in_files.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_logging_config_change.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_logging_config_change.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_masquerading_crond.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_masquerading_crond.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_screencapture_import.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_screencapture_import.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_susp_c2_commands.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_susp_cmds.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_susp_cmds.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_susp_exe_folders.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_system_info_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_system_info_discovery.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_system_info_discovery2.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_user_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_user_discovery.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_web_rce.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_auditd_web_rce.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_data_compressed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_data_compressed.yml -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_network_sniffing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/auditd/lnx_network_sniffing.yml -------------------------------------------------------------------------------- /rules/linux/lnx_apt_equationgroup_lnx.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_apt_equationgroup_lnx.yml -------------------------------------------------------------------------------- /rules/linux/lnx_base64_decode.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_base64_decode.yml -------------------------------------------------------------------------------- /rules/linux/lnx_buffer_overflows.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_buffer_overflows.yml -------------------------------------------------------------------------------- /rules/linux/lnx_clamav.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_clamav.yml -------------------------------------------------------------------------------- /rules/linux/lnx_clear_logs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_clear_logs.yml -------------------------------------------------------------------------------- /rules/linux/lnx_clear_syslog.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_clear_syslog.yml -------------------------------------------------------------------------------- /rules/linux/lnx_file_and_directory_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_file_and_directory_discovery.yml -------------------------------------------------------------------------------- /rules/linux/lnx_file_copy.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_file_copy.yml -------------------------------------------------------------------------------- /rules/linux/lnx_file_deletion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_file_deletion.yml -------------------------------------------------------------------------------- /rules/linux/lnx_install_root_certificate.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_install_root_certificate.yml -------------------------------------------------------------------------------- /rules/linux/lnx_ldso_preload_injection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_ldso_preload_injection.yml -------------------------------------------------------------------------------- /rules/linux/lnx_local_account.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_local_account.yml -------------------------------------------------------------------------------- /rules/linux/lnx_local_groups.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_local_groups.yml -------------------------------------------------------------------------------- /rules/linux/lnx_network_service_scanning.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_network_service_scanning.yml -------------------------------------------------------------------------------- /rules/linux/lnx_process_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_process_discovery.yml -------------------------------------------------------------------------------- /rules/linux/lnx_proxy_connection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_proxy_connection.yml -------------------------------------------------------------------------------- /rules/linux/lnx_remote_system_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_remote_system_discovery.yml -------------------------------------------------------------------------------- /rules/linux/lnx_schedule_task_job_cron.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_schedule_task_job_cron.yml -------------------------------------------------------------------------------- /rules/linux/lnx_security_software_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_security_software_discovery.yml -------------------------------------------------------------------------------- /rules/linux/lnx_security_tools_disabling.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_security_tools_disabling.yml -------------------------------------------------------------------------------- /rules/linux/lnx_security_tools_disabling_syslog.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_security_tools_disabling_syslog.yml -------------------------------------------------------------------------------- /rules/linux/lnx_setgid_setuid.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_setgid_setuid.yml -------------------------------------------------------------------------------- /rules/linux/lnx_shell_clear_cmd_history.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_shell_clear_cmd_history.yml -------------------------------------------------------------------------------- /rules/linux/lnx_shell_priv_esc_prep.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_shell_priv_esc_prep.yml -------------------------------------------------------------------------------- /rules/linux/lnx_shell_susp_commands.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_shell_susp_commands.yml -------------------------------------------------------------------------------- /rules/linux/lnx_shell_susp_log_entries.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_shell_susp_log_entries.yml -------------------------------------------------------------------------------- /rules/linux/lnx_shell_susp_rev_shells.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_shell_susp_rev_shells.yml -------------------------------------------------------------------------------- /rules/linux/lnx_shellshock.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_shellshock.yml -------------------------------------------------------------------------------- /rules/linux/lnx_space_after_filename_.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_space_after_filename_.yml -------------------------------------------------------------------------------- /rules/linux/lnx_ssh_cve_2018_15473.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_ssh_cve_2018_15473.yml -------------------------------------------------------------------------------- /rules/linux/lnx_sudo_cve_2019_14287.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_sudo_cve_2019_14287.yml -------------------------------------------------------------------------------- /rules/linux/lnx_sudo_cve_2019_14287_user.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_sudo_cve_2019_14287_user.yml -------------------------------------------------------------------------------- /rules/linux/lnx_susp_failed_logons_single_source.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_susp_failed_logons_single_source.yml -------------------------------------------------------------------------------- /rules/linux/lnx_susp_guacamole.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_susp_guacamole.yml -------------------------------------------------------------------------------- /rules/linux/lnx_susp_jexboss.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_susp_jexboss.yml -------------------------------------------------------------------------------- /rules/linux/lnx_susp_named.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_susp_named.yml -------------------------------------------------------------------------------- /rules/linux/lnx_susp_ssh.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_susp_ssh.yml -------------------------------------------------------------------------------- /rules/linux/lnx_susp_vsftp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_susp_vsftp.yml -------------------------------------------------------------------------------- /rules/linux/lnx_symlink_etc_passwd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_symlink_etc_passwd.yml -------------------------------------------------------------------------------- /rules/linux/lnx_system_info_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_system_info_discovery.yml -------------------------------------------------------------------------------- /rules/linux/lnx_system_network_connections_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_system_network_connections_discovery.yml -------------------------------------------------------------------------------- /rules/linux/lnx_system_network_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/lnx_system_network_discovery.yml -------------------------------------------------------------------------------- /rules/linux/macos_applescript.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_applescript.yml -------------------------------------------------------------------------------- /rules/linux/macos_base64_decode.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_base64_decode.yml -------------------------------------------------------------------------------- /rules/linux/macos_binary_padding.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_binary_padding.yml -------------------------------------------------------------------------------- /rules/linux/macos_change_file_time_attr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_change_file_time_attr.yml -------------------------------------------------------------------------------- /rules/linux/macos_clear_system_logs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_clear_system_logs.yml -------------------------------------------------------------------------------- /rules/linux/macos_create_account.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_create_account.yml -------------------------------------------------------------------------------- /rules/linux/macos_create_hidden_account.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_create_hidden_account.yml -------------------------------------------------------------------------------- /rules/linux/macos_creds_from_keychain.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_creds_from_keychain.yml -------------------------------------------------------------------------------- /rules/linux/macos_disable_security_tools.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_disable_security_tools.yml -------------------------------------------------------------------------------- /rules/linux/macos_emond_launch_daemon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_emond_launch_daemon.yml -------------------------------------------------------------------------------- /rules/linux/macos_file_and_directory_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_file_and_directory_discovery.yml -------------------------------------------------------------------------------- /rules/linux/macos_find_cred_in_files.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_find_cred_in_files.yml -------------------------------------------------------------------------------- /rules/linux/macos_gui_input_capture.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_gui_input_capture.yml -------------------------------------------------------------------------------- /rules/linux/macos_local_account.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_local_account.yml -------------------------------------------------------------------------------- /rules/linux/macos_local_groups.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_local_groups.yml -------------------------------------------------------------------------------- /rules/linux/macos_network_service_scanning.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_network_service_scanning.yml -------------------------------------------------------------------------------- /rules/linux/macos_network_sniffing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_network_sniffing.yml -------------------------------------------------------------------------------- /rules/linux/macos_remote_system_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_remote_system_discovery.yml -------------------------------------------------------------------------------- /rules/linux/macos_schedule_task_job_cron.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_schedule_task_job_cron.yml -------------------------------------------------------------------------------- /rules/linux/macos_screencapture.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_screencapture.yml -------------------------------------------------------------------------------- /rules/linux/macos_security_software_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_security_software_discovery.yml -------------------------------------------------------------------------------- /rules/linux/macos_split_file_into_pieces.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_split_file_into_pieces.yml -------------------------------------------------------------------------------- /rules/linux/macos_startup_items.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_startup_items.yml -------------------------------------------------------------------------------- /rules/linux/macos_susp_histfile_operations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_susp_histfile_operations.yml -------------------------------------------------------------------------------- /rules/linux/macos_suspicious_macos_firmware_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_suspicious_macos_firmware_activity.yml -------------------------------------------------------------------------------- /rules/linux/macos_system_network_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_system_network_discovery.yml -------------------------------------------------------------------------------- /rules/linux/macos_system_shutdown_reboot.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_system_shutdown_reboot.yml -------------------------------------------------------------------------------- /rules/linux/macos_xattr_gatekeeper_bypass.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/macos_xattr_gatekeeper_bypass.yml -------------------------------------------------------------------------------- /rules/linux/modsecurity/modsec_mulitple_blocks.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/linux/modsecurity/modsec_mulitple_blocks.yml -------------------------------------------------------------------------------- /rules/network/cisco/aaa/cisco_cli_clear_logs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/cisco/aaa/cisco_cli_clear_logs.yml -------------------------------------------------------------------------------- /rules/network/cisco/aaa/cisco_cli_collect_data.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/cisco/aaa/cisco_cli_collect_data.yml -------------------------------------------------------------------------------- /rules/network/cisco/aaa/cisco_cli_crypto_actions.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml -------------------------------------------------------------------------------- /rules/network/cisco/aaa/cisco_cli_disable_logging.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/cisco/aaa/cisco_cli_disable_logging.yml -------------------------------------------------------------------------------- /rules/network/cisco/aaa/cisco_cli_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/cisco/aaa/cisco_cli_discovery.yml -------------------------------------------------------------------------------- /rules/network/cisco/aaa/cisco_cli_dos.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/cisco/aaa/cisco_cli_dos.yml -------------------------------------------------------------------------------- /rules/network/cisco/aaa/cisco_cli_file_deletion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/cisco/aaa/cisco_cli_file_deletion.yml -------------------------------------------------------------------------------- /rules/network/cisco/aaa/cisco_cli_input_capture.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/cisco/aaa/cisco_cli_input_capture.yml -------------------------------------------------------------------------------- /rules/network/cisco/aaa/cisco_cli_local_accounts.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/cisco/aaa/cisco_cli_local_accounts.yml -------------------------------------------------------------------------------- /rules/network/cisco/aaa/cisco_cli_modify_config.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/cisco/aaa/cisco_cli_modify_config.yml -------------------------------------------------------------------------------- /rules/network/cisco/aaa/cisco_cli_moving_data.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/cisco/aaa/cisco_cli_moving_data.yml -------------------------------------------------------------------------------- /rules/network/cisco/aaa/cisco_cli_net_sniff.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/cisco/aaa/cisco_cli_net_sniff.yml -------------------------------------------------------------------------------- /rules/network/net_apt_equationgroup_c2.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_apt_equationgroup_c2.yml -------------------------------------------------------------------------------- /rules/network/net_dns_c2_detection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_dns_c2_detection.yml -------------------------------------------------------------------------------- /rules/network/net_firewall_high_dns_bytes_out.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_firewall_high_dns_bytes_out.yml -------------------------------------------------------------------------------- /rules/network/net_firewall_high_dns_requests_rate.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_firewall_high_dns_requests_rate.yml -------------------------------------------------------------------------------- /rules/network/net_high_dns_bytes_out.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_high_dns_bytes_out.yml -------------------------------------------------------------------------------- /rules/network/net_high_dns_requests_rate.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_high_dns_requests_rate.yml -------------------------------------------------------------------------------- /rules/network/net_high_null_records_requests_rate.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_high_null_records_requests_rate.yml -------------------------------------------------------------------------------- /rules/network/net_high_txt_records_requests_rate.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_high_txt_records_requests_rate.yml -------------------------------------------------------------------------------- /rules/network/net_mal_dns_cobaltstrike.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_mal_dns_cobaltstrike.yml -------------------------------------------------------------------------------- /rules/network/net_susp_dns_b64_queries.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_susp_dns_b64_queries.yml -------------------------------------------------------------------------------- /rules/network/net_susp_dns_txt_exec_strings.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_susp_dns_txt_exec_strings.yml -------------------------------------------------------------------------------- /rules/network/net_susp_ipify.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_susp_ipify.yml -------------------------------------------------------------------------------- /rules/network/net_susp_network_scan_by_ip.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_susp_network_scan_by_ip.yml -------------------------------------------------------------------------------- /rules/network/net_susp_network_scan_by_port.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_susp_network_scan_by_port.yml -------------------------------------------------------------------------------- /rules/network/net_susp_telegram_api.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_susp_telegram_api.yml -------------------------------------------------------------------------------- /rules/network/net_wannacry_killswitch_domain.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/net_wannacry_killswitch_domain.yml -------------------------------------------------------------------------------- /rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml -------------------------------------------------------------------------------- /rules/network/zeek/zeek_dns_mining_pools.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/zeek/zeek_dns_mining_pools.yml -------------------------------------------------------------------------------- /rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml -------------------------------------------------------------------------------- /rules/network/zeek/zeek_dns_torproxy.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/zeek/zeek_dns_torproxy.yml -------------------------------------------------------------------------------- /rules/network/zeek/zeek_http_omigod_no_auth_rce.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml -------------------------------------------------------------------------------- /rules/network/zeek/zeek_http_webdav_put_request.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/zeek/zeek_http_webdav_put_request.yml -------------------------------------------------------------------------------- /rules/network/zeek/zeek_rdp_public_listener.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/zeek/zeek_rdp_public_listener.yml -------------------------------------------------------------------------------- /rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml -------------------------------------------------------------------------------- /rules/network/zeek/zeek_susp_kerberos_rc4.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/network/zeek/zeek_susp_kerberos_rc4.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_apt40.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_apt40.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_apt_domestic_kitten.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_apt_domestic_kitten.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_baby_shark.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_baby_shark.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_chafer_malware.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_chafer_malware.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_cobalt_amazon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_cobalt_amazon.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_cobalt_malformed_uas.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_cobalt_malformed_uas.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_cobalt_ocsp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_cobalt_ocsp.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_cobalt_onedrive.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_cobalt_onedrive.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_download_susp_dyndns.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_download_susp_dyndns.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_download_susp_tlds_blacklist.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_download_susp_tlds_blacklist.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_download_susp_tlds_whitelist.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_download_susp_tlds_whitelist.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_downloadcradle_webdav.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_downloadcradle_webdav.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_empire_ua_uri_combos.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_empire_ua_uri_combos.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_empty_ua.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_empty_ua.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_ios_implant.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_ios_implant.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_powershell_ua.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_powershell_ua.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_pwndrop.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_pwndrop.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_raw_paste_service_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_raw_paste_service_access.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_susp_flash_download_loc.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_susp_flash_download_loc.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_telegram_api.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_telegram_api.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_turla_comrat.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_turla_comrat.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_ua_apt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_ua_apt.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_ua_bitsadmin_susp_tld.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_ua_cryptominer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_ua_cryptominer.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_ua_frameworks.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_ua_frameworks.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_ua_hacktool.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_ua_hacktool.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_ua_malware.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_ua_malware.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_ua_suspicious.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_ua_suspicious.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_ursnif_malware_c2_url.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_ursnif_malware_c2_url.yml -------------------------------------------------------------------------------- /rules/proxy/proxy_ursnif_malware_download_url.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/proxy/proxy_ursnif_malware_download_url.yml -------------------------------------------------------------------------------- /rules/web/sql_injection_keywords.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/sql_injection_keywords.yml -------------------------------------------------------------------------------- /rules/web/web_apache_segfault.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_apache_segfault.yml -------------------------------------------------------------------------------- /rules/web/web_apache_threading_error.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_apache_threading_error.yml -------------------------------------------------------------------------------- /rules/web/web_citrix_cve_2019_19781_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_citrix_cve_2019_19781_exploit.yml -------------------------------------------------------------------------------- /rules/web/web_citrix_cve_2020_8193_8195_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml -------------------------------------------------------------------------------- /rules/web/web_cve_2010_5278_exploitation_attempt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_cve_2010_5278_exploitation_attempt.yml -------------------------------------------------------------------------------- /rules/web/web_cve_2018_2894_weblogic_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_cve_2018_2894_weblogic_exploit.yml -------------------------------------------------------------------------------- /rules/web/web_cve_2019_3398_confluence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_cve_2019_3398_confluence.yml -------------------------------------------------------------------------------- /rules/web/web_cve_2020_0688_msexchange.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_cve_2020_0688_msexchange.yml -------------------------------------------------------------------------------- /rules/web/web_cve_2020_14882_weblogic_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_cve_2020_14882_weblogic_exploit.yml -------------------------------------------------------------------------------- /rules/web/web_cve_2020_3452_cisco_asa_ftd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml -------------------------------------------------------------------------------- /rules/web/web_cve_2020_5902_f5_bigip.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_cve_2020_5902_f5_bigip.yml -------------------------------------------------------------------------------- /rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml -------------------------------------------------------------------------------- /rules/web/web_cve_2021_22005_vmware_file_upload.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_cve_2021_22005_vmware_file_upload.yml -------------------------------------------------------------------------------- /rules/web/web_cve_2021_26814_wzuh_rce.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_cve_2021_26814_wzuh_rce.yml -------------------------------------------------------------------------------- /rules/web/web_cve_2021_26858_iis_rce.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_cve_2021_26858_iis_rce.yml -------------------------------------------------------------------------------- /rules/web/web_cve_2021_33766_msexchange_proxytoken.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml -------------------------------------------------------------------------------- /rules/web/web_cve_2021_40539_adselfservice.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_cve_2021_40539_adselfservice.yml -------------------------------------------------------------------------------- /rules/web/web_cve_2021_41773_apache_path_traversal.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_cve_2021_41773_apache_path_traversal.yml -------------------------------------------------------------------------------- /rules/web/web_exchange_cve_2020_0688_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_exchange_cve_2020_0688_exploit.yml -------------------------------------------------------------------------------- /rules/web/web_exchange_exploitation_hafnium.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_exchange_exploitation_hafnium.yml -------------------------------------------------------------------------------- /rules/web/web_exchange_proxyshell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_exchange_proxyshell.yml -------------------------------------------------------------------------------- /rules/web/web_exchange_proxyshell_successful.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_exchange_proxyshell_successful.yml -------------------------------------------------------------------------------- /rules/web/web_expl_exchange_cve_2021_28480.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_expl_exchange_cve_2021_28480.yml -------------------------------------------------------------------------------- /rules/web/web_fortinet_cve_2021_22123_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_fortinet_cve_2021_22123_exploit.yml -------------------------------------------------------------------------------- /rules/web/web_iis_tilt_shortname_scan.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_iis_tilt_shortname_scan.yml -------------------------------------------------------------------------------- /rules/web/web_nginx_core_dump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_nginx_core_dump.yml -------------------------------------------------------------------------------- /rules/web/web_path_traversal_exploitation_attempt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_path_traversal_exploitation_attempt.yml -------------------------------------------------------------------------------- /rules/web/web_pulsesecure_cve_2019_11510.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_pulsesecure_cve_2019_11510.yml -------------------------------------------------------------------------------- /rules/web/web_solarwinds_cve_2020_10148.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_solarwinds_cve_2020_10148.yml -------------------------------------------------------------------------------- /rules/web/web_solarwinds_supernova_webshell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_solarwinds_supernova_webshell.yml -------------------------------------------------------------------------------- /rules/web/web_sonicwall_jarrewrite_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_sonicwall_jarrewrite_exploit.yml -------------------------------------------------------------------------------- /rules/web/web_source_code_enumeration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_source_code_enumeration.yml -------------------------------------------------------------------------------- /rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml -------------------------------------------------------------------------------- /rules/web/web_unc2546_dewmode_php_webshell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_unc2546_dewmode_php_webshell.yml -------------------------------------------------------------------------------- /rules/web/web_webshell_keyword.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/web_webshell_keyword.yml -------------------------------------------------------------------------------- /rules/web/win_powershell_snapins_hafnium.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/win_powershell_snapins_hafnium.yml -------------------------------------------------------------------------------- /rules/web/win_webshell_regeorg.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/win_webshell_regeorg.yml -------------------------------------------------------------------------------- /rules/web/xss_keywords.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/web/xss_keywords.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_account_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_account_discovery.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_ad_object_writedac_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_ad_object_writedac_access.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_ad_user_enumeration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_ad_user_enumeration.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_admin_rdp_login.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_admin_rdp_login.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_admin_share_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_admin_share_access.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_alert_ad_user_backdoors.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_alert_ad_user_backdoors.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_alert_lsass_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_alert_lsass_access.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_alert_mimikatz_keywords.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_alert_mimikatz_keywords.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_alert_ruler.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_alert_ruler.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_apt_carbonpaper_turla.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_apt_carbonpaper_turla.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_apt_chafer_mar18_security.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_apt_chafer_mar18_security.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_apt_chafer_mar18_system.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_apt_chafer_mar18_system.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_apt_gallium.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_apt_gallium.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_apt_slingshot.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_apt_slingshot.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_apt_stonedrill.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_apt_stonedrill.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_apt_turla_service_png.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_apt_turla_service_png.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_apt_wocao.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_apt_wocao.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_atsvc_task.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_atsvc_task.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_audit_cve.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_audit_cve.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_av_relevant_match.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_av_relevant_match.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_camera_microphone_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_camera_microphone_access.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_dcsync.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_dcsync.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_disable_event_logging.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_disable_event_logging.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_etw_modification.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_etw_modification.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_event_log_cleared.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_event_log_cleared.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_exchange_transportagent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_exchange_transportagent.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_external_device.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_external_device.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_global_catalog_enumeration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_global_catalog_enumeration.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_gpo_scheduledtasks.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_gpo_scheduledtasks.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_hack_smbexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_hack_smbexec.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_hidden_user_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_hidden_user_creation.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_impacket_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_impacket_psexec.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_impacket_secretdump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_impacket_secretdump.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_iso_mount.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_iso_mount.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_lm_namedpipe.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_lm_namedpipe.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_lolbas_execution_of_nltest.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_lolbas_execution_of_nltest.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_mal_creddumper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_mal_creddumper.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_mal_wceaux_dll.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_mal_wceaux_dll.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_metasploit_authentication.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_metasploit_authentication.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_mmc20_lateral_movement.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_mmc20_lateral_movement.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_moriya_rootkit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_moriya_rootkit.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_net_ntlm_downgrade.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_net_ntlm_downgrade.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_net_use_admin_share.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_net_use_admin_share.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_not_allowed_rdp_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_not_allowed_rdp_access.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_ntfs_vuln_exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_ntfs_vuln_exploit.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_overpass_the_hash.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_overpass_the_hash.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_pass_the_hash.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_pass_the_hash.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_pass_the_hash_2.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_pass_the_hash_2.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_petitpotam_network_share.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_petitpotam_network_share.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_possible_dc_shadow.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_possible_dc_shadow.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_privesc_cve_2020_1472.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_privesc_cve_2020_1472.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_rare_schtasks_creations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_rare_schtasks_creations.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_rare_service_installs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_rare_service_installs.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_rdp_localhost_login.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_rdp_localhost_login.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_rdp_reverse_tunnel.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_rdp_reverse_tunnel.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_remote_powershell_session.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_remote_powershell_session.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_root_certificate_installed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_root_certificate_installed.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_scheduled_task_deletion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_scheduled_task_deletion.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_security_mal_creddumper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_security_mal_creddumper.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_software_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_software_discovery.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_add_domain_trust.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_add_domain_trust.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_add_sid_history.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_add_sid_history.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_backup_delete.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_backup_delete.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_dhcp_config.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_dhcp_config.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_dhcp_config_failed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_dhcp_config_failed.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_dns_config.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_dns_config.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_dsrm_password_change.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_dsrm_password_change.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_eventlog_cleared.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_eventlog_cleared.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_failed_guest_logon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_failed_guest_logon.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_failed_logon_reasons.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_failed_logon_reasons.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_failed_logon_source.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_failed_logon_source.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_interactive_logons.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_interactive_logons.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_kerberos_manipulation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_kerberos_manipulation.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_ldap_dataexchange.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_ldap_dataexchange.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_lsass_dump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_lsass_dump.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_lsass_dump_generic.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_lsass_dump_generic.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_mshta_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_mshta_execution.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_msmpeng_crash.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_msmpeng_crash.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_net_recon_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_net_recon_activity.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_ntlm_auth.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_ntlm_auth.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_ntlm_rdp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_ntlm_rdp.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_proceshacker.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_proceshacker.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_psexec.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_rc4_kerberos.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_rc4_kerberos.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_rottenpotato.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_rottenpotato.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_sam_dump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_sam_dump.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_samr_pwset.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_samr_pwset.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_sdelete.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_sdelete.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_time_modification.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_time_modification.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_susp_wmi_login.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_susp_wmi_login.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_svcctl_remote_service.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_svcctl_remote_service.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_syskey_registry_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_syskey_registry_access.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_tap_driver_installation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_tap_driver_installation.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_usb_device_plugged.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_usb_device_plugged.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_user_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_user_creation.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_user_driver_loaded.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_user_driver_loaded.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_volume_shadow_copy_mount.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_volume_shadow_copy_mount.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_vul_cve_2020_0688.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_vul_cve_2020_0688.yml -------------------------------------------------------------------------------- /rules/windows/builtin/win_vul_cve_2020_1472.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/builtin/win_vul_cve_2020_1472.yml -------------------------------------------------------------------------------- /rules/windows/deprecated/win_susp_esentutl_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/deprecated/win_susp_esentutl_activity.yml -------------------------------------------------------------------------------- /rules/windows/dns_query/dns_query_mega_nz.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/dns_query/dns_query_mega_nz.yml -------------------------------------------------------------------------------- /rules/windows/driver_load/driver_load_mal_creddumper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/driver_load/driver_load_mal_creddumper.yml -------------------------------------------------------------------------------- /rules/windows/driver_load/driver_load_susp_temp_use.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/driver_load/driver_load_susp_temp_use.yml -------------------------------------------------------------------------------- /rules/windows/driver_load/driver_load_windivert.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/driver_load/driver_load_windivert.yml -------------------------------------------------------------------------------- /rules/windows/file_delete/sysmon_delete_prefetch.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_delete/sysmon_delete_prefetch.yml -------------------------------------------------------------------------------- /rules/windows/file_event/file_event_hack_dumpert.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/file_event_hack_dumpert.yml -------------------------------------------------------------------------------- /rules/windows/file_event/file_event_mal_adwind.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/file_event_mal_adwind.yml -------------------------------------------------------------------------------- /rules/windows/file_event/file_event_moriya_rootkit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/file_event_moriya_rootkit.yml -------------------------------------------------------------------------------- /rules/windows/file_event/file_event_tool_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/file_event_tool_psexec.yml -------------------------------------------------------------------------------- /rules/windows/file_event/file_event_uac_bypass_wmp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/file_event_uac_bypass_wmp.yml -------------------------------------------------------------------------------- /rules/windows/file_event/file_event_winrm_awl_bypass.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/file_event_winrm_awl_bypass.yml -------------------------------------------------------------------------------- /rules/windows/file_event/sysmon_creation_system_file.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/sysmon_creation_system_file.yml -------------------------------------------------------------------------------- /rules/windows/file_event/sysmon_ghostpack_safetykatz.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml -------------------------------------------------------------------------------- /rules/windows/file_event/sysmon_office_persistence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/sysmon_office_persistence.yml -------------------------------------------------------------------------------- /rules/windows/file_event/sysmon_outlook_newform.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/sysmon_outlook_newform.yml -------------------------------------------------------------------------------- /rules/windows/file_event/sysmon_pcre_net_temp_file.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/sysmon_pcre_net_temp_file.yml -------------------------------------------------------------------------------- /rules/windows/file_event/sysmon_quarkspw_filedump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/sysmon_quarkspw_filedump.yml -------------------------------------------------------------------------------- /rules/windows/file_event/sysmon_susp_clr_logs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/sysmon_susp_clr_logs.yml -------------------------------------------------------------------------------- /rules/windows/file_event/sysmon_susp_desktop_ini.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/sysmon_susp_desktop_ini.yml -------------------------------------------------------------------------------- /rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml -------------------------------------------------------------------------------- /rules/windows/file_event/win_rclone_exec_file.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/file_event/win_rclone_exec_file.yml -------------------------------------------------------------------------------- /rules/windows/image_load/sysmon_foggyweb_nobelium.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/image_load/sysmon_foggyweb_nobelium.yml -------------------------------------------------------------------------------- /rules/windows/image_load/sysmon_in_memory_powershell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/image_load/sysmon_in_memory_powershell.yml -------------------------------------------------------------------------------- /rules/windows/image_load/sysmon_pcre_net_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/image_load/sysmon_pcre_net_load.yml -------------------------------------------------------------------------------- /rules/windows/image_load/sysmon_spoolsv_dll_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/image_load/sysmon_spoolsv_dll_load.yml -------------------------------------------------------------------------------- /rules/windows/image_load/sysmon_susp_fax_dll.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/image_load/sysmon_susp_fax_dll.yml -------------------------------------------------------------------------------- /rules/windows/image_load/sysmon_susp_image_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/image_load/sysmon_susp_image_load.yml -------------------------------------------------------------------------------- /rules/windows/image_load/sysmon_tttracer_mod_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/image_load/sysmon_tttracer_mod_load.yml -------------------------------------------------------------------------------- /rules/windows/image_load/sysmon_uac_bypass_via_dism.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml -------------------------------------------------------------------------------- /rules/windows/image_load/sysmon_wmi_module_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/image_load/sysmon_wmi_module_load.yml -------------------------------------------------------------------------------- /rules/windows/image_load/win_susp_svchost_clfsw32.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/image_load/win_susp_svchost_clfsw32.yml -------------------------------------------------------------------------------- /rules/windows/image_load/win_suspicious_vss_ps_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/image_load/win_suspicious_vss_ps_load.yml -------------------------------------------------------------------------------- /rules/windows/malware/av_exploiting.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/malware/av_exploiting.yml -------------------------------------------------------------------------------- /rules/windows/malware/av_hacktool.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/malware/av_hacktool.yml -------------------------------------------------------------------------------- /rules/windows/malware/av_password_dumper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/malware/av_password_dumper.yml -------------------------------------------------------------------------------- /rules/windows/malware/av_relevant_files.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/malware/av_relevant_files.yml -------------------------------------------------------------------------------- /rules/windows/malware/av_webshell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/malware/av_webshell.yml -------------------------------------------------------------------------------- /rules/windows/malware/file_event_mal_octopus_scanner.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/malware/file_event_mal_octopus_scanner.yml -------------------------------------------------------------------------------- /rules/windows/malware/process_creation_mal_ryuk.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/malware/process_creation_mal_ryuk.yml -------------------------------------------------------------------------------- /rules/windows/malware/registry_event_mal_azorult.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/malware/registry_event_mal_azorult.yml -------------------------------------------------------------------------------- /rules/windows/malware/registry_event_mal_flowcloud.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/malware/registry_event_mal_flowcloud.yml -------------------------------------------------------------------------------- /rules/windows/malware/registry_event_mal_ursnif.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/malware/registry_event_mal_ursnif.yml -------------------------------------------------------------------------------- /rules/windows/network_connection/sysmon_susp_rdp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/network_connection/sysmon_susp_rdp.yml -------------------------------------------------------------------------------- /rules/windows/other/win_defender_amsi_trigger.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/other/win_defender_amsi_trigger.yml -------------------------------------------------------------------------------- /rules/windows/other/win_defender_bypass.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/other/win_defender_bypass.yml -------------------------------------------------------------------------------- /rules/windows/other/win_defender_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/other/win_defender_disabled.yml -------------------------------------------------------------------------------- /rules/windows/other/win_defender_exclusions.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/other/win_defender_exclusions.yml -------------------------------------------------------------------------------- /rules/windows/other/win_defender_history_delete.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/other/win_defender_history_delete.yml -------------------------------------------------------------------------------- /rules/windows/other/win_defender_psexec_wmi_asr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/other/win_defender_psexec_wmi_asr.yml -------------------------------------------------------------------------------- /rules/windows/other/win_defender_threat.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/other/win_defender_threat.yml -------------------------------------------------------------------------------- /rules/windows/other/win_lateral_movement_condrv.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/other/win_lateral_movement_condrv.yml -------------------------------------------------------------------------------- /rules/windows/other/win_ldap_recon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/other/win_ldap_recon.yml -------------------------------------------------------------------------------- /rules/windows/other/win_pcap_drivers.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/other/win_pcap_drivers.yml -------------------------------------------------------------------------------- /rules/windows/other/win_rare_schtask_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/other/win_rare_schtask_creation.yml -------------------------------------------------------------------------------- /rules/windows/other/win_security_wmi_persistence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/other/win_security_wmi_persistence.yml -------------------------------------------------------------------------------- /rules/windows/other/win_system_defender_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/other/win_system_defender_disabled.yml -------------------------------------------------------------------------------- /rules/windows/other/win_tool_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/other/win_tool_psexec.yml -------------------------------------------------------------------------------- /rules/windows/other/win_wmi_persistence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/other/win_wmi_persistence.yml -------------------------------------------------------------------------------- /rules/windows/pipe_created/pipe_created_tool_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/pipe_created/pipe_created_tool_psexec.yml -------------------------------------------------------------------------------- /rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml -------------------------------------------------------------------------------- /rules/windows/pipe_created/sysmon_mal_namedpipes.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/pipe_created/sysmon_mal_namedpipes.yml -------------------------------------------------------------------------------- /rules/windows/process_access/sysmon_invoke_phantom.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_access/sysmon_invoke_phantom.yml -------------------------------------------------------------------------------- /rules/windows/process_access/sysmon_lsass_memdump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_access/sysmon_lsass_memdump.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/process_creation_clip.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/process_creation_clip.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/sysmon_apt_sourgrum.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/sysmon_apt_sourgrum.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/sysmon_hack_wce.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/sysmon_hack_wce.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_ad_find_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_ad_find_discovery.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_babyshark.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_babyshark.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_bluemashroom.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_bluemashroom.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_cloudhopper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_cloudhopper.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_dragonfly.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_dragonfly.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_elise.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_elise.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_empiremonkey.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_empiremonkey.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_evilnum_jul20.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_evilnum_jul20.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_hafnium.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_hafnium.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_mustangpanda.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_mustangpanda.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_revil_kaseya.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_revil_kaseya.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_sofacy.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_sofacy.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_ta17_293a_ps.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_ta17_293a_ps.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_ta505_dropper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_ta505_dropper.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_taidoor.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_taidoor.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_tropictrooper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_tropictrooper.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_unc2452_cmds.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_unc2452_cmds.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_unc2452_ps.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_unc2452_ps.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_apt_zxshell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_apt_zxshell.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_bootconf_mod.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_bootconf_mod.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_bypass_squiblytwo.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_bypass_squiblytwo.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_cmdkey_recon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_cmdkey_recon.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_crime_fireball.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_crime_fireball.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_encoded_iex.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_encoded_iex.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_etw_trace_evasion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_etw_trace_evasion.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_hack_adcspwn.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_hack_adcspwn.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_hack_bloodhound.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_hack_bloodhound.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_hack_koadic.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_hack_koadic.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_hack_rubeus.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_hack_rubeus.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_hh_chm.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_hh_chm.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_html_help_spawn.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_html_help_spawn.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_hwp_exploits.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_hwp_exploits.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_indirect_cmd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_indirect_cmd.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_interactive_at.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_interactive_at.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_lethalhta.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_lethalhta.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_lsass_dump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_lsass_dump.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_mal_adwind.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_mal_adwind.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_malware_conti.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_malware_conti.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_malware_dridex.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_malware_dridex.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_malware_dtrack.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_malware_dtrack.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_malware_emotet.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_malware_emotet.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_malware_formbook.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_malware_formbook.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_malware_notpetya.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_malware_notpetya.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_malware_qbot.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_malware_qbot.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_malware_ryuk.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_malware_ryuk.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_malware_wannacry.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_malware_wannacry.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_manage_bde_lolbas.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_manage_bde_lolbas.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_mmc_spawn_shell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_mmc_spawn_shell.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_mouse_lock.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_mouse_lock.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_mshta_javascript.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_mshta_javascript.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_mshta_spawn_shell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_mshta_spawn_shell.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_net_enum.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_net_enum.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_net_user_add.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_net_user_add.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_netsh_fw_add.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_netsh_fw_add.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_netsh_port_fwd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_netsh_port_fwd.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_network_sniffing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_network_sniffing.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_nltest_recon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_nltest_recon.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_office_shell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_office_shell.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_proc_wrong_parent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_proc_wrong_parent.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_procdump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_procdump.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_psexesvc_start.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_psexesvc_start.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_query_registry.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_query_registry.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_reg_add_run_key.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_reg_add_run_key.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_regini.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_regini.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_regini_ads.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_regini_ads.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_renamed_binary.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_renamed_binary.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_renamed_jusched.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_renamed_jusched.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_renamed_megasync.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_renamed_megasync.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_renamed_paexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_renamed_paexec.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_renamed_procdump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_renamed_procdump.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_renamed_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_renamed_psexec.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_renamed_whoami.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_renamed_whoami.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_run_virtualbox.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_run_virtualbox.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_service_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_service_execution.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_service_stop.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_service_stop.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_shell_spawn_mshta.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_shell_spawn_mshta.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_spn_enum.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_spn_enum.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_adfind.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_adfind.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_atbroker.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_atbroker.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_bcdedit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_bcdedit.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_bginfo.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_bginfo.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_bitstransfer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_bitstransfer.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_calc.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_calc.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_cdb.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_cdb.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_cli_escape.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_cli_escape.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_conhost.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_conhost.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_covenant.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_covenant.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_csc.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_csc.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_csc_folder.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_csc_folder.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_csi.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_csi.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_diskshadow.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_diskshadow.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_ditsnap.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_ditsnap.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_dnx.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_dnx.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_dxcap.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_dxcap.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_explorer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_explorer.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_findstr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_findstr.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_findstr_lnk.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_findstr_lnk.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_finger_usage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_finger_usage.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_fsutil_usage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_fsutil_usage.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_ftp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_ftp.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_gup.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_gup.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_msiexec_cwd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_msiexec_cwd.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_msoffice.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_msoffice.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_ngrok_pua.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_ngrok_pua.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_ntdsutil.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_ntdsutil.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_odbcconf.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_odbcconf.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_openwith.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_openwith.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_outlook.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_outlook.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_outlook_temp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_outlook_temp.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_pcwutl.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_pcwutl.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_pester.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_pester.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_ping_hex_ip.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_ping_hex_ip.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_print.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_print.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_procdump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_procdump.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_ps_appdata.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_ps_appdata.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_psexec_eula.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_psexec_eula.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_rar_flags.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_rar_flags.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_rclone_exec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_rclone_exec.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_rpcping.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_rpcping.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_rundll32_sys.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_rundll32_sys.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_service_dir.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_service_dir.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_splwow64.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_splwow64.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_svchost.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_svchost.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_vboxdrvinst.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_vboxdrvinst.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_whoami.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_whoami.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_wsl_lolbin.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_wsl_lolbin.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_susp_wuauclt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_susp_wuauclt.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_trust_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_trust_discovery.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_uac_bypass_winsat.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_uac_bypass_winsat.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_uac_bypass_wmp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_uac_bypass_wmp.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_uac_cmstp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_uac_cmstp.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_uac_fodhelper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_uac_fodhelper.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_uac_wsreset.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_uac_wsreset.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_verclsid_runs_com.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_verclsid_runs_com.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_webshell_spawn.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_webshell_spawn.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_whoami_as_system.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_whoami_as_system.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_whoami_priv.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_whoami_priv.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_winword_dll_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_winword_dll_load.yml -------------------------------------------------------------------------------- /rules/windows/process_creation/win_workflow_compiler.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/process_creation/win_workflow_compiler.yml -------------------------------------------------------------------------------- /rules/windows/registry_event/sysmon_apt_leviathan.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/registry_event/sysmon_apt_leviathan.yml -------------------------------------------------------------------------------- /rules/windows/registry_event/sysmon_comhijack_sdclt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/registry_event/sysmon_comhijack_sdclt.yml -------------------------------------------------------------------------------- /rules/windows/registry_event/sysmon_cve_2020_1048.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/registry_event/sysmon_cve_2020_1048.yml -------------------------------------------------------------------------------- /rules/windows/registry_event/sysmon_dhcp_calloutdll.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml -------------------------------------------------------------------------------- /rules/windows/registry_event/sysmon_etw_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/registry_event/sysmon_etw_disabled.yml -------------------------------------------------------------------------------- /rules/windows/registry_event/sysmon_hack_wce_reg.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/registry_event/sysmon_hack_wce_reg.yml -------------------------------------------------------------------------------- /rules/windows/registry_event/sysmon_runkey_winekey.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/registry_event/sysmon_runkey_winekey.yml -------------------------------------------------------------------------------- /rules/windows/registry_event/sysmon_taskcache_entry.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/registry_event/sysmon_taskcache_entry.yml -------------------------------------------------------------------------------- /rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml -------------------------------------------------------------------------------- /rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml -------------------------------------------------------------------------------- /rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml -------------------------------------------------------------------------------- /sigma-schema.rx.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/sigma-schema.rx.yml -------------------------------------------------------------------------------- /tests/backend_config.yml: -------------------------------------------------------------------------------- 1 | sysmon: true 2 | -------------------------------------------------------------------------------- /tests/collection_repeat.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/collection_repeat.yml -------------------------------------------------------------------------------- /tests/config-multiple_mapping-2.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/config-multiple_mapping-2.yml -------------------------------------------------------------------------------- /tests/config-multiple_mapping.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/config-multiple_mapping.yml -------------------------------------------------------------------------------- /tests/es-query-template.jq: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/es-query-template.jq -------------------------------------------------------------------------------- /tests/invalid_config.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/invalid_config.yml -------------------------------------------------------------------------------- /tests/invalid_sigma-invalid_aggregation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/invalid_sigma-invalid_aggregation.yml -------------------------------------------------------------------------------- /tests/invalid_sigma-invalid_identifier_reference.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/invalid_sigma-invalid_identifier_reference.yml -------------------------------------------------------------------------------- /tests/invalid_sigma-no_condition.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/invalid_sigma-no_condition.yml -------------------------------------------------------------------------------- /tests/invalid_sigma-no_identifiers.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/invalid_sigma-no_identifiers.yml -------------------------------------------------------------------------------- /tests/invalid_sigma-wrong_identifier_definition.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/invalid_sigma-wrong_identifier_definition.yml -------------------------------------------------------------------------------- /tests/invalid_yaml.badyml: -------------------------------------------------------------------------------- 1 | foo: bar: foobar 2 | -------------------------------------------------------------------------------- /tests/mapping-conditional-multi.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/mapping-conditional-multi.yml -------------------------------------------------------------------------------- /tests/test-backend-es-qs.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/test-backend-es-qs.py -------------------------------------------------------------------------------- /tests/test-backend-netwitness.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/test-backend-netwitness.py -------------------------------------------------------------------------------- /tests/test-merge.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/test-merge.sh -------------------------------------------------------------------------------- /tests/test-modifiers.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/test-modifiers.yml -------------------------------------------------------------------------------- /tests/test_rules.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tests/test_rules.py -------------------------------------------------------------------------------- /tools/LICENSE.LGPL.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/LICENSE.LGPL.txt -------------------------------------------------------------------------------- /tools/LONG_DESCRIPTION.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/LONG_DESCRIPTION.md -------------------------------------------------------------------------------- /tools/MANIFEST.in: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/MANIFEST.in -------------------------------------------------------------------------------- /tools/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/README.md -------------------------------------------------------------------------------- /tools/config/ala-azure-activitylogs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ala-azure-activitylogs.yml -------------------------------------------------------------------------------- /tools/config/ala-azure-ad_auditlogs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ala-azure-ad_auditlogs.yml -------------------------------------------------------------------------------- /tools/config/ala-azure-aws_cloudtrail.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ala-azure-aws_cloudtrail.yml -------------------------------------------------------------------------------- /tools/config/ala-suricata.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ala-suricata.yml -------------------------------------------------------------------------------- /tools/config/ala.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ala.yml -------------------------------------------------------------------------------- /tools/config/arcsight-zeek.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/arcsight-zeek.yml -------------------------------------------------------------------------------- /tools/config/arcsight.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/arcsight.yml -------------------------------------------------------------------------------- /tools/config/carbon-black-eedr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/carbon-black-eedr.yml -------------------------------------------------------------------------------- /tools/config/carbon-black.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/carbon-black.yml -------------------------------------------------------------------------------- /tools/config/chronicle.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/chronicle.yml -------------------------------------------------------------------------------- /tools/config/crowdstrike.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/crowdstrike.yml -------------------------------------------------------------------------------- /tools/config/devo-network.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/devo-network.yml -------------------------------------------------------------------------------- /tools/config/devo-web.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/devo-web.yml -------------------------------------------------------------------------------- /tools/config/devo-windows.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/devo-windows.yml -------------------------------------------------------------------------------- /tools/config/ecs-auditbeat-modules-enabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ecs-auditbeat-modules-enabled.yml -------------------------------------------------------------------------------- /tools/config/ecs-auditd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ecs-auditd.yml -------------------------------------------------------------------------------- /tools/config/ecs-azure-activitylogs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ecs-azure-activitylogs.yml -------------------------------------------------------------------------------- /tools/config/ecs-azure-ad_auditlogs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ecs-azure-ad_auditlogs.yml -------------------------------------------------------------------------------- /tools/config/ecs-azure-ad_signinlogs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ecs-azure-ad_signinlogs.yml -------------------------------------------------------------------------------- /tools/config/ecs-cloudtrail.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ecs-cloudtrail.yml -------------------------------------------------------------------------------- /tools/config/ecs-dns.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ecs-dns.yml -------------------------------------------------------------------------------- /tools/config/ecs-filebeat.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ecs-filebeat.yml -------------------------------------------------------------------------------- /tools/config/ecs-ms365_defender.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ecs-ms365_defender.yml -------------------------------------------------------------------------------- /tools/config/ecs-okta.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ecs-okta.yml -------------------------------------------------------------------------------- /tools/config/ecs-proxy.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ecs-proxy.yml -------------------------------------------------------------------------------- /tools/config/ecs-suricata.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ecs-suricata.yml -------------------------------------------------------------------------------- /tools/config/ecs-zeek-corelight.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ecs-zeek-corelight.yml -------------------------------------------------------------------------------- /tools/config/ecs-zeek-elastic-beats-implementation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/ecs-zeek-elastic-beats-implementation.yml -------------------------------------------------------------------------------- /tools/config/elk-defaultindex-filebeat.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/elk-defaultindex-filebeat.yml -------------------------------------------------------------------------------- /tools/config/elk-defaultindex-logstash.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/elk-defaultindex-logstash.yml -------------------------------------------------------------------------------- /tools/config/elk-defaultindex.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/elk-defaultindex.yml -------------------------------------------------------------------------------- /tools/config/elk-linux.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/elk-linux.yml -------------------------------------------------------------------------------- /tools/config/elk-windows.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/elk-windows.yml -------------------------------------------------------------------------------- /tools/config/elk-winlogbeat-sp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/elk-winlogbeat-sp.yml -------------------------------------------------------------------------------- /tools/config/elk-winlogbeat.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/elk-winlogbeat.yml -------------------------------------------------------------------------------- /tools/config/filebeat-defaultindex.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/filebeat-defaultindex.yml -------------------------------------------------------------------------------- /tools/config/fireeye-helix.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/fireeye-helix.yml -------------------------------------------------------------------------------- /tools/config/generic/m365.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/generic/m365.yml -------------------------------------------------------------------------------- /tools/config/generic/powershell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/generic/powershell.yml -------------------------------------------------------------------------------- /tools/config/generic/sysmon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/generic/sysmon.yml -------------------------------------------------------------------------------- /tools/config/generic/windows-audit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/generic/windows-audit.yml -------------------------------------------------------------------------------- /tools/config/helk.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/helk.yml -------------------------------------------------------------------------------- /tools/config/humio.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/humio.yml -------------------------------------------------------------------------------- /tools/config/limacharlie.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/limacharlie.yml -------------------------------------------------------------------------------- /tools/config/logpoint-windows.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/logpoint-windows.yml -------------------------------------------------------------------------------- /tools/config/logrhythm_winevent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/logrhythm_winevent.yml -------------------------------------------------------------------------------- /tools/config/logstash-defaultindex.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/logstash-defaultindex.yml -------------------------------------------------------------------------------- /tools/config/logstash-linux.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/logstash-linux.yml -------------------------------------------------------------------------------- /tools/config/logstash-windows.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/logstash-windows.yml -------------------------------------------------------------------------------- /tools/config/logstash-zeek-default-json.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/logstash-zeek-default-json.yml -------------------------------------------------------------------------------- /tools/config/mitre/tactics.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/mitre/tactics.json -------------------------------------------------------------------------------- /tools/config/mitre/techniques.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/mitre/techniques.json -------------------------------------------------------------------------------- /tools/config/mitre/update_mitre.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/mitre/update_mitre.py -------------------------------------------------------------------------------- /tools/config/netwitness-epl.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/netwitness-epl.yml -------------------------------------------------------------------------------- /tools/config/netwitness.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/netwitness.yml -------------------------------------------------------------------------------- /tools/config/powershell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/powershell.yml -------------------------------------------------------------------------------- /tools/config/qradar.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/qradar.yml -------------------------------------------------------------------------------- /tools/config/qualys.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/qualys.yml -------------------------------------------------------------------------------- /tools/config/splunk-windows-index.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/splunk-windows-index.yml -------------------------------------------------------------------------------- /tools/config/splunk-windows.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/splunk-windows.yml -------------------------------------------------------------------------------- /tools/config/splunk-zeek.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/splunk-zeek.yml -------------------------------------------------------------------------------- /tools/config/stix-custom.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/stix-custom.yml -------------------------------------------------------------------------------- /tools/config/stix-shifter.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/stix-shifter.yml -------------------------------------------------------------------------------- /tools/config/stix2.0.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/stix2.0.yml -------------------------------------------------------------------------------- /tools/config/sumologic-cse.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/sumologic-cse.yml -------------------------------------------------------------------------------- /tools/config/sumologic.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/sumologic.yml -------------------------------------------------------------------------------- /tools/config/thor.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/thor.yml -------------------------------------------------------------------------------- /tools/config/winlogbeat-modules-enabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/winlogbeat-modules-enabled.yml -------------------------------------------------------------------------------- /tools/config/winlogbeat-old.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/winlogbeat-old.yml -------------------------------------------------------------------------------- /tools/config/winlogbeat.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/config/winlogbeat.yml -------------------------------------------------------------------------------- /tools/merge_sigma: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/merge_sigma -------------------------------------------------------------------------------- /tools/setup.cfg: -------------------------------------------------------------------------------- 1 | [bdist_wheel] 2 | universal=0 3 | -------------------------------------------------------------------------------- /tools/setup.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/setup.py -------------------------------------------------------------------------------- /tools/sigma/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /tools/sigma/backends/ala.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/ala.py -------------------------------------------------------------------------------- /tools/sigma/backends/arcsight.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/arcsight.py -------------------------------------------------------------------------------- /tools/sigma/backends/base.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/base.py -------------------------------------------------------------------------------- /tools/sigma/backends/carbonblack.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/carbonblack.py -------------------------------------------------------------------------------- /tools/sigma/backends/chronicle.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/chronicle.py -------------------------------------------------------------------------------- /tools/sigma/backends/cim.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/cim.py -------------------------------------------------------------------------------- /tools/sigma/backends/csharp.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/csharp.py -------------------------------------------------------------------------------- /tools/sigma/backends/data.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/data.py -------------------------------------------------------------------------------- /tools/sigma/backends/devo.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/devo.py -------------------------------------------------------------------------------- /tools/sigma/backends/discovery.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/discovery.py -------------------------------------------------------------------------------- /tools/sigma/backends/ee-outliers.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/ee-outliers.py -------------------------------------------------------------------------------- /tools/sigma/backends/elasticsearch.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/elasticsearch.py -------------------------------------------------------------------------------- /tools/sigma/backends/exceptions.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/exceptions.py -------------------------------------------------------------------------------- /tools/sigma/backends/fireeye-helix.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/fireeye-helix.py -------------------------------------------------------------------------------- /tools/sigma/backends/graylog.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/graylog.py -------------------------------------------------------------------------------- /tools/sigma/backends/humio.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/humio.py -------------------------------------------------------------------------------- /tools/sigma/backends/lacework.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/lacework.py -------------------------------------------------------------------------------- /tools/sigma/backends/limacharlie.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/limacharlie.py -------------------------------------------------------------------------------- /tools/sigma/backends/logiq.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/logiq.py -------------------------------------------------------------------------------- /tools/sigma/backends/logpoint.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/logpoint.py -------------------------------------------------------------------------------- /tools/sigma/backends/mdatp.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/mdatp.py -------------------------------------------------------------------------------- /tools/sigma/backends/misc.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/misc.py -------------------------------------------------------------------------------- /tools/sigma/backends/mixins.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/mixins.py -------------------------------------------------------------------------------- /tools/sigma/backends/netwitness-epl.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/netwitness-epl.py -------------------------------------------------------------------------------- /tools/sigma/backends/netwitness.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/netwitness.py -------------------------------------------------------------------------------- /tools/sigma/backends/opensearch.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/opensearch.py -------------------------------------------------------------------------------- /tools/sigma/backends/powershell.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/powershell.py -------------------------------------------------------------------------------- /tools/sigma/backends/qradar.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/qradar.py -------------------------------------------------------------------------------- /tools/sigma/backends/qualys.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/qualys.py -------------------------------------------------------------------------------- /tools/sigma/backends/splunk.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/splunk.py -------------------------------------------------------------------------------- /tools/sigma/backends/splunkdm.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/splunkdm.py -------------------------------------------------------------------------------- /tools/sigma/backends/sql.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/sql.py -------------------------------------------------------------------------------- /tools/sigma/backends/sqlite.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/sqlite.py -------------------------------------------------------------------------------- /tools/sigma/backends/stix.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/stix.py -------------------------------------------------------------------------------- /tools/sigma/backends/sumologic.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/sumologic.py -------------------------------------------------------------------------------- /tools/sigma/backends/sysmon.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/sysmon.py -------------------------------------------------------------------------------- /tools/sigma/backends/tools.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/tools.py -------------------------------------------------------------------------------- /tools/sigma/backends/uberagent.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/backends/uberagent.py -------------------------------------------------------------------------------- /tools/sigma/config/collection.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/config/collection.py -------------------------------------------------------------------------------- /tools/sigma/config/eventdict.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/config/eventdict.py -------------------------------------------------------------------------------- /tools/sigma/config/exceptions.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/config/exceptions.py -------------------------------------------------------------------------------- /tools/sigma/config/mapping.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/config/mapping.py -------------------------------------------------------------------------------- /tools/sigma/configuration.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/configuration.py -------------------------------------------------------------------------------- /tools/sigma/filter.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/filter.py -------------------------------------------------------------------------------- /tools/sigma/merge_sigma.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/merge_sigma.py -------------------------------------------------------------------------------- /tools/sigma/output.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/output.py -------------------------------------------------------------------------------- /tools/sigma/parser/base.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/parser/base.py -------------------------------------------------------------------------------- /tools/sigma/parser/collection.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/parser/collection.py -------------------------------------------------------------------------------- /tools/sigma/parser/condition.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/parser/condition.py -------------------------------------------------------------------------------- /tools/sigma/parser/exceptions.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/parser/exceptions.py -------------------------------------------------------------------------------- /tools/sigma/parser/modifiers/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/parser/modifiers/__init__.py -------------------------------------------------------------------------------- /tools/sigma/parser/modifiers/base.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/parser/modifiers/base.py -------------------------------------------------------------------------------- /tools/sigma/parser/modifiers/discovery.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/parser/modifiers/discovery.py -------------------------------------------------------------------------------- /tools/sigma/parser/modifiers/exceptions.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/parser/modifiers/exceptions.py -------------------------------------------------------------------------------- /tools/sigma/parser/modifiers/mixins.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/parser/modifiers/mixins.py -------------------------------------------------------------------------------- /tools/sigma/parser/modifiers/transform.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/parser/modifiers/transform.py -------------------------------------------------------------------------------- /tools/sigma/parser/modifiers/type.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/parser/modifiers/type.py -------------------------------------------------------------------------------- /tools/sigma/parser/rule.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/parser/rule.py -------------------------------------------------------------------------------- /tools/sigma/sigma-similarity.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/sigma-similarity.py -------------------------------------------------------------------------------- /tools/sigma/sigma-uuid.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/sigma-uuid.py -------------------------------------------------------------------------------- /tools/sigma/sigma2attack.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/sigma2attack.py -------------------------------------------------------------------------------- /tools/sigma/sigma2genericsigma.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/sigma2genericsigma.py -------------------------------------------------------------------------------- /tools/sigma/sigma2misp.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/sigma2misp.py -------------------------------------------------------------------------------- /tools/sigma/sigma_configurations_check.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/sigma_configurations_check.py -------------------------------------------------------------------------------- /tools/sigma/sigma_similarity.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/sigma_similarity.py -------------------------------------------------------------------------------- /tools/sigma/sigma_uuid.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/sigma_uuid.py -------------------------------------------------------------------------------- /tools/sigma/sigmac.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/sigmac.py -------------------------------------------------------------------------------- /tools/sigma/tools.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma/tools.py -------------------------------------------------------------------------------- /tools/sigma2attack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma2attack -------------------------------------------------------------------------------- /tools/sigma2misp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma2misp -------------------------------------------------------------------------------- /tools/sigma_configurations_check: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma_configurations_check -------------------------------------------------------------------------------- /tools/sigma_similarity: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma_similarity -------------------------------------------------------------------------------- /tools/sigma_uuid: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigma_uuid -------------------------------------------------------------------------------- /tools/sigmac: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/sigmac -------------------------------------------------------------------------------- /tools/tests/test_backend_devo.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/tests/test_backend_devo.py -------------------------------------------------------------------------------- /tools/tests/test_backend_elasticsearch.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/tests/test_backend_elasticsearch.py -------------------------------------------------------------------------------- /tools/tests/test_backend_sql.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/tests/test_backend_sql.py -------------------------------------------------------------------------------- /tools/tests/test_backend_sqlite.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/sigma/HEAD/tools/tests/test_backend_sqlite.py -------------------------------------------------------------------------------- /tools/tests/test_parsing.py: -------------------------------------------------------------------------------- 1 | 2 | def test_collection(): 3 | pass 4 | --------------------------------------------------------------------------------