├── Bundles ├── sigma_bundle.json └── sra_bundle.json ├── Images ├── TALR_run.gif └── TALRlogo.png ├── LICENSE.GPL.txt ├── README.md ├── Rules ├── SRA │ ├── execution │ │ ├── Hidden_PowerShell_with_Unusual_Parent.yml │ │ ├── Office_applications_writing_an_exe_via_WMI.yml │ │ ├── Process_Setting_Hidden_and_System_File_Attributes.yml │ │ ├── WMIC_calling_vbscript_or_jscript.yml │ │ ├── WMIC_getting_OS.yml │ │ ├── WMIC_process_call_create.yml │ │ ├── WMI_making_a_network_connection.yml │ │ ├── Word_calling_wscript.yml │ │ ├── mshta_executing_powershell.yml │ │ └── regsrv32_COM_Object_creation.yml │ ├── lateral_movement │ │ └── MSBuild_Invoked_by_WMI.yml │ └── persistence │ │ ├── RegSvr32_making_network_connections.yml │ │ └── SC_Service_Creation.yml └── Sigma │ ├── command_and_control │ ├── APT29_Google_Update_Service_Install.yml │ ├── CobaltStrike_Malleable_Amazon_browsing_traffic_profile.yml │ ├── DNS_TXT_Answer_with_possible_execution_strings.yml │ ├── Equation_Group_C2_Communication.yml │ ├── Turla_PNG_Dropper_Service.yml │ └── Turla_Service_Install.yml │ ├── credential_access │ ├── Active_Directory_User_Backdoors.yml │ ├── Activity_Related_to_NTDS.dit_Domain_Hash_Retrieval.yml │ ├── Antivirus_Password_Dumper_Detection.yml │ ├── Detection_of_SafetyKatz.yml │ ├── Invocation_of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).yml │ ├── Kerberos_Manipulation.yml │ ├── LSASS_Access_Detected_via_Attack_Surface_Reduction.yml │ ├── Malicious_Service_Install.yml │ ├── Mimikatz_DC_Sync.yml │ ├── Mimikatz_Detection_LSASS_Access.yml │ ├── Mimikatz_In-Memory.yml │ ├── Mimikatz_Use.yml │ ├── NTLM_Logon.yml │ ├── NetNTLM_Downgrade_Attack.yml │ ├── Password_Dumper_Activity_on_LSASS.yml │ ├── Password_Dumper_Remote_Thread_in_LSASS.yml │ ├── Possible_Remote_Password_Change_Through_SAMR.yml │ ├── SAM_Dump_to_AppData.yml │ ├── Suspicious_Kerberos_RC4_Ticket_Encryption.yml │ ├── Suspicious_SYSVOL_Domain_Group_Policy_Access.yml │ └── WCE_wceaux.dll_Access.yml │ ├── defense_evasion │ ├── Backup_Catalog_Deleted.yml │ ├── Bitsadmin_Download.yml │ ├── CMSTP_Execution.yml │ ├── CMSTP_UAC_Bypass_via_COM_Object_Access.yml │ ├── CobaltStrike_Process_Injection.yml │ ├── DHCP_Server_Loaded_the_CallOut_DLL.yml │ ├── Disabling_Windows_Event_Auditing.yml │ ├── Eventlog_Cleared.yml │ ├── Executable_in_ADS.yml │ ├── Hiding_files_with_attrib.exe.yml │ ├── MSHTA_Spawning_Windows_Shell.yml │ ├── Malicious_Named_Pipe.yml │ ├── Microsoft_Malware_Protection_Engine_Crash.yml │ ├── Microsoft_Workflow_Compiler.yml │ ├── NTFS_Alternate_Data_Stream.yml │ ├── Possible_Applocker_Bypass.yml │ ├── PowerShell_Base64_Encoded_Shellcode.yml │ ├── PowerShell_Downgrade_Attack.yml │ ├── PowerShell_Rundll32_Remote_Thread_Creation.yml │ ├── PowerShell_called_from_an_Executable_Version_Mismatch.yml │ ├── Ps.exe_Renamed_SysInternals_Tool.yml │ ├── Regsvr32_Anomaly.yml │ ├── Rundll32_Internet_Connection.yml │ ├── Secure_Deletion_with_SDelete.yml │ ├── Security_Eventlog_Cleared.yml │ ├── SquiblyTwo.yml │ ├── Suspicious_Certutil_Command.yml │ ├── Suspicious_Commandline_Escape.yml │ ├── Suspicious_Process_Start_Locations.yml │ ├── Suspicious_Rundll32_Activity.yml │ ├── Suspicious_Svchost_Process.yml │ ├── Suspicious_Use_of_Procdump.yml │ ├── System_File_Execution_Location_Anomaly.yml │ ├── UAC_Bypass_via_Event_Viewer.yml │ └── UAC_Bypass_via_sdclt.yml │ ├── discovery │ ├── Hacktool_Use.yml │ ├── Net.exe_Execution.yml │ ├── Reconnaissance_Activity.yml │ ├── Suspicious_Reconnaissance_Activity.yml │ └── Whoami_Execution.yml │ ├── execution │ ├── Antivirus_Exploitation_Framework_Detection.yml │ ├── Default_PowerSploit_Schtasks_Persistence.yml │ ├── Detection_of_PowerShell_Execution_via_DLL.yml │ ├── Equation_Group_DLL_U_Load.yml │ ├── Equation_Group_Indicators.yml │ ├── Malicious_Base64_encoded_PowerShell_Keywords_in_command_lines.yml │ ├── Malicious_PowerShell_Commandlet_Names.yml │ ├── Malicious_PowerShell_Commandlets.yml │ ├── Malicious_PowerShell_Keywords.yml │ ├── Microsoft_Office_Product_Spawning_Windows_Shell.yml │ ├── NotPetya_Ransomware_Activity.yml │ ├── PowerShell_Credential_Prompt.yml │ ├── PowerShell_Download_from_URL.yml │ ├── PowerShell_Network_Connections.yml │ ├── PowerShell_PSAttack.yml │ ├── PowerShell_ShellCode.yml │ ├── Powershell_AMSI_Bypass_via_.NET_Reflection.yml │ ├── PsExec_Service_Start.yml │ ├── PsExec_Tool_Execution.yml │ ├── Rare_Scheduled_Task_Creations.yml │ ├── Rare_Schtasks_Creations.yml │ ├── Scheduled_Task_Creation.yml │ ├── Sofacy_Zebrocy.yml │ ├── Suspicious_PowerShell_Download.yml │ ├── Suspicious_PowerShell_Invocation_based_on_Parent_Process.yml │ ├── Suspicious_PowerShell_Invocations_-_Generic.yml │ ├── Suspicious_PowerShell_Invocations_-_Specific.yml │ ├── Suspicious_PowerShell_Parameter_Substring.yml │ ├── Suspicious_WMI_execution.yml │ ├── WMIExec_VBS_Script.yml │ ├── WMI_Persistence.yml │ └── WMI_Persistence_-_Script_Event_Consumer.yml │ ├── initial_access │ └── Oracle_WebLogic_Exploit.yml │ ├── lateral_movement │ ├── Access_to_ADMIN$_Share.yml │ ├── Admin_User_Remote_Logon.yml │ ├── Interactive_Logon_to_Server_Systems.yml │ ├── Pandemic_Registry_Key.yml │ ├── Pass_the_Hash_Activity.yml │ ├── Successful_Overpass_the_Hash_Attempt.yml │ ├── Turla_Group_Lateral_Movement.yml │ └── smbexec.py_Service_Installation.yml │ ├── persistence │ ├── Account_Tampering_-_Suspicious_Failed_Logon_Reasons.yml │ ├── Antivirus_Web_Shell_Detection.yml │ ├── Defrag_Deactivation.yml │ ├── IIS_Native-Code_Module_Command_Line_Installation.yml │ ├── Malicious_Service_Installations.yml │ ├── Multiple_Failed_Logins_with_Different_Accounts_from_Single_Source_System.yml │ ├── New_RUN_Key_Pointing_to_Suspicious_Folder.yml │ ├── Password_Change_on_Directory_Service_Restore_Mode_(DSRM)_Account.yml │ ├── Possible_Shim_Database_Persistence_via_sdbinst.exe.yml │ ├── Rare_Service_Installs.yml │ ├── Registry_Persistence_via_Explorer_Run_Key.yml │ ├── StoneDrill_Service_Install.yml │ ├── WMI_Persistence_-_Command_Line_Event_Consumer.yml │ └── WMI_Persistence_-_Script_Event_Consumer_File_Write.yml │ ├── privilege_escalation │ ├── Addition_of_SID_History_to_Active_Directory_Object.yml │ ├── Enabled_User_Right_in_AD_to_Control_User_Objects.yml │ ├── Hurricane_Panda_Activity.yml │ ├── Registry_Persistence_Mechanisms.yml │ ├── Shells_Spawned_by_Web_Servers.yml │ ├── Sticky_Key_Like_Backdoor_Usage.yml │ ├── User_Added_to_Local_Administrators.yml │ └── Webshell_Detection_With_Command_Line_Keywords.yml │ └── unsorted │ ├── APT_User_Agent.yml │ ├── Adwind_RAT___JRAT.yml │ ├── Antivirus_Exploitation_Framework_Detection.yml │ ├── Apache_Segmentation_Fault.yml │ ├── Buffer_Overflow_Attempts.yml │ ├── Chafer_Activity.yml │ ├── Cmdkey_Cached_Credentials_Recon.yml │ ├── Cobalt_Strike_DNS_Beaconing.yml │ ├── Command_Line_Execution_with_suspicious_URL_and_AppData_Strings.yml │ ├── CrackMapExecWin.yml │ ├── DHCP_Callout_DLL_installation.yml │ ├── DHCP_Server_Error_Failed_Loading_the_CallOut_DLL.yml │ ├── DNS_ServerLevelPluginDll_Install.yml │ ├── DNS_Server_Error_Failed_Loading_the_ServerLevelPluginDLL.yml │ ├── Detects_Suspicious_Commands_on_Linux_systems.yml │ ├── Django_framework_exceptions.yml │ ├── Download_EXE_from_Suspicious_TLD.yml │ ├── Download_from_Suspicious_Dyndns_Hosts.yml │ ├── Download_from_Suspicious_TLD.yml │ ├── Droppers_exploiting_CVE-2017-11882.yml │ ├── Elise_Backdoor.yml │ ├── Empty_User_Agent.yml │ ├── Executable_used_by_PlugX_in_Uncommon_Location.yml │ ├── Executables_Started_in_Suspicious_Folder.yml │ ├── Execution_in_Non-Executable_Folder.yml │ ├── Execution_in_Webserver_Root_Folder.yml │ ├── Exploit_Framework_User_Agent.yml │ ├── Exploit_for_CVE-2015-1641.yml │ ├── Exploit_for_CVE-2017-0261.yml │ ├── Exploit_for_CVE-2017-8759.yml │ ├── Fireball_Archer_Install.yml │ ├── Flash_Player_Update_from_Suspicious_Location.yml │ ├── Hack_Tool_User_Agent.yml │ ├── Java_Running_with_Remote_Debugging.yml │ ├── JexBoss_Command_Sequence.yml │ ├── MSHTA_spwaned_by_SVCHOST_as_seen_in_LethalHTA.yml │ ├── Malware_Shellcode_in_Verclsid_Target_Process.yml │ ├── Malware_User_Agent.yml │ ├── Microsoft_Binary_Github_Communication.yml │ ├── Microsoft_Binary_Suspicious_Communication_Endpoint.yml │ ├── Microsoft_Outlook_Spawning_Windows_Shell.yml │ ├── MsiExec_Web_Install.yml │ ├── Multiple_Failed_Logins_with_Different_Accounts_from_Single_Source_System.yml │ ├── Multiple_Modsecurity_Blocks.yml │ ├── Multiple_suspicious_Response_Codes_caused_by_Single_Client.yml │ ├── Network_Scans.yml │ ├── Office_Macro_Starts_Cmd.yml │ ├── Ping_Hex_IP.yml │ ├── Possible_Process_Hollowing_Image_Loading.yml │ ├── Processes_created_by_MMC.yml │ ├── Program_Executions_in_Suspicious_Folders.yml │ ├── Python_SQL_Exceptions.yml │ ├── QuarksPwDump_Dump_File.yml │ ├── Quick_Execution_of_a_Series_of_Suspicious_Commands.yml │ ├── Reconnaissance_Activity_with_Net_Command.yml │ ├── Relevant_Anti-Virus_Event.yml │ ├── Relevant_ClamAV_Message.yml │ ├── Ruby_on_Rails_framework_exceptions.yml │ ├── SSHD_Error_Message_CVE-2018-15473.yml │ ├── Shellshock_Expression.yml │ ├── Sofacy_Trojan_Loader_Activity.yml │ ├── Spring_framework_exceptions.yml │ ├── Suspicious_Activity_in_Shell_Commands.yml │ ├── Suspicious_Control_Panel_DLL_Load.yml │ ├── Suspicious_DNS_Query_with_B64_Encoded_String.yml │ ├── Suspicious_Driver_Load_from_Temp.yml │ ├── Suspicious_Encoded_PowerShell_Command_Line.yml │ ├── Suspicious_Log_Entries.yml │ ├── Suspicious_Named_Error.yml │ ├── Suspicious_Process_Creation.yml │ ├── Suspicious_Program_Location_with_Network_Connections.yml │ ├── Suspicious_RASdial_Activity.yml │ ├── Suspicious_RDP_Redirect_Using_TSCON.yml │ ├── Suspicious_SQL_Error_Messages.yml │ ├── Suspicious_SSHD_Error.yml │ ├── Suspicious_Svchost_Processes.yml │ ├── Suspicious_TSCON_Start.yml │ ├── Suspicious_Typical_Malware_Back_Connect_Ports.yml │ ├── Suspicious_User_Agent.yml │ ├── Suspicious_VSFTPD_Error_Messages.yml │ ├── Sysprep_on_AppData_Folder.yml │ ├── Taskmgr_as_LOCAL_SYSTEM.yml │ ├── Taskmgr_as_Parent.yml │ ├── Telegram_API_Access.yml │ ├── Telegram_Bot_API_Request.yml │ ├── Turla_Group_Named_Pipes.yml │ ├── USB_Device_Plugged.yml │ ├── Usage_of_Sysinternals_Tools.yml │ ├── WSF_JSE_JS_VBA_VBE_File_Execution.yml │ ├── WScript_or_CScript_Dropper.yml │ ├── WannaCry_Ransomware.yml │ ├── WannaCry_Ransomware_via_Sysmon.yml │ ├── Weak_Encryption_Enabled_and_Kerberoast.yml │ ├── Webshell_Detection_by_Keyword.yml │ ├── Windows_PowerShell_User_Agent.yml │ ├── Windows_Shell_Spawning_Suspicious_Program.yml │ ├── Windows_WebDAV_User_Agent.yml │ └── ZxShell_Malware.yml └── Tools ├── README.md └── stix2sigmac ├── requirements.txt └── stix2sigmac.sh /Bundles/sigma_bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Bundles/sigma_bundle.json -------------------------------------------------------------------------------- /Bundles/sra_bundle.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Bundles/sra_bundle.json -------------------------------------------------------------------------------- /Images/TALR_run.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Images/TALR_run.gif -------------------------------------------------------------------------------- /Images/TALRlogo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Images/TALRlogo.png -------------------------------------------------------------------------------- /LICENSE.GPL.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/LICENSE.GPL.txt -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/README.md -------------------------------------------------------------------------------- /Rules/SRA/execution/Hidden_PowerShell_with_Unusual_Parent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/SRA/execution/Hidden_PowerShell_with_Unusual_Parent.yml -------------------------------------------------------------------------------- /Rules/SRA/execution/Office_applications_writing_an_exe_via_WMI.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/SRA/execution/Office_applications_writing_an_exe_via_WMI.yml -------------------------------------------------------------------------------- /Rules/SRA/execution/Process_Setting_Hidden_and_System_File_Attributes.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/SRA/execution/Process_Setting_Hidden_and_System_File_Attributes.yml -------------------------------------------------------------------------------- /Rules/SRA/execution/WMIC_calling_vbscript_or_jscript.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/SRA/execution/WMIC_calling_vbscript_or_jscript.yml -------------------------------------------------------------------------------- /Rules/SRA/execution/WMIC_getting_OS.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/SRA/execution/WMIC_getting_OS.yml -------------------------------------------------------------------------------- /Rules/SRA/execution/WMIC_process_call_create.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/SRA/execution/WMIC_process_call_create.yml -------------------------------------------------------------------------------- /Rules/SRA/execution/WMI_making_a_network_connection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/SRA/execution/WMI_making_a_network_connection.yml -------------------------------------------------------------------------------- /Rules/SRA/execution/Word_calling_wscript.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/SRA/execution/Word_calling_wscript.yml -------------------------------------------------------------------------------- /Rules/SRA/execution/mshta_executing_powershell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/SRA/execution/mshta_executing_powershell.yml -------------------------------------------------------------------------------- /Rules/SRA/execution/regsrv32_COM_Object_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/SRA/execution/regsrv32_COM_Object_creation.yml -------------------------------------------------------------------------------- /Rules/SRA/lateral_movement/MSBuild_Invoked_by_WMI.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/SRA/lateral_movement/MSBuild_Invoked_by_WMI.yml -------------------------------------------------------------------------------- /Rules/SRA/persistence/RegSvr32_making_network_connections.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/SRA/persistence/RegSvr32_making_network_connections.yml -------------------------------------------------------------------------------- /Rules/SRA/persistence/SC_Service_Creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/SRA/persistence/SC_Service_Creation.yml -------------------------------------------------------------------------------- /Rules/Sigma/command_and_control/APT29_Google_Update_Service_Install.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/command_and_control/APT29_Google_Update_Service_Install.yml -------------------------------------------------------------------------------- /Rules/Sigma/command_and_control/CobaltStrike_Malleable_Amazon_browsing_traffic_profile.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/command_and_control/CobaltStrike_Malleable_Amazon_browsing_traffic_profile.yml -------------------------------------------------------------------------------- /Rules/Sigma/command_and_control/DNS_TXT_Answer_with_possible_execution_strings.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/command_and_control/DNS_TXT_Answer_with_possible_execution_strings.yml -------------------------------------------------------------------------------- /Rules/Sigma/command_and_control/Equation_Group_C2_Communication.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/command_and_control/Equation_Group_C2_Communication.yml -------------------------------------------------------------------------------- /Rules/Sigma/command_and_control/Turla_PNG_Dropper_Service.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/command_and_control/Turla_PNG_Dropper_Service.yml -------------------------------------------------------------------------------- /Rules/Sigma/command_and_control/Turla_Service_Install.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/command_and_control/Turla_Service_Install.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Active_Directory_User_Backdoors.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Active_Directory_User_Backdoors.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Activity_Related_to_NTDS.dit_Domain_Hash_Retrieval.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Activity_Related_to_NTDS.dit_Domain_Hash_Retrieval.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Antivirus_Password_Dumper_Detection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Antivirus_Password_Dumper_Detection.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Detection_of_SafetyKatz.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Detection_of_SafetyKatz.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Invocation_of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Invocation_of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Kerberos_Manipulation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Kerberos_Manipulation.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/LSASS_Access_Detected_via_Attack_Surface_Reduction.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/LSASS_Access_Detected_via_Attack_Surface_Reduction.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Malicious_Service_Install.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Malicious_Service_Install.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Mimikatz_DC_Sync.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Mimikatz_DC_Sync.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Mimikatz_Detection_LSASS_Access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Mimikatz_Detection_LSASS_Access.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Mimikatz_In-Memory.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Mimikatz_In-Memory.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Mimikatz_Use.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Mimikatz_Use.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/NTLM_Logon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/NTLM_Logon.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/NetNTLM_Downgrade_Attack.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/NetNTLM_Downgrade_Attack.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Password_Dumper_Activity_on_LSASS.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Password_Dumper_Activity_on_LSASS.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Password_Dumper_Remote_Thread_in_LSASS.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Password_Dumper_Remote_Thread_in_LSASS.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Possible_Remote_Password_Change_Through_SAMR.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Possible_Remote_Password_Change_Through_SAMR.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/SAM_Dump_to_AppData.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/SAM_Dump_to_AppData.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Suspicious_Kerberos_RC4_Ticket_Encryption.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Suspicious_Kerberos_RC4_Ticket_Encryption.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/Suspicious_SYSVOL_Domain_Group_Policy_Access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/Suspicious_SYSVOL_Domain_Group_Policy_Access.yml -------------------------------------------------------------------------------- /Rules/Sigma/credential_access/WCE_wceaux.dll_Access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/credential_access/WCE_wceaux.dll_Access.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Backup_Catalog_Deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Backup_Catalog_Deleted.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Bitsadmin_Download.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Bitsadmin_Download.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/CMSTP_Execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/CMSTP_Execution.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/CMSTP_UAC_Bypass_via_COM_Object_Access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/CMSTP_UAC_Bypass_via_COM_Object_Access.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/CobaltStrike_Process_Injection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/CobaltStrike_Process_Injection.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/DHCP_Server_Loaded_the_CallOut_DLL.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/DHCP_Server_Loaded_the_CallOut_DLL.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Disabling_Windows_Event_Auditing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Disabling_Windows_Event_Auditing.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Eventlog_Cleared.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Eventlog_Cleared.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Executable_in_ADS.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Executable_in_ADS.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Hiding_files_with_attrib.exe.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Hiding_files_with_attrib.exe.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/MSHTA_Spawning_Windows_Shell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/MSHTA_Spawning_Windows_Shell.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Malicious_Named_Pipe.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Malicious_Named_Pipe.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Microsoft_Malware_Protection_Engine_Crash.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Microsoft_Malware_Protection_Engine_Crash.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Microsoft_Workflow_Compiler.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Microsoft_Workflow_Compiler.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/NTFS_Alternate_Data_Stream.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/NTFS_Alternate_Data_Stream.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Possible_Applocker_Bypass.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Possible_Applocker_Bypass.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/PowerShell_Base64_Encoded_Shellcode.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/PowerShell_Base64_Encoded_Shellcode.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/PowerShell_Downgrade_Attack.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/PowerShell_Downgrade_Attack.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/PowerShell_Rundll32_Remote_Thread_Creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/PowerShell_Rundll32_Remote_Thread_Creation.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/PowerShell_called_from_an_Executable_Version_Mismatch.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/PowerShell_called_from_an_Executable_Version_Mismatch.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Ps.exe_Renamed_SysInternals_Tool.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Ps.exe_Renamed_SysInternals_Tool.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Regsvr32_Anomaly.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Regsvr32_Anomaly.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Rundll32_Internet_Connection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Rundll32_Internet_Connection.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Secure_Deletion_with_SDelete.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Secure_Deletion_with_SDelete.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Security_Eventlog_Cleared.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Security_Eventlog_Cleared.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/SquiblyTwo.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/SquiblyTwo.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Suspicious_Certutil_Command.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Suspicious_Certutil_Command.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Suspicious_Commandline_Escape.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Suspicious_Commandline_Escape.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Suspicious_Process_Start_Locations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Suspicious_Process_Start_Locations.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Suspicious_Rundll32_Activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Suspicious_Rundll32_Activity.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Suspicious_Svchost_Process.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Suspicious_Svchost_Process.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/Suspicious_Use_of_Procdump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/Suspicious_Use_of_Procdump.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/System_File_Execution_Location_Anomaly.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/System_File_Execution_Location_Anomaly.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/UAC_Bypass_via_Event_Viewer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/UAC_Bypass_via_Event_Viewer.yml -------------------------------------------------------------------------------- /Rules/Sigma/defense_evasion/UAC_Bypass_via_sdclt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/defense_evasion/UAC_Bypass_via_sdclt.yml -------------------------------------------------------------------------------- /Rules/Sigma/discovery/Hacktool_Use.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/discovery/Hacktool_Use.yml -------------------------------------------------------------------------------- /Rules/Sigma/discovery/Net.exe_Execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/discovery/Net.exe_Execution.yml -------------------------------------------------------------------------------- /Rules/Sigma/discovery/Reconnaissance_Activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/discovery/Reconnaissance_Activity.yml -------------------------------------------------------------------------------- /Rules/Sigma/discovery/Suspicious_Reconnaissance_Activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/discovery/Suspicious_Reconnaissance_Activity.yml -------------------------------------------------------------------------------- /Rules/Sigma/discovery/Whoami_Execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/discovery/Whoami_Execution.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Antivirus_Exploitation_Framework_Detection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Antivirus_Exploitation_Framework_Detection.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Default_PowerSploit_Schtasks_Persistence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Default_PowerSploit_Schtasks_Persistence.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Detection_of_PowerShell_Execution_via_DLL.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Detection_of_PowerShell_Execution_via_DLL.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Equation_Group_DLL_U_Load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Equation_Group_DLL_U_Load.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Equation_Group_Indicators.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Equation_Group_Indicators.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Malicious_Base64_encoded_PowerShell_Keywords_in_command_lines.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Malicious_Base64_encoded_PowerShell_Keywords_in_command_lines.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Malicious_PowerShell_Commandlet_Names.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Malicious_PowerShell_Commandlet_Names.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Malicious_PowerShell_Commandlets.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Malicious_PowerShell_Commandlets.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Malicious_PowerShell_Keywords.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Malicious_PowerShell_Keywords.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Microsoft_Office_Product_Spawning_Windows_Shell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Microsoft_Office_Product_Spawning_Windows_Shell.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/NotPetya_Ransomware_Activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/NotPetya_Ransomware_Activity.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/PowerShell_Credential_Prompt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/PowerShell_Credential_Prompt.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/PowerShell_Download_from_URL.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/PowerShell_Download_from_URL.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/PowerShell_Network_Connections.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/PowerShell_Network_Connections.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/PowerShell_PSAttack.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/PowerShell_PSAttack.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/PowerShell_ShellCode.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/PowerShell_ShellCode.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Powershell_AMSI_Bypass_via_.NET_Reflection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Powershell_AMSI_Bypass_via_.NET_Reflection.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/PsExec_Service_Start.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/PsExec_Service_Start.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/PsExec_Tool_Execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/PsExec_Tool_Execution.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Rare_Scheduled_Task_Creations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Rare_Scheduled_Task_Creations.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Rare_Schtasks_Creations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Rare_Schtasks_Creations.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Scheduled_Task_Creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Scheduled_Task_Creation.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Sofacy_Zebrocy.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Sofacy_Zebrocy.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Suspicious_PowerShell_Download.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Suspicious_PowerShell_Download.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Suspicious_PowerShell_Invocation_based_on_Parent_Process.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Suspicious_PowerShell_Invocation_based_on_Parent_Process.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Suspicious_PowerShell_Invocations_-_Generic.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Suspicious_PowerShell_Invocations_-_Generic.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Suspicious_PowerShell_Invocations_-_Specific.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Suspicious_PowerShell_Invocations_-_Specific.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Suspicious_PowerShell_Parameter_Substring.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Suspicious_PowerShell_Parameter_Substring.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/Suspicious_WMI_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/Suspicious_WMI_execution.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/WMIExec_VBS_Script.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/WMIExec_VBS_Script.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/WMI_Persistence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/WMI_Persistence.yml -------------------------------------------------------------------------------- /Rules/Sigma/execution/WMI_Persistence_-_Script_Event_Consumer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/execution/WMI_Persistence_-_Script_Event_Consumer.yml -------------------------------------------------------------------------------- /Rules/Sigma/initial_access/Oracle_WebLogic_Exploit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/initial_access/Oracle_WebLogic_Exploit.yml -------------------------------------------------------------------------------- /Rules/Sigma/lateral_movement/Access_to_ADMIN$_Share.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/lateral_movement/Access_to_ADMIN$_Share.yml -------------------------------------------------------------------------------- /Rules/Sigma/lateral_movement/Admin_User_Remote_Logon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/lateral_movement/Admin_User_Remote_Logon.yml -------------------------------------------------------------------------------- /Rules/Sigma/lateral_movement/Interactive_Logon_to_Server_Systems.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/lateral_movement/Interactive_Logon_to_Server_Systems.yml -------------------------------------------------------------------------------- /Rules/Sigma/lateral_movement/Pandemic_Registry_Key.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/lateral_movement/Pandemic_Registry_Key.yml -------------------------------------------------------------------------------- /Rules/Sigma/lateral_movement/Pass_the_Hash_Activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/lateral_movement/Pass_the_Hash_Activity.yml -------------------------------------------------------------------------------- /Rules/Sigma/lateral_movement/Successful_Overpass_the_Hash_Attempt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/lateral_movement/Successful_Overpass_the_Hash_Attempt.yml -------------------------------------------------------------------------------- /Rules/Sigma/lateral_movement/Turla_Group_Lateral_Movement.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/lateral_movement/Turla_Group_Lateral_Movement.yml -------------------------------------------------------------------------------- /Rules/Sigma/lateral_movement/smbexec.py_Service_Installation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/lateral_movement/smbexec.py_Service_Installation.yml -------------------------------------------------------------------------------- /Rules/Sigma/persistence/Account_Tampering_-_Suspicious_Failed_Logon_Reasons.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/persistence/Account_Tampering_-_Suspicious_Failed_Logon_Reasons.yml -------------------------------------------------------------------------------- /Rules/Sigma/persistence/Antivirus_Web_Shell_Detection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/persistence/Antivirus_Web_Shell_Detection.yml -------------------------------------------------------------------------------- /Rules/Sigma/persistence/Defrag_Deactivation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/persistence/Defrag_Deactivation.yml -------------------------------------------------------------------------------- /Rules/Sigma/persistence/IIS_Native-Code_Module_Command_Line_Installation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/persistence/IIS_Native-Code_Module_Command_Line_Installation.yml -------------------------------------------------------------------------------- /Rules/Sigma/persistence/Malicious_Service_Installations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/persistence/Malicious_Service_Installations.yml -------------------------------------------------------------------------------- /Rules/Sigma/persistence/Multiple_Failed_Logins_with_Different_Accounts_from_Single_Source_System.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/persistence/Multiple_Failed_Logins_with_Different_Accounts_from_Single_Source_System.yml -------------------------------------------------------------------------------- /Rules/Sigma/persistence/New_RUN_Key_Pointing_to_Suspicious_Folder.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/persistence/New_RUN_Key_Pointing_to_Suspicious_Folder.yml -------------------------------------------------------------------------------- /Rules/Sigma/persistence/Password_Change_on_Directory_Service_Restore_Mode_(DSRM)_Account.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/persistence/Password_Change_on_Directory_Service_Restore_Mode_(DSRM)_Account.yml -------------------------------------------------------------------------------- /Rules/Sigma/persistence/Possible_Shim_Database_Persistence_via_sdbinst.exe.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/persistence/Possible_Shim_Database_Persistence_via_sdbinst.exe.yml -------------------------------------------------------------------------------- /Rules/Sigma/persistence/Rare_Service_Installs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/persistence/Rare_Service_Installs.yml -------------------------------------------------------------------------------- /Rules/Sigma/persistence/Registry_Persistence_via_Explorer_Run_Key.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/persistence/Registry_Persistence_via_Explorer_Run_Key.yml -------------------------------------------------------------------------------- /Rules/Sigma/persistence/StoneDrill_Service_Install.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/persistence/StoneDrill_Service_Install.yml -------------------------------------------------------------------------------- /Rules/Sigma/persistence/WMI_Persistence_-_Command_Line_Event_Consumer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/persistence/WMI_Persistence_-_Command_Line_Event_Consumer.yml -------------------------------------------------------------------------------- /Rules/Sigma/persistence/WMI_Persistence_-_Script_Event_Consumer_File_Write.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/persistence/WMI_Persistence_-_Script_Event_Consumer_File_Write.yml -------------------------------------------------------------------------------- /Rules/Sigma/privilege_escalation/Addition_of_SID_History_to_Active_Directory_Object.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/privilege_escalation/Addition_of_SID_History_to_Active_Directory_Object.yml -------------------------------------------------------------------------------- /Rules/Sigma/privilege_escalation/Enabled_User_Right_in_AD_to_Control_User_Objects.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/privilege_escalation/Enabled_User_Right_in_AD_to_Control_User_Objects.yml -------------------------------------------------------------------------------- /Rules/Sigma/privilege_escalation/Hurricane_Panda_Activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/privilege_escalation/Hurricane_Panda_Activity.yml -------------------------------------------------------------------------------- /Rules/Sigma/privilege_escalation/Registry_Persistence_Mechanisms.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/privilege_escalation/Registry_Persistence_Mechanisms.yml -------------------------------------------------------------------------------- /Rules/Sigma/privilege_escalation/Shells_Spawned_by_Web_Servers.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/privilege_escalation/Shells_Spawned_by_Web_Servers.yml -------------------------------------------------------------------------------- /Rules/Sigma/privilege_escalation/Sticky_Key_Like_Backdoor_Usage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/privilege_escalation/Sticky_Key_Like_Backdoor_Usage.yml -------------------------------------------------------------------------------- /Rules/Sigma/privilege_escalation/User_Added_to_Local_Administrators.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/privilege_escalation/User_Added_to_Local_Administrators.yml -------------------------------------------------------------------------------- /Rules/Sigma/privilege_escalation/Webshell_Detection_With_Command_Line_Keywords.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/privilege_escalation/Webshell_Detection_With_Command_Line_Keywords.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/APT_User_Agent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/APT_User_Agent.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Adwind_RAT___JRAT.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Adwind_RAT___JRAT.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Antivirus_Exploitation_Framework_Detection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Antivirus_Exploitation_Framework_Detection.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Apache_Segmentation_Fault.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Apache_Segmentation_Fault.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Buffer_Overflow_Attempts.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Buffer_Overflow_Attempts.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Chafer_Activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Chafer_Activity.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Cmdkey_Cached_Credentials_Recon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Cmdkey_Cached_Credentials_Recon.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Cobalt_Strike_DNS_Beaconing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Cobalt_Strike_DNS_Beaconing.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Command_Line_Execution_with_suspicious_URL_and_AppData_Strings.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Command_Line_Execution_with_suspicious_URL_and_AppData_Strings.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/CrackMapExecWin.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/CrackMapExecWin.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/DHCP_Callout_DLL_installation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/DHCP_Callout_DLL_installation.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/DHCP_Server_Error_Failed_Loading_the_CallOut_DLL.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/DHCP_Server_Error_Failed_Loading_the_CallOut_DLL.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/DNS_ServerLevelPluginDll_Install.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/DNS_ServerLevelPluginDll_Install.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/DNS_Server_Error_Failed_Loading_the_ServerLevelPluginDLL.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/DNS_Server_Error_Failed_Loading_the_ServerLevelPluginDLL.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Detects_Suspicious_Commands_on_Linux_systems.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Detects_Suspicious_Commands_on_Linux_systems.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Django_framework_exceptions.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Django_framework_exceptions.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Download_EXE_from_Suspicious_TLD.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Download_EXE_from_Suspicious_TLD.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Download_from_Suspicious_Dyndns_Hosts.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Download_from_Suspicious_Dyndns_Hosts.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Download_from_Suspicious_TLD.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Download_from_Suspicious_TLD.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Droppers_exploiting_CVE-2017-11882.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Droppers_exploiting_CVE-2017-11882.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Elise_Backdoor.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Elise_Backdoor.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Empty_User_Agent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Empty_User_Agent.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Executable_used_by_PlugX_in_Uncommon_Location.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Executable_used_by_PlugX_in_Uncommon_Location.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Executables_Started_in_Suspicious_Folder.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Executables_Started_in_Suspicious_Folder.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Execution_in_Non-Executable_Folder.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Execution_in_Non-Executable_Folder.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Execution_in_Webserver_Root_Folder.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Execution_in_Webserver_Root_Folder.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Exploit_Framework_User_Agent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Exploit_Framework_User_Agent.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Exploit_for_CVE-2015-1641.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Exploit_for_CVE-2015-1641.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Exploit_for_CVE-2017-0261.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Exploit_for_CVE-2017-0261.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Exploit_for_CVE-2017-8759.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Exploit_for_CVE-2017-8759.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Fireball_Archer_Install.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Fireball_Archer_Install.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Flash_Player_Update_from_Suspicious_Location.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Flash_Player_Update_from_Suspicious_Location.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Hack_Tool_User_Agent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Hack_Tool_User_Agent.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Java_Running_with_Remote_Debugging.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Java_Running_with_Remote_Debugging.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/JexBoss_Command_Sequence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/JexBoss_Command_Sequence.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/MSHTA_spwaned_by_SVCHOST_as_seen_in_LethalHTA.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/MSHTA_spwaned_by_SVCHOST_as_seen_in_LethalHTA.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Malware_Shellcode_in_Verclsid_Target_Process.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Malware_Shellcode_in_Verclsid_Target_Process.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Malware_User_Agent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Malware_User_Agent.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Microsoft_Binary_Github_Communication.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Microsoft_Binary_Github_Communication.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Microsoft_Binary_Suspicious_Communication_Endpoint.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Microsoft_Binary_Suspicious_Communication_Endpoint.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Microsoft_Outlook_Spawning_Windows_Shell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Microsoft_Outlook_Spawning_Windows_Shell.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/MsiExec_Web_Install.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/MsiExec_Web_Install.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Multiple_Failed_Logins_with_Different_Accounts_from_Single_Source_System.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Multiple_Failed_Logins_with_Different_Accounts_from_Single_Source_System.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Multiple_Modsecurity_Blocks.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Multiple_Modsecurity_Blocks.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Multiple_suspicious_Response_Codes_caused_by_Single_Client.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Multiple_suspicious_Response_Codes_caused_by_Single_Client.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Network_Scans.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Network_Scans.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Office_Macro_Starts_Cmd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Office_Macro_Starts_Cmd.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Ping_Hex_IP.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Ping_Hex_IP.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Possible_Process_Hollowing_Image_Loading.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Possible_Process_Hollowing_Image_Loading.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Processes_created_by_MMC.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Processes_created_by_MMC.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Program_Executions_in_Suspicious_Folders.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Program_Executions_in_Suspicious_Folders.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Python_SQL_Exceptions.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Python_SQL_Exceptions.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/QuarksPwDump_Dump_File.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/QuarksPwDump_Dump_File.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Quick_Execution_of_a_Series_of_Suspicious_Commands.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Quick_Execution_of_a_Series_of_Suspicious_Commands.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Reconnaissance_Activity_with_Net_Command.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Reconnaissance_Activity_with_Net_Command.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Relevant_Anti-Virus_Event.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Relevant_Anti-Virus_Event.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Relevant_ClamAV_Message.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Relevant_ClamAV_Message.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Ruby_on_Rails_framework_exceptions.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Ruby_on_Rails_framework_exceptions.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/SSHD_Error_Message_CVE-2018-15473.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/SSHD_Error_Message_CVE-2018-15473.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Shellshock_Expression.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Shellshock_Expression.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Sofacy_Trojan_Loader_Activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Sofacy_Trojan_Loader_Activity.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Spring_framework_exceptions.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Spring_framework_exceptions.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_Activity_in_Shell_Commands.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_Activity_in_Shell_Commands.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_Control_Panel_DLL_Load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_Control_Panel_DLL_Load.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_DNS_Query_with_B64_Encoded_String.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_DNS_Query_with_B64_Encoded_String.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_Driver_Load_from_Temp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_Driver_Load_from_Temp.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_Encoded_PowerShell_Command_Line.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_Encoded_PowerShell_Command_Line.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_Log_Entries.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_Log_Entries.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_Named_Error.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_Named_Error.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_Process_Creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_Process_Creation.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_Program_Location_with_Network_Connections.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_Program_Location_with_Network_Connections.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_RASdial_Activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_RASdial_Activity.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_RDP_Redirect_Using_TSCON.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_RDP_Redirect_Using_TSCON.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_SQL_Error_Messages.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_SQL_Error_Messages.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_SSHD_Error.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_SSHD_Error.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_Svchost_Processes.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_Svchost_Processes.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_TSCON_Start.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_TSCON_Start.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_Typical_Malware_Back_Connect_Ports.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_Typical_Malware_Back_Connect_Ports.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_User_Agent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_User_Agent.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Suspicious_VSFTPD_Error_Messages.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Suspicious_VSFTPD_Error_Messages.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Sysprep_on_AppData_Folder.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Sysprep_on_AppData_Folder.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Taskmgr_as_LOCAL_SYSTEM.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Taskmgr_as_LOCAL_SYSTEM.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Taskmgr_as_Parent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Taskmgr_as_Parent.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Telegram_API_Access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Telegram_API_Access.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Telegram_Bot_API_Request.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Telegram_Bot_API_Request.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Turla_Group_Named_Pipes.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Turla_Group_Named_Pipes.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/USB_Device_Plugged.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/USB_Device_Plugged.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Usage_of_Sysinternals_Tools.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Usage_of_Sysinternals_Tools.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/WSF_JSE_JS_VBA_VBE_File_Execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/WSF_JSE_JS_VBA_VBE_File_Execution.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/WScript_or_CScript_Dropper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/WScript_or_CScript_Dropper.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/WannaCry_Ransomware.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/WannaCry_Ransomware.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/WannaCry_Ransomware_via_Sysmon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/WannaCry_Ransomware_via_Sysmon.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Weak_Encryption_Enabled_and_Kerberoast.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Weak_Encryption_Enabled_and_Kerberoast.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Webshell_Detection_by_Keyword.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Webshell_Detection_by_Keyword.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Windows_PowerShell_User_Agent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Windows_PowerShell_User_Agent.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Windows_Shell_Spawning_Suspicious_Program.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Windows_Shell_Spawning_Suspicious_Program.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/Windows_WebDAV_User_Agent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/Windows_WebDAV_User_Agent.yml -------------------------------------------------------------------------------- /Rules/Sigma/unsorted/ZxShell_Malware.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Rules/Sigma/unsorted/ZxShell_Malware.yml -------------------------------------------------------------------------------- /Tools/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Tools/README.md -------------------------------------------------------------------------------- /Tools/stix2sigmac/requirements.txt: -------------------------------------------------------------------------------- 1 | sigmatools 2 | json2yaml 3 | figlet 4 | -------------------------------------------------------------------------------- /Tools/stix2sigmac/stix2sigmac.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityRiskAdvisors/TALR/HEAD/Tools/stix2sigmac/stix2sigmac.sh --------------------------------------------------------------------------------