├── .gitattributes ├── .github ├── ISSUE_TEMPLATE │ ├── behavior_bug_issue.md │ ├── behavior_custom_issue.md │ ├── behavior_new_endpoint_rule.md │ ├── yara_add_new_rule.md │ ├── yara_request_coverage.md │ └── yara_rule_tuning.md └── workflows │ └── duplicate_issue.yml ├── .gitignore ├── LICENSE.txt ├── README.md ├── SDP.md ├── behavior ├── README.md └── rules │ ├── cross-platform │ ├── command_and_control_potential_vscode_remote_tunnel_established.toml │ ├── defense_evasion_kill_command_executed_from_a_hidden_process.toml │ ├── defense_evasion_tampering_of_bash_command_line_history.toml │ ├── execution_attempt_to_establish_vscode_remote_tunnel.toml │ ├── execution_eggshell_backdoor_execution.toml │ ├── execution_empire_stager_execution.toml │ ├── execution_kill_command_executed_from_binary_in_unusual_location.toml │ ├── execution_potential_reverse_shell_activity_via_terminal.toml │ ├── execution_privilege_escalation_enumeration_via_linpeas.toml │ ├── execution_silent_npm_package_install_command.toml │ ├── impact_darkradiation_ransomware_infection.toml │ ├── impact_suspicious_recursive_file_deletion_via_built_in_utilities.toml │ ├── persistence_potential_persistence_via_direct_crontab_modification.toml │ └── privilege_escalation_sudo_heap_based_buffer_overflow_attempt.toml │ ├── linux │ ├── command_and_control_curl_socks_proxy_activity_from_unusual_parent.toml │ ├── command_and_control_egress_network_connection_followed_by_command_execution.toml │ ├── command_and_control_file_download_from_or_upload_to_hosting_service.toml │ ├── command_and_control_file_downloaded_via_curl_or_wget_to_hidden_directory.toml │ ├── command_and_control_hidden_executable_initiated_egress_network_connection.toml │ ├── command_and_control_hidden_process_execution_followed_by_network_connection.toml │ ├── command_and_control_network_activity_detected_via_cat.toml │ ├── command_and_control_network_connection_by_foomatic_rip_child.toml │ ├── command_and_control_network_connection_followed_by_file_creation.toml │ ├── command_and_control_potential_multi_architecture_file_downloads.toml │ ├── command_and_control_potential_vsingle_malware_infection.toml │ ├── command_and_control_python_network_connection_followed_by_command_execution.toml │ ├── command_and_control_torsocks_execution.toml │ ├── credential_access_linux_init_(pid_1)_secret_dump_via_gdb.toml │ ├── credential_access_manual_memory_password_searching_activity.toml │ ├── credential_access_potential_linux_credential_dumping_via_unshadow.toml │ ├── defense_evasion_auditctl_disabled_via_shell_process.toml │ ├── defense_evasion_base64_or_xxd_decode_argument_evasion.toml │ ├── defense_evasion_base64_shebang_payload_decoded_via_built_in_utility.toml │ ├── defense_evasion_binary_executed_from_shared_memory_directory.toml │ ├── defense_evasion_chattr_execution_from_unusual_parent.toml │ ├── defense_evasion_chattr_execution_with_unusual_target_file.toml │ ├── defense_evasion_cron(d)_service_started_by_unusual_parent.toml │ ├── defense_evasion_defense_evasion_via_bind_mount.toml │ ├── defense_evasion_defense_evasion_via_hidepid_mount.toml │ ├── defense_evasion_egress_network_connection_from_deleted_executable.toml │ ├── defense_evasion_execution_of_in_memory_file_via_interactive_session.toml │ ├── defense_evasion_global_dynamic_linker_file_copied.toml │ ├── defense_evasion_hexadecimal_ip_command_line_argument.toml │ ├── defense_evasion_linux_base64_descendant_egress_network_connection.toml │ ├── defense_evasion_linux_compilation_in_suspicious_directory.toml │ ├── defense_evasion_linux_file_made_executable_by_suspicious_parent.toml │ ├── defense_evasion_linux_hidden_file_mounted.toml │ ├── defense_evasion_linux_payload_decoded_and_decrypted_via_built_in_utility.toml │ ├── defense_evasion_linux_shared_object_load_via_ssh_keygen.toml │ ├── defense_evasion_network_activity_from_in_memory_file.toml │ ├── defense_evasion_potential_masquerading_via__proc_self_exe.toml │ ├── defense_evasion_potential_nologin_ssh_backdoor.toml │ ├── defense_evasion_potential_process_injection_via_dd.toml │ ├── defense_evasion_potential_process_masquerading_via_exec.toml │ ├── defense_evasion_potential_proxy_execution_via_crash.toml │ ├── defense_evasion_potential_proxy_execution_via_php.toml │ ├── defense_evasion_potential_proxy_execution_via_pidstat.toml │ ├── defense_evasion_potential_proxy_execution_via_run_parts.toml │ ├── defense_evasion_potential_proxy_execution_via_sed.toml │ ├── defense_evasion_potential_proxy_execution_via_split.toml │ ├── defense_evasion_potential_proxy_execution_via_sysctl.toml │ ├── defense_evasion_potential_proxy_execution_via_systemd_run.toml │ ├── defense_evasion_potential_proxy_execution_via_tcpdump.toml │ ├── defense_evasion_process_masquerading_as_kernel_process.toml │ ├── defense_evasion_process_path_symbolic_link_manipulation.toml │ ├── defense_evasion_shared_object_file_creation_and_immediate_preload.toml │ ├── defense_evasion_shared_object_injection_via_process_environment_variable.toml │ ├── defense_evasion_shared_object_load_via_lolbin.toml │ ├── defense_evasion_shell_command_execution_via_kworker.toml │ ├── defense_evasion_shell_execution_of_non_executable_file.toml │ ├── defense_evasion_suspicious_base64_string_command_line.toml │ ├── defense_evasion_system_binary_copied_or_moved.toml │ ├── defense_evasion_system_binary_preload_and_immediate_network_connection.toml │ ├── defense_evasion_system_binary_proxy_execution_via_ld.so.toml │ ├── defense_evasion_timestomping_detected_via_touch.toml │ ├── defense_evasion_unusual_process_execution.toml │ ├── defense_evasion_world_writeable_directory_exec_remount.toml │ ├── discovery_linux_external_ip_address_discovery_via_curl.toml │ ├── execution_background_task_execution_via_a_hidden_process.toml │ ├── execution_bind_shell_via_netcat_traditional.toml │ ├── execution_bind_shell_via_node.toml │ ├── execution_bind_shell_via_socket.toml │ ├── execution_command_interpreter_with_ip_address_argument.toml │ ├── execution_file_creation_by_foomatic_rip_child.toml │ ├── execution_foomatic_rip_shell_execution.toml │ ├── execution_interactive_shell_spawned_via_hidden_process.toml │ ├── execution_interpreter_based_code_execution_via_unusual_parent.toml │ ├── execution_java_xsl_template_creation_followed_by_shell_execution.toml │ ├── execution_javascript_reverse_shell_via_node.js.toml │ ├── execution_linux_background_process_execution_via_shell.toml │ ├── execution_linux_hidden_folder_or_file_execution_via_python.toml │ ├── execution_linux_powershell_egress_network_connection.toml │ ├── execution_linux_powershell_encoded_command.toml │ ├── execution_linux_powershell_suspicious_child_process.toml │ ├── execution_linux_reverse_shell.toml │ ├── execution_linux_reverse_shell_via_child.toml │ ├── execution_linux_reverse_shell_via_netcat.toml │ ├── execution_linux_reverse_shell_via_setsid_and_nohup.toml │ ├── execution_linux_reverse_shell_via_suspicious_utility.toml │ ├── execution_linux_suspicious_child_process_execution_via_interactive_shell.toml │ ├── execution_netcat_reverse_shell_via_busybox.toml │ ├── execution_openssl_reverse_shell_activity_via_named_pipe.toml │ ├── execution_outbound_network_connection_followed_by_process_file_deletion.toml │ ├── execution_potential_gsocket_activity.toml │ ├── execution_potential_linux_hack_tool_launched.toml │ ├── execution_potential_linux_reverse_shell_via_java_jar_execution.toml │ ├── execution_potential_redishell_(cve_2025_49844)_exploitation.toml │ ├── execution_potential_remote_code_execution_via_langflow.toml │ ├── execution_potential_reverse_shell_via_named_pipe.toml │ ├── execution_printer_user_(lp)_shell_execution.toml │ ├── execution_pseudoterminal_(pty)_creation_from_suspicious_executable.toml │ ├── execution_renice_or_ulimit_execution_from_unusual_parent.toml │ ├── execution_reverse_or_bind_shell_via_suspicious_utility.toml │ ├── execution_reverse_shell_via_networkmanager_dispatcher_script.toml │ ├── execution_reverse_shell_via_node.js_descendant.toml │ ├── execution_script_executed_through_unusual_parent_process.toml │ ├── execution_shell_execution_via_java_parent_process.toml │ ├── execution_shell_via_networkmanager_dispatcher_script.toml │ ├── execution_sleep_execution_from_suspicious_process_path.toml │ ├── execution_socat_reverse_shell_or_listener_activity.toml │ ├── execution_suspicious_command_execution_via_busybox_proxy.toml │ ├── execution_suspicious_d_bus_method_call.toml │ ├── execution_suspicious_execution_from_foomatic_rip_or_cupsd_parent.toml │ ├── execution_suspicious_execution_via_a_hidden_process.toml │ ├── execution_suspicious_execution_via_setsid_and_nohup.toml │ ├── execution_suspicious_lua_command_execution.toml │ ├── execution_suspicious_mining_process_events.toml │ ├── execution_suspicious_perl_command_execution.toml │ ├── execution_suspicious_php_command_execution.toml │ ├── execution_suspicious_python_command_execution.toml │ ├── execution_suspicious_python_shell_execution.toml │ ├── execution_suspicious_ruby_command_execution.toml │ ├── execution_suspicious_shell_command_execution_via_node.js_parent.toml │ ├── execution_unusual_execution_from__dev_parent.toml │ ├── execution_user_discovery_command_execution_from_shared_memory.toml │ ├── execution_world_writeable_directory_file_creation_and_outbound_connection.toml │ ├── impact_msr_write_access_enabled.toml │ ├── impact_potential_coin_miner_execution.toml │ ├── impact_potential_coin_miner_execution_via_shell.toml │ ├── impact_potential_mining_pool_command_detection.toml │ ├── initial_access_remote_code_execution_via_confluence_ognl_injection.toml │ ├── lateral_movement_potential_netcat_file_listener_established.toml │ ├── lateral_movement_potential_ssh_it_ssh_worm_downloaded.toml │ ├── persistence_apt_package_manager_command_execution.toml │ ├── persistence_apt_package_manager_egress_network_connection.toml │ ├── persistence_at_utility_launched_through_udevadm.toml │ ├── persistence_binary_execution_from_unusual_location_through_shell_profile.toml │ ├── persistence_decode_activity_via_web_server.toml │ ├── persistence_egress_connection_by_a_dnf_package_manager_descendant.toml │ ├── persistence_egress_connection_by_a_yum_package_manager_descendant.toml │ ├── persistence_egress_network_connection_by_motd_child.toml │ ├── persistence_egress_network_connection_from_default_dpkg_directory.toml │ ├── persistence_egress_network_connection_from_rpm_package.toml │ ├── persistence_file_downloaded_and_piped_to_interpreter_by_web_server.toml │ ├── persistence_file_downloaded_from_suspicious_source_by_web_server.toml │ ├── persistence_file_downloaded_to_suspicious_location_by_web_server.toml │ ├── persistence_hidden_payload_executed_via_scheduled_job.toml │ ├── persistence_linux_backdoor_network_access_via_unusual_process.toml │ ├── persistence_motd_execution_followed_by_egress_network_connection.toml │ ├── persistence_network_connection_through_shell_profile.toml │ ├── persistence_potential_web_server_directory_traversal.toml │ ├── persistence_reverse_shell_executed_via_web_server.toml │ ├── persistence_scheduled_job_executing_binary_in_unusual_location.toml │ ├── persistence_scheduled_task_unusual_command_execution.toml │ ├── persistence_suspicious_download_and_redirect_by_web_server.toml │ ├── persistence_suspicious_echo_execution.toml │ ├── persistence_suspicious_file_creation_via_web_server.toml │ ├── persistence_suspicious_message_of_the_day_execution.toml │ ├── persistence_suspicious_process_spawned_from_motd_detected.toml │ ├── persistence_system_v_init_(init.d)_egress_network_connection.toml │ ├── persistence_system_v_init_(init.d)_executed_binary_from_unusual_location.toml │ ├── persistence_systemd_execution_followed_by_network_connection.toml │ ├── persistence_udev_execution_followed_by_egress_network_connection.toml │ ├── persistence_unusual_command_executed_by_web_server.toml │ ├── persistence_unusual_ssh_child_network_connection.toml │ ├── persistence_unusual_ssh_parent_child_execution.toml │ ├── privilege_escalation_cve_2023_0386_exploitation_attempt.toml │ ├── privilege_escalation_general_privilege_escalation_sequence_detected.toml │ ├── privilege_escalation_potential_cgroup_privilege_escalation_container_escape_via_mount.toml │ ├── privilege_escalation_potential_cve_2025_32463_nsswitch_file_creation.toml │ ├── privilege_escalation_potential_cve_2025_32463_sudo_chroot_execution_attempt.toml │ ├── privilege_escalation_potential_privilege_escalation_via_cve_2023_4911.toml │ ├── privilege_escalation_potential_privilege_escalation_via_fuse_binary.toml │ ├── privilege_escalation_potential_privilege_escalation_via_overlayfs.toml │ ├── privilege_escalation_potential_privilege_escalation_via_suid_binary.toml │ ├── privilege_escalation_potential_sudo_privilege_escalation_via_cve_2019_14287.toml │ ├── privilege_escalation_privilege_escalation_via_pkexec_exploitation.toml │ ├── privilege_escalation_privilege_escalation_via_polkit_system_service.toml │ ├── privilege_escalation_uid_change_to_0_from_unusual_process_executable.toml │ └── privilege_escalation_unusual_sudo_file_creation.toml │ ├── macos │ ├── collection_clipboard_accessed_by_unsigned_or_untrusted_binary.toml │ ├── collection_discovery_result_written_to_a_suspicious_file_via_discovery_process.toml │ ├── collection_exfiltration_data_staging_in_temporary_directory_via_osascript.toml │ ├── collection_pbpaste_execution_via_unusual_parent.toml │ ├── collection_potential_data_collection_in_temporary_directory_by_hidden_executable.toml │ ├── collection_sensitive_file_access_followed_by_compression.toml │ ├── collection_sensitive_file_access_via_rsync.toml │ ├── collection_sensitive_file_copy_via_ditto.toml │ ├── collection_suspicious_archive_creation_via_ditto.toml │ ├── collection_suspicious_image_creation_via_screencapture.toml │ ├── command_and_control_curl_download_and_osascript_payload_execution_via_node.toml │ ├── command_and_control_curl_executable_file_download_via_osascript.toml │ ├── command_and_control_curl_execution_via_apple_installer_package.toml │ ├── command_and_control_curl_execution_via_application_shell_script.toml │ ├── command_and_control_curl_execution_via_automator_application.toml │ ├── command_and_control_curl_execution_via_commandline_shell_script.toml │ ├── command_and_control_curl_execution_via_env_binary.toml │ ├── command_and_control_curl_from_volume_mount.toml │ ├── command_and_control_curl_local_file_read_or_write_via_osascript.toml │ ├── command_and_control_curl_to_ftp_server_via_raw_ip.toml │ ├── command_and_control_curl_to_suspicious_top_level_domain.toml │ ├── command_and_control_curl_to_telegram_api.toml │ ├── command_and_control_executable_file_access_or_modification_via_osascript.toml │ ├── command_and_control_executable_file_download_via_wget.toml │ ├── command_and_control_file_download_from_suspicious_top_level_domain.toml │ ├── command_and_control_google_calendar_c2_via_script.toml │ ├── command_and_control_hidden_applescript_download_via_curl.toml │ ├── command_and_control_hidden_file_network_connection_and_executable_download.toml │ ├── command_and_control_malicious_homebrew_initial_access.toml │ ├── command_and_control_network_connection_to_oast_domain_via_package_service_or_script.toml │ ├── command_and_control_osascript_download_cradle_spawned.toml │ ├── command_and_control_osascript_payload_drop_and_execute.toml │ ├── command_and_control_potential_payload_download_via_applescript_applet.toml │ ├── command_and_control_potential_wizardupdate_malware_infection.toml │ ├── command_and_control_potential_xcsset_malware_infection.toml │ ├── command_and_control_python_outbound_network_connection_over_ftp.toml │ ├── command_and_control_shlayer_malware_infection.toml │ ├── command_and_control_suspicious_binary_aws_s3_connection.toml │ ├── command_and_control_suspicious_curl_file_download_from_raw_ip.toml │ ├── command_and_control_suspicious_curl_from_macos_application.toml │ ├── command_and_control_suspicious_curl_to_google_app_script_endpoint.toml │ ├── command_and_control_suspicious_curl_to_oast_domain.toml │ ├── command_and_control_suspicious_curl_to_raw_ip_via_perl.toml │ ├── command_and_control_suspicious_curl_user_agent.toml │ ├── command_and_control_suspicious_executable_download_via_curl.toml │ ├── command_and_control_suspicious_executable_download_via_ruby.toml │ ├── command_and_control_suspicious_executable_file_creation_via_python.toml │ ├── command_and_control_suspicious_file_download_via_google_drive.toml │ ├── command_and_control_suspicious_hidden_executable_and_immediate_network_connection.toml │ ├── command_and_control_suspicious_network_connection_to_gmail_via_nodejs.toml │ ├── command_and_control_suspicious_url_as_argument_to_self_signed_binary.toml │ ├── command_and_control_suspicious_vscode_extension_child_process.toml │ ├── command_and_control_url_as_argument_to_python_script_and_immediate_network_connection.toml │ ├── command_and_control_url_as_process_argument_via_installer_package.toml │ ├── credential_access_cloud_credential_files_accessed_by_osascript.toml │ ├── credential_access_cloud_credential_files_accessed_by_process_in_suspicious_directory.toml │ ├── credential_access_crypto_wallet_file_access_by_unsigned_or_untrusted_binary.toml │ ├── credential_access_crypto_wallet_file_access_via_commandline.toml │ ├── credential_access_crypto_wallet_or_web_browser_file_access_via_nodejs.toml │ ├── credential_access_crypto_wallet_or_web_browser_file_access_via_osascript.toml │ ├── credential_access_crypto_wallet_or_web_browser_file_access_via_python.toml │ ├── credential_access_crypto_wallet_or_web_browser_file_access_via_ssh.toml │ ├── credential_access_dumping_account_hashes_via_built_in_commands.toml │ ├── credential_access_kerberos_config_file_accessed_by_osascript.toml │ ├── credential_access_kerberos_config_file_accessed_by_untrusted_or_unsigned_process.toml │ ├── credential_access_keychain_credential_files_collected_via_archive_utility.toml │ ├── credential_access_keychain_dump_via_native_security_tool.toml │ ├── credential_access_potential_access_to_kerberos_cached_credentials.toml │ ├── credential_access_potential_credentials_phishing_via_osascript.toml │ ├── credential_access_potential_python_stealer.toml │ ├── credential_access_sensitive_file_access_via_perl.toml │ ├── credential_access_slack_workspace_files_accessed_by_osascript.toml │ ├── credential_access_slack_workspace_files_accessed_by_unsigned_or_untrusted_process.toml │ ├── credential_access_ssh_keys_accessed_by_osascript.toml │ ├── credential_access_suspicious_user_keychain_access_via_nodejs.toml │ ├── credential_access_suspicious_user_keychain_db_access_by_unsigned_binary.toml │ ├── credential_access_systemkey_access_via_command_line.toml │ ├── credential_access_telegram_data_accessed_by_osascript.toml │ ├── credential_access_telegram_data_accessed_by_unsigned_or_untrusted_process.toml │ ├── credential_access_user_keychain_access_in_unusual_location.toml │ ├── credential_access_user_keychain_copied_via_shell_interpreter.toml │ ├── credential_access_user_keychain_db_access_by_osascript.toml │ ├── credential_access_user_keychain_db_access_by_self_signed_binary.toml │ ├── credential_access_web_browser_credential_data_accessed_by_osascript.toml │ ├── credential_access_web_browser_credential_data_accessed_by_unsigned_or_untrusted_process.toml │ ├── credential_access_web_browsers_password_access_via_command_line.toml │ ├── defense_evasion_applescript_decoded_via_base64.toml │ ├── defense_evasion_base64_encoded_string_execution_via_osascript.toml │ ├── defense_evasion_decoded_or_decrypted_payload_written_to_suspicious_directory.toml │ ├── defense_evasion_dylib_load_via_ssh_keygen.toml │ ├── defense_evasion_dylib_loaded_by_process_in_suspicious_location.toml │ ├── defense_evasion_elastic_endpoint_security_kernel_extension_unload.toml │ ├── defense_evasion_embedded_payload_dropped_and_executed.toml │ ├── defense_evasion_executable_file_creation_via_base64.toml │ ├── defense_evasion_execution_of_a_file_dropped_by_openssl.toml │ ├── defense_evasion_execution_of_hidden_file_from_the_shared_directory.toml │ ├── defense_evasion_execution_of_non_executable_file_via_shell.toml │ ├── defense_evasion_file_hidden_via_chflags.toml │ ├── defense_evasion_file_hidden_via_setfile.toml │ ├── defense_evasion_file_made_executable_via_package_install_script.toml │ ├── defense_evasion_in_memory_jxa_execution_via_scriptingadditions.toml │ ├── defense_evasion_killall_execution_via_python.toml │ ├── defense_evasion_launchpad_hijack.toml │ ├── defense_evasion_mach_o_file_with_unusual_extension.toml │ ├── defense_evasion_macos_hidden_file_mounted.toml │ ├── defense_evasion_malicious_ledger_live_execution.toml │ ├── defense_evasion_modification_of_safari_settings_via_defaults_command.toml │ ├── defense_evasion_multi_layered_deobfuscation_via_unusual_parent.toml │ ├── defense_evasion_network_file_unzipped_via_unsigned_or_untrusted_binary.toml │ ├── defense_evasion_notificationcenter_silenced_via_killall_binary.toml │ ├── defense_evasion_operating_system_security_updates_disabled.toml │ ├── defense_evasion_payload_decoded_and_decrypted_via_built_in_utilities.toml │ ├── defense_evasion_potential_binary_masquerading_via_invalid_code_signature.toml │ ├── defense_evasion_potential_masquerading_as_system_binary.toml │ ├── defense_evasion_potential_privacy_control_bypass_via_localhost_secure_copy.toml │ ├── defense_evasion_potential_tcc_bypass_via_electron_web_inspector_api.toml │ ├── defense_evasion_python_library_load_and_delete.toml │ ├── defense_evasion_quarantine_attribute_deleted_via_untrusted_binary.toml │ ├── defense_evasion_quarantine_attribute_removal_via_textedit.toml │ ├── defense_evasion_reading_or_modifying_downloaded_files_database_via_sqlite_utility.toml │ ├── defense_evasion_reflective_binary_load.toml │ ├── defense_evasion_reflective_dylib_load.toml │ ├── defense_evasion_rot_encoded_python_script_execution.toml │ ├── defense_evasion_self_deleted_python_script_outbound_network_connection.toml │ ├── defense_evasion_self_deleting_python_script.toml │ ├── defense_evasion_suspicious_dd_execution.toml │ ├── defense_evasion_suspicious_deobfuscation_via_shell_script.toml │ ├── defense_evasion_suspicious_dmg_file_creation_in_tmp_directory.toml │ ├── defense_evasion_suspicious_executable_copied_from_volume_mount.toml │ ├── defense_evasion_suspicious_file_overwrite_and_modification_via_echo.toml │ ├── defense_evasion_suspicious_file_quarantine_removal_via_find.toml │ ├── defense_evasion_suspicious_finder_cache_file_modification.toml │ ├── defense_evasion_suspicious_macos_application_hidden_executable_file.toml │ ├── defense_evasion_suspicious_openssl_execution_via_macos_application.toml │ ├── defense_evasion_suspicious_stop_of_tccd_via_launchctl.toml │ ├── defense_evasion_suspicious_task_for_pid_system_call.toml │ ├── defense_evasion_suspicious_unload_of_elastic_agent_via_launchctl.toml │ ├── defense_evasion_tccutil_reset_via_suspicious_binary.toml │ ├── defense_evasion_terminal_closed_with_pkill_or_killall.toml │ ├── defense_evasion_terminal_window_hidden_or_closed_via_osascript.toml │ ├── defense_evasion_unsigned_or_untrusted_process_execution_and_immediate_self_deletion.toml │ ├── defense_evasion_unusual_dylib_load_from_users_shared_directory.toml │ ├── discovery_external_ip_address_discovery_via_curl.toml │ ├── discovery_potential_virtual_machine_fingerprinting_via_grep.toml │ ├── discovery_security_software_discovery_via_grep.toml │ ├── discovery_suspicious_sip_check_by_macos_application.toml │ ├── execution_abnormal_auval_child_process_execution.toml │ ├── execution_abnormally_large_javascript_evaluation_via_nodejs.toml │ ├── execution_abnormally_large_shell_script_execution_via_perl.toml │ ├── execution_arbitrary_python_code_execution_via_nodejs.toml │ ├── execution_background_process_execution_via_shell.toml │ ├── execution_cocoa_applet_binary_execution.toml │ ├── execution_code_editor_untrusted_or_unsigned_child_process_execution.toml │ ├── execution_command_execution_via_screen_session.toml │ ├── execution_curl_download_and_execution_of_javascript_payload.toml │ ├── execution_curl_hidden_binary_modification_via_osascript.toml │ ├── execution_curl_output_piped_to_osascript.toml │ ├── execution_cursor_arbitrary_code_execution_via_php.toml │ ├── execution_decoy_document_creation_via_curl.toml │ ├── execution_disown_execution_via_shell_command_from_volume_mount.toml │ ├── execution_dscl_execution_via_osascript.toml │ ├── execution_executable_file_extracted_to_temporary_directory.toml │ ├── execution_executable_file_modification_via_ssh.toml │ ├── execution_execution_of_javascript_payload_via_osascript.toml │ ├── execution_execution_of_javascript_payload_via_python.toml │ ├── execution_execution_of_self_signed_binary_from_volume_mount.toml │ ├── execution_execution_via_electron_child_process_node.js_module.toml │ ├── execution_file_cloned_by_unsigned_or_untrusted_process.toml │ ├── execution_hidden_folder_or_file_access_in_tmp_via_python.toml │ ├── execution_hidden_python_script_execution_via_nodejs.toml │ ├── execution_initial_access_discovery_via_applet_executable.toml │ ├── execution_initial_access_via_audio_unit_plug_in.toml │ ├── execution_initial_access_via_macos_installer_package.toml │ ├── execution_initial_access_via_osa_shell_script_piped_to_python_interpreter.toml │ ├── execution_javascript_reverse_shell_via_nodejs.toml │ ├── execution_lone_binary_execution_from_volume_mount.toml │ ├── execution_macos_interactive_shell_spawned_via_hidden_process.toml │ ├── execution_nodejs_initial_access_via_vscode_auto_run_task.toml │ ├── execution_nohup_execution_followed_by_outbound_network_connection.toml │ ├── execution_osa_script_execution_via_unsigned_or_untrusted_parent.toml │ ├── execution_osascript_execution_via_piped_applescript.toml │ ├── execution_payload_delivery_via_curl_and_immediate_execution.toml │ ├── execution_payload_piped_to_script_interpreter.toml │ ├── execution_perl_script_file_creation_or_modification.toml │ ├── execution_possible_java_reverse_shell.toml │ ├── execution_potential_decoy_document_via_open.toml │ ├── execution_potential_python_reverse_shell.toml │ ├── execution_powershell_encoded_command.toml │ ├── execution_powershell_outbound_network_connection.toml │ ├── execution_python_initial_access_via_google_drive.toml │ ├── execution_python_script_execution_via_shell_and_remote_network_connection.toml │ ├── execution_shell_command_curl_execution_via_osascript.toml │ ├── execution_shell_command_discovery_execution_via_untrusted_binary.toml │ ├── execution_shell_command_piped_to_osascript_via_shell_script.toml │ ├── execution_shell_script_execution_from_abnormal_volume_mount_path.toml │ ├── execution_suspicious_apple_script_execution.toml │ ├── execution_suspicious_audio_unit_plug_in_file_access.toml │ ├── execution_suspicious_automator_application_execution.toml │ ├── execution_suspicious_automator_workflows_execution.toml │ ├── execution_suspicious_binary_execution_via_ssh.toml │ ├── execution_suspicious_child_process_execution_via_interactive_shell.toml │ ├── execution_suspicious_child_process_of_expect.toml │ ├── execution_suspicious_codesign_execution_via_osacompile.toml │ ├── execution_suspicious_curl_execution_via_automator_workflow.toml │ ├── execution_suspicious_dscl_auth_validation.toml │ ├── execution_suspicious_dylib_load_from_temporary_directory.toml │ ├── execution_suspicious_electron_command_execution.toml │ ├── execution_suspicious_elevated_command_execution.toml │ ├── execution_suspicious_execution_of_unsigned_or_untrusted_process_via_sudo.toml │ ├── execution_suspicious_installer_remote_plugin_service_child_process.toml │ ├── execution_suspicious_interactive_shell_execution.toml │ ├── execution_suspicious_large_script_execution_via_shell_command.toml │ ├── execution_suspicious_network_connection_via_installer_package.toml │ ├── execution_suspicious_perl_child_process_execution.toml │ ├── execution_suspicious_powershell_child_process.toml │ ├── execution_suspicious_python_package_child_process_execution.toml │ ├── execution_suspicious_python_script_execution_and_network_connection.toml │ ├── execution_suspicious_script_compilation_via_osacompile.toml │ ├── execution_suspicious_terminal_child_process_execution.toml │ ├── execution_suspicious_unsigned_application_execution_via_shell.toml │ ├── execution_suspicious_xpc_service_child_process.toml │ ├── execution_tclsh_execution_followed_by_immediate_network_connection.toml │ ├── execution_temporary_binary_execution_via_osascript.toml │ ├── execution_unsigned_or_untrusted_application_launch_via_xpc.toml │ ├── execution_unsigned_or_untrusted_binary_execution_via_xpc_call.toml │ ├── execution_unsigned_or_untrusted_binary_fork_via_python.toml │ ├── execution_unsigned_or_untrusted_pyinstaller_binary_execution.toml │ ├── execution_untrusted_or_unsigned_binary_execution_via_osascript.toml │ ├── execution_untrusted_process_execution_with_invalid_plist_or_code_signature.toml │ ├── execution_unusual_bundle_execution_via_shell.toml │ ├── execution_unusual_library_load_via_python.toml │ ├── execution_unusually_large_osa_script_execution_via_shell_command.toml │ ├── execution_unusually_large_script_executed_by_osascript.toml │ ├── execution_user_discovery_command_execution_from_volume_mount.toml │ ├── execution_user_tcc_db_access_by_osascript.toml │ ├── execution_user_tcc_db_access_by_unsigned_or_untrusted_process.toml │ ├── execution_volume_muted_via_osascript.toml │ ├── execution_vscode_extension_install_via_uri_handler.toml │ ├── exfiltration_potential_data_exfiltration_via_curl.toml │ ├── exfiltration_user_keychain_exfiltration_via_curl.toml │ ├── initial_access_initial_access_or_execution_via_microsoft_office_application.toml │ ├── initial_access_suspicious_execution_via_script_editor.toml │ ├── lateral_movement_potential_kerberos_attack_via_bifrost.toml │ ├── lateral_movement_suspicious_curl_to_jamf_endpoint.toml │ ├── persistence_at_job_creation_or_modification_via_shell_command.toml │ ├── persistence_cron_tab_creation_or_modification_via_shell_command.toml │ ├── persistence_default_application_hijacking.toml │ ├── persistence_dock_tile_plug_in_load.toml │ ├── persistence_initial_access_staging_via_installer_package.toml │ ├── persistence_manual_loading_of_a_suspicious_chromium_extension.toml │ ├── persistence_new_system_kext_file_and_immediate_load_via_kextload.toml │ ├── persistence_persistence_via_a_hidden_plist_filename.toml │ ├── persistence_persistence_via_a_masqueraded_plist_filename.toml │ ├── persistence_plist_loaded_by_launchctl_from_unusual_location.toml │ ├── persistence_potential_persistence_via_emond.toml │ ├── persistence_screensaver_plist_file_modified_by_unexpected_process.toml │ ├── persistence_suspicious_apple_mail_rule_plist_creation_or_modification.toml │ ├── persistence_suspicious_browser_preference_file_modification.toml │ ├── persistence_suspicious_dock_plist_configuration_modification.toml │ ├── persistence_suspicious_file_creation_via_pkg_install_script.toml │ ├── persistence_suspicious_startupitem_plist_creation_or_modification.toml │ ├── persistence_unexpected_child_process_of_macos_screensaver_engine.toml │ ├── persistence_unsigned_or_untrusted_binary_execution_via_cron.toml │ ├── persistence_unsigned_or_untrusted_binary_execution_via_zshrc.toml │ ├── persistence_unsigned_or_untrusted_process_execution_via_installer.toml │ ├── persistence_untrusted_or_unsigned_binary_executed_via_launch_service.toml │ ├── persistence_unusual_launch_service_creation_via_unsigned_or_untrusted_binary.toml │ ├── persistence_vscode_project_file_infection_via_osascript.toml │ ├── privilege_escalation_elevated_apple_script_execution_via_unsigned_parent.toml │ ├── privilege_escalation_executewithprivileges_prompt_via_unsigned_or_untrusted_application.toml │ ├── privilege_escalation_potential_code_injection_via_remote_thread.toml │ ├── privilege_escalation_potential_privilege_escalation_via_root_crontab_file_modification.toml │ ├── privilege_escalation_potential_privilege_escalation_via_tcc_bypass_with_fake_tcc.db.toml │ ├── privilege_escalation_potential_sip_bypass_via_the_shoveservice.toml │ └── privilege_escalation_suspicious_privilegedhelpertool_activity.toml │ └── windows │ ├── collection_getasynckeystate_api_call_from_suspicious_process.toml │ ├── collection_keystroke_input_capture_via_directinput.toml │ ├── collection_keystroke_input_capture_via_registerrawinputdevices.toml │ ├── collection_keystroke_messages_hooking_via_setwindowshookex.toml │ ├── collection_keystrokes_input_capture_from_a_managed_application.toml │ ├── collection_keystrokes_input_capture_from_a_suspicious_module.toml │ ├── collection_keystrokes_input_capture_from_suspicious_callstack.toml │ ├── collection_keystrokes_input_capture_from_unsigned_dll.toml │ ├── collection_keystrokes_input_capture_via_powershell.toml │ ├── collection_keystrokes_input_capture_via_setwindowshookex.toml │ ├── collection_powershell_script_with_screen_capture_capability.toml │ ├── command_and_control_connection_to_dynamic_dns_provider_by_a_signed_binary_proxy.toml │ ├── command_and_control_connection_to_dynamic_dns_provider_by_an_unsigned_binary.toml │ ├── command_and_control_connection_to_webservice_by_a_signed_binary_proxy.toml │ ├── command_and_control_connection_to_webservice_by_an_unsigned_binary.toml │ ├── command_and_control_dns_over_https_by_an_unusual_process.toml │ ├── command_and_control_dns_query_to_suspicious_top_level_domain.toml │ ├── command_and_control_download_activity_via_a_headless_browser.toml │ ├── command_and_control_execution_from_suspicious_stack_trailing_bytes.toml │ ├── command_and_control_execution_of_a_file_written_by_a_signed_binary_proxy.toml │ ├── command_and_control_ingress_tool_transfer_via_curl.toml │ ├── command_and_control_ingress_tool_transfer_via_inet_cache.toml │ ├── command_and_control_ingress_tool_transfer_via_powershell.toml │ ├── command_and_control_ingress_transfer_via_windows_utility.toml │ ├── command_and_control_library_load_of_a_file_written_by_a_signed_binary_proxy.toml │ ├── command_and_control_netsupport_execution_form_unusual_path.toml │ ├── command_and_control_netwire_rat_registry_modification.toml │ ├── command_and_control_network_connect_api_from_modified_memory.toml │ ├── command_and_control_network_connect_api_from_unbacked_memory.toml │ ├── command_and_control_outlook_home_page_registry_modification.toml │ ├── command_and_control_potential_dante_spyware_execution.toml │ ├── command_and_control_potential_execution_via_sliver_framework.toml │ ├── command_and_control_potential_known_tcp_port_traffic_tunneling.toml │ ├── command_and_control_potential_plugx_registry_modification.toml │ ├── command_and_control_potential_protocol_tunneling_via_legit_utilities.toml │ ├── command_and_control_potential_remote_desktop_protocol_tunneling.toml │ ├── command_and_control_potential_traffic_tunneling_with_qemu.toml │ ├── command_and_control_remcos_rat_exepath_registry_modification.toml │ ├── command_and_control_remcos_rat_inetcookies_file_deletion.toml │ ├── command_and_control_remcos_rat_registry_or_file_modification.toml │ ├── command_and_control_service_communication_via_mail_protocol.toml │ ├── command_and_control_suspicious_command_and_control_via_internet_explorer.toml │ ├── command_and_control_suspicious_communication_via_mail_protocol.toml │ ├── command_and_control_suspicious_dns_lookup_by_remote_utilities_rmm.toml │ ├── command_and_control_suspicious_dns_query_by_msiexec.toml │ ├── command_and_control_suspicious_dns_query_from_mounted_virtual_disk.toml │ ├── command_and_control_suspicious_executable_file_creation.toml │ ├── command_and_control_suspicious_netsupport_execution.toml │ ├── credential_access_access_attempt_to_non_existing_cryptocurrency_wallet.toml │ ├── credential_access_access_to_browser_credentials_from_suspicious_memory.toml │ ├── credential_access_access_to_windows_passwords_vault_via_powershell.toml │ ├── credential_access_autologons_access_attempt_via_registry.toml │ ├── credential_access_browser_debugging_from_unusual_parent.toml │ ├── credential_access_chrome_browser_spawned_from_an_unusual_parent.toml │ ├── credential_access_credential_access_via_known_utilities.toml │ ├── credential_access_failed_access_attempt_to_web_browser_files.toml │ ├── credential_access_failed_attempts_to_access_sensitive_files.toml │ ├── credential_access_ldap_search_followed_by_kerberos_connection.toml │ ├── credential_access_lsa_dump_via_silentprocessexit.toml │ ├── credential_access_lsa_dump_via_windows_error_reporting.toml │ ├── credential_access_lsass_access_attempt_from_an_unsigned_executable.toml │ ├── credential_access_lsass_access_attempt_from_unbacked_memory.toml │ ├── credential_access_lsass_memory_dump_via_minidumpwritedump.toml │ ├── credential_access_lsass_memory_read_via_ppl_bypass.toml │ ├── credential_access_potential_browser_credentials_stealer.toml │ ├── credential_access_potential_browser_debugging_via_localhost.toml │ ├── credential_access_potential_credential_access_via_mimikatz.toml │ ├── credential_access_potential_credential_access_via_rubeus.toml │ ├── credential_access_potential_credential_access_via_windows_credential_history.toml │ ├── credential_access_potential_discovery_of_dpapi_master_keys.toml │ ├── credential_access_potential_discovery_of_windows_credential_manager_store.toml │ ├── credential_access_potential_google_credentials_phishing.toml │ ├── credential_access_powershell_script_with_passwords_vault_access_capability.toml │ ├── credential_access_remote_access_to_sensitive_registry_keys.toml │ ├── credential_access_security_account_manager_(sam)_file_access.toml │ ├── credential_access_security_account_manager_(sam)_registry_access.toml │ ├── credential_access_sensitive_file_access_by_an_unsigned_process.toml │ ├── credential_access_sensitive_file_access_cloud_credentials.toml │ ├── credential_access_sensitive_file_access_remote_desktop_connection_manager.toml │ ├── credential_access_sensitive_file_access_ssh_saved_keys.toml │ ├── credential_access_sensitive_file_access_system_admin_utilities.toml │ ├── credential_access_sensitive_file_access_unattended_panther.toml │ ├── credential_access_sensitive_hive_access_via_registry_backup.toml │ ├── credential_access_suspicious_access_to_active_directory_database_file.toml │ ├── credential_access_suspicious_access_to_cryptocurrency_wallet_files.toml │ ├── credential_access_suspicious_access_to_lsa_secrets_registry.toml │ ├── credential_access_suspicious_access_to_web_browser_credential_stores.toml │ ├── credential_access_suspicious_access_to_windows_vault_files.toml │ ├── credential_access_suspicious_credential_files_creation_via_kerberos.toml │ ├── credential_access_suspicious_registry_hive_dump.toml │ ├── credential_access_suspicious_vault_client_image_load.toml │ ├── credential_access_suspicious_vault_files_access_via_rpc.toml │ ├── credential_access_system_bootkey_registry_access.toml │ ├── credential_access_unusual_kerberos_client_process.toml │ ├── credential_access_unusual_ldap_client_process.toml │ ├── credential_access_web_browser_credential_access_via_scripting_utility.toml │ ├── credential_access_web_browser_credential_access_via_unsigned_process.toml │ ├── defense_evasion_allowprotectedrenames_registry_modification.toml │ ├── defense_evasion_amsi_bypass_from_suspicious_module.toml │ ├── defense_evasion_amsi_bypass_via_com_registry_modification.toml │ ├── defense_evasion_amsi_bypass_via_powershell.toml │ ├── defense_evasion_amsi_bypass_via_unbacked_memory.toml │ ├── defense_evasion_amsi_or_wldp_bypass_via_memory_patching.toml │ ├── defense_evasion_api_call_from_a_process_with_a_spoofed_parent.toml │ ├── defense_evasion_api_call_from_inaccessible_memory_page.toml │ ├── defense_evasion_api_call_via_jump_rop_gadget.toml │ ├── defense_evasion_api_call_via_timer_callback_event.toml │ ├── defense_evasion_api_via_trusted_app_runtime_dll.toml │ ├── defense_evasion_asynchronous_procedure_call_from_unusual_module.toml │ ├── defense_evasion_attempt_to_disable_driver_via_hvcidisallowedimages.toml │ ├── defense_evasion_attempt_to_disable_windows_defender_services.toml │ ├── defense_evasion_attempt_to_disable_windows_driver_blocklist_via_registry.toml │ ├── defense_evasion_attempt_to_hide_files_via_registry_modification.toml │ ├── defense_evasion_binary_masquerading_via_untrusted_path.toml │ ├── defense_evasion_binary_proxy_execution_via_appvlp.toml │ ├── defense_evasion_binary_proxy_execution_via_pester.toml │ ├── defense_evasion_binary_proxy_execution_via_rundll32.toml │ ├── defense_evasion_binary_proxy_execution_via_runexehelper.toml │ ├── defense_evasion_binary_proxy_execution_via_ttdinject.toml │ ├── defense_evasion_binary_proxy_execution_via_windows_openssh.toml │ ├── defense_evasion_bindfltapi_loaded_by_an_unusual_process.toml │ ├── defense_evasion_browser_process_started_in_a_hidden_desktop.toml │ ├── defense_evasion_com_to_.net_redirection_via_registry.toml │ ├── defense_evasion_common_language_runtime_loaded_via_an_unsigned_module.toml │ ├── defense_evasion_control_panel_process_with_unusual_arguments.toml │ ├── defense_evasion_crashdump_disabled_via_registry_modification.toml │ ├── defense_evasion_cross_process_api_activity_with_truncated_stack.toml │ ├── defense_evasion_defense_evasion_via_registry_modification.toml │ ├── defense_evasion_delayed_common_language_runtime_load.toml │ ├── defense_evasion_direct_syscall_from_unsigned_module.toml │ ├── defense_evasion_direct_syscall_via_assembly_bytes.toml │ ├── defense_evasion_disabling_hypervisor_protected_code_integrity_via_registry.toml │ ├── defense_evasion_dll_control_panel_items_registry_modification.toml │ ├── defense_evasion_dll_dropped_by_msiexec_followed_by_sideload.toml │ ├── defense_evasion_dll_execution_via_visual_studio_live_share.toml │ ├── defense_evasion_dll_injection_via_mavinject_utility.toml │ ├── defense_evasion_dll_side_loading_of_a_file_dropped_by_microsoft_office.toml │ ├── defense_evasion_dll_side_loading_via_a_copied_microsoft_executable.toml │ ├── defense_evasion_evasion_via_device_credential_deployment.toml │ ├── defense_evasion_evasion_via_event_tracing_for_windows_patching.toml │ ├── defense_evasion_evasion_via_file_name_masquerading.toml │ ├── defense_evasion_evasion_via_ldrpkernel32_overwrite.toml │ ├── defense_evasion_evasion_via_multiple_memory_section_mapping.toml │ ├── defense_evasion_evasion_via_sleep_api_hooking.toml │ ├── defense_evasion_execution_from_suspicious_directory.toml │ ├── defense_evasion_execution_of_a_binary_dropped_via_microsoft_bsdtar_archive_tool.toml │ ├── defense_evasion_execution_of_a_dnguard_protected_program.toml │ ├── defense_evasion_execution_of_a_file_dropped_from_kernel_mode.toml │ ├── defense_evasion_execution_via_dcom_excel_application.toml │ ├── defense_evasion_execution_via_internet_explorer_exporter.toml │ ├── defense_evasion_execution_via_msiexec_downloadandexecute_customaction.toml │ ├── defense_evasion_execution_via_program_compatibility_assistant.toml │ ├── defense_evasion_execution_via_renamed_signed_binary_proxy.toml │ ├── defense_evasion_execution_via_windows_command_line_debugging_utility.toml │ ├── defense_evasion_execution_via_windows_installer_transforms.toml │ ├── defense_evasion_firewall_policy_changed_by_a_suspicious_process.toml │ ├── defense_evasion_hollow_image_behavior_via_native_api.toml │ ├── defense_evasion_image_hollow_from_unusual_stack.toml │ ├── defense_evasion_image_load_via_synthetic_stack_spoofing.toml │ ├── defense_evasion_image_load_via_transactional_ntfs.toml │ ├── defense_evasion_indirect_command_execution_via_console_window_host.toml │ ├── defense_evasion_indirect_command_execution_via_forfiles.toml │ ├── defense_evasion_ingress_dll_transfer_followed_by_dll_sideloading.toml │ ├── defense_evasion_internet_activity_from_suspicious_unbacked_memory.toml │ ├── defense_evasion_library_load_from_a_truncated_stack.toml │ ├── defense_evasion_library_loaded_from_a_potentially_altered_call_stack.toml │ ├── defense_evasion_library_loaded_from_a_spoofed_call_stack.toml │ ├── defense_evasion_library_loaded_via_a_callback_function.toml │ ├── defense_evasion_library_loaded_via_thread_fiber_callback.toml │ ├── defense_evasion_managed_.net_code_execution_via_powershell.toml │ ├── defense_evasion_managed_.net_code_execution_via_windows_script_interpreter.toml │ ├── defense_evasion_memory_allocation_from_a_high_entropy_module.toml │ ├── defense_evasion_memory_protection_from_read_to_execute.toml │ ├── defense_evasion_microsoft_common_language_runtime_loaded_from_modified_memory.toml │ ├── defense_evasion_microsoft_common_language_runtime_loaded_from_suspicious_memory.toml │ ├── defense_evasion_module_stomping_from_a_copied_library.toml │ ├── defense_evasion_msbuild_with_unusual_arguments.toml │ ├── defense_evasion_msiexec_execution_via_a_windows_script_interpreter.toml │ ├── defense_evasion_native_api_call_from_unsigned_module.toml │ ├── defense_evasion_network_activity_from_a_reflected_process.toml │ ├── defense_evasion_network_activity_from_a_stomped_module.toml │ ├── defense_evasion_network_activity_from_modified_module.toml │ ├── defense_evasion_network_connection_via_process_with_unusual_arguments.toml │ ├── defense_evasion_network_library_load_via_ldrloaddll.toml │ ├── defense_evasion_network_module_loaded_from_suspicious_unbacked_memory.toml │ ├── defense_evasion_ntdll_library_loaded_for_a_second_time.toml │ ├── defense_evasion_ntdll_loaded_from_an_unusual_path.toml │ ├── defense_evasion_ntdll_memory_protection_change_via_unsigned_dll.toml │ ├── defense_evasion_oversized_dll_creation_followed_by_sideload.toml │ ├── defense_evasion_parallel_ntdll_loaded_from_unbacked_memory.toml │ ├── defense_evasion_parent_process_pid_spoofing.toml │ ├── defense_evasion_payload_decoded_via_certutil.toml │ ├── defense_evasion_potential_amsi_bypass_via_setthreadcontext.toml │ ├── defense_evasion_potential_autoconfigurl_settings_hijack.toml │ ├── defense_evasion_potential_beacon_masking_from_a_stomped_module.toml │ ├── defense_evasion_potential_cve_2024_21338_exploitation.toml │ ├── defense_evasion_potential_defense_evasion_via_filter_manager_control_program.toml │ ├── defense_evasion_potential_dll_hijack_via_directory_spoofing.toml │ ├── defense_evasion_potential_dll_hijacking_via_environment_paths.toml │ ├── defense_evasion_potential_dll_hollowing_from_a_writable_image.toml │ ├── defense_evasion_potential_dll_hollowing_with_transactional_ntfs.toml │ ├── defense_evasion_potential_dll_search_order_hijacking_of_an_existing_program.toml │ ├── defense_evasion_potential_dll_sideload_via_a_microsoft_signed_binary.toml │ ├── defense_evasion_potential_dll_sideload_via_a_renamed_signed_binary.toml │ ├── defense_evasion_potential_elastic_tampering_via_pendingfilerename.toml │ ├── defense_evasion_potential_endpoint_security_evasion_via_firewallrules.toml │ ├── defense_evasion_potential_evasion_via_asp.net_compiler.toml │ ├── defense_evasion_potential_evasion_via_clipup_execution.toml │ ├── defense_evasion_potential_evasion_via_dotnet_framework_installation_utility.toml │ ├── defense_evasion_potential_evasion_via_inline_execute_assembly.toml │ ├── defense_evasion_potential_evasion_via_intel_gfxdownloadwrapper.toml │ ├── defense_evasion_potential_evasion_via_invalid_code_signature.toml │ ├── defense_evasion_potential_evasion_via_oversized_image_load.toml │ ├── defense_evasion_potential_evasion_via_stack_rumbling.toml │ ├── defense_evasion_potential_evasion_with_hardware_breakpoints.toml │ ├── defense_evasion_potential_executable_stored_in_the_registry.toml │ ├── defense_evasion_potential_exploit_via_fake_rpc_messages.toml │ ├── defense_evasion_potential_hardware_breakpoints_evasion.toml │ ├── defense_evasion_potential_image_hollowing_via_mapping.toml │ ├── defense_evasion_potential_image_load_via_transactional_ntfs.toml │ ├── defense_evasion_potential_image_load_with_a_spoofed_creation_time.toml │ ├── defense_evasion_potential_initial_access_via_dll_search_order_hijacking.toml │ ├── defense_evasion_potential_injection_from_a_lua_script.toml │ ├── defense_evasion_potential_injection_via_asynchronous_procedure_call.toml │ ├── defense_evasion_potential_injection_via_dotnet_debugging.toml │ ├── defense_evasion_potential_injection_via_module_stomping.toml │ ├── defense_evasion_potential_injection_via_nsis_installer.toml │ ├── defense_evasion_potential_injection_via_pyinstaller_executable.toml │ ├── defense_evasion_potential_injection_via_the_console_window_class.toml │ ├── defense_evasion_potential_library_load_via_rop_gadgets.toml │ ├── defense_evasion_potential_logonuser_api_hooking.toml │ ├── defense_evasion_potential_masquerading_as_svchost.toml │ ├── defense_evasion_potential_masquerading_as_windows_error_manager.toml │ ├── defense_evasion_potential_module_stomping_with_network_activity.toml │ ├── defense_evasion_potential_netntlmv1_downgrade_attack.toml │ ├── defense_evasion_potential_ntdll_memory_unhooking.toml │ ├── defense_evasion_potential_operation_via_direct_syscall.toml │ ├── defense_evasion_potential_parent_process_pid_spoofing_via_malseclogon.toml │ ├── defense_evasion_potential_process_creation_via_direct_syscall.toml │ ├── defense_evasion_potential_process_creation_via_shellcode.toml │ ├── defense_evasion_potential_protected_process_dll_injection_via_rpc.toml │ ├── defense_evasion_potential_remote_code_injection.toml │ ├── defense_evasion_potential_self_deletion_of_a_running_executable.toml │ ├── defense_evasion_potential_shellcode_fluctuation_v1.toml │ ├── defense_evasion_potential_shellcode_injection_via_a_webshell.toml │ ├── defense_evasion_potential_shellcode_injection_via_clr.toml │ ├── defense_evasion_potential_shellcode_injection_via_node.js.toml │ ├── defense_evasion_potential_suspended_process_code_injection.toml │ ├── defense_evasion_potential_unbacked_memory_content_masking.toml │ ├── defense_evasion_privilege_escalation_via_microsoft_exchange_dll_hijacking.toml │ ├── defense_evasion_process_anti_debug_via_memory_patching.toml │ ├── defense_evasion_process_creation_from_a_stomped_module.toml │ ├── defense_evasion_process_creation_from_backed_rwx_memory.toml │ ├── defense_evasion_process_creation_from_unbacked_memory_via_unsigned_parent.toml │ ├── defense_evasion_process_creation_via_rop_gadgets.toml │ ├── defense_evasion_process_creation_with_unusual_mitigation.toml │ ├── defense_evasion_process_executable_image_tampering_attempt.toml │ ├── defense_evasion_process_execution_with_unusual_file_extension.toml │ ├── defense_evasion_process_explorer_device_access_by_unusual_process.toml │ ├── defense_evasion_process_from_archive_or_removable_media_via_unbacked_code.toml │ ├── defense_evasion_process_memory_write_to_a_non_child_process.toml │ ├── defense_evasion_process_stared_via_remote_thread.toml │ ├── defense_evasion_process_started_in_a_hidden_desktop.toml │ ├── defense_evasion_process_suspended_via_ttd_monitor_driver.toml │ ├── defense_evasion_protected_process_from_unusual_parent.toml │ ├── defense_evasion_protected_process_light_bypass_via_dll_tampering.toml │ ├── defense_evasion_registry_modification_from_a_potentially_altered_call_stack.toml │ ├── defense_evasion_registry_modification_via_wmi_stdregprov.toml │ ├── defense_evasion_regsvr32_scriptlet_execution.toml │ ├── defense_evasion_regsvr32_with_unusual_arguments.toml │ ├── defense_evasion_remote_file_execution_via_msiexec.toml │ ├── defense_evasion_remote_memory_write_to_a_non_child_process.toml │ ├── defense_evasion_remote_memory_write_to_trusted_target_process.toml │ ├── defense_evasion_remote_msi_package_installation_via_msiexec.toml │ ├── defense_evasion_remote_process_injection_via_mapping.toml │ ├── defense_evasion_remote_process_injection_via_python.toml │ ├── defense_evasion_remote_process_memory_write_by_low_reputation_module.toml │ ├── defense_evasion_remote_thread_context_manipulation.toml │ ├── defense_evasion_renamed_autoit_scripts_interpreter.toml │ ├── defense_evasion_renamed_third_party_administrator_tools.toml │ ├── defense_evasion_renamed_windows_automaton_script_interpreter.toml │ ├── defense_evasion_rundll32_or_regsvr32_executing_an_oversized_file.toml │ ├── defense_evasion_rundll32_or_regsvr32_loaded_a_dll_from_unbacked_memory.toml │ ├── defense_evasion_rundll32_regsvr32_loads_a_dll_downloaded_via_bits.toml │ ├── defense_evasion_rundll32_with_unusual_arguments.toml │ ├── defense_evasion_script_execution_via_microsoft_html_application.toml │ ├── defense_evasion_script_execution_via_msxsl.toml │ ├── defense_evasion_scriptlet_execution_via_cmstp.toml │ ├── defense_evasion_scriptlet_execution_via_rundll32.toml │ ├── defense_evasion_scriptlet_proxy_execution_via_pubprn.toml │ ├── defense_evasion_self_injection_via_appdomain_manager_assembly.toml │ ├── defense_evasion_shadow_copy_service_disabled_via_registry_modification.toml │ ├── defense_evasion_shellcode_allocation_from_free_memory.toml │ ├── defense_evasion_shellcode_api_behavior_from_a_signed_module.toml │ ├── defense_evasion_shellcode_behavior_from_suspicious_rwx_provenance.toml │ ├── defense_evasion_shellcode_behavior_from_unusual_memory.toml │ ├── defense_evasion_shellcode_behavior_via_.net_core.toml │ ├── defense_evasion_shellcode_execution_from_low_reputation_module.toml │ ├── defense_evasion_shellcode_execution_via_a_callback_function.toml │ ├── defense_evasion_shellcode_execution_via_python_script.toml │ ├── defense_evasion_shellcode_fluctuation_via_callback.toml │ ├── defense_evasion_shellcode_from_unusual_microsoft_signed_module.toml │ ├── defense_evasion_shellcode_heap_allocation_from_unbacked_memory.toml │ ├── defense_evasion_shellcode_injection_from_mounted_device.toml │ ├── defense_evasion_shellcode_injection_via_powershell.toml │ ├── defense_evasion_shellcode_injection_with_parent_as_provenance.toml │ ├── defense_evasion_suspicious_activity_from_a_control_panel_applet.toml │ ├── defense_evasion_suspicious_antivirus_registration.toml │ ├── defense_evasion_suspicious_api_call_via_a_windows_installer_module.toml │ ├── defense_evasion_suspicious_api_call_via_windows_script_interpreter.toml │ ├── defense_evasion_suspicious_appdomain_manager_configuration_file.toml │ ├── defense_evasion_suspicious_bitsadmin_activity.toml │ ├── defense_evasion_suspicious_bootexecute_registry_modification.toml │ ├── defense_evasion_suspicious_call_stack_trailing_bytes.toml │ ├── defense_evasion_suspicious_control_panel_dll_loaded_by_explorer.toml │ ├── defense_evasion_suspicious_dllregisterserver_execution_via_msiexec.toml │ ├── defense_evasion_suspicious_executable_heap_allocation_via_clr.toml │ ├── defense_evasion_suspicious_executable_memory_mapping.toml │ ├── defense_evasion_suspicious_executable_memory_permission_modification.toml │ ├── defense_evasion_suspicious_execution_from_a_mounted_device.toml │ ├── defense_evasion_suspicious_execution_from_an_oversized_executable.toml │ ├── defense_evasion_suspicious_execution_via_dcom.toml │ ├── defense_evasion_suspicious_execution_via_dotnet_remoting.toml │ ├── defense_evasion_suspicious_execution_via_ihxhelppaneserver.toml │ ├── defense_evasion_suspicious_file_memory_mapping_via_managed_.net.toml │ ├── defense_evasion_suspicious_image_load_by_system_protected_process.toml │ ├── defense_evasion_suspicious_image_load_from_a_stomped_module.toml │ ├── defense_evasion_suspicious_image_load_from_smb_shares.toml │ ├── defense_evasion_suspicious_image_load_via_ldrloaddll.toml │ ├── defense_evasion_suspicious_imageload_from_an_iso_mounted_device.toml │ ├── defense_evasion_suspicious_imageload_via_odbc_driver_configuration_program.toml │ ├── defense_evasion_suspicious_imageload_via_windows_certoc.toml │ ├── defense_evasion_suspicious_imageload_via_windows_update_auto_update_client.toml │ ├── defense_evasion_suspicious_kernel32_memory_protection.toml │ ├── defense_evasion_suspicious_memory_mapping_from_a_windows_installer.toml │ ├── defense_evasion_suspicious_memory_page_protection.toml │ ├── defense_evasion_suspicious_memory_protection_change_via_virtualprotect.toml │ ├── defense_evasion_suspicious_memory_protection_fluctuation.toml │ ├── defense_evasion_suspicious_memory_size_protection_via_virtualprotect.toml │ ├── defense_evasion_suspicious_msiexec_child_process.toml │ ├── defense_evasion_suspicious_network_library_load.toml │ ├── defense_evasion_suspicious_network_module_loadlibrary.toml │ ├── defense_evasion_suspicious_ntdll_image_load.toml │ ├── defense_evasion_suspicious_ntdll_memory_write.toml │ ├── defense_evasion_suspicious_null_terminated_call_stack.toml │ ├── defense_evasion_suspicious_okta_agent_cross_process_activity.toml │ ├── defense_evasion_suspicious_parent_child_relationship.toml │ ├── defense_evasion_suspicious_powershell_console_history_deletion.toml │ ├── defense_evasion_suspicious_process_creation_via_reflection.toml │ ├── defense_evasion_suspicious_process_with_a_spoofed_parent.toml │ ├── defense_evasion_suspicious_remote_memory_allocation.toml │ ├── defense_evasion_suspicious_remote_process_suspend_activity.toml │ ├── defense_evasion_suspicious_remote_process_thread_access.toml │ ├── defense_evasion_suspicious_remote_registry_modification.toml │ ├── defense_evasion_suspicious_shell_extension_handler_registry_modification.toml │ ├── defense_evasion_suspicious_suspended_process_creation.toml │ ├── defense_evasion_suspicious_system_module_image_hollowing.toml │ ├── defense_evasion_suspicious_unsigned_dll_loaded_by_a_trusted_process.toml │ ├── defense_evasion_suspicious_windows_api_call_from_virtual_disk_or_usb.toml │ ├── defense_evasion_suspicious_windows_core_module_change.toml │ ├── defense_evasion_suspicious_windows_defender_exclusions_added_via_powershell.toml │ ├── defense_evasion_suspicious_windows_defender_registry_modification.toml │ ├── defense_evasion_suspicious_windows_explorer_execution.toml │ ├── defense_evasion_suspicious_windows_lua_script_execution.toml │ ├── defense_evasion_suspicious_windows_nt_api_hooking.toml │ ├── defense_evasion_suspicious_windows_sandbox_execution.toml │ ├── defense_evasion_suspicious_wmic_xsl_script_execution.toml │ ├── defense_evasion_system_binary_proxy_execution_via_scriptrunner.toml │ ├── defense_evasion_system_boot_files_permission_change.toml │ ├── defense_evasion_thread_suspension_from_unbacked_memory.toml │ ├── defense_evasion_transacted_file_activity_via_an_unsigned_dll.toml │ ├── defense_evasion_unbacked_shellcode_from_unsigned_module.toml │ ├── defense_evasion_unsigned_dll_from_suspicious_directory.toml │ ├── defense_evasion_unsigned_dll_loaded_by_an_elastic_signed_binary.toml │ ├── defense_evasion_unsigned_dll_loaded_by_rundll32_via_com.toml │ ├── defense_evasion_untrusted_dll_loaded_by_a_persistent_program.toml │ ├── defense_evasion_unusual_dll_extension_loaded_by_rundll32_or_regsvr32.toml │ ├── defense_evasion_unusual_network_connection_via_rundll32.toml │ ├── defense_evasion_unusual_process_running_as_antimalware_protected.toml │ ├── defense_evasion_unusual_registry_modification_via_wmi.toml │ ├── defense_evasion_unusual_windows_system_service_disabled.toml │ ├── defense_evasion_user_account_control_disabled_via_registry.toml │ ├── defense_evasion_virtualalloc_api_call_from_an_unsigned_dll.toml │ ├── defense_evasion_virtualprotect_api_call_from_unusual_stack.toml │ ├── defense_evasion_virtualprotect_api_via_stack_truncation.toml │ ├── defense_evasion_virtualprotect_call_via_nttestalert.toml │ ├── defense_evasion_virtualprotect_via_indirect_syscall.toml │ ├── defense_evasion_virtualprotect_via_vectored_exception_handling.toml │ ├── defense_evasion_waasmedicsvc_com_type_lib_hijack.toml │ ├── defense_evasion_windows_api_call_via_indirect_random_syscall.toml │ ├── defense_evasion_windows_api_via_a_callback_function.toml │ ├── defense_evasion_windows_api_via_work_callback.toml │ ├── defense_evasion_windows_console_execution_from_unbacked_memory.toml │ ├── defense_evasion_windows_defender_exclusions_by_extension.toml │ ├── defense_evasion_windows_defender_exclusions_by_path.toml │ ├── defense_evasion_windows_defender_exclusions_via_wmi.toml │ ├── defense_evasion_windows_error_manager_reporting_masquerading.toml │ ├── defense_evasion_windows_firewall_exception_list_modified_via_untrusted_process.toml │ ├── defense_evasion_windows_installer_execution_via_explorer.toml │ ├── defense_evasion_windows_socket_creation_from_stomped_module.toml │ ├── defense_evasion_windows_socket_creation_from_unbacked_memory.toml │ ├── defense_evasion_windows_system_module_remote_hooking.toml │ ├── defense_evasion_windows_trojan_zloader.toml │ ├── defense_evasion_writeprocessmemory_to_suspicious_memory_location.toml │ ├── discovery_active_directory_data_collection_via_ldap.toml │ ├── discovery_ad_certificate_services_enumeration_via_ldap.toml │ ├── discovery_distributed_file_system_shares_enumeration_via_ldap.toml │ ├── discovery_domain_accounts_enumeration_via_ldap_search.toml │ ├── discovery_domain_computers_enumeration_via_ldap_search.toml │ ├── discovery_domain_password_policy_enumeration_via_ldap.toml │ ├── discovery_domain_trust_and_schema_enumeration_via_ldap.toml │ ├── discovery_external_ip_address_discovery_via_a_trusted_program.toml │ ├── discovery_external_ip_address_discovery_via_untrusted_program.toml │ ├── discovery_group_and_privileged_accounts_discovery_via_ldap.toml │ ├── discovery_password_spraying_enumeration_via_ldap.toml │ ├── discovery_potential_browser_information_discovery.toml │ ├── discovery_potential_hawkeyes_stealer_infection.toml │ ├── discovery_potential_virtual_machine_fingerprinting_via_vmdetect.toml │ ├── discovery_privileged_domain_group_enumeration_via_ldap.toml │ ├── discovery_sensitive_attributes_discovery_via_ldap.toml │ ├── discovery_suspicious_enumeration_via_ldap_search.toml │ ├── discovery_suspicious_kerberos_enumeration_via_ldap_search.toml │ ├── discovery_suspicious_security_product_enumeration.toml │ ├── discovery_suspicious_windows_ldap_image_load.toml │ ├── execution_.net_com_object_created_in_non_standard_windows_script_interpreter.toml │ ├── execution_attempt_to_mount_a_remote_webdav_share.toml │ ├── execution_command_and_scripting_interpreter_from_suspicious_parent.toml │ ├── execution_command_shell_activity_started_via_rundll32.toml │ ├── execution_command_shell_execution_from_untrusted_origin.toml │ ├── execution_dll_loaded_from_webdav_share.toml │ ├── execution_dynwrapx_image_load_via_windows_scripts.toml │ ├── execution_embedded_executable_via_windows_shortcut_file.toml │ ├── execution_encoded_powershell_execution_via_msiexec.toml │ ├── execution_execution_from_a_password_protected_self_extracting_archive.toml │ ├── execution_execution_from_unusual_directory.toml │ ├── execution_execution_from_zip_file_via_explorer.toml │ ├── execution_execution_of_a_downloaded_executable_with_low_or_unknown_reputation.toml │ ├── execution_execution_of_a_downloaded_windows_script_via_explorer.toml │ ├── execution_execution_of_a_file_downloaded_via_windows_openssh.toml │ ├── execution_execution_of_a_file_written_by_windows_script_host.toml │ ├── execution_execution_of_a_windows_script_downloaded_from_the_internet.toml │ ├── execution_execution_of_a_windows_script_downloaded_via_a_lolbin.toml │ ├── execution_execution_of_a_windows_script_file_written_by_a_suspicious_process.toml │ ├── execution_execution_of_a_windows_script_with_unusual_file_extension.toml │ ├── execution_execution_via_loki_command_and_control.toml │ ├── execution_execution_via_obfuscated_powershell_script.toml │ ├── execution_execution_via_obfuscated_windows_script.toml │ ├── execution_execution_via_outlook_application_com_object.toml │ ├── execution_execution_via_suspicious_javascript_updates.toml │ ├── execution_execution_via_syncappvpublishingserver.toml │ ├── execution_execution_via_wmi_activescript_event_consumer.toml │ ├── execution_execution_via_wmi_commandline_event_consumer.toml │ ├── execution_execution_via_wmi_followed_by_network_connection.toml │ ├── execution_java_application_execution_from_suspicious_paths.toml │ ├── execution_java_application_with_unusual_file_extension.toml │ ├── execution_malicious_reputation_of_executable_download.toml │ ├── execution_oversized_windows_script_execution.toml │ ├── execution_potential_command_and_control_via_windows_scripts.toml │ ├── execution_potential_execution_via_clickfix_phishing.toml │ ├── execution_potential_execution_via_zipexec.toml │ ├── execution_potential_obfuscated_powershell_script.toml │ ├── execution_potential_obfuscated_script_execution.toml │ ├── execution_potential_pentesting_powershell_script.toml │ ├── execution_potential_powershell_empire_execution.toml │ ├── execution_potential_reverse_shell_via_java.toml │ ├── execution_potential_reverse_shell_via_powershell.toml │ ├── execution_potential_shell_execution_via_netcat.toml │ ├── execution_powershell_empire_script_execution.toml │ ├── execution_powershell_engine_loaded_via_injection.toml │ ├── execution_powershell_execution_via_named_pipe.toml │ ├── execution_powershell_execution_via_runscripthelper.toml │ ├── execution_process_creation_from_an_unusual_wmi_client.toml │ ├── execution_script_execution_from_webdav.toml │ ├── execution_script_execution_via_apds_xss_injection.toml │ ├── execution_shell_execution_via_windows_shortcut_file.toml │ ├── execution_suspicious_api_call_from_a_powershell_script.toml │ ├── execution_suspicious_cmd_execution_via_wmi.toml │ ├── execution_suspicious_command_shell_execution_via_windows_run.toml │ ├── execution_suspicious_descendant_process_execution_via_windows_run.toml │ ├── execution_suspicious_execution_from_a_windows_script.toml │ ├── execution_suspicious_execution_from_mssql_service.toml │ ├── execution_suspicious_execution_via_microsoft_common_console.toml │ ├── execution_suspicious_execution_via_sql_powershell.toml │ ├── execution_suspicious_execution_via_windows_management_instrumentation.toml │ ├── execution_suspicious_image_load_via_windows_scripts.toml │ ├── execution_suspicious_java_execution_via_a_windows_script.toml │ ├── execution_suspicious_javascript_execution_via_node.js.toml │ ├── execution_suspicious_oversized_script_execution.toml │ ├── execution_suspicious_php_script_execution.toml │ ├── execution_suspicious_powershell_base64_decoding.toml │ ├── execution_suspicious_powershell_downloads.toml │ ├── execution_suspicious_powershell_execution.toml │ ├── execution_suspicious_powershell_execution_via_windows_scripts.toml │ ├── execution_suspicious_powershell_script_with_.net_reflection.toml │ ├── execution_suspicious_powershell_via_windows_power_user_menu.toml │ ├── execution_suspicious_python_script_interpreter.toml │ ├── execution_suspicious_script_execution_via_vbsedit_launcher.toml │ ├── execution_suspicious_windows_command_shell_execution.toml │ ├── execution_suspicious_windows_component_object_model_via_dllhost.toml │ ├── execution_suspicious_windows_script_base64_encoding.toml │ ├── execution_suspicious_windows_script_downloaded_from_the_internet.toml │ ├── execution_suspicious_windows_script_file_name.toml │ ├── execution_suspicious_windows_script_interpreter_child_process.toml │ ├── execution_suspicious_windows_script_process_execution.toml │ ├── execution_suspicious_windows_shortcut_file_creation_or_modification.toml │ ├── execution_suspicious_wmi_enumeration_via_windows_scripts.toml │ ├── execution_suspicious_wmi_library_load.toml │ ├── execution_unusual_powershell_engine_imageload.toml │ ├── execution_windows_installer_via_windows_script.toml │ ├── execution_windows_script_executed_from_a_suspicious_path.toml │ ├── execution_windows_script_execution_from_archive_file.toml │ ├── execution_windows_script_execution_via_mmc_console_file.toml │ ├── execution_windows_shortcut_file_embedded_object_execution.toml │ ├── impact_bcdedit_safe_mode_command_execution.toml │ ├── impact_inhibit_system_recovery_followed_by_a_suspicious_file_rename.toml │ ├── impact_inhibit_system_recovery_via_microsoft_office_process.toml │ ├── impact_inhibit_system_recovery_via_obfuscated_commands.toml │ ├── impact_inhibit_system_recovery_via_renamed_utilities.toml │ ├── impact_inhibit_system_recovery_via_signed_binary_proxy.toml │ ├── impact_inhibit_system_recovery_via_stopping_backup_services.toml │ ├── impact_inhibit_system_recovery_via_untrusted_parent_process.toml │ ├── impact_inhibit_system_recovery_via_windows_command_shell.toml │ ├── impact_potential_crypto_mining_activity.toml │ ├── impact_potential_data_wiping_attack_behavior.toml │ ├── impact_potential_ransomware_note_file.toml │ ├── impact_potential_ransomware_note_file_via_smb.toml │ ├── impact_shadow_copy_deletion_via_windows_management_instrumentation.toml │ ├── impact_suspicious_critical_system_files_modification.toml │ ├── impact_suspicious_file_rename_by_an_unusual_process.toml │ ├── impact_suspicious_file_rename_from_unbacked_memory.toml │ ├── impact_suspicious_file_rename_via_smb.toml │ ├── impact_vss_service_disabled_followed_by_a_suspicious_file_rename.toml │ ├── initial_access_dll_loaded_from_a_macro_enabled_document.toml │ ├── initial_access_execution_from_a_downloaded_iso_file.toml │ ├── initial_access_execution_from_a_macro_enabled_office_document.toml │ ├── initial_access_execution_from_a_remote_working_directory.toml │ ├── initial_access_execution_of_commonly_abused_utilities_via_explorer_trampoline.toml │ ├── initial_access_execution_of_file_written_or_modified_by_microsoft_equation_editor.toml │ ├── initial_access_execution_of_file_written_or_modified_by_microsoft_office.toml │ ├── initial_access_execution_via_a_suspicious_wmi_client.toml │ ├── initial_access_execution_via_microsoft_excel_xll_add_in.toml │ ├── initial_access_file_execution_via_microsoft_html_help.toml │ ├── initial_access_microsoft_equation_editor_child_process.toml │ ├── initial_access_microsoft_office_fetching_remote_content.toml │ ├── initial_access_microsoft_office_file_execution_via_script_interpreter.toml │ ├── initial_access_microsoft_office_file_execution_via_wmi.toml │ ├── initial_access_microsoft_office_loaded_a_dropped_executable_file.toml │ ├── initial_access_microsoft_office_process_setting_persistence_via_startup.toml │ ├── initial_access_potential_browser_exploit_via_fake_rpc_messages.toml │ ├── initial_access_potential_cve_2024_21412_exploitation.toml │ ├── initial_access_potential_cve_2025_33053_exploitation.toml │ ├── initial_access_potential_decoy_document_via_user_execution.toml │ ├── initial_access_potential_execution_via_archive_exploit.toml │ ├── initial_access_potential_execution_via_foxmail_exploitation.toml │ ├── initial_access_potential_execution_via_lnk_stomping.toml │ ├── initial_access_potential_execution_via_winrar_exploitation.toml │ ├── initial_access_potential_initial_access_via_rogue_rdp_server.toml │ ├── initial_access_potential_microsoft_outlook_remote_code_execution.toml │ ├── initial_access_potential_shellcode_injection_by_a_browser_process.toml │ ├── initial_access_potential_webshell_via_screenconnect_server.toml │ ├── initial_access_potential_winrar_cve_2023_38831_exploitation.toml │ ├── initial_access_powershell_obfuscation_spawned_via_microsoft_office.toml │ ├── initial_access_process_creation_via_microsoft_office_add_ins.toml │ ├── initial_access_registry_modification_via_microsoft_office.toml │ ├── initial_access_rundll32_regsvr32_loads_dropped_executable.toml │ ├── initial_access_script_file_written_by_microsoft_office_process.toml │ ├── initial_access_shortcut_file_modification_via_macro_enabled_document.toml │ ├── initial_access_signed_binary_execution_via_microsoft_office.toml │ ├── initial_access_suspicious_execution_from_a_pdf_documents.toml │ ├── initial_access_suspicious_execution_from_inet_cache.toml │ ├── initial_access_suspicious_execution_via_a_mounted_image_file.toml │ ├── initial_access_suspicious_execution_via_compiled_html_file.toml │ ├── initial_access_suspicious_execution_via_microsoft_officecmd_url_handler.toml │ ├── initial_access_suspicious_execution_via_shellbrowserwindow_shellwindow_com.toml │ ├── initial_access_suspicious_file_delivery_via_html_smuggling.toml │ ├── initial_access_suspicious_file_dropped_by_a_macro_enabled_document.toml │ ├── initial_access_suspicious_microsoft_html_help_descendant.toml │ ├── initial_access_suspicious_microsoft_iis_child_process.toml │ ├── initial_access_suspicious_microsoft_iis_worker_descendant.toml │ ├── initial_access_suspicious_microsoft_office_child_process.toml │ ├── initial_access_suspicious_microsoft_office_embedded_object.toml │ ├── initial_access_suspicious_microsoft_onenote_child_process.toml │ ├── initial_access_suspicious_ms_office_execution_via_dcom.toml │ ├── initial_access_suspicious_network_connection_from_microsoft_equation_editor.toml │ ├── initial_access_suspicious_registry_modification_via_wmi.toml │ ├── initial_access_suspicious_shortcut_file_overwrite.toml │ ├── initial_access_suspicious_trend_micro_security_agent_child_process.toml │ ├── initial_access_suspicious_virtualprotect_via_jscript9_from_internet_explorer.toml │ ├── initial_access_suspicious_windows_server_update_service_child_process.toml │ ├── initial_access_untrusted_document_opened_via_microsoft_office.toml │ ├── initial_access_untrusted_file_execution_via_microsoft_office.toml │ ├── initial_access_windows_command_shell_spawned_via_microsoft_office.toml │ ├── initial_access_wmi_image_load_via_microsoft_office.toml │ ├── initial_access_wps_office_exploit_via_dll_hijack.toml │ ├── lateral_movement_execution_of_a_file_dropped_from_smb.toml │ ├── lateral_movement_execution_of_a_file_dropped_from_smb_via_services.toml │ ├── lateral_movement_imageload_of_a_file_dropped_via_smb.toml │ ├── lateral_movement_lateral_execution_via_dcom_office_application.toml │ ├── lateral_movement_potential_lateral_movement_via_smbexec.toml │ ├── lateral_movement_potential_remote_execution_via_imsiserver.toml │ ├── lateral_movement_suspicious_nullsessionpipe_registry_modification.toml │ ├── lateral_movement_unexpected_smb_connection_from_user_mode_process.toml │ ├── lateral_movement_unsigned_file_execution_via_network_logon.toml │ ├── lateral_movement_unusual_remote_desktop_client_process.toml │ ├── persistence_browser_native_messaging_registry_modification.toml │ ├── persistence_chromium_extension_loaded_from_unusual_parent.toml │ ├── persistence_component_object_model_registry_modification_by_a_low_reputation_process.toml │ ├── persistence_dual_persistence_via_startup_and_scheduled_task.toml │ ├── persistence_microsoft_office_addin_creation.toml │ ├── persistence_microsoft_office_addin_loaded.toml │ ├── persistence_network_connection_via_startup_item.toml │ ├── persistence_office_application_startup_via_template_file_modification.toml │ ├── persistence_persistence_via_a_process_from_a_removable_or_mounted_iso_device.toml │ ├── persistence_persistence_via_autodialdll_registry_modification.toml │ ├── persistence_persistence_via_bits_setnotifycmdline_method.toml │ ├── persistence_persistence_via_extensible_firmware_modification.toml │ ├── persistence_persistence_via_msdtc_service_hijack.toml │ ├── persistence_persistence_via_winsock_name_space_dll.toml │ ├── persistence_potential_execution_via_shortcut_modification.toml │ ├── persistence_registry_or_file_modification_from_suspicious_memory.toml │ ├── persistence_registry_persistence_via_microsoft_office_descendant_process.toml │ ├── persistence_registry_run_key_modified_by_unusual_process.toml │ ├── persistence_registry_run_key_prefixed_with_asterisk.toml │ ├── persistence_scheduled_task_by_a_low_reputation_process.toml │ ├── persistence_scheduled_task_creation_by_an_unusual_process.toml │ ├── persistence_scheduled_task_creation_from_suspicious_parent.toml │ ├── persistence_scheduled_task_creation_via_unsigned_parent.toml │ ├── persistence_scheduled_task_from_a_browser_or_compression_utility_descendant.toml │ ├── persistence_scheduled_task_from_a_removable_or_mounted_iso_device.toml │ ├── persistence_script_file_written_to_startup_folder.toml │ ├── persistence_script_interpreter_process_writing_to_commonly_abused_persistence_locations.toml │ ├── persistence_self_service_persistence_by_an_unsigned_process.toml │ ├── persistence_startup_persistence_by_a_low_reputation_process.toml │ ├── persistence_startup_persistence_from_a_browser_or_compression_utility_descendant.toml │ ├── persistence_startup_persistence_from_backed_rwx_memory.toml │ ├── persistence_startup_persistence_via_microsoft_office_descendant_process.toml │ ├── persistence_startup_persistence_via_unusual_process.toml │ ├── persistence_startup_persistence_via_windows_script_interpreter.toml │ ├── persistence_suspicious_api_from_an_unsigned_service_dll.toml │ ├── persistence_suspicious_browser_files_modification.toml │ ├── persistence_suspicious_browser_preferences_file_modification.toml │ ├── persistence_suspicious_component_object_model_registry_modification.toml │ ├── persistence_suspicious_execution_via_microsoft_exchange_transport_agent.toml │ ├── persistence_suspicious_image_file_execution_options_modification.toml │ ├── persistence_suspicious_scheduled_task_creation.toml │ ├── persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml │ ├── persistence_suspicious_scheduled_task_registry_modification.toml │ ├── persistence_suspicious_service_imagepath_value.toml │ ├── persistence_suspicious_shortcut_modification.toml │ ├── persistence_suspicious_startup_persistence_via_a_windows_installer.toml │ ├── persistence_suspicious_string_value_written_to_registry_run_key.toml │ ├── persistence_suspicious_svchost_registry_modification.toml │ ├── persistence_suspicious_windows_authentication_registry_modification.toml │ ├── persistence_suspicious_windows_schedule_child_process.toml │ ├── persistence_suspicious_windows_service_dll_creation.toml │ ├── persistence_suspicious_wmi_event_consumer_subscription.toml │ ├── persistence_uncommon_persistence_via_registry_modification.toml │ ├── persistence_untrusted_process_writing_to_commonly_abused_persistence_locations.toml │ ├── persistence_unusual_file_written_or_modified_in_startup_folder.toml │ ├── persistence_unusual_startup_shell_folder_modification.toml │ ├── persistence_windows_service_configuration_hjack.toml │ ├── privilege_escalation_access_token_manipulation_via_child_process.toml │ ├── privilege_escalation_blf_file_creation_by_an_unusual_process.toml │ ├── privilege_escalation_driver_dropped_by_untrusted_executable.toml │ ├── privilege_escalation_elevation_via_common_log_file_system_exploitation.toml │ ├── privilege_escalation_kernel_driver_registered_via_ntloaddriver.toml │ ├── privilege_escalation_msi_rollback_script_file_by_unusual_process.toml │ ├── privilege_escalation_networkcleartext_logon_by_a_suspicious_process.toml │ ├── privilege_escalation_newcredential_logon_by_a_suspicious_process.toml │ ├── privilege_escalation_potential_common_log_file_system_exploit.toml │ ├── privilege_escalation_potential_common_log_file_system_vulnerability_exploitation.toml │ ├── privilege_escalation_potential_execution_via_token_theft.toml │ ├── privilege_escalation_potential_exploitation_via_comdotnet_exploit.toml │ ├── privilege_escalation_potential_privilege_escalation_via_cve_2022_38028.toml │ ├── privilege_escalation_potential_privilege_escalation_via_dll_redirection.toml │ ├── privilege_escalation_potential_privilege_escalation_via_elevated_ifileoperation.toml │ ├── privilege_escalation_potential_privilege_escalation_via_file_redirection.toml │ ├── privilege_escalation_potential_privilege_escalation_via_localpotato_exploit.toml │ ├── privilege_escalation_potential_privilege_escalation_via_logonui.toml │ ├── privilege_escalation_potential_privilege_escalation_via_missing_dll.toml │ ├── privilege_escalation_potential_privilege_escalation_via_msi_repair.toml │ ├── privilege_escalation_potential_privilege_escalation_via_rogue_winrm.toml │ ├── privilege_escalation_potential_privilege_escalation_via_token_impersonation.toml │ ├── privilege_escalation_potential_uac_bypass_via_ielevatedfactoryserver.toml │ ├── privilege_escalation_privilege_escalation_via_extended_startupinfo.toml │ ├── privilege_escalation_privilege_escalation_via_named_pipe_impersonation.toml │ ├── privilege_escalation_privilege_escalation_via_ntlmrelay2self.toml │ ├── privilege_escalation_privilege_escalation_via_seimpersonateprivilege.toml │ ├── privilege_escalation_privilege_escalation_via_windir_or_systemroot_environment_variable.toml │ ├── privilege_escalation_privilege_escalation_via_windows_installer_hijack.toml │ ├── privilege_escalation_process_creation_via_secondary_logon.toml │ ├── privilege_escalation_suspicious_execution_as_system_via_windows_command_shell.toml │ ├── privilege_escalation_suspicious_execution_via_windows_services.toml │ ├── privilege_escalation_suspicious_impersonation_as_trusted_installer.toml │ ├── privilege_escalation_suspicious_kernel_mode_address_manipulation.toml │ ├── privilege_escalation_suspicious_ntoskrnl_image_load.toml │ ├── privilege_escalation_suspicious_registry_symbolic_link.toml │ ├── privilege_escalation_suspicious_windows_service_execution.toml │ ├── privilege_escalation_uac_bypass_attempt_via_cdssync_scheduled_task_hijack.toml │ ├── privilege_escalation_uac_bypass_attempt_via_consent_dll_search_order_hijacking.toml │ ├── privilege_escalation_uac_bypass_attempt_via_dccw_dll_search_order_hijacking.toml │ ├── privilege_escalation_uac_bypass_attempt_via_dismcore_dll_side_loading.toml │ ├── privilege_escalation_uac_bypass_attempt_via_dll_side_loading_from_windows_media_player_folder.toml │ ├── privilege_escalation_uac_bypass_attempt_via_elevated_com_internet_explorer_add_on_installer.toml │ ├── privilege_escalation_uac_bypass_attempt_via_mmc_dll_search_order_hijacking.toml │ ├── privilege_escalation_uac_bypass_attempt_via_silentcleanup_task_dll_search_order_hijacking.toml │ ├── privilege_escalation_uac_bypass_attempt_via_windows_directory_masquerading.toml │ ├── privilege_escalation_uac_bypass_attempt_via_wow64_logger_dll_side_loading.toml │ ├── privilege_escalation_uac_bypass_attempt_with_ieditionupgrademanager_elevated_com_interface.toml │ ├── privilege_escalation_uac_bypass_via_computerdefaults_execution_hijack.toml │ ├── privilege_escalation_uac_bypass_via_control_panel_execution_hijack.toml │ ├── privilege_escalation_uac_bypass_via_delegateexecute_registry_modification.toml │ ├── privilege_escalation_uac_bypass_via_diskcleanup_scheduled_task_hijack.toml │ ├── privilege_escalation_uac_bypass_via_event_viewer.toml │ ├── privilege_escalation_uac_bypass_via_fodhelper_execution_hijack.toml │ ├── privilege_escalation_uac_bypass_via_hijacking_winmgmt_mmc.toml │ ├── privilege_escalation_uac_bypass_via_icmluautil_elevated_com_interface.toml │ ├── privilege_escalation_uac_bypass_via_malicious_mmc_snap_in_execution.toml │ ├── privilege_escalation_uac_bypass_via_sdclt.toml │ ├── privilege_escalation_uac_bypass_via_service_creation.toml │ ├── privilege_escalation_uac_bypass_via_unsafe_deserialization_in_event_viewer.toml │ ├── privilege_escalation_uac_bypass_via_windows_activation_execution_hijack.toml │ ├── privilege_escalation_uac_bypass_via_windows_firewall_snap_in_hijack.toml │ ├── privilege_escalation_uac_bypass_via_wsreset_execution_hijack.toml │ ├── privilege_escalation_unsigned_dll_loaded_by_dns_service.toml │ ├── privilege_escalation_unsigned_dll_loaded_from_fake_windows_directory.toml │ ├── privilege_escalation_untrusted_dll_loaded_by_a_system_windows_process.toml │ ├── privilege_escalation_unusual_child_process_integrity_level.toml │ ├── privilege_escalation_unusual_desktop_window_manager_child_process.toml │ └── privilege_escalation_unusual_privilege_escalation_to_system.toml ├── ransomware ├── README.md ├── artifact.lua └── testing │ ├── README.md │ ├── mock_ransomware.ps1 │ └── mock_ransomware.py └── yara ├── CONTRIBUTING.md ├── README.md └── rules ├── Linux_Backdoor_Bash.yar ├── Linux_Backdoor_Fontonlake.yar ├── Linux_Backdoor_Generic.yar ├── Linux_Backdoor_Python.yar ├── Linux_Backdoor_Tinyshell.yar ├── Linux_Cryptominer_Attribute.yar ├── Linux_Cryptominer_Bscope.yar ├── Linux_Cryptominer_Bulz.yar ├── Linux_Cryptominer_Camelot.yar ├── Linux_Cryptominer_Casdet.yar ├── Linux_Cryptominer_Ccminer.yar ├── Linux_Cryptominer_Flystudio.yar ├── Linux_Cryptominer_Generic.yar ├── Linux_Cryptominer_Ksmdbot.yar ├── Linux_Cryptominer_Loudminer.yar ├── Linux_Cryptominer_Malxmr.yar ├── Linux_Cryptominer_Miancha.yar ├── Linux_Cryptominer_Minertr.yar ├── Linux_Cryptominer_Pgminer.yar ├── Linux_Cryptominer_Presenoker.yar ├── Linux_Cryptominer_Roboto.yar ├── Linux_Cryptominer_Stak.yar ├── Linux_Cryptominer_Ursu.yar ├── Linux_Cryptominer_Uwamson.yar ├── Linux_Cryptominer_Xmrig.yar ├── Linux_Cryptominer_Xmrminer.yar ├── Linux_Cryptominer_Xpaj.yar ├── Linux_Cryptominer_Zexaf.yar ├── Linux_Downloader_Generic.yar ├── Linux_Exploit_Abrox.yar ├── Linux_Exploit_Alie.yar ├── Linux_Exploit_CVE_2009_1897.yar ├── Linux_Exploit_CVE_2009_2698.yar ├── Linux_Exploit_CVE_2009_2908.yar ├── Linux_Exploit_CVE_2010_3301.yar ├── Linux_Exploit_CVE_2012_0056.yar ├── Linux_Exploit_CVE_2014_3153.yar ├── Linux_Exploit_CVE_2016_4557.yar ├── Linux_Exploit_CVE_2016_5195.yar ├── Linux_Exploit_CVE_2017_100011.yar ├── Linux_Exploit_CVE_2017_16995.yar ├── Linux_Exploit_CVE_2018_10561.yar ├── Linux_Exploit_CVE_2019_13272.yar ├── Linux_Exploit_CVE_2021_3156.yar ├── Linux_Exploit_CVE_2021_3490.yar ├── Linux_Exploit_CVE_2021_4034.yar ├── Linux_Exploit_CVE_2022_0847.yar ├── Linux_Exploit_Cornelgen.yar ├── Linux_Exploit_Courier.yar ├── Linux_Exploit_Criscras.yar ├── Linux_Exploit_Dirtycow.yar ├── Linux_Exploit_Enoket.yar ├── Linux_Exploit_Foda.yar ├── Linux_Exploit_IOUring.yar ├── Linux_Exploit_Intfour.yar ├── Linux_Exploit_Local.yar ├── Linux_Exploit_Log4j.yar ├── Linux_Exploit_Lotoor.yar ├── Linux_Exploit_Moogrey.yar ├── Linux_Exploit_Openssl.yar ├── Linux_Exploit_Perl.yar ├── Linux_Exploit_Pulse.yar ├── Linux_Exploit_Race.yar ├── Linux_Exploit_Ramen.yar ├── Linux_Exploit_Sorso.yar ├── Linux_Exploit_Vmsplice.yar ├── Linux_Exploit_Wuftpd.yar ├── Linux_Generic_Threat.yar ├── Linux_Hacktool_Aduh.yar ├── Linux_Hacktool_Bruteforce.yar ├── Linux_Hacktool_Cleanlog.yar ├── Linux_Hacktool_Earthworm.yar ├── Linux_Hacktool_Exploitscan.yar ├── Linux_Hacktool_Flooder.yar ├── Linux_Hacktool_Fontonlake.yar ├── Linux_Hacktool_Infectionmonkey.yar ├── Linux_Hacktool_Lightning.yar ├── Linux_Hacktool_LigoloNG.yar ├── Linux_Hacktool_Outlaw.yar ├── Linux_Hacktool_Portscan.yar ├── Linux_Hacktool_Prochide.yar ├── Linux_Hacktool_Tcpscan.yar ├── Linux_Hacktool_Wipelog.yar ├── Linux_Packer_Patched_UPX.yar ├── Linux_Proxy_Frp.yar ├── Linux_Ransomware_Agenda.yar ├── Linux_Ransomware_Akira.yar ├── Linux_Ransomware_Babuk.yar ├── Linux_Ransomware_BlackBasta.yar ├── Linux_Ransomware_BlackSuit.yar ├── Linux_Ransomware_Clop.yar ├── Linux_Ransomware_Conti.yar ├── Linux_Ransomware_EchoRaix.yar ├── Linux_Ransomware_Erebus.yar ├── Linux_Ransomware_Esxiargs.yar ├── Linux_Ransomware_Gonnacry.yar ├── Linux_Ransomware_Hellokitty.yar ├── Linux_Ransomware_Hive.yar ├── Linux_Ransomware_ItsSoEasy.yar ├── Linux_Ransomware_LimpDemon.yar ├── Linux_Ransomware_Lockbit.yar ├── Linux_Ransomware_Monti.yar ├── Linux_Ransomware_NoEscape.yar ├── Linux_Ransomware_Quantum.yar ├── Linux_Ransomware_RagnarLocker.yar ├── Linux_Ransomware_RedAlert.yar ├── Linux_Ransomware_RoyalPest.yar ├── Linux_Ransomware_SFile.yar ├── Linux_Ransomware_Sodinokibi.yar ├── Linux_Rootkit_Adore.yar ├── Linux_Rootkit_Arkd.yar ├── Linux_Rootkit_Bedevil.yar ├── Linux_Rootkit_BrokePKG.yar ├── Linux_Rootkit_Dakkatoni.yar ├── Linux_Rootkit_Diamorphine.yar ├── Linux_Rootkit_Flipswitch.yar ├── Linux_Rootkit_Fontonlake.yar ├── Linux_Rootkit_Generic.yar ├── Linux_Rootkit_HiddenWasp.yar ├── Linux_Rootkit_Jynx.yar ├── Linux_Rootkit_Kovid.yar ├── Linux_Rootkit_Melofee.yar ├── Linux_Rootkit_Mobkit.yar ├── Linux_Rootkit_Perfctl.yar ├── Linux_Rootkit_Reptile.yar ├── Linux_Rootkit_Snapekit.yar ├── Linux_Rootkit_Suterusu.yar ├── Linux_Shellcode_Generic.yar ├── Linux_Trojan_Adlibrary.yar ├── Linux_Trojan_Asacub.yar ├── Linux_Trojan_Autocolor.yar ├── Linux_Trojan_Azeela.yar ├── Linux_Trojan_BPFDoor.yar ├── Linux_Trojan_Backconnect.yar ├── Linux_Trojan_Backegmm.yar ├── Linux_Trojan_Badbee.yar ├── Linux_Trojan_Banload.yar ├── Linux_Trojan_Bedevil.yar ├── Linux_Trojan_Bish.yar ├── Linux_Trojan_Bluez.yar ├── Linux_Trojan_Cerbu.yar ├── Linux_Trojan_Chinaz.yar ├── Linux_Trojan_Connectback.yar ├── Linux_Trojan_Ddostf.yar ├── Linux_Trojan_DinodasRAT.yar ├── Linux_Trojan_Dnsamp.yar ├── Linux_Trojan_Dofloo.yar ├── Linux_Trojan_Dropperl.yar ├── Linux_Trojan_Ebury.yar ├── Linux_Trojan_FinalDraft.yar ├── Linux_Trojan_Gafgyt.yar ├── Linux_Trojan_Ganiw.yar ├── Linux_Trojan_Generic.yar ├── Linux_Trojan_Getshell.yar ├── Linux_Trojan_Godlua.yar ├── Linux_Trojan_Godropper.yar ├── Linux_Trojan_Gognt.yar ├── Linux_Trojan_Hiddad.yar ├── Linux_Trojan_Ipstorm.yar ├── Linux_Trojan_Ircbot.yar ├── Linux_Trojan_Iroffer.yar ├── Linux_Trojan_Kaiji.yar ├── Linux_Trojan_Kinsing.yar ├── Linux_Trojan_Ladvix.yar ├── Linux_Trojan_Lady.yar ├── Linux_Trojan_Lala.yar ├── Linux_Trojan_Malxmr.yar ├── Linux_Trojan_Marut.yar ├── Linux_Trojan_Masan.yar ├── Linux_Trojan_Mech.yar ├── Linux_Trojan_Mechbot.yar ├── Linux_Trojan_Melofee.yar ├── Linux_Trojan_Merlin.yar ├── Linux_Trojan_Metasploit.yar ├── Linux_Trojan_Meterpreter.yar ├── Linux_Trojan_Mettle.yar ├── Linux_Trojan_Mirai.yar ├── Linux_Trojan_Mobidash.yar ├── Linux_Trojan_Mumblehard.yar ├── Linux_Trojan_Ngioweb.yar ├── Linux_Trojan_Nuker.yar ├── Linux_Trojan_Orbit.yar ├── Linux_Trojan_Patpooty.yar ├── Linux_Trojan_Pnscan.yar ├── Linux_Trojan_Pornoasset.yar ├── Linux_Trojan_Psybnc.yar ├── Linux_Trojan_Pumakit.yar ├── Linux_Trojan_Rbot.yar ├── Linux_Trojan_Rekoobe.yar ├── Linux_Trojan_Roopre.yar ├── Linux_Trojan_Rooter.yar ├── Linux_Trojan_Rotajakiro.yar ├── Linux_Trojan_Rozena.yar ├── Linux_Trojan_Sambashell.yar ├── Linux_Trojan_Sckit.yar ├── Linux_Trojan_Sdbot.yar ├── Linux_Trojan_Setag.yar ├── Linux_Trojan_Sfloost.yar ├── Linux_Trojan_Shark.yar ├── Linux_Trojan_Shellbot.yar ├── Linux_Trojan_Skidmap.yar ├── Linux_Trojan_Snessik.yar ├── Linux_Trojan_Snowlight.yar ├── Linux_Trojan_Springtail.yar ├── Linux_Trojan_Sqlexp.yar ├── Linux_Trojan_Sshdkit.yar ├── Linux_Trojan_Sshdoor.yar ├── Linux_Trojan_Subsevux.yar ├── Linux_Trojan_Swrort.yar ├── Linux_Trojan_Sysrv.yar ├── Linux_Trojan_Truncpx.yar ├── Linux_Trojan_Tsunami.yar ├── Linux_Trojan_Winnti.yar ├── Linux_Trojan_XZBackdoor.yar ├── Linux_Trojan_Xhide.yar ├── Linux_Trojan_Xorddos.yar ├── Linux_Trojan_Xpmmap.yar ├── Linux_Trojan_Zerobot.yar ├── Linux_Trojan_Zpevdo.yar ├── Linux_Virus_Gmon.yar ├── Linux_Virus_Rst.yar ├── Linux_Virus_Staffcounter.yar ├── Linux_Virus_Thebe.yar ├── Linux_Webshell_Generic.yar ├── Linux_Worm_Generic.yar ├── MacOS_Backdoor_Applejeus.yar ├── MacOS_Backdoor_Fakeflashlxk.yar ├── MacOS_Backdoor_Kagent.yar ├── MacOS_Backdoor_Keyboardrecord.yar ├── MacOS_Backdoor_Useragent.yar ├── MacOS_Creddump_KeychainAccess.yar ├── MacOS_Cryptominer_Generic.yar ├── MacOS_Cryptominer_Xmrig.yar ├── MacOS_Exploit_Log4j.yar ├── MacOS_Hacktool_Bifrost.yar ├── MacOS_Hacktool_Swiftbelt.yar ├── MacOS_Infostealer_MdQueryPassw.yar ├── MacOS_Infostealer_MdQuerySecret.yar ├── MacOS_Infostealer_MdQueryTCC.yar ├── MacOS_Infostealer_MdQueryToken.yar ├── MacOS_Trojan_Adload.yar ├── MacOS_Trojan_Amcleaner.yar ├── MacOS_Trojan_Aobokeylogger.yar ├── MacOS_Trojan_Bundlore.yar ├── MacOS_Trojan_Eggshell.yar ├── MacOS_Trojan_Electrorat.yar ├── MacOS_Trojan_Fplayer.yar ├── MacOS_Trojan_Generic.yar ├── MacOS_Trojan_Genieo.yar ├── MacOS_Trojan_Getshell.yar ├── MacOS_Trojan_HLoader.yar ├── MacOS_Trojan_KandyKorn.yar ├── MacOS_Trojan_Metasploit.yar ├── MacOS_Trojan_RustBucket.yar ├── MacOS_Trojan_SugarLoader.yar ├── MacOS_Trojan_Thiefquest.yar ├── MacOS_Virus_Maxofferdeal.yar ├── MacOS_Virus_Pirrit.yar ├── MacOS_Virus_Vsearch.yar ├── Macos_Hacktool_JokerSpy.yar ├── Macos_Infostealer_EncodedOsascript.yar ├── Macos_Infostealer_Wallets.yar ├── Multi_AttackSimulation_Blindspot.yar ├── Multi_Cryptominer_Xmrig.yar ├── Multi_EICAR.yar ├── Multi_Generic_Threat.yar ├── Multi_Hacktool_Gsocket.yar ├── Multi_Hacktool_Nps.yar ├── Multi_Hacktool_Rakshasa.yar ├── Multi_Hacktool_Stowaway.yar ├── Multi_Hacktool_SuperShell.yar ├── Multi_Ransomware_Akira.yar ├── Multi_Ransomware_BlackCat.yar ├── Multi_Ransomware_Luna.yar ├── Multi_Ransomware_RansomHub.yar ├── Multi_Trojan_Coreimpact.yar ├── Multi_Trojan_EmpirGo.yar ├── Multi_Trojan_FinalDraft.yar ├── Multi_Trojan_Goffloader.yar ├── Multi_Trojan_Gosar.yar ├── Multi_Trojan_Merlin.yar ├── Multi_Trojan_Mythic.yar ├── Multi_Trojan_Sliver.yar ├── Multi_Trojan_SparkRat.yar ├── Windows_AttackSimulation_Hovercraft.yar ├── Windows_Backdoor_DragonCastling.yar ├── Windows_Backdoor_Goldbackdoor.yar ├── Windows_Backdoor_TeamViewer.yar ├── Windows_Clickfraud_LuckySlots.yar ├── Windows_Cryptominer_Generic.yar ├── Windows_Exploit_CVE_2022_38028.yar ├── Windows_Exploit_Dcom.yar ├── Windows_Exploit_Eternalblue.yar ├── Windows_Exploit_FakePipe.yar ├── Windows_Exploit_Generic.yar ├── Windows_Exploit_IoRing.yar ├── Windows_Exploit_Log4j.yar ├── Windows_Exploit_Perfusion.yar ├── Windows_Exploit_RpcJunction.yar ├── Windows_Generic_MalCert.yar ├── Windows_Generic_Threat.yar ├── Windows_Hacktool_AskCreds.yar ├── Windows_Hacktool_BlackBone.yar ├── Windows_Hacktool_COFFLoader.yar ├── Windows_Hacktool_Capcom.yar ├── Windows_Hacktool_Certify.yar ├── Windows_Hacktool_CheatEngine.yar ├── Windows_Hacktool_ChromeKatz.yar ├── Windows_Hacktool_ClrOxide.yar ├── Windows_Hacktool_CpuLocker.yar ├── Windows_Hacktool_DarkLoadLibrary.yar ├── Windows_Hacktool_Dcsyncer.yar ├── Windows_Hacktool_DinvokeRust.yar ├── Windows_Hacktool_EDRWFP.yar ├── Windows_Hacktool_EDRrecon.yar ├── Windows_Hacktool_ExecuteAssembly.yar ├── Windows_Hacktool_Gmer.yar ├── Windows_Hacktool_GodPotato.yar ├── Windows_Hacktool_Iox.yar ├── Windows_Hacktool_LeiGod.yar ├── Windows_Hacktool_Mimikatz.yar ├── Windows_Hacktool_NetFilter.yar ├── Windows_Hacktool_Nimhawk.yar ├── Windows_Hacktool_Phant0m.yar ├── Windows_Hacktool_PhysMem.yar ├── Windows_Hacktool_ProcessHacker.yar ├── Windows_Hacktool_RingQ.yar ├── Windows_Hacktool_Rubeus.yar ├── Windows_Hacktool_SafetyKatz.yar ├── Windows_Hacktool_Seatbelt.yar ├── Windows_Hacktool_SharPersist.yar ├── Windows_Hacktool_SharpAppLocker.yar ├── Windows_Hacktool_SharpChromium.yar ├── Windows_Hacktool_SharpDump.yar ├── Windows_Hacktool_SharpGPOAbuse.yar ├── Windows_Hacktool_SharpHound.yar ├── Windows_Hacktool_SharpLAPS.yar ├── Windows_Hacktool_SharpMove.yar ├── Windows_Hacktool_SharpRDP.yar ├── Windows_Hacktool_SharpSCCM.yar ├── Windows_Hacktool_SharpShares.yar ├── Windows_Hacktool_SharpStay.yar ├── Windows_Hacktool_SharpUp.yar ├── Windows_Hacktool_SharpView.yar ├── Windows_Hacktool_SharpWMI.yar ├── Windows_Hacktool_SleepObfLoader.yar ├── Windows_Hacktool_WinPEAS_ng.yar ├── Windows_Infostealer_EddieStealer.yar ├── Windows_Infostealer_Generic.yar ├── Windows_Infostealer_NovaBlight.yar ├── Windows_Infostealer_PhemedroneStealer.yar ├── Windows_Infostealer_Strela.yar ├── Windows_PUP_Generic.yar ├── Windows_PUP_MediaArena.yar ├── Windows_PUP_Veriato.yar ├── Windows_Packer_ScrubCrypt.yar ├── Windows_Ransomware_Agenda.yar ├── Windows_Ransomware_Akira.yar ├── Windows_Ransomware_Avoslocker.yar ├── Windows_Ransomware_Azov.yar ├── Windows_Ransomware_Bitpaymer.yar ├── Windows_Ransomware_BlackBasta.yar ├── Windows_Ransomware_BlackHunt.yar ├── Windows_Ransomware_Blackmatter.yar ├── Windows_Ransomware_Cicada3301.yar ├── Windows_Ransomware_Clop.yar ├── Windows_Ransomware_Conti.yar ├── Windows_Ransomware_Crytox.yar ├── Windows_Ransomware_Cuba.yar ├── Windows_Ransomware_Darkside.yar ├── Windows_Ransomware_Dharma.yar ├── Windows_Ransomware_Doppelpaymer.yar ├── Windows_Ransomware_Egregor.yar ├── Windows_Ransomware_GandCrab.yar ├── Windows_Ransomware_Generic.yar ├── Windows_Ransomware_Grief.yar ├── Windows_Ransomware_Haron.yar ├── Windows_Ransomware_Hellokitty.yar ├── Windows_Ransomware_Helloxd.yar ├── Windows_Ransomware_Hive.yar ├── Windows_Ransomware_Lockbit.yar ├── Windows_Ransomware_Lockfile.yar ├── Windows_Ransomware_Magniber.yar ├── Windows_Ransomware_Makop.yar ├── Windows_Ransomware_Maui.yar ├── Windows_Ransomware_Maze.yar ├── Windows_Ransomware_Medusa.yar ├── Windows_Ransomware_Mespinoza.yar ├── Windows_Ransomware_Mountlocker.yar ├── Windows_Ransomware_Nightsky.yar ├── Windows_Ransomware_Pandora.yar ├── Windows_Ransomware_Phobos.yar ├── Windows_Ransomware_Ragnarok.yar ├── Windows_Ransomware_Ransomexx.yar ├── Windows_Ransomware_Rook.yar ├── Windows_Ransomware_Royal.yar ├── Windows_Ransomware_Ryuk.yar ├── Windows_Ransomware_Snake.yar ├── Windows_Ransomware_Sodinokibi.yar ├── Windows_Ransomware_Stop.yar ├── Windows_Ransomware_Thanos.yar ├── Windows_Ransomware_Vgod.yar ├── Windows_Ransomware_Vhd.yar ├── Windows_Ransomware_WannaCry.yar ├── Windows_Ransomware_WhisperGate.yar ├── Windows_RemoteAdmin_UltraVNC.yar ├── Windows_Rootkit_AbyssWorker.yar ├── Windows_Rootkit_R77.yar ├── Windows_Shellcode_Generic.yar ├── Windows_Shellcode_Rdi.yar ├── Windows_Trojan_A310logger.yar ├── Windows_Trojan_ACRStealer.yar ├── Windows_Trojan_Afdk.yar ├── Windows_Trojan_AgentTesla.yar ├── Windows_Trojan_Amadey.yar ├── Windows_Trojan_Arechclient2.yar ├── Windows_Trojan_ArkeiStealer.yar ├── Windows_Trojan_Asyncrat.yar ├── Windows_Trojan_AveMaria.yar ├── Windows_Trojan_Azorult.yar ├── Windows_Trojan_BITSloth.yar ├── Windows_Trojan_Babble.yar ├── Windows_Trojan_Babylonrat.yar ├── Windows_Trojan_Backoff.yar ├── Windows_Trojan_Bandook.yar ├── Windows_Trojan_Bazar.yar ├── Windows_Trojan_Beam.yar ├── Windows_Trojan_Behinder.yar ├── Windows_Trojan_Bitrat.yar ├── Windows_Trojan_BlackShades.yar ├── Windows_Trojan_Blackwood.yar ├── Windows_Trojan_Blister.yar ├── Windows_Trojan_BloodAlchemy.yar ├── Windows_Trojan_BruteRatel.yar ├── Windows_Trojan_Buerloader.yar ├── Windows_Trojan_Bughatch.yar ├── Windows_Trojan_Bumblebee.yar ├── Windows_Trojan_CaesarKbd.yar ├── Windows_Trojan_Carberp.yar ├── Windows_Trojan_CastleLoader.yar ├── Windows_Trojan_Clipbanker.yar ├── Windows_Trojan_CobaltStrike.yar ├── Windows_Trojan_Cryptbot.yar ├── Windows_Trojan_CyberGate.yar ├── Windows_Trojan_DBatLoader.yar ├── Windows_Trojan_DCRat.yar ├── Windows_Trojan_DTrack.yar ├── Windows_Trojan_Danabot.yar ├── Windows_Trojan_DarkCloud.yar ├── Windows_Trojan_DarkGate.yar ├── Windows_Trojan_DarkVNC.yar ├── Windows_Trojan_Darkcomet.yar ├── Windows_Trojan_Deimos.yar ├── Windows_Trojan_DiamondFox.yar ├── Windows_Trojan_Diceloader.yar ├── Windows_Trojan_DodgeBox.yar ├── Windows_Trojan_Donutloader.yar ├── Windows_Trojan_DoorMe.yar ├── Windows_Trojan_DoubleBack.yar ├── Windows_Trojan_DoubleLoader.yar ├── Windows_Trojan_DownTown.yar ├── Windows_Trojan_DragonBreath.yar ├── Windows_Trojan_DreamJob.yar ├── Windows_Trojan_Dridex.yar ├── Windows_Trojan_DustyWarehouse.yar ├── Windows_Trojan_EagerBee.yar ├── Windows_Trojan_Emotet.yar ├── Windows_Trojan_Fabookie.yar ├── Windows_Trojan_FalseFont.yar ├── Windows_Trojan_Farfli.yar ├── Windows_Trojan_Fickerstealer.yar ├── Windows_Trojan_FinalDraft.yar ├── Windows_Trojan_FlawedGrace.yar ├── Windows_Trojan_Formbook.yar ├── Windows_Trojan_Garble.yar ├── Windows_Trojan_Generic.yar ├── Windows_Trojan_Gh0st.yar ├── Windows_Trojan_GhostEngine.yar ├── Windows_Trojan_GhostPulse.yar ├── Windows_Trojan_Glupteba.yar ├── Windows_Trojan_Gozi.yar ├── Windows_Trojan_Grandoreiro.yar ├── Windows_Trojan_GuidLoader.yar ├── Windows_Trojan_Guloader.yar ├── Windows_Trojan_Hancitor.yar ├── Windows_Trojan_Havoc.yar ├── Windows_Trojan_Hawkeye.yar ├── Windows_Trojan_HazelCobra.yar ├── Windows_Trojan_HiddenCli.yar ├── Windows_Trojan_HiddenDriver.yar ├── Windows_Trojan_HijackLoader.yar ├── Windows_Trojan_HotPage.yar ├── Windows_Trojan_IcedID.yar ├── Windows_Trojan_JesterStealer.yar ├── Windows_Trojan_Jupyter.yar ├── Windows_Trojan_KoiLoader.yar ├── Windows_Trojan_Kronos.yar ├── Windows_Trojan_Latrodectus.yar ├── Windows_Trojan_LegionLoader.yar ├── Windows_Trojan_Limerat.yar ├── Windows_Trojan_Lobshot.yar ├── Windows_Trojan_Lokibot.yar ├── Windows_Trojan_Lumma.yar ├── Windows_Trojan_Lurker.yar ├── Windows_Trojan_M0yv.yar ├── Windows_Trojan_MagicRat.yar ├── Windows_Trojan_MassLogger.yar ├── Windows_Trojan_Mata.yar ├── Windows_Trojan_Matanbuchus.yar ├── Windows_Trojan_Merlin.yar ├── Windows_Trojan_MetaStealer.yar ├── Windows_Trojan_Metasploit.yar ├── Windows_Trojan_MicroBackdoor.yar ├── Windows_Trojan_ModPipe.yar ├── Windows_Trojan_MyloBot.yar ├── Windows_Trojan_Nanocore.yar ├── Windows_Trojan_NapListener.yar ├── Windows_Trojan_Netwire.yar ├── Windows_Trojan_Nighthawk.yar ├── Windows_Trojan_Nimplant.yar ├── Windows_Trojan_Njrat.yar ├── Windows_Trojan_NukeSped.yar ├── Windows_Trojan_Octopus.yar ├── Windows_Trojan_OnlyLogger.yar ├── Windows_Trojan_OskiStealer.yar ├── Windows_Trojan_P8Loader.yar ├── Windows_Trojan_Pandastealer.yar ├── Windows_Trojan_Parallax.yar ├── Windows_Trojan_PathLoader.yar ├── Windows_Trojan_Phoreal.yar ├── Windows_Trojan_PikaBot.yar ├── Windows_Trojan_Pingpull.yar ├── Windows_Trojan_PipeDance.yar ├── Windows_Trojan_PizzaPotion.yar ├── Windows_Trojan_PlugX.yar ├── Windows_Trojan_Pony.yar ├── Windows_Trojan_PoshC2.yar ├── Windows_Trojan_PowerSeal.yar ├── Windows_Trojan_PrivateLoader.yar ├── Windows_Trojan_ProtectS.yar ├── Windows_Trojan_Qbot.yar ├── Windows_Trojan_Quasarrat.yar ├── Windows_Trojan_Raccoon.yar ├── Windows_Trojan_RaspberryRobin.yar ├── Windows_Trojan_RedLineStealer.yar ├── Windows_Trojan_Remcos.yar ├── Windows_Trojan_Revcoderat.yar ├── Windows_Trojan_Revengerat.yar ├── Windows_Trojan_Rhadamanthys.yar ├── Windows_Trojan_RoningLoader.yar ├── Windows_Trojan_RudeBird.yar ├── Windows_Trojan_STRRAT.yar ├── Windows_Trojan_SVCReady.yar ├── Windows_Trojan_SadBridge.yar ├── Windows_Trojan_ServHelper.yar ├── Windows_Trojan_ShadowPad.yar ├── Windows_Trojan_ShelbyC2.yar ├── Windows_Trojan_ShelbyLoader.yar ├── Windows_Trojan_Shellter.yar ├── Windows_Trojan_SiestaGraph.yar ├── Windows_Trojan_Sliver.yar ├── Windows_Trojan_Smokeloader.yar ├── Windows_Trojan_SnakeKeylogger.yar ├── Windows_Trojan_SolarMarker.yar ├── Windows_Trojan_SomniRecord.yar ├── Windows_Trojan_SourShark.yar ├── Windows_Trojan_SpectralViper.yar ├── Windows_Trojan_Squirrelwaffle.yar ├── Windows_Trojan_Stealc.yar ├── Windows_Trojan_StormKitty.yar ├── Windows_Trojan_StumpZarus.yar ├── Windows_Trojan_SuddenIcon.yar ├── Windows_Trojan_SysJoker.yar ├── Windows_Trojan_SystemBC.yar ├── Windows_Trojan_Sythe.yar ├── Windows_Trojan_Tofsee.yar ├── Windows_Trojan_Tollbooth.yar ├── Windows_Trojan_Trickbot.yar ├── Windows_Trojan_TwistedTinsel.yar ├── Windows_Trojan_Vidar.yar ├── Windows_Trojan_WarmCookie.yar ├── Windows_Trojan_WhisperGate.yar ├── Windows_Trojan_WikiLoader.yar ├── Windows_Trojan_WineLoader.yar ├── Windows_Trojan_Winos.yar ├── Windows_Trojan_XWorm.yar ├── Windows_Trojan_Xeno.yar ├── Windows_Trojan_Xpertrat.yar ├── Windows_Trojan_XtremeRAT.yar ├── Windows_Trojan_Zeus.yar ├── Windows_Trojan_Zloader.yar ├── Windows_Virus_Expiro.yar ├── Windows_Virus_Floxif.yar ├── Windows_Virus_Neshta.yar ├── Windows_VulnDriver_ATSZIO.yar ├── Windows_VulnDriver_Agent64.yar ├── Windows_VulnDriver_Amifldrv.yar ├── Windows_VulnDriver_ArPot.yar ├── Windows_VulnDriver_AsIo.yar ├── Windows_VulnDriver_Asrock.yar ├── Windows_VulnDriver_Atillk.yar ├── Windows_VulnDriver_BSMI.yar ├── Windows_VulnDriver_Biostar.yar ├── Windows_VulnDriver_CCProtect.yar ├── Windows_VulnDriver_Cpuz.yar ├── Windows_VulnDriver_DBUtil.yar ├── Windows_VulnDriver_DirectIo.yar ├── Windows_VulnDriver_EchoDrv.yar ├── Windows_VulnDriver_ElRawDisk.yar ├── Windows_VulnDriver_Elby.yar ├── Windows_VulnDriver_EneIo.yar ├── Windows_VulnDriver_FidDrv.yar ├── Windows_VulnDriver_Fidpci.yar ├── Windows_VulnDriver_Fileseclab.yar ├── Windows_VulnDriver_GDrv.yar ├── Windows_VulnDriver_GlckIo.yar ├── Windows_VulnDriver_Gvci.yar ├── Windows_VulnDriver_HpPortIo.yar ├── Windows_VulnDriver_HrSword.yar ├── Windows_VulnDriver_IoBitUnlocker.yar ├── Windows_VulnDriver_Iqvw.yar ├── Windows_VulnDriver_LLAccess.yar ├── Windows_VulnDriver_Lha.yar ├── Windows_VulnDriver_MarvinHW.yar ├── Windows_VulnDriver_Mhyprot.yar ├── Windows_VulnDriver_MicroStar.yar ├── Windows_VulnDriver_MsIo.yar ├── Windows_VulnDriver_MtcBsv.yar ├── Windows_VulnDriver_PowerProfiler.yar ├── Windows_VulnDriver_PowerTool.yar ├── Windows_VulnDriver_ProcExp.yar ├── Windows_VulnDriver_ProcId.yar ├── Windows_VulnDriver_RWEverything.yar ├── Windows_VulnDriver_RentDrv.yar ├── Windows_VulnDriver_RtCore.yar ├── Windows_VulnDriver_Rtkio.yar ├── Windows_VulnDriver_Ryzen.yar ├── Windows_VulnDriver_Sandra.yar ├── Windows_VulnDriver_Segwin.yar ├── Windows_VulnDriver_Speedfan.yar ├── Windows_VulnDriver_ThreatFire.yar ├── Windows_VulnDriver_TmComm.yar ├── Windows_VulnDriver_ToshibaBios.yar ├── Windows_VulnDriver_TrueSight.yar ├── Windows_VulnDriver_VBox.yar ├── Windows_VulnDriver_Viragt.yar ├── Windows_VulnDriver_Vmdrv.yar ├── Windows_VulnDriver_WinDivert.yar ├── Windows_VulnDriver_WinFlash.yar ├── Windows_VulnDriver_WinIo.yar ├── Windows_VulnDriver_XTier.yar ├── Windows_VulnDriver_Zam.yar ├── Windows_Wiper_CaddyWiper.yar ├── Windows_Wiper_DoubleZero.yar ├── Windows_Wiper_HermeticWiper.yar └── Windows_Wiper_IsaacWiper.yar /.gitattributes: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/.gitattributes -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/behavior_bug_issue.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/.github/ISSUE_TEMPLATE/behavior_bug_issue.md -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/behavior_custom_issue.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/.github/ISSUE_TEMPLATE/behavior_custom_issue.md -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/behavior_new_endpoint_rule.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/.github/ISSUE_TEMPLATE/behavior_new_endpoint_rule.md -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/yara_add_new_rule.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/.github/ISSUE_TEMPLATE/yara_add_new_rule.md -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/yara_request_coverage.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/.github/ISSUE_TEMPLATE/yara_request_coverage.md -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/yara_rule_tuning.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/.github/ISSUE_TEMPLATE/yara_rule_tuning.md -------------------------------------------------------------------------------- /.github/workflows/duplicate_issue.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/.github/workflows/duplicate_issue.yml -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/LICENSE.txt -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/README.md -------------------------------------------------------------------------------- /SDP.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/SDP.md -------------------------------------------------------------------------------- /behavior/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/README.md -------------------------------------------------------------------------------- /behavior/rules/cross-platform/execution_eggshell_backdoor_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/cross-platform/execution_eggshell_backdoor_execution.toml -------------------------------------------------------------------------------- /behavior/rules/cross-platform/execution_empire_stager_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/cross-platform/execution_empire_stager_execution.toml -------------------------------------------------------------------------------- /behavior/rules/linux/command_and_control_torsocks_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/command_and_control_torsocks_execution.toml -------------------------------------------------------------------------------- /behavior/rules/linux/defense_evasion_defense_evasion_via_bind_mount.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/defense_evasion_defense_evasion_via_bind_mount.toml -------------------------------------------------------------------------------- /behavior/rules/linux/defense_evasion_linux_hidden_file_mounted.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/defense_evasion_linux_hidden_file_mounted.toml -------------------------------------------------------------------------------- /behavior/rules/linux/defense_evasion_potential_nologin_ssh_backdoor.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/defense_evasion_potential_nologin_ssh_backdoor.toml -------------------------------------------------------------------------------- /behavior/rules/linux/defense_evasion_shared_object_load_via_lolbin.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/defense_evasion_shared_object_load_via_lolbin.toml -------------------------------------------------------------------------------- /behavior/rules/linux/defense_evasion_system_binary_copied_or_moved.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/defense_evasion_system_binary_copied_or_moved.toml -------------------------------------------------------------------------------- /behavior/rules/linux/defense_evasion_timestomping_detected_via_touch.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/defense_evasion_timestomping_detected_via_touch.toml -------------------------------------------------------------------------------- /behavior/rules/linux/defense_evasion_unusual_process_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/defense_evasion_unusual_process_execution.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_bind_shell_via_netcat_traditional.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_bind_shell_via_netcat_traditional.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_bind_shell_via_node.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_bind_shell_via_node.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_bind_shell_via_socket.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_bind_shell_via_socket.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_file_creation_by_foomatic_rip_child.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_file_creation_by_foomatic_rip_child.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_foomatic_rip_shell_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_foomatic_rip_shell_execution.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_javascript_reverse_shell_via_node.js.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_javascript_reverse_shell_via_node.js.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_linux_powershell_encoded_command.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_linux_powershell_encoded_command.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_linux_reverse_shell.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_linux_reverse_shell.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_linux_reverse_shell_via_child.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_linux_reverse_shell_via_child.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_linux_reverse_shell_via_netcat.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_linux_reverse_shell_via_netcat.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_netcat_reverse_shell_via_busybox.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_netcat_reverse_shell_via_busybox.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_potential_gsocket_activity.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_potential_gsocket_activity.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_potential_linux_hack_tool_launched.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_potential_linux_hack_tool_launched.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_potential_reverse_shell_via_named_pipe.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_potential_reverse_shell_via_named_pipe.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_printer_user_(lp)_shell_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_printer_user_(lp)_shell_execution.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_suspicious_d_bus_method_call.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_suspicious_d_bus_method_call.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_suspicious_lua_command_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_suspicious_lua_command_execution.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_suspicious_mining_process_events.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_suspicious_mining_process_events.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_suspicious_perl_command_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_suspicious_perl_command_execution.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_suspicious_php_command_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_suspicious_php_command_execution.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_suspicious_python_command_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_suspicious_python_command_execution.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_suspicious_python_shell_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_suspicious_python_shell_execution.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_suspicious_ruby_command_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_suspicious_ruby_command_execution.toml -------------------------------------------------------------------------------- /behavior/rules/linux/execution_unusual_execution_from__dev_parent.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/execution_unusual_execution_from__dev_parent.toml -------------------------------------------------------------------------------- /behavior/rules/linux/impact_msr_write_access_enabled.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/impact_msr_write_access_enabled.toml -------------------------------------------------------------------------------- /behavior/rules/linux/impact_potential_coin_miner_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/impact_potential_coin_miner_execution.toml -------------------------------------------------------------------------------- /behavior/rules/linux/persistence_decode_activity_via_web_server.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/persistence_decode_activity_via_web_server.toml -------------------------------------------------------------------------------- /behavior/rules/linux/persistence_suspicious_echo_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/linux/persistence_suspicious_echo_execution.toml -------------------------------------------------------------------------------- /behavior/rules/macos/collection_sensitive_file_access_via_rsync.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/collection_sensitive_file_access_via_rsync.toml -------------------------------------------------------------------------------- /behavior/rules/macos/collection_sensitive_file_copy_via_ditto.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/collection_sensitive_file_copy_via_ditto.toml -------------------------------------------------------------------------------- /behavior/rules/macos/command_and_control_curl_from_volume_mount.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/command_and_control_curl_from_volume_mount.toml -------------------------------------------------------------------------------- /behavior/rules/macos/command_and_control_curl_to_telegram_api.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/command_and_control_curl_to_telegram_api.toml -------------------------------------------------------------------------------- /behavior/rules/macos/command_and_control_shlayer_malware_infection.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/command_and_control_shlayer_malware_infection.toml -------------------------------------------------------------------------------- /behavior/rules/macos/credential_access_potential_python_stealer.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/credential_access_potential_python_stealer.toml -------------------------------------------------------------------------------- /behavior/rules/macos/defense_evasion_dylib_load_via_ssh_keygen.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/defense_evasion_dylib_load_via_ssh_keygen.toml -------------------------------------------------------------------------------- /behavior/rules/macos/defense_evasion_file_hidden_via_chflags.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/defense_evasion_file_hidden_via_chflags.toml -------------------------------------------------------------------------------- /behavior/rules/macos/defense_evasion_file_hidden_via_setfile.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/defense_evasion_file_hidden_via_setfile.toml -------------------------------------------------------------------------------- /behavior/rules/macos/defense_evasion_killall_execution_via_python.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/defense_evasion_killall_execution_via_python.toml -------------------------------------------------------------------------------- /behavior/rules/macos/defense_evasion_launchpad_hijack.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/defense_evasion_launchpad_hijack.toml -------------------------------------------------------------------------------- /behavior/rules/macos/defense_evasion_macos_hidden_file_mounted.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/defense_evasion_macos_hidden_file_mounted.toml -------------------------------------------------------------------------------- /behavior/rules/macos/defense_evasion_reflective_binary_load.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/defense_evasion_reflective_binary_load.toml -------------------------------------------------------------------------------- /behavior/rules/macos/defense_evasion_reflective_dylib_load.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/defense_evasion_reflective_dylib_load.toml -------------------------------------------------------------------------------- /behavior/rules/macos/defense_evasion_self_deleting_python_script.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/defense_evasion_self_deleting_python_script.toml -------------------------------------------------------------------------------- /behavior/rules/macos/defense_evasion_suspicious_dd_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/defense_evasion_suspicious_dd_execution.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_cocoa_applet_binary_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_cocoa_applet_binary_execution.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_curl_output_piped_to_osascript.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_curl_output_piped_to_osascript.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_decoy_document_creation_via_curl.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_decoy_document_creation_via_curl.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_dscl_execution_via_osascript.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_dscl_execution_via_osascript.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_javascript_reverse_shell_via_nodejs.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_javascript_reverse_shell_via_nodejs.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_payload_piped_to_script_interpreter.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_payload_piped_to_script_interpreter.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_possible_java_reverse_shell.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_possible_java_reverse_shell.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_potential_decoy_document_via_open.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_potential_decoy_document_via_open.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_potential_python_reverse_shell.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_potential_python_reverse_shell.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_powershell_encoded_command.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_powershell_encoded_command.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_suspicious_apple_script_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_suspicious_apple_script_execution.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_suspicious_binary_execution_via_ssh.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_suspicious_binary_execution_via_ssh.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_suspicious_child_process_of_expect.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_suspicious_child_process_of_expect.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_suspicious_dscl_auth_validation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_suspicious_dscl_auth_validation.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_suspicious_powershell_child_process.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_suspicious_powershell_child_process.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_unusual_bundle_execution_via_shell.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_unusual_bundle_execution_via_shell.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_unusual_library_load_via_python.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_unusual_library_load_via_python.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_user_tcc_db_access_by_osascript.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_user_tcc_db_access_by_osascript.toml -------------------------------------------------------------------------------- /behavior/rules/macos/execution_volume_muted_via_osascript.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/execution_volume_muted_via_osascript.toml -------------------------------------------------------------------------------- /behavior/rules/macos/persistence_default_application_hijacking.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/persistence_default_application_hijacking.toml -------------------------------------------------------------------------------- /behavior/rules/macos/persistence_dock_tile_plug_in_load.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/persistence_dock_tile_plug_in_load.toml -------------------------------------------------------------------------------- /behavior/rules/macos/persistence_potential_persistence_via_emond.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/macos/persistence_potential_persistence_via_emond.toml -------------------------------------------------------------------------------- /behavior/rules/windows/defense_evasion_amsi_bypass_via_powershell.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/defense_evasion_amsi_bypass_via_powershell.toml -------------------------------------------------------------------------------- /behavior/rules/windows/defense_evasion_parent_process_pid_spoofing.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/defense_evasion_parent_process_pid_spoofing.toml -------------------------------------------------------------------------------- /behavior/rules/windows/defense_evasion_script_execution_via_msxsl.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/defense_evasion_script_execution_via_msxsl.toml -------------------------------------------------------------------------------- /behavior/rules/windows/defense_evasion_suspicious_ntdll_image_load.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/defense_evasion_suspicious_ntdll_image_load.toml -------------------------------------------------------------------------------- /behavior/rules/windows/defense_evasion_windows_trojan_zloader.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/defense_evasion_windows_trojan_zloader.toml -------------------------------------------------------------------------------- /behavior/rules/windows/execution_dll_loaded_from_webdav_share.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/execution_dll_loaded_from_webdav_share.toml -------------------------------------------------------------------------------- /behavior/rules/windows/execution_execution_from_unusual_directory.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/execution_execution_from_unusual_directory.toml -------------------------------------------------------------------------------- /behavior/rules/windows/execution_potential_execution_via_zipexec.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/execution_potential_execution_via_zipexec.toml -------------------------------------------------------------------------------- /behavior/rules/windows/execution_potential_reverse_shell_via_java.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/execution_potential_reverse_shell_via_java.toml -------------------------------------------------------------------------------- /behavior/rules/windows/execution_script_execution_from_webdav.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/execution_script_execution_from_webdav.toml -------------------------------------------------------------------------------- /behavior/rules/windows/execution_suspicious_cmd_execution_via_wmi.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/execution_suspicious_cmd_execution_via_wmi.toml -------------------------------------------------------------------------------- /behavior/rules/windows/execution_suspicious_php_script_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/execution_suspicious_php_script_execution.toml -------------------------------------------------------------------------------- /behavior/rules/windows/execution_suspicious_powershell_downloads.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/execution_suspicious_powershell_downloads.toml -------------------------------------------------------------------------------- /behavior/rules/windows/execution_suspicious_powershell_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/execution_suspicious_powershell_execution.toml -------------------------------------------------------------------------------- /behavior/rules/windows/execution_suspicious_wmi_library_load.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/execution_suspicious_wmi_library_load.toml -------------------------------------------------------------------------------- /behavior/rules/windows/impact_bcdedit_safe_mode_command_execution.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/impact_bcdedit_safe_mode_command_execution.toml -------------------------------------------------------------------------------- /behavior/rules/windows/impact_potential_crypto_mining_activity.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/impact_potential_crypto_mining_activity.toml -------------------------------------------------------------------------------- /behavior/rules/windows/impact_potential_ransomware_note_file.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/impact_potential_ransomware_note_file.toml -------------------------------------------------------------------------------- /behavior/rules/windows/impact_suspicious_file_rename_via_smb.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/impact_suspicious_file_rename_via_smb.toml -------------------------------------------------------------------------------- /behavior/rules/windows/persistence_microsoft_office_addin_creation.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/persistence_microsoft_office_addin_creation.toml -------------------------------------------------------------------------------- /behavior/rules/windows/persistence_microsoft_office_addin_loaded.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/persistence_microsoft_office_addin_loaded.toml -------------------------------------------------------------------------------- /behavior/rules/windows/privilege_escalation_uac_bypass_via_sdclt.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/behavior/rules/windows/privilege_escalation_uac_bypass_via_sdclt.toml -------------------------------------------------------------------------------- /ransomware/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/ransomware/README.md -------------------------------------------------------------------------------- /ransomware/artifact.lua: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/ransomware/artifact.lua -------------------------------------------------------------------------------- /ransomware/testing/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/ransomware/testing/README.md -------------------------------------------------------------------------------- /ransomware/testing/mock_ransomware.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/ransomware/testing/mock_ransomware.ps1 -------------------------------------------------------------------------------- /ransomware/testing/mock_ransomware.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/ransomware/testing/mock_ransomware.py -------------------------------------------------------------------------------- /yara/CONTRIBUTING.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/CONTRIBUTING.md -------------------------------------------------------------------------------- /yara/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/README.md -------------------------------------------------------------------------------- /yara/rules/Linux_Backdoor_Bash.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Backdoor_Bash.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Backdoor_Fontonlake.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Backdoor_Fontonlake.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Backdoor_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Backdoor_Generic.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Backdoor_Python.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Backdoor_Python.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Backdoor_Tinyshell.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Backdoor_Tinyshell.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Attribute.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Attribute.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Bscope.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Bscope.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Bulz.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Bulz.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Camelot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Camelot.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Casdet.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Casdet.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Ccminer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Ccminer.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Flystudio.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Flystudio.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Generic.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Ksmdbot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Ksmdbot.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Loudminer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Loudminer.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Malxmr.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Malxmr.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Miancha.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Miancha.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Minertr.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Minertr.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Pgminer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Pgminer.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Presenoker.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Presenoker.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Roboto.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Roboto.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Stak.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Stak.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Ursu.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Ursu.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Uwamson.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Uwamson.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Xmrig.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Xmrig.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Xmrminer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Xmrminer.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Xpaj.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Xpaj.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Cryptominer_Zexaf.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Cryptominer_Zexaf.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Downloader_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Downloader_Generic.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Abrox.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Abrox.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Alie.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Alie.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2009_1897.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2009_1897.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2009_2698.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2009_2698.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2009_2908.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2009_2908.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2010_3301.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2010_3301.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2012_0056.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2012_0056.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2014_3153.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2014_3153.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2016_4557.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2016_4557.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2016_5195.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2016_5195.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2017_100011.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2017_100011.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2017_16995.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2017_16995.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2018_10561.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2018_10561.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2019_13272.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2019_13272.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2021_3156.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2021_3156.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2021_3490.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2021_3490.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2021_4034.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2021_4034.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_CVE_2022_0847.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_CVE_2022_0847.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Cornelgen.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Cornelgen.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Courier.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Courier.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Criscras.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Criscras.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Dirtycow.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Dirtycow.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Enoket.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Enoket.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Foda.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Foda.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_IOUring.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_IOUring.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Intfour.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Intfour.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Local.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Local.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Log4j.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Log4j.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Lotoor.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Lotoor.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Moogrey.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Moogrey.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Openssl.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Openssl.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Perl.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Perl.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Pulse.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Pulse.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Race.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Race.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Ramen.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Ramen.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Sorso.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Sorso.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Vmsplice.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Vmsplice.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Exploit_Wuftpd.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Exploit_Wuftpd.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Generic_Threat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Generic_Threat.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Aduh.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Hacktool_Aduh.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Bruteforce.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Hacktool_Bruteforce.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Cleanlog.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Hacktool_Cleanlog.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Earthworm.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Hacktool_Earthworm.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Exploitscan.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Hacktool_Exploitscan.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Flooder.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Hacktool_Flooder.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Fontonlake.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Hacktool_Fontonlake.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Infectionmonkey.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Hacktool_Infectionmonkey.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Lightning.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Hacktool_Lightning.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_LigoloNG.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Hacktool_LigoloNG.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Outlaw.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Hacktool_Outlaw.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Portscan.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Hacktool_Portscan.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Prochide.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Hacktool_Prochide.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Tcpscan.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Hacktool_Tcpscan.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Hacktool_Wipelog.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Hacktool_Wipelog.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Packer_Patched_UPX.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Packer_Patched_UPX.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Proxy_Frp.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Proxy_Frp.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_Agenda.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_Agenda.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_Akira.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_Akira.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_Babuk.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_Babuk.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_BlackBasta.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_BlackBasta.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_BlackSuit.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_BlackSuit.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_Clop.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_Clop.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_Conti.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_Conti.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_EchoRaix.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_EchoRaix.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_Erebus.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_Erebus.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_Esxiargs.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_Esxiargs.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_Gonnacry.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_Gonnacry.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_Hellokitty.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_Hellokitty.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_Hive.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_Hive.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_ItsSoEasy.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_ItsSoEasy.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_LimpDemon.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_LimpDemon.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_Lockbit.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_Lockbit.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_Monti.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_Monti.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_NoEscape.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_NoEscape.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_Quantum.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_Quantum.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_RagnarLocker.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_RagnarLocker.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_RedAlert.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_RedAlert.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_RoyalPest.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_RoyalPest.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_SFile.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_SFile.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Ransomware_Sodinokibi.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Ransomware_Sodinokibi.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Adore.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Adore.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Arkd.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Arkd.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Bedevil.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Bedevil.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_BrokePKG.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_BrokePKG.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Dakkatoni.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Dakkatoni.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Diamorphine.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Diamorphine.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Flipswitch.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Flipswitch.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Fontonlake.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Fontonlake.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Generic.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_HiddenWasp.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_HiddenWasp.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Jynx.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Jynx.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Kovid.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Kovid.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Melofee.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Melofee.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Mobkit.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Mobkit.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Perfctl.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Perfctl.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Reptile.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Reptile.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Snapekit.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Snapekit.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Rootkit_Suterusu.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Rootkit_Suterusu.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Shellcode_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Shellcode_Generic.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Adlibrary.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Adlibrary.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Asacub.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Asacub.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Autocolor.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Autocolor.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Azeela.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Azeela.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_BPFDoor.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_BPFDoor.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Backconnect.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Backconnect.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Backegmm.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Backegmm.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Badbee.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Badbee.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Banload.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Banload.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Bedevil.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Bedevil.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Bish.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Bish.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Bluez.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Bluez.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Cerbu.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Cerbu.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Chinaz.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Chinaz.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Connectback.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Connectback.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Ddostf.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Ddostf.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_DinodasRAT.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_DinodasRAT.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Dnsamp.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Dnsamp.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Dofloo.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Dofloo.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Dropperl.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Dropperl.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Ebury.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Ebury.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_FinalDraft.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_FinalDraft.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Gafgyt.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Gafgyt.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Ganiw.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Ganiw.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Generic.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Getshell.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Getshell.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Godlua.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Godlua.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Godropper.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Godropper.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Gognt.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Gognt.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Hiddad.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Hiddad.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Ipstorm.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Ipstorm.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Ircbot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Ircbot.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Iroffer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Iroffer.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Kaiji.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Kaiji.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Kinsing.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Kinsing.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Ladvix.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Ladvix.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Lady.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Lady.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Lala.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Lala.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Malxmr.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Malxmr.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Marut.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Marut.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Masan.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Masan.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Mech.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Mech.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Mechbot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Mechbot.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Melofee.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Melofee.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Merlin.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Merlin.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Metasploit.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Metasploit.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Meterpreter.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Meterpreter.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Mettle.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Mettle.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Mirai.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Mirai.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Mobidash.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Mobidash.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Mumblehard.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Mumblehard.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Ngioweb.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Ngioweb.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Nuker.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Nuker.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Orbit.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Orbit.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Patpooty.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Patpooty.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Pnscan.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Pnscan.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Pornoasset.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Pornoasset.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Psybnc.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Psybnc.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Pumakit.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Pumakit.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Rbot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Rbot.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Rekoobe.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Rekoobe.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Roopre.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Roopre.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Rooter.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Rooter.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Rotajakiro.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Rotajakiro.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Rozena.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Rozena.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Sambashell.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Sambashell.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Sckit.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Sckit.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Sdbot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Sdbot.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Setag.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Setag.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Sfloost.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Sfloost.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Shark.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Shark.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Shellbot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Shellbot.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Skidmap.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Skidmap.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Snessik.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Snessik.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Snowlight.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Snowlight.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Springtail.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Springtail.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Sqlexp.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Sqlexp.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Sshdkit.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Sshdkit.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Sshdoor.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Sshdoor.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Subsevux.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Subsevux.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Swrort.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Swrort.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Sysrv.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Sysrv.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Truncpx.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Truncpx.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Tsunami.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Tsunami.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Winnti.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Winnti.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_XZBackdoor.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_XZBackdoor.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Xhide.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Xhide.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Xorddos.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Xorddos.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Xpmmap.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Xpmmap.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Zerobot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Zerobot.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Trojan_Zpevdo.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Trojan_Zpevdo.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Virus_Gmon.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Virus_Gmon.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Virus_Rst.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Virus_Rst.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Virus_Staffcounter.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Virus_Staffcounter.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Virus_Thebe.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Virus_Thebe.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Webshell_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Webshell_Generic.yar -------------------------------------------------------------------------------- /yara/rules/Linux_Worm_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Linux_Worm_Generic.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Backdoor_Applejeus.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Backdoor_Applejeus.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Backdoor_Fakeflashlxk.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Backdoor_Fakeflashlxk.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Backdoor_Kagent.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Backdoor_Kagent.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Backdoor_Keyboardrecord.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Backdoor_Keyboardrecord.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Backdoor_Useragent.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Backdoor_Useragent.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Creddump_KeychainAccess.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Creddump_KeychainAccess.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Cryptominer_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Cryptominer_Generic.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Cryptominer_Xmrig.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Cryptominer_Xmrig.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Exploit_Log4j.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Exploit_Log4j.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Hacktool_Bifrost.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Hacktool_Bifrost.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Hacktool_Swiftbelt.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Hacktool_Swiftbelt.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Infostealer_MdQueryPassw.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Infostealer_MdQueryPassw.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Infostealer_MdQuerySecret.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Infostealer_MdQuerySecret.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Infostealer_MdQueryTCC.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Infostealer_MdQueryTCC.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Infostealer_MdQueryToken.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Infostealer_MdQueryToken.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_Adload.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_Adload.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_Amcleaner.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_Amcleaner.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_Aobokeylogger.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_Aobokeylogger.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_Bundlore.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_Bundlore.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_Eggshell.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_Eggshell.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_Electrorat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_Electrorat.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_Fplayer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_Fplayer.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_Generic.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_Genieo.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_Genieo.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_Getshell.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_Getshell.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_HLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_HLoader.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_KandyKorn.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_KandyKorn.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_Metasploit.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_Metasploit.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_RustBucket.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_RustBucket.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_SugarLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_SugarLoader.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Trojan_Thiefquest.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Trojan_Thiefquest.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Virus_Maxofferdeal.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Virus_Maxofferdeal.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Virus_Pirrit.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Virus_Pirrit.yar -------------------------------------------------------------------------------- /yara/rules/MacOS_Virus_Vsearch.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/MacOS_Virus_Vsearch.yar -------------------------------------------------------------------------------- /yara/rules/Macos_Hacktool_JokerSpy.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Macos_Hacktool_JokerSpy.yar -------------------------------------------------------------------------------- /yara/rules/Macos_Infostealer_EncodedOsascript.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Macos_Infostealer_EncodedOsascript.yar -------------------------------------------------------------------------------- /yara/rules/Macos_Infostealer_Wallets.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Macos_Infostealer_Wallets.yar -------------------------------------------------------------------------------- /yara/rules/Multi_AttackSimulation_Blindspot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_AttackSimulation_Blindspot.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Cryptominer_Xmrig.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Cryptominer_Xmrig.yar -------------------------------------------------------------------------------- /yara/rules/Multi_EICAR.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_EICAR.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Generic_Threat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Generic_Threat.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Hacktool_Gsocket.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Hacktool_Gsocket.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Hacktool_Nps.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Hacktool_Nps.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Hacktool_Rakshasa.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Hacktool_Rakshasa.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Hacktool_Stowaway.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Hacktool_Stowaway.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Hacktool_SuperShell.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Hacktool_SuperShell.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Ransomware_Akira.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Ransomware_Akira.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Ransomware_BlackCat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Ransomware_BlackCat.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Ransomware_Luna.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Ransomware_Luna.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Ransomware_RansomHub.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Ransomware_RansomHub.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Trojan_Coreimpact.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Trojan_Coreimpact.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Trojan_EmpirGo.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Trojan_EmpirGo.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Trojan_FinalDraft.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Trojan_FinalDraft.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Trojan_Goffloader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Trojan_Goffloader.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Trojan_Gosar.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Trojan_Gosar.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Trojan_Merlin.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Trojan_Merlin.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Trojan_Mythic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Trojan_Mythic.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Trojan_Sliver.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Trojan_Sliver.yar -------------------------------------------------------------------------------- /yara/rules/Multi_Trojan_SparkRat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Multi_Trojan_SparkRat.yar -------------------------------------------------------------------------------- /yara/rules/Windows_AttackSimulation_Hovercraft.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_AttackSimulation_Hovercraft.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Backdoor_DragonCastling.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Backdoor_DragonCastling.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Backdoor_Goldbackdoor.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Backdoor_Goldbackdoor.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Backdoor_TeamViewer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Backdoor_TeamViewer.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Clickfraud_LuckySlots.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Clickfraud_LuckySlots.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Cryptominer_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Cryptominer_Generic.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Exploit_CVE_2022_38028.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Exploit_CVE_2022_38028.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Exploit_Dcom.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Exploit_Dcom.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Exploit_Eternalblue.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Exploit_Eternalblue.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Exploit_FakePipe.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Exploit_FakePipe.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Exploit_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Exploit_Generic.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Exploit_IoRing.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Exploit_IoRing.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Exploit_Log4j.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Exploit_Log4j.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Exploit_Perfusion.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Exploit_Perfusion.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Exploit_RpcJunction.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Exploit_RpcJunction.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Generic_MalCert.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Generic_MalCert.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Generic_Threat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Generic_Threat.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_AskCreds.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_AskCreds.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_BlackBone.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_BlackBone.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_COFFLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_COFFLoader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_Capcom.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_Capcom.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_Certify.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_Certify.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_CheatEngine.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_CheatEngine.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_ChromeKatz.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_ChromeKatz.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_ClrOxide.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_ClrOxide.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_CpuLocker.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_CpuLocker.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_DarkLoadLibrary.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_DarkLoadLibrary.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_Dcsyncer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_Dcsyncer.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_DinvokeRust.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_DinvokeRust.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_EDRWFP.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_EDRWFP.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_EDRrecon.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_EDRrecon.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_ExecuteAssembly.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_ExecuteAssembly.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_Gmer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_Gmer.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_GodPotato.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_GodPotato.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_Iox.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_Iox.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_LeiGod.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_LeiGod.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_Mimikatz.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_Mimikatz.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_NetFilter.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_NetFilter.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_Nimhawk.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_Nimhawk.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_Phant0m.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_Phant0m.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_PhysMem.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_PhysMem.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_ProcessHacker.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_ProcessHacker.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_RingQ.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_RingQ.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_Rubeus.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_Rubeus.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SafetyKatz.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SafetyKatz.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_Seatbelt.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_Seatbelt.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SharPersist.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SharPersist.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SharpAppLocker.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SharpAppLocker.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SharpChromium.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SharpChromium.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SharpDump.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SharpDump.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SharpGPOAbuse.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SharpGPOAbuse.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SharpHound.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SharpHound.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SharpLAPS.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SharpLAPS.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SharpMove.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SharpMove.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SharpRDP.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SharpRDP.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SharpSCCM.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SharpSCCM.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SharpShares.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SharpShares.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SharpStay.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SharpStay.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SharpUp.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SharpUp.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SharpView.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SharpView.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SharpWMI.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SharpWMI.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_SleepObfLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_SleepObfLoader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Hacktool_WinPEAS_ng.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Hacktool_WinPEAS_ng.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Infostealer_EddieStealer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Infostealer_EddieStealer.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Infostealer_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Infostealer_Generic.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Infostealer_NovaBlight.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Infostealer_NovaBlight.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Infostealer_PhemedroneStealer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Infostealer_PhemedroneStealer.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Infostealer_Strela.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Infostealer_Strela.yar -------------------------------------------------------------------------------- /yara/rules/Windows_PUP_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_PUP_Generic.yar -------------------------------------------------------------------------------- /yara/rules/Windows_PUP_MediaArena.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_PUP_MediaArena.yar -------------------------------------------------------------------------------- /yara/rules/Windows_PUP_Veriato.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_PUP_Veriato.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Packer_ScrubCrypt.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Packer_ScrubCrypt.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Agenda.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Agenda.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Akira.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Akira.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Avoslocker.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Avoslocker.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Azov.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Azov.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Bitpaymer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Bitpaymer.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_BlackBasta.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_BlackBasta.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_BlackHunt.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_BlackHunt.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Blackmatter.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Blackmatter.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Cicada3301.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Cicada3301.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Clop.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Clop.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Conti.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Conti.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Crytox.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Crytox.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Cuba.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Cuba.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Darkside.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Darkside.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Dharma.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Dharma.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Doppelpaymer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Doppelpaymer.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Egregor.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Egregor.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_GandCrab.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_GandCrab.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Generic.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Grief.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Grief.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Haron.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Haron.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Hellokitty.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Hellokitty.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Helloxd.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Helloxd.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Hive.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Hive.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Lockbit.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Lockbit.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Lockfile.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Lockfile.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Magniber.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Magniber.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Makop.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Makop.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Maui.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Maui.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Maze.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Maze.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Medusa.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Medusa.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Mespinoza.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Mespinoza.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Mountlocker.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Mountlocker.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Nightsky.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Nightsky.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Pandora.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Pandora.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Phobos.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Phobos.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Ragnarok.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Ragnarok.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Ransomexx.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Ransomexx.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Rook.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Rook.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Royal.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Royal.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Ryuk.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Ryuk.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Snake.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Snake.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Sodinokibi.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Sodinokibi.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Stop.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Stop.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Thanos.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Thanos.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Vgod.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Vgod.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_Vhd.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_Vhd.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_WannaCry.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_WannaCry.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Ransomware_WhisperGate.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Ransomware_WhisperGate.yar -------------------------------------------------------------------------------- /yara/rules/Windows_RemoteAdmin_UltraVNC.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_RemoteAdmin_UltraVNC.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Rootkit_AbyssWorker.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Rootkit_AbyssWorker.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Rootkit_R77.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Rootkit_R77.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Shellcode_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Shellcode_Generic.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Shellcode_Rdi.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Shellcode_Rdi.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_A310logger.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_A310logger.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_ACRStealer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_ACRStealer.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Afdk.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Afdk.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_AgentTesla.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_AgentTesla.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Amadey.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Amadey.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Arechclient2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Arechclient2.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_ArkeiStealer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_ArkeiStealer.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Asyncrat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Asyncrat.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_AveMaria.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_AveMaria.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Azorult.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Azorult.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_BITSloth.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_BITSloth.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Babble.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Babble.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Babylonrat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Babylonrat.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Backoff.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Backoff.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Bandook.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Bandook.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Bazar.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Bazar.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Beam.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Beam.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Behinder.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Behinder.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Bitrat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Bitrat.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_BlackShades.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_BlackShades.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Blackwood.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Blackwood.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Blister.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Blister.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_BloodAlchemy.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_BloodAlchemy.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_BruteRatel.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_BruteRatel.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Buerloader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Buerloader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Bughatch.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Bughatch.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Bumblebee.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Bumblebee.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_CaesarKbd.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_CaesarKbd.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Carberp.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Carberp.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_CastleLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_CastleLoader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Clipbanker.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Clipbanker.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_CobaltStrike.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_CobaltStrike.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Cryptbot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Cryptbot.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_CyberGate.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_CyberGate.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DBatLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_DBatLoader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DCRat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_DCRat.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DTrack.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_DTrack.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Danabot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Danabot.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DarkCloud.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_DarkCloud.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DarkGate.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_DarkGate.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DarkVNC.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_DarkVNC.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Darkcomet.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Darkcomet.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Deimos.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Deimos.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DiamondFox.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_DiamondFox.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Diceloader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Diceloader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DodgeBox.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_DodgeBox.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Donutloader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Donutloader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DoorMe.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_DoorMe.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DoubleBack.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_DoubleBack.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DoubleLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_DoubleLoader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DownTown.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_DownTown.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DragonBreath.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_DragonBreath.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DreamJob.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_DreamJob.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Dridex.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Dridex.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_DustyWarehouse.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_DustyWarehouse.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_EagerBee.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_EagerBee.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Emotet.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Emotet.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Fabookie.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Fabookie.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_FalseFont.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_FalseFont.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Farfli.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Farfli.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Fickerstealer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Fickerstealer.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_FinalDraft.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_FinalDraft.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_FlawedGrace.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_FlawedGrace.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Formbook.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Formbook.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Garble.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Garble.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Generic.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Generic.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Gh0st.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Gh0st.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_GhostEngine.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_GhostEngine.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_GhostPulse.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_GhostPulse.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Glupteba.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Glupteba.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Gozi.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Gozi.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Grandoreiro.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Grandoreiro.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_GuidLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_GuidLoader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Guloader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Guloader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Hancitor.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Hancitor.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Havoc.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Havoc.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Hawkeye.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Hawkeye.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_HazelCobra.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_HazelCobra.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_HiddenCli.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_HiddenCli.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_HiddenDriver.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_HiddenDriver.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_HijackLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_HijackLoader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_HotPage.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_HotPage.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_IcedID.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_IcedID.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_JesterStealer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_JesterStealer.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Jupyter.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Jupyter.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_KoiLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_KoiLoader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Kronos.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Kronos.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Latrodectus.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Latrodectus.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_LegionLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_LegionLoader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Limerat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Limerat.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Lobshot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Lobshot.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Lokibot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Lokibot.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Lumma.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Lumma.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Lurker.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Lurker.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_M0yv.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_M0yv.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_MagicRat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_MagicRat.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_MassLogger.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_MassLogger.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Mata.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Mata.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Matanbuchus.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Matanbuchus.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Merlin.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Merlin.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_MetaStealer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_MetaStealer.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Metasploit.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Metasploit.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_MicroBackdoor.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_MicroBackdoor.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_ModPipe.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_ModPipe.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_MyloBot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_MyloBot.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Nanocore.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Nanocore.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_NapListener.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_NapListener.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Netwire.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Netwire.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Nighthawk.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Nighthawk.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Nimplant.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Nimplant.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Njrat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Njrat.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_NukeSped.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_NukeSped.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Octopus.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Octopus.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_OnlyLogger.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_OnlyLogger.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_OskiStealer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_OskiStealer.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_P8Loader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_P8Loader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Pandastealer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Pandastealer.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Parallax.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Parallax.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_PathLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_PathLoader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Phoreal.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Phoreal.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_PikaBot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_PikaBot.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Pingpull.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Pingpull.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_PipeDance.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_PipeDance.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_PizzaPotion.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_PizzaPotion.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_PlugX.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_PlugX.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Pony.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Pony.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_PoshC2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_PoshC2.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_PowerSeal.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_PowerSeal.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_PrivateLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_PrivateLoader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_ProtectS.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_ProtectS.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Qbot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Qbot.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Quasarrat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Quasarrat.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Raccoon.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Raccoon.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_RaspberryRobin.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_RaspberryRobin.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_RedLineStealer.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_RedLineStealer.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Remcos.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Remcos.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Revcoderat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Revcoderat.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Revengerat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Revengerat.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Rhadamanthys.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Rhadamanthys.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_RoningLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_RoningLoader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_RudeBird.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_RudeBird.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_STRRAT.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_STRRAT.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_SVCReady.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_SVCReady.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_SadBridge.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_SadBridge.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_ServHelper.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_ServHelper.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_ShadowPad.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_ShadowPad.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_ShelbyC2.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_ShelbyC2.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_ShelbyLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_ShelbyLoader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Shellter.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Shellter.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_SiestaGraph.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_SiestaGraph.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Sliver.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Sliver.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Smokeloader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Smokeloader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_SnakeKeylogger.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_SnakeKeylogger.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_SolarMarker.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_SolarMarker.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_SomniRecord.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_SomniRecord.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_SourShark.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_SourShark.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_SpectralViper.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_SpectralViper.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Squirrelwaffle.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Squirrelwaffle.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Stealc.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Stealc.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_StormKitty.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_StormKitty.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_StumpZarus.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_StumpZarus.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_SuddenIcon.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_SuddenIcon.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_SysJoker.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_SysJoker.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_SystemBC.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_SystemBC.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Sythe.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Sythe.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Tofsee.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Tofsee.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Tollbooth.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Tollbooth.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Trickbot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Trickbot.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_TwistedTinsel.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_TwistedTinsel.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Vidar.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Vidar.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_WarmCookie.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_WarmCookie.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_WhisperGate.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_WhisperGate.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_WikiLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_WikiLoader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_WineLoader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_WineLoader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Winos.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Winos.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_XWorm.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_XWorm.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Xeno.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Xeno.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Xpertrat.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Xpertrat.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_XtremeRAT.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_XtremeRAT.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Zeus.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Zeus.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Trojan_Zloader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Trojan_Zloader.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Virus_Expiro.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Virus_Expiro.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Virus_Floxif.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Virus_Floxif.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Virus_Neshta.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Virus_Neshta.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_ATSZIO.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_ATSZIO.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Agent64.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Agent64.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Amifldrv.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Amifldrv.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_ArPot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_ArPot.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_AsIo.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_AsIo.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Asrock.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Asrock.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Atillk.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Atillk.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_BSMI.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_BSMI.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Biostar.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Biostar.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_CCProtect.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_CCProtect.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Cpuz.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Cpuz.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_DBUtil.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_DBUtil.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_DirectIo.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_DirectIo.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_EchoDrv.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_EchoDrv.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_ElRawDisk.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_ElRawDisk.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Elby.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Elby.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_EneIo.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_EneIo.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_FidDrv.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_FidDrv.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Fidpci.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Fidpci.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Fileseclab.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Fileseclab.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_GDrv.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_GDrv.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_GlckIo.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_GlckIo.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Gvci.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Gvci.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_HpPortIo.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_HpPortIo.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_HrSword.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_HrSword.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_IoBitUnlocker.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_IoBitUnlocker.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Iqvw.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Iqvw.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_LLAccess.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_LLAccess.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Lha.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Lha.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_MarvinHW.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_MarvinHW.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Mhyprot.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Mhyprot.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_MicroStar.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_MicroStar.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_MsIo.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_MsIo.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_MtcBsv.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_MtcBsv.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_PowerProfiler.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_PowerProfiler.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_PowerTool.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_PowerTool.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_ProcExp.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_ProcExp.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_ProcId.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_ProcId.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_RWEverything.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_RWEverything.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_RentDrv.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_RentDrv.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_RtCore.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_RtCore.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Rtkio.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Rtkio.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Ryzen.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Ryzen.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Sandra.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Sandra.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Segwin.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Segwin.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Speedfan.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Speedfan.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_ThreatFire.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_ThreatFire.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_TmComm.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_TmComm.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_ToshibaBios.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_ToshibaBios.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_TrueSight.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_TrueSight.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_VBox.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_VBox.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Viragt.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Viragt.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Vmdrv.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Vmdrv.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_WinDivert.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_WinDivert.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_WinFlash.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_WinFlash.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_WinIo.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_WinIo.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_XTier.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_XTier.yar -------------------------------------------------------------------------------- /yara/rules/Windows_VulnDriver_Zam.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_VulnDriver_Zam.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Wiper_CaddyWiper.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Wiper_CaddyWiper.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Wiper_DoubleZero.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Wiper_DoubleZero.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Wiper_HermeticWiper.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Wiper_HermeticWiper.yar -------------------------------------------------------------------------------- /yara/rules/Windows_Wiper_IsaacWiper.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/protections-artifacts/HEAD/yara/rules/Windows_Wiper_IsaacWiper.yar --------------------------------------------------------------------------------