├── .dockerignore ├── .gitignore ├── CITATION.cff ├── Dockerfile ├── LICENSE ├── Paper Supplement.pdf ├── README.md ├── amides ├── .dockerignore ├── .gitignore ├── amides │ ├── __init__.py │ ├── data.py │ ├── evaluation.py │ ├── events.py │ ├── features │ │ ├── __init__.py │ │ ├── deduplicate.py │ │ ├── extraction.py │ │ ├── filter.py │ │ ├── normalize.py │ │ ├── preprocessing.py │ │ └── tokenization.py │ ├── models │ │ ├── __init__.py │ │ └── selection.py │ ├── persist.py │ ├── scale.py │ ├── sigma.py │ ├── utils.py │ └── visualization.py ├── bin │ ├── add_scaler.py │ ├── combine_models.py │ ├── confidence.py │ ├── config │ │ ├── powershell │ │ │ ├── eval_misuse_svc_rules.json │ │ │ ├── train_misuse_svc_rules.json │ │ │ └── validate_misuse_svc_rules.json │ │ ├── pr_plot_powershell_proxy_registry.json │ │ ├── process_creation │ │ │ ├── attr_plot.json │ │ │ ├── eval_attr.json │ │ │ ├── eval_misuse_svc_matches.json │ │ │ ├── eval_misuse_svc_rules.json │ │ │ ├── eval_misuse_svc_rules_tainted.json │ │ │ ├── params.json │ │ │ ├── pr_plot_tainted.json │ │ │ ├── prt_plot_misuse_rules_matches.json │ │ │ ├── train_attr_svc_rules.json │ │ │ ├── train_misuse_svc_matches.json │ │ │ ├── train_misuse_svc_rules.json │ │ │ ├── train_misuse_svc_rules_tainted_10.json │ │ │ ├── train_misuse_svc_rules_tainted_20.json │ │ │ ├── train_misuse_svc_rules_tainted_30.json │ │ │ ├── validate_misuse_svc_matches.json │ │ │ ├── validate_misuse_svc_rules.json │ │ │ ├── validate_misuse_svc_rules_tainted_10.json │ │ │ ├── validate_misuse_svc_rules_tainted_20.json │ │ │ └── validate_misuse_svc_rules_tainted_30.json │ │ ├── proxy_web │ │ │ ├── eval_misuse_svc_rules.json │ │ │ ├── train_misuse_svc_rules.json │ │ │ └── validate_misuse_svc_rules.json │ │ └── registry │ │ │ ├── eval_misuse_svc_rules.json │ │ │ ├── train_misuse_svc_rules.json │ │ │ └── validate_misuse_svc_rules.json │ ├── eval_attr.py │ ├── eval_mcc_scaling.py │ ├── extract_features.py │ ├── extract_terms.py │ ├── extract_terms_multi.py │ ├── normalize.py │ ├── plot_attr.py │ ├── plot_df_hist.py │ ├── plot_df_values.py │ ├── plot_multi_tainted.py │ ├── plot_pr.py │ ├── split_terms.py │ ├── train.py │ ├── train_new_types.py │ ├── train_new_types_multi.py │ ├── validate.py │ ├── validate_new_types.py │ └── validate_new_types_multi.py ├── classification.sh ├── classification_other_types.sh ├── experiments.sh ├── requirements.in ├── requirements.txt ├── requirements_dev.in ├── requirements_dev.txt ├── rule_attribution.sh ├── setup.py ├── tainted_training.sh ├── tests │ ├── __init__.py │ ├── data │ │ ├── json_to_jsonl.py │ │ ├── scale_events.py │ │ ├── sigma-study │ │ │ ├── events │ │ │ │ ├── proxyweb │ │ │ │ │ └── rule_1 │ │ │ │ │ │ ├── Proxy_Evasion_url_full_01.json │ │ │ │ │ │ ├── Proxy_Evasion_url_full_02.json │ │ │ │ │ │ ├── Proxy_Evasion_url_full_03.json │ │ │ │ │ │ ├── Proxy_Evasion_url_full_04.json │ │ │ │ │ │ └── properties.yml │ │ │ │ └── windows │ │ │ │ │ ├── powershell │ │ │ │ │ └── rule_1 │ │ │ │ │ │ ├── Microsoft-Windows-Powershell_4104_Evasion_Keyless_01.json │ │ │ │ │ │ ├── Microsoft-Windows-Powershell_4104_Evasion_Keyless_02.json │ │ │ │ │ │ ├── Microsoft-Windows-Powershell_4104_Evasion_Keyless_03.json │ │ │ │ │ │ ├── Microsoft-Windows-Powershell_4104_Evasion_Keyless_04.json │ │ │ │ │ │ ├── Microsoft-Windows-Powershell_4104_Evasion_Keyless_05.json │ │ │ │ │ │ └── properties.yml │ │ │ │ │ ├── process_creation │ │ │ │ │ ├── missing_evasions │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ │ │ └── properties.yml │ │ │ │ │ ├── missing_matches │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_01.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_02.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_03.json │ │ │ │ │ │ └── properties.yml │ │ │ │ │ ├── missing_properties │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_01.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_02.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_03.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ │ │ └── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ │ ├── rule_1 │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_01.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_02.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_03.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ │ │ └── properties.yml │ │ │ │ │ └── rule_2 │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_01.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_02.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_03.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ │ │ └── properties.yml │ │ │ │ │ └── registry │ │ │ │ │ └── rule_1 │ │ │ │ │ ├── Microsoft-Windows-Sysmon_12_Evasion_Details_01.json │ │ │ │ │ ├── Microsoft-Windows-Sysmon_12_Evasion_Details_02.json │ │ │ │ │ ├── Microsoft-Windows-Sysmon_12_Evasion_Details_03.json │ │ │ │ │ ├── Microsoft-Windows-Sysmon_12_Evasion_Details_04.json │ │ │ │ │ ├── Microsoft-Windows-Sysmon_12_Evasion_TargetObject_01.json │ │ │ │ │ └── properties.yml │ │ │ └── rules │ │ │ │ ├── proc_cmdline.json │ │ │ │ ├── proxyweb │ │ │ │ └── rule_1.yml │ │ │ │ ├── selected_proc_cmdline.json │ │ │ │ └── windows │ │ │ │ ├── powershell │ │ │ │ └── rule_1.yml │ │ │ │ ├── process_creation │ │ │ │ ├── rule_1.yml │ │ │ │ └── rule_2.yml │ │ │ │ └── registry │ │ │ │ └── rule_1.yml │ │ └── socbed-sample │ │ │ ├── powershell │ │ │ └── jsonl │ │ │ │ └── Microsoft-Windows-PowerShell_4104.jsonl │ │ │ └── process_creation │ │ │ ├── json │ │ │ ├── 0001.json │ │ │ ├── 0002.json │ │ │ ├── 0003.json │ │ │ ├── 0004.json │ │ │ ├── 0005.json │ │ │ ├── 0006.json │ │ │ ├── 0007.json │ │ │ ├── 0008.json │ │ │ ├── 0009.json │ │ │ ├── 0010.json │ │ │ ├── 0011.json │ │ │ ├── 0012.json │ │ │ ├── 0013.json │ │ │ ├── 0014.json │ │ │ ├── 0015.json │ │ │ ├── 0016.json │ │ │ ├── 0017.json │ │ │ ├── 0018.json │ │ │ ├── 0019.json │ │ │ └── 0020.json │ │ │ └── jsonl │ │ │ └── Microsoft-Windows-Sysmon_1.jsonl │ └── unit │ │ ├── test_data.py │ │ ├── test_events.py │ │ ├── test_extraction.py │ │ ├── test_models_selection.py │ │ ├── test_persist.py │ │ ├── test_result.py │ │ ├── test_sigma.py │ │ └── test_utils.py └── tox.ini ├── cleanup.sh ├── data ├── sigma │ ├── events │ │ ├── proxyweb │ │ │ ├── values_evasion_proxyweb │ │ │ └── values_evasion_proxyweb_multi │ │ └── windows │ │ │ ├── powershell │ │ │ ├── values_evasion_powershell │ │ │ └── values_evasion_powershell_multi │ │ │ ├── process_creation │ │ │ ├── cmstp_execution │ │ │ │ └── properties.yml │ │ │ ├── sysmon_apt_muddywater_dnstunnel │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── sysmon_hack_wce │ │ │ │ └── properties.yml │ │ │ ├── sysmon_logon_scripts_userinitmprlogonscript_proc │ │ │ │ └── properties.yml │ │ │ ├── sysmon_susp_plink_remote_forward │ │ │ │ └── properties.yml │ │ │ ├── win_advanced_ip_scanner │ │ │ │ └── properties.yml │ │ │ ├── win_apt_apt29_thinktanks │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_apt_babyshark │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_apt_bear_activity_gtr19 │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_apt_bluemashroom │ │ │ │ └── properties.yml │ │ │ ├── win_apt_chafer_mar18 │ │ │ │ └── properties.yml │ │ │ ├── win_apt_cloudhopper │ │ │ │ └── properties.yml │ │ │ ├── win_apt_dragonfly │ │ │ │ └── properties.yml │ │ │ ├── win_apt_elise │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_apt_emissarypanda_sep19 │ │ │ │ └── properties.yml │ │ │ ├── win_apt_empiremonkey │ │ │ │ └── properties.yml │ │ │ ├── win_apt_equationgroup_dll_u_load │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ └── properties.yml │ │ │ ├── win_apt_evilnum_jul20 │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ └── properties.yml │ │ │ ├── win_apt_gallium │ │ │ │ └── properties.yml │ │ │ ├── win_apt_greenbug_may20 │ │ │ │ └── properties.yml │ │ │ ├── win_apt_hurricane_panda │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ └── properties.yml │ │ │ ├── win_apt_judgement_panda_gtr19 │ │ │ │ └── properties.yml │ │ │ ├── win_apt_ke3chang_regadd │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_apt_lazarus_activity_dec20 │ │ │ │ └── properties.yml │ │ │ ├── win_apt_lazarus_loader │ │ │ │ └── properties.yml │ │ │ ├── win_apt_lazarus_session_highjack │ │ │ │ └── properties.yml │ │ │ ├── win_apt_mustangpanda │ │ │ │ └── properties.yml │ │ │ ├── win_apt_slingshot │ │ │ │ └── properties.yml │ │ │ ├── win_apt_sofacy │ │ │ │ └── properties.yml │ │ │ ├── win_apt_ta17_293a_ps │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ └── properties.yml │ │ │ ├── win_apt_ta505_dropper │ │ │ │ └── properties.yml │ │ │ ├── win_apt_taidoor │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_apt_tropictrooper │ │ │ │ └── properties.yml │ │ │ ├── win_apt_turla_commands │ │ │ │ └── properties.yml │ │ │ ├── win_apt_turla_comrat_may20 │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_apt_unc2452_cmds │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ └── properties.yml │ │ │ ├── win_apt_unc2452_ps │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_apt_unidentified_nov_18 │ │ │ │ └── properties.yml │ │ │ ├── win_apt_winnti_mal_hk_jan20 │ │ │ │ └── properties.yml │ │ │ ├── win_apt_winnti_pipemon │ │ │ │ └── properties.yml │ │ │ ├── win_apt_wocao │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_05.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_06.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_07.json │ │ │ │ └── properties.yml │ │ │ ├── win_apt_zxshell │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_attrib_hiding_files │ │ │ │ └── properties.yml │ │ │ ├── win_bootconf_mod │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_bypass_squiblytwo │ │ │ │ └── properties.yml │ │ │ ├── win_change_default_file_association │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_cmdkey_recon │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_cmstp_com_object_access │ │ │ │ └── properties.yml │ │ │ ├── win_commandline_path_traversal │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_control_panel_item │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_copying_sensitive_files_with_credential_data │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_crime_fireball │ │ │ │ └── properties.yml │ │ │ ├── win_crime_maze_ransomware │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ └── properties.yml │ │ │ ├── win_crime_snatch_ransomware │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_05.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_06.json │ │ │ │ └── properties.yml │ │ │ ├── win_data_compressed_with_rar │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_dns_exfiltration_tools_execution │ │ │ │ └── properties.yml │ │ │ ├── win_dnscat2_powershell_implementation │ │ │ │ └── properties.yml │ │ │ ├── win_dsquery_domain_trust_discovery │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_encoded_frombase64string │ │ │ │ └── properties.yml │ │ │ ├── win_encoded_iex │ │ │ │ └── properties.yml │ │ │ ├── win_etw_modification_cmdline │ │ │ │ └── properties.yml │ │ │ ├── win_etw_trace_evasion │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ └── properties.yml │ │ │ ├── win_exfiltration_and_tunneling_tools_execution │ │ │ │ └── properties.yml │ │ │ ├── win_exploit_cve_2015_1641 │ │ │ │ └── properties.yml │ │ │ ├── win_exploit_cve_2017_0261 │ │ │ │ └── properties.yml │ │ │ ├── win_exploit_cve_2017_11882 │ │ │ │ └── properties.yml │ │ │ ├── win_exploit_cve_2017_8759 │ │ │ │ └── properties.yml │ │ │ ├── win_exploit_cve_2019_1378 │ │ │ │ └── properties.yml │ │ │ ├── win_exploit_cve_2019_1388 │ │ │ │ └── properties.yml │ │ │ ├── win_exploit_cve_2020_10189 │ │ │ │ └── properties.yml │ │ │ ├── win_exploit_cve_2020_1048 │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_exploit_cve_2020_1350 │ │ │ │ └── properties.yml │ │ │ ├── win_file_permission_modifications │ │ │ │ └── properties.yml │ │ │ ├── win_grabbing_sensitive_hives_via_reg │ │ │ │ └── properties.yml │ │ │ ├── win_hack_bloodhound │ │ │ │ └── properties.yml │ │ │ ├── win_hack_koadic │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_hack_rubeus │ │ │ │ └── properties.yml │ │ │ ├── win_hack_secutyxploded │ │ │ │ └── properties.yml │ │ │ ├── win_hh_chm │ │ │ │ └── properties.yml │ │ │ ├── win_hktl_createminidump │ │ │ │ └── properties.yml │ │ │ ├── win_html_help_spawn │ │ │ │ └── properties.yml │ │ │ ├── win_hwp_exploits │ │ │ │ └── properties.yml │ │ │ ├── win_impacket_lateralization │ │ │ │ └── properties.yml │ │ │ ├── win_indirect_cmd │ │ │ │ └── properties.yml │ │ │ ├── win_install_reg_debugger_backdoor │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_05.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_06.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_07.json │ │ │ │ └── properties.yml │ │ │ ├── win_interactive_at │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_invoke_obfuscation_obfuscated_iex_commandline │ │ │ │ └── properties.yml │ │ │ ├── win_kernel_and_3rd_party_drivers_exploits_token_stealing │ │ │ │ └── properties.yml │ │ │ ├── win_lethalhta │ │ │ │ └── properties.yml │ │ │ ├── win_local_system_owner_account_discovery │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ └── properties.yml │ │ │ ├── win_lsass_dump │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_mal_adwind │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_malware_dridex │ │ │ │ └── properties.yml │ │ │ ├── win_malware_dtrack │ │ │ │ └── properties.yml │ │ │ ├── win_malware_emotet │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_05.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_06.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_07.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_08.json │ │ │ │ └── properties.yml │ │ │ ├── win_malware_formbook │ │ │ │ └── properties.yml │ │ │ ├── win_malware_notpetya │ │ │ │ └── properties.yml │ │ │ ├── win_malware_qbot │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_malware_ryuk │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_malware_script_dropper │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_05.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_06.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_07.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_08.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_09.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_10.json │ │ │ │ └── properties.yml │ │ │ ├── win_malware_trickbot_recon_activity │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_malware_trickbot_wermgr │ │ │ │ └── properties.yml │ │ │ ├── win_malware_wannacry │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_mavinject_proc_inj │ │ │ │ └── properties.yml │ │ │ ├── win_meterpreter_or_cobaltstrike_getsystem_service_start │ │ │ │ └── properties.yml │ │ │ ├── win_mimikatz_command_line │ │ │ │ └── properties.yml │ │ │ ├── win_mmc_spawn_shell │ │ │ │ └── properties.yml │ │ │ ├── win_mouse_lock │ │ │ │ └── properties.yml │ │ │ ├── win_mshta_javascript │ │ │ │ └── properties.yml │ │ │ ├── win_mshta_spawn_shell │ │ │ │ └── properties.yml │ │ │ ├── win_multiple_suspicious_cli │ │ │ │ └── properties.yml │ │ │ ├── win_net_enum │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_net_user_add │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_netsh_allow_port_rdp │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_netsh_fw_add │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_netsh_fw_add_susp_image │ │ │ │ └── properties.yml │ │ │ ├── win_netsh_packet_capture │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_netsh_port_fwd │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_netsh_port_fwd_3389 │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_netsh_wifi_credential_harvesting │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_network_sniffing │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_new_service_creation │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_non_interactive_powershell │ │ │ │ └── properties.yml │ │ │ ├── win_office_shell │ │ │ │ └── properties.yml │ │ │ ├── win_office_spawn_exe_from_users_directory │ │ │ │ └── properties.yml │ │ │ ├── win_plugx_susp_exe_locations │ │ │ │ └── properties.yml │ │ │ ├── win_possible_applocker_bypass │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_05.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_06.json │ │ │ │ └── properties.yml │ │ │ ├── win_possible_privilege_escalation_using_rotten_potato │ │ │ │ └── properties.yml │ │ │ ├── win_powershell_amsi_bypass │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_powershell_audio_capture │ │ │ │ └── properties.yml │ │ │ ├── win_powershell_b64_shellcode │ │ │ │ └── properties.yml │ │ │ ├── win_powershell_bitsjob │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_powershell_dll_execution │ │ │ │ └── properties.yml │ │ │ ├── win_powershell_downgrade_attack │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_05.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_06.json │ │ │ │ └── properties.yml │ │ │ ├── win_powershell_download │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ └── properties.yml │ │ │ ├── win_powershell_frombase64string │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_powershell_suspicious_parameter_variation │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ └── properties.yml │ │ │ ├── win_powershell_xor_commandline │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_powersploit_empire_schtasks │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ └── properties.yml │ │ │ ├── win_proc_wrong_parent │ │ │ │ └── properties.yml │ │ │ ├── win_process_creation_bitsadmin_download │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_process_dump_rundll32_comsvcs │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_psexesvc_start │ │ │ │ └── properties.yml │ │ │ ├── win_query_registry │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_05.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_06.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_07.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_08.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_09.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_10.json │ │ │ │ └── properties.yml │ │ │ ├── win_rdp_hijack_shadowing │ │ │ │ └── properties.yml │ │ │ ├── win_redmimicry_winnti_proc │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_remote_powershell_session_process │ │ │ │ └── properties.yml │ │ │ ├── win_remote_time_discovery │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_renamed_binary │ │ │ │ └── properties.yml │ │ │ ├── win_renamed_binary_highly_relevant │ │ │ │ └── properties.yml │ │ │ ├── win_renamed_jusched │ │ │ │ └── properties.yml │ │ │ ├── win_renamed_paexec │ │ │ │ └── properties.yml │ │ │ ├── win_renamed_powershell │ │ │ │ └── properties.yml │ │ │ ├── win_renamed_procdump │ │ │ │ └── properties.yml │ │ │ ├── win_renamed_psexec │ │ │ │ └── properties.yml │ │ │ ├── win_run_powershell_script_from_ads │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_sdbinst_shim_persistence │ │ │ │ └── properties.yml │ │ │ ├── win_service_execution │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_service_stop │ │ │ │ └── properties.yml │ │ │ ├── win_shadow_copies_access_symlink │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_shadow_copies_creation │ │ │ │ └── properties.yml │ │ │ ├── win_shadow_copies_deletion │ │ │ │ └── properties.yml │ │ │ ├── win_shell_spawn_susp_program │ │ │ │ └── properties.yml │ │ │ ├── win_silenttrinity_stage_use │ │ │ │ └── properties.yml │ │ │ ├── win_soundrec_audio_capture │ │ │ │ └── properties.yml │ │ │ ├── win_spn_enum │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_adfind │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_bcdedit │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_bginfo │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_calc │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_cdb │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_certutil_command │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_certutil_encode │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_cli_escape │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_cmd_http_appdata │ │ │ │ └── properties.yml │ │ │ ├── win_susp_codepage_switch │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_commands_recon_activity │ │ │ │ └── properties.yml │ │ │ ├── win_susp_compression_params │ │ │ │ └── properties.yml │ │ │ ├── win_susp_comsvcs_procdump │ │ │ │ └── properties.yml │ │ │ ├── win_susp_conhost │ │ │ │ └── properties.yml │ │ │ ├── win_susp_control_dll_load │ │ │ │ └── properties.yml │ │ │ ├── win_susp_copy_lateral_movement │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_copy_system32 │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_covenant │ │ │ │ └── properties.yml │ │ │ ├── win_susp_crackmapexec_execution │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_crackmapexec_powershell_obfuscation │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_csc │ │ │ │ └── properties.yml │ │ │ ├── win_susp_csc_folder │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_curl_download │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_curl_fileupload │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_curl_start_combo │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_dctask64_proc_inject │ │ │ │ └── properties.yml │ │ │ ├── win_susp_desktopimgdownldr │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_devtoolslauncher │ │ │ │ └── properties.yml │ │ │ ├── win_susp_direct_asep_reg_keys_modification │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_05.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_06.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_07.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_08.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_09.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_10.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_disable_ie_features │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_disable_raccine │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_ditsnap │ │ │ │ └── properties.yml │ │ │ ├── win_susp_dnx │ │ │ │ └── properties.yml │ │ │ ├── win_susp_double_extension │ │ │ │ └── properties.yml │ │ │ ├── win_susp_dxcap │ │ │ │ └── properties.yml │ │ │ ├── win_susp_emotet_rudll32_execution │ │ │ │ └── properties.yml │ │ │ ├── win_susp_eventlog_clear │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_05.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_06.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_07.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_exec_folder │ │ │ │ └── properties.yml │ │ │ ├── win_susp_execution_path │ │ │ │ └── properties.yml │ │ │ ├── win_susp_execution_path_webserver │ │ │ │ └── properties.yml │ │ │ ├── win_susp_explorer_break_proctree │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_file_characteristics │ │ │ │ └── properties.yml │ │ │ ├── win_susp_findstr_lnk │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_firewall_disable │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_fsutil_usage │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_gup │ │ │ │ └── properties.yml │ │ │ ├── win_susp_iss_module_install │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_mpcmdrun_download │ │ │ │ └── properties.yml │ │ │ ├── win_susp_msiexec_cwd │ │ │ │ └── properties.yml │ │ │ ├── win_susp_msiexec_web_install │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_msoffice │ │ │ │ └── properties.yml │ │ │ ├── win_susp_net_execution │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_05.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_06.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_07.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_08.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_netsh_dll_persistence │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_ntdsutil │ │ │ │ └── properties.yml │ │ │ ├── win_susp_odbcconf │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_openwith │ │ │ │ └── properties.yml │ │ │ ├── win_susp_outlook │ │ │ │ └── properties.yml │ │ │ ├── win_susp_outlook_temp │ │ │ │ └── properties.yml │ │ │ ├── win_susp_ping_hex_ip │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_powershell_empire_launch │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_05.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_powershell_empire_uac_bypass │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_powershell_enc_cmd │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_powershell_encoded_param │ │ │ │ └── properties.yml │ │ │ ├── win_susp_powershell_hidden_b64_cmd │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_powershell_parent_combo │ │ │ │ └── properties.yml │ │ │ ├── win_susp_powershell_parent_process │ │ │ │ └── properties.yml │ │ │ ├── win_susp_procdump │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_prog_location_process_starts │ │ │ │ └── properties.yml │ │ │ ├── win_susp_ps_appdata │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_ps_downloadfile │ │ │ │ └── properties.yml │ │ │ ├── win_susp_psexec_eula │ │ │ │ └── properties.yml │ │ │ ├── win_susp_psr_capture_screenshots │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_rar_flags │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_rasdial_activity │ │ │ │ └── properties.yml │ │ │ ├── win_susp_recon_activity │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_regsvr32_anomalies │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_regsvr32_flags_anomaly │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_renamed_dctask64 │ │ │ │ └── properties.yml │ │ │ ├── win_susp_renamed_debugview │ │ │ │ └── properties.yml │ │ │ ├── win_susp_run_locations │ │ │ │ └── properties.yml │ │ │ ├── win_susp_rundll32_activity │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_05.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_06.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_rundll32_by_ordinal │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_schtask_creation │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_script_execution │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_service_path_modification │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_shell_spawn_from_mssql │ │ │ │ └── properties.yml │ │ │ ├── win_susp_squirrel_lolbin │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_svchost │ │ │ │ └── properties.yml │ │ │ ├── win_susp_svchost_no_cli │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_sysprep_appdata │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_sysvol_access │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_taskmgr_localsystem │ │ │ │ └── properties.yml │ │ │ ├── win_susp_taskmgr_parent │ │ │ │ └── properties.yml │ │ │ ├── win_susp_tscon_localsystem │ │ │ │ └── properties.yml │ │ │ ├── win_susp_tscon_rdp_redirect │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_use_of_csharp_console │ │ │ │ └── properties.yml │ │ │ ├── win_susp_userinit_child │ │ │ │ └── properties.yml │ │ │ ├── win_susp_volsnap_disable │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_whoami │ │ │ │ └── properties.yml │ │ │ ├── win_susp_wmi_execution │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_wmic_proc_create_rundll32 │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_wmic_security_product_uninstall │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_susp_wuauclt │ │ │ │ └── properties.yml │ │ │ ├── win_sysmon_driver_unload │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_system_exe_anomaly │ │ │ │ └── properties.yml │ │ │ ├── win_tap_installer_execution │ │ │ │ └── properties.yml │ │ │ ├── win_task_folder_evasion │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_termserv_proc_spawn │ │ │ │ └── properties.yml │ │ │ ├── win_trust_discovery │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_uac_cmstp │ │ │ │ └── properties.yml │ │ │ ├── win_uac_fodhelper │ │ │ │ └── properties.yml │ │ │ ├── win_uac_wsreset │ │ │ │ └── properties.yml │ │ │ ├── win_using_sc_to_change_sevice_image_path_by_non_admin │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_vul_java_remote_debugging │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Evasion_Cmdline_04.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ └── properties.yml │ │ │ ├── win_webshell_detection │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ └── properties.yml │ │ │ ├── win_webshell_recon_detection │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_04.json │ │ │ │ └── properties.yml │ │ │ ├── win_webshell_spawn │ │ │ │ └── properties.yml │ │ │ ├── win_whoami_as_system │ │ │ │ └── properties.yml │ │ │ ├── win_win10_sched_task_0day │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_01.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_02.json │ │ │ │ ├── Microsoft-Windows-Sysmon_1_Match_03.json │ │ │ │ └── properties.yml │ │ │ ├── win_wmi_backdoor_exchange_transport_agent │ │ │ │ └── properties.yml │ │ │ ├── win_wmi_persistence_script_event_consumer │ │ │ │ └── properties.yml │ │ │ ├── win_wmi_spwns_powershell │ │ │ │ └── properties.yml │ │ │ ├── win_wmiprvse_spawning_process │ │ │ │ └── properties.yml │ │ │ ├── win_workflow_compiler │ │ │ │ └── properties.yml │ │ │ ├── win_wsreset_uac_bypass │ │ │ │ └── properties.yml │ │ │ └── win_xsl_script_processing │ │ │ │ └── properties.yml │ │ │ └── registry │ │ │ ├── values_evasion_registry │ │ │ └── values_evasion_registry_multi │ └── rules │ │ ├── proxyweb │ │ ├── values_rules_proxyweb │ │ └── values_rules_proxyweb_multi │ │ └── windows │ │ ├── powershell │ │ ├── values_rules_powershell │ │ └── values_rules_powershell_multi │ │ ├── process_creation │ │ ├── cmstp_execution.yml │ │ ├── sysmon_apt_muddywater_dnstunnel.yml │ │ ├── sysmon_hack_wce.yml │ │ ├── sysmon_logon_scripts_userinitmprlogonscript_proc.yml │ │ ├── sysmon_susp_plink_remote_forward.yml │ │ ├── win_advanced_ip_scanner.yml │ │ ├── win_apt_apt29_thinktanks.yml │ │ ├── win_apt_babyshark.yml │ │ ├── win_apt_bear_activity_gtr19.yml │ │ ├── win_apt_bluemashroom.yml │ │ ├── win_apt_chafer_mar18.yml │ │ ├── win_apt_cloudhopper.yml │ │ ├── win_apt_dragonfly.yml │ │ ├── win_apt_elise.yml │ │ ├── win_apt_emissarypanda_sep19.yml │ │ ├── win_apt_empiremonkey.yml │ │ ├── win_apt_equationgroup_dll_u_load.yml │ │ ├── win_apt_evilnum_jul20.yml │ │ ├── win_apt_gallium.yml │ │ ├── win_apt_greenbug_may20.yml │ │ ├── win_apt_hurricane_panda.yml │ │ ├── win_apt_judgement_panda_gtr19.yml │ │ ├── win_apt_ke3chang_regadd.yml │ │ ├── win_apt_lazarus_activity_dec20.yml │ │ ├── win_apt_lazarus_loader.yml │ │ ├── win_apt_lazarus_session_highjack.yml │ │ ├── win_apt_mustangpanda.yml │ │ ├── win_apt_slingshot.yml │ │ ├── win_apt_sofacy.yml │ │ ├── win_apt_ta17_293a_ps.yml │ │ ├── win_apt_ta505_dropper.yml │ │ ├── win_apt_taidoor.yml │ │ ├── win_apt_tropictrooper.yml │ │ ├── win_apt_turla_comrat_may20.yml │ │ ├── win_apt_unc2452_cmds.yml │ │ ├── win_apt_unc2452_ps.yml │ │ ├── win_apt_unidentified_nov_18.yml │ │ ├── win_apt_winnti_mal_hk_jan20.yml │ │ ├── win_apt_winnti_pipemon.yml │ │ ├── win_apt_wocao.yml │ │ ├── win_apt_zxshell.yml │ │ ├── win_attrib_hiding_files.yml │ │ ├── win_bootconf_mod.yml │ │ ├── win_bypass_squiblytwo.yml │ │ ├── win_change_default_file_association.yml │ │ ├── win_cmdkey_recon.yml │ │ ├── win_cmstp_com_object_access.yml │ │ ├── win_commandline_path_traversal.yml │ │ ├── win_control_panel_item.yml │ │ ├── win_copying_sensitive_files_with_credential_data.yml │ │ ├── win_crime_fireball.yml │ │ ├── win_crime_maze_ransomware.yml │ │ ├── win_crime_snatch_ransomware.yml │ │ ├── win_data_compressed_with_rar.yml │ │ ├── win_dns_exfiltration_tools_execution.yml │ │ ├── win_dsquery_domain_trust_discovery.yml │ │ ├── win_encoded_frombase64string.yml │ │ ├── win_encoded_iex.yml │ │ ├── win_etw_modification_cmdline.yml │ │ ├── win_etw_trace_evasion.yml │ │ ├── win_exfiltration_and_tunneling_tools_execution.yml │ │ ├── win_exploit_cve_2015_1641.yml │ │ ├── win_exploit_cve_2017_0261.yml │ │ ├── win_exploit_cve_2017_11882.yml │ │ ├── win_exploit_cve_2017_8759.yml │ │ ├── win_exploit_cve_2019_1378.yml │ │ ├── win_exploit_cve_2019_1388.yml │ │ ├── win_exploit_cve_2020_10189.yml │ │ ├── win_exploit_cve_2020_1048.yml │ │ ├── win_exploit_cve_2020_1350.yml │ │ ├── win_file_permission_modifications.yml │ │ ├── win_grabbing_sensitive_hives_via_reg.yml │ │ ├── win_hack_bloodhound.yml │ │ ├── win_hack_koadic.yml │ │ ├── win_hack_rubeus.yml │ │ ├── win_hack_secutyxploded.yml │ │ ├── win_hh_chm.yml │ │ ├── win_hktl_createminidump.yml │ │ ├── win_html_help_spawn.yml │ │ ├── win_hwp_exploits.yml │ │ ├── win_impacket_lateralization.yml │ │ ├── win_indirect_cmd.yml │ │ ├── win_install_reg_debugger_backdoor.yml │ │ ├── win_interactive_at.yml │ │ ├── win_invoke_obfuscation_obfuscated_iex_commandline.yml │ │ ├── win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml │ │ ├── win_lethalhta.yml │ │ ├── win_local_system_owner_account_discovery.yml │ │ ├── win_lsass_dump.yml │ │ ├── win_mal_adwind.yml │ │ ├── win_malware_dridex.yml │ │ ├── win_malware_dtrack.yml │ │ ├── win_malware_emotet.yml │ │ ├── win_malware_formbook.yml │ │ ├── win_malware_notpetya.yml │ │ ├── win_malware_qbot.yml │ │ ├── win_malware_ryuk.yml │ │ ├── win_malware_script_dropper.yml │ │ ├── win_malware_trickbot_recon_activity.yml │ │ ├── win_malware_trickbot_wermgr.yml │ │ ├── win_malware_wannacry.yml │ │ ├── win_mavinject_proc_inj.yml │ │ ├── win_meterpreter_or_cobaltstrike_getsystem_service_start.yml │ │ ├── win_mimikatz_command_line.yml │ │ ├── win_mmc_spawn_shell.yml │ │ ├── win_mouse_lock.yml │ │ ├── win_mshta_javascript.yml │ │ ├── win_mshta_spawn_shell.yml │ │ ├── win_net_enum.yml │ │ ├── win_net_user_add.yml │ │ ├── win_netsh_allow_port_rdp.yml │ │ ├── win_netsh_fw_add.yml │ │ ├── win_netsh_fw_add_susp_image.yml │ │ ├── win_netsh_packet_capture.yml │ │ ├── win_netsh_port_fwd.yml │ │ ├── win_netsh_port_fwd_3389.yml │ │ ├── win_netsh_wifi_credential_harvesting.yml │ │ ├── win_network_sniffing.yml │ │ ├── win_new_service_creation.yml │ │ ├── win_non_interactive_powershell.yml │ │ ├── win_office_shell.yml │ │ ├── win_office_spawn_exe_from_users_directory.yml │ │ ├── win_plugx_susp_exe_locations.yml │ │ ├── win_possible_applocker_bypass.yml │ │ ├── win_possible_privilege_escalation_using_rotten_potato.yml │ │ ├── win_powershell_amsi_bypass.yml │ │ ├── win_powershell_audio_capture.yml │ │ ├── win_powershell_b64_shellcode.yml │ │ ├── win_powershell_bitsjob.yml │ │ ├── win_powershell_dll_execution.yml │ │ ├── win_powershell_downgrade_attack.yml │ │ ├── win_powershell_download.yml │ │ ├── win_powershell_frombase64string.yml │ │ ├── win_powershell_suspicious_parameter_variation.yml │ │ ├── win_powershell_xor_commandline.yml │ │ ├── win_powersploit_empire_schtasks.yml │ │ ├── win_proc_wrong_parent.yml │ │ ├── win_process_creation_bitsadmin_download.yml │ │ ├── win_process_dump_rundll32_comsvcs.yml │ │ ├── win_psexesvc_start.yml │ │ ├── win_query_registry.yml │ │ ├── win_rdp_hijack_shadowing.yml │ │ ├── win_redmimicry_winnti_proc.yml │ │ ├── win_remote_powershell_session_process.yml │ │ ├── win_remote_time_discovery.yml │ │ ├── win_renamed_binary.yml │ │ ├── win_renamed_binary_highly_relevant.yml │ │ ├── win_renamed_jusched.yml │ │ ├── win_renamed_paexec.yml │ │ ├── win_renamed_powershell.yml │ │ ├── win_renamed_procdump.yml │ │ ├── win_renamed_psexec.yml │ │ ├── win_run_powershell_script_from_ads.yml │ │ ├── win_sdbinst_shim_persistence.yml │ │ ├── win_service_execution.yml │ │ ├── win_service_stop.yml │ │ ├── win_shadow_copies_access_symlink.yml │ │ ├── win_shadow_copies_creation.yml │ │ ├── win_shadow_copies_deletion.yml │ │ ├── win_shell_spawn_susp_program.yml │ │ ├── win_silenttrinity_stage_use.yml │ │ ├── win_soundrec_audio_capture.yml │ │ ├── win_spn_enum.yml │ │ ├── win_susp_adfind.yml │ │ ├── win_susp_bcdedit.yml │ │ ├── win_susp_bginfo.yml │ │ ├── win_susp_calc.yml │ │ ├── win_susp_cdb.yml │ │ ├── win_susp_certutil_command.yml │ │ ├── win_susp_certutil_encode.yml │ │ ├── win_susp_cli_escape.yml │ │ ├── win_susp_cmd_http_appdata.yml │ │ ├── win_susp_codepage_switch.yml │ │ ├── win_susp_compression_params.yml │ │ ├── win_susp_comsvcs_procdump.yml │ │ ├── win_susp_conhost.yml │ │ ├── win_susp_control_dll_load.yml │ │ ├── win_susp_copy_lateral_movement.yml │ │ ├── win_susp_copy_system32.yml │ │ ├── win_susp_covenant.yml │ │ ├── win_susp_crackmapexec_execution.yml │ │ ├── win_susp_crackmapexec_powershell_obfuscation.yml │ │ ├── win_susp_csc.yml │ │ ├── win_susp_csc_folder.yml │ │ ├── win_susp_curl_download.yml │ │ ├── win_susp_curl_fileupload.yml │ │ ├── win_susp_curl_start_combo.yml │ │ ├── win_susp_dctask64_proc_inject.yml │ │ ├── win_susp_desktopimgdownldr.yml │ │ ├── win_susp_devtoolslauncher.yml │ │ ├── win_susp_direct_asep_reg_keys_modification.yml │ │ ├── win_susp_disable_ie_features.yml │ │ ├── win_susp_disable_raccine.yml │ │ ├── win_susp_ditsnap.yml │ │ ├── win_susp_dnx.yml │ │ ├── win_susp_double_extension.yml │ │ ├── win_susp_dxcap.yml │ │ ├── win_susp_emotet_rudll32_execution.yml │ │ ├── win_susp_eventlog_clear.yml │ │ ├── win_susp_exec_folder.yml │ │ ├── win_susp_execution_path.yml │ │ ├── win_susp_execution_path_webserver.yml │ │ ├── win_susp_explorer_break_proctree.yml │ │ ├── win_susp_file_characteristics.yml │ │ ├── win_susp_findstr_lnk.yml │ │ ├── win_susp_firewall_disable.yml │ │ ├── win_susp_fsutil_usage.yml │ │ ├── win_susp_gup.yml │ │ ├── win_susp_iss_module_install.yml │ │ ├── win_susp_mpcmdrun_download.yml │ │ ├── win_susp_msiexec_cwd.yml │ │ ├── win_susp_msiexec_web_install.yml │ │ ├── win_susp_msoffice.yml │ │ ├── win_susp_net_execution.yml │ │ ├── win_susp_netsh_dll_persistence.yml │ │ ├── win_susp_ntdsutil.yml │ │ ├── win_susp_odbcconf.yml │ │ ├── win_susp_openwith.yml │ │ ├── win_susp_outlook.yml │ │ ├── win_susp_outlook_temp.yml │ │ ├── win_susp_ping_hex_ip.yml │ │ ├── win_susp_powershell_empire_launch.yml │ │ ├── win_susp_powershell_empire_uac_bypass.yml │ │ ├── win_susp_powershell_enc_cmd.yml │ │ ├── win_susp_powershell_encoded_param.yml │ │ ├── win_susp_powershell_hidden_b64_cmd.yml │ │ ├── win_susp_powershell_parent_combo.yml │ │ ├── win_susp_powershell_parent_process.yml │ │ ├── win_susp_procdump.yml │ │ ├── win_susp_prog_location_process_starts.yml │ │ ├── win_susp_ps_appdata.yml │ │ ├── win_susp_ps_downloadfile.yml │ │ ├── win_susp_psexec_eula.yml │ │ ├── win_susp_psr_capture_screenshots.yml │ │ ├── win_susp_rar_flags.yml │ │ ├── win_susp_rasdial_activity.yml │ │ ├── win_susp_recon_activity.yml │ │ ├── win_susp_regsvr32_anomalies.yml │ │ ├── win_susp_regsvr32_flags_anomaly.yml │ │ ├── win_susp_renamed_dctask64.yml │ │ ├── win_susp_renamed_debugview.yml │ │ ├── win_susp_run_locations.yml │ │ ├── win_susp_rundll32_activity.yml │ │ ├── win_susp_rundll32_by_ordinal.yml │ │ ├── win_susp_schtask_creation.yml │ │ ├── win_susp_script_execution.yml │ │ ├── win_susp_service_path_modification.yml │ │ ├── win_susp_shell_spawn_from_mssql.yml │ │ ├── win_susp_squirrel_lolbin.yml │ │ ├── win_susp_svchost.yml │ │ ├── win_susp_svchost_no_cli.yml │ │ ├── win_susp_sysprep_appdata.yml │ │ ├── win_susp_sysvol_access.yml │ │ ├── win_susp_taskmgr_localsystem.yml │ │ ├── win_susp_taskmgr_parent.yml │ │ ├── win_susp_tscon_localsystem.yml │ │ ├── win_susp_tscon_rdp_redirect.yml │ │ ├── win_susp_use_of_csharp_console.yml │ │ ├── win_susp_userinit_child.yml │ │ ├── win_susp_volsnap_disable.yml │ │ ├── win_susp_whoami.yml │ │ ├── win_susp_wmi_execution.yml │ │ ├── win_susp_wmic_proc_create_rundll32.yml │ │ ├── win_susp_wmic_security_product_uninstall.yml │ │ ├── win_susp_wuauclt.yml │ │ ├── win_sysmon_driver_unload.yml │ │ ├── win_system_exe_anomaly.yml │ │ ├── win_tap_installer_execution.yml │ │ ├── win_task_folder_evasion.yml │ │ ├── win_termserv_proc_spawn.yml │ │ ├── win_trust_discovery.yml │ │ ├── win_uac_cmstp.yml │ │ ├── win_uac_fodhelper.yml │ │ ├── win_uac_wsreset.yml │ │ ├── win_using_sc_to_change_sevice_image_path_by_non_admin.yml │ │ ├── win_vul_java_remote_debugging.yml │ │ ├── win_webshell_detection.yml │ │ ├── win_webshell_recon_detection.yml │ │ ├── win_webshell_spawn.yml │ │ ├── win_whoami_as_system.yml │ │ ├── win_win10_sched_task_0day.yml │ │ ├── win_wmi_backdoor_exchange_transport_agent.yml │ │ ├── win_wmi_persistence_script_event_consumer.yml │ │ ├── win_wmi_spwns_powershell.yml │ │ ├── win_wmiprvse_spawning_process.yml │ │ ├── win_workflow_compiler.yml │ │ ├── win_wsreset_uac_bypass.yml │ │ └── win_xsl_script_processing.yml │ │ └── registry │ │ ├── values_rules_registry │ │ └── values_rules_registry_multi └── socbed │ ├── powershell │ ├── all │ ├── train │ └── validation │ ├── process_creation │ ├── all │ ├── train │ └── validation │ ├── proxy_web │ ├── all │ ├── train │ └── validation │ └── registry │ ├── all │ ├── train │ └── validation ├── docs └── amides.png ├── remove_containers.sh ├── remove_image.sh ├── run_experiments.sh └── start_env.sh /.dockerignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/.dockerignore -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /CITATION.cff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/CITATION.cff -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/Dockerfile -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/LICENSE -------------------------------------------------------------------------------- /Paper Supplement.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/Paper Supplement.pdf -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/README.md -------------------------------------------------------------------------------- /amides/.dockerignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/.dockerignore -------------------------------------------------------------------------------- /amides/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/.gitignore -------------------------------------------------------------------------------- /amides/amides/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /amides/amides/data.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/amides/data.py -------------------------------------------------------------------------------- /amides/amides/evaluation.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/amides/evaluation.py -------------------------------------------------------------------------------- /amides/amides/events.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/amides/events.py -------------------------------------------------------------------------------- /amides/amides/features/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /amides/amides/features/deduplicate.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/amides/features/deduplicate.py -------------------------------------------------------------------------------- /amides/amides/features/extraction.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/amides/features/extraction.py -------------------------------------------------------------------------------- /amides/amides/features/filter.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/amides/features/filter.py -------------------------------------------------------------------------------- /amides/amides/features/normalize.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/amides/features/normalize.py -------------------------------------------------------------------------------- /amides/amides/features/preprocessing.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/amides/features/preprocessing.py -------------------------------------------------------------------------------- /amides/amides/features/tokenization.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/amides/features/tokenization.py -------------------------------------------------------------------------------- /amides/amides/models/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /amides/amides/models/selection.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/amides/models/selection.py -------------------------------------------------------------------------------- /amides/amides/persist.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/amides/persist.py -------------------------------------------------------------------------------- /amides/amides/scale.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/amides/scale.py -------------------------------------------------------------------------------- /amides/amides/sigma.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/amides/sigma.py -------------------------------------------------------------------------------- /amides/amides/utils.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/amides/utils.py -------------------------------------------------------------------------------- /amides/amides/visualization.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/amides/visualization.py -------------------------------------------------------------------------------- /amides/bin/add_scaler.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/add_scaler.py -------------------------------------------------------------------------------- /amides/bin/combine_models.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/combine_models.py -------------------------------------------------------------------------------- /amides/bin/confidence.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/confidence.py -------------------------------------------------------------------------------- /amides/bin/config/powershell/eval_misuse_svc_rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/powershell/eval_misuse_svc_rules.json -------------------------------------------------------------------------------- /amides/bin/config/powershell/train_misuse_svc_rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/powershell/train_misuse_svc_rules.json -------------------------------------------------------------------------------- /amides/bin/config/powershell/validate_misuse_svc_rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/powershell/validate_misuse_svc_rules.json -------------------------------------------------------------------------------- /amides/bin/config/pr_plot_powershell_proxy_registry.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/pr_plot_powershell_proxy_registry.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/attr_plot.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/attr_plot.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/eval_attr.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/eval_attr.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/eval_misuse_svc_matches.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/eval_misuse_svc_matches.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/eval_misuse_svc_rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/eval_misuse_svc_rules.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/eval_misuse_svc_rules_tainted.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/eval_misuse_svc_rules_tainted.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/params.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/params.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/pr_plot_tainted.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/pr_plot_tainted.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/prt_plot_misuse_rules_matches.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/prt_plot_misuse_rules_matches.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/train_attr_svc_rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/train_attr_svc_rules.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/train_misuse_svc_matches.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/train_misuse_svc_matches.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/train_misuse_svc_rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/train_misuse_svc_rules.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/train_misuse_svc_rules_tainted_10.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/train_misuse_svc_rules_tainted_10.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/train_misuse_svc_rules_tainted_20.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/train_misuse_svc_rules_tainted_20.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/train_misuse_svc_rules_tainted_30.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/train_misuse_svc_rules_tainted_30.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/validate_misuse_svc_matches.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/validate_misuse_svc_matches.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/validate_misuse_svc_rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/validate_misuse_svc_rules.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/validate_misuse_svc_rules_tainted_10.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/validate_misuse_svc_rules_tainted_10.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/validate_misuse_svc_rules_tainted_20.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/validate_misuse_svc_rules_tainted_20.json -------------------------------------------------------------------------------- /amides/bin/config/process_creation/validate_misuse_svc_rules_tainted_30.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/process_creation/validate_misuse_svc_rules_tainted_30.json -------------------------------------------------------------------------------- /amides/bin/config/proxy_web/eval_misuse_svc_rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/proxy_web/eval_misuse_svc_rules.json -------------------------------------------------------------------------------- /amides/bin/config/proxy_web/train_misuse_svc_rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/proxy_web/train_misuse_svc_rules.json -------------------------------------------------------------------------------- /amides/bin/config/proxy_web/validate_misuse_svc_rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/proxy_web/validate_misuse_svc_rules.json -------------------------------------------------------------------------------- /amides/bin/config/registry/eval_misuse_svc_rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/registry/eval_misuse_svc_rules.json -------------------------------------------------------------------------------- /amides/bin/config/registry/train_misuse_svc_rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/registry/train_misuse_svc_rules.json -------------------------------------------------------------------------------- /amides/bin/config/registry/validate_misuse_svc_rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/config/registry/validate_misuse_svc_rules.json -------------------------------------------------------------------------------- /amides/bin/eval_attr.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/eval_attr.py -------------------------------------------------------------------------------- /amides/bin/eval_mcc_scaling.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/eval_mcc_scaling.py -------------------------------------------------------------------------------- /amides/bin/extract_features.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/extract_features.py -------------------------------------------------------------------------------- /amides/bin/extract_terms.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/extract_terms.py -------------------------------------------------------------------------------- /amides/bin/extract_terms_multi.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/extract_terms_multi.py -------------------------------------------------------------------------------- /amides/bin/normalize.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/normalize.py -------------------------------------------------------------------------------- /amides/bin/plot_attr.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/plot_attr.py -------------------------------------------------------------------------------- /amides/bin/plot_df_hist.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/plot_df_hist.py -------------------------------------------------------------------------------- /amides/bin/plot_df_values.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/plot_df_values.py -------------------------------------------------------------------------------- /amides/bin/plot_multi_tainted.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/plot_multi_tainted.py -------------------------------------------------------------------------------- /amides/bin/plot_pr.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/plot_pr.py -------------------------------------------------------------------------------- /amides/bin/split_terms.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/split_terms.py -------------------------------------------------------------------------------- /amides/bin/train.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/train.py -------------------------------------------------------------------------------- /amides/bin/train_new_types.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/train_new_types.py -------------------------------------------------------------------------------- /amides/bin/train_new_types_multi.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/train_new_types_multi.py -------------------------------------------------------------------------------- /amides/bin/validate.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/validate.py -------------------------------------------------------------------------------- /amides/bin/validate_new_types.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/validate_new_types.py -------------------------------------------------------------------------------- /amides/bin/validate_new_types_multi.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/bin/validate_new_types_multi.py -------------------------------------------------------------------------------- /amides/classification.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/classification.sh -------------------------------------------------------------------------------- /amides/classification_other_types.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/classification_other_types.sh -------------------------------------------------------------------------------- /amides/experiments.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/experiments.sh -------------------------------------------------------------------------------- /amides/requirements.in: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/requirements.in -------------------------------------------------------------------------------- /amides/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/requirements.txt -------------------------------------------------------------------------------- /amides/requirements_dev.in: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/requirements_dev.in -------------------------------------------------------------------------------- /amides/requirements_dev.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/requirements_dev.txt -------------------------------------------------------------------------------- /amides/rule_attribution.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/rule_attribution.sh -------------------------------------------------------------------------------- /amides/setup.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/setup.py -------------------------------------------------------------------------------- /amides/tainted_training.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tainted_training.sh -------------------------------------------------------------------------------- /amides/tests/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /amides/tests/data/json_to_jsonl.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/json_to_jsonl.py -------------------------------------------------------------------------------- /amides/tests/data/scale_events.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/scale_events.py -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/events/proxyweb/rule_1/Proxy_Evasion_url_full_01.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/events/proxyweb/rule_1/Proxy_Evasion_url_full_01.json -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/events/proxyweb/rule_1/Proxy_Evasion_url_full_02.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/events/proxyweb/rule_1/Proxy_Evasion_url_full_02.json -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/events/proxyweb/rule_1/Proxy_Evasion_url_full_03.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/events/proxyweb/rule_1/Proxy_Evasion_url_full_03.json -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/events/proxyweb/rule_1/Proxy_Evasion_url_full_04.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/events/proxyweb/rule_1/Proxy_Evasion_url_full_04.json -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/events/proxyweb/rule_1/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/events/proxyweb/rule_1/properties.yml -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/events/windows/powershell/rule_1/Microsoft-Windows-Powershell_4104_Evasion_Keyless_04.json: -------------------------------------------------------------------------------- 1 | { 2 | "Keyless": "Remove-Item (Get-PSReadLineOption).HistorySavePath" 3 | } 4 | -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/events/windows/powershell/rule_1/Microsoft-Windows-Powershell_4104_Evasion_Keyless_05.json: -------------------------------------------------------------------------------- 1 | { 2 | "Keyless": "Remove-Item (Get-PSReadLineOption).HistorySavePath" 3 | } 4 | -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/events/windows/powershell/rule_1/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/events/windows/powershell/rule_1/properties.yml -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/events/windows/process_creation/rule_1/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/events/windows/process_creation/rule_1/properties.yml -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/events/windows/process_creation/rule_2/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/events/windows/process_creation/rule_2/properties.yml -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/events/windows/registry/rule_1/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/events/windows/registry/rule_1/properties.yml -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/rules/proc_cmdline.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/rules/proc_cmdline.json -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/rules/proxyweb/rule_1.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/rules/proxyweb/rule_1.yml -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/rules/selected_proc_cmdline.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/rules/selected_proc_cmdline.json -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/rules/windows/powershell/rule_1.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/rules/windows/powershell/rule_1.yml -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/rules/windows/process_creation/rule_1.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/rules/windows/process_creation/rule_1.yml -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/rules/windows/process_creation/rule_2.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/rules/windows/process_creation/rule_2.yml -------------------------------------------------------------------------------- /amides/tests/data/sigma-study/rules/windows/registry/rule_1.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/sigma-study/rules/windows/registry/rule_1.yml -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/powershell/jsonl/Microsoft-Windows-PowerShell_4104.jsonl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/powershell/jsonl/Microsoft-Windows-PowerShell_4104.jsonl -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0001.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0001.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0002.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0002.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0003.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0003.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0004.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0004.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0005.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0005.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0006.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0006.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0007.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0007.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0008.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0008.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0009.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0009.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0010.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0010.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0011.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0011.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0012.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0012.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0013.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0013.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0014.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0014.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0015.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0015.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0016.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0016.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0017.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0017.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0018.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0018.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0019.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0019.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/json/0020.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/json/0020.json -------------------------------------------------------------------------------- /amides/tests/data/socbed-sample/process_creation/jsonl/Microsoft-Windows-Sysmon_1.jsonl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/data/socbed-sample/process_creation/jsonl/Microsoft-Windows-Sysmon_1.jsonl -------------------------------------------------------------------------------- /amides/tests/unit/test_data.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/unit/test_data.py -------------------------------------------------------------------------------- /amides/tests/unit/test_events.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/unit/test_events.py -------------------------------------------------------------------------------- /amides/tests/unit/test_extraction.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/unit/test_extraction.py -------------------------------------------------------------------------------- /amides/tests/unit/test_models_selection.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/unit/test_models_selection.py -------------------------------------------------------------------------------- /amides/tests/unit/test_persist.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/unit/test_persist.py -------------------------------------------------------------------------------- /amides/tests/unit/test_result.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/unit/test_result.py -------------------------------------------------------------------------------- /amides/tests/unit/test_sigma.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/unit/test_sigma.py -------------------------------------------------------------------------------- /amides/tests/unit/test_utils.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tests/unit/test_utils.py -------------------------------------------------------------------------------- /amides/tox.ini: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/amides/tox.ini -------------------------------------------------------------------------------- /cleanup.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/cleanup.sh -------------------------------------------------------------------------------- /data/sigma/events/proxyweb/values_evasion_proxyweb: -------------------------------------------------------------------------------- 1 | http://172.18.0.2/dvwa/list//suc?name=foo 2 | -------------------------------------------------------------------------------- /data/sigma/events/proxyweb/values_evasion_proxyweb_multi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/proxyweb/values_evasion_proxyweb_multi -------------------------------------------------------------------------------- /data/sigma/events/windows/powershell/values_evasion_powershell: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/powershell/values_evasion_powershell -------------------------------------------------------------------------------- /data/sigma/events/windows/powershell/values_evasion_powershell_multi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/powershell/values_evasion_powershell_multi -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/cmstp_execution/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/cmstp_execution/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/sysmon_apt_muddywater_dnstunnel/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/sysmon_apt_muddywater_dnstunnel/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/sysmon_hack_wce/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/sysmon_hack_wce/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/sysmon_susp_plink_remote_forward/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/sysmon_susp_plink_remote_forward/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_advanced_ip_scanner/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_advanced_ip_scanner/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_apt29_thinktanks/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_apt29_thinktanks/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_babyshark/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_babyshark/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_bear_activity_gtr19/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_bear_activity_gtr19/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_bluemashroom/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_bluemashroom/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_chafer_mar18/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_chafer_mar18/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_cloudhopper/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_cloudhopper/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_dragonfly/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_dragonfly/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_elise/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_elise/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_emissarypanda_sep19/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_emissarypanda_sep19/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_empiremonkey/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_empiremonkey/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_equationgroup_dll_u_load/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_equationgroup_dll_u_load/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_evilnum_jul20/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_evilnum_jul20/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_gallium/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_gallium/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_greenbug_may20/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_greenbug_may20/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_hurricane_panda/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_hurricane_panda/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_judgement_panda_gtr19/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_judgement_panda_gtr19/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_ke3chang_regadd/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_ke3chang_regadd/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_lazarus_activity_dec20/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_lazarus_activity_dec20/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_lazarus_loader/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_lazarus_loader/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_lazarus_session_highjack/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_lazarus_session_highjack/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_mustangpanda/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_mustangpanda/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_slingshot/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_slingshot/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_sofacy/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_sofacy/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_ta17_293a_ps/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_ta17_293a_ps/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_ta505_dropper/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_ta505_dropper/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_taidoor/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_taidoor/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_tropictrooper/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_tropictrooper/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_turla_commands/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_turla_commands/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_turla_comrat_may20/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_turla_comrat_may20/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_unc2452_cmds/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_unc2452_cmds/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_unc2452_ps/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_unc2452_ps/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_unidentified_nov_18/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_unidentified_nov_18/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_winnti_mal_hk_jan20/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_winnti_mal_hk_jan20/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_winnti_pipemon/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_winnti_pipemon/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_wocao/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_wocao/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_apt_zxshell/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_apt_zxshell/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_attrib_hiding_files/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_attrib_hiding_files/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_bootconf_mod/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_bootconf_mod/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_bypass_squiblytwo/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_bypass_squiblytwo/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_cmdkey_recon/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_cmdkey_recon/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_cmstp_com_object_access/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_cmstp_com_object_access/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_commandline_path_traversal/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_commandline_path_traversal/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_control_panel_item/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_control_panel_item/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_crime_fireball/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_crime_fireball/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_crime_maze_ransomware/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_crime_maze_ransomware/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_crime_snatch_ransomware/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_crime_snatch_ransomware/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_data_compressed_with_rar/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_data_compressed_with_rar/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_encoded_frombase64string/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_encoded_frombase64string/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_encoded_iex/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_encoded_iex/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_etw_modification_cmdline/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_etw_modification_cmdline/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_etw_trace_evasion/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_etw_trace_evasion/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_exploit_cve_2015_1641/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_exploit_cve_2015_1641/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_exploit_cve_2017_0261/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_exploit_cve_2017_0261/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_exploit_cve_2017_11882/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_exploit_cve_2017_11882/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_exploit_cve_2017_8759/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_exploit_cve_2017_8759/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_exploit_cve_2019_1378/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_exploit_cve_2019_1378/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_exploit_cve_2019_1388/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_exploit_cve_2019_1388/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_exploit_cve_2020_10189/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_exploit_cve_2020_10189/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_exploit_cve_2020_1048/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_exploit_cve_2020_1048/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_exploit_cve_2020_1350/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_exploit_cve_2020_1350/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_file_permission_modifications/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_file_permission_modifications/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_hack_bloodhound/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_hack_bloodhound/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_hack_koadic/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_hack_koadic/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_hack_rubeus/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_hack_rubeus/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_hack_secutyxploded/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_hack_secutyxploded/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_hh_chm/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_hh_chm/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_hktl_createminidump/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_hktl_createminidump/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_html_help_spawn/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_html_help_spawn/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_hwp_exploits/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_hwp_exploits/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_impacket_lateralization/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_impacket_lateralization/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_indirect_cmd/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_indirect_cmd/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_install_reg_debugger_backdoor/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_install_reg_debugger_backdoor/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_interactive_at/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_interactive_at/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_lethalhta/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_lethalhta/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_lsass_dump/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_lsass_dump/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_mal_adwind/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_mal_adwind/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_malware_dridex/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_malware_dridex/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_malware_dtrack/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_malware_dtrack/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_malware_emotet/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_malware_emotet/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_malware_formbook/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_malware_formbook/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_malware_notpetya/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_malware_notpetya/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_malware_qbot/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_malware_qbot/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_malware_ryuk/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_malware_ryuk/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_malware_script_dropper/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_malware_script_dropper/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_malware_trickbot_wermgr/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_malware_trickbot_wermgr/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_malware_wannacry/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_malware_wannacry/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_mavinject_proc_inj/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_mavinject_proc_inj/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_mimikatz_command_line/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_mimikatz_command_line/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_mmc_spawn_shell/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_mmc_spawn_shell/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_mouse_lock/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_mouse_lock/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_mshta_javascript/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_mshta_javascript/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_mshta_spawn_shell/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_mshta_spawn_shell/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_multiple_suspicious_cli/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_multiple_suspicious_cli/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_net_enum/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_net_enum/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_net_user_add/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_net_user_add/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_netsh_allow_port_rdp/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_netsh_allow_port_rdp/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_netsh_fw_add/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_netsh_fw_add/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_netsh_fw_add_susp_image/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_netsh_fw_add_susp_image/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_netsh_packet_capture/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_netsh_packet_capture/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_netsh_port_fwd/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_netsh_port_fwd/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_netsh_port_fwd_3389/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_netsh_port_fwd_3389/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_network_sniffing/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_network_sniffing/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_new_service_creation/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_new_service_creation/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_non_interactive_powershell/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_non_interactive_powershell/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_office_shell/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_office_shell/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_plugx_susp_exe_locations/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_plugx_susp_exe_locations/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_possible_applocker_bypass/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_possible_applocker_bypass/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_powershell_amsi_bypass/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_powershell_amsi_bypass/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_powershell_audio_capture/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_powershell_audio_capture/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_powershell_b64_shellcode/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_powershell_b64_shellcode/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_powershell_bitsjob/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_powershell_bitsjob/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_powershell_dll_execution/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_powershell_dll_execution/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_powershell_downgrade_attack/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_powershell_downgrade_attack/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_powershell_download/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_powershell_download/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_powershell_frombase64string/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_powershell_frombase64string/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_powershell_xor_commandline/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_powershell_xor_commandline/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_powersploit_empire_schtasks/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_powersploit_empire_schtasks/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_proc_wrong_parent/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_proc_wrong_parent/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_process_dump_rundll32_comsvcs/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_process_dump_rundll32_comsvcs/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_psexesvc_start/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_psexesvc_start/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_query_registry/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_query_registry/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_rdp_hijack_shadowing/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_rdp_hijack_shadowing/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_redmimicry_winnti_proc/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_redmimicry_winnti_proc/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_remote_time_discovery/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_remote_time_discovery/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_renamed_binary/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_renamed_binary/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_renamed_jusched/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_renamed_jusched/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_renamed_paexec/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_renamed_paexec/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_renamed_powershell/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_renamed_powershell/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_renamed_procdump/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_renamed_procdump/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_renamed_psexec/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_renamed_psexec/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_sdbinst_shim_persistence/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_sdbinst_shim_persistence/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_service_execution/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_service_execution/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_service_stop/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_service_stop/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_shadow_copies_access_symlink/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_shadow_copies_access_symlink/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_shadow_copies_creation/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_shadow_copies_creation/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_shadow_copies_deletion/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_shadow_copies_deletion/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_shell_spawn_susp_program/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_shell_spawn_susp_program/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_silenttrinity_stage_use/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_silenttrinity_stage_use/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_soundrec_audio_capture/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_soundrec_audio_capture/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_spn_enum/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_spn_enum/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_adfind/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_adfind/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_bcdedit/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_bcdedit/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_bginfo/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_bginfo/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_calc/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_calc/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_cdb/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_cdb/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_certutil_command/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_certutil_command/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_certutil_encode/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_certutil_encode/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_cli_escape/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_cli_escape/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_cmd_http_appdata/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_cmd_http_appdata/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_codepage_switch/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_codepage_switch/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_commands_recon_activity/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_commands_recon_activity/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_compression_params/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_compression_params/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_comsvcs_procdump/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_comsvcs_procdump/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_conhost/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_conhost/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_control_dll_load/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_control_dll_load/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_copy_lateral_movement/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_copy_lateral_movement/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_copy_system32/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_copy_system32/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_covenant/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_covenant/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_csc/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_csc/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_csc_folder/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_csc_folder/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_curl_download/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_curl_download/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_curl_fileupload/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_curl_fileupload/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_curl_start_combo/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_curl_start_combo/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_dctask64_proc_inject/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_dctask64_proc_inject/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_desktopimgdownldr/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_desktopimgdownldr/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_devtoolslauncher/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_devtoolslauncher/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_disable_ie_features/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_disable_ie_features/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_disable_raccine/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_disable_raccine/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_ditsnap/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_ditsnap/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_dnx/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_dnx/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_double_extension/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_double_extension/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_dxcap/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_dxcap/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_eventlog_clear/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_eventlog_clear/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_exec_folder/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_exec_folder/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_execution_path/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_execution_path/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_file_characteristics/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_file_characteristics/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_findstr_lnk/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_findstr_lnk/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_firewall_disable/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_firewall_disable/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_fsutil_usage/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_fsutil_usage/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_gup/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_gup/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_iss_module_install/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_iss_module_install/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_mpcmdrun_download/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_mpcmdrun_download/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_msiexec_cwd/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_msiexec_cwd/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_msiexec_web_install/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_msiexec_web_install/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_msoffice/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_msoffice/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_net_execution/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_net_execution/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_netsh_dll_persistence/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_netsh_dll_persistence/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_ntdsutil/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_ntdsutil/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_odbcconf/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_odbcconf/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_openwith/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_openwith/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_outlook/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_outlook/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_outlook_temp/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_outlook_temp/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_ping_hex_ip/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_ping_hex_ip/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_powershell_enc_cmd/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_powershell_enc_cmd/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_procdump/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_procdump/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_ps_appdata/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_ps_appdata/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_ps_downloadfile/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_ps_downloadfile/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_psexec_eula/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_psexec_eula/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_rar_flags/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_rar_flags/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_rasdial_activity/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_rasdial_activity/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_recon_activity/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_recon_activity/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_regsvr32_anomalies/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_regsvr32_anomalies/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_renamed_dctask64/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_renamed_dctask64/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_renamed_debugview/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_renamed_debugview/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_run_locations/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_run_locations/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_rundll32_activity/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_rundll32_activity/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_rundll32_by_ordinal/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_rundll32_by_ordinal/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_schtask_creation/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_schtask_creation/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_script_execution/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_script_execution/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_squirrel_lolbin/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_squirrel_lolbin/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_svchost/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_svchost/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_svchost_no_cli/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_svchost_no_cli/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_sysprep_appdata/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_sysprep_appdata/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_sysvol_access/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_sysvol_access/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_taskmgr_localsystem/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_taskmgr_localsystem/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_taskmgr_parent/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_taskmgr_parent/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_tscon_localsystem/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_tscon_localsystem/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_tscon_rdp_redirect/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_tscon_rdp_redirect/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_use_of_csharp_console/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_use_of_csharp_console/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_userinit_child/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_userinit_child/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_volsnap_disable/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_volsnap_disable/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_whoami/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_whoami/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_wmi_execution/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_wmi_execution/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_susp_wuauclt/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_susp_wuauclt/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_sysmon_driver_unload/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_sysmon_driver_unload/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_system_exe_anomaly/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_system_exe_anomaly/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_tap_installer_execution/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_tap_installer_execution/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_task_folder_evasion/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_task_folder_evasion/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_termserv_proc_spawn/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_termserv_proc_spawn/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_trust_discovery/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_trust_discovery/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_uac_cmstp/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_uac_cmstp/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_uac_fodhelper/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_uac_fodhelper/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_uac_wsreset/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_uac_wsreset/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_vul_java_remote_debugging/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_vul_java_remote_debugging/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_webshell_detection/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_webshell_detection/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_webshell_recon_detection/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_webshell_recon_detection/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_webshell_spawn/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_webshell_spawn/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_whoami_as_system/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_whoami_as_system/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_win10_sched_task_0day/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_win10_sched_task_0day/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_wmi_spwns_powershell/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_wmi_spwns_powershell/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_wmiprvse_spawning_process/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_wmiprvse_spawning_process/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_workflow_compiler/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_workflow_compiler/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_wsreset_uac_bypass/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_wsreset_uac_bypass/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/process_creation/win_xsl_script_processing/properties.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/process_creation/win_xsl_script_processing/properties.yml -------------------------------------------------------------------------------- /data/sigma/events/windows/registry/values_evasion_registry: -------------------------------------------------------------------------------- 1 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foo\\%%windir%%\Temp\calc.exe 2 | -------------------------------------------------------------------------------- /data/sigma/events/windows/registry/values_evasion_registry_multi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/events/windows/registry/values_evasion_registry_multi -------------------------------------------------------------------------------- /data/sigma/rules/proxyweb/values_rules_proxyweb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/proxyweb/values_rules_proxyweb -------------------------------------------------------------------------------- /data/sigma/rules/proxyweb/values_rules_proxyweb_multi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/proxyweb/values_rules_proxyweb_multi -------------------------------------------------------------------------------- /data/sigma/rules/windows/powershell/values_rules_powershell: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/powershell/values_rules_powershell -------------------------------------------------------------------------------- /data/sigma/rules/windows/powershell/values_rules_powershell_multi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/powershell/values_rules_powershell_multi -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/cmstp_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/cmstp_execution.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/sysmon_hack_wce.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/sysmon_hack_wce.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/sysmon_susp_plink_remote_forward.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/sysmon_susp_plink_remote_forward.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_advanced_ip_scanner.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_advanced_ip_scanner.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_apt29_thinktanks.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_apt29_thinktanks.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_babyshark.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_babyshark.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_bluemashroom.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_bluemashroom.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_chafer_mar18.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_chafer_mar18.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_cloudhopper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_cloudhopper.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_dragonfly.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_dragonfly.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_elise.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_elise.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_empiremonkey.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_empiremonkey.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_evilnum_jul20.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_evilnum_jul20.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_gallium.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_gallium.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_greenbug_may20.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_greenbug_may20.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_hurricane_panda.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_hurricane_panda.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_ke3chang_regadd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_ke3chang_regadd.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_lazarus_loader.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_lazarus_loader.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_mustangpanda.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_mustangpanda.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_slingshot.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_slingshot.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_sofacy.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_sofacy.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_ta17_293a_ps.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_ta17_293a_ps.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_ta505_dropper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_ta505_dropper.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_taidoor.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_taidoor.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_tropictrooper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_tropictrooper.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_turla_comrat_may20.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_turla_comrat_may20.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_unc2452_cmds.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_unc2452_cmds.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_unc2452_ps.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_unc2452_ps.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_unidentified_nov_18.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_unidentified_nov_18.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_winnti_pipemon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_winnti_pipemon.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_wocao.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_wocao.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_apt_zxshell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_apt_zxshell.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_attrib_hiding_files.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_attrib_hiding_files.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_bootconf_mod.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_bootconf_mod.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_bypass_squiblytwo.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_bypass_squiblytwo.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_change_default_file_association.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_change_default_file_association.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_cmdkey_recon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_cmdkey_recon.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_cmstp_com_object_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_cmstp_com_object_access.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_commandline_path_traversal.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_commandline_path_traversal.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_control_panel_item.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_control_panel_item.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_crime_fireball.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_crime_fireball.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_crime_maze_ransomware.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_crime_maze_ransomware.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_crime_snatch_ransomware.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_crime_snatch_ransomware.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_data_compressed_with_rar.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_data_compressed_with_rar.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_dsquery_domain_trust_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_dsquery_domain_trust_discovery.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_encoded_frombase64string.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_encoded_frombase64string.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_encoded_iex.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_encoded_iex.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_etw_modification_cmdline.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_etw_modification_cmdline.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_etw_trace_evasion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_etw_trace_evasion.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_exploit_cve_2015_1641.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_exploit_cve_2015_1641.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_exploit_cve_2017_0261.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_exploit_cve_2017_0261.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_exploit_cve_2017_11882.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_exploit_cve_2017_11882.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_exploit_cve_2017_8759.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_exploit_cve_2017_8759.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_exploit_cve_2019_1378.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_exploit_cve_2019_1378.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_exploit_cve_2019_1388.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_exploit_cve_2019_1388.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_exploit_cve_2020_10189.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_exploit_cve_2020_10189.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_exploit_cve_2020_1048.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_exploit_cve_2020_1048.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_exploit_cve_2020_1350.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_exploit_cve_2020_1350.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_file_permission_modifications.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_file_permission_modifications.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_hack_bloodhound.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_hack_bloodhound.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_hack_koadic.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_hack_koadic.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_hack_rubeus.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_hack_rubeus.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_hack_secutyxploded.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_hack_secutyxploded.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_hh_chm.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_hh_chm.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_hktl_createminidump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_hktl_createminidump.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_html_help_spawn.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_html_help_spawn.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_hwp_exploits.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_hwp_exploits.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_impacket_lateralization.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_impacket_lateralization.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_indirect_cmd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_indirect_cmd.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_interactive_at.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_interactive_at.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_lethalhta.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_lethalhta.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_local_system_owner_account_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_local_system_owner_account_discovery.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_lsass_dump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_lsass_dump.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_mal_adwind.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_mal_adwind.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_malware_dridex.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_malware_dridex.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_malware_dtrack.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_malware_dtrack.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_malware_emotet.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_malware_emotet.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_malware_formbook.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_malware_formbook.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_malware_notpetya.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_malware_notpetya.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_malware_qbot.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_malware_qbot.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_malware_ryuk.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_malware_ryuk.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_malware_script_dropper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_malware_script_dropper.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_malware_trickbot_wermgr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_malware_trickbot_wermgr.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_malware_wannacry.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_malware_wannacry.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_mavinject_proc_inj.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_mavinject_proc_inj.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_mimikatz_command_line.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_mimikatz_command_line.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_mmc_spawn_shell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_mmc_spawn_shell.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_mouse_lock.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_mouse_lock.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_mshta_javascript.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_mshta_javascript.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_mshta_spawn_shell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_mshta_spawn_shell.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_net_enum.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_net_enum.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_net_user_add.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_net_user_add.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_netsh_allow_port_rdp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_netsh_allow_port_rdp.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_netsh_fw_add.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_netsh_fw_add.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_netsh_packet_capture.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_netsh_packet_capture.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_netsh_port_fwd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_netsh_port_fwd.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_netsh_port_fwd_3389.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_netsh_port_fwd_3389.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_network_sniffing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_network_sniffing.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_new_service_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_new_service_creation.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_non_interactive_powershell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_non_interactive_powershell.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_office_shell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_office_shell.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_plugx_susp_exe_locations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_plugx_susp_exe_locations.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_possible_applocker_bypass.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_possible_applocker_bypass.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_powershell_amsi_bypass.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_powershell_amsi_bypass.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_powershell_audio_capture.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_powershell_audio_capture.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_powershell_b64_shellcode.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_powershell_b64_shellcode.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_powershell_bitsjob.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_powershell_bitsjob.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_powershell_dll_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_powershell_dll_execution.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_powershell_downgrade_attack.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_powershell_downgrade_attack.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_powershell_download.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_powershell_download.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_powershell_frombase64string.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_powershell_frombase64string.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_powershell_xor_commandline.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_powershell_xor_commandline.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_powersploit_empire_schtasks.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_powersploit_empire_schtasks.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_proc_wrong_parent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_proc_wrong_parent.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_psexesvc_start.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_psexesvc_start.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_query_registry.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_query_registry.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_rdp_hijack_shadowing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_rdp_hijack_shadowing.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_redmimicry_winnti_proc.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_redmimicry_winnti_proc.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_remote_powershell_session_process.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_remote_powershell_session_process.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_remote_time_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_remote_time_discovery.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_renamed_binary.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_renamed_binary.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_renamed_jusched.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_renamed_jusched.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_renamed_paexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_renamed_paexec.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_renamed_powershell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_renamed_powershell.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_renamed_procdump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_renamed_procdump.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_renamed_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_renamed_psexec.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_run_powershell_script_from_ads.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_run_powershell_script_from_ads.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_sdbinst_shim_persistence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_sdbinst_shim_persistence.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_service_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_service_execution.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_service_stop.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_service_stop.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_shadow_copies_access_symlink.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_shadow_copies_access_symlink.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_shadow_copies_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_shadow_copies_creation.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_shadow_copies_deletion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_shadow_copies_deletion.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_shell_spawn_susp_program.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_shell_spawn_susp_program.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_silenttrinity_stage_use.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_silenttrinity_stage_use.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_soundrec_audio_capture.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_soundrec_audio_capture.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_spn_enum.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_spn_enum.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_adfind.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_adfind.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_bcdedit.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_bcdedit.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_bginfo.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_bginfo.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_calc.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_calc.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_cdb.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_cdb.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_certutil_command.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_certutil_command.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_certutil_encode.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_certutil_encode.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_cli_escape.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_cli_escape.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_cmd_http_appdata.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_cmd_http_appdata.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_codepage_switch.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_codepage_switch.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_compression_params.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_compression_params.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_comsvcs_procdump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_comsvcs_procdump.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_conhost.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_conhost.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_control_dll_load.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_control_dll_load.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_copy_lateral_movement.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_copy_lateral_movement.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_copy_system32.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_copy_system32.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_covenant.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_covenant.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_crackmapexec_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_crackmapexec_execution.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_csc.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_csc.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_csc_folder.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_csc_folder.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_curl_download.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_curl_download.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_curl_fileupload.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_curl_fileupload.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_curl_start_combo.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_curl_start_combo.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_desktopimgdownldr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_desktopimgdownldr.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_devtoolslauncher.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_devtoolslauncher.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_disable_ie_features.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_disable_ie_features.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_disable_raccine.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_disable_raccine.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_ditsnap.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_ditsnap.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_dnx.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_dnx.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_double_extension.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_double_extension.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_dxcap.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_dxcap.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_emotet_rudll32_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_emotet_rudll32_execution.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_eventlog_clear.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_eventlog_clear.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_exec_folder.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_exec_folder.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_execution_path.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_execution_path.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_execution_path_webserver.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_execution_path_webserver.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_explorer_break_proctree.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_explorer_break_proctree.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_file_characteristics.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_file_characteristics.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_findstr_lnk.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_findstr_lnk.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_firewall_disable.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_firewall_disable.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_fsutil_usage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_fsutil_usage.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_gup.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_gup.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_iss_module_install.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_iss_module_install.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_mpcmdrun_download.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_mpcmdrun_download.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_msiexec_cwd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_msiexec_cwd.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_msiexec_web_install.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_msiexec_web_install.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_msoffice.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_msoffice.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_net_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_net_execution.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_ntdsutil.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_ntdsutil.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_odbcconf.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_odbcconf.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_openwith.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_openwith.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_outlook.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_outlook.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_outlook_temp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_outlook_temp.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_ping_hex_ip.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_ping_hex_ip.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_powershell_empire_launch.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_powershell_empire_launch.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_powershell_encoded_param.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_powershell_encoded_param.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_powershell_parent_combo.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_powershell_parent_combo.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_powershell_parent_process.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_powershell_parent_process.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_procdump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_procdump.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_prog_location_process_starts.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_prog_location_process_starts.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_ps_appdata.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_ps_appdata.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_ps_downloadfile.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_ps_downloadfile.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_psexec_eula.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_psexec_eula.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_rar_flags.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_rar_flags.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_rasdial_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_rasdial_activity.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_recon_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_recon_activity.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_renamed_dctask64.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_renamed_dctask64.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_renamed_debugview.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_renamed_debugview.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_run_locations.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_run_locations.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_rundll32_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_rundll32_activity.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_schtask_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_schtask_creation.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_script_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_script_execution.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_service_path_modification.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_service_path_modification.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_squirrel_lolbin.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_squirrel_lolbin.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_svchost.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_svchost.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_svchost_no_cli.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_svchost_no_cli.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_sysprep_appdata.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_sysprep_appdata.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_sysvol_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_sysvol_access.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_taskmgr_parent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_taskmgr_parent.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_tscon_localsystem.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_tscon_localsystem.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_use_of_csharp_console.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_use_of_csharp_console.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_userinit_child.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_userinit_child.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_volsnap_disable.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_volsnap_disable.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_whoami.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_whoami.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_wmi_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_wmi_execution.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_wmic_security_product_uninstall.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_wmic_security_product_uninstall.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_susp_wuauclt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_susp_wuauclt.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_sysmon_driver_unload.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_sysmon_driver_unload.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_system_exe_anomaly.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_system_exe_anomaly.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_tap_installer_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_tap_installer_execution.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_task_folder_evasion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_task_folder_evasion.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_termserv_proc_spawn.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_termserv_proc_spawn.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_trust_discovery.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_trust_discovery.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_uac_cmstp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_uac_cmstp.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_uac_fodhelper.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_uac_fodhelper.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_uac_wsreset.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_uac_wsreset.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_vul_java_remote_debugging.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_vul_java_remote_debugging.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_webshell_detection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_webshell_detection.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_webshell_recon_detection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_webshell_recon_detection.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_webshell_spawn.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_webshell_spawn.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_whoami_as_system.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_whoami_as_system.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_win10_sched_task_0day.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_win10_sched_task_0day.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_wmi_spwns_powershell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_wmi_spwns_powershell.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_wmiprvse_spawning_process.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_wmiprvse_spawning_process.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_workflow_compiler.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_workflow_compiler.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_wsreset_uac_bypass.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_wsreset_uac_bypass.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/process_creation/win_xsl_script_processing.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/process_creation/win_xsl_script_processing.yml -------------------------------------------------------------------------------- /data/sigma/rules/windows/registry/values_rules_registry: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/registry/values_rules_registry -------------------------------------------------------------------------------- /data/sigma/rules/windows/registry/values_rules_registry_multi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/sigma/rules/windows/registry/values_rules_registry_multi -------------------------------------------------------------------------------- /data/socbed/powershell/all: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/socbed/powershell/all -------------------------------------------------------------------------------- /data/socbed/powershell/train: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/socbed/powershell/train -------------------------------------------------------------------------------- /data/socbed/powershell/validation: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/socbed/powershell/validation -------------------------------------------------------------------------------- /data/socbed/process_creation/all: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/socbed/process_creation/all -------------------------------------------------------------------------------- /data/socbed/process_creation/train: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/socbed/process_creation/train -------------------------------------------------------------------------------- /data/socbed/process_creation/validation: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/socbed/process_creation/validation -------------------------------------------------------------------------------- /data/socbed/proxy_web/all: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/socbed/proxy_web/all -------------------------------------------------------------------------------- /data/socbed/proxy_web/train: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/socbed/proxy_web/train -------------------------------------------------------------------------------- /data/socbed/proxy_web/validation: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/socbed/proxy_web/validation -------------------------------------------------------------------------------- /data/socbed/registry/all: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/socbed/registry/all -------------------------------------------------------------------------------- /data/socbed/registry/train: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/socbed/registry/train -------------------------------------------------------------------------------- /data/socbed/registry/validation: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/data/socbed/registry/validation -------------------------------------------------------------------------------- /docs/amides.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/docs/amides.png -------------------------------------------------------------------------------- /remove_containers.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/remove_containers.sh -------------------------------------------------------------------------------- /remove_image.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/remove_image.sh -------------------------------------------------------------------------------- /run_experiments.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/run_experiments.sh -------------------------------------------------------------------------------- /start_env.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fkie-cad/amides/HEAD/start_env.sh --------------------------------------------------------------------------------