├── 2022_BlackCat_Ransomware ├── win_susp_process_blackcat_execution.yml ├── win_susp_process_blackcat_execution_getuuid.yml ├── win_susp_process_blackcat_exfiltration.yml ├── win_susp_process_exec_in_perflogs_path.yml ├── win_susp_process_fsutil_allowing_connections.yml ├── win_susp_process_maxmpxct_reg_mod.yml ├── win_susp_reg_added_maxmpxct_sysmon.yml └── win_susp_reg_set_maxmpxct_sysmon.yml ├── 2022_ChromeLoader ├── chrome_loadextension_chromeloader.yml └── cmd_external_drive_batch_script_execution_chromeloader.yml ├── 2022_Gootloader ├── registry_key_creation_gootloader.yml └── wscript_execution_in_appdata_gootloader.yml ├── 2022_HTMLSmuggling ├── 1_win_zipfile_drop.yml ├── 2_win_susp_file_extraction.yml ├── 3_win_security_iso_mount.yml ├── 4_win_process_creation_ext_drive.yml ├── 4_win_process_creation_ext_drive_old.yml ├── TestQueries.txt └── correlation_temporal_html_smuggling.yml ├── 2022_Hive_Ransomware ├── win_bcd_registry_modification_hive.yml ├── win_susp_bcdedit_hive.yml └── win_susp_wevtutil_hive.yml ├── 2022_QakBot ├── win_qakbot_dropped_file_creation_4663.yml ├── win_qakbot_dropped_file_creation_sysmon.yml ├── win_qakbot_susp_calc_dll_load_trellix.yml ├── win_qakbot_susp_calc_process_trellix.yml ├── win_qakbot_susp_cmdline_from_injected_process.yml ├── win_qakbot_susp_process_injection_to_explorer.yml └── win_qakbot_susp_schtasks_process_trellix.yml ├── 2022_RedCanary_ThreatDetectionReport ├── bitsadmin_mal_download.yml ├── certutil_mal_download.yml ├── cmd_bypassing_security_controls.yml ├── cmd_obfuscated_commands.yml ├── cmd_powershell_base64.yml ├── cmd_susp_process_ancestry.yml ├── lsass_process_access_injection.yml ├── lsass_susp_parent_child_relationships.yml ├── notepad_internal_name_mismatch.yml ├── notepad_network_connection.yml ├── notpowershell_unusual_commandline.yml ├── powershell_base64.yml ├── powershell_disable_defender_components.yml ├── powershell_encoded_flag.yml ├── powershell_high_count_susp_chars.yml ├── powershell_modify_defender_components.yml ├── powershell_process_injection.yml ├── powershell_renamed.yml ├── powershell_susp_cmdlets.yml ├── powershell_susp_wmi_cmdlets.yml ├── process_execution_without_commandline.yml ├── rundll32_app_bypass_dllregisterserver.yml ├── rundll32_susp_export_functionality.yml ├── rundll32_susp_process_ancestry.yml ├── rundll32_without_commandline.yml ├── schtasks_create_shell.yml ├── schtasks_network_connections.yml ├── schtasks_susp_behavior.yml ├── shrpubw_execution_from_unexpected_path.yml ├── svchost_wout_normal_parameters.yml ├── wmi_recon_activity.yml ├── wmi_susp_process_lineage.yml ├── wmic_shadow_copy_deletion.yml └── wmic_susp_commands.yml ├── 2022_RenameSystemUtilities ├── file_creation_exe_extension.yml ├── file_creation_exe_in_temp_directories_4663.yml ├── proc_creation_non_exe_demo.yml └── proc_creation_susp_rcedit_execution.yml ├── 2022_Solarmarker ├── win_susp_file_ext_reg_key.yml ├── win_susp_solarmarker_file_creation.yml └── win_victim_id_file_creation.yml ├── 2022_ViceSociety_Ransomware ├── pwsh_ms_defender_tampering_vsociety.yml ├── win_encrypted_extension_file_creation_vsociety.yml ├── win_exe_deployment_from_remote_share_vsociety.yml ├── win_ntdsutil_credential_theft_vsociety.yml ├── win_susp_net_user_creation_vsociety.yml └── win_susp_reg_defender_tampering_vsociety.yml ├── 2023_DarkGate ├── file_event_win_malware_darkgate_autoit3.yml └── proc_creation_win_malware_darkgate_autoit3_from_appdata.yml ├── 2023_External_RemoteSvc_Logons └── win_security_successful_external_remote_svc_login.yml ├── 2023_Impacket ├── GetUserSPNs │ └── zeek_impacket_kerberos_rc4.yml ├── atexec │ ├── win_file_creation_impacket_atexec.yml │ ├── win_proc_creation_impacket_atexec.yml │ ├── win_registry_events_impacket_atexec.yml │ └── win_schtasks_impacket_atexec.yml ├── dcomexec │ └── zeek_dce_impacket_remote_create_instance_dcomexec.yml ├── psexec │ ├── win_file_creation_impacket_psexec.yml │ └── win_pipe_created_remcom_impacket_psexec.yml ├── secretsdump │ └── zeek_dce_impacket_rpc_secretsdump.yml └── smbclient │ └── file_event_win_impacket_exe.yml ├── 2023_OneNote_Malware ├── create_stream_hash_double_extension.yml ├── dns_query_double_extension.yml ├── file_event_double_extension.yml ├── net_connection_win_double_extension.yml ├── win_proc_creation_double_extension.yml ├── win_proc_creation_regasm_process_injection.yml └── win_proc_right_to_left_override.yml ├── 2023_RedCanary_ThreatDetectionReport ├── technique_cmd_bypassing_controls.yml ├── technique_cmd_explorer_start_exit_cmd.yml ├── technique_cmd_obfuscated_commands.yml ├── technique_cmd_schtasks_create_shell.yml ├── technique_cmd_susp_process_ancestry.yml ├── technique_cmd_svc_shell_command.yml ├── technique_ingress_tool_transfer_bitsadmin_download.yml ├── technique_ingress_tool_transfer_certutil_download.yml ├── technique_lsass_memory_lsass_access.yml ├── technique_lsass_memory_lsass_non_sytem.yml ├── technique_lsass_memory_rundll32_minidump.yml ├── technique_lsass_memory_susp_lineage.yml ├── technique_motw_bypass_iso_write_susp_folder.yml ├── technique_process_injection_powershell_injection.yml ├── technique_process_injection_process_sans_cmdline.yml ├── technique_process_injection_susp_net_conn.yml ├── technique_pwsh_base64_encoding.yml ├── technique_pwsh_encoded_command_switch.yml ├── technique_pwsh_obfuscated_commands.yml ├── technique_pwsh_susp_cmdlets.yml ├── technique_rename_sys_utils_unexpected_internal_name.yml ├── technique_rename_sys_utils_unusual_cmdlines.yml ├── technique_rundll32_app_bypass_dllregisterserver.yml ├── technique_rundll32_inject_to_lsass.yml ├── technique_rundll32_no_cmdline.yml ├── technique_rundll32_susp_lineage.yml ├── technique_setuid_setgid_binary_search.yml ├── technique_smb_win_admin_shares_file_write.yml ├── technique_smb_win_admin_shares_impacket_svc_via_registry.yml ├── technique_smb_win_admin_shares_process_execution.yml ├── technique_wmi_office_products_spawning_wmic.yml ├── technique_wmi_reconnaissance.yml ├── technique_wmi_shadow_copy_deletion.yml ├── technique_wmi_susp_commands.yml ├── technique_wmi_susp_lineage.yml ├── technique_wmi_susp_pwsh_cmdlets.yml ├── technique_wmi_unusual_module_loads.yml ├── threat_adsearch_reg_runkey_persistence_execution.yml ├── threat_adsearch_startup_folder_persistence.yml ├── threat_bloodhound_common_cmd_actions.yml ├── threat_cobalt_strike_beacon_getsystem_cmd_pattern.yml ├── threat_cobalt_strike_beacon_implant.yml ├── threat_cobalt_strike_uac_bypass_w_cliconfg.yml ├── threat_emotet_excel_regsvr32_execution.yml ├── threat_gamarue_rundll32_dll_filename.yml ├── threat_gootloader_appdata_js_execution.yml ├── threat_gootloader_cscript_msdos_shortnames.yml ├── threat_impacket_atexec_execution.yml ├── threat_impacket_smbexec_execution.yml ├── threat_impacket_wmiexec_execution.yml ├── threat_mimikatz_kirbi_file_creation.yml ├── threat_mimikatz_module_names_in_cmdline.yml ├── threat_plugx_wsc_proxy_dll_search_order_hijacking.yml ├── threat_qbot_mounted_drive_execution.yml ├── threat_qbot_rundll32_non_standard_file_proxy_execution.yml ├── threat_raspberry_robin_msiexec_execution.yml ├── threat_socgholish_homoglyph_cyrillic_lookalikes.yml ├── threat_socgholish_nltest_domain_trust_enumeration.yml ├── threat_socgholish_whoami_output_to_file.yml ├── threat_yellow_cockatoo_startup_lnk_file.yml └── threat_yellow_cockatoo_susp_dotnet_methods.yml ├── 2023_WebDAV_SearchMS ├── file_event_win_webdav_tmpfile_creation.yml ├── proc_creation_win_webdav_lnk_execution.yml └── proxy_webdav_search_ms.yml ├── 2024_Cicada3301_Ransomware ├── correlation_proc_creation_win_taskkill_cicada3301.yml ├── correlation_win_system_service_stopped_cicada3301.yml ├── file_creation_win_cicada_psexec.yml ├── proc_creation_win_cicada3301_execution.yml ├── proc_creation_win_hyperv_stopvm.yml └── proc_creation_win_iisreset_stop.yml ├── 2024_RedCanary_ThreatDetectionReport ├── technique_applescript_applet_download_as_payload.yml ├── technique_applescript_input_prompt.yml ├── technique_command_shell_bypass_security_controls.yml ├── technique_command_shell_from_explorer.yml ├── technique_command_shell_from_schtask.yml ├── technique_command_shell_from_service_ctrl_mgr.yml ├── technique_command_shell_obfuscated_commands.yml ├── technique_command_shell_suspicious_ancestry.yml ├── technique_email_forwarding_rule_suspicious_criteria.yml ├── technique_email_forwarding_rule_suspicious_folders.yml ├── technique_email_forwarding_rule_suspicious_names.yml ├── technique_ingress_tools_transfer_bitsadmin_download.yml ├── technique_ingress_tools_transfer_certreq_download.yml ├── technique_ingress_tools_transfer_certutil_download.yml ├── technique_installer_packages_non_ms_publisher_id.yml ├── technique_installer_packages_psf_powershell_execution.yml ├── technique_kernel_modules_nondepmod_modifying_modules_dep.yml ├── technique_kernel_modules_shells_modifying_files_in_lkm_directories.yml ├── technique_kernel_modules_systemd_loading_lkm_insmod.yml ├── technique_kernel_modules_systemd_loading_lkm_modprobe.yml ├── technique_obfuscation_base64_encoding.yml ├── technique_obfuscation_zipfile_spawning_javascript.yml ├── technique_os_cred_dumping_secretsdump_file_modification.yml ├── technique_powershell_base64_encoding.yml ├── technique_powershell_encoded_command.yml ├── technique_powershell_obfuscation_escape_chars.yml ├── technique_powershell_susp_cmdlets.yml ├── technique_rename_system_utils_powershell_notepad.yml ├── technique_rename_system_utils_unusual_cmdline.yml ├── technique_rundll32_dllregister_server_function.yml ├── technique_rundll32_injection_to_lsass.yml ├── technique_rundll32_no_cmdline.yml ├── technique_rundll32_suspicious_export_functionalities.yml ├── technique_rundll32_suspicious_lineage.yml ├── technique_wmi_office_product_parent.yml ├── technique_wmi_reconnaissance.yml ├── technique_wmi_shadowcopy_deletion.yml ├── technique_wmi_suspicious_commands.yml ├── technique_wmi_suspicious_powershell_cmdlets.yml ├── technique_wmi_suspicious_process_lineage.yml ├── technique_wmi_unusual_module_loads.yml ├── threat_chromeloader_nwjs_runtime_installation_paths.yml ├── threat_gamarue_rundll32_cmdline.yml ├── threat_impacket_atexec_execution.yml ├── threat_impacket_secretsdump_execution.yml ├── threat_impacket_smbexec_execution.yml ├── threat_impacket_wmiexec_execution.yml ├── threat_mimikatz_kirbi_file.yml ├── threat_mimikatz_module_names.yml ├── threat_qbot_mounted_drive_script_execution.yml ├── threat_raspberry_robin_cmdline_netconn_no_params.yml ├── threat_raspberry_robin_msiexec_download.yml ├── threat_smashjacker_appinit_dll_installation.yml ├── threat_smashjacker_web_browser_loading_extension.yml ├── threat_socgholish_nltest_domain_trust_enum.yml ├── threat_socgholish_whoami_recon_file_output.yml ├── threat_socgholish_wscript_from_browser_with_netconn.yml ├── threat_yellow_cockatoo_ps_startup_folder_persistence.yml └── threat_yellow_cockatoo_ps_susp_dotnet_methods.yml ├── 2025_ArcGIS_Server_SOE_Abuse ├── file_event_win_arcsoc_creating_susp_files.yml └── proc_creation_win_arcsoc_susp_child_process.yml ├── LICENSE └── README.md /2022_BlackCat_Ransomware/win_susp_process_blackcat_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_BlackCat_Ransomware/win_susp_process_blackcat_execution.yml -------------------------------------------------------------------------------- /2022_BlackCat_Ransomware/win_susp_process_blackcat_execution_getuuid.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_BlackCat_Ransomware/win_susp_process_blackcat_execution_getuuid.yml -------------------------------------------------------------------------------- /2022_BlackCat_Ransomware/win_susp_process_blackcat_exfiltration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_BlackCat_Ransomware/win_susp_process_blackcat_exfiltration.yml -------------------------------------------------------------------------------- /2022_BlackCat_Ransomware/win_susp_process_exec_in_perflogs_path.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_BlackCat_Ransomware/win_susp_process_exec_in_perflogs_path.yml -------------------------------------------------------------------------------- /2022_BlackCat_Ransomware/win_susp_process_fsutil_allowing_connections.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_BlackCat_Ransomware/win_susp_process_fsutil_allowing_connections.yml -------------------------------------------------------------------------------- /2022_BlackCat_Ransomware/win_susp_process_maxmpxct_reg_mod.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_BlackCat_Ransomware/win_susp_process_maxmpxct_reg_mod.yml -------------------------------------------------------------------------------- /2022_BlackCat_Ransomware/win_susp_reg_added_maxmpxct_sysmon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_BlackCat_Ransomware/win_susp_reg_added_maxmpxct_sysmon.yml -------------------------------------------------------------------------------- /2022_BlackCat_Ransomware/win_susp_reg_set_maxmpxct_sysmon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_BlackCat_Ransomware/win_susp_reg_set_maxmpxct_sysmon.yml -------------------------------------------------------------------------------- /2022_ChromeLoader/chrome_loadextension_chromeloader.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_ChromeLoader/chrome_loadextension_chromeloader.yml -------------------------------------------------------------------------------- /2022_ChromeLoader/cmd_external_drive_batch_script_execution_chromeloader.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_ChromeLoader/cmd_external_drive_batch_script_execution_chromeloader.yml -------------------------------------------------------------------------------- /2022_Gootloader/registry_key_creation_gootloader.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_Gootloader/registry_key_creation_gootloader.yml -------------------------------------------------------------------------------- /2022_Gootloader/wscript_execution_in_appdata_gootloader.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_Gootloader/wscript_execution_in_appdata_gootloader.yml -------------------------------------------------------------------------------- /2022_HTMLSmuggling/1_win_zipfile_drop.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_HTMLSmuggling/1_win_zipfile_drop.yml -------------------------------------------------------------------------------- /2022_HTMLSmuggling/2_win_susp_file_extraction.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_HTMLSmuggling/2_win_susp_file_extraction.yml -------------------------------------------------------------------------------- /2022_HTMLSmuggling/3_win_security_iso_mount.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_HTMLSmuggling/3_win_security_iso_mount.yml -------------------------------------------------------------------------------- /2022_HTMLSmuggling/4_win_process_creation_ext_drive.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_HTMLSmuggling/4_win_process_creation_ext_drive.yml -------------------------------------------------------------------------------- /2022_HTMLSmuggling/4_win_process_creation_ext_drive_old.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_HTMLSmuggling/4_win_process_creation_ext_drive_old.yml -------------------------------------------------------------------------------- /2022_HTMLSmuggling/TestQueries.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_HTMLSmuggling/TestQueries.txt -------------------------------------------------------------------------------- /2022_HTMLSmuggling/correlation_temporal_html_smuggling.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_HTMLSmuggling/correlation_temporal_html_smuggling.yml -------------------------------------------------------------------------------- /2022_Hive_Ransomware/win_bcd_registry_modification_hive.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_Hive_Ransomware/win_bcd_registry_modification_hive.yml -------------------------------------------------------------------------------- /2022_Hive_Ransomware/win_susp_bcdedit_hive.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_Hive_Ransomware/win_susp_bcdedit_hive.yml -------------------------------------------------------------------------------- /2022_Hive_Ransomware/win_susp_wevtutil_hive.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_Hive_Ransomware/win_susp_wevtutil_hive.yml -------------------------------------------------------------------------------- /2022_QakBot/win_qakbot_dropped_file_creation_4663.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_QakBot/win_qakbot_dropped_file_creation_4663.yml -------------------------------------------------------------------------------- /2022_QakBot/win_qakbot_dropped_file_creation_sysmon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_QakBot/win_qakbot_dropped_file_creation_sysmon.yml -------------------------------------------------------------------------------- /2022_QakBot/win_qakbot_susp_calc_dll_load_trellix.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_QakBot/win_qakbot_susp_calc_dll_load_trellix.yml -------------------------------------------------------------------------------- /2022_QakBot/win_qakbot_susp_calc_process_trellix.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_QakBot/win_qakbot_susp_calc_process_trellix.yml -------------------------------------------------------------------------------- /2022_QakBot/win_qakbot_susp_cmdline_from_injected_process.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_QakBot/win_qakbot_susp_cmdline_from_injected_process.yml -------------------------------------------------------------------------------- /2022_QakBot/win_qakbot_susp_process_injection_to_explorer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_QakBot/win_qakbot_susp_process_injection_to_explorer.yml -------------------------------------------------------------------------------- /2022_QakBot/win_qakbot_susp_schtasks_process_trellix.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_QakBot/win_qakbot_susp_schtasks_process_trellix.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/bitsadmin_mal_download.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/bitsadmin_mal_download.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/certutil_mal_download.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/certutil_mal_download.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/cmd_bypassing_security_controls.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/cmd_bypassing_security_controls.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/cmd_obfuscated_commands.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/cmd_obfuscated_commands.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/cmd_powershell_base64.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/cmd_powershell_base64.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/cmd_susp_process_ancestry.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/cmd_susp_process_ancestry.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/lsass_process_access_injection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/lsass_process_access_injection.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/lsass_susp_parent_child_relationships.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/lsass_susp_parent_child_relationships.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/notepad_internal_name_mismatch.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/notepad_internal_name_mismatch.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/notepad_network_connection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/notepad_network_connection.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/notpowershell_unusual_commandline.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/notpowershell_unusual_commandline.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_base64.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/powershell_base64.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_disable_defender_components.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/powershell_disable_defender_components.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_encoded_flag.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/powershell_encoded_flag.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_high_count_susp_chars.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/powershell_high_count_susp_chars.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_modify_defender_components.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/powershell_modify_defender_components.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_process_injection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/powershell_process_injection.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_renamed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/powershell_renamed.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_susp_cmdlets.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/powershell_susp_cmdlets.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/powershell_susp_wmi_cmdlets.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/powershell_susp_wmi_cmdlets.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/process_execution_without_commandline.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/process_execution_without_commandline.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/rundll32_app_bypass_dllregisterserver.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/rundll32_app_bypass_dllregisterserver.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/rundll32_susp_export_functionality.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/rundll32_susp_export_functionality.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/rundll32_susp_process_ancestry.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/rundll32_susp_process_ancestry.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/rundll32_without_commandline.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/rundll32_without_commandline.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/schtasks_create_shell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/schtasks_create_shell.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/schtasks_network_connections.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/schtasks_network_connections.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/schtasks_susp_behavior.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/schtasks_susp_behavior.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/shrpubw_execution_from_unexpected_path.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/shrpubw_execution_from_unexpected_path.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/svchost_wout_normal_parameters.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/svchost_wout_normal_parameters.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/wmi_recon_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/wmi_recon_activity.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/wmi_susp_process_lineage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/wmi_susp_process_lineage.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/wmic_shadow_copy_deletion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/wmic_shadow_copy_deletion.yml -------------------------------------------------------------------------------- /2022_RedCanary_ThreatDetectionReport/wmic_susp_commands.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RedCanary_ThreatDetectionReport/wmic_susp_commands.yml -------------------------------------------------------------------------------- /2022_RenameSystemUtilities/file_creation_exe_extension.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RenameSystemUtilities/file_creation_exe_extension.yml -------------------------------------------------------------------------------- /2022_RenameSystemUtilities/file_creation_exe_in_temp_directories_4663.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RenameSystemUtilities/file_creation_exe_in_temp_directories_4663.yml -------------------------------------------------------------------------------- /2022_RenameSystemUtilities/proc_creation_non_exe_demo.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RenameSystemUtilities/proc_creation_non_exe_demo.yml -------------------------------------------------------------------------------- /2022_RenameSystemUtilities/proc_creation_susp_rcedit_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_RenameSystemUtilities/proc_creation_susp_rcedit_execution.yml -------------------------------------------------------------------------------- /2022_Solarmarker/win_susp_file_ext_reg_key.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_Solarmarker/win_susp_file_ext_reg_key.yml -------------------------------------------------------------------------------- /2022_Solarmarker/win_susp_solarmarker_file_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_Solarmarker/win_susp_solarmarker_file_creation.yml -------------------------------------------------------------------------------- /2022_Solarmarker/win_victim_id_file_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_Solarmarker/win_victim_id_file_creation.yml -------------------------------------------------------------------------------- /2022_ViceSociety_Ransomware/pwsh_ms_defender_tampering_vsociety.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_ViceSociety_Ransomware/pwsh_ms_defender_tampering_vsociety.yml -------------------------------------------------------------------------------- /2022_ViceSociety_Ransomware/win_encrypted_extension_file_creation_vsociety.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_ViceSociety_Ransomware/win_encrypted_extension_file_creation_vsociety.yml -------------------------------------------------------------------------------- /2022_ViceSociety_Ransomware/win_exe_deployment_from_remote_share_vsociety.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_ViceSociety_Ransomware/win_exe_deployment_from_remote_share_vsociety.yml -------------------------------------------------------------------------------- /2022_ViceSociety_Ransomware/win_ntdsutil_credential_theft_vsociety.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_ViceSociety_Ransomware/win_ntdsutil_credential_theft_vsociety.yml -------------------------------------------------------------------------------- /2022_ViceSociety_Ransomware/win_susp_net_user_creation_vsociety.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_ViceSociety_Ransomware/win_susp_net_user_creation_vsociety.yml -------------------------------------------------------------------------------- /2022_ViceSociety_Ransomware/win_susp_reg_defender_tampering_vsociety.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2022_ViceSociety_Ransomware/win_susp_reg_defender_tampering_vsociety.yml -------------------------------------------------------------------------------- /2023_DarkGate/file_event_win_malware_darkgate_autoit3.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_DarkGate/file_event_win_malware_darkgate_autoit3.yml -------------------------------------------------------------------------------- /2023_DarkGate/proc_creation_win_malware_darkgate_autoit3_from_appdata.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_DarkGate/proc_creation_win_malware_darkgate_autoit3_from_appdata.yml -------------------------------------------------------------------------------- /2023_External_RemoteSvc_Logons/win_security_successful_external_remote_svc_login.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_External_RemoteSvc_Logons/win_security_successful_external_remote_svc_login.yml -------------------------------------------------------------------------------- /2023_Impacket/GetUserSPNs/zeek_impacket_kerberos_rc4.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_Impacket/GetUserSPNs/zeek_impacket_kerberos_rc4.yml -------------------------------------------------------------------------------- /2023_Impacket/atexec/win_file_creation_impacket_atexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_Impacket/atexec/win_file_creation_impacket_atexec.yml -------------------------------------------------------------------------------- /2023_Impacket/atexec/win_proc_creation_impacket_atexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_Impacket/atexec/win_proc_creation_impacket_atexec.yml -------------------------------------------------------------------------------- /2023_Impacket/atexec/win_registry_events_impacket_atexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_Impacket/atexec/win_registry_events_impacket_atexec.yml -------------------------------------------------------------------------------- /2023_Impacket/atexec/win_schtasks_impacket_atexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_Impacket/atexec/win_schtasks_impacket_atexec.yml -------------------------------------------------------------------------------- /2023_Impacket/dcomexec/zeek_dce_impacket_remote_create_instance_dcomexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_Impacket/dcomexec/zeek_dce_impacket_remote_create_instance_dcomexec.yml -------------------------------------------------------------------------------- /2023_Impacket/psexec/win_file_creation_impacket_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_Impacket/psexec/win_file_creation_impacket_psexec.yml -------------------------------------------------------------------------------- /2023_Impacket/psexec/win_pipe_created_remcom_impacket_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_Impacket/psexec/win_pipe_created_remcom_impacket_psexec.yml -------------------------------------------------------------------------------- /2023_Impacket/secretsdump/zeek_dce_impacket_rpc_secretsdump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_Impacket/secretsdump/zeek_dce_impacket_rpc_secretsdump.yml -------------------------------------------------------------------------------- /2023_Impacket/smbclient/file_event_win_impacket_exe.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_Impacket/smbclient/file_event_win_impacket_exe.yml -------------------------------------------------------------------------------- /2023_OneNote_Malware/create_stream_hash_double_extension.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_OneNote_Malware/create_stream_hash_double_extension.yml -------------------------------------------------------------------------------- /2023_OneNote_Malware/dns_query_double_extension.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_OneNote_Malware/dns_query_double_extension.yml -------------------------------------------------------------------------------- /2023_OneNote_Malware/file_event_double_extension.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_OneNote_Malware/file_event_double_extension.yml -------------------------------------------------------------------------------- /2023_OneNote_Malware/net_connection_win_double_extension.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_OneNote_Malware/net_connection_win_double_extension.yml -------------------------------------------------------------------------------- /2023_OneNote_Malware/win_proc_creation_double_extension.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_OneNote_Malware/win_proc_creation_double_extension.yml -------------------------------------------------------------------------------- /2023_OneNote_Malware/win_proc_creation_regasm_process_injection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_OneNote_Malware/win_proc_creation_regasm_process_injection.yml -------------------------------------------------------------------------------- /2023_OneNote_Malware/win_proc_right_to_left_override.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_OneNote_Malware/win_proc_right_to_left_override.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_cmd_bypassing_controls.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_cmd_bypassing_controls.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_cmd_explorer_start_exit_cmd.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_cmd_explorer_start_exit_cmd.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_cmd_obfuscated_commands.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_cmd_obfuscated_commands.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_cmd_schtasks_create_shell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_cmd_schtasks_create_shell.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_cmd_susp_process_ancestry.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_cmd_susp_process_ancestry.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_cmd_svc_shell_command.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_cmd_svc_shell_command.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_ingress_tool_transfer_bitsadmin_download.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_ingress_tool_transfer_bitsadmin_download.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_ingress_tool_transfer_certutil_download.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_ingress_tool_transfer_certutil_download.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_lsass_memory_lsass_access.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_lsass_memory_lsass_access.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_lsass_memory_lsass_non_sytem.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_lsass_memory_lsass_non_sytem.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_lsass_memory_rundll32_minidump.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_lsass_memory_rundll32_minidump.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_lsass_memory_susp_lineage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_lsass_memory_susp_lineage.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_motw_bypass_iso_write_susp_folder.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_motw_bypass_iso_write_susp_folder.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_process_injection_powershell_injection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_process_injection_powershell_injection.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_process_injection_process_sans_cmdline.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_process_injection_process_sans_cmdline.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_process_injection_susp_net_conn.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_process_injection_susp_net_conn.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_pwsh_base64_encoding.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_pwsh_base64_encoding.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_pwsh_encoded_command_switch.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_pwsh_encoded_command_switch.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_pwsh_obfuscated_commands.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_pwsh_obfuscated_commands.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_pwsh_susp_cmdlets.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_pwsh_susp_cmdlets.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_rename_sys_utils_unexpected_internal_name.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_rename_sys_utils_unexpected_internal_name.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_rename_sys_utils_unusual_cmdlines.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_rename_sys_utils_unusual_cmdlines.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_rundll32_app_bypass_dllregisterserver.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_rundll32_app_bypass_dllregisterserver.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_rundll32_inject_to_lsass.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_rundll32_inject_to_lsass.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_rundll32_no_cmdline.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_rundll32_no_cmdline.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_rundll32_susp_lineage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_rundll32_susp_lineage.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_setuid_setgid_binary_search.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_setuid_setgid_binary_search.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_smb_win_admin_shares_file_write.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_smb_win_admin_shares_file_write.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_smb_win_admin_shares_impacket_svc_via_registry.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_smb_win_admin_shares_impacket_svc_via_registry.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_smb_win_admin_shares_process_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_smb_win_admin_shares_process_execution.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_wmi_office_products_spawning_wmic.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_wmi_office_products_spawning_wmic.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_wmi_reconnaissance.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_wmi_reconnaissance.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_wmi_shadow_copy_deletion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_wmi_shadow_copy_deletion.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_wmi_susp_commands.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_wmi_susp_commands.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_wmi_susp_lineage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_wmi_susp_lineage.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_wmi_susp_pwsh_cmdlets.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_wmi_susp_pwsh_cmdlets.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/technique_wmi_unusual_module_loads.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/technique_wmi_unusual_module_loads.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_adsearch_reg_runkey_persistence_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_adsearch_reg_runkey_persistence_execution.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_adsearch_startup_folder_persistence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_adsearch_startup_folder_persistence.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_bloodhound_common_cmd_actions.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_bloodhound_common_cmd_actions.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_cobalt_strike_beacon_getsystem_cmd_pattern.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_cobalt_strike_beacon_getsystem_cmd_pattern.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_cobalt_strike_beacon_implant.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_cobalt_strike_beacon_implant.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_cobalt_strike_uac_bypass_w_cliconfg.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_cobalt_strike_uac_bypass_w_cliconfg.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_emotet_excel_regsvr32_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_emotet_excel_regsvr32_execution.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_gamarue_rundll32_dll_filename.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_gamarue_rundll32_dll_filename.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_gootloader_appdata_js_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_gootloader_appdata_js_execution.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_gootloader_cscript_msdos_shortnames.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_gootloader_cscript_msdos_shortnames.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_impacket_atexec_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_impacket_atexec_execution.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_impacket_smbexec_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_impacket_smbexec_execution.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_impacket_wmiexec_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_impacket_wmiexec_execution.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_mimikatz_kirbi_file_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_mimikatz_kirbi_file_creation.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_mimikatz_module_names_in_cmdline.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_mimikatz_module_names_in_cmdline.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_plugx_wsc_proxy_dll_search_order_hijacking.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_plugx_wsc_proxy_dll_search_order_hijacking.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_qbot_mounted_drive_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_qbot_mounted_drive_execution.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_qbot_rundll32_non_standard_file_proxy_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_qbot_rundll32_non_standard_file_proxy_execution.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_raspberry_robin_msiexec_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_raspberry_robin_msiexec_execution.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_socgholish_homoglyph_cyrillic_lookalikes.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_socgholish_homoglyph_cyrillic_lookalikes.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_socgholish_nltest_domain_trust_enumeration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_socgholish_nltest_domain_trust_enumeration.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_socgholish_whoami_output_to_file.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_socgholish_whoami_output_to_file.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_yellow_cockatoo_startup_lnk_file.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_yellow_cockatoo_startup_lnk_file.yml -------------------------------------------------------------------------------- /2023_RedCanary_ThreatDetectionReport/threat_yellow_cockatoo_susp_dotnet_methods.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_RedCanary_ThreatDetectionReport/threat_yellow_cockatoo_susp_dotnet_methods.yml -------------------------------------------------------------------------------- /2023_WebDAV_SearchMS/file_event_win_webdav_tmpfile_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_WebDAV_SearchMS/file_event_win_webdav_tmpfile_creation.yml -------------------------------------------------------------------------------- /2023_WebDAV_SearchMS/proc_creation_win_webdav_lnk_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_WebDAV_SearchMS/proc_creation_win_webdav_lnk_execution.yml -------------------------------------------------------------------------------- /2023_WebDAV_SearchMS/proxy_webdav_search_ms.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2023_WebDAV_SearchMS/proxy_webdav_search_ms.yml -------------------------------------------------------------------------------- /2024_Cicada3301_Ransomware/correlation_proc_creation_win_taskkill_cicada3301.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_Cicada3301_Ransomware/correlation_proc_creation_win_taskkill_cicada3301.yml -------------------------------------------------------------------------------- /2024_Cicada3301_Ransomware/correlation_win_system_service_stopped_cicada3301.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_Cicada3301_Ransomware/correlation_win_system_service_stopped_cicada3301.yml -------------------------------------------------------------------------------- /2024_Cicada3301_Ransomware/file_creation_win_cicada_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_Cicada3301_Ransomware/file_creation_win_cicada_psexec.yml -------------------------------------------------------------------------------- /2024_Cicada3301_Ransomware/proc_creation_win_cicada3301_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_Cicada3301_Ransomware/proc_creation_win_cicada3301_execution.yml -------------------------------------------------------------------------------- /2024_Cicada3301_Ransomware/proc_creation_win_hyperv_stopvm.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_Cicada3301_Ransomware/proc_creation_win_hyperv_stopvm.yml -------------------------------------------------------------------------------- /2024_Cicada3301_Ransomware/proc_creation_win_iisreset_stop.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_Cicada3301_Ransomware/proc_creation_win_iisreset_stop.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_applescript_applet_download_as_payload.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_applescript_applet_download_as_payload.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_applescript_input_prompt.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_applescript_input_prompt.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_command_shell_bypass_security_controls.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_command_shell_bypass_security_controls.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_command_shell_from_explorer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_command_shell_from_explorer.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_command_shell_from_schtask.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_command_shell_from_schtask.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_command_shell_from_service_ctrl_mgr.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_command_shell_from_service_ctrl_mgr.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_command_shell_obfuscated_commands.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_command_shell_obfuscated_commands.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_command_shell_suspicious_ancestry.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_command_shell_suspicious_ancestry.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_email_forwarding_rule_suspicious_criteria.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_email_forwarding_rule_suspicious_criteria.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_email_forwarding_rule_suspicious_folders.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_email_forwarding_rule_suspicious_folders.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_email_forwarding_rule_suspicious_names.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_email_forwarding_rule_suspicious_names.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_ingress_tools_transfer_bitsadmin_download.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_ingress_tools_transfer_bitsadmin_download.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_ingress_tools_transfer_certreq_download.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_ingress_tools_transfer_certreq_download.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_ingress_tools_transfer_certutil_download.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_ingress_tools_transfer_certutil_download.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_installer_packages_non_ms_publisher_id.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_installer_packages_non_ms_publisher_id.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_installer_packages_psf_powershell_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_installer_packages_psf_powershell_execution.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_kernel_modules_nondepmod_modifying_modules_dep.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_kernel_modules_nondepmod_modifying_modules_dep.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_kernel_modules_shells_modifying_files_in_lkm_directories.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_kernel_modules_shells_modifying_files_in_lkm_directories.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_kernel_modules_systemd_loading_lkm_insmod.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_kernel_modules_systemd_loading_lkm_insmod.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_kernel_modules_systemd_loading_lkm_modprobe.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_kernel_modules_systemd_loading_lkm_modprobe.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_obfuscation_base64_encoding.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_obfuscation_base64_encoding.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_obfuscation_zipfile_spawning_javascript.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_obfuscation_zipfile_spawning_javascript.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_os_cred_dumping_secretsdump_file_modification.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_os_cred_dumping_secretsdump_file_modification.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_powershell_base64_encoding.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_powershell_base64_encoding.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_powershell_encoded_command.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_powershell_encoded_command.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_powershell_obfuscation_escape_chars.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_powershell_obfuscation_escape_chars.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_powershell_susp_cmdlets.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_powershell_susp_cmdlets.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_rename_system_utils_powershell_notepad.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_rename_system_utils_powershell_notepad.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_rename_system_utils_unusual_cmdline.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_rename_system_utils_unusual_cmdline.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_rundll32_dllregister_server_function.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_rundll32_dllregister_server_function.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_rundll32_injection_to_lsass.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_rundll32_injection_to_lsass.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_rundll32_no_cmdline.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_rundll32_no_cmdline.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_rundll32_suspicious_export_functionalities.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_rundll32_suspicious_export_functionalities.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_rundll32_suspicious_lineage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_rundll32_suspicious_lineage.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_wmi_office_product_parent.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_wmi_office_product_parent.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_wmi_reconnaissance.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_wmi_reconnaissance.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_wmi_shadowcopy_deletion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_wmi_shadowcopy_deletion.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_wmi_suspicious_commands.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_wmi_suspicious_commands.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_wmi_suspicious_powershell_cmdlets.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_wmi_suspicious_powershell_cmdlets.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_wmi_suspicious_process_lineage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_wmi_suspicious_process_lineage.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/technique_wmi_unusual_module_loads.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/technique_wmi_unusual_module_loads.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_chromeloader_nwjs_runtime_installation_paths.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_chromeloader_nwjs_runtime_installation_paths.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_gamarue_rundll32_cmdline.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_gamarue_rundll32_cmdline.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_impacket_atexec_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_impacket_atexec_execution.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_impacket_secretsdump_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_impacket_secretsdump_execution.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_impacket_smbexec_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_impacket_smbexec_execution.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_impacket_wmiexec_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_impacket_wmiexec_execution.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_mimikatz_kirbi_file.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_mimikatz_kirbi_file.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_mimikatz_module_names.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_mimikatz_module_names.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_qbot_mounted_drive_script_execution.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_qbot_mounted_drive_script_execution.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_raspberry_robin_cmdline_netconn_no_params.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_raspberry_robin_cmdline_netconn_no_params.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_raspberry_robin_msiexec_download.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_raspberry_robin_msiexec_download.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_smashjacker_appinit_dll_installation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_smashjacker_appinit_dll_installation.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_smashjacker_web_browser_loading_extension.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_smashjacker_web_browser_loading_extension.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_socgholish_nltest_domain_trust_enum.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_socgholish_nltest_domain_trust_enum.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_socgholish_whoami_recon_file_output.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_socgholish_whoami_recon_file_output.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_socgholish_wscript_from_browser_with_netconn.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_socgholish_wscript_from_browser_with_netconn.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_yellow_cockatoo_ps_startup_folder_persistence.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_yellow_cockatoo_ps_startup_folder_persistence.yml -------------------------------------------------------------------------------- /2024_RedCanary_ThreatDetectionReport/threat_yellow_cockatoo_ps_susp_dotnet_methods.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2024_RedCanary_ThreatDetectionReport/threat_yellow_cockatoo_ps_susp_dotnet_methods.yml -------------------------------------------------------------------------------- /2025_ArcGIS_Server_SOE_Abuse/file_event_win_arcsoc_creating_susp_files.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2025_ArcGIS_Server_SOE_Abuse/file_event_win_arcsoc_creating_susp_files.yml -------------------------------------------------------------------------------- /2025_ArcGIS_Server_SOE_Abuse/proc_creation_win_arcsoc_susp_child_process.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/2025_ArcGIS_Server_SOE_Abuse/proc_creation_win_arcsoc_susp_child_process.yml -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/LICENSE -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mbabinski/Sigma-Rules/HEAD/README.md --------------------------------------------------------------------------------