├── AWS
│   ├── Dashboards
│   │   ├── CloudTrail Anomaly Detection.ndjson
│   │   ├── CloudTrail Overview.ndjson
│   │   ├── Flows - Local to Remote.ndjson
│   │   ├── Flows - Remote to Local.ndjson
│   │   ├── Flows Overview.ndjson
│   │   ├── all-cloudtrail-dashboards.ndjson
│   │   └── readme.md
│   ├── aws-rules.ndjson
│   └── readme.md
├── Hunt Catalog
│   ├── Windows.md
│   ├── authentication.md
│   ├── cloud.md
│   ├── correlation.md
│   ├── cross-platform.md
│   ├── database.md
│   ├── exfiltration.md
│   ├── linux.md
│   ├── mac.md
│   ├── machine learning.md
│   ├── network.md
│   ├── readme.md
│   └── web.md
├── LICENSE.md
├── Linux
│   ├── Rules
│   │   ├── CVE-2019-14287
│   │   │   └── Sudo with # char in arguments; possible CVE 2019-14287 LPE.ndjson
│   │   ├── ShmooCon 2020
│   │   │   ├── Linux - Dynamic Linker Configuration Change.ndjson
│   │   │   ├── Linux - Dynamic Linker File in Process Arguments.ndjson
│   │   │   └── shmoocon-2020-loader-siem-rules.ndjson
│   │   ├── linux-rules.ndjson
│   │   └── readme.md
│   ├── Searches
│   │   ├── .All Linux Searches.ndjson
│   │   ├── .all Linux 2.ndjson
│   │   ├── Linux Auditctl Command Activity.ndjson
│   │   ├── Linux Base64 Command Activity.ndjson
│   │   ├── Linux Compiler Activity.ndjson
│   │   ├── Linux Cron Activity.ndjson
│   │   ├── Linux Echo Command Activity.ndjson
│   │   ├── Linux FTP Command Activity.ndjson
│   │   ├── Linux Group Changes.ndjson
│   │   ├── Linux Hping Activity.ndjson
│   │   ├── Linux Ifconfig Command Activity.ndjson
│   │   ├── Linux Iodine Activity.ndjson
│   │   ├── Linux Java Process Connecting to the Internet.ndjson
│   │   ├── Linux Kernel Module Activity.ndjson
│   │   ├── Linux Mknod Activity.ndjson
│   │   ├── Linux Netcat Network Connection.ndjson
│   │   ├── Linux Netcat shell activity.ndjson
│   │   ├── Linux Nmap Activity.ndjson
│   │   ├── Linux Nping Activity.ndjson
│   │   ├── Linux Passwd Command Activity.ndjson
│   │   ├── Linux Port 22 Connection Outbound.ndjson
│   │   ├── Linux Process Started in Temp Directory.ndjson
│   │   ├── Linux Ptrace Activity.ndjson
│   │   ├── Linux Rawshark Activity.ndjson
│   │   ├── Linux Rdesktop Activity.ndjson
│   │   ├── Linux SCP Activity.ndjson
│   │   ├── Linux Shell Activity By Web Server.ndjson
│   │   ├── Linux Socat activity.ndjson
│   │   ├── Linux Strace Activity.ndjson
│   │   ├── Linux Sudo Activity.ndjson
│   │   ├── Linux Systemctl Activity.ndjson
│   │   ├── Linux Tcpdump Activity.ndjson
│   │   ├── Linux Traceroute Command Activity.ndjson
│   │   ├── Linux User Changes.ndjson
│   │   ├── Linux Web Client Activity.ndjson
│   │   ├── Linux Web Download.ndjson
│   │   ├── Linux Whoami Commmand.ndjson
│   │   ├── Linux Whois Activity.ndjson
│   │   ├── Linux busybox process activity.ndjson
│   │   ├── Linux chmod +s command activity.ndjson
│   │   ├── Linux dd process activity.ndjson
│   │   ├── Linux dmesg activity.ndjson
│   │   ├── Linux env process activity by a user.ndjson
│   │   ├── Linux file editor activity.ndjson
│   │   ├── Linux find command activity by a user.ndjson
│   │   ├── Linux finger command activity.ndjson
│   │   ├── Linux flock command activity by a user.ndjson
│   │   ├── Linux gdb activity.ndjson
│   │   ├── Linux git process activity.ndjson
│   │   ├── Linux head command activity by a user.ndjson
│   │   ├── Linux ionice command activity by a user.ndjson
│   │   ├── Linux ip command activity by a user.ndjson
│   │   ├── Linux jrunscript process activity.ndjson
│   │   ├── Linux ld.so process activity.ndjson
│   │   ├── Linux less command activity.ndjson
│   │   ├── Linux lzop activity - possible @JulianRunnels.ndjson
│   │   ├── Linux mail process activity.ndjson
│   │   ├── Linux make process activity.ndjson
│   │   ├── Linux makemime activity - possible @JulianRunnels.ndjson
│   │   ├── Linux man command activity.ndjson
│   │   ├── Linux more command activity.ndjson
│   │   ├── Linux mount command activity by a user.ndjson
│   │   ├── Linux mv command activity by a user.ndjson
│   │   ├── Linux mysql command activity by a user.ndjson
│   │   ├── Linux nano activity by a user.ndjson
│   │   ├── Linux nice command activity.ndjson
│   │   ├── Linux perl activity by a user.ndjson
│   │   ├── Linux process named install.ndjson
│   │   ├── Linux python activity by a user.ndjson
│   │   ├── Linux readelf command activity.ndjson
│   │   ├── Linux reverse shell, PHP.ndjson
│   │   ├── Linux reverse shell, python.ndjson
│   │   ├── Linux reverse shell, ruby.ndjson
│   │   ├── Linux rpmquery command activity.ndjson
│   │   ├── Linux rsynch command activity.ndjson
│   │   ├── Linux ruby activity by a user.ndjson
│   │   ├── Linux run-mailcap command activity.ndjson
│   │   ├── Linux run-parts command activity by a user.ndjson
│   │   ├── Linux screen command activity.ndjson
│   │   ├── Linux sed command activity by a user.ndjson
│   │   ├── Linux service command activity.ndjson
│   │   ├── Linux sftp command activity.ndjson
│   │   ├── Linux smbclient command activity.ndjson
│   │   ├── Linux sort command activity by a user.ndjson
│   │   ├── Linux sqlite process activity.ndjson
│   │   ├── Linux start-stop-daemon process activity.ndjson
│   │   ├── Linux tail command activity.ndjson
│   │   ├── Linux tar command activity by a user.ndjson
│   │   ├── Linux tcp device activity.ndjson
│   │   ├── Linux tcpdump command execution.ndjson
│   │   ├── Linux tee command activity.ndjson
│   │   ├── Linux telnet activity.ndjson
│   │   ├── Linux tftp activity.ndjson
│   │   ├── Linux time command activity.ndjson
│   │   ├── Linux uncommon process activity - possible gtfobin.ndjson
│   │   ├── Linux uniq command activity.ndjson
│   │   ├── Linux unusual shell activity.ndjson
│   │   ├── Linux user command activity with shell command arguments.ndjson
│   │   ├── Linux xargs command activity by a user.ndjson
│   │   ├── Linux yum activity.ndjson
│   │   └── Linux zip command activity.ndjson
│   └── Tests
│       ├── Linux Event Generators
│       │   ├── README.md
│       │   ├── process-atoms.json
│       │   └── process-reaction.json
│       ├── Linux Hping Activity.ndjson
│       ├── Linux Iodine Activity.ndjson
│       ├── Linux Kernel Module Activity.ndjson
│       ├── Linux Mknod Activity.ndjson
│       ├── Linux Netcat Network Connection.ndjson
│       ├── Linux Nmap Activity.ndjson
│       ├── Linux Nping Activity.ndjson
│       ├── Linux Process Started in Temp Directory.ndjson
│       ├── Linux Socat activity.ndjson
│       ├── Linux Strace Activity.ndjson
│       ├── Linux Tcpdump Activity.ndjson
│       ├── Linux Whoami Commmand.ndjson
│       └── Linux ld.so process activity.ndjson
├── Lists
│   ├── 18001-list-directory-traversal.md
│   ├── 23001-list-linux-accounts.md
│   ├── 28001-list-SQL-commands.md
│   ├── 28002-list-RCI-commands.md
│   ├── 28003-list-environment-variables.md
│   ├── 28004-list-XSS-strings.md
│   ├── 28005-list-SQL-injection.md
│   ├── 28006-list-SQL-Windows.md
│   ├── 78001-list-web-scanner.md
│   └── URI-list.md
├── Network
│   ├── .all network searches.ndjson
│   ├── Linux Network - Anomalous Process Using HTTPS Ports.ndjson
│   ├── Network - DNS Directly to the Internet.ndjson
│   ├── Network - FTP (File Transfer Protocol) Activity to the Internet.ndjson
│   ├── Network - IRC (Internet Relay Chat) Protocol Activity to the Internet.ndjson
│   ├── Network - NAT Traversal Port Activity.ndjson
│   ├── Network - PPTP (Point to Point Tunneling Protocol) Activity.ndjson
│   ├── Network - Port 26 Activity.ndjson
│   ├── Network - Port 8000 Activity to the Internet.ndjson
│   ├── Network - Port 8000 Activity.ndjson
│   ├── Network - Proxy Port Activity to the Internet.ndjson
│   ├── Network - RDP (Remote Desktop Protocol) from the Internet.ndjson
│   ├── Network - RDP (Remote Desktop Protocol) to the Internet.ndjson
│   ├── Network - RPC (Remote Procedure Call) from the Internet.ndjson
│   ├── Network - RPC (Remote Procedure Call) to the Internet.ndjson
│   ├── Network - SMB (Windows File Sharing) Activity to the Internet.ndjson
│   ├── Network - SMTP to the Internet.ndjson
│   ├── Network - SQL Server Port Activity to the Internet.ndjson
│   ├── Network - SSH (Secure Shell) from the Internet.ndjson
│   ├── Network - SSH (Secure Shell) to the Internet.ndjson
│   ├── Network - Telnet Port Activity.ndjson
│   ├── Network - Tor Activity to the Internet.ndjson
│   ├── Network - VNC (Virtual Network Computing) From the Internet.ndjson
│   ├── Network - VNC (Virtual Network Computing) To the Internet.ndjson
│   ├── Network Event Generator
│   │   ├── README.md
│   │   ├── network-atoms.json
│   │   └── network-reaction.json
│   ├── README.md
│   └── Windows Network - Anomalous Windows Process Using HTTPS Ports.ndjson
├── README.md
├── Suricata
│   ├── Searches
│   │   ├── .all Suricata searches.ndjson
│   │   ├── Suricata Base64 Encoded Invoke-Command Powershell Execution.ndjson
│   │   ├── Suricata Base64 Encoded New-Object Powershell Execution.ndjson
│   │   ├── Suricata Base64 Encoded Start-Process Powershell Execution.ndjson
│   │   ├── Suricata CobaltStrike Artifact in an DNS Request.ndjson
│   │   ├── Suricata Commonly Abused DNS Domain Detected.ndjson
│   │   ├── Suricata DNS Traffic on Unusual TCP Port.ndjson
│   │   ├── Suricata DNS Traffic on Unusual UDP Port.ndjson
│   │   ├── Suricata Directory Reversal Characters in an HTTP Request.ndjson
│   │   ├── Suricata Directory Traversal Characters in HTTP Response.ndjson
│   │   ├── Suricata Directory Traversal in Downloaded Zip File.ndjson
│   │   ├── Suricata Double Encoded Characters in a URI.ndjson
│   │   ├── Suricata Double Encoded Characters in an HTTP POST.ndjson
│   │   ├── Suricata FTP Traffic on Unusual Port, Internet Destination.ndjson
│   │   ├── Suricata HTTP Traffic On Unusual Port, Internet Destination.ndjson
│   │   ├── Suricata IMAP Traffic on Unusual Port, internet Destination.ndjson
│   │   ├── Suricata LaZagne Artifact in an HTTP POST.ndjson
│   │   ├── Suricata Mimikatz Artifacts in an HTTP POST.ndjson
│   │   ├── Suricata Mimikatz String Detected in HTTP Response.ndjson
│   │   ├── Suricata Possible Cobalt Strike Malleable C2 Null Response.ndjson
│   │   ├── Suricata Possible SQL Injection - SQL Commands in HTTP Transactions.ndjson
│   │   ├── Suricata RPC Traffic on HTTP Ports.ndjson
│   │   ├── Suricata SSH Traffic Not on Port 22, Internet Destination.ndjson
│   │   ├── Suricata Serialized PHP Detected.ndjson
│   │   ├── Suricata TLS Traffic on Unusual Port, Internet Destination.ndjson
│   │   ├── Suricata Windows Executable Served by JPEG Web Content.ndjson
│   │   ├── Suricata eval PHP Function in an HTTP Request.ndjson
│   │   ├── Suricata non-DNS Traffic on TCP Port 53.ndjson
│   │   ├── Suricata non-DNS Traffic on UDP Port 53.ndjson
│   │   ├── Suricata non-FTP Traffic on Port 21.ndjson
│   │   ├── Suricata non-HTTP Traffic on TCP Port 80.ndjson
│   │   ├── Suricata non-IMAP Traffic on Port 1443 (IMAP).ndjson
│   │   ├── Suricata non-SMB Traffic on TCP Port 139 (SMB).ndjson
│   │   ├── Suricata non-SSH Traffic on Port 22.ndjson
│   │   ├── Suricata non-TLS on TLS Port.ndjson
│   │   ├── Suricata shell_exec PHP Function in an HTTP POST.ndjson
│   │   └── readme.md
│   ├── readme.md
│   └── suricata-siem-rules.ndjson
├── Windows
│   ├── .all windows rules.ndjson
│   ├── Anomalous process started as SYSTEM.ndjson
│   ├── Anomalous process started by Internet Explorer.ndjson
│   ├── BlueKeep Activity Failed Logins for Username AAAAAAA.ndjson
│   ├── CVE-2020-0601
│   │   ├── CVE-2020-0601-siem-rules.ndjson
│   │   ├── README.md
│   │   ├── Windows Audit-CVE Event Log Message - CVE-2020-0601 Indicator.ndjson
│   │   └── Windows crypt32.dll Vulnerable to CVE-2020-0601.ndjson
│   ├── CVE-2020-0688
│   │   └── Command Shell Started by IIS Worker.ndjson
│   ├── Cacls command activity.ndjson
│   ├── Command shell started by Internet Explorer.ndjson
│   ├── Command shell started by Powershell.ndjson
│   ├── Command shell started by Svchost.ndjson
│   ├── FileZilla network activity.ndjson
│   ├── FileZilla process activity.ndjson
│   ├── Internet LOLBins
│   │   ├── .all internet calling lolbins.ndjson
│   │   ├── README.md
│   │   ├── Windows Background Intelligent Transfer Service (BITS) Connecting to the Internet.ndjson
│   │   ├── Windows Certutil Connecting to the Internet.ndjson
│   │   ├── Windows Command Prompt Connecting to the Internet.ndjson
│   │   ├── Windows HTML Help executable Program Connecting to the Internet.ndjson
│   │   ├── Windows Microsoft HTML Application (HTA) Connecting to the Internet.ndjson
│   │   ├── Windows Misc LOLBin Connecting to the Internet.ndjson
│   │   ├── Windows Powershell Connecting to the Internet.ndjson
│   │   ├── Windows Register Server Program Connecting to the Internet.ndjson
│   │   └── Windows Script Interpreter Connecting to the Internet.ndjson
│   ├── Ipconfig command activity.ndjson
│   ├── MSBuild and Silent Trinity
│   │   ├── MSBuild-searches.ndjson
│   │   ├── MSBuild-siem-rules.ndjson
│   │   └── README.md
│   ├── PSexec activity.ndjson
│   ├── Powershell download from a URI.ndjson
│   ├── Powershell network connection.ndjson
│   ├── Process started by Acrobat reader - possible payload.ndjson
│   ├── Process started by MS Office program - possible payload.ndjson
│   ├── Process started by Norton Security.ndjson
│   ├── Process started by Windows Defender.ndjson
│   ├── Sentinel
│   │   ├── .all sentinel searches.ndjson
│   │   ├── README.md
│   │   ├── Windows Credential Dumping Commands.ndjson
│   │   ├── Windows Credential Dumping via ImageLoad.ndjson
│   │   ├── Windows Credential Dumping via Registry Save.ndjson
│   │   ├── Windows Data Compression Using Powershell.ndjson
│   │   ├── Windows Defense Evasion - Decoding Using Certutil.ndjson
│   │   ├── Windows Defense Evasion or Persistence via Hidden Files.ndjson
│   │   ├── Windows Defense Evasion via Windows Event Log Tools.ndjson
│   │   ├── Windows Defense evasion via Filter Manager.ndjson
│   │   ├── Windows Execution via .NET COM Assemblies.ndjson
│   │   ├── Windows Execution via Compiled HTML File.ndjson
│   │   ├── Windows Execution via Connection Manager.ndjson
│   │   ├── Windows Execution via Microsoft HTML Application (HTA).ndjson
│   │   ├── Windows Execution via Regsvr32.ndjson
│   │   ├── Windows Execution via Trusted Developer Utilities.ndjson
│   │   ├── Windows Indirect Command Execution.ndjson
│   │   ├── Windows Management Instrumentation (WMI) Execution.ndjson
│   │   ├── Windows Payload Obfuscation via Certutil.ndjson
│   │   ├── Windows Persistence or Priv Escalation via Hooking.ndjson
│   │   ├── Windows Persistence via Application Shimming.ndjson
│   │   ├── Windows Persistence via BITS Jobs.ndjson
│   │   ├── Windows Persistence via Modification of Existing Service.ndjson
│   │   ├── Windows Persistence via Netshell Helper DLL.ndjson
│   │   ├── Windows Priv Escalation via Accessibility Features.ndjson
│   │   ├── Windows Process Discovery via Tasklist Command.ndjson
│   │   ├── Windows Registry Query, Local.ndjson
│   │   ├── Windows Registry Query, Network.ndjson
│   │   ├── Windows Remote Management Execution.ndjson
│   │   ├── Windows Scheduled Task Activity.ndjson
│   │   ├── Windows Signed Binary Proxy Execution Download.ndjson
│   │   └── Windows Signed Binary Proxy Execution.ndjson
│   ├── Sigma Searches
│   │   ├── Process Event Searches
│   │   │   ├── .All Windows process rules.ndjson
│   │   │   ├── Active Directory diagnostic tool utility - possible attack on the NTDS.DIT database.ndjson
│   │   │   ├── Active Directory group policy directory access by a process.ndjson
│   │   │   ├── Anomalous calculator process.ndjson
│   │   │   ├── Anomalous child process started by the userinit process.ndjson
│   │   │   ├── Anomalous parent process for csc.exe - possible payload delivery.ndjson
│   │   │   ├── BITSadmin file download activity.ndjson
│   │   │   ├── Certutil file encoding activity - possible data exfil.ndjson
│   │   │   ├── Clearing of the WMI trace log - possible LockaerGoga ransomware activity.ndjson
│   │   │   ├── Cmdkey Cached Credentials Recon.ndjson
│   │   │   ├── Command execution with URL and AppData parameters - possible dropper.ndjson
│   │   │   ├── Command that clears the WMI trace log - possible LockerGoga ransomware activity.ndjson
│   │   │   ├── Empire PowerShell launch parameters - possible Empire activity.ndjson
│   │   │   ├── Execution of Renamed PaExec.ndjson
│   │   │   ├── IIS Native-Code Module Command Line Installation.ndjson
│   │   │   ├── Java process activity in the AppData folder as used by Adwind JRAT malware.ndjson
│   │   │   ├── Java process running with remote debugging enabled.ndjson
│   │   │   ├── MBR modifications by bcdedit.exe - possible ransomware.ndjson
│   │   │   ├── MS Office Product starting a process in a user directory - possible payload.ndjson
│   │   │   ├── MSHTA Spawning Windows Shell.ndjson
│   │   │   ├── MSHTA spwaned by SVCHOST as seen in LethalHTA.ndjson
│   │   │   ├── MavInject Process Injection.ndjson
│   │   │   ├── Microsoft Workflow Compiler activity - possible execution of arbitrary unsigned code.ndjson
│   │   │   ├── Netsh Allow Incoming Connections by Port or Application on Windows Firewall.ndjson
│   │   │   ├── Netsh Port Forwarding.ndjson
│   │   │   ├── Netsh RDP Port Forwarding of Port 3389 - RDP tunneling.ndjson
│   │   │   ├── Netsh RDP Port Forwarding.ndjson
│   │   │   ├── Notepad++ updater in an anomalous directory - possible DLL side-loading attack.ndjson
│   │   │   ├── Ping command using a hexidecimal IP address.ndjson
│   │   │   ├── Possible Applocker Bypass.ndjson
│   │   │   ├── Possible CVE-2017-1882 exploit starting child processes from EQNEDT32.EXE.ndjson
│   │   │   ├── Possible shim database persistence via sdbinst.exe writing to default shim database path.ndjson
│   │   │   ├── PowerShell Base64 Encoded Shellcode.ndjson
│   │   │   ├── PowerShell download from URL - possible payload.ndjson
│   │   │   ├── Powershell AMSI bypass via .NET reflection - possible attempt to disable AMSI scanning.ndjson
│   │   │   ├── Powershell activity by the WMI service.ndjson
│   │   │   ├── Powershell activity in an AppData folder - suspicious powershell activity.ndjson
│   │   │   ├── Powershell execution via a DLL.ndjson
│   │   │   ├── Powershell process started by a script interpreter.ndjson
│   │   │   ├── Procdump activity on the lsass.exe process.ndjson
│   │   │   ├── Process Execution in web server document root folder.ndjson
│   │   │   ├── Process started by MMC - possible lateral movement using the MMC application's COM object.ndjson
│   │   │   ├── Process started by the Task Manager.ndjson
│   │   │   ├── Process started by the terminal service server - possible Bluekeep CVE-2019-0708 exploit activity.ndjson
│   │   │   ├── PsExec Service Start.ndjson
│   │   │   ├── RASdial process activity.ndjson
│   │   │   ├── RDP session redirect activity using TSCON.ndjson
│   │   │   ├── Renamed Powershell.exe.ndjson
│   │   │   ├── Rundll32 execution from control.exe as used by Equation Group and Exploit Kits.ndjson
│   │   │   ├── Scheduled task creation by a user.ndjson
│   │   │   ├── Service principal name enumeration - possible Kerberoasting.ndjson
│   │   │   ├── Shell process started by a web server - possible web shell or web exploit activity.ndjson
│   │   │   ├── Suspicious Windows Parent Child Process Relationship.ndjson
│   │   │   ├── Suspicious XOR Encoded PowerShell Command Line.ndjson
│   │   │   ├── Suspicious command activity by a web server process - possible web shell activity.ndjson
│   │   │   ├── Suspicious script file execution.ndjson
│   │   │   ├── Svchost process with anomalous parent process.ndjson
│   │   │   ├── Sysprep process activity in the AppData folder - possible Thrip activity.ndjson
│   │   │   ├── Taskmgr process activity by the SYSTEM account.ndjson
│   │   │   ├── Tscon process activity by the SYSTEM account.ndjson
│   │   │   ├── Volume shadow deletion activity - possible ransomware.ndjson
│   │   │   ├── WMI SquiblyTwo Attack.ndjson
│   │   │   ├── WMI script event consumer activity - possible WMI persistence.ndjson
│   │   │   ├── WScript or CScript dropper - possible payload.ndjson
│   │   │   ├── Whoami command activity by a user.ndjson
│   │   │   ├── Winword starting child process FLTLDR.exe - possible CVE-2017-0261 or 2017-0262 activity.ndjson
│   │   │   ├── Winword starting child process MicroScMgmt.exe - possible CVE-2015-1641 activity.ndjson
│   │   │   └── Winword starting child process csc.exe - possible CVE-2017-8759 activity.ndjson
│   │   ├── README.md
│   │   ├── SpaceCake to Sigma Matrix - Event Log Searches.md
│   │   ├── SpaceCake to Sigma Matrix - Process Searches.md
│   │   └── Windows Event Log Searches
│   │       ├── .All Windows Event Searches.ndjson
│   │       ├── DHCP server callout errors - possible DLL injection.ndjson
│   │       ├── DHCP server loaded the callout DLL - possible DLL injection.ndjson
│   │       ├── DNS server error failed loading the ServerLevelPluginDLL - possible DLL injection.ndjson
│   │       ├── Malicious service installed.ndjson
│   │       ├── Malware indicators in Windows event log.ndjson
│   │       ├── Microsoft malware protection engine crashed.ndjson
│   │       ├── Mimikatz indicators in Windows event log.ndjson
│   │       ├── Overpass the hash attempt - logon type 9 (NewCredentials) = possible Mimikatz activity.ndjson
│   │       ├── Pass the hash activity in event logs - possible lateral movement.ndjson
│   │       ├── Password change on a DSRM account - possible persistence.ndjson
│   │       ├── Remote login by an admin user.ndjson
│   │       ├── Ruler hacktool activity.ndjson
│   │       ├── SAM dump activity - password dumping.ndjson
│   │       ├── SID history added to Active Directory object - possible privilege elevation.ndjson
│   │       ├── Security event log was cleared.ndjson
│   │       ├── Suspicious system time modification.ndjson
│   │       ├── System backup catalog deleted.ndjson
│   │       ├── USB device connected.ndjson
│   │       ├── Unusual failed logon codes - possible account tampering.ndjson
│   │       ├── Windows event log cleared.ndjson
│   │       └── smbexec.py service installed.ndjson
│   ├── Spoofed Windows process name - possible malware.ndjson
│   ├── Suspicious process activity in a Windows directory.ndjson
│   ├── Suspicious process started by a script.ndjson
│   ├── WinDump activity.ndjson
│   ├── WinRar activity.ndjson
│   ├── WinSCP network activity.ndjson
│   ├── WinSCP process activity.ndjson
│   ├── Windows - New External Device Attached.ndjson
│   ├── Windows 7Zip activity.ndjson
│   ├── Windows Burp CE activity.ndjson
│   ├── Windows Fiddler proxy activity.ndjson
│   ├── Windows Iodine activity.ndjson
│   ├── Windows Mimikatz activity.ndjson
│   ├── Windows Netcat activity.ndjson
│   ├── Windows Netcat network activity.ndjson
│   ├── Windows Network Monitor activity.ndjson
│   ├── Windows Pipeline Tampering
│   │   ├── README.md
│   │   └── tampering.ndjson
│   ├── Windows WMI command activity.ndjson
│   ├── Windows Wireshark activity.ndjson
│   ├── Windows bulk file copy commands.ndjson
│   ├── Windows certutil command activity.ndjson
│   ├── Windows device driver loaded - event 7045.ndjson
│   ├── Windows device driver loaded - sysmon event 6.ndjson
│   ├── Windows ftp command activity.ndjson
│   ├── Windows image load from a temp directory.ndjson
│   ├── Windows net command activity by the SYSTEM account.ndjson
│   ├── Windows net command activity.ndjson
│   ├── Windows net localgroup command activity.ndjson
│   ├── Windows net use command activity.ndjson
│   ├── Windows net user command activity.ndjson
│   ├── Windows netsh command activity.ndjson
│   ├── Windows networking command activity.ndjson
│   ├── Windows nmap activity.ndjson
│   ├── Windows nmap scan activity.ndjson
│   ├── Windows password dumper activity - pwdump.ndjson
│   ├── Windows process activity in a temp directory.ndjson
│   ├── Windows process activity in a user folder.ndjson
│   ├── Windows process activity in the downloads folder.ndjson
│   ├── Windows process in a suspicious path.ndjson
│   ├── Windows process started by the Java runtime.ndjson
│   ├── Windows putty activity.ndjson
│   ├── Windows runas command activity.ndjson
│   ├── Windows sc command activity.ndjson
│   ├── Windows scheduled task creation.ndjson
│   ├── Windows schtasks command activity.ndjson
│   ├── Windows script interpreter activity.ndjson
│   ├── Windows tasklist command activity.ndjson
│   └── Windows whoami command activity.ndjson
└── img
    ├── adama-cic-2.jpg
    ├── adama-cic.jpg
    ├── cylon 2.jpg
    ├── cylon.jpg
    ├── pacu.png
    ├── snorts.png
    └── snorts2.png

/AWS/Dashboards/CloudTrail Anomaly Detection.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/AWS/Dashboards/CloudTrail Anomaly Detection.ndjson
--------------------------------------------------------------------------------

/AWS/Dashboards/CloudTrail Overview.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/AWS/Dashboards/CloudTrail Overview.ndjson
--------------------------------------------------------------------------------

/AWS/Dashboards/Flows - Local to Remote.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/AWS/Dashboards/Flows - Local to Remote.ndjson
--------------------------------------------------------------------------------

/AWS/Dashboards/Flows - Remote to Local.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/AWS/Dashboards/Flows - Remote to Local.ndjson
--------------------------------------------------------------------------------

/AWS/Dashboards/Flows Overview.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/AWS/Dashboards/Flows Overview.ndjson
--------------------------------------------------------------------------------

/AWS/Dashboards/all-cloudtrail-dashboards.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/AWS/Dashboards/all-cloudtrail-dashboards.ndjson
--------------------------------------------------------------------------------

/AWS/Dashboards/readme.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/AWS/Dashboards/readme.md
--------------------------------------------------------------------------------

/AWS/aws-rules.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/AWS/aws-rules.ndjson
--------------------------------------------------------------------------------

/AWS/readme.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/AWS/readme.md
--------------------------------------------------------------------------------

/Hunt Catalog/Windows.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Hunt Catalog/Windows.md
--------------------------------------------------------------------------------

/Hunt Catalog/authentication.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Hunt Catalog/authentication.md
--------------------------------------------------------------------------------

/Hunt Catalog/cloud.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Hunt Catalog/cloud.md
--------------------------------------------------------------------------------

/Hunt Catalog/correlation.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Hunt Catalog/correlation.md
--------------------------------------------------------------------------------

/Hunt Catalog/cross-platform.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Hunt Catalog/cross-platform.md
--------------------------------------------------------------------------------

/Hunt Catalog/database.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Hunt Catalog/database.md
--------------------------------------------------------------------------------

/Hunt Catalog/exfiltration.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Hunt Catalog/exfiltration.md
--------------------------------------------------------------------------------

/Hunt Catalog/linux.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Hunt Catalog/linux.md
--------------------------------------------------------------------------------

/Hunt Catalog/mac.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Hunt Catalog/mac.md
--------------------------------------------------------------------------------

/Hunt Catalog/machine learning.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Hunt Catalog/machine learning.md
--------------------------------------------------------------------------------

/Hunt Catalog/network.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Hunt Catalog/network.md
--------------------------------------------------------------------------------

/Hunt Catalog/readme.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Hunt Catalog/readme.md
--------------------------------------------------------------------------------

/Hunt Catalog/web.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Hunt Catalog/web.md
--------------------------------------------------------------------------------

/LICENSE.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/LICENSE.md
--------------------------------------------------------------------------------

/Linux/Rules/CVE-2019-14287/Sudo with # char in arguments; possible CVE 2019-14287 LPE.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Rules/CVE-2019-14287/Sudo with # char in arguments; possible CVE 2019-14287 LPE.ndjson
--------------------------------------------------------------------------------

/Linux/Rules/ShmooCon 2020/Linux - Dynamic Linker Configuration Change.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Rules/ShmooCon 2020/Linux - Dynamic Linker Configuration Change.ndjson
--------------------------------------------------------------------------------

/Linux/Rules/ShmooCon 2020/Linux - Dynamic Linker File in Process Arguments.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Rules/ShmooCon 2020/Linux - Dynamic Linker File in Process Arguments.ndjson
--------------------------------------------------------------------------------

/Linux/Rules/ShmooCon 2020/shmoocon-2020-loader-siem-rules.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Rules/ShmooCon 2020/shmoocon-2020-loader-siem-rules.ndjson
--------------------------------------------------------------------------------

/Linux/Rules/linux-rules.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Rules/linux-rules.ndjson
--------------------------------------------------------------------------------

/Linux/Rules/readme.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Rules/readme.md
--------------------------------------------------------------------------------

/Linux/Searches/.All Linux Searches.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/.All Linux Searches.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/.all Linux 2.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/.all Linux 2.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Auditctl Command Activity.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Auditctl Command Activity.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Base64 Command Activity.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Base64 Command Activity.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Compiler Activity.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Compiler Activity.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Cron Activity.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Cron Activity.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Echo Command Activity.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Echo Command Activity.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux FTP Command Activity.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux FTP Command Activity.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Group Changes.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Group Changes.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Hping Activity.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Hping Activity.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Ifconfig Command Activity.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Ifconfig Command Activity.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Iodine Activity.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Iodine Activity.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Java Process Connecting to the Internet.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Java Process Connecting to the Internet.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Kernel Module Activity.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Kernel Module Activity.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Mknod Activity.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Mknod Activity.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Netcat Network Connection.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Netcat Network Connection.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Netcat shell activity.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Netcat shell activity.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Nmap Activity.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Nmap Activity.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Nping Activity.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Nping Activity.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Passwd Command Activity.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Passwd Command Activity.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Port 22 Connection Outbound.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Port 22 Connection Outbound.ndjson
--------------------------------------------------------------------------------

/Linux/Searches/Linux Process Started in Temp Directory.ndjson:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Process Started in Temp Directory.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux Ptrace Activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Ptrace Activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux Rawshark Activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Rawshark Activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux Rdesktop Activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Rdesktop Activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux SCP Activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux SCP Activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux Shell Activity By Web Server.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Shell Activity By Web Server.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux Socat activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Socat 
activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux Strace Activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Strace Activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux Sudo Activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Sudo Activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux Systemctl Activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Systemctl Activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux Tcpdump Activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Tcpdump Activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux Traceroute Command Activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Traceroute Command Activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux User Changes.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux User Changes.ndjson -------------------------------------------------------------------------------- 
/Linux/Searches/Linux Web Client Activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Web Client Activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux Web Download.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Web Download.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux Whoami Commmand.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Whoami Commmand.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux Whois Activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux Whois Activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux busybox process activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux busybox process activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux chmod +s command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux chmod +s command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux dd process activity.ndjson: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux dd process activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux dmesg activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux dmesg activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux env process activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux env process activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux file editor activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux file editor activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux find command activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux find command activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux finger command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux finger command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux flock command activity by a user.ndjson: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux flock command activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux gdb activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux gdb activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux git process activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux git process activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux head command activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux head command activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux ionice command activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux ionice command activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux ip command activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux ip command activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux jrunscript process activity.ndjson: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux jrunscript process activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux ld.so process activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux ld.so process activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux less command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux less command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux lzop activity - possible @JulianRunnels.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux lzop activity - possible @JulianRunnels.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux mail process activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux mail process activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux make process activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux make process activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux makemime activity - possible @JulianRunnels.ndjson: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux makemime activity - possible @JulianRunnels.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux man command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux man command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux more command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux more command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux mount command activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux mount command activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux mv command activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux mv command activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux mysql command activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux mysql command activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux nano activity by 
a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux nano activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux nice command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux nice command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux perl activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux perl activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux process named install.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux process named install.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux python activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux python activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux readelf command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux readelf command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux reverse shell, PHP.ndjson: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux reverse shell, PHP.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux reverse shell, python.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux reverse shell, python.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux reverse shell, ruby.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux reverse shell, ruby.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux rpmquery command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux rpmquery command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux rsynch command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux rsynch command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux ruby activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux ruby activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux run-mailcap command activity.ndjson: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux run-mailcap command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux run-parts command activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux run-parts command activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux screen command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux screen command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux sed command activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux sed command activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux service command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux service command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux sftp command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux sftp command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux smbclient command 
activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux smbclient command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux sort command activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux sort command activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux sqlite process activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux sqlite process activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux start-stop-daemon process activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux start-stop-daemon process activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux tail command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux tail command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux tar command activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux tar command activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux tcp 
device activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux tcp device activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux tcpdump command execution.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux tcpdump command execution.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux tee command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux tee command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux telnet activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux telnet activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux tftp activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux tftp activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux time command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux time command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux uncommon process activity - possible gtfobin.ndjson: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux uncommon process activity - possible gtfobin.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux uniq command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux uniq command activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux unusual shell activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux unusual shell activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux user command activity with shell command arguments.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux user command activity with shell command arguments.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux xargs command activity by a user.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux xargs command activity by a user.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux yum activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux yum activity.ndjson -------------------------------------------------------------------------------- /Linux/Searches/Linux zip 
command activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Searches/Linux zip command activity.ndjson

/Linux/Tests/Linux Event Generators/README.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux Event Generators/README.md

/Linux/Tests/Linux Event Generators/process-atoms.json:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux Event Generators/process-atoms.json

/Linux/Tests/Linux Event Generators/process-reaction.json:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux Event Generators/process-reaction.json

/Linux/Tests/Linux Hping Activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux Hping Activity.ndjson

/Linux/Tests/Linux Iodine Activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux Iodine Activity.ndjson

/Linux/Tests/Linux Kernel Module Activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux Kernel Module Activity.ndjson

/Linux/Tests/Linux Mknod Activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux Mknod Activity.ndjson

/Linux/Tests/Linux Netcat Network Connection.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux Netcat Network Connection.ndjson

/Linux/Tests/Linux Nmap Activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux Nmap Activity.ndjson

/Linux/Tests/Linux Nping Activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux Nping Activity.ndjson

/Linux/Tests/Linux Process Started in Temp Directory.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux Process Started in Temp Directory.ndjson

/Linux/Tests/Linux Socat activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux Socat activity.ndjson

/Linux/Tests/Linux Strace Activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux Strace Activity.ndjson

/Linux/Tests/Linux Tcpdump Activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux Tcpdump Activity.ndjson

/Linux/Tests/Linux Whoami Commmand.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux Whoami Commmand.ndjson

/Linux/Tests/Linux ld.so process activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Linux/Tests/Linux ld.so process activity.ndjson

/Lists/18001-list-directory-traversal.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Lists/18001-list-directory-traversal.md

/Lists/23001-list-linux-accounts.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Lists/23001-list-linux-accounts.md

/Lists/28001-list-SQL-commands.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Lists/28001-list-SQL-commands.md

/Lists/28002-list-RCI-commands.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Lists/28002-list-RCI-commands.md

/Lists/28003-list-environment-variables.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Lists/28003-list-environment-variables.md

/Lists/28004-list-XSS-strings.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Lists/28004-list-XSS-strings.md

/Lists/28005-list-SQL-injection.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Lists/28005-list-SQL-injection.md

/Lists/28006-list-SQL-Windows.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Lists/28006-list-SQL-Windows.md

/Lists/78001-list-web-scanner.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Lists/78001-list-web-scanner.md

/Lists/URI-list.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Lists/URI-list.md

/Network/.all network searches.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/.all network searches.ndjson

/Network/Linux Network - Anomalous Process Using HTTPS Ports.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Linux Network - Anomalous Process Using HTTPS Ports.ndjson

/Network/Network - DNS Directly to the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - DNS Directly to the Internet.ndjson

/Network/Network - FTP (File Transfer Protocol) Activity to the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - FTP (File Transfer Protocol) Activity to the Internet.ndjson

/Network/Network - IRC (Internet Relay Chat) Protocol Activity to the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - IRC (Internet Relay Chat) Protocol Activity to the Internet.ndjson

/Network/Network - NAT Traversal Port Activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - NAT Traversal Port Activity.ndjson

/Network/Network - PPTP (Point to Point Tunneling Protocol) Activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - PPTP (Point to Point Tunneling Protocol) Activity.ndjson

/Network/Network - Port 26 Activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - Port 26 Activity.ndjson

/Network/Network - Port 8000 Activity to the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - Port 8000 Activity to the Internet.ndjson

/Network/Network - Port 8000 Activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - Port 8000 Activity.ndjson

/Network/Network - Proxy Port Activity to the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - Proxy Port Activity to the Internet.ndjson

/Network/Network - RDP (Remote Desktop Protocol) from the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - RDP (Remote Desktop Protocol) from the Internet.ndjson

/Network/Network - RDP (Remote Desktop Protocol) to the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - RDP (Remote Desktop Protocol) to the Internet.ndjson

/Network/Network - RPC (Remote Procedure Call) from the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - RPC (Remote Procedure Call) from the Internet.ndjson

/Network/Network - RPC (Remote Procedure Call) to the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - RPC (Remote Procedure Call) to the Internet.ndjson

/Network/Network - SMB (Windows File Sharing) Activity to the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - SMB (Windows File Sharing) Activity to the Internet.ndjson

/Network/Network - SMTP to the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - SMTP to the Internet.ndjson

/Network/Network - SQL Server Port Activity to the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - SQL Server Port Activity to the Internet.ndjson

/Network/Network - SSH (Secure Shell) from the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - SSH (Secure Shell) from the Internet.ndjson

/Network/Network - SSH (Secure Shell) to the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - SSH (Secure Shell) to the Internet.ndjson

/Network/Network - Telnet Port Activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - Telnet Port Activity.ndjson

/Network/Network - Tor Activity to the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - Tor Activity to the Internet.ndjson

/Network/Network - VNC (Virtual Network Computing) From the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - VNC (Virtual Network Computing) From the Internet.ndjson

/Network/Network - VNC (Virtual Network Computing) To the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network - VNC (Virtual Network Computing) To the Internet.ndjson

/Network/Network Event Generator/README.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network Event Generator/README.md

/Network/Network Event Generator/network-atoms.json:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network Event Generator/network-atoms.json

/Network/Network Event Generator/network-reaction.json:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Network Event Generator/network-reaction.json

/Network/README.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/README.md

/Network/Windows Network - Anomalous Windows Process Using HTTPS Ports.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Network/Windows Network - Anomalous Windows Process Using HTTPS Ports.ndjson

/README.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/README.md

/Suricata/Searches/.all Suricata searches.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/.all Suricata searches.ndjson

/Suricata/Searches/Suricata Base64 Encoded Invoke-Command Powershell Execution.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata Base64 Encoded Invoke-Command Powershell Execution.ndjson

/Suricata/Searches/Suricata Base64 Encoded New-Object Powershell Execution.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata Base64 Encoded New-Object Powershell Execution.ndjson

/Suricata/Searches/Suricata Base64 Encoded Start-Process Powershell Execution.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata Base64 Encoded Start-Process Powershell Execution.ndjson

/Suricata/Searches/Suricata CobaltStrike Artifact in an DNS Request.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata CobaltStrike Artifact in an DNS Request.ndjson

/Suricata/Searches/Suricata Commonly Abused DNS Domain Detected.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata Commonly Abused DNS Domain Detected.ndjson

/Suricata/Searches/Suricata DNS Traffic on Unusual TCP Port.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata DNS Traffic on Unusual TCP Port.ndjson

/Suricata/Searches/Suricata DNS Traffic on Unusual UDP Port.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata DNS Traffic on Unusual UDP Port.ndjson

/Suricata/Searches/Suricata Directory Reversal Characters in an HTTP Request.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata Directory Reversal Characters in an HTTP Request.ndjson

/Suricata/Searches/Suricata Directory Traversal Characters in HTTP Response.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata Directory Traversal Characters in HTTP Response.ndjson

/Suricata/Searches/Suricata Directory Traversal in Downloaded Zip File.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata Directory Traversal in Downloaded Zip File.ndjson

/Suricata/Searches/Suricata Double Encoded Characters in a URI.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata Double Encoded Characters in a URI.ndjson

/Suricata/Searches/Suricata Double Encoded Characters in an HTTP POST.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata Double Encoded Characters in an HTTP POST.ndjson

/Suricata/Searches/Suricata FTP Traffic on Unusual Port, Internet Destination.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata FTP Traffic on Unusual Port, Internet Destination.ndjson

/Suricata/Searches/Suricata HTTP Traffic On Unusual Port, Internet Destination.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata HTTP Traffic On Unusual Port, Internet Destination.ndjson

/Suricata/Searches/Suricata IMAP Traffic on Unusual Port, internet Destination.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata IMAP Traffic on Unusual Port, internet Destination.ndjson

/Suricata/Searches/Suricata LaZagne Artifact in an HTTP POST.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata LaZagne Artifact in an HTTP POST.ndjson

/Suricata/Searches/Suricata Mimikatz Artifacts in an HTTP POST.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata Mimikatz Artifacts in an HTTP POST.ndjson

/Suricata/Searches/Suricata Mimikatz String Detected in HTTP Response.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata Mimikatz String Detected in HTTP Response.ndjson

/Suricata/Searches/Suricata Possible Cobalt Strike Malleable C2 Null Response.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata Possible Cobalt Strike Malleable C2 Null Response.ndjson

/Suricata/Searches/Suricata Possible SQL Injection - SQL Commands in HTTP Transactions.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata Possible SQL Injection - SQL Commands in HTTP Transactions.ndjson

/Suricata/Searches/Suricata RPC Traffic on HTTP Ports.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata RPC Traffic on HTTP Ports.ndjson

/Suricata/Searches/Suricata SSH Traffic Not on Port 22, Internet Destination.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata SSH Traffic Not on Port 22, Internet Destination.ndjson

/Suricata/Searches/Suricata Serialized PHP Detected.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata Serialized PHP Detected.ndjson

/Suricata/Searches/Suricata TLS Traffic on Unusual Port, Internet Destination.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata TLS Traffic on Unusual Port, Internet Destination.ndjson

/Suricata/Searches/Suricata Windows Executable Served by JPEG Web Content.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata Windows Executable Served by JPEG Web Content.ndjson

/Suricata/Searches/Suricata eval PHP Function in an HTTP Request.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata eval PHP Function in an HTTP Request.ndjson

/Suricata/Searches/Suricata non-DNS Traffic on TCP Port 53.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata non-DNS Traffic on TCP Port 53.ndjson

/Suricata/Searches/Suricata non-DNS Traffic on UDP Port 53.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata non-DNS Traffic on UDP Port 53.ndjson

/Suricata/Searches/Suricata non-FTP Traffic on Port 21.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata non-FTP Traffic on Port 21.ndjson

/Suricata/Searches/Suricata non-HTTP Traffic on TCP Port 80.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata non-HTTP Traffic on TCP Port 80.ndjson

/Suricata/Searches/Suricata non-IMAP Traffic on Port 1443 (IMAP).ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata non-IMAP Traffic on Port 1443 (IMAP).ndjson

/Suricata/Searches/Suricata non-SMB Traffic on TCP Port 139 (SMB).ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata non-SMB Traffic on TCP Port 139 (SMB).ndjson

/Suricata/Searches/Suricata non-SSH Traffic on Port 22.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata non-SSH Traffic on Port 22.ndjson

/Suricata/Searches/Suricata non-TLS on TLS Port.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata non-TLS on TLS Port.ndjson

/Suricata/Searches/Suricata shell_exec PHP Function in an HTTP POST.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/Suricata shell_exec PHP Function in an HTTP POST.ndjson

/Suricata/Searches/readme.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/Searches/readme.md

/Suricata/readme.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/readme.md

/Suricata/suricata-siem-rules.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Suricata/suricata-siem-rules.ndjson

/Windows/.all windows rules.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/.all windows rules.ndjson

/Windows/Anomalous process started as SYSTEM.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Anomalous process started as SYSTEM.ndjson

/Windows/Anomalous process started by Internet Explorer.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Anomalous process started by Internet Explorer.ndjson

/Windows/BlueKeep Activity Failed Logins for Username AAAAAAA.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/BlueKeep Activity Failed Logins for Username AAAAAAA.ndjson

/Windows/CVE-2020-0601/CVE-2020-0601-siem-rules.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/CVE-2020-0601/CVE-2020-0601-siem-rules.ndjson

/Windows/CVE-2020-0601/README.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/CVE-2020-0601/README.md

/Windows/CVE-2020-0601/Windows Audit-CVE Event Log Message - CVE-2020-0601 Indicator.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/CVE-2020-0601/Windows Audit-CVE Event Log Message - CVE-2020-0601 Indicator.ndjson

/Windows/CVE-2020-0601/Windows crypt32.dll Vulnerable to CVE-2020-0601.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/CVE-2020-0601/Windows crypt32.dll Vulnerable to CVE-2020-0601.ndjson

/Windows/CVE-2020-0688/Command Shell Started by IIS Worker.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/CVE-2020-0688/Command Shell Started by IIS Worker.ndjson

/Windows/Cacls command activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Cacls command activity.ndjson

/Windows/Command shell started by Internet Explorer.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Command shell started by Internet Explorer.ndjson

/Windows/Command shell started by Powershell.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Command shell started by Powershell.ndjson

/Windows/Command shell started by Svchost.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Command shell started by Svchost.ndjson

/Windows/FileZilla network activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/FileZilla network activity.ndjson

/Windows/FileZilla process activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/FileZilla process activity.ndjson

/Windows/Internet LOLBins/.all internet calling lolbins.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Internet LOLBins/.all internet calling lolbins.ndjson

/Windows/Internet LOLBins/README.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Internet LOLBins/README.md

/Windows/Internet LOLBins/Windows Background Intelligent Transfer Service (BITS) Connecting to the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Internet LOLBins/Windows Background Intelligent Transfer Service (BITS) Connecting to the Internet.ndjson

/Windows/Internet LOLBins/Windows Certutil Connecting to the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Internet LOLBins/Windows Certutil Connecting to the Internet.ndjson

/Windows/Internet LOLBins/Windows Command Prompt Connecting to the Internet.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Internet LOLBins/Windows Command Prompt Connecting to the Internet.ndjson

/Windows/Internet LOLBins/Windows HTML Help executable
Program Connecting to the Internet.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Internet LOLBins/Windows HTML Help executable Program Connecting to the Internet.ndjson -------------------------------------------------------------------------------- /Windows/Internet LOLBins/Windows Microsoft HTML Application (HTA) Connecting to the Internet.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Internet LOLBins/Windows Microsoft HTML Application (HTA) Connecting to the Internet.ndjson -------------------------------------------------------------------------------- /Windows/Internet LOLBins/Windows Misc LOLBin Connecting to the Internet.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Internet LOLBins/Windows Misc LOLBin Connecting to the Internet.ndjson -------------------------------------------------------------------------------- /Windows/Internet LOLBins/Windows Powershell Connecting to the Internet.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Internet LOLBins/Windows Powershell Connecting to the Internet.ndjson -------------------------------------------------------------------------------- /Windows/Internet LOLBins/Windows Register Server Program Connecting to the Internet.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Internet LOLBins/Windows Register Server Program Connecting to the Internet.ndjson -------------------------------------------------------------------------------- /Windows/Internet LOLBins/Windows Script Interpreter 
Connecting to the Internet.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Internet LOLBins/Windows Script Interpreter Connecting to the Internet.ndjson -------------------------------------------------------------------------------- /Windows/Ipconfig command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Ipconfig command activity.ndjson -------------------------------------------------------------------------------- /Windows/MSBuild and Silent Trinity/MSBuild-searches.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/MSBuild and Silent Trinity/MSBuild-searches.ndjson -------------------------------------------------------------------------------- /Windows/MSBuild and Silent Trinity/MSBuild-siem-rules.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/MSBuild and Silent Trinity/MSBuild-siem-rules.ndjson -------------------------------------------------------------------------------- /Windows/MSBuild and Silent Trinity/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/MSBuild and Silent Trinity/README.md -------------------------------------------------------------------------------- /Windows/PSexec activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/PSexec activity.ndjson -------------------------------------------------------------------------------- /Windows/Powershell download from a URI.ndjson: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Powershell download from a URI.ndjson -------------------------------------------------------------------------------- /Windows/Powershell network connection.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Powershell network connection.ndjson -------------------------------------------------------------------------------- /Windows/Process started by Acrobat reader - possible payload.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Process started by Acrobat reader - possible payload.ndjson -------------------------------------------------------------------------------- /Windows/Process started by MS Office program - possible payload.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Process started by MS Office program - possible payload.ndjson -------------------------------------------------------------------------------- /Windows/Process started by Norton Security.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Process started by Norton Security.ndjson -------------------------------------------------------------------------------- /Windows/Process started by Windows Defender.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Process started by Windows Defender.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/.all sentinel searches.ndjson: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/.all sentinel searches.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/README.md -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Credential Dumping Commands.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Credential Dumping Commands.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Credential Dumping via ImageLoad.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Credential Dumping via ImageLoad.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Credential Dumping via Registry Save.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Credential Dumping via Registry Save.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Data Compression Using Powershell.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Data Compression Using Powershell.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Defense Evasion - 
Decoding Using Certutil.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Defense Evasion - Decoding Using Certutil.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Defense Evasion or Persistence via Hidden Files.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Defense Evasion or Persistence via Hidden Files.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Defense Evasion via Windows Event Log Tools.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Defense Evasion via Windows Event Log Tools.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Defense evasion via Filter Manager.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Defense evasion via Filter Manager.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Execution via .NET COM Assemblies.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Execution via .NET COM Assemblies.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Execution via Compiled HTML File.ndjson: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Execution via Compiled HTML File.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Execution via Connection Manager.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Execution via Connection Manager.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Execution via Microsoft HTML Application (HTA).ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Execution via Microsoft HTML Application (HTA).ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Execution via Regsvr32.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Execution via Regsvr32.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Execution via Trusted Developer Utilities.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Execution via Trusted Developer Utilities.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Indirect Command Execution.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Indirect Command Execution.ndjson -------------------------------------------------------------------------------- 
/Windows/Sentinel/Windows Management Instrumentation (WMI) Execution.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Management Instrumentation (WMI) Execution.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Payload Obfuscation via Certutil.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Payload Obfuscation via Certutil.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Persistence or Priv Escalation via Hooking.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Persistence or Priv Escalation via Hooking.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Persistence via Application Shimming.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Persistence via Application Shimming.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Persistence via BITS Jobs.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Persistence via BITS Jobs.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Persistence via Modification of Existing Service.ndjson: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Persistence via Modification of Existing Service.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Persistence via Netshell Helper DLL.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Persistence via Netshell Helper DLL.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Priv Escalation via Accessibility Features.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Priv Escalation via Accessibility Features.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Process Discovery via Tasklist Command.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Process Discovery via Tasklist Command.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Registry Query, Local.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Registry Query, Local.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Registry Query, Network.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Registry Query, Network.ndjson -------------------------------------------------------------------------------- 
/Windows/Sentinel/Windows Remote Management Execution.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Remote Management Execution.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Scheduled Task Activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Scheduled Task Activity.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Signed Binary Proxy Execution Download.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Signed Binary Proxy Execution Download.ndjson -------------------------------------------------------------------------------- /Windows/Sentinel/Windows Signed Binary Proxy Execution.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sentinel/Windows Signed Binary Proxy Execution.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/.All Windows process rules.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/.All Windows process rules.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Active Directory diagnostic tool utility - possible attack on the NTDS.DIT database.ndjson: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Active Directory diagnostic tool utility - possible attack on the NTDS.DIT database.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Active Directory group policy directory access by a process.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Active Directory group policy directory access by a process.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Anomalous calculator process.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Anomalous calculator process.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Anomalous child process started by the userinit process.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Anomalous child process started by the userinit process.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Anomalous parent process for csc.exe - possible payload delivery.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Anomalous parent process for csc.exe - possible payload delivery.ndjson 
-------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/BITSadmin file download activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/BITSadmin file download activity.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Certutil file encoding activity - possible data exfil.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Certutil file encoding activity - possible data exfil.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Clearing of the WMI trace log - possible LockaerGoga ransomware activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Clearing of the WMI trace log - possible LockaerGoga ransomware activity.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Cmdkey Cached Credentials Recon.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Cmdkey Cached Credentials Recon.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Command execution with URL and AppData parameters - possible dropper.ndjson: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Command execution with URL and AppData parameters - possible dropper.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Command that clears the WMI trace log - possible LockerGoga ransomware activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Command that clears the WMI trace log - possible LockerGoga ransomware activity.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Empire PowerShell launch parameters - possible Empire activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Empire PowerShell launch parameters - possible Empire activity.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Execution of Renamed PaExec.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Execution of Renamed PaExec.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/IIS Native-Code Module Command Line Installation.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/IIS Native-Code Module Command Line Installation.ndjson 
-------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Java process activity in the AppData folder as used by Adwind JRAT malware.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Java process activity in the AppData folder as used by Adwind JRAT malware.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Java process running with remote debugging enabled.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Java process running with remote debugging enabled.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/MBR modifications by bcdedit.exe - possible ransomware.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/MBR modifications by bcdedit.exe - possible ransomware.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/MS Office Product starting a process in a user directory - possible payload.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/MS Office Product starting a process in a user directory - possible payload.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/MSHTA Spawning Windows Shell.ndjson: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/MSHTA Spawning Windows Shell.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/MSHTA spwaned by SVCHOST as seen in LethalHTA.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/MSHTA spwaned by SVCHOST as seen in LethalHTA.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/MavInject Process Injection.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/MavInject Process Injection.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Microsoft Workflow Compiler activity - possible execution of arbitrary unsigned code.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Microsoft Workflow Compiler activity - possible execution of arbitrary unsigned code.ndjson -------------------------------------------------------------------------------- /Windows/Sigma Searches/Process Event Searches/Netsh Allow Incoming Connections by Port or Application on Windows Firewall.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Netsh Allow Incoming Connections by Port or Application on Windows 
Firewall.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Netsh Port Forwarding.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Netsh Port Forwarding.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Netsh RDP Port Forwarding of Port 3389 - RDP tunneling.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Netsh RDP Port Forwarding of Port 3389 - RDP tunneling.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Netsh RDP Port Forwarding.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Netsh RDP Port Forwarding.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Notepad++ updater in an anomalous directory - possible DLL side-loading attack.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Notepad++ updater in an anomalous directory - possible DLL side-loading attack.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Ping command using a hexidecimal IP address.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Ping command using a hexidecimal IP address.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Possible Applocker Bypass.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Possible Applocker Bypass.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Possible CVE-2017-1882 exploit starting child processes from EQNEDT32.EXE.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Possible CVE-2017-1882 exploit starting child processes from EQNEDT32.EXE.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Possible shim database persistence via sdbinst.exe writing to default shim database path.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Possible shim database persistence via sdbinst.exe writing to default shim database path.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/PowerShell Base64 Encoded Shellcode.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/PowerShell Base64 Encoded Shellcode.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/PowerShell download from URL - possible payload.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/PowerShell download from URL - possible payload.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Powershell AMSI bypass via .NET reflection - possible attempt to disable AMSI scanning.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Powershell AMSI bypass via .NET reflection - possible attempt to disable AMSI scanning.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Powershell activity by the WMI service.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Powershell activity by the WMI service.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Powershell activity in an AppData folder - suspicious powershell activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Powershell activity in an AppData folder - suspicious powershell activity.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Powershell execution via a DLL.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Powershell execution via a DLL.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Powershell process started by a script interpreter.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Powershell process started by a script interpreter.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Procdump activity on the lsass.exe process.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Procdump activity on the lsass.exe process.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Process Execution in web server document root folder.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Process Execution in web server document root folder.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Process started by MMC - possible lateral movement using the MMC application's COM object.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Process started by MMC - possible lateral movement using the MMC application's COM object.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Process started by the Task Manager.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Process started by the Task Manager.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Process started by the terminal service server - possible Bluekeep CVE-2019-0708 exploit activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Process started by the terminal service server - possible Bluekeep CVE-2019-0708 exploit activity.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/PsExec Service Start.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/PsExec Service Start.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/RASdial process activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/RASdial process activity.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/RDP session redirect activity using TSCON.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/RDP session redirect activity using TSCON.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Renamed Powershell.exe.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Renamed Powershell.exe.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Rundll32 execution from control.exe as used by Equation Group and Exploit Kits.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Rundll32 execution from control.exe as used by Equation Group and Exploit Kits.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Scheduled task creation by a user.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Scheduled task creation by a user.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Service principal name enumeration - possible Kerberoasting.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Service principal name enumeration - possible Kerberoasting.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Shell process started by a web server - possible web shell or web exploit activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Shell process started by a web server - possible web shell or web exploit activity.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Suspicious Windows Parent Child Process Relationship.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Suspicious Windows Parent Child Process Relationship.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Suspicious XOR Encoded PowerShell Command Line.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Suspicious XOR Encoded PowerShell Command Line.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Suspicious command activity by a web server process - possible web shell activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Suspicious command activity by a web server process - possible web shell activity.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Suspicious script file execution.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Suspicious script file execution.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Svchost process with anomalous parent process.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Svchost process with anomalous parent process.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Sysprep process activity in the AppData folder - possible Thrip activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Sysprep process activity in the AppData folder - possible Thrip activity.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Taskmgr process activity by the SYSTEM account.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Taskmgr process activity by the SYSTEM account.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Tscon process activity by the SYSTEM account.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Tscon process activity by the SYSTEM account.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Volume shadow deletion activity - possible ransomware.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Volume shadow deletion activity - possible ransomware.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/WMI SquiblyTwo Attack.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/WMI SquiblyTwo Attack.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/WMI script event consumer activity - possible WMI persistence.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/WMI script event consumer activity - possible WMI persistence.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/WScript or CScript dropper - possible payload.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/WScript or CScript dropper - possible payload.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Whoami command activity by a user.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Whoami command activity by a user.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Winword starting child process FLTLDR.exe - possible CVE-2017-0261 or 2017-0262 activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Winword starting child process FLTLDR.exe - possible CVE-2017-0261 or 2017-0262 activity.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Winword starting child process MicroScMgmt.exe - possible CVE-2015-1641 activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Winword starting child process MicroScMgmt.exe - possible CVE-2015-1641 activity.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Process Event Searches/Winword starting child process csc.exe - possible CVE-2017-8759 activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Process Event Searches/Winword starting child process csc.exe - possible CVE-2017-8759 activity.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/README.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/README.md
--------------------------------------------------------------------------------
/Windows/Sigma Searches/SpaceCake to Sigma Matrix - Event Log Searches.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/SpaceCake to Sigma Matrix - Event Log Searches.md
--------------------------------------------------------------------------------
/Windows/Sigma Searches/SpaceCake to Sigma Matrix - Process Searches.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/SpaceCake to Sigma Matrix - Process Searches.md
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/.All Windows Event Searches.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/.All Windows Event Searches.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/DHCP server callout errors - possible DLL injection.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/DHCP server callout errors - possible DLL injection.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/DHCP server loaded the callout DLL - possible DLL injection.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/DHCP server loaded the callout DLL - possible DLL injection.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/DNS server error failed loading the ServerLevelPluginDLL - possible DLL injection.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/DNS server error failed loading the ServerLevelPluginDLL - possible DLL injection.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/Malicious service installed.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/Malicious service installed.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/Malware indicators in Windows event log.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/Malware indicators in Windows event log.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/Microsoft malware protection engine crashed.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/Microsoft malware protection engine crashed.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/Mimikatz indicators in Windows event log.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/Mimikatz indicators in Windows event log.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/Overpass the hash attempt - logon type 9 (NewCredentials) = possible Mimikatz activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/Overpass the hash attempt - logon type 9 (NewCredentials) = possible Mimikatz activity.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/Pass the hash activity in event logs - possible lateral movement.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/Pass the hash activity in event logs - possible lateral movement.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/Password change on a DSRM account - possible persistence.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/Password change on a DSRM account - possible persistence.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/Remote login by an admin user.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/Remote login by an admin user.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/Ruler hacktool activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/Ruler hacktool activity.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/SAM dump activity - password dumping.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/SAM dump activity - password dumping.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/SID history added to Active Directory object - possible privilege elevation.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/SID history added to Active Directory object - possible privilege elevation.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/Security event log was cleared.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/Security event log was cleared.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/Suspicious system time modification.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/Suspicious system time modification.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/System backup catalog deleted.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/System backup catalog deleted.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/USB device connected.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/USB device connected.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/Unusual failed logon codes - possible account tampering.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/Unusual failed logon codes - possible account tampering.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/Windows event log cleared.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/Windows event log cleared.ndjson
--------------------------------------------------------------------------------
/Windows/Sigma Searches/Windows Event Log Searches/smbexec.py service installed.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Sigma Searches/Windows Event Log Searches/smbexec.py service installed.ndjson
--------------------------------------------------------------------------------
/Windows/Spoofed Windows process name - possible malware.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Spoofed Windows process name - possible malware.ndjson
--------------------------------------------------------------------------------
/Windows/Suspicious process activity in a Windows directory.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Suspicious process activity in a Windows directory.ndjson
--------------------------------------------------------------------------------
/Windows/Suspicious process started by a script.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Suspicious process started by a script.ndjson
--------------------------------------------------------------------------------
/Windows/WinDump activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/WinDump activity.ndjson
--------------------------------------------------------------------------------
/Windows/WinRar activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/WinRar activity.ndjson
--------------------------------------------------------------------------------
/Windows/WinSCP network activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/WinSCP network activity.ndjson
--------------------------------------------------------------------------------
/Windows/WinSCP process activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/WinSCP process activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows - New External Device Attached.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows - New External Device Attached.ndjson
--------------------------------------------------------------------------------
/Windows/Windows 7Zip activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows 7Zip activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows Burp CE activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows Burp CE activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows Fiddler proxy activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows Fiddler proxy activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows Iodine activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows Iodine activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows Mimikatz activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows Mimikatz activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows Netcat activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows Netcat activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows Netcat network activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows Netcat network activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows Network Monitor activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows Network Monitor activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows Pipeline Tampering/README.md:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows Pipeline Tampering/README.md
--------------------------------------------------------------------------------
/Windows/Windows Pipeline Tampering/tampering.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows Pipeline Tampering/tampering.ndjson
--------------------------------------------------------------------------------
/Windows/Windows WMI command activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows WMI command activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows Wireshark activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows Wireshark activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows bulk file copy commands.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows bulk file copy commands.ndjson
--------------------------------------------------------------------------------
/Windows/Windows certutil command activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows certutil command activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows device driver loaded - event 7045.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows device driver loaded - event 7045.ndjson
--------------------------------------------------------------------------------
/Windows/Windows device driver loaded - sysmon event 6.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows device driver loaded - sysmon event 6.ndjson
--------------------------------------------------------------------------------
/Windows/Windows ftp command activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows ftp command activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows image load from a temp directory.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows image load from a temp directory.ndjson
--------------------------------------------------------------------------------
/Windows/Windows net command activity by the SYSTEM account.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows net command activity by the SYSTEM account.ndjson
--------------------------------------------------------------------------------
/Windows/Windows net command activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows net command activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows net localgroup command activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows net localgroup command activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows net use command activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows net use command activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows net user command activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows net user command activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows netsh command activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows netsh command activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows networking command activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows networking command activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows nmap activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows nmap activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows nmap scan activity.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows nmap scan activity.ndjson
--------------------------------------------------------------------------------
/Windows/Windows password dumper activity - pwdump.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows password dumper activity - pwdump.ndjson
--------------------------------------------------------------------------------
/Windows/Windows process activity in a temp directory.ndjson:
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows process activity in a temp directory.ndjson
--------------------------------------------------------------------------------
/Windows/Windows process activity in a user folder.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows process activity in a user folder.ndjson -------------------------------------------------------------------------------- /Windows/Windows process activity in the downloads folder.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows process activity in the downloads folder.ndjson -------------------------------------------------------------------------------- /Windows/Windows process in a suspicious path.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows process in a suspicious path.ndjson -------------------------------------------------------------------------------- /Windows/Windows process started by the Java runtime.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows process started by the Java runtime.ndjson -------------------------------------------------------------------------------- /Windows/Windows putty activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows putty activity.ndjson -------------------------------------------------------------------------------- /Windows/Windows runas command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows runas command activity.ndjson -------------------------------------------------------------------------------- /Windows/Windows sc command 
activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows sc command activity.ndjson -------------------------------------------------------------------------------- /Windows/Windows scheduled task creation.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows scheduled task creation.ndjson -------------------------------------------------------------------------------- /Windows/Windows schtasks command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows schtasks command activity.ndjson -------------------------------------------------------------------------------- /Windows/Windows script interpreter activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows script interpreter activity.ndjson -------------------------------------------------------------------------------- /Windows/Windows tasklist command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows tasklist command activity.ndjson -------------------------------------------------------------------------------- /Windows/Windows whoami command activity.ndjson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/Windows/Windows whoami command activity.ndjson -------------------------------------------------------------------------------- /img/adama-cic-2.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/randomuserid/Adama/HEAD/img/adama-cic-2.jpg -------------------------------------------------------------------------------- /img/adama-cic.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/img/adama-cic.jpg -------------------------------------------------------------------------------- /img/cylon 2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/img/cylon 2.jpg -------------------------------------------------------------------------------- /img/cylon.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/img/cylon.jpg -------------------------------------------------------------------------------- /img/pacu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/img/pacu.png -------------------------------------------------------------------------------- /img/snorts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/img/snorts.png -------------------------------------------------------------------------------- /img/snorts2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/randomuserid/Adama/HEAD/img/snorts2.png --------------------------------------------------------------------------------