Repository file index for tsale/Sigma_rules (raw files are served from https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/ followed by the path shown):

├── .gitignore
├── LICENSE
├── LOL_BINs
│   ├── proc_creation_windows_Dumpbin_LoLBin.yml
│   ├── proc_creation_windows_MSTeams_side-loading.yml
│   ├── proc_creation_windows_VSDiagnostics_LoLBin.yml
│   ├── proc_creation_windows_Wermgr_injection.yml
│   ├── proc_creation_windows_appcmd.yml
│   ├── proc_creation_windows_cmstp_fake_profiles.yml
│   ├── proc_creation_windows_devdrv_bypass_fsutil.yml
│   ├── proc_creation_windows_errorhandler_persistence.yml
│   ├── proc_creation_windows_setup_pythonw.yml
│   ├── proc_creation_windows_udl_exec.yml
│   └── registry_set_devdrv_bypass_registry.yml
├── MISC
│   ├── proc_creation_windows_AMSI_Bypass.yml
│   ├── proc_creation_windows_AlltTheEmojis.yml
│   ├── proc_creation_windows_DisableRestrictedAdmin.yml
│   ├── proc_creation_windows_Powershell_downloader_cradle.yml
│   ├── proc_creation_windows_explorer_shell_execute.yml
│   ├── proc_creation_windows_hh_LOLBA.yml
│   ├── proc_creation_windows_pythonfunctionwarnings_disabled.yml
│   ├── proc_creation_windows_reg_enabling_rdp.yml
│   ├── proc_creation_windows_registry_hide_user.yml
│   ├── proc_creation_windows_schtask_enc-psh.yml
│   ├── proc_creation_windows_schtasks_win-def-removal.yml
│   └── proc_creation_windows_win-lazagne.yml
├── README.md
├── Threat Hunting Queries
│   ├── README.md
│   ├── proc_creation_windows_Action1_RMM.yml
│   ├── proc_creation_windows_Anyviewer.yml
│   ├── proc_creation_windows_MOVEit_exploitation.yml
│   ├── proc_creation_windows_ammyy_admin.yml
│   ├── proc_creation_windows_exec_script_from_zip.yml
│   └── proc_creation_windows_meshagent.yml
├── check_required_fields.py
├── id_generation.py
├── malware
│   ├── proc_creation_windows_ChromeLoader.yml
│   ├── proc_creation_windows_Emotet_04_22.yml
│   ├── proc_creation_windows_Explorer_NOUACCHECK.yml
│   ├── proc_creation_windows_GuLoader_08_07.yml
│   ├── proc_creation_windows_OneNote_Execution.yml
│   ├── proc_creation_windows_Raspberry_Robin_mal-exec.yml
│   ├── proc_creation_windows_Raspberry_Robin_usb-exec.yml
│   ├── proc_creation_windows_Serpent_payload_exec.yml
│   ├── proc_creation_windows_SocGholish_FakeUpdates.yml
│   └── proc_creation_windows_Ursnif_cmd_redirection.yml
├── renaming.py
├── vulnerability_exploitation
│   ├── proc_creation_windows_7z_CVE-2022-29072.yml
│   ├── proc_creation_windows_VMWare_CVE-2022-22954.yml
│   └── proc_creation_windows_VMware_Horizon_LOG4J.yml
└── windows_exploitation
    ├── net_connection_windows_ADWS_abuse.yml
    ├── proc_creation_windows_SOAPHound.yml
    ├── proc_creation_windows_WSUS_abuse.yml
    ├── proc_creation_windows_ms-msdt_exploitation.yml
    ├── proc_creation_windows_sdiagnhost-ms-msdt_exploitation.yml
    ├── proc_creation_windows_zero_exe.yml
    ├── win_security_DC_Impersonation.yml
    ├── win_security_KrbRelayUp.yml
    ├── win_security_LAPS_CredDumping.yml
    └── win_security_kerberoasting_activity.yml

Raw file URLs, one per repository path:

/.gitignore: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/.gitignore
/LICENSE: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/LICENSE
/LOL_BINs/proc_creation_windows_Dumpbin_LoLBin.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/LOL_BINs/proc_creation_windows_Dumpbin_LoLBin.yml
/LOL_BINs/proc_creation_windows_MSTeams_side-loading.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/LOL_BINs/proc_creation_windows_MSTeams_side-loading.yml
/LOL_BINs/proc_creation_windows_VSDiagnostics_LoLBin.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/LOL_BINs/proc_creation_windows_VSDiagnostics_LoLBin.yml
/LOL_BINs/proc_creation_windows_Wermgr_injection.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/LOL_BINs/proc_creation_windows_Wermgr_injection.yml
/LOL_BINs/proc_creation_windows_appcmd.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/LOL_BINs/proc_creation_windows_appcmd.yml
/LOL_BINs/proc_creation_windows_cmstp_fake_profiles.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/LOL_BINs/proc_creation_windows_cmstp_fake_profiles.yml
/LOL_BINs/proc_creation_windows_devdrv_bypass_fsutil.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/LOL_BINs/proc_creation_windows_devdrv_bypass_fsutil.yml
/LOL_BINs/proc_creation_windows_errorhandler_persistence.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/LOL_BINs/proc_creation_windows_errorhandler_persistence.yml
/LOL_BINs/proc_creation_windows_setup_pythonw.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/LOL_BINs/proc_creation_windows_setup_pythonw.yml
/LOL_BINs/proc_creation_windows_udl_exec.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/LOL_BINs/proc_creation_windows_udl_exec.yml
/LOL_BINs/registry_set_devdrv_bypass_registry.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/LOL_BINs/registry_set_devdrv_bypass_registry.yml
/MISC/proc_creation_windows_AMSI_Bypass.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/MISC/proc_creation_windows_AMSI_Bypass.yml
/MISC/proc_creation_windows_AlltTheEmojis.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/MISC/proc_creation_windows_AlltTheEmojis.yml
/MISC/proc_creation_windows_DisableRestrictedAdmin.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/MISC/proc_creation_windows_DisableRestrictedAdmin.yml
/MISC/proc_creation_windows_Powershell_downloader_cradle.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/MISC/proc_creation_windows_Powershell_downloader_cradle.yml
/MISC/proc_creation_windows_explorer_shell_execute.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/MISC/proc_creation_windows_explorer_shell_execute.yml
/MISC/proc_creation_windows_hh_LOLBA.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/MISC/proc_creation_windows_hh_LOLBA.yml
/MISC/proc_creation_windows_pythonfunctionwarnings_disabled.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/MISC/proc_creation_windows_pythonfunctionwarnings_disabled.yml
/MISC/proc_creation_windows_reg_enabling_rdp.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/MISC/proc_creation_windows_reg_enabling_rdp.yml
/MISC/proc_creation_windows_registry_hide_user.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/MISC/proc_creation_windows_registry_hide_user.yml
/MISC/proc_creation_windows_schtask_enc-psh.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/MISC/proc_creation_windows_schtask_enc-psh.yml
/MISC/proc_creation_windows_schtasks_win-def-removal.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/MISC/proc_creation_windows_schtasks_win-def-removal.yml
/MISC/proc_creation_windows_win-lazagne.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/MISC/proc_creation_windows_win-lazagne.yml
/README.md: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/README.md
/Threat Hunting Queries/README.md: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/Threat Hunting Queries/README.md
/Threat Hunting Queries/proc_creation_windows_Action1_RMM.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/Threat Hunting Queries/proc_creation_windows_Action1_RMM.yml
/Threat Hunting Queries/proc_creation_windows_Anyviewer.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/Threat Hunting Queries/proc_creation_windows_Anyviewer.yml
/Threat Hunting Queries/proc_creation_windows_MOVEit_exploitation.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/Threat Hunting Queries/proc_creation_windows_MOVEit_exploitation.yml
/Threat Hunting Queries/proc_creation_windows_ammyy_admin.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/Threat Hunting Queries/proc_creation_windows_ammyy_admin.yml
/Threat Hunting Queries/proc_creation_windows_exec_script_from_zip.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/Threat Hunting Queries/proc_creation_windows_exec_script_from_zip.yml
/Threat Hunting Queries/proc_creation_windows_meshagent.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/Threat Hunting Queries/proc_creation_windows_meshagent.yml
/check_required_fields.py: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/check_required_fields.py
/id_generation.py: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/id_generation.py
/malware/proc_creation_windows_ChromeLoader.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/malware/proc_creation_windows_ChromeLoader.yml
/malware/proc_creation_windows_Emotet_04_22.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/malware/proc_creation_windows_Emotet_04_22.yml
/malware/proc_creation_windows_Explorer_NOUACCHECK.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/malware/proc_creation_windows_Explorer_NOUACCHECK.yml
/malware/proc_creation_windows_GuLoader_08_07.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/malware/proc_creation_windows_GuLoader_08_07.yml
/malware/proc_creation_windows_OneNote_Execution.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/malware/proc_creation_windows_OneNote_Execution.yml
/malware/proc_creation_windows_Raspberry_Robin_mal-exec.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/malware/proc_creation_windows_Raspberry_Robin_mal-exec.yml
/malware/proc_creation_windows_Raspberry_Robin_usb-exec.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/malware/proc_creation_windows_Raspberry_Robin_usb-exec.yml
/malware/proc_creation_windows_Serpent_payload_exec.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/malware/proc_creation_windows_Serpent_payload_exec.yml
/malware/proc_creation_windows_SocGholish_FakeUpdates.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/malware/proc_creation_windows_SocGholish_FakeUpdates.yml
/malware/proc_creation_windows_Ursnif_cmd_redirection.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/malware/proc_creation_windows_Ursnif_cmd_redirection.yml
/renaming.py: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/renaming.py
/vulnerability_exploitation/proc_creation_windows_7z_CVE-2022-29072.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/vulnerability_exploitation/proc_creation_windows_7z_CVE-2022-29072.yml
/vulnerability_exploitation/proc_creation_windows_VMWare_CVE-2022-22954.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/vulnerability_exploitation/proc_creation_windows_VMWare_CVE-2022-22954.yml
/vulnerability_exploitation/proc_creation_windows_VMware_Horizon_LOG4J.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/vulnerability_exploitation/proc_creation_windows_VMware_Horizon_LOG4J.yml
/windows_exploitation/net_connection_windows_ADWS_abuse.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/windows_exploitation/net_connection_windows_ADWS_abuse.yml
/windows_exploitation/proc_creation_windows_SOAPHound.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/windows_exploitation/proc_creation_windows_SOAPHound.yml
/windows_exploitation/proc_creation_windows_WSUS_abuse.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/windows_exploitation/proc_creation_windows_WSUS_abuse.yml
/windows_exploitation/proc_creation_windows_ms-msdt_exploitation.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/windows_exploitation/proc_creation_windows_ms-msdt_exploitation.yml
/windows_exploitation/proc_creation_windows_sdiagnhost-ms-msdt_exploitation.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/windows_exploitation/proc_creation_windows_sdiagnhost-ms-msdt_exploitation.yml
/windows_exploitation/proc_creation_windows_zero_exe.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/windows_exploitation/proc_creation_windows_zero_exe.yml
/windows_exploitation/win_security_DC_Impersonation.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/windows_exploitation/win_security_DC_Impersonation.yml
/windows_exploitation/win_security_KrbRelayUp.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/windows_exploitation/win_security_KrbRelayUp.yml
/windows_exploitation/win_security_LAPS_CredDumping.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/windows_exploitation/win_security_LAPS_CredDumping.yml
/windows_exploitation/win_security_kerberoasting_activity.yml: https://raw.githubusercontent.com/tsale/Sigma_rules/HEAD/windows_exploitation/win_security_kerberoasting_activity.yml