CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
fb66b987ea11cb5252658c3b7746a958bbfa2c56
hayabusa/rules/Sigma
History
..
av_exploiting.yml
av_hacktool.yml
av_password_dumper.yml
av_printernightmare_cve_2021_34527.yml
av_relevant_files.yml
av_webshell.yml
dns_net_mal_cobaltstrike.yml
dns_net_susp_ipify.yml
dns_query_hybridconnectionmgr_servicebus.yml
dns_query_mega_nz.yml
dns_query_possible_dns_rebinding.yml
dns_query_regsvr32_network_activity.yml
driver_load_mal_creddumper.yml
driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
driver_load_powershell_script_installed_as_service.yml
driver_load_susp_temp_use.yml
driver_load_vuln_dell_driver.yml
driver_load_windivert.yml
edr_command_execution_by_office_applications.yml
file_event_advanced_ip_scanner.yml
file_event_apt_unidentified_nov_18.yml
file_event_cve_2021_31979_cve_2021_33771_exploits.yml
file_event_hack_dumpert.yml
file_event_hktl_createminidump.yml
file_event_mal_adwind.yml
file_event_mal_octopus_scanner.yml
file_event_mal_vhd_download.yml
file_event_mimikatz_kirbi_file_creation.yml
file_event_moriya_rootkit.yml
file_event_pingback_backdoor.yml
file_event_script_creation_by_office_using_file_ext.yml
file_event_tool_psexec.yml
file_event_uac_bypass_winsat.yml
file_event_uac_bypass_wmp.yml
file_event_winrm_awl_bypass.yml
file_event_wmiprvse_wbemcomn_dll_hijack.yml
image_load_pingback_backdoor.yml
image_load_silenttrinity_stage_use.yml
image_load_wmiprvse_wbemcomn_dll_hijack.yml
pipe_created_tool_psexec.yml
powershell_accessing_win_api.yml
powershell_adrecon_execution.yml
powershell_alternate_powershell_hosts.yml
powershell_automated_collection.yml
powershell_azurehound_commands.yml
powershell_bad_opsec_artifacts.yml
powershell_cl_invocation_lolscript_count.yml
powershell_cl_invocation_lolscript.yml
powershell_cl_mutexverifiers_lolscript_count.yml
powershell_cl_mutexverifiers_lolscript.yml
powershell_classic_alternate_powershell_hosts.yml
powershell_classic_powercat.yml
powershell_classic_remote_powershell_session.yml
powershell_classic_susp_athremotefxvgpudisablementcommand.yml
powershell_classic_susp_zip_compress.yml
powershell_classic_suspicious_download.yml
powershell_clear_powershell_history.yml
powershell_create_local_user.yml
powershell_data_compressed.yml
powershell_decompress_commands.yml
powershell_delete_volume_shadow_copies.yml
powershell_detect_vm_env.yml
powershell_dnscat_execution.yml
powershell_downgrade_attack.yml
powershell_exe_calling_ps.yml
powershell_get_clipboard.yml
powershell_icmp_exfiltration.yml
powershell_invoke_nightmare.yml
powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
powershell_invoke_obfuscation_clip.yml
powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
powershell_invoke_obfuscation_obfuscated_iex.yml
powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
powershell_invoke_obfuscation_stdin.yml
powershell_invoke_obfuscation_var_in_scriptblocktext.yml
powershell_invoke_obfuscation_var.yml
powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
powershell_invoke_obfuscation_via_compress.yml
powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
powershell_invoke_obfuscation_via_rundll.yml
powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
powershell_invoke_obfuscation_via_stdin.yml
powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
powershell_invoke_obfuscation_via_use_clip.yml
powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
powershell_invoke_obfuscation_via_use_mhsta.yml
powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
powershell_invoke_obfuscation_via_use_rundll32.yml
powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
powershell_invoke_obfuscation_via_var.yml
powershell_keylogging.yml
powershell_malicious_commandlets.yml
powershell_malicious_keywords.yml
powershell_memorydump_getstoragediagnosticinfo.yml
powershell_nishang_malicious_commandlets.yml
powershell_ntfs_ads_access.yml
powershell_powercat.yml
powershell_powerview_malicious_commandlets.yml
powershell_prompt_credentials.yml
powershell_psattack.yml
powershell_remote_powershell_session.yml
powershell_renamed_powershell.yml
powershell_set_policies_to_unsecure_level.yml
powershell_shellcode_b64.yml
powershell_shellintel_malicious_commandlets.yml
powershell_software_discovery.yml
powershell_store_file_in_alternate_data_stream.yml
powershell_susp_athremotefxvgpudisablementcommand.yml
powershell_susp_zip_compress_in_scriptblocktext.yml
powershell_susp_zip_compress.yml
powershell_suspicious_download_in_contextinfo.yml
powershell_suspicious_download_in_scriptblocktext.yml
powershell_suspicious_download.yml
powershell_suspicious_export_pfxcertificate.yml
powershell_suspicious_getprocess_lsass.yml
powershell_suspicious_invocation_generic_in_contextinfo.yml
powershell_suspicious_invocation_generic_in_scriptblocktext.yml
powershell_suspicious_invocation_generic.yml
powershell_suspicious_invocation_specific_in_contextinfo.yml
powershell_suspicious_invocation_specific_in_scripblocktext.yml
powershell_suspicious_invocation_specific.yml
powershell_suspicious_keywords.yml
powershell_suspicious_mail_acces.yml
powershell_suspicious_mounted_share_deletion.yml
powershell_suspicious_recon.yml
powershell_suspicious_win32_pnpentity.yml
powershell_suspicious_windowstyle.yml
powershell_syncappvpublishingserver_exe_in_contextinfo.yml
powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
powershell_syncappvpublishingserver_exe.yml
powershell_tamper_with_windows_defender.yml
powershell_timestomp.yml
powershell_trigger_profiles.yml
powershell_web_request.yml
powershell_windows_firewall_profile_disabled.yml
powershell_winlogon_helper_dll.yml
powershell_wmi_persistence.yml
powershell_wmimplant.yml
powershell_wsman_com_provider_no_powershell.yml
powershell_xor_commandline.yml
process_creation_abusing_windows_telemetry_for_persistence.yml
process_creation_advanced_ip_scanner.yml
process_creation_alternate_data_streams.yml
process_creation_apt_gallium_sha1.yml
process_creation_apt_gallium.yml
process_creation_apt_pandemic.yml
process_creation_apt_slingshot.yml
process_creation_apt_turla_commands_critical.yml
process_creation_apt_wocao.yml
process_creation_automated_collection.yml
process_creation_c3_load_by_rundll32.yml
process_creation_certoc_execution.yml
process_creation_clip.yml
process_creation_cobaltstrike_load_by_rundll32.yml
process_creation_conti_cmd_ransomware.yml
process_creation_coti_sqlcmd.yml
process_creation_discover_private_keys.yml
process_creation_dns_serverlevelplugindll.yml
process_creation_dotnet.yml
process_creation_hack_dumpert.yml
process_creation_infdefaultinstall.yml
process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
process_creation_lolbins_by_office_applications.yml
process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
process_creation_lolbins_with_wmiprvse_parent_process.yml
process_creation_mal_blue_mockingbird.yml
process_creation_mal_darkside_ransomware.yml
process_creation_mal_lockergoga_ransomware.yml
process_creation_mal_ryuk.yml
process_creation_msdeploy.yml
process_creation_office_applications_spawning_wmi_commandline.yml
process_creation_office_from_proxy_executing_regsvr32_payload2.yml
process_creation_office_from_proxy_executing_regsvr32_payload.yml
process_creation_office_spawning_wmi_commandline.yml
process_creation_pingback_backdoor.yml
process_creation_protocolhandler_suspicious_file.yml
process_creation_root_certificate_installed.yml
process_creation_sdelete.yml
process_creation_software_discovery.yml
process_creation_stickykey_like_backdoor.yml
process_creation_stordiag_execution.yml
process_creation_susp_7z.yml
process_creation_susp_athremotefxvgpudisablementcommand.yml
process_creation_susp_del.yml
process_creation_susp_recon.yml
process_creation_susp_web_request_cmd.yml
process_creation_susp_winzip.yml
process_creation_susp_zip_compress.yml
process_creation_syncappvpublishingserver_exe.yml
process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
process_creation_sysinternals_eula_accepted.yml
process_creation_sysmon_uac_bypass_eventvwr.yml
process_creation_tool_psexec.yml
process_creation_tttracer_mod_load.yml
process_creation_win_exchange_transportagent.yml
process_creationn_apt_chafer_mar18.yml
process_mailboxexport_share.yml
process_susp_esentutl_params.yml
registry_event_abusing_windows_telemetry_for_persistence.yml
registry_event_apt_chafer_mar18.yml
registry_event_apt_pandemic.yml
registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
registry_event_defender_disabled.yml
registry_event_defender_exclusions.yml
registry_event_defender_realtime_protection_disabled.yml
registry_event_dns_serverlevelplugindll.yml
registry_event_mal_adwind.yml
registry_event_mal_azorult.yml
registry_event_mal_blue_mockingbird.yml
registry_event_mal_flowcloud.yml
registry_event_mal_netwire.yml
registry_event_mal_ursnif.yml
registry_event_mstsc_history_cleared.yml
registry_event_net_ntlm_downgrade.yml
registry_event_stickykey_like_backdoor.yml
registry_event_sysinternals_eula_accepted.yml
registry_event_uac_bypass_eventvwr.yml
registry_event_uac_bypass_winsat.yml
registry_event_uac_bypass_wmp.yml
silenttrinity_stager_msbuild_activity.yml
sysmon_abusing_azure_browser_sso.yml
sysmon_abusing_debug_privilege.yml
sysmon_accesschk_usage_after_priv_escalation.yml
sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
sysmon_ads_executable.yml
sysmon_alternate_powershell_hosts_moduleload.yml
sysmon_alternate_powershell_hosts_pipe.yml
sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
sysmon_always_install_elevated_windows_installer.yml
sysmon_apt_leviathan.yml
sysmon_apt_muddywater_dnstunnel.yml
sysmon_apt_oceanlotus_registry.yml
sysmon_apt_sourgrum.yml
sysmon_apt_turla_namedpipes.yml
sysmon_asep_reg_keys_modification.yml
sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
sysmon_bypass_via_wsreset.yml
sysmon_cactustorch.yml
sysmon_cmstp_execution_by_access.yml
sysmon_cmstp_execution_by_creation.yml
sysmon_cmstp_execution_by_registry.yml
sysmon_cobaltstrike_bof_injection_pattern.yml
sysmon_cobaltstrike_process_injection.yml
sysmon_cobaltstrike_service_installs.yml
sysmon_comhijack_sdclt.yml
sysmon_config_modification_error.yml
sysmon_config_modification_status.yml
sysmon_createremotethread_loadlibrary.yml
sysmon_creation_mavinject_dll.yml
sysmon_creation_system_file.yml
sysmon_cred_dump_lsass_access.yml
sysmon_cred_dump_tools_dropped_files.yml
sysmon_cred_dump_tools_named_pipes.yml
sysmon_cve_2020_1048.yml
sysmon_cve_2021_26857_msexchange.yml
sysmon_cve_2021_26858_msexchange.yml
sysmon_dcom_iertutil_dll_hijack.yml
sysmon_delete_prefetch.yml
sysmon_detect_powerup_dllhijacking.yml
sysmon_dhcp_calloutdll.yml
sysmon_direct_syscall_ntopenprocess.yml
sysmon_disable_microsoft_office_security_features.yml
sysmon_disable_security_events_logging_adding_reg_key_minint.yml
sysmon_disable_wdigest_credential_guard.yml
sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml
sysmon_disabled_pua_protection_on_microsoft_defender.yml
sysmon_disabled_tamper_protection_on_microsoft_defender.yml
sysmon_dllhost_net_connections.yml
sysmon_dns_over_https_enabled.yml
sysmon_efspotato_namedpipe.yml
sysmon_enabling_cor_profiler_env_variables.yml
sysmon_etw_disabled.yml
sysmon_excel_outbound_network_connection.yml
sysmon_expand_cabinet_files.yml
sysmon_foggyweb_nobelium.yml
sysmon_ghostpack_safetykatz.yml
sysmon_hack_wce_reg.yml
sysmon_hack_wce.yml
sysmon_high_integrity_sdclt.yml
sysmon_hybridconnectionmgr_svc_installation.yml
sysmon_in_memory_assembly_execution.yml
sysmon_in_memory_powershell.yml
sysmon_invoke_phantom.yml
sysmon_lazagne_cred_dump_lsass_access.yml
sysmon_littlecorporal_generated_maldoc.yml
sysmon_load_undocumented_autoelevated_com_interface.yml
sysmon_logon_scripts_userinitmprlogonscript_proc.yml
sysmon_logon_scripts_userinitmprlogonscript_reg.yml
sysmon_long_powershell_commandline.yml
sysmon_lsass_dump_comsvcs_dll.yml
sysmon_lsass_memdump.yml
sysmon_lsass_memory_dump_file_creation.yml
sysmon_mal_cobaltstrike_re.yml
sysmon_mal_cobaltstrike.yml
sysmon_mal_namedpipes.yml
sysmon_malware_backconnect_ports.yml
sysmon_malware_verclsid_shellcode.yml
sysmon_mimikatz_detection_lsass.yml
sysmon_mimikatz_trough_winrm.yml
sysmon_modify_screensaver_binary_path.yml
sysmon_narrator_feedback_persistance.yml
sysmon_netcat_execution.yml
sysmon_new_application_appcompat.yml
sysmon_new_dll_added_to_appcertdlls_registry_key.yml
sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
sysmon_notepad_network_connection.yml
sysmon_office_persistence.yml
sysmon_office_test_regadd.yml
sysmon_office_vsto_persistence.yml
sysmon_outlook_newform.yml
sysmon_password_dumper_lsass.yml
sysmon_pcre_net_load.yml
sysmon_pcre_net_temp_file.yml
sysmon_powershell_as_service.yml
sysmon_powershell_code_injection.yml
sysmon_powershell_execution_pipe.yml
sysmon_powershell_exploit_scripts.yml
sysmon_powershell_network_connection.yml
sysmon_powershell_startup_shortcuts.yml
sysmon_proxy_execution_wuauclt.yml
sysmon_psexec_pipes_artifacts.yml
sysmon_pypykatz_cred_dump_lsass_access.yml
sysmon_quarkspw_filedump.yml
sysmon_raw_disk_access_using_illegitimate_tools.yml
sysmon_rclone_execution.yml
sysmon_rdp_registry_modification.yml
sysmon_rdp_reverse_tunnel.yml
sysmon_rdp_settings_hijack.yml
sysmon_redmimicry_winnti_filedrop.yml
sysmon_redmimicry_winnti_reg.yml
sysmon_reg_office_security.yml
sysmon_reg_silentprocessexit_lsass.yml
sysmon_reg_silentprocessexit.yml
sysmon_reg_vbs_payload_stored.yml
sysmon_regedit_export_to_ads.yml
sysmon_registry_add_local_hidden_user.yml
sysmon_registry_persistence_key_linking.yml
sysmon_registry_persistence_search_order.yml
sysmon_registry_susp_printer_driver.yml
sysmon_registry_trust_record_modification.yml
sysmon_regsvr32_network_activity.yml
sysmon_remote_powershell_session_network.yml
sysmon_removal_amsi_registry_key.yml
sysmon_removal_com_hijacking_registry_key.yml
sysmon_remove_windows_defender_definition_files.yml
sysmon_rundll32_net_connections.yml
sysmon_runkey_winekey.yml
sysmon_runonce_persistence.yml
sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
sysmon_sdclt_child_process.yml
sysmon_spoolsv_dll_load.yml
sysmon_ssp_added_lsa_config.yml
sysmon_startup_folder_file_write.yml
sysmon_susp_adfs_namedpipe_connection.yml
sysmon_susp_adsi_cache_usage.yml
sysmon_susp_atbroker_change.yml
sysmon_susp_clr_logs.yml
sysmon_susp_cobaltstrike_pipe_patterns.yml
sysmon_susp_desktop_ini.yml
sysmon_susp_download_run_key.yml
sysmon_susp_fax_dll.yml
sysmon_susp_image_load.yml
sysmon_susp_lsass_dll_load.yml
sysmon_susp_mic_cam_access.yml
sysmon_susp_office_dotnet_assembly_dll_load.yml
sysmon_susp_office_dotnet_clr_dll_load.yml
sysmon_susp_office_dotnet_gac_dll_load.yml
sysmon_susp_office_dsparse_dll_load.yml
sysmon_susp_office_kerberos_dll_load.yml
sysmon_susp_pfx_file_creation.yml
sysmon_susp_plink_remote_forward.yml
sysmon_susp_powershell_rundll32.yml
sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
sysmon_susp_prog_location_network_connection.yml
sysmon_susp_python_image_load.yml
sysmon_susp_rdp.yml
sysmon_susp_reg_persist_explorer_run.yml
sysmon_susp_run_key_img_folder.yml
sysmon_susp_script_dotnet_clr_dll_load.yml
sysmon_susp_service_installed.yml
sysmon_susp_service_modification.yml
sysmon_susp_system_drawing_load.yml
sysmon_susp_webdav_client_execution.yml
sysmon_susp_winword_vbadll_load.yml
sysmon_susp_winword_wmidll_load.yml
sysmon_susp_wmi_consumer_namedpipe.yml
sysmon_suspicious_dbghelp_dbgcore_load.yml
sysmon_suspicious_keyboard_layout_load.yml
sysmon_suspicious_outbound_kerberos_connection.yml
sysmon_suspicious_powershell_profile_create.yml
sysmon_suspicious_remote_thread.yml
sysmon_svchost_cred_dump.yml
sysmon_svchost_dll_search_order_hijack.yml
sysmon_sysinternals_sdelete_file_deletion.yml
sysmon_sysinternals_sdelete_registry_keys.yml
sysmon_taskcache_entry.yml
sysmon_tsclient_filewrite_startup.yml
sysmon_tttracer_mod_load.yml
sysmon_uac_bypass_consent_comctl32.yml
sysmon_uac_bypass_dotnet_profiler.yml
sysmon_uac_bypass_ieinstal.yml
sysmon_uac_bypass_msconfig_gui.yml
sysmon_uac_bypass_ntfs_reparse_point.yml
sysmon_uac_bypass_sdclt.yml
sysmon_uac_bypass_shell_open.yml
sysmon_uac_bypass_via_dism.yml
sysmon_uac_bypass_wow64_logger.yml
sysmon_uipromptforcreds_dlls.yml
sysmon_uninstall_crowdstrike_falcon.yml
sysmon_unsigned_image_loaded_into_lsass.yml
sysmon_vmtoolsd_susp_child_process.yml
sysmon_volume_shadow_copy_service_keys.yml
sysmon_wab_dllpath_reg_change.yml
sysmon_wdigest_enable_uselogoncredential.yml
sysmon_webshell_creation_detect.yml
sysmon_win_binary_github_com.yml
sysmon_win_binary_susp_com.yml
sysmon_win_reg_persistence.yml
sysmon_win_reg_telemetry_persistence.yml
sysmon_wmi_event_subscription.yml
sysmon_wmi_module_load.yml
sysmon_wmi_persistence_commandline_event_consumer.yml
sysmon_wmi_persistence_script_event_consumer_write.yml
sysmon_wmi_susp_encoded_scripts.yml
sysmon_wmi_susp_scripting.yml
sysmon_wmic_remote_xsl_scripting_dlls.yml
sysmon_wsman_provider_image_load.yml
sysmon_wuauclt_network_connection.yml
win_aadhealth_mon_agent_regkey_access.yml
win_aadhealth_svc_agent_regkey_access.yml
win_account_backdoor_dcsync_rights.yml
win_account_discovery.yml
win_ad_find_discovery.yml
win_ad_object_writedac_access.yml
win_ad_replication_non_machine_account.yml
win_ad_user_enumeration.yml
win_admin_rdp_login.yml
win_admin_share_access.yml
win_alert_active_directory_user_control.yml
win_alert_ad_user_backdoors.yml
win_alert_enable_weak_encryption.yml
win_alert_lsass_access.yml
win_alert_mimikatz_keywords.yml
win_alert_ruler.yml
win_anydesk_silent_install.yml
win_applocker_file_was_not_allowed_to_run.yml
win_apt_apt29_thinktanks.yml
win_apt_babyshark.yml
win_apt_bear_activity_gtr19.yml
win_apt_bluemashroom.yml
win_apt_carbonpaper_turla.yml
win_apt_chafer_mar18_security.yml
win_apt_chafer_mar18_system.yml
win_apt_cloudhopper.yml
win_apt_dragonfly.yml
win_apt_elise.yml
win_apt_emissarypanda_sep19.yml
win_apt_empiremonkey.yml
win_apt_equationgroup_dll_u_load.yml
win_apt_evilnum_jul20.yml
win_apt_gallium.yml
win_apt_greenbug_may20.yml
win_apt_hafnium.yml
win_apt_hurricane_panda.yml
win_apt_judgement_panda_gtr19.yml
win_apt_ke3chang_regadd.yml
win_apt_lazarus_activity_apr21.yml
win_apt_lazarus_activity_dec20.yml
win_apt_lazarus_loader.yml
win_apt_lazarus_session_highjack.yml
win_apt_mustangpanda.yml
win_apt_revil_kaseya.yml
win_apt_slingshot.yml
win_apt_sofacy.yml
win_apt_stonedrill.yml
win_apt_ta17_293a_ps.yml
win_apt_ta505_dropper.yml
win_apt_taidoor.yml
win_apt_tropictrooper.yml
win_apt_turla_comrat_may20.yml
win_apt_turla_service_png.yml
win_apt_unc2452_cmds.yml
win_apt_unc2452_ps.yml
win_apt_unidentified_nov_18.yml
win_apt_winnti_mal_hk_jan20.yml
win_apt_winnti_pipemon.yml
win_apt_wocao.yml
win_apt_zxshell.yml
win_arbitrary_shell_execution_via_settingcontent.yml
win_asr_bypass_via_appvlp_re.yml
win_atsvc_task.yml
win_attrib_hiding_files.yml
win_audit_cve.yml
win_av_relevant_match.yml
win_bad_opsec_sacrificial_processes.yml
win_bootconf_mod.yml
win_bypass_squiblytwo.yml
win_camera_microphone_access.yml
win_change_default_file_association.yml
win_cl_invocation_lolscript.yml
win_cl_mutexverifiers_lolscript.yml
win_class_exec_xwizard.yml
win_cmdkey_recon.yml
win_cmstp_com_object_access.yml
win_cobaltstrike_process_patterns.yml
win_cobaltstrike_service_installs.yml
win_commandline_path_traversal_evasion.yml
win_commandline_path_traversal.yml
win_control_panel_item.yml
win_copying_sensitive_files_with_credential_data.yml
win_credential_access_via_password_filter.yml
win_crime_fireball.yml
win_crime_maze_ransomware.yml
win_crime_snatch_ransomware.yml
win_crypto_mining_monero.yml
win_cve_2021_1675_printspooler_del.yml
win_cve_2021_1675_printspooler.yml
win_data_compressed_with_rar.yml
win_dce_rpc_smb_spoolss_named_pipe.yml
win_dcom_iertutil_dll_hijack.yml
win_dcsync.yml
win_defender_amsi_trigger.yml
win_defender_bypass.yml
win_defender_disabled.yml
win_defender_exclusions.yml
win_defender_history_delete.yml
win_defender_psexec_wmi_asr.yml
win_defender_tamper_protection_trigger.yml
win_defender_threat.yml
win_detecting_fake_instances_of_hxtsr.yml
win_disable_event_logging.yml
win_dll_sideload_xwizard.yml
win_dns_exfiltration_tools_execution.yml
win_dnscat2_powershell_implementation.yml
win_dpapi_domain_backupkey_extraction.yml
win_dpapi_domain_masterkey_backup_attempt.yml
win_encoded_frombase64string.yml
win_encoded_iex.yml
win_etw_modification_cmdline.yml
win_etw_modification.yml
win_etw_trace_evasion.yml
win_event_log_cleared.yml
win_exchange_proxylogon_oabvirtualdir.yml
win_exchange_proxyshell_certificate_generation.yml
win_exchange_proxyshell_mailbox_export.yml
win_exchange_proxyshell_remove_mailbox_export.yml
win_exchange_transportagent_failed.yml
win_exchange_transportagent.yml
win_exfiltration_and_tunneling_tools_execution.yml
win_exploit_cve_2015_1641.yml
win_exploit_cve_2017_0261.yml
win_exploit_cve_2017_8759.yml
win_exploit_cve_2017_11882.yml
win_exploit_cve_2019_1378.yml
win_exploit_cve_2019_1388.yml
win_exploit_cve_2020_1048.yml
win_exploit_cve_2020_1350.yml
win_exploit_cve_2020_10189.yml
win_exploit_cve_2021_1675_printspooler_operational.yml
win_exploit_cve_2021_1675_printspooler_security.yml
win_exploit_cve_2021_1675_printspooler.yml
win_exploit_systemnightmare.yml
win_external_device.yml
win_file_permission_modifications.yml
win_file_winword_cve_2021_40444.yml
win_global_catalog_enumeration.yml
win_gpo_scheduledtasks.yml
win_grabbing_sensitive_hives_via_reg.yml
win_hack_adcspwn.yml
win_hack_bloodhound.yml
win_hack_koadic.yml
win_hack_rubeus.yml
win_hack_secutyxploded.yml
win_hack_smbexec.yml
win_hh_chm.yml
win_hidden_user_creation.yml
win_hiding_malware_in_fonts_folder.yml
win_hivenightmare_file_exports.yml
win_hktl_createminidump.yml
win_hktl_uacme_uac_bypass.yml
win_html_help_spawn.yml
win_hwp_exploits.yml
win_hybridconnectionmgr_svc_installation.yml
win_hybridconnectionmgr_svc_running.yml
win_impacket_compiled_tools.yml
win_impacket_lateralization.yml
win_impacket_psexec.yml
win_impacket_secretdump.yml
win_indirect_cmd_compatibility_assistant.yml
win_indirect_cmd.yml
win_install_reg_debugger_backdoor.yml
win_interactive_at.yml
win_invoke_obfuscation_clip_services_security.yml
win_invoke_obfuscation_clip_services.yml
win_invoke_obfuscation_clip.yml
win_invoke_obfuscation_obfuscated_iex_commandline.yml
win_invoke_obfuscation_obfuscated_iex_services_security.yml
win_invoke_obfuscation_obfuscated_iex_services.yml
win_invoke_obfuscation_stdin_services_security.yml
win_invoke_obfuscation_stdin_services.yml
win_invoke_obfuscation_stdin.yml
win_invoke_obfuscation_var_services_security.yml
win_invoke_obfuscation_var_services.yml
win_invoke_obfuscation_var.yml
win_invoke_obfuscation_via_compress_services_security.yml
win_invoke_obfuscation_via_compress_services.yml
win_invoke_obfuscation_via_compress.yml
win_invoke_obfuscation_via_rundll_services_security.yml
win_invoke_obfuscation_via_rundll_services.yml
win_invoke_obfuscation_via_rundll.yml
win_invoke_obfuscation_via_stdin_services_security.yml
win_invoke_obfuscation_via_stdin_services.yml
win_invoke_obfuscation_via_stdin.yml
win_invoke_obfuscation_via_use_clip_services_security.yml
win_invoke_obfuscation_via_use_clip_services.yml
win_invoke_obfuscation_via_use_clip.yml
win_invoke_obfuscation_via_use_mhsta.yml
win_invoke_obfuscation_via_use_mshta_services_security.yml
win_invoke_obfuscation_via_use_mshta_services.yml
win_invoke_obfuscation_via_use_rundll32_services_security.yml
win_invoke_obfuscation_via_use_rundll32_services.yml
win_invoke_obfuscation_via_use_rundll32.yml
win_invoke_obfuscation_via_var_services_security.yml
win_invoke_obfuscation_via_var_services.yml
win_invoke_obfuscation_via_var.yml
win_iso_mount.yml
win_lateral_movement_condrv.yml
win_ldap_recon.yml
win_lethalhta.yml
win_lm_namedpipe.yml
win_local_system_owner_account_discovery.yml
win_lolbas_execution_of_nltest.yml
win_lolbas_execution_of_wuauclt.yml
win_lolbin_execution_via_winget.yml
win_lsass_access_non_system_account.yml
win_lsass_dump.yml
win_mal_adwind.yml
win_mal_creddumper.yml
win_mal_wceaux_dll.yml
win_malware_conti_7zip.yml
win_malware_conti_shadowcopy.yml
win_malware_conti.yml
win_malware_dridex.yml
win_malware_dtrack.yml
win_malware_emotet.yml
win_malware_formbook.yml
win_malware_notpetya.yml
win_malware_qbot.yml
win_malware_ryuk.yml
win_malware_script_dropper.yml
win_malware_trickbot_recon_activity.yml
win_malware_trickbot_wermgr.yml
win_malware_wannacry.yml
win_manage_bde_lolbas.yml
win_mavinject_proc_inj.yml
win_metasploit_authentication.yml
win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
win_mimikatz_command_line.yml
win_mmc20_lateral_movement.yml
win_mmc_spawn_shell.yml
win_modif_of_services_for_via_commandline.yml
win_monitoring_for_persistence_via_bits.yml
win_moriya_rootkit.yml
win_mouse_lock.yml
win_mshta_javascript.yml
win_mshta_spawn_shell.yml
win_multiple_suspicious_cli.yml
win_net_crypto_mining.yml
win_net_enum.yml
win_net_ntlm_downgrade.yml
win_net_use_admin_share.yml
win_net_user_add.yml
win_netsh_allow_port_rdp.yml
win_netsh_fw_add_susp_image.yml
win_netsh_fw_add.yml
win_netsh_packet_capture.yml
win_netsh_port_fwd_3389.yml
win_netsh_port_fwd.yml
win_netsh_wifi_credential_harvesting.yml
win_network_sniffing.yml
win_new_or_renamed_user_account_with_dollar_sign.yml
win_new_service_creation.yml
win_nltest_recon.yml
win_non_interactive_powershell.yml
win_non_priv_reg_or_ps.yml
win_not_allowed_rdp_access.yml
win_ntfs_vuln_exploit.yml
win_office_shell.yml
win_office_spawn_exe_from_users_directory.yml
win_outlook_c2_macro_creation.yml
win_outlook_c2_registry_key.yml
win_outlook_registry_todaypage.yml
win_outlook_registry_webview.yml
win_overpass_the_hash.yml
win_pass_the_hash_2.yml
win_pass_the_hash.yml
win_pc_set_policies_to_unsecure_level.yml
win_pc_susp_cmdl32_lolbas.yml
win_pc_susp_schtasks_user_temp.yml
win_pc_susp_zipexec.yml
win_pcap_drivers.yml
win_petitpotam_network_share.yml
win_petitpotam_susp_tgt_request.yml
win_plugx_susp_exe_locations.yml
win_portproxy_registry_key.yml
win_possible_applocker_bypass.yml
win_possible_dc_shadow.yml
win_possible_privilege_escalation_via_service_registry_permissions.yml
win_possible_zerologon_exploitation_using_wellknown_tools.yml
win_powershell_amsi_bypass.yml
win_powershell_audio_capture.yml
win_powershell_b64_shellcode.yml
win_powershell_bitsjob.yml
win_powershell_cmdline_reversed_strings.yml
win_powershell_cmdline_special_characters.yml
win_powershell_cmdline_specific_comb_methods.yml
win_powershell_defender_exclusion.yml
win_powershell_disable_windef_av.yml
win_powershell_dll_execution.yml
win_powershell_downgrade_attack.yml
win_powershell_download.yml
win_powershell_frombase64string.yml
win_powershell_reverse_shell_connection.yml
win_powershell_script_installed_as_service.yml
win_powershell_suspicious_parameter_variation.yml
win_powershell_xor_commandline.yml
win_powersploit_empire_schtasks.yml
win_privesc_cve_2020_1472.yml
win_proc_wrong_parent.yml
win_procdump.yml
win_process_creation_bitsadmin_download.yml
win_process_dump_rdrleakdiag.yml
win_process_dump_rundll32_comsvcs.yml
win_protected_storage_service_access.yml
win_psexesvc_start.yml
win_purplesharp_indicators.yml
win_quarkspwdump_clearing_hive_access_history.yml
win_query_registry.yml
win_rare_schtask_creation.yml
win_rare_schtasks_creations.yml
win_rare_service_installs.yml
win_rasautou_dll_execution.yml
win_rclone_exec_file.yml
win_rdp_bluekeep_poc_scanner.yml
win_rdp_hijack_shadowing.yml
win_rdp_localhost_login.yml
win_rdp_potential_cve_2019_0708.yml
win_rdp_reverse_tunnel.yml
win_redmimicry_winnti_proc.yml
win_reg_add_run_key.yml
win_regedit_export_critical_keys.yml
win_regedit_export_keys.yml
win_regedit_import_keys_ads.yml
win_regedit_import_keys.yml
win_regini_ads.yml
win_regini.yml
win_register_new_logon_process_by_rubeus.yml
win_registry_mimikatz_printernightmare.yml
win_remote_powershell_session_process.yml
win_remote_powershell_session.yml
win_remote_registry_management_using_reg_utility.yml
win_remote_time_discovery.yml
win_renamed_binary_highly_relevant.yml
win_renamed_binary.yml
win_renamed_jusched.yml
win_renamed_megasync.yml
win_renamed_paexec.yml
win_renamed_powershell.yml
win_renamed_procdump.yml
win_renamed_psexec.yml
win_renamed_whoami.yml
win_root_certificate_installed.yml
win_run_powershell_script_from_ads.yml
win_run_powershell_script_from_input_stream.yml
win_run_virtualbox.yml
win_rundll32_without_parameters.yml
win_sam_registry_hive_handle_request.yml
win_scheduled_task_deletion.yml
win_scm_database_handle_failure.yml
win_scm_database_privileged_operation.yml
win_scrcons_remote_wmi_scripteventconsumer.yml
win_script_event_consumer_spawn.yml
win_sdbinst_shim_persistence.yml
win_security_cobaltstrike_service_installs.yml
win_security_mal_creddumper.yml
win_security_mal_service_installs.yml
win_security_metasploit_or_impacket_smb_psexec_service_install.yml
win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
win_security_powershell_script_installed_as_service.yml
win_security_tap_driver_installation.yml
win_security_wmi_persistence.yml
win_service_execution.yml
win_service_stop.yml
win_set_oabvirtualdirectory_externalurl.yml
win_shadow_copies_access_symlink.yml
win_shadow_copies_creation.yml
win_shadow_copies_deletion.yml
win_shell_spawn_mshta.yml
win_shell_spawn_susp_program.yml
win_silenttrinity_stage_use.yml
win_smb_file_creation_admin_shares.yml
win_software_atera_rmm_agent_install.yml
win_soundrec_audio_capture.yml
win_spn_enum.yml
win_sticky_keys_unauthenticated_privileged_console_access.yml
win_sus_auditpol_usage.yml
win_susp_add_domain_trust.yml
win_susp_add_sid_history.yml
win_susp_adfind.yml
win_susp_atbroker.yml
win_susp_backup_delete.yml
win_susp_bcdedit.yml
win_susp_bginfo.yml
win_susp_bitstransfer.yml
win_susp_calc.yml
win_susp_cdb.yml
win_susp_certutil_command.yml
win_susp_certutil_encode.yml
win_susp_child_process_as_system_.yml
win_susp_cli_escape.yml
win_susp_cmd_http_appdata.yml
win_susp_cmd_shadowcopy_access.yml
win_susp_codeintegrity_check_failure.yml
win_susp_codepage_switch.yml
win_susp_commands_recon_activity.yml
win_susp_compression_params.yml
win_susp_comsvcs_procdump.yml
win_susp_conhost.yml
win_susp_control_cve_2021_40444.yml
win_susp_control_dll_load.yml
win_susp_copy_lateral_movement.yml
win_susp_copy_system32.yml
win_susp_covenant.yml
win_susp_crackmapexec_execution.yml
win_susp_crackmapexec_powershell_obfuscation.yml
win_susp_csc_folder.yml
win_susp_csc.yml
win_susp_csi.yml
win_susp_curl_download.yml
win_susp_curl_fileupload.yml
win_susp_curl_start_combo.yml
win_susp_dctask64_proc_inject.yml
win_susp_desktopimgdownldr_file.yml
win_susp_desktopimgdownldr.yml
win_susp_devtoolslauncher.yml
win_susp_dhcp_config_failed.yml
win_susp_dhcp_config.yml
win_susp_direct_asep_reg_keys_modification.yml
win_susp_disable_eventlog.yml
win_susp_disable_ie_features.yml
win_susp_disable_raccine.yml
win_susp_diskshadow.yml
win_susp_ditsnap.yml
win_susp_dns_config.yml
win_susp_dnx.yml
win_susp_double_extension.yml
win_susp_dsrm_password_change.yml
win_susp_dxcap.yml
win_susp_emotet_rudll32_execution.yml
win_susp_esentutl_activity.yml
win_susp_eventlog_clear.yml
win_susp_eventlog_cleared.yml
win_susp_execution_path_webserver.yml
win_susp_execution_path.yml
win_susp_explorer_break_proctree.yml
win_susp_explorer.yml
win_susp_failed_guest_logon.yml
win_susp_failed_logon_reasons.yml
win_susp_failed_logon_source.yml
win_susp_failed_logons_single_source2.yml
win_susp_failed_logons_single_source.yml
win_susp_file_characteristics.yml
win_susp_file_download_via_gfxdownloadwrapper.yml
win_susp_findstr_lnk.yml
win_susp_findstr.yml
win_susp_finger_usage.yml
win_susp_firewall_disable.yml
win_susp_fsutil_usage.yml
win_susp_ftp.yml
win_susp_gup.yml
win_susp_interactive_logons.yml
win_susp_iss_module_install.yml
win_susp_kerberos_manipulation.yml
win_susp_ldap_dataexchange.yml
win_susp_local_anon_logon_created.yml
win_susp_logon_explicit_credentials.yml
win_susp_lsass_dump_generic.yml
win_susp_lsass_dump.yml
win_susp_mounted_share_deletion.yml
win_susp_mpcmdrun_download.yml
win_susp_mshta_execution.yml
win_susp_mshta_pattern.yml
win_susp_msiexec_cwd.yml
win_susp_msiexec_web_install.yml
win_susp_msmpeng_crash.yml
win_susp_msoffice.yml
win_susp_multiple_files_renamed_or_deleted.yml
win_susp_net_execution.yml
win_susp_net_recon_activity.yml
win_susp_netsh_dll_persistence.yml
win_susp_ngrok_pua.yml
win_susp_ntdsutil.yml
win_susp_ntlm_auth.yml
win_susp_ntlm_rdp.yml
win_susp_odbcconf.yml
win_susp_openwith.yml
win_susp_outlook_temp.yml
win_susp_outlook.yml
win_susp_pcwutl.yml
win_susp_pester.yml
win_susp_ping_hex_ip.yml
win_susp_powershell_empire_launch.yml
win_susp_powershell_empire_uac_bypass.yml
win_susp_powershell_enc_cmd.yml
win_susp_powershell_encoded_param.yml
win_susp_powershell_getprocess_lsass.yml
win_susp_powershell_hidden_b64_cmd.yml
win_susp_powershell_parent_combo.yml
win_susp_powershell_parent_process.yml
win_susp_powershell_sam_access.yml
win_susp_print.yml
win_susp_procdump_lsass.yml
win_susp_procdump.yml
win_susp_proceshacker.yml
win_susp_ps_appdata.yml
win_susp_ps_downloadfile.yml
win_susp_psexec_eula.yml
win_susp_psexec.yml
win_susp_psexex_paexec_flags.yml
win_susp_psr_capture_screenshots.yml
win_susp_raccess_sensitive_fext.yml
win_susp_rar_flags.yml
win_susp_rasdial_activity.yml
win_susp_razorinstaller_explorer.yml
win_susp_rc4_kerberos.yml
win_susp_rclone_exec.yml
win_susp_rclone_execution.yml
win_susp_recon_activity.yml
win_susp_reg_disable_sec_services.yml
win_susp_regedit_trustedinstaller.yml
win_susp_register_cimprovider.yml
win_susp_registration_via_cscript.yml
win_susp_regsvr32_anomalies.yml
win_susp_regsvr32_flags_anomaly.yml
win_susp_regsvr32_no_dll.yml
win_susp_renamed_dctask64.yml
win_susp_renamed_debugview.yml
win_susp_renamed_paexec.yml
win_susp_rottenpotato.yml
win_susp_rpcping.yml
win_susp_run_locations.yml
win_susp_rundll32_activity.yml
win_susp_rundll32_by_ordinal.yml
win_susp_rundll32_inline_vbs.yml
win_susp_rundll32_no_params.yml
win_susp_rundll32_setupapi_installhinfsection.yml
win_susp_rundll32_sys.yml
win_susp_runonce_execution.yml
win_susp_runscripthelper.yml
win_susp_sam_dump.yml
win_susp_schtask_creation_temp_folder.yml
win_susp_schtask_creation.yml
win_susp_screenconnect_access.yml
win_susp_screensaver_reg.yml
win_susp_script_exec_from_temp.yml
win_susp_script_execution.yml
win_susp_sdelete.yml
win_susp_service_dacl_modification.yml
win_susp_service_dir.yml
win_susp_service_path_modification.yml
win_susp_servu_exploitation_cve_2021_35211.yml
win_susp_servu_process_pattern.yml
win_susp_shell_spawn_from_mssql.yml
win_susp_shell_spawn_from_winrm.yml
win_susp_shimcache_flush.yml
win_susp_splwow64.yml
win_susp_spoolsv_child_processes.yml
win_susp_sqldumper_activity.yml
win_susp_squirrel_lolbin.yml
win_susp_svchost_clfsw32.yml
win_susp_svchost_no_cli.yml
win_susp_svchost.yml
win_susp_sysprep_appdata.yml
win_susp_sysvol_access.yml
win_susp_taskmgr_localsystem.yml
win_susp_taskmgr_parent.yml
win_susp_time_modification.yml
win_susp_tracker_execution.yml
win_susp_tscon_localsystem.yml
win_susp_tscon_rdp_redirect.yml
win_susp_uac_bypass_trustedpath.yml
win_susp_use_of_csharp_console.yml
win_susp_use_of_sqlps_bin.yml
win_susp_use_of_sqltoolsps_bin.yml
win_susp_use_of_te_bin.yml
win_susp_use_of_vsjitdebugger_bin.yml
win_susp_userinit_child.yml
win_susp_vboxdrvinst.yml
win_susp_vbscript_unc2452.yml
win_susp_volsnap_disable.yml
win_susp_vssadmin_ntds_activity.yml
win_susp_whoami_anomaly.yml
win_susp_whoami.yml
win_susp_winrm_awl_bypass.yml
win_susp_winrm_execution.yml
win_susp_wmi_execution.yml
win_susp_wmi_login.yml
win_susp_wmic_eventconsumer_create.yml
win_susp_wmic_proc_create_rundll32.yml
win_susp_wmic_security_product_uninstall.yml
win_susp_workfolders.yml
win_susp_wsl_lolbin.yml
win_susp_wuauclt.yml
win_suspicious_outbound_kerberos_connection.yml
win_suspicious_vss_ps_load.yml
win_svcctl_remote_service.yml
win_syskey_registry_access.yml
win_sysmon_channel_reference_deletion.yml
win_sysmon_driver_unload.yml
win_system_defender_disabled.yml
win_system_exe_anomaly.yml
win_system_susp_eventlog_cleared.yml
win_tap_driver_installation.yml
win_tap_installer_execution.yml
win_task_folder_evasion.yml
win_termserv_proc_spawn.yml
win_tool_psexec.yml
win_tools_relay_attacks.yml
win_transferring_files_with_credential_data_via_network_shares.yml
win_trust_discovery.yml
win_uac_bypass_changepk_slui.yml
win_uac_bypass_cleanmgr.yml
win_uac_bypass_computerdefaults.yml
win_uac_bypass_consent_comctl32.yml
win_uac_bypass_dismhost.yml
win_uac_bypass_ieinstal.yml
win_uac_bypass_msconfig_gui.yml
win_uac_bypass_ntfs_reparse_point.yml
win_uac_bypass_pkgmgr_dism.yml
win_uac_bypass_winsat.yml
win_uac_bypass_wmp.yml
win_uac_bypass_wsreset.yml
win_uac_cmstp.yml
win_uac_fodhelper.yml
win_uac_wsreset.yml
win_usb_device_plugged.yml
win_user_added_to_local_administrators.yml
win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
win_user_creation.yml
win_user_driver_loaded.yml
win_using_sc_to_change_sevice_image_path_by_non_admin.yml
win_using_settingsynchost_as_lolbin.yml
win_verclsid_runs_com.yml
win_visual_basic_compiler.yml
win_volume_shadow_copy_mount.yml
win_vssaudit_secevent_source_registration.yml
win_vul_cve_2020_0688.yml
win_vul_cve_2020_1472.yml
win_vul_java_remote_debugging.yml
win_webshell_detection.yml
win_webshell_recon_detection.yml
win_webshell_spawn.yml
win_whoami_as_system.yml
win_whoami_priv.yml
win_win10_sched_task_0day.yml
win_winword_dll_load.yml
win_wmi_backdoor_exchange_transport_agent.yml
win_wmi_persistence_script_event_consumer.yml
win_wmi_persistence.yml
win_wmi_spwns_powershell.yml
win_wmiprvse_spawning_process.yml
win_wmiprvse_wbemcomn_dll_hijack.yml
win_workflow_compiler.yml
win_write_protect_for_storage_disabled.yml
win_wsreset_uac_bypass.yml
win_xsl_script_processing.yml