Welcome to my Sigma / Red Canary coverage project
Purpose
Know which Sigma rule should trigger when a given Red Canary Atomic Red Team test is run.
Caution: a test can generate a lot of noise, so rules other than the one listed here may fire as well.
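Below is an added example (illustrative code written for this page, not tooling from this project and not a SigmaHQ rule): a small Python Sigma-style matcher run over constructed process-creation events for the two T1562.003 command-line-auditing tests listed further down. It shows the two points this index is about: which rule should fire for a given test (the reg.exe variant fires the constructed rule, the PowerShell cmdlet variant does not and needs its own rule) and the noise caution (the same test also fires a broader registry rule, while a benign re-enable is excluded by the rule's filter). The rule titles, Sysmon-style field names and command lines are constructed; the registry value they mention, ProcessCreationIncludeCmdLine_Enabled, is the real Windows setting.

```python
"""Minimal Sigma-style matcher: which constructed rule fires on which test event?
Added example, not this project's tooling; rules, events and field names are constructed."""
import re

# Rules in the shape of a Sigma detection section (constructed, not SigmaHQ rules).
RULES = [
    {
        "title": "Cmdline auditing disabled via reg.exe (constructed)",
        "detection": {
            "selection": {
                "Image|endswith": "\\reg.exe",
                "CommandLine|contains|all": ["\\Policies\\System\\Audit",
                                             "ProcessCreationIncludeCmdLine_Enabled"],
            },
            # An admin turning the setting ON writes the same value; exclude that.
            "filter_enable": {"CommandLine|contains": "/d 1"},
            "condition": "selection and not filter_enable",
        },
    },
    {
        "title": "reg.exe add under HKLM Policies (constructed, broad)",
        "detection": {
            "selection": {"Image|endswith": "\\reg.exe",
                          "CommandLine|contains|all": ["add", "HKLM\\", "\\Policies\\"]},
            "condition": "selection",
        },
    },
]

# Constructed Sysmon-style process-creation events: the two T1562.003 atomic test
# variants (reg.exe and PowerShell cmdlet) plus a benign admin re-enabling the setting.
AUDIT_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit"
EVENTS = {
    "atomic_reg_disable": {
        "Image": "C:\\Windows\\System32\\reg.exe",
        "CommandLine": f"reg add {AUDIT_KEY} /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f"},
    "admin_reg_enable": {
        "Image": "C:\\Windows\\System32\\reg.exe",
        "CommandLine": f"reg add {AUDIT_KEY} /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f"},
    "atomic_powershell_disable": {
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": f"powershell -c \"Set-ItemProperty -Path 'HKLM:{AUDIT_KEY[4:]}' "
                       f"-Name ProcessCreationIncludeCmdLine_Enabled -Value 0\""},
}


def _value_matches(actual, pattern, mods):
    """One event value vs one rule value; Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    a, p = str(actual).lower(), str(pattern).lower()
    if "re" in mods:
        return re.search(str(pattern), str(actual)) is not None
    if "contains" in mods:
        return p in a
    if "startswith" in mods:
        return a.startswith(p)
    if "endswith" in mods:
        return a.endswith(p)
    # Plain value: '*' is a wildcard, otherwise exact match.
    return re.fullmatch(".*".join(map(re.escape, p.split("*"))), a) is not None


def _field_matches(event, spec, pattern):
    """'Field|mod|mod: value-or-list'. A list is OR-ed unless the 'all' modifier is set."""
    name, *mods = spec.split("|")
    values = pattern if isinstance(pattern, list) else [pattern]
    hits = [_value_matches(event.get(name), v, mods) for v in values]
    return all(hits) if "all" in mods else any(hits)


def _selection_matches(event, sel):
    """A mapping ANDs its fields; a list of mappings ORs them."""
    if isinstance(sel, list):
        return any(_selection_matches(event, s) for s in sel)
    return all(_field_matches(event, k, v) for k, v in sel.items())


def rule_matches(rule, event):
    """Evaluate 'a and not b', 'or' and parentheses by recursive descent
    ('1 of selection*' / 'all of them' forms are not handled here)."""
    det = rule["detection"]
    toks = re.findall(r"\(|\)|\w+", det["condition"])
    pos = 0

    def factor():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == "not":
            return not factor()
        if tok == "(":
            val = expr()
            pos += 1  # consume ')'
            return val
        return _selection_matches(event, det[tok])

    def term():  # 'and' binds tighter than 'or'
        nonlocal pos
        val = factor()
        while pos < len(toks) and toks[pos] == "and":
            pos += 1
            val = factor() and val
        return val

    def expr():
        nonlocal pos
        val = term()
        while pos < len(toks) and toks[pos] == "or":
            pos += 1
            val = term() or val
        return val

    return expr()


def rules_fired(rules, event):
    return [r["title"] for r in rules if rule_matches(r, event)]


def coverage(rules, events):
    """Map each test event to the rule titles it fires; [] marks a coverage gap."""
    return {name: rules_fired(rules, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, fired in coverage(RULES, EVENTS).items():
        print(f"{name}: {fired or 'NO RULE FIRED'}")
```

Run it as a script to print one line per test event. To check a real rule instead of the constructed ones, load its YAML into the same dict shape; the detection section is evaluated the same way. The broad second rule firing on the atomic test is exactly the kind of noise the caution above refers to.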
Tests
T1560.001 - Archive via Utility
Compress Data and lock with password for Exfiltration with winzip [‘windows’] (sigma rule )
Data Compressed - nix - gzip Single File [‘linux’, ‘macos’] (sigma rule )
Compress Data for Exfiltration With Rar [‘windows’] (sigma rule )
Compress Data and lock with password for Exfiltration with 7zip [‘windows’] (sigma rule )
Encrypts collected data with AES-256 and Base64 [‘linux’, ‘macos’] (sigma rule )
ESXi - Remove Syslog remote IP [‘windows’] (sigma rule )
Data Encrypted with zip and gpg symmetric [‘linux’, ‘macos’] (sigma rule )
Compress Data and lock with password for Exfiltration with winrar [‘windows’] (sigma rule )
Data Compressed - nix - tar Folder or File [‘linux’, ‘macos’] (sigma rule )
Data Compressed - nix - zip [‘linux’, ‘macos’] (sigma rule )
T1070.002 - Clear Linux or Mac System Logs
Delete system log files using srm utility [‘macos’] (sigma rule )
Delete system journal logs via rm and journalctl utilities [‘linux’] (sigma rule )
Delete system log files using shred utility [‘macos’] (sigma rule )
rm -rf [‘linux’] (sigma rule )
Overwrite FreeBSD system log via echo utility [‘linux’] (sigma rule )
rm -rf [‘macos’, ‘linux’] (sigma rule )
Real-time system log clearance/deletion [‘macos’] (sigma rule )
System log file deletion via find utility [‘macos’] (sigma rule )
Overwrite Linux Log [‘linux’] (sigma rule )
Truncate system log files via truncate utility (freebsd) [‘linux’] (sigma rule )
Overwrite Linux Mail Spool [‘linux’] (sigma rule )
Delete system log files using OSAScript [‘macos’] (sigma rule )
Overwrite macOS system log via echo utility [‘macos’] (sigma rule )
Delete system log files via unlink utility (freebsd) [‘linux’] (sigma rule )
Truncate system log files via truncate utility [‘macos’] (sigma rule )
Delete log files using built-in log utility [‘macos’] (sigma rule )
Delete log files via cat utility by appending /dev/null or /dev/zero [‘macos’] (sigma rule )
Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) [‘linux’] (sigma rule )
Delete system log files via unlink utility [‘macos’] (sigma rule )
Delete system log files using Applescript [‘macos’] (sigma rule )
T1030 - Data Transfer Size Limits
Data Transfer Size Limits [‘macos’, ‘linux’] (sigma rule )
Network-Based Data Transfer in Small Chunks [‘windows’] (sigma rule )
T1222.002 - Linux and Mac File and Directory Permissions Modification
chmod - Change file or folder mode (numeric mode) [‘linux’, ‘macos’] (sigma rule )
chattr - Remove immutable file attribute [‘macos’, ‘linux’] (sigma rule )
chown - Change file or folder mode ownership only [‘linux’, ‘macos’] (sigma rule )
Chmod through c script [‘macos’, ‘linux’] (sigma rule )
Chown through c script (freebsd) [‘linux’] (sigma rule )
chmod - Change file or folder mode (numeric mode) recursively [‘linux’, ‘macos’] (sigma rule )
chown - Change file or folder ownership and group recursively [‘macos’, ‘linux’] (sigma rule )
Chown through c script [‘macos’, ‘linux’] (sigma rule )
chmod - Change file or folder mode (symbolic mode) [‘linux’, ‘macos’] (sigma rule )
chmod - Change file or folder mode (symbolic mode) recursively [‘linux’, ‘macos’] (sigma rule )
chown - Change file or folder ownership and group [‘macos’, ‘linux’] (sigma rule )
chflags - Remove immutable file attribute [‘linux’] (sigma rule )
Chmod through c script (freebsd) [‘linux’] (sigma rule )
chown - Change file or folder ownership recursively [‘macos’, ‘linux’] (sigma rule )
T1087.002 - Domain Account
Suspicious LAPS Attributes Query with Get-ADComputer all properties [‘windows’] (sigma rule )
Kerbrute - userenum [‘windows’] (sigma rule )
Suspicious LAPS Attributes Query with adfind all properties [‘windows’] (sigma rule )
Enumerate logged on users via CMD (Domain) [‘windows’] (sigma rule )
Enumerate Active Directory Users with ADSISearcher [‘windows’] (sigma rule )
Enumerate Default Domain Admin Details (Domain) [‘windows’] (sigma rule )
Adfind -Listing password policy [‘windows’] (sigma rule )
WinPwn - generaldomaininfo [‘windows’] (sigma rule )
Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope [‘windows’] (sigma rule )
Adfind - Enumerate Active Directory Exchange AD Objects [‘windows’] (sigma rule )
Wevtutil - Discover NTLM Users Remote [‘windows’] (sigma rule )
Adfind - Enumerate Active Directory Admins [‘windows’] (sigma rule )
Enumerate Active Directory for Unconstrained Delegation [‘windows’] (sigma rule )
Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property [‘windows’] (sigma rule )
Active Directory Domain Search [‘linux’] (sigma rule )
Get-DomainUser with PowerView [‘windows’] (sigma rule )
Enumerate Linked Policies In ADSISearcher Discovery [‘windows’] (sigma rule )
Account Enumeration with LDAPDomainDump [‘linux’] (sigma rule )
Enumerate all accounts via PowerShell (Domain) [‘windows’] (sigma rule )
Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd [‘windows’] (sigma rule )
Enumerate Root Domain linked policies Discovery [‘windows’] (sigma rule )
Enumerate all accounts (Domain) [‘windows’] (sigma rule )
Adfind - Enumerate Active Directory User Objects [‘windows’] (sigma rule )
Automated AD Recon (ADRecon) [‘windows’] (sigma rule )
T1558.002 - Silver Ticket
Crafting Active Directory silver tickets with mimikatz [‘windows’] (sigma rule )
T1555.004 - Windows Credential Manager
Access Saved Credentials via VaultCmd [‘windows’] (sigma rule )
WinPwn - Loot local Credentials - Invoke-WCMDump [‘windows’] (sigma rule )
T1090.003 - Multi-hop Proxy
Psiphon [‘windows’] (sigma rule )
Tor Proxy Usage - MacOS [‘macos’] (sigma rule )
Tor Proxy Usage - Debian/Ubuntu/FreeBSD [‘linux’] (sigma rule )
Tor Proxy Usage - Windows [‘windows’] (sigma rule )
T1112 - Modify Registry
Disable Windows Notification Center [‘windows’] (sigma rule )
Modify registry to store logon credentials [‘windows’] (sigma rule )
Mimic Ransomware - Allow Multiple RDP Sessions per User [‘windows’] (sigma rule )
Use Powershell to Modify registry to store logon credentials [‘windows’] (sigma rule )
Hide Windows Clock Group Policy Feature [‘windows’] (sigma rule )
Do Not Connect To Win Update [‘windows’] (sigma rule )
Activate Windows NoSetTaskbar Group Policy Feature [‘windows’] (sigma rule )
Enabling Remote Desktop Protocol via Remote Registry [‘windows’] (sigma rule )
Event Viewer Registry Modification - Redirection Program [‘windows’] (sigma rule )
Set-Up Proxy Server [‘windows’] (sigma rule )
Ursnif Malware Registry Key Creation [‘windows’] (sigma rule )
Windows Powershell Logging Disabled [‘windows’] (sigma rule )
Allow RDP Remote Assistance Feature [‘windows’] (sigma rule )
Disable Win Defender Notification [‘windows’] (sigma rule )
Activate Windows NoClose Group Policy Feature [‘windows’] (sigma rule )
Disable Windows Change Password Feature [‘windows’] (sigma rule )
Windows HideSCAPower Group Policy Feature [‘windows’] (sigma rule )
Windows HideSCANetwork Group Policy Feature [‘windows’] (sigma rule )
Windows Modify Show Compress Color And Info Tip Registry [‘windows’] (sigma rule )
RDP Authentication Level Override [‘windows’] (sigma rule )
Windows Auto Update Option to Notify before download [‘windows’] (sigma rule )
Disable Remote Desktop Security Settings Through Registry [‘windows’] (sigma rule )
Windows HideSCAVolume Group Policy Feature [‘windows’] (sigma rule )
Javascript in registry [‘windows’] (sigma rule )
Activate Windows NoDesktop Group Policy Feature [‘windows’] (sigma rule )
Event Viewer Registry Modification - Redirection URL [‘windows’] (sigma rule )
BlackByte Ransomware Registry Changes - Powershell [‘windows’] (sigma rule )
Disable Windows Shutdown Button [‘windows’] (sigma rule )
Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [‘windows’] (sigma rule )
Snake Malware Registry Blob [‘windows’] (sigma rule )
Disable Windows CMD application [‘windows’] (sigma rule )
Disable Windows Security Center Notifications [‘windows’] (sigma rule )
Activities To Disable Secondary Authentication Detected By Modified Registry Value. [‘windows’] (sigma rule )
Activate Windows NoPropertiesMyDocuments Group Policy Feature [‘windows’] (sigma rule )
Activate Windows NoRun Group Policy Feature [‘windows’] (sigma rule )
Disable Remote Desktop Anti-Alias Setting Through Registry [‘windows’] (sigma rule )
Terminal Server Client Connection History Cleared [‘windows’] (sigma rule )
Activate Windows NoControlPanel Group Policy Feature [‘windows’] (sigma rule )
Enabling Restricted Admin Mode via Command_Prompt [‘windows’] (sigma rule )
Disabling ShowUI Settings of Windows Error Reporting (WER) [‘windows’] (sigma rule )
NetWire RAT Registry Key Creation [‘windows’] (sigma rule )
Disable Windows OS Auto Update [‘windows’] (sigma rule )
Disable Windows Toast Notifications [‘windows’] (sigma rule )
Disable Windows Auto Reboot for current logon user [‘windows’] (sigma rule )
Change Powershell Execution Policy to Bypass [‘windows’] (sigma rule )
Disable Windows Lock Workstation Feature [‘windows’] (sigma rule )
Disable Windows LogOff Button [‘windows’] (sigma rule )
Disable Windows Prefetch Through Registry [‘windows’] (sigma rule )
Disable Windows Task Manager application [‘windows’] (sigma rule )
Tamper Win Defender Protection [‘windows’] (sigma rule )
Modify Registry of Local Machine - cmd [‘windows’] (sigma rule )
Modify Internet Zone Protocol Defaults in Current User Registry - cmd [‘windows’] (sigma rule )
Modify Registry of Current User Profile - cmd [‘windows’] (sigma rule )
Suppress Win Defender Notifications [‘windows’] (sigma rule )
Mimic Ransomware - Enable Multiple User Sessions [‘windows’] (sigma rule )
Add domain to Trusted sites Zone [‘windows’] (sigma rule )
Windows HideSCAHealth Group Policy Feature [‘windows’] (sigma rule )
Enable RDP via Registry (fDenyTSConnections) [‘windows’] (sigma rule )
Activate Windows NoFileMenu Group Policy Feature [‘windows’] (sigma rule )
Disable Windows Error Reporting Settings [‘windows’] (sigma rule )
Windows Add Registry Value to Load Service in Safe Mode with Network [‘windows’] (sigma rule )
DisallowRun Execution Of Certain Applications [‘windows’] (sigma rule )
Windows Add Registry Value to Load Service in Safe Mode without Network [‘windows’] (sigma rule )
Activate Windows NoFind Group Policy Feature [‘windows’] (sigma rule )
Allow Simultaneous Download Registry [‘windows’] (sigma rule )
Disable Windows Registry Tool [‘windows’] (sigma rule )
Activate Windows NoTrayContextMenu Group Policy Feature [‘windows’] (sigma rule )
BlackByte Ransomware Registry Changes - CMD [‘windows’] (sigma rule )
Enable Proxy Settings [‘windows’] (sigma rule )
Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [‘windows’] (sigma rule )
Scarab Ransomware Defense Evasion Activities [‘windows’] (sigma rule )
T1135 - Network Share Discovery
Network Share Discovery PowerShell [‘windows’] (sigma rule )
Network Share Discovery - FreeBSD [‘linux’] (sigma rule )
PowerView ShareFinder [‘windows’] (sigma rule )
Network Share Discovery command prompt [‘windows’] (sigma rule )
WinPwn - shareenumeration [‘windows’] (sigma rule )
Enumerate All Network Shares with SharpShares [‘windows’] (sigma rule )
Network Share Discovery [‘macos’] (sigma rule )
Network Share Discovery via dir command [‘windows’] (sigma rule )
Enumerate All Network Shares with Snaffler [‘windows’] (sigma rule )
Share Discovery with PowerView [‘windows’] (sigma rule )
View available share drives [‘windows’] (sigma rule )
Network Share Discovery - linux [‘linux’] (sigma rule )
T1564.001 - Hidden Files and Directories
Hidden files [‘macos’] (sigma rule )
Hide a Directory [‘macos’] (sigma rule )
Create Windows System File with Attrib [‘windows’] (sigma rule )
Hide Files Through Registry [‘windows’] (sigma rule )
Create Windows Hidden File with Attrib [‘windows’] (sigma rule )
Create a hidden file in a hidden directory [‘linux’, ‘macos’] (sigma rule )
Create Windows System File with powershell [‘windows’] (sigma rule )
Mac Hidden file [‘macos’] (sigma rule )
Show all hidden files [‘macos’] (sigma rule )
Create Windows Hidden File with powershell [‘windows’] (sigma rule )
T1562.006 - Indicator Blocking
LockBit Black - Disable the ETW Provider of Windows Defender -Powershell [‘windows’] (sigma rule )
Auditing Configuration Changes on Linux Host [‘linux’] (sigma rule )
Logging Configuration Changes on Linux Host [‘linux’] (sigma rule )
LockBit Black - Disable the ETW Provider of Windows Defender -cmd [‘windows’] (sigma rule )
Disable Powershell ETW Provider - Windows [‘windows’] (sigma rule )
Disable .NET Event Tracing for Windows Via Registry (powershell) [‘windows’] (sigma rule )
Auditing Configuration Changes on FreeBSD Host [‘linux’] (sigma rule )
Disable .NET Event Tracing for Windows Via Registry (cmd) [‘windows’] (sigma rule )
Logging Configuration Changes on FreeBSD Host [‘linux’] (sigma rule )
T1204.002 - Malicious File
Excel 4 Macro [‘windows’] (sigma rule )
LNK Payload Download [‘windows’] (sigma rule )
Office launching .bat file from AppData [‘windows’] (sigma rule )
OSTap Style Macro Execution [‘windows’] (sigma rule )
Headless Chrome code execution via VBA [‘windows’] (sigma rule )
Potentially Unwanted Applications (PUA) [‘windows’] (sigma rule )
Office Generic Payload Download [‘windows’] (sigma rule )
Mirror Blast Emulation [‘windows’] (sigma rule )
Maldoc choice flags command execution [‘windows’] (sigma rule )
OSTAP JS version [‘windows’] (sigma rule )
OSTap Payload Download [‘windows’] (sigma rule )
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Alternative Protocol - FTP - Rclone [‘windows’] (sigma rule )
Exfiltration Over Alternative Protocol - SMTP [‘windows’] (sigma rule )
Exfiltration Over Alternative Protocol - HTTP [‘macos’, ‘linux’] (sigma rule )
MAZE FTP Upload [‘windows’] (sigma rule )
Exfiltration Over Alternative Protocol - DNS [‘linux’] (sigma rule )
Exfiltration Over Alternative Protocol - HTTP [‘windows’] (sigma rule )
Python3 http.server [‘linux’] (sigma rule )
Exfiltration Over Alternative Protocol - ICMP [‘windows’] (sigma rule )
T1027 - Obfuscated Files or Information
Execution from Compressed File [‘windows’] (sigma rule )
Execute base64-encoded PowerShell [‘windows’] (sigma rule )
DLP Evasion via Sensitive Data in VBA Macro over email [‘windows’] (sigma rule )
Obfuscated Command Line using special Unicode characters [‘windows’] (sigma rule )
Execution from Compressed JScript File [‘windows’] (sigma rule )
Decode base64 Data into Script [‘macos’, ‘linux’] (sigma rule )
Snake Malware Encrypted crmlog file [‘windows’] (sigma rule )
DLP Evasion via Sensitive Data in VBA Macro over HTTP [‘windows’] (sigma rule )
Obfuscated Command in PowerShell [‘windows’] (sigma rule )
Execute base64-encoded PowerShell from Windows Registry [‘windows’] (sigma rule )
T1136.001 - Local Account
Create a new Windows admin user via .NET [‘windows’] (sigma rule )
Create a new user in PowerShell [‘windows’] (sigma rule )
Create a new user in FreeBSD with root GID. [‘linux’] (sigma rule )
Create a new user in a command prompt [‘windows’] (sigma rule )
Create a user account on a Linux system [‘linux’] (sigma rule )
Create a user account on a MacOS system [‘macos’] (sigma rule )
Create a new user in Linux with root UID and GID. [‘linux’] (sigma rule )
Create a new Windows admin user [‘windows’] (sigma rule )
Create a user account on a FreeBSD system [‘linux’] (sigma rule )
T1518.001 - Security Software Discovery
Security Software Discovery - Sysmon Service [‘windows’] (sigma rule )
Security Software Discovery - pgrep (FreeBSD) [‘linux’] (sigma rule )
Security Software Discovery - ps (macOS) [‘macos’] (sigma rule )
Security Software Discovery - ps (Linux) [‘linux’] (sigma rule )
Security Software Discovery [‘windows’] (sigma rule )
Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets [‘windows’] (sigma rule )
Security Software Discovery - AV Discovery via WMI [‘windows’] (sigma rule )
Security Software Discovery - Windows Firewall Enumeration [‘windows’] (sigma rule )
Security Software Discovery - powershell [‘windows’] (sigma rule )
Security Software Discovery - Windows Defender Enumeration [‘windows’] (sigma rule )
T1078.003 - Local Accounts
Add a new/existing user to the admin group using dseditgroup utility - macOS [‘macos’] (sigma rule )
Login as nobody (freebsd) [‘linux’] (sigma rule )
WinPwn - Loot local Credentials - Safetykatz [‘windows’] (sigma rule )
Login as nobody (Linux) [‘linux’] (sigma rule )
Create local account with admin privileges - MacOS [‘macos’] (sigma rule )
Create local account with admin privileges [‘windows’] (sigma rule )
Reactivate a locked/expired account (Linux) [‘linux’] (sigma rule )
WinPwn - Loot local Credentials - powerhell kittie [‘windows’] (sigma rule )
Reactivate a locked/expired account (FreeBSD) [‘linux’] (sigma rule )
Create local account with admin privileges using sysadminctl utility - MacOS [‘macos’] (sigma rule )
Create local account (Linux) [‘linux’] (sigma rule )
Enable root account using dsenableroot utility - MacOS [‘macos’] (sigma rule )
T1003.002 - Security Account Manager
esentutl.exe SAM copy [‘windows’] (sigma rule )
dump volume shadow copy hives with System.IO.File [‘windows’] (sigma rule )
PowerDump Hashes and Usernames from Registry [‘windows’] (sigma rule )
Registry dump of SAM, creds, and secrets [‘windows’] (sigma rule )
WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes [‘windows’] (sigma rule )
Registry parse with pypykatz [‘windows’] (sigma rule )
dump volume shadow copy hives with certutil [‘windows’] (sigma rule )
T1558.003 - Kerberoasting
WinPwn - Kerberoasting [‘windows’] (sigma rule )
WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [‘windows’] (sigma rule )
Request All Tickets via PowerShell [‘windows’] (sigma rule )
Extract all accounts in use as SPN using setspn [‘windows’] (sigma rule )
Request A Single Ticket via PowerShell [‘windows’] (sigma rule )
Rubeus kerberoast [‘windows’] (sigma rule )
Request for service tickets [‘windows’] (sigma rule )
T1040 - Network Sniffing
Windows Internal Packet Capture [‘windows’] (sigma rule )
Packet Capture Linux using tshark or tcpdump [‘linux’] (sigma rule )
Filtered Packet Capture macOS using /dev/bpfN with sudo [‘macos’] (sigma rule )
Packet Capture macOS using tcpdump or tshark [‘macos’] (sigma rule )
Windows Internal pktmon capture [‘windows’] (sigma rule )
Packet Capture macOS using /dev/bpfN with sudo [‘macos’] (sigma rule )
Windows Internal pktmon set filter [‘windows’] (sigma rule )
Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [‘linux’] (sigma rule )
Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [‘linux’] (sigma rule )
PowerShell Network Sniffing [‘windows’] (sigma rule )
Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [‘linux’] (sigma rule )
Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [‘linux’] (sigma rule )
Packet Capture Windows Command Prompt [‘windows’] (sigma rule )
Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [‘linux’] (sigma rule )
Packet Capture FreeBSD using /dev/bpfN with sudo [‘linux’] (sigma rule )
Packet Capture FreeBSD using tshark or tcpdump [‘linux’] (sigma rule )
T1036.004 - Masquerade Task or Service
Creating W32Time similar named service using sc [‘windows’] (sigma rule )
Creating W32Time similar named service using schtasks [‘windows’] (sigma rule )
linux rename /proc/pid/comm using prctl [‘linux’] (sigma rule )
T1548.002 - Bypass User Account Control
UACME Bypass Method 61 [‘windows’] (sigma rule )
UAC Bypass with WSReset Registry Modification [‘windows’] (sigma rule )
Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [‘windows’] (sigma rule )
Bypass UAC using ComputerDefaults (PowerShell) [‘windows’] (sigma rule )
UACME Bypass Method 33 [‘windows’] (sigma rule )
Bypass UAC using Fodhelper [‘windows’] (sigma rule )
Bypass UAC using Event Viewer (PowerShell) [‘windows’] (sigma rule )
Disable ConsentPromptBehaviorAdmin via registry keys [‘windows’] (sigma rule )
UACME Bypass Method 34 [‘windows’] (sigma rule )
Disable UAC using reg.exe [‘windows’] (sigma rule )
UACME Bypass Method 31 [‘windows’] (sigma rule )
WinPwn - UAC Bypass ccmstp technique [‘windows’] (sigma rule )
UACME Bypass Method 59 [‘windows’] (sigma rule )
Bypass UAC using Fodhelper - PowerShell [‘windows’] (sigma rule )
Bypass UAC using Event Viewer (cmd) [‘windows’] (sigma rule )
UACME Bypass Method 23 [‘windows’] (sigma rule )
Bypass UAC by Mocking Trusted Directories [‘windows’] (sigma rule )
WinPwn - UAC Bypass DccwBypassUAC technique [‘windows’] (sigma rule )
UACME Bypass Method 56 [‘windows’] (sigma rule )
Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [‘windows’] (sigma rule )
Disable UAC notification via registry keys [‘windows’] (sigma rule )
Bypass UAC using sdclt DelegateExecute [‘windows’] (sigma rule )
UACME Bypass Method 39 [‘windows’] (sigma rule )
WinPwn - UAC Magic [‘windows’] (sigma rule )
Bypass UAC using SilentCleanup task [‘windows’] (sigma rule )
WinPwn - UAC Bypass DiskCleanup technique [‘windows’] (sigma rule )
T1053.005 - Scheduled Task
Scheduled Task (“Ghost Task”) via Registry Key Manipulation [‘windows’] (sigma rule )
Scheduled Task Startup Script [‘windows’] (sigma rule )
Scheduled Task Executing Base64 Encoded Commands From Registry [‘windows’] (sigma rule )
Powershell Cmdlet Scheduled Task [‘windows’] (sigma rule )
Import XML Schedule Task with Hidden Attribute [‘windows’] (sigma rule )
WMI Invoke-CimMethod Scheduled Task [‘windows’] (sigma rule )
PowerShell Modify A Scheduled Task [‘windows’] (sigma rule )
Scheduled task Local [‘windows’] (sigma rule )
Scheduled task Remote [‘windows’] (sigma rule )
Task Scheduler via VBA [‘windows’] (sigma rule )
T1110.001 - Password Guessing
Password Brute User using Kerbrute Tool [‘windows’] (sigma rule )
ESXi - Brute Force Until Account Lockout [‘windows’] (sigma rule )
SUDO Brute Force - Debian [‘linux’] (sigma rule )
SUDO Brute Force - FreeBSD [‘linux’] (sigma rule )
Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [‘windows’] (sigma rule )
Brute Force Credentials of single Active Directory domain users via SMB [‘windows’] (sigma rule )
Brute Force Credentials of single Azure AD user [‘azure-ad’] (sigma rule )
SUDO Brute Force - Redhat [‘linux’] (sigma rule )
T1082 - System Information Discovery
WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors [‘windows’] (sigma rule )
List OS Information [‘linux’, ‘macos’] (sigma rule )
WinPwn - itm4nprivesc [‘windows’] (sigma rule )
WinPwn - winPEAS [‘windows’] (sigma rule )
ESXi - Darkside system information discovery [‘linux’] (sigma rule )
FreeBSD List Kernel Modules [‘linux’] (sigma rule )
Linux VM Check via Hardware [‘linux’] (sigma rule )
BIOS Information Discovery through Registry [‘windows’] (sigma rule )
FreeBSD VM Check via Kernel Modules [‘linux’] (sigma rule )
Environment variables discovery on windows [‘windows’] (sigma rule )
WinPwn - Powersploits privesc checks [‘windows’] (sigma rule )
WinPwn - Morerecon [‘windows’] (sigma rule )
Show System Integrity Protection status (MacOS) [‘macos’] (sigma rule )
WinPwn - General privesc checks [‘windows’] (sigma rule )
WinPwn - GeneralRecon [‘windows’] (sigma rule )
System Information Discovery [‘windows’] (sigma rule )
Windows MachineGUID Discovery [‘windows’] (sigma rule )
Linux VM Check via Kernel Modules [‘linux’] (sigma rule )
System Information Discovery [‘windows’] (sigma rule )
WinPwn - PowerSharpPack - Seatbelt [‘windows’] (sigma rule )
Linux List Kernel Modules [‘linux’] (sigma rule )
ESXi - VM Discovery using ESXCLI [‘linux’] (sigma rule )
Azure Security Scan with SkyArk [‘azure-ad’] (sigma rule )
Griffon Recon [‘windows’] (sigma rule )
Environment variables discovery on freebsd, macos and linux [‘linux’, ‘macos’] (sigma rule )
WinPwn - PowerSharpPack - Watson searching for missing windows patches [‘windows’] (sigma rule )
Driver Enumeration using DriverQuery [‘windows’] (sigma rule )
System Information Discovery with WMIC [‘windows’] (sigma rule )
Check computer location [‘windows’] (sigma rule )
Hostname Discovery [‘linux’, ‘macos’] (sigma rule )
WinPwn - RBCD-Check [‘windows’] (sigma rule )
System Information Discovery [‘macos’] (sigma rule )
Hostname Discovery (Windows) [‘windows’] (sigma rule )
T1110.003 - Password Spraying
Password Spray (DomainPasswordSpray) [‘windows’] (sigma rule )
Password Spray using Kerbrute Tool [‘windows’] (sigma rule )
Password Spray all Domain Users [‘windows’] (sigma rule )
Password Spray Invoke-DomainPasswordSpray Light [‘windows’] (sigma rule )
Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [‘windows’] (sigma rule )
AWS - Password Spray an AWS using GoAWSConsoleSpray [‘iaas:aws’] (sigma rule )
Password spray all Azure AD users with a single password [‘azure-ad’] (sigma rule )
Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) [‘azure-ad’] (sigma rule )
WinPwn - DomainPasswordSpray Attacks [‘windows’] (sigma rule )
T1187 - Forced Authentication
PetitPotam [‘windows’] (sigma rule )
Trigger an authenticated RPC call to a target server with no Sign flag set [‘windows’] (sigma rule )
WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS [‘windows’] (sigma rule )
T1176 - Browser Extensions
Chrome/Chromium (Developer Mode) [‘linux’, ‘windows’, ‘macos’] (sigma rule )
Firefox [‘linux’, ‘windows’, ‘macos’] (sigma rule )
Google Chrome Load Unpacked Extension With Command Line [‘windows’] (sigma rule )
Edge Chromium Addon - VPN [‘windows’, ‘macos’] (sigma rule )
Chrome/Chromium (Chrome Web Store) [‘linux’, ‘windows’, ‘macos’] (sigma rule )
T1562.003 - Impair Command History Logging
Setting the HISTCONTROL environment variable [‘linux’] (sigma rule )
Clear bash history [‘linux’] (sigma rule )
Setting the HISTFILE environment variable [‘linux’] (sigma rule )
Disable history collection (freebsd) [‘linux’] (sigma rule )
Disable Windows Command Line Auditing using Powershell Cmdlet [‘windows’] (sigma rule )
Setting the HISTIGNORE environment variable [‘linux’] (sigma rule )
Mac HISTCONTROL [‘macos’, ‘linux’] (sigma rule )
Disable Windows Command Line Auditing using reg.exe [‘windows’] (sigma rule )
Setting the HISTFILESIZE environment variable [‘linux’] (sigma rule )
Disable history collection [‘linux’, ‘macos’] (sigma rule )
Setting the HISTFILE environment variable (freebsd) [‘linux’] (sigma rule )
Setting the HISTSIZE environment variable [‘linux’] (sigma rule )
T1087.001 - Local Account
Show if a user account has ever logged in remotely [‘linux’] (sigma rule )
View sudoers access [‘linux’, ‘macos’] (sigma rule )
Enumerate users and groups [‘macos’] (sigma rule )
Enumerate all accounts via PowerShell (Local) [‘windows’] (sigma rule )
Enumerate all accounts (Local) [‘linux’] (sigma rule )
Enumerate logged on users via CMD (Local) [‘windows’] (sigma rule )
View accounts with UID 0 [‘linux’, ‘macos’] (sigma rule )
Enumerate users and groups [‘linux’, ‘macos’] (sigma rule )
List opened files by user [‘linux’, ‘macos’] (sigma rule )
Enumerate all accounts on Windows (Local) [‘windows’] (sigma rule )
T1059.001 - PowerShell
PowerShell Command Execution [‘windows’] (sigma rule )
SOAPHound - Dump BloodHound Data [‘windows’] (sigma rule )
Mimikatz - Cradlecraft PsSendKeys [‘windows’] (sigma rule )
PowerShell Session Creation and Use [‘windows’] (sigma rule )
PowerShell Invoke Known Malicious Cmdlets [‘windows’] (sigma rule )
ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [‘windows’] (sigma rule )
PowerShell Fileless Script Execution [‘windows’] (sigma rule )
Powershell invoke mshta.exe download [‘windows’] (sigma rule )
Run BloodHound from local disk [‘windows’] (sigma rule )
ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [‘windows’] (sigma rule )
PowerUp Invoke-AllChecks [‘windows’] (sigma rule )
Run Bloodhound from Memory using Download Cradle [‘windows’] (sigma rule )
Mimikatz [‘windows’] (sigma rule )
ATHPowerShellCommandLineParameter -Command parameter variations [‘windows’] (sigma rule )
NTFS Alternate Data Stream Access [‘windows’] (sigma rule )
Invoke-AppPathBypass [‘windows’] (sigma rule )
Abuse Nslookup with DNS Records [‘windows’] (sigma rule )
ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [‘windows’] (sigma rule )
Powershell XML requests [‘windows’] (sigma rule )
Powershell MsXml COM object - with prompt [‘windows’] (sigma rule )
Powershell Invoke-DownloadCradle [‘windows’] (sigma rule )
SOAPHound - Build Cache [‘windows’] (sigma rule )
T1059.004 - Unix Shell
Environment variable scripts [‘linux’] (sigma rule )
Current kernel information enumeration [‘linux’] (sigma rule )
Harvest SUID executable files [‘linux’] (sigma rule )
Change login shell [‘linux’] (sigma rule )
Command-Line Interface [‘linux’, ‘macos’] (sigma rule )
Obfuscated command line scripts [‘linux’] (sigma rule )
What shells are available [‘linux’] (sigma rule )
LinEnum tool execution [‘linux’] (sigma rule )
What shell is running [‘linux’] (sigma rule )
New script file in the tmp directory [‘linux’] (sigma rule )
Create and Execute Bash Shell Script [‘linux’, ‘macos’] (sigma rule )
Command line scripts [‘linux’] (sigma rule )
Detecting pipe-to-shell [‘linux’] (sigma rule )
T1098.003 - Additional Cloud Roles
Azure AD - Add Company Administrator Role to a user [‘azure-ad’] (sigma rule )
Simulate - Post BEC persistence via user password reset followed by user added to company administrator role [‘azure-ad’] (sigma rule )
T1018 - Remote System Discovery
Get-DomainController with PowerView [‘windows’] (sigma rule )
Remote System Discovery - netstat [‘linux’] (sigma rule )
Enumerate Active Directory Computers with ADSISearcher [‘windows’] (sigma rule )
Remote System Discovery - ip neighbour [‘linux’] (sigma rule )
Adfind - Enumerate Active Directory Domain Controller Objects [‘windows’] (sigma rule )
Enumerate Active Directory Computers with Get-AdComputer [‘windows’] (sigma rule )
Remote System Discovery - net group Domain Computers [‘windows’] (sigma rule )
Remote System Discovery - arp nix [‘linux’, ‘macos’] (sigma rule )
Remote System Discovery - net [‘windows’] (sigma rule )
Adfind - Enumerate Active Directory Computer Objects [‘windows’] (sigma rule )
Remote System Discovery - net group Domain Controller [‘windows’] (sigma rule )
Get-WmiObject to Enumerate Domain Controllers [‘windows’] (sigma rule )
Remote System Discovery - sweep [‘linux’, ‘macos’] (sigma rule )
Remote System Discovery - adidnsdump [‘windows’] (sigma rule )
Remote System Discovery - ip tcp_metrics [‘linux’] (sigma rule )
Remote System Discovery - nslookup [‘windows’] (sigma rule )
Enumerate domain computers within Active Directory using DirectorySearcher [‘windows’] (sigma rule )
Remote System Discovery - ping sweep [‘windows’] (sigma rule )
Remote System Discovery - ip route [‘linux’] (sigma rule )
Enumerate Remote Hosts with Netscan [‘windows’] (sigma rule )
Remote System Discovery - nltest [‘windows’] (sigma rule )
Remote System Discovery - arp [‘windows’] (sigma rule )
T1562.004 - Disable or Modify System Firewall
Edit UFW firewall ufw.conf file [‘linux’] (sigma rule )
Opening ports for proxy - HARDRAIN [‘windows’] (sigma rule )
Stop/Start UFW firewall systemctl [‘linux’] (sigma rule )
ESXi - Disable Firewall via Esxcli [‘windows’] (sigma rule )
Add and delete UFW firewall rules [‘linux’] (sigma rule )
Stop/Start UFW firewall [‘linux’] (sigma rule )
Disable iptables [‘linux’] (sigma rule )
LockBit Black - Unusual Windows firewall registry modification -cmd [‘windows’] (sigma rule )
Tail the UFW firewall log file [‘linux’] (sigma rule )
Stop/Start Packet Filter [‘linux’] (sigma rule )
LockBit Black - Unusual Windows firewall registry modification -Powershell [‘windows’] (sigma rule )
Edit UFW firewall main configuration file [‘linux’] (sigma rule )
Disable Microsoft Defender Firewall [‘windows’] (sigma rule )
Allow SMB and RDP on Microsoft Defender Firewall [‘windows’] (sigma rule )
Turn off UFW logging [‘linux’] (sigma rule )
Disable Microsoft Defender Firewall via Registry [‘windows’] (sigma rule )
Allow Executable Through Firewall Located in Non-Standard Location [‘windows’] (sigma rule )
Edit UFW firewall sysctl.conf file [‘linux’] (sigma rule )
Edit UFW firewall user.rules file [‘linux’] (sigma rule )
Blackbit - Disable Windows Firewall using netsh firewall [‘windows’] (sigma rule )
Open a local port through Windows Firewall to any profile [‘windows’] (sigma rule )
Modify/delete iptables firewall rules [‘linux’] (sigma rule )
Set a firewall rule using New-NetFirewallRule [‘windows’] (sigma rule )
Add and delete Packet Filter rules [‘linux’] (sigma rule )
T1546.015
Powershell Execute COM Object [‘windows’] (sigma rule )
COM Hijacking - InprocServer32 [‘windows’] (sigma rule )
COM hijacking via TreatAs [‘windows’] (sigma rule )
COM Hijacking with RunDLL32 (Local Server Switch) [‘windows’] (sigma rule )
T1098
Azure AD - adding service principal to Azure AD role [‘azure-ad’] (sigma rule )
AWS - Create a group and add a user to that group [‘iaas:aws’] (sigma rule )
Azure AD - adding permission to application [‘azure-ad’] (sigma rule )
Domain Password Policy Check: No Number in Password [‘windows’] (sigma rule )
Password Change on Directory Service Restore Mode (DSRM) Account [‘windows’] (sigma rule )
Domain Account and Group Manipulate [‘windows’] (sigma rule )
GCP - Delete Service Account Key [‘iaas:gcp’] (sigma rule )
Azure AD - adding user to Azure AD role [‘azure-ad’] (sigma rule )
Domain Password Policy Check: No Lowercase Character in Password [‘windows’] (sigma rule )
Domain Password Policy Check: Only Two Character Classes [‘windows’] (sigma rule )
Domain Password Policy Check: No Special Character in Password [‘windows’] (sigma rule )
Domain Password Policy Check: Common Password Use [‘windows’] (sigma rule )
Domain Password Policy Check: Short Password [‘windows’] (sigma rule )
Azure - adding user to Azure role in subscription [‘iaas:azure’] (sigma rule )
Admin Account Manipulate [‘windows’] (sigma rule )
Azure - adding service principal to Azure role in subscription [‘iaas:azure’] (sigma rule )
Domain Password Policy Check: No Uppercase Character in Password [‘windows’] (sigma rule )
T1105
File Download via PowerShell [‘windows’] (sigma rule )
rsync remote file copy (pull) [‘linux’, ‘macos’] (sigma rule )
Download a file using wscript [‘windows’] (sigma rule )
File download via nscurl [‘macos’] (sigma rule )
File download with finger.exe on Windows [‘windows’] (sigma rule )
Windows - BITSAdmin BITS Download [‘windows’] (sigma rule )
Curl Upload File [‘windows’] (sigma rule )
Download a File with Windows Defender MpCmdRun.exe [‘windows’] (sigma rule )
OSTAP Worming Activity [‘windows’] (sigma rule )
scp remote file copy (pull) [‘linux’, ‘macos’] (sigma rule )
Windows - PowerShell Download [‘windows’] (sigma rule )
sftp remote file copy (pull) [‘linux’, ‘macos’] (sigma rule )
Arbitrary file download using the Notepad++ GUP.exe binary [‘windows’] (sigma rule )
certutil download (verifyctl) [‘windows’] (sigma rule )
Lolbas replace.exe use to copy file [‘windows’] (sigma rule )
whois file download [‘linux’, ‘macos’] (sigma rule )
Nimgrab - Transfer Files [‘windows’] (sigma rule )
Printer Migration Command-Line Tool UNC share folder into a zip file [‘windows’] (sigma rule )
Lolbas replace.exe use to copy UNC file [‘windows’] (sigma rule )
rsync remote file copy (push) [‘linux’, ‘macos’] (sigma rule )
Download a file with Microsoft Connection Manager Auto-Download [‘windows’] (sigma rule )
Download a file with IMEWDBLD.exe [‘windows’] (sigma rule )
iwr or Invoke Web-Request download [‘windows’] (sigma rule )
Linux Download File and Run [‘linux’] (sigma rule )
scp remote file copy (push) [‘linux’, ‘macos’] (sigma rule )
MAZE Propagation Script [‘windows’] (sigma rule )
sftp remote file copy (push) [‘linux’, ‘macos’] (sigma rule )
Curl Download File [‘windows’] (sigma rule )
svchost writing a file to a UNC path [‘windows’] (sigma rule )
certutil download (urlcache) [‘windows’] (sigma rule )
certreq download [‘windows’] (sigma rule )
T1219
Splashtop Streamer Execution [‘windows’] (sigma rule )
TeamViewer Files Detected Test on Windows [‘windows’] (sigma rule )
Ammyy Admin Software Execution [‘windows’] (sigma rule )
UltraViewer - RAT Execution [‘windows’] (sigma rule )
UltraVNC Execution [‘windows’] (sigma rule )
Splashtop Execution [‘windows’] (sigma rule )
MSP360 Connect Execution [‘windows’] (sigma rule )
NetSupport - RAT Execution [‘windows’] (sigma rule )
ScreenConnect Application Download and Install on Windows [‘windows’] (sigma rule )
RustDesk Files Detected Test on Windows [‘windows’] (sigma rule )
GoToAssist Files Detected Test on Windows [‘windows’] (sigma rule )
LogMeIn Files Detected Test on Windows [‘windows’] (sigma rule )
RemotePC Software Execution [‘windows’] (sigma rule )
AnyDesk Files Detected Test on Windows [‘windows’] (sigma rule )
T1021.002
Copy and Execute File with PsExec [‘windows’] (sigma rule )
Map admin share [‘windows’] (sigma rule )
Map Admin Share PowerShell [‘windows’] (sigma rule )
Execute command writing output to local Admin Share [‘windows’] (sigma rule )
T1136.003
Azure AD - Create a new user via Azure CLI [‘azure-ad’] (sigma rule )
AWS - Create a new IAM user [‘iaas:aws’] (sigma rule )
Azure AD - Create a new user [‘azure-ad’] (sigma rule )
T1033
Find computers where user has session - Stealth mode (PowerView) [‘windows’] (sigma rule )
System Owner/User Discovery [‘linux’, ‘macos’] (sigma rule )
System Discovery - SocGholish whoami [‘windows’] (sigma rule )
User Discovery With Env Vars PowerShell Script [‘windows’] (sigma rule )
System Owner/User Discovery Using Command Prompt [‘windows’] (sigma rule )
System Owner/User Discovery [‘windows’] (sigma rule )
GetCurrent User with PowerShell Script [‘windows’] (sigma rule )
T1543.002
Create SysV Service [‘linux’] (sigma rule )
Create Systemd Service [‘linux’] (sigma rule )
Create Systemd Service file, Enable the service, Modify and Reload the service. [‘linux’] (sigma rule )
T1552.001
WinPwn - SessionGopher [‘windows’] (sigma rule )
Access unattend.xml [‘windows’] (sigma rule )
WinPwn - passhunt [‘windows’] (sigma rule )
WinPwn - sensitivefiles [‘windows’] (sigma rule )
WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [‘windows’] (sigma rule )
Extracting passwords with findstr [‘windows’] (sigma rule )
Find AWS credentials [‘macos’, ‘linux’] (sigma rule )
Extract Browser and System credentials with LaZagne [‘macos’] (sigma rule )
Find and Access Github Credentials [‘linux’, ‘macos’] (sigma rule )
WinPwn - Snaffler [‘windows’] (sigma rule )
Extract passwords with grep [‘linux’, ‘macos’] (sigma rule )
WinPwn - powershellsensitive [‘windows’] (sigma rule )
T1562.001
AMSI Bypass - Remove AMSI Provider Reg Key [‘windows’] (sigma rule )
Disable syslog (freebsd) [‘linux’] (sigma rule )
Tamper with Windows Defender ATP PowerShell [‘windows’] (sigma rule )
Tamper with Windows Defender Registry - Reg.exe [‘windows’] (sigma rule )
LockBit Black - Disable Privacy Settings Experience Using Registry -cmd [‘windows’] (sigma rule )
Tamper with Windows Defender Registry - Powershell [‘windows’] (sigma rule )
LockBit Black - Use Registry Editor to turn on automatic logon -cmd [‘windows’] (sigma rule )
Suspend History [‘linux’] (sigma rule )
Disable Hypervisor-Enforced Code Integrity (HVCI) [‘windows’] (sigma rule )
Uninstall Crowdstrike Falcon on Windows [‘windows’] (sigma rule )
Disable macOS Gatekeeper [‘macos’] (sigma rule )
WMIC Tamper with Windows Defender Evade Scanning Folder [‘windows’] (sigma rule )
Tamper with Windows Defender Registry [‘windows’] (sigma rule )
AMSI Bypass - AMSI InitFailed [‘windows’] (sigma rule )
Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [‘windows’] (sigma rule )
Tamper with Windows Defender Command Prompt [‘windows’] (sigma rule )
Disable Memory Swap [‘linux’] (sigma rule )
Delete Windows Defender Scheduled Tasks [‘windows’] (sigma rule )
Stop Crowdstrike Falcon on Linux [‘linux’] (sigma rule )
Disable OpenDNS Umbrella [‘macos’] (sigma rule )
Clear Pagging Cache [‘linux’] (sigma rule )
Tamper with Windows Defender Evade Scanning -Folder [‘windows’] (sigma rule )
Delete Microsoft Defender ASR Rules - GPO [‘windows’] (sigma rule )
Disable SELinux [‘linux’] (sigma rule )
Stop and Remove Arbitrary Security Windows Service [‘windows’] (sigma rule )
Unload Sysmon Filter Driver [‘windows’] (sigma rule )
Disable Carbon Black Response [‘macos’] (sigma rule )
Tamper with Defender ATP on Linux/MacOS [‘linux’, ‘macos’] (sigma rule )
AMSI Bypass - Override AMSI via COM [‘windows’] (sigma rule )
Reboot Linux Host via Kernel System Request [‘linux’] (sigma rule )
Stop and unload Crowdstrike Falcon on macOS [‘macos’] (sigma rule )
office-365-Disable-AntiPhishRule [‘office-365’] (sigma rule )
ESXi - Disable Account Lockout Policy via PowerCLI [‘linux’] (sigma rule )
LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [‘windows’] (sigma rule )
Disable Arbitrary Security Windows Service [‘windows’] (sigma rule )
Tamper with Windows Defender Evade Scanning -Extension [‘windows’] (sigma rule )
AWS - GuardDuty Suspension or Deletion [‘iaas:aws’] (sigma rule )
Disable LittleSnitch [‘macos’] (sigma rule )
Disable Cb Response [‘linux’] (sigma rule )
Disable Windows Defender with DISM [‘windows’] (sigma rule )
Disable syslog [‘linux’] (sigma rule )
WinPwn - Kill the event log services for stealth [‘windows’] (sigma rule )
Disable Microsoft Office Security Features [‘windows’] (sigma rule )
Remove Windows Defender Definition Files [‘windows’] (sigma rule )
Disable Defender Using NirSoft AdvancedRun [‘windows’] (sigma rule )
Tamper with Windows Defender Evade Scanning -Process [‘windows’] (sigma rule )
Delete Microsoft Defender ASR Rules - InTune [‘windows’] (sigma rule )
Uninstall Sysmon [‘windows’] (sigma rule )
Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell [‘windows’] (sigma rule )
Clear History [‘linux’] (sigma rule )
Kill antimalware protected processes using Backstab [‘windows’] (sigma rule )
Tamper with Windows Defender ATP using Aliases - PowerShell [‘windows’] (sigma rule )
T1057
Process Discovery - get-wmiObject [‘windows’] (sigma rule )
Process Discovery - ps [‘linux’, ‘macos’] (sigma rule )
Process Discovery - Process Hacker [‘windows’] (sigma rule )
Discover Specific Process - tasklist [‘windows’] (sigma rule )
Process Discovery - Get-Process [‘windows’] (sigma rule )
Process Discovery - tasklist [‘windows’] (sigma rule )
Process Discovery - wmic process [‘windows’] (sigma rule )
T1547.001
HKLM - Policy Settings Explorer Run Key [‘windows’] (sigma rule )
Modify BootExecute Value [‘windows’] (sigma rule )
Suspicious vbs file run from startup Folder [‘windows’] (sigma rule )
Suspicious bat file run from startup Folder [‘windows’] (sigma rule )
Change Startup Folder - HKCU Modify User Shell Folders Startup Value [‘windows’] (sigma rule )
HKLM - Append Command to Winlogon Userinit KEY Value [‘windows’] (sigma rule )
HKCU - Policy Settings Explorer Run Key [‘windows’] (sigma rule )
Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value [‘windows’] (sigma rule )
Add Executable Shortcut Link to User Startup Folder [‘windows’] (sigma rule )
Reg Key RunOnce [‘windows’] (sigma rule )
Suspicious jse file run from startup Folder [‘windows’] (sigma rule )
PowerShell Registry RunOnce [‘windows’] (sigma rule )
secedit used to create a Run key in the HKLM Hive [‘windows’] (sigma rule )
SystemBC Malware-as-a-Service Registry [‘windows’] (sigma rule )
Add persistance via Recycle bin [‘windows’] (sigma rule )
Reg Key Run [‘windows’] (sigma rule )
HKLM - Modify default System Shell - Winlogon Shell KEY Value [‘windows’] (sigma rule )
T1546.005
Trap EXIT [‘macos’, ‘linux’] (sigma rule )
Trap EXIT (freebsd) [‘linux’] (sigma rule )
Trap SIGINT (freebsd) [‘linux’] (sigma rule )
Trap SIGINT [‘macos’, ‘linux’] (sigma rule )
T1555.001
Export Certificate Item(s) [‘macos’] (sigma rule )
Import Certificate Item(s) into Keychain [‘macos’] (sigma rule )
Keychain Dump [‘macos’] (sigma rule )
T1056.001
Logging bash history to syslog [‘linux’] (sigma rule )
Auditd keylogger [‘linux’] (sigma rule )
MacOS Swift Keylogger [‘macos’] (sigma rule )
Input Capture [‘windows’] (sigma rule )
Logging sh history to syslog/messages [‘linux’] (sigma rule )
Living off the land Terminal Input Capture on Linux with pam.d [‘linux’] (sigma rule )
SSHD PAM keylogger [‘linux’] (sigma rule )
Bash session based keylogger [‘linux’] (sigma rule )
T1136.002
Active Directory Create Admin Account [‘linux’] (sigma rule )
Create a new Domain Account using PowerShell [‘windows’] (sigma rule )
Create a new account similar to ANONYMOUS LOGON [‘windows’] (sigma rule )
Create a new Windows domain admin user [‘windows’] (sigma rule )
Active Directory Create User Account (Non-elevated) [‘linux’] (sigma rule )
T1046
Port Scan NMap for Windows [‘windows’] (sigma rule )
WinPwn - bluekeep [‘windows’] (sigma rule )
Port Scan using python [‘windows’] (sigma rule )
Port Scan [‘linux’, ‘macos’] (sigma rule )
Port Scan Nmap [‘linux’, ‘macos’] (sigma rule )
WinPwn - fruit [‘windows’] (sigma rule )
WinPwn - spoolvulnscan [‘windows’] (sigma rule )
Network Service Discovery for Containers [‘containers’] (sigma rule )
Port-Scanning /24 Subnet with PowerShell [‘windows’] (sigma rule )
WinPwn - MS17-10 [‘windows’] (sigma rule )
T1539
Steal Firefox Cookies (Windows) [‘windows’] (sigma rule )
Steal Chrome Cookies via Remote Debugging (Mac) [‘macos’] (sigma rule )
Steal Chrome Cookies (Windows) [‘windows’] (sigma rule )
T1036.003
Masquerading as FreeBSD or Linux crond process. [‘linux’] (sigma rule )
Masquerading - powershell.exe running as taskhostw.exe [‘windows’] (sigma rule )
File Extension Masquerading [‘windows’] (sigma rule )
Masquerading - wscript.exe running as svchost.exe [‘windows’] (sigma rule )
Malicious process Masquerading as LSM.exe [‘windows’] (sigma rule )
Masquerading as Windows LSASS process [‘windows’] (sigma rule )
Masquerading - windows exe running as different windows exe [‘windows’] (sigma rule )
Masquerading - non-windows exe running as windows exe [‘windows’] (sigma rule )
Masquerading - cscript.exe running as notepad.exe [‘windows’] (sigma rule )
T1070.003
Clear history of a bunch of shells [‘linux’, ‘macos’] (sigma rule )
Prevent Powershell History Logging [‘windows’] (sigma rule )
Clear Bash history (echo) [‘linux’] (sigma rule )
Clear Bash history (ln dev/null) [‘linux’, ‘macos’] (sigma rule )
Clear Bash history (rm) [‘linux’, ‘macos’] (sigma rule )
Use Space Before Command to Avoid Logging to History [‘linux’, ‘macos’] (sigma rule )
Clear and Disable Bash History Logging [‘linux’, ‘macos’] (sigma rule )
Clear Bash history (cat dev/null) [‘linux’, ‘macos’] (sigma rule )
Clear Docker Container Logs [‘linux’] (sigma rule )
Clear Powershell History by Deleting History File [‘windows’] (sigma rule )
Disable Bash History Logging with SSH -T [‘linux’] (sigma rule )
Set Custom AddToHistoryHandler to Avoid History File Logging [‘windows’] (sigma rule )
Clear Bash history (truncate) [‘linux’] (sigma rule )
T1529
Reboot System via poweroff - FreeBSD [‘linux’] (sigma rule )
Restart System - Windows [‘windows’] (sigma rule )
ESXi - Avoslocker enumerates VMs and forcefully kills VMs [‘linux’] (sigma rule )
Reboot System via poweroff - Linux [‘linux’] (sigma rule )
Reboot System via halt - Linux [‘linux’] (sigma rule )
Shutdown System via shutdown - FreeBSD/macOS/Linux [‘linux’, ‘macos’] (sigma rule )
ESXi - Terminates VMs using pkill [‘linux’] (sigma rule )
Shutdown System - Windows [‘windows’] (sigma rule )
Shutdown System via halt - FreeBSD/Linux [‘linux’] (sigma rule )
Shutdown System via poweroff - FreeBSD/Linux [‘linux’] (sigma rule )
Restart System via shutdown - FreeBSD/macOS/Linux [‘linux’, ‘macos’] (sigma rule )
Reboot System via halt - FreeBSD [‘linux’] (sigma rule )
Logoff System - Windows [‘windows’] (sigma rule )
Restart System via reboot - FreeBSD/macOS/Linux [‘linux’, ‘macos’] (sigma rule )
T1216.001
PubPrn.vbs Signed Script Bypass [‘windows’] (sigma rule )
T1556.003
Malicious PAM rule (freebsd) [‘linux’] (sigma rule )
Malicious PAM rule [‘linux’] (sigma rule )
Malicious PAM module [‘linux’] (sigma rule )
T1069.001
SharpHound3 - LocalAdmin [‘windows’] (sigma rule )
Permission Groups Discovery (Local) [‘linux’, ‘macos’] (sigma rule )
Wmic Group Discovery [‘windows’] (sigma rule )
Basic Permission Groups Discovery Windows (Local) [‘windows’] (sigma rule )
Permission Groups Discovery for Containers- Local Groups [‘containers’] (sigma rule )
WMIObject Group Discovery [‘windows’] (sigma rule )
Permission Groups Discovery PowerShell (Local) [‘windows’] (sigma rule )
T1546.004
Add command to .shrc [‘linux’] (sigma rule )
System shell profile scripts [‘linux’] (sigma rule )
Create/Append to .bash_logout [‘linux’] (sigma rule )
Add command to .bashrc [‘macos’, ‘linux’] (sigma rule )
Add command to .bash_profile [‘macos’, ‘linux’] (sigma rule )
Append to the system shell profile [‘linux’] (sigma rule )
Append commands user shell profile [‘linux’] (sigma rule )
T1547.014
HKLM - Add malicious StubPath value to existing Active Setup Entry [‘windows’] (sigma rule )
HKLM - re-execute ‘Internet Explorer Core Fonts’ StubPath payload by decreasing version number [‘windows’] (sigma rule )
HKLM - Add atomic_test key to launch executable as part of user setup [‘windows’] (sigma rule )
T1218
Renamed Microsoft.Workflow.Compiler.exe Payload Executions [‘windows’] (sigma rule )
InfDefaultInstall.exe .inf Execution [‘windows’] (sigma rule )
LOLBAS Msedge to Spawn Process [‘windows’] (sigma rule )
ProtocolHandler.exe Downloaded a Suspicious File [‘windows’] (sigma rule )
Provlaunch.exe Executes Arbitrary Command via Registry Key [‘windows’] (sigma rule )
Load Arbitrary DLL via Wuauclt (Windows Update Client) [‘windows’] (sigma rule )
Microsoft.Workflow.Compiler.exe Payload Execution [‘windows’] (sigma rule )
mavinject - Inject DLL into running process [‘windows’] (sigma rule )
Lolbin Gpscript logon option [‘windows’] (sigma rule )
DiskShadow Command Execution [‘windows’] (sigma rule )
Register-CimProvider - Execute evil dll [‘windows’] (sigma rule )
Invoke-ATHRemoteFXvGPUDisablementCommand base test [‘windows’] (sigma rule )
LOLBAS CustomShellHost to Spawn Process [‘windows’] (sigma rule )
Lolbin Gpscript startup option [‘windows’] (sigma rule )
Lolbas ie4uinit.exe use as proxy [‘windows’] (sigma rule )
T1048.002
Exfiltrate data in a file over HTTPS using wget [‘linux’] (sigma rule )
Exfiltrate data HTTPS using curl freebsd,linux or macos [‘macos’, ‘linux’] (sigma rule )
Exfiltrate data HTTPS using curl windows [‘windows’] (sigma rule )
Exfiltrate data as text over HTTPS using wget [‘linux’] (sigma rule )
T1218.005
Mshta Executes Remote HTML Application (HTA) [‘windows’] (sigma rule )
Mshta used to Execute PowerShell [‘windows’] (sigma rule )
Invoke HTML Application - JScript Engine with Inline Protocol Handler [‘windows’] (sigma rule )
Invoke HTML Application - Direct download from URI [‘windows’] (sigma rule )
Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [‘windows’] (sigma rule )
Invoke HTML Application - Simulate Lateral Movement over UNC Path [‘windows’] (sigma rule )
Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [‘windows’] (sigma rule )
Mshta executes VBScript to execute malicious command [‘windows’] (sigma rule )
Invoke HTML Application - Jscript Engine Simulating Double Click [‘windows’] (sigma rule )
Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement [‘windows’] (sigma rule )
T1548.001
Set a SetUID flag on file (freebsd) [‘linux’] (sigma rule )
Make and modify capabilities of a binary [‘linux’] (sigma rule )
Make and modify binary from C source (freebsd) [‘linux’] (sigma rule )
Do reconnaissance for files that have the setgid bit set [‘linux’] (sigma rule )
Set a SetGID flag on file [‘macos’, ‘linux’] (sigma rule )
Do reconnaissance for files that have the setuid bit set [‘linux’] (sigma rule )
Set a SetUID flag on file [‘macos’, ‘linux’] (sigma rule )
Make and modify binary from C source [‘macos’, ‘linux’] (sigma rule )
Set a SetGID flag on file (freebsd) [‘linux’] (sigma rule )
Provide the SetUID capability to a file [‘linux’] (sigma rule )
T1562.008
AWS - CloudWatch Log Group Deletes [‘iaas:aws’] (sigma rule )
AWS - Remove VPC Flow Logs using Stratus [‘linux’, ‘macos’, ‘iaas:aws’] (sigma rule )
AWS CloudWatch Log Stream Deletes [‘iaas:aws’] (sigma rule )
Office 365 - Set Audit Bypass For a Mailbox [‘office-365’] (sigma rule )
GCP - Delete Activity Event Log [‘iaas:gcp’] (sigma rule )
AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [‘linux’, ‘macos’, ‘iaas:aws’] (sigma rule )
Azure - Eventhub Deletion [‘iaas:azure’] (sigma rule )
Office 365 - Exchange Audit Log Disabled [‘office-365’] (sigma rule )
AWS - CloudTrail Changes [‘iaas:aws’] (sigma rule )
AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus [‘linux’, ‘macos’] (sigma rule )
T1555.003
Simulating access to Opera Login Data [‘windows’] (sigma rule )
Simulating access to Windows Edge Login Data [‘windows’] (sigma rule )
Decrypt Mozilla Passwords with Firepwd.py [‘windows’] (sigma rule )
Dump Chrome Login Data with esentutl [‘windows’] (sigma rule )
BrowserStealer (Chrome / Firefox / Microsoft Edge) [‘windows’] (sigma rule )
WinPwn - BrowserPwn [‘windows’] (sigma rule )
Run Chrome-password Collector [‘windows’] (sigma rule )
Simulating Access to Chrome Login Data - MacOS [‘macos’] (sigma rule )
LaZagne.py - Dump Credentials from Firefox Browser [‘linux’] (sigma rule )
WinPwn - PowerSharpPack - Sharpweb for Browser Credentials [‘windows’] (sigma rule )
WinPwn - Loot local Credentials - mimi-kittenz [‘windows’] (sigma rule )
Stage Popular Credential Files for Exfiltration [‘windows’] (sigma rule )
LaZagne - Credentials from Browser [‘windows’] (sigma rule )
Search macOS Safari Cookies [‘macos’] (sigma rule )
Simulating access to Windows Firefox Login Data [‘windows’] (sigma rule )
WebBrowserPassView - Credentials from Browser [‘windows’] (sigma rule )
Simulating access to Chrome Login Data [‘windows’] (sigma rule )
T1622
Detect a Debugger Presence in the Machine [‘windows’] (sigma rule )
T1053.006
Create a system level transient systemd service and timer [‘linux’] (sigma rule )
Create a user level transient systemd service and timer [‘linux’] (sigma rule )
Create Systemd Service and Timer [‘linux’] (sigma rule )
T1069.002
Find local admins on all machines in domain (PowerView) [‘windows’] (sigma rule )
Get-DomainGroupMember with PowerView [‘windows’] (sigma rule )
Enumerate Active Directory Groups with Get-AdGroup [‘windows’] (sigma rule )
Elevated group enumeration using net group (Domain) [‘windows’] (sigma rule )
Basic Permission Groups Discovery Windows (Domain) [‘windows’] (sigma rule )
Find machines where user has local admin access (PowerView) [‘windows’] (sigma rule )
Find Local Admins via Group Policy (PowerView) [‘windows’] (sigma rule )
Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS [‘linux’] (sigma rule )
Enumerate Users Not Requiring Pre Auth (ASRepRoast) [‘windows’] (sigma rule )
Active Directory Enumeration with LDIFDE [‘windows’] (sigma rule )
Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [‘windows’] (sigma rule )
Get-DomainGroup with PowerView [‘windows’] (sigma rule )
Enumerate Active Directory Groups with ADSISearcher [‘windows’] (sigma rule )
Adfind - Query Active Directory Groups [‘windows’] (sigma rule )
Permission Groups Discovery PowerShell (Domain) [‘windows’] (sigma rule )
T1218.001
Compiled HTML Help Local Payload [‘windows’] (sigma rule )
Decompile Local CHM File [‘windows’] (sigma rule )
Invoke CHM Simulate Double click [‘windows’] (sigma rule )
Invoke CHM with InfoTech Storage Protocol Handler [‘windows’] (sigma rule )
Compiled HTML Help Remote Payload [‘windows’] (sigma rule )
Invoke CHM with default Shortcut Command Execution [‘windows’] (sigma rule )
Invoke CHM with Script Engine and Help Topic [‘windows’] (sigma rule )
Invoke CHM Shortcut Command with ITS and Help Topic [‘windows’] (sigma rule )
T1021.003
PowerShell Lateral Movement using MMC20 [‘windows’] (sigma rule )
PowerShell Lateral Movement Using Excel Application Object [‘windows’] (sigma rule )
T1201
Examine password complexity policy - Ubuntu [‘linux’] (sigma rule )
Examine password expiration policy - All Linux [‘linux’] (sigma rule )
Get-DomainPolicy with PowerView [‘windows’] (sigma rule )
Examine password complexity policy - CentOS/RHEL 6.x [‘linux’] (sigma rule )
Examine password complexity policy - CentOS/RHEL 7.x [‘linux’] (sigma rule )
Examine local password policy - Windows [‘windows’] (sigma rule )
Examine password policy - macOS [‘macos’] (sigma rule )
Examine AWS Password Policy [‘iaas:aws’] (sigma rule )
Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [‘windows’] (sigma rule )
Examine password complexity policy - FreeBSD [‘linux’] (sigma rule )
Use of SecEdit.exe to export the local security policy (including the password policy) [‘windows’] (sigma rule )
Examine domain password policy - Windows [‘windows’] (sigma rule )
T1070.004
Delete an entire folder - FreeBSD/Linux/macOS [‘linux’, ‘macos’] (sigma rule )
Overwrite and delete a file with shred [‘linux’] (sigma rule )
Delete TeamViewer Log Files [‘windows’] (sigma rule )
Delete a single file - Windows cmd [‘windows’] (sigma rule )
Delete an entire folder - Windows PowerShell [‘windows’] (sigma rule )
Delete Prefetch File [‘windows’] (sigma rule )
Delete a single file - FreeBSD/Linux/macOS [‘linux’, ‘macos’] (sigma rule )
Delete a single file - Windows PowerShell [‘windows’] (sigma rule )
Delete Filesystem - Linux [‘linux’] (sigma rule )
Delete an entire folder - Windows cmd [‘windows’] (sigma rule )
T1555
WinPwn - Loot local Credentials - lazagne [‘windows’] (sigma rule )
Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] [‘windows’] (sigma rule )
Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [‘windows’] (sigma rule )
Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] [‘windows’] (sigma rule )
Extract Windows Credential Manager via VBA [‘windows’] (sigma rule )
WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords [‘windows’] (sigma rule )
WinPwn - Loot local Credentials - Wifi Credentials [‘windows’] (sigma rule )
Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [‘windows’] (sigma rule )
T1055.001
WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [‘windows’] (sigma rule )
Process Injection via mavinject.exe [‘windows’] (sigma rule )
T1078.001
Enable Guest account with RDP capability and admin privileges [‘windows’] (sigma rule )
Enable Guest Account on macOS [‘macos’] (sigma rule )
Activate Guest Account [‘windows’] (sigma rule )
T1072
Radmin Viewer Utility [‘windows’] (sigma rule )
Deploy 7-Zip Using Chocolatey [‘windows’] (sigma rule )
PDQ Deploy RAT [‘windows’] (sigma rule )
T1055
Read-Write-Execute process Injection [‘windows’] (sigma rule )
Remote Process Injection in LSASS via mimikatz [‘windows’] (sigma rule )
Process Injection with Go using CreateThread WinAPI (Natively) [‘windows’] (sigma rule )
Section View Injection [‘windows’] (sigma rule )
Remote Process Injection with Go using RtlCreateUserThread WinAPI [‘windows’] (sigma rule )
Remote Process Injection with Go using CreateRemoteThread WinAPI [‘windows’] (sigma rule )
Dirty Vanity process Injection [‘windows’] (sigma rule )
Process Injection with Go using CreateThread WinAPI [‘windows’] (sigma rule )
Process Injection with Go using EtwpCreateEtwThread WinAPI [‘windows’] (sigma rule )
Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) [‘windows’] (sigma rule )
Shellcode execution via VBA [‘windows’] (sigma rule )
Process Injection with Go using UuidFromStringA WinAPI [‘windows’] (sigma rule )
UUID custom process Injection [‘windows’] (sigma rule )
T1217
List Internet Explorer Bookmarks using the command prompt [‘windows’] (sigma rule )
List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [‘windows’] (sigma rule )
List Mozilla Firefox bookmarks on Windows with command prompt [‘windows’] (sigma rule )
List Mozilla Firefox Bookmark Database Files on macOS [‘macos’] (sigma rule )
List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux [‘linux’] (sigma rule )
List Google Chrome / Opera Bookmarks on Windows with powershell [‘windows’] (sigma rule )
List Google Chrome Bookmark JSON Files on macOS [‘macos’] (sigma rule )
List Google Chromium Bookmark JSON Files on FreeBSD [‘linux’] (sigma rule )
List Safari Bookmarks on MacOS [‘macos’] (sigma rule )
T1558.001
Crafting Active Directory golden tickets with mimikatz [‘windows’] (sigma rule )
Crafting Active Directory golden tickets with Rubeus [‘windows’] (sigma rule )
T1553.005
Remove the Zone.Identifier alternate data stream [‘windows’] (sigma rule )
Execute LNK file from ISO [‘windows’] (sigma rule )
Mount an ISO image and run executable from the ISO [‘windows’] (sigma rule )
Mount ISO image [‘windows’] (sigma rule )
T1574.009
Execution of program.exe as service with unquoted service path [‘windows’] (sigma rule )
T1546.011
Registry key creation and/or modification events for SDB [‘windows’] (sigma rule )
Application Shim Installation [‘windows’] (sigma rule )
New shim database files created in the default shim database directory [‘windows’] (sigma rule )
T1124
System Time Discovery in FreeBSD/macOS [‘linux’, ‘macos’] (sigma rule )
System Time Discovery - PowerShell [‘windows’] (sigma rule )
System Time Discovery W32tm as a Delay [‘windows’] (sigma rule )
System Time with Windows time Command [‘windows’] (sigma rule )
System Time Discovery [‘windows’] (sigma rule )
T1558.004
Get-DomainUser with PowerView [‘windows’] (sigma rule )
WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [‘windows’] (sigma rule )
Rubeus asreproast [‘windows’] (sigma rule )
T1546
HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [‘windows’] (sigma rule )
HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [‘windows’] (sigma rule )
Persistence with Custom AutodialDLL [‘windows’] (sigma rule )
WMI Invoke-CimMethod Start Process [‘windows’] (sigma rule )
T1564.004
Create ADS command prompt [‘windows’] (sigma rule )
Alternate Data Streams (ADS) [‘windows’] (sigma rule )
Create ADS PowerShell [‘windows’] (sigma rule )
Store file in Alternate Data Stream (ADS) [‘windows’] (sigma rule )
Create Hidden Directory via $index_allocation [‘windows’] (sigma rule )
T1110.004
SSH Credential Stuffing From MacOS [‘macos’] (sigma rule )
SSH Credential Stuffing From Linux [‘linux’] (sigma rule )
SSH Credential Stuffing From FreeBSD [‘linux’] (sigma rule )
Brute Force:Credential Stuffing using Kerbrute Tool [‘windows’] (sigma rule )
T1518
WinPwn - powerSQL [‘windows’] (sigma rule )
Applications Installed [‘windows’] (sigma rule )
Find and Display Safari Browser Version [‘macos’] (sigma rule )
Find and Display Internet Explorer Browser Version [‘windows’] (sigma rule )
WinPwn - DotNet [‘windows’] (sigma rule )
WinPwn - Dotnetsearch [‘windows’] (sigma rule )
T1078.004
Creating GCP Service Account and Service Account Key [‘google-workspace’, ‘iaas:gcp’] (sigma rule )
Azure Persistence Automation Runbook Created or Modified [‘iaas:azure’] (sigma rule )
GCP - Create Custom IAM Role [‘iaas:gcp’] (sigma rule )
T1037.002
Logon Scripts - Mac [‘macos’] (sigma rule )
T1569.002
Snake Malware Service Create [‘windows’] (sigma rule )
psexec.py (Impacket) [‘linux’] (sigma rule )
Use PsExec to execute a command on a remote host [‘windows’] (sigma rule )
Modifying ACL of Service Control Manager via SDET [‘windows’] (sigma rule )
Execute a Command as a Service [‘windows’] (sigma rule )
Use RemCom to execute a command on a remote host [‘windows’] (sigma rule )
BlackCat pre-encryption cmds with Lateral Movement [‘windows’] (sigma rule )
T1003.001
Offline Credential Theft With Mimikatz [‘windows’] (sigma rule )
Dump LSASS.exe using imported Microsoft DLLs [‘windows’] (sigma rule )
LSASS read with pypykatz [‘windows’] (sigma rule )
Powershell Mimikatz [‘windows’] (sigma rule )
Dump LSASS.exe Memory using Windows Task Manager [‘windows’] (sigma rule )
Dump LSASS with createdump.exe from .Net v5 [‘windows’] (sigma rule )
Dump LSASS.exe Memory using NanoDump [‘windows’] (sigma rule )
Dump LSASS.exe Memory using Out-Minidump.ps1 [‘windows’] (sigma rule )
Dump LSASS.exe using lolbin rdrleakdiag.exe [‘windows’] (sigma rule )
Create Mini Dump of LSASS.exe using ProcDump [‘windows’] (sigma rule )
Dump LSASS.exe Memory using direct system calls and API unhooking [‘windows’] (sigma rule )
Dump LSASS.exe Memory through Silent Process Exit [‘windows’] (sigma rule )
Dump LSASS.exe Memory using ProcDump [‘windows’] (sigma rule )
Dump LSASS.exe Memory using comsvcs.dll [‘windows’] (sigma rule )
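For the T1003.001 tests above, "which rule should trigger" means: does the Sigma rule's detection block match the process-creation event the test produces? The Python below is an added example, not code from this project or from SigmaHQ. It implements only the subset of Sigma detection syntax needed to show that mapping (`Field|modifier` keys, named selections, conditions with and/or/not/parentheses) and runs it over constructed Sysmon-style events whose command lines resemble the comsvcs.dll MiniDump and ProcDump tests. The three rules are simplified stand-ins written for this example, not the real SigmaHQ rules, and the paths and PID are made up. Note that the comsvcs.dll event fires two rules at once, which is the noise the caution at the top of the page refers to.

```python
"""Minimal Sigma-style rule evaluator run over constructed process-creation events.

Added example, not code from this project or from SigmaHQ: only the subset of Sigma
detection syntax needed here is covered ("Field|modifier" keys, named selections,
and/or/not/parentheses). Wildcards, "1 of sel*" and aggregations are not handled.
"""
import re

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1-style records, not real telemetry
    {"Image": r"C:\Windows\System32\rundll32.exe",  # resembles the comsvcs.dll MiniDump test
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\lsass.dmp full"},
    {"Image": r"C:\Tools\procdump.exe",  # resembles the ProcDump test
     "CommandLine": r"procdump.exe -accepteula -ma lsass.exe C:\Temp\lsass.dmp"},
    {"Image": r"C:\Windows\System32\rundll32.exe",  # benign control-panel launch, must not fire
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

RULES = [  # simplified stand-ins written for this example, not the real SigmaHQ rules
    {"title": "LSASS dump via comsvcs.dll MiniDump (simplified)",
     "detection": {"selection": {"Image|endswith": r"\rundll32.exe",
                                 "CommandLine|contains|all": ["comsvcs", "MiniDump"]},
                   "condition": "selection"}},
    {"title": "ProcDump full memory dump of lsass (simplified)",
     "detection": {"selection_args": {"CommandLine|contains": ["-ma ", "-mm "]},
                   "selection_target": {"CommandLine|contains": "lsass"},
                   "condition": "selection_args and selection_target"}},
    {"title": "Suspicious rundll32 invocation (simplified)",
     "detection": {"selection": {"Image|endswith": r"\rundll32.exe"},
                   "filter_known": {"CommandLine|contains": ["shell32.dll", "desk.cpl"]},
                   "condition": "selection and not filter_known"}},
]


def _match_value(field_value, pattern, modifiers):
    """Sigma string matching is case-insensitive; modifiers say where the pattern must occur."""
    if field_value is None:  # a field absent from the event never matches
        return False
    hay, needle = str(field_value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return needle in hay
    if "endswith" in modifiers:
        return hay.endswith(needle)
    return hay == needle


def _match_selection(selection, event):
    """A selection map is an AND over its fields; a list value is an OR, or an AND with |all."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_value(event.get(field), p, modifiers) for p in values]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def _eval_condition(condition, values):
    """Recursive-descent evaluation of e.g. 'a and not (b or c)' over selection results."""
    toks = re.findall(r"\(|\)|\w+", condition) + [None]  # None marks end of input

    def parse_or():
        left = parse_and()
        while toks[0] == "or":
            toks.pop(0)
            left = parse_and() or left  # right side parsed first so tokens are always consumed
        return left

    def parse_and():
        left = parse_not()
        while toks[0] == "and":
            toks.pop(0)
            left = parse_not() and left
        return left

    def parse_not():
        tok = toks.pop(0)
        if tok == "not":
            return not parse_not()
        if tok == "(":
            inner = parse_or()
            if toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses in condition")
            return inner
        if tok not in values:
            raise ValueError(f"unknown selection {tok!r} in condition")
        return values[tok]

    result = parse_or()
    if toks[0] is not None:
        raise ValueError(f"unexpected token {toks[0]!r} in condition")
    return result


def rule_matches(rule, event):
    """True when the rule's condition holds for this event."""
    detection = rule["detection"]
    selections = {n: _match_selection(s, event) for n, s in detection.items() if n != "condition"}
    return _eval_condition(detection["condition"], selections)


def rules_triggered(rules, event):
    """Titles of every rule that fires on one event, in rule order."""
    return [r["title"] for r in rules if rule_matches(r, event)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["CommandLine"], "->", rules_triggered(RULES, ev) or "(no rule)")
```

To use it against a real test, paste the command line the atomic actually executed (from the Sysmon or 4688 event, not from the YAML, since the executor expands arguments) into an event dict and the rule's `detection` block into `RULES`; if the condition uses `1 of` or wildcards, this evaluator raises rather than silently returning False.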
T1070.008
Copy and Modify Mailbox Data on Windows [‘windows’] (sigma rule )
Copy and Modify Mailbox Data on Linux [‘linux’] (sigma rule )
Copy and Delete Mailbox Data on Windows [‘windows’] (sigma rule )
Copy and Modify Mailbox Data on macOS [‘macos’] (sigma rule )
Copy and Delete Mailbox Data on Linux [‘linux’] (sigma rule )
Copy and Delete Mailbox Data on macOS [‘macos’] (sigma rule )
T1059.003
Suspicious Execution via Windows Command Shell [‘windows’] (sigma rule )
Writes text to a file and displays it. [‘windows’] (sigma rule )
Create and Execute Batch Script [‘windows’] (sigma rule )
Simulate BlackByte Ransomware Print Bombing [‘windows’] (sigma rule )
Command prompt writing script to file then executes it [‘windows’] (sigma rule )
Command Prompt read contents from CMD file and execute [‘windows’] (sigma rule )
T1003
Dump svchost.exe to gather RDP credentials [‘windows’] (sigma rule )
Send NTLM Hash with RPC Test Connection [‘windows’] (sigma rule )
Gsecdump [‘windows’] (sigma rule )
Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) [‘windows’] (sigma rule )
Dump Credential Manager using keymgr.dll and rundll32.exe [‘windows’] (sigma rule )
Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) [‘windows’] (sigma rule )
Credential Dumping with NPPSpy [‘windows’] (sigma rule )
T1553.004
Install root CA on macOS [‘macos’] (sigma rule )
Install root CA on CentOS/RHEL [‘linux’] (sigma rule )
Install root CA on FreeBSD [‘linux’] (sigma rule )
Add Root Certificate to CurrentUser Certificate Store [‘windows’] (sigma rule )
Install root CA on Windows [‘windows’] (sigma rule )
Install root CA on Windows with certutil [‘windows’] (sigma rule )
Install root CA on Debian/Ubuntu [‘linux’] (sigma rule )
T1120
Win32_PnPEntity Hardware Inventory [‘windows’] (sigma rule )
WinPwn - printercheck [‘windows’] (sigma rule )
Peripheral Device Discovery via fsutil [‘windows’] (sigma rule )
T1218.007
Msiexec.exe - Execute Local MSI file with an embedded EXE [‘windows’] (sigma rule )
Msiexec.exe - Execute Local MSI file with embedded JScript [‘windows’] (sigma rule )
WMI Win32_Product Class - Execute Local MSI file with embedded JScript [‘windows’] (sigma rule )
Msiexec.exe - Execute the DllUnregisterServer function of a DLL [‘windows’] (sigma rule )
WMI Win32_Product Class - Execute Local MSI file with embedded VBScript [‘windows’] (sigma rule )
Msiexec.exe - Execute Remote MSI file [‘windows’] (sigma rule )
WMI Win32_Product Class - Execute Local MSI file with an embedded EXE [‘windows’] (sigma rule )
Msiexec.exe - Execute Local MSI file with embedded VBScript [‘windows’] (sigma rule )
WMI Win32_Product Class - Execute Local MSI file with an embedded DLL [‘windows’] (sigma rule )
Msiexec.exe - Execute Local MSI file with an embedded DLL [‘windows’] (sigma rule )
Msiexec.exe - Execute the DllRegisterServer function of a DLL [‘windows’] (sigma rule )
T1091
USB Malware Spread Simulation [‘windows’] (sigma rule )
T1037.004
rc.common [‘linux’] (sigma rule )
rc.common [‘macos’] (sigma rule )
rc.local [‘linux’] (sigma rule )
T1090.001
Connection Proxy [‘linux’, ‘macos’] (sigma rule )
portproxy reg key [‘windows’] (sigma rule )
Connection Proxy for macOS UI [‘macos’] (sigma rule )
T1218.008
Odbcconf.exe - Load Response File [‘windows’] (sigma rule )
Odbcconf.exe - Execute Arbitrary DLL [‘windows’] (sigma rule )
T1134.005
Injection SID-History with mimikatz [‘windows’] (sigma rule )
T1562.010
PowerShell Version 2 Downgrade [‘windows’] (sigma rule )
ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI [‘linux’] (sigma rule )
ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI [‘linux’] (sigma rule )
T1220
WMIC bypass using local XSL file [‘windows’] (sigma rule )
MSXSL Bypass using local files [‘windows’] (sigma rule )
WMIC bypass using remote XSL file [‘windows’] (sigma rule )
MSXSL Bypass using remote files [‘windows’] (sigma rule )
T1003.003
Create Volume Shadow Copy with Powershell [‘windows’] (sigma rule )
Create Volume Shadow Copy with vssadmin [‘windows’] (sigma rule )
Create Volume Shadow Copy remotely (WMI) with esentutl [‘windows’] (sigma rule )
Create Volume Shadow Copy with diskshadow [‘windows’] (sigma rule )
Create Volume Shadow Copy with WMI [‘windows’] (sigma rule )
Create Symlink to Volume Shadow Copy [‘windows’] (sigma rule )
Copy NTDS.dit from Volume Shadow Copy [‘windows’] (sigma rule )
Dump Active Directory Database with NTDSUtil [‘windows’] (sigma rule )
Create Volume Shadow Copy remotely with WMI [‘windows’] (sigma rule )
T1546.007
Netsh Helper DLL Registration [‘windows’] (sigma rule )
T1047
Create a Process using WMI Query and an Encoded Command [‘windows’] (sigma rule )
WMI Reconnaissance Software [‘windows’] (sigma rule )
WMI Execute rundll32 [‘windows’] (sigma rule )
WMI Execute Local Process [‘windows’] (sigma rule )
WMI Reconnaissance List Remote Services [‘windows’] (sigma rule )
WMI Execute Remote Process [‘windows’] (sigma rule )
Create a Process using obfuscated Win32_Process [‘windows’] (sigma rule )
WMI Reconnaissance Users [‘windows’] (sigma rule )
Application uninstall using WMIC [‘windows’] (sigma rule )
WMI Reconnaissance Processes [‘windows’] (sigma rule )
T1027.001
Pad Binary to Change Hash - Linux/macOS dd [‘linux’, ‘macos’] (sigma rule )
Pad Binary to Change Hash using truncate command - Linux/macOS [‘linux’, ‘macos’] (sigma rule )
T1570
Exfiltration Over SMB over QUIC (NET USE) [‘windows’] (sigma rule )
Exfiltration Over SMB over QUIC (New-SmbMapping) [‘windows’] (sigma rule )
T1003.007
Dump individual process memory with sh (Local) [‘linux’] (sigma rule )
Dump individual process memory with Python (Local) [‘linux’] (sigma rule )
Dump individual process memory with sh on FreeBSD (Local) [‘linux’] (sigma rule )
Capture Passwords with MimiPenguin [‘linux’] (sigma rule )
T1070.006
MacOS - Timestomp Date Modified [‘macos’] (sigma rule )
Set a file’s access timestamp [‘linux’, ‘macos’] (sigma rule )
Windows - Modify file creation timestamp with PowerShell [‘windows’] (sigma rule )
Windows - Timestomp a File [‘windows’] (sigma rule )
Modify file timestamps using reference file [‘linux’, ‘macos’] (sigma rule )
Set a file’s modification timestamp [‘linux’, ‘macos’] (sigma rule )
Set a file’s creation timestamp [‘linux’, ‘macos’] (sigma rule )
Windows - Modify file last modified timestamp with PowerShell [‘windows’] (sigma rule )
Windows - Modify file last access timestamp with PowerShell [‘windows’] (sigma rule )
T1547.006
MacOS - Load Kernel Module via kextload and kmutil [‘macos’] (sigma rule )
Snake Malware Kernel Driver Comadmin [‘windows’] (sigma rule )
Linux - Load Kernel Module via insmod [‘linux’] (sigma rule )
MacOS - Load Kernel Module via KextManagerLoadKextWithURL() [‘macos’] (sigma rule )
T1489
Windows - Stop service using Service Controller [‘windows’] (sigma rule )
Windows - Stop service by killing process [‘windows’] (sigma rule )
Windows - Stop service using net.exe [‘windows’] (sigma rule )
T1559.002
Execute PowerShell script via Word DDE [‘windows’] (sigma rule )
DDEAUTO [‘windows’] (sigma rule )
Execute Commands [‘windows’] (sigma rule )
T1041
C2 Data Exfiltration [‘windows’] (sigma rule )
Text Based Data Exfiltration using DNS subdomains [‘windows’] (sigma rule )
T1552.003
Search Through Bash History [‘linux’, ‘macos’] (sigma rule )
Search Through sh History [‘linux’] (sigma rule )
T1564
Extract binary files via VBA [‘windows’] (sigma rule )
Create a Hidden User Called “$” [‘windows’] (sigma rule )
Create an “Administrator “ user (with a space on the end) [‘windows’] (sigma rule )
Create and Hide a Service with sc.exe [‘windows’] (sigma rule )
Command Execution with NirCmd [‘windows’] (sigma rule )
T1557.001
LLMNR Poisoning with Inveigh (PowerShell) [‘windows’] (sigma rule )
T1007
System Service Discovery - systemctl/service [‘linux’] (sigma rule )
System Service Discovery - net.exe [‘windows’] (sigma rule )
System Service Discovery [‘windows’] (sigma rule )
T1053.004
Event Monitor Daemon Persistence [‘macos’] (sigma rule )
T1222.001
attrib - Remove read-only attribute [‘windows’] (sigma rule )
cacls - Grant permission to specified user or group recursively [‘windows’] (sigma rule )
Take ownership using takeown utility [‘windows’] (sigma rule )
attrib - hide file [‘windows’] (sigma rule )
Grant Full Access to folder for Everyone - Ryuk Ransomware Style [‘windows’] (sigma rule )
T1071.001
Malicious User Agents - Nix [‘linux’, ‘macos’] (sigma rule )
Malicious User Agents - Powershell [‘windows’] (sigma rule )
Malicious User Agents - CMD [‘windows’] (sigma rule )
T1543.003
TinyTurla backdoor service w64time [‘windows’] (sigma rule )
Modify Fax service to run PowerShell [‘windows’] (sigma rule )
Service Installation CMD [‘windows’] (sigma rule )
Modify Service to Run Arbitrary Binary (Powershell) [‘windows’] (sigma rule )
Remote Service Installation CMD [‘windows’] (sigma rule )
Service Installation PowerShell [‘windows’] (sigma rule )
T1059.006
Execute Python via scripts [‘linux’] (sigma rule )
Execute Python via Python executables [‘linux’] (sigma rule )
Execute shell script via python’s command mode argument [‘linux’] (sigma rule )
Python pty module and spawn function used to spawn sh or bash [‘linux’] (sigma rule )
T1059.007
JScript execution to gather local computer information via cscript [‘windows’] (sigma rule )
JScript execution to gather local computer information via wscript [‘windows’] (sigma rule )
T1573
OpenSSL C2 [‘windows’] (sigma rule )
T1216
SyncAppvPublishingServer Signed Script PowerShell Command Execution [‘windows’] (sigma rule )
manage-bde.wsf Signed Script Command Execution [‘windows’] (sigma rule )
T1546.008
Create Symbolic Link From osk.exe to cmd.exe [‘windows’] (sigma rule )
Atbroker.exe (AT) Executes Arbitrary Command via Registry Key [‘windows’] (sigma rule )
Replace binary of sticky keys [‘windows’] (sigma rule )
Attaches Command Prompt as a Debugger to a List of Target Processes [‘windows’] (sigma rule )
T1574.012
User scope COR_PROFILER [‘windows’] (sigma rule )
System Scope COR_PROFILER [‘windows’] (sigma rule )
Registry-free process scope COR_PROFILER [‘windows’] (sigma rule )
T1542.001
UEFI Persistence via Wpbbin.exe File Creation [‘windows’] (sigma rule )
T1070.005
Remove Administrative Shares [‘windows’] (sigma rule )
Remove Network Share [‘windows’] (sigma rule )
Add Network Share [‘windows’] (sigma rule )
Disable Administrative Share Creation at Startup [‘windows’] (sigma rule )
Remove Network Share PowerShell [‘windows’] (sigma rule )
T1546.013
Append malicious start-process cmdlet [‘windows’] (sigma rule )
T1485
Overwrite deleted data on C drive [‘windows’] (sigma rule )
FreeBSD/macOS/Linux - Overwrite file with DD [‘linux’, ‘macos’] (sigma rule )
Windows - Overwrite file with SysInternals SDelete [‘windows’] (sigma rule )
GCP - Delete Bucket [‘iaas:gcp’] (sigma rule )
T1218.004
InstallUtil Uninstall method call - /U variant [‘windows’] (sigma rule )
InstallUtil evasive invocation [‘windows’] (sigma rule )
InstallHelper method call [‘windows’] (sigma rule )
InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [‘windows’] (sigma rule )
CheckIfInstallable method call [‘windows’] (sigma rule )
InstallUtil HelpText method call [‘windows’] (sigma rule )
InstallUtil Install method call [‘windows’] (sigma rule )
InstallUtil class constructor method call [‘windows’] (sigma rule )
T1016
System Network Configuration Discovery [‘macos’, ‘linux’] (sigma rule )
System Network Configuration Discovery (TrickBot Style) [‘windows’] (sigma rule )
List Windows Firewall Rules [‘windows’] (sigma rule )
Qakbot Recon [‘windows’] (sigma rule )
Adfind - Enumerate Active Directory Subnet Objects [‘windows’] (sigma rule )
DNS Server Discovery Using nslookup [‘windows’] (sigma rule )
List Open Egress Ports [‘windows’] (sigma rule )
System Network Configuration Discovery on Windows [‘windows’] (sigma rule )
List macOS Firewall Rules [‘macos’] (sigma rule )
T1059.005
Visual Basic script execution to gather local computer information [‘windows’] (sigma rule )
Extract Memory via VBA [‘windows’] (sigma rule )
Encoded VBS code execution [‘windows’] (sigma rule )
T1531
Delete User - Windows [‘windows’] (sigma rule )
Change User Password - Windows [‘windows’] (sigma rule )
Delete User via dscl utility [‘macos’] (sigma rule )
Azure AD - Delete user via Azure AD PowerShell [‘azure-ad’] (sigma rule )
Change User Password via passwd [‘macos’, ‘linux’] (sigma rule )
Remove Account From Domain Admin Group [‘windows’] (sigma rule )
Delete User via sysadminctl utility [‘macos’] (sigma rule )
Azure AD - Delete user via Azure CLI [‘azure-ad’] (sigma rule )
T1049
System Discovery using SharpView [‘windows’] (sigma rule )
System Network Connections Discovery [‘windows’] (sigma rule )
System Network Connections Discovery FreeBSD, Linux & MacOS [‘linux’, ‘macos’] (sigma rule )
System Network Connections Discovery with PowerShell [‘windows’] (sigma rule )
T1592.002
Enumerate COM Objects in Registry with Powershell [‘windows’] (sigma rule )
T1014
Loadable Kernel Module based Rootkit [‘linux’] (sigma rule )
Loadable Kernel Module based Rootkit [‘linux’] (sigma rule )
Loadable Kernel Module based Rootkit (Diamorphine) [‘linux’] (sigma rule )
dynamic-linker based rootkit (libprocesshider) [‘linux’] (sigma rule )
T1612
Build Image On Host [‘containers’] (sigma rule )
T1547.007
Append to existing loginwindow for Re-Opened Applications [‘macos’] (sigma rule )
Copy in loginwindow.plist for Re-Opened Applications [‘macos’] (sigma rule )
Re-Opened Applications using LoginHook [‘macos’] (sigma rule )
T1486
Encrypt files using openssl (FreeBSD/Linux) [‘linux’] (sigma rule )
Encrypt files using 7z utility - macOS [‘macos’] (sigma rule )
PureLocker Ransom Note [‘windows’] (sigma rule )
Encrypt files using ccrypt (FreeBSD/Linux) [‘linux’] (sigma rule )
Data Encrypted with GPG4Win [‘windows’] (sigma rule )
Encrypt files using openssl utility - macOS [‘macos’] (sigma rule )
Encrypt files using 7z (FreeBSD/Linux) [‘linux’] (sigma rule )
Encrypt files using gpg (FreeBSD/Linux) [‘linux’] (sigma rule )
Data Encrypt Using DiskCryptor [‘windows’] (sigma rule )
T1113
Capture Linux Desktop using Import Tool (freebsd) [‘linux’] (sigma rule )
Windows Screencapture [‘windows’] (sigma rule )
Windows Screen Capture (CopyFromScreen) [‘windows’] (sigma rule )
Screencapture [‘macos’] (sigma rule )
X Windows Capture [‘linux’] (sigma rule )
Capture Linux Desktop using Import Tool [‘linux’] (sigma rule )
Screencapture (silent) [‘macos’] (sigma rule )
X Windows Capture (freebsd) [‘linux’] (sigma rule )
T1012
Query Registry [‘windows’] (sigma rule )
Query Registry with Powershell cmdlets [‘windows’] (sigma rule )
T1053.003
Cron - Add script to /var/spool/cron/crontabs/ folder [‘linux’] (sigma rule )
Cron - Add script to /etc/cron.d folder [‘linux’] (sigma rule )
Cron - Add script to all cron subfolders [‘macos’, ‘linux’] (sigma rule )
Cron - Replace crontab with referenced file [‘linux’, ‘macos’] (sigma rule )
T1134.001
Named pipe client impersonation [‘windows’] (sigma rule )
Juicy Potato [‘windows’] (sigma rule )
Bad Potato [‘windows’] (sigma rule )
Launch NSudo Executable [‘windows’] (sigma rule )
SeDebugPrivilege token duplication [‘windows’] (sigma rule )
T1547.004
Winlogon HKLM Userinit Key Persistence - PowerShell [‘windows’] (sigma rule )
Winlogon Notify Key Logon Persistence - PowerShell [‘windows’] (sigma rule )
Winlogon Shell Key Persistence - PowerShell [‘windows’] (sigma rule )
Winlogon Userinit Key Persistence - PowerShell [‘windows’] (sigma rule )
Winlogon HKLM Shell Key Persistence - PowerShell [‘windows’] (sigma rule )
T1129
ESXi - Install a custom VIB on an ESXi host [‘windows’] (sigma rule )
T1615
Display group policy information via gpresult [‘windows’] (sigma rule )
WinPwn - GPOAudit [‘windows’] (sigma rule )
WinPwn - GPORemoteAccessPolicy [‘windows’] (sigma rule )
MSFT Get-GPO Cmdlet [‘windows’] (sigma rule )
Get-DomainGPO to display group policy information via PowerView [‘windows’] (sigma rule )
T1039
Copy a sensitive File over Administrative share with copy [‘windows’] (sigma rule )
Copy a sensitive File over Administrative share with Powershell [‘windows’] (sigma rule )
T1218.011
Execution of HTA and VBS Files using Rundll32 and URL.dll [‘windows’] (sigma rule )
Rundll32 execute VBscript command [‘windows’] (sigma rule )
Running DLL with .init extension and function [‘windows’] (sigma rule )
Rundll32 execute VBscript command using Ordinal number [‘windows’] (sigma rule )
Rundll32 advpack.dll Execution [‘windows’] (sigma rule )
Rundll32 setupapi.dll Execution [‘windows’] (sigma rule )
Rundll32 with Ordinal Value [‘windows’] (sigma rule )
Rundll32 ieadvpack.dll Execution [‘windows’] (sigma rule )
Execution of non-dll using rundll32.exe [‘windows’] (sigma rule )
Rundll32 with Control_RunDLL [‘windows’] (sigma rule )
Rundll32 syssetup.dll Execution [‘windows’] (sigma rule )
Rundll32 execute JavaScript Remote Payload With GetObject [‘windows’] (sigma rule )
Rundll32 with desk.cpl [‘windows’] (sigma rule )
Launches an executable using Rundll32 and pcwutl.dll [‘windows’] (sigma rule )
Rundll32 execute command via FileProtocolHandler [‘windows’] (sigma rule )
T1552.004
Export Root Certificate with Export-PFXCertificate [‘windows’] (sigma rule )
Export Root Certificate with Export-Certificate [‘windows’] (sigma rule )
Discover Private SSH Keys [‘linux’, ‘macos’] (sigma rule )
Copy Private SSH Keys with CP (freebsd) [‘linux’] (sigma rule )
Export Certificates with Mimikatz [‘windows’] (sigma rule )
Copy Private SSH Keys with CP [‘linux’] (sigma rule )
Copy Private SSH Keys with rsync (freebsd) [‘linux’] (sigma rule )
Copy Private SSH Keys with rsync [‘macos’, ‘linux’] (sigma rule )
Copy the users GnuPG directory with rsync [‘macos’, ‘linux’] (sigma rule )
CertUtil ExportPFX [‘windows’] (sigma rule )
ADFS token signing and encryption certificates theft - Remote [‘windows’] (sigma rule )
ADFS token signing and encryption certificates theft - Local [‘windows’] (sigma rule )
Private Keys [‘windows’] (sigma rule )
Copy the users GnuPG directory with rsync (freebsd) [‘linux’] (sigma rule )
T1548.003
Sudo usage (freebsd) [‘linux’] (sigma rule )
Unlimited sudo cache timeout [‘macos’, ‘linux’] (sigma rule )
Disable tty_tickets for sudo caching (freebsd) [‘linux’] (sigma rule )
Disable tty_tickets for sudo caching [‘macos’, ‘linux’] (sigma rule )
Sudo usage [‘macos’, ‘linux’] (sigma rule )
Unlimited sudo cache timeout (freebsd) [‘linux’] (sigma rule )
T1546.009
Create registry persistence via AppCert DLL [‘windows’] (sigma rule )
T1053.001
At - Schedule a job [‘linux’] (sigma rule )
T1505.004
Install IIS Module using AppCmd.exe [‘windows’] (sigma rule )
Install IIS Module using PowerShell Cmdlet New-WebGlobalModule [‘windows’] (sigma rule )
T1083
Nix File and Directory Discovery [‘linux’, ‘macos’] (sigma rule )
Simulating MAZE Directory Enumeration [‘windows’] (sigma rule )
ESXi - Enumerate VMDKs available on an ESXi Host [‘linux’] (sigma rule )
File and Directory Discovery (cmd.exe) [‘windows’] (sigma rule )
Launch DirLister Executable [‘windows’] (sigma rule )
File and Directory Discovery (PowerShell) [‘windows’] (sigma rule )
Nix File and Directory Discovery 2 [‘linux’, ‘macos’] (sigma rule )
T1140
Hex decoding with shell utilities [‘linux’, ‘macos’] (sigma rule )
XOR decoding and command execution using Python [‘linux’, ‘macos’] (sigma rule )
Base64 decoding with shell utilities [‘linux’, ‘macos’] (sigma rule )
Base64 decoding with Perl [‘linux’, ‘macos’] (sigma rule )
FreeBSD b64encode Shebang in CLI [‘linux’] (sigma rule )
Base64 decoding with Python [‘linux’, ‘macos’] (sigma rule )
Base64 decoding with shell utilities (freebsd) [‘linux’] (sigma rule )
Deobfuscate/Decode Files Or Information [‘windows’] (sigma rule )
Certutil Rename and Decode [‘windows’] (sigma rule )
Linux Base64 Encoded Shebang in CLI [‘linux’, ‘macos’] (sigma rule )
T1572
DNS over HTTPS Long Domain Query [‘windows’] (sigma rule )
DNS over HTTPS Regular Beaconing [‘windows’] (sigma rule )
DNS over HTTPS Large Query Volume [‘windows’] (sigma rule )
run ngrok [‘windows’] (sigma rule )
T1071.004
DNS Long Domain Query [‘windows’] (sigma rule )
DNS Large Query Volume [‘windows’] (sigma rule )
DNS C2 [‘windows’] (sigma rule )
DNS Regular Beaconing [‘windows’] (sigma rule )
T1056.004
Hook PowerShell TLS Encrypt/Decrypt Messages [‘windows’] (sigma rule )
T1134.002
WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [‘windows’] (sigma rule )
Access Token Manipulation [‘windows’] (sigma rule )
T1564.003
Headless Browser Accessing Mockbin [‘windows’] (sigma rule )
Hidden Window [‘windows’] (sigma rule )
T1119
Automated Collection PowerShell [‘windows’] (sigma rule )
Recon information for export with Command Prompt [‘windows’] (sigma rule )
Automated Collection Command Prompt [‘windows’] (sigma rule )
Recon information for export with PowerShell [‘windows’] (sigma rule )
T1550.003
Mimikatz Kerberos Ticket Attack [‘windows’] (sigma rule )
Rubeus Kerberos Pass The Ticket [‘windows’] (sigma rule )
T1559
Cobalt Strike SSH (postex_ssh) pipe [‘windows’] (sigma rule )
Cobalt Strike Artifact Kit pipe [‘windows’] (sigma rule )
Cobalt Strike post-exploitation pipe (4.2 and later) [‘windows’] (sigma rule )
Cobalt Strike Lateral Movement (psexec_psh) pipe [‘windows’] (sigma rule )
Cobalt Strike post-exploitation pipe (before 4.2) [‘windows’] (sigma rule )
T1036
Malware Masquerading and Execution from Zip File [‘windows’] (sigma rule )
System File Copied to Unusual Location [‘windows’] (sigma rule )
T1482
Adfind - Enumerate Active Directory OUs [‘windows’] (sigma rule )
Get-ForestTrust with PowerView [‘windows’] (sigma rule )
Adfind - Enumerate Active Directory Trusts [‘windows’] (sigma rule )
Powershell enumerate domains and forests [‘windows’] (sigma rule )
TruffleSnout - Listing AD Infrastructure [‘windows’] (sigma rule )
Windows - Discover domain trusts with nltest [‘windows’] (sigma rule )
Windows - Discover domain trusts with dsquery [‘windows’] (sigma rule )
Get-DomainTrust with PowerView [‘windows’] (sigma rule )
T1562.002
Makes Eventlog blind with Phant0m [‘windows’] (sigma rule )
Disable Windows IIS HTTP Logging via PowerShell [‘windows’] (sigma rule )
Disable Event Logging with wevtutil [‘windows’] (sigma rule )
Kill Event Log Service Threads [‘windows’] (sigma rule )
Clear Windows Audit Policy Config [‘windows’] (sigma rule )
Impair Windows Audit Log Policy [‘windows’] (sigma rule )
Disable Windows IIS HTTP Logging [‘windows’] (sigma rule )
T1563.002
RDP hijacking [‘windows’] (sigma rule )
T1036.006
Space After Filename (Manual) [‘macos’] (sigma rule )
Space After Filename [‘macos’, ‘linux’] (sigma rule )
T1055.011
Process Injection via Extra Window Memory (EWM) x64 executable [‘windows’] (sigma rule )
T1021.001
Changing RDP Port to Non Standard Port via Powershell [‘windows’] (sigma rule )
Disable NLA for RDP via Command Prompt [‘windows’] (sigma rule )
Changing RDP Port to Non Standard Port via Command_Prompt [‘windows’] (sigma rule )
RDP to DomainController [‘windows’] (sigma rule )
T1001.002
Steganographic Tarball Embedding [‘windows’] (sigma rule )
Embedded Script in Image Execution via Extract-Invoke-PSImage [‘windows’] (sigma rule )
Execute Embedded Script in Image via Steganography [‘linux’] (sigma rule )
T1560.002
Compressing data using tarfile in Python (FreeBSD/Linux) [‘linux’] (sigma rule )
Compressing data using bz2 in Python (FreeBSD/Linux) [‘linux’] (sigma rule )
Compressing data using zipfile in Python (FreeBSD/Linux) [‘linux’] (sigma rule )
Compressing data using GZip in Python (FreeBSD/Linux) [‘linux’] (sigma rule )
T1070
Indicator Removal using FSUtil [‘windows’] (sigma rule )
Indicator Manipulation using FSUtil [‘windows’] (sigma rule )
T1490
Windows - Delete Backup Files [‘windows’] (sigma rule )
Windows - Delete Volume Shadow Copies via WMI [‘windows’] (sigma rule )
Windows - Disable the SR scheduled task [‘windows’] (sigma rule )
Windows - Delete Volume Shadow Copies [‘windows’] (sigma rule )
Disable System Restore Through Registry [‘windows’] (sigma rule )
Windows - Disable Windows Recovery Console Repair [‘windows’] (sigma rule )
Windows - Delete Volume Shadow Copies via WMI with PowerShell [‘windows’] (sigma rule )
Disable Time Machine [‘macos’] (sigma rule )
Windows - vssadmin Resize Shadowstorage Volume [‘windows’] (sigma rule )
Windows - wbadmin Delete systemstatebackup [‘windows’] (sigma rule )
Modify VSS Service Permissions [‘windows’] (sigma rule )
Windows - wbadmin Delete Windows Backup Catalog [‘windows’] (sigma rule )
T1114.002
Office365 - Remote Mail Collected [‘office-365’] (sigma rule )
T1552.005
Azure - Search Azure AD User Attributes for Passwords [‘azure-ad’] (sigma rule )
Azure - Dump Azure Instance Metadata from Virtual Machines [‘iaas:azure’] (sigma rule )
T1649
Staging Local Certificates via Export-Certificate [‘windows’] (sigma rule )
T1546.003
Windows MOFComp.exe Load MOF File [‘windows’] (sigma rule )
Persistence via WMI Event Subscription - ActiveScriptEventConsumer [‘windows’] (sigma rule )
Persistence via WMI Event Subscription - CommandLineEventConsumer [‘windows’] (sigma rule )
T1497.001
Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [‘windows’] (sigma rule )
Detect Virtualization Environment (Windows) [‘windows’] (sigma rule )
Detect Virtualization Environment (Linux) [‘linux’] (sigma rule )
Detect Virtualization Environment (MacOS) [‘macos’] (sigma rule )
Detect Virtualization Environment (FreeBSD) [‘linux’] (sigma rule )
T1027.006
HTML Smuggling Remote Payload [‘windows’] (sigma rule )
T1137.004
Install Outlook Home Page Persistence [‘windows’] (sigma rule )
T1543.001
Launch Agent [‘macos’] (sigma rule )
T1027.004
C compile [‘linux’, ‘macos’] (sigma rule )
Compile After Delivery using csc.exe [‘windows’] (sigma rule )
Go compile [‘linux’, ‘macos’] (sigma rule )
Dynamic C# Compile [‘windows’] (sigma rule )
CC compile [‘linux’, ‘macos’] (sigma rule )
T1606.002
Golden SAML [‘azure-ad’] (sigma rule )
T1197
Bits download using desktopimgdownldr.exe (cmd) [‘windows’] (sigma rule )
Bitsadmin Download (cmd) [‘windows’] (sigma rule )
Persist, Download, & Execute [‘windows’] (sigma rule )
Bitsadmin Download (PowerShell) [‘windows’] (sigma rule )
T1003.008
Access /etc/{shadow,passwd,master.passwd} with shell builtins [‘linux’] (sigma rule )
Access /etc/{shadow,passwd,master.passwd} with a standard bin that’s not cat [‘linux’] (sigma rule )
Access /etc/master.passwd (Local) [‘linux’] (sigma rule )
Access /etc/shadow (Local) [‘linux’] (sigma rule )
Access /etc/passwd (Local) [‘linux’] (sigma rule )
T1218.002
Control Panel Items [‘windows’] (sigma rule )
T1070.001
Clear Event Logs via VBA [‘windows’] (sigma rule )
Clear Logs [‘windows’] (sigma rule )
Delete System Logs Using Clear-EventLog [‘windows’] (sigma rule )
T1484.001
LockBit Black - Modify Group policy settings -cmd [‘windows’] (sigma rule )
LockBit Black - Modify Group policy settings -Powershell [‘windows’] (sigma rule )
T1048
DNSExfiltration (doh) [‘windows’] (sigma rule )
Exfiltration Over Alternative Protocol - SSH [‘macos’, ‘linux’] (sigma rule )
Exfiltration Over Alternative Protocol - SSH [‘macos’, ‘linux’] (sigma rule )
T1074.001
Zip a Folder with PowerShell for Staging in Temp [‘windows’] (sigma rule )
Stage data from Discovery.sh [‘linux’, ‘macos’] (sigma rule )
Stage data from Discovery.bat [‘windows’] (sigma rule )
T1036.005
Execute a process from a directory masquerading as the current parent directory. [‘macos’, ‘linux’] (sigma rule )
Masquerade as a built-in system executable [‘windows’] (sigma rule )
T1564.002
Create Hidden User using IsHidden option [‘macos’] (sigma rule )
Create Hidden User in Registry [‘windows’] (sigma rule )
Create Hidden User using UniqueID < 500 [‘macos’] (sigma rule )
T1202
Indirect Command Execution - forfiles.exe [‘windows’] (sigma rule )
Indirect Command Execution - pcalua.exe [‘windows’] (sigma rule )
Indirect Command Execution - conhost.exe [‘windows’] (sigma rule )
T1547.010
Add Port Monitor persistence in Registry [‘windows’] (sigma rule )
T1552.002
Enumeration for Credentials in Registry [‘windows’] (sigma rule )
Enumeration for PuTTY Credentials in Registry [‘windows’] (sigma rule )
T1546.014
Persistence with Event Monitor - emond [‘macos’] (sigma rule )
T1218.010
Regsvr32 Silent DLL Install Call DllRegisterServer [‘windows’] (sigma rule )
Regsvr32 local DLL execution [‘windows’] (sigma rule )
Regsvr32 remote COM scriptlet execution [‘windows’] (sigma rule )
Regsvr32 Registering Non DLL [‘windows’] (sigma rule )
Regsvr32 local COM scriptlet execution [‘windows’] (sigma rule )
T1055.002
Portable Executable Injection [‘windows’] (sigma rule )
T1505.005
Modify Terminal Services DLL Path [‘windows’] (sigma rule )
Simulate Patching termsrv.dll [‘windows’] (sigma rule )
T1571
Testing usage of uncommonly used port with PowerShell [‘windows’] (sigma rule )
Testing usage of uncommonly used port [‘linux’, ‘macos’] (sigma rule )
T1614.001
Discover System Language by Environment Variable Query [‘linux’] (sigma rule )
Discover System Language with locale [‘linux’] (sigma rule )
Discover System Language with localectl [‘linux’] (sigma rule )
Discover System Language by locale file [‘linux’] (sigma rule )
Discover System Language by Registry Query [‘windows’] (sigma rule )
Discover System Language with chcp [‘windows’] (sigma rule )
T1056.002
AppleScript - Prompt User for Password [‘macos’] (sigma rule )
AppleScript - Spoofing a credential prompt using osascript [‘macos’] (sigma rule )
PowerShell - Prompt User for Password [‘windows’] (sigma rule )
T1137.002
Office Application Startup Test Persistence (HKCU) [‘windows’] (sigma rule )
T1027.007
Dynamic API Resolution-Ninja-syscall [‘windows’] (sigma rule )
T1115
Execute commands from clipboard [‘macos’] (sigma rule )
Execute Commands from Clipboard using PowerShell [‘windows’] (sigma rule )
Utilize Clipboard to store or execute commands from [‘windows’] (sigma rule )
Add or copy content to clipboard with xClip [‘linux’] (sigma rule )
Collect Clipboard Data via VBA [‘windows’] (sigma rule )
T1528
Azure - Dump All Azure Key Vaults with Microburst [‘iaas:azure’] (sigma rule )
T1619
AWS S3 Enumeration [‘iaas:aws’] (sigma rule )
T1611
Deploy container using nsenter container escape [‘containers’] (sigma rule )
Mount host filesystem to escape privileged Docker container [‘containers’] (sigma rule )
T1547.015
Add macOS LoginItem using Applescript [‘macos’] (sigma rule )
Persistence by modifying Windows Terminal profile [‘windows’] (sigma rule )
T1095
Netcat C2 [‘windows’] (sigma rule )
ICMP C2 [‘windows’] (sigma rule )
Powercat C2 [‘windows’] (sigma rule )
T1620
WinPwn - Reflectively load Mimik@tz into memory [‘windows’] (sigma rule )
T1114.003
Office365 - Email Forwarding [‘office-365’] (sigma rule )
T1137.006
Persistent Code Execution Via Word Add-in File (WLL) [‘windows’] (sigma rule )
Code Executed Via Excel Add-in File (XLL) [‘windows’] (sigma rule )
Persistent Code Execution Via Excel VBA Add-in File (XLAM) [‘windows’] (sigma rule )
Persistent Code Execution Via Excel Add-in File (XLL) [‘windows’] (sigma rule )
Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM) [‘windows’] (sigma rule )
T1543.004
Launch Daemon [‘macos’] (sigma rule )
T1550.002
crackmapexec Pass the Hash [‘windows’] (sigma rule )
Mimikatz Pass the Hash [‘windows’] (sigma rule )
Invoke-WMIExec Pass the Hash [‘windows’] (sigma rule )
T1027.002
Binary packed by UPX, with modified headers (linux) [‘linux’] (sigma rule )
Binary packed by UPX, with modified headers [‘macos’] (sigma rule )
Binary simply packed by UPX [‘macos’] (sigma rule )
Binary simply packed by UPX (linux) [‘linux’] (sigma rule )
T1505.003
Web Shell Written to Disk [‘windows’] (sigma rule )
T1110.002
Password Cracking with Hashcat [‘windows’] (sigma rule )
T1547.009
Shortcut Modification [‘windows’] (sigma rule )
Create shortcut to cmd in startup folders [‘windows’] (sigma rule )
T1098.001
Azure AD Application Hijacking - App Registration [‘azure-ad’] (sigma rule )
AWS - Create Access Key and Secret Key [‘iaas:aws’] (sigma rule )
Azure AD Application Hijacking - Service Principal [‘azure-ad’] (sigma rule )
T1530
Azure - Enumerate Azure Blobs with MicroBurst [‘iaas:azure’] (sigma rule )
Azure - Scan for Anonymous Access to Azure Storage (Powershell) [‘iaas:azure’] (sigma rule )
AWS - Scan for Anonymous Access to S3 [‘iaas:aws’] (sigma rule )
T1055.012
Process Hollowing in Go using CreateProcessW WinAPI [‘windows’] (sigma rule )
RunPE via VBA [‘windows’] (sigma rule )
Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) [‘windows’] (sigma rule )
Process Hollowing using PowerShell [‘windows’] (sigma rule )
T1137
Office Application Startup - Outlook as a C2 [‘windows’] (sigma rule )
T1562.012
Delete all auditd rules using auditctl [‘linux’] (sigma rule )
Disable auditd using auditctl [‘linux’] (sigma rule )
T1204.003
Malicious Execution from Mounted ISO Image [‘windows’] (sigma rule )
T1134.004
Parent PID Spoofing - Spawn from Specified Process [‘windows’] (sigma rule )
Parent PID Spoofing - Spawn from New Process [‘windows’] (sigma rule )
Parent PID Spoofing - Spawn from Current Process [‘windows’] (sigma rule )
Parent PID Spoofing using PowerShell [‘windows’] (sigma rule )
Parent PID Spoofing - Spawn from svchost.exe [‘windows’] (sigma rule )
T1218.009
Regasm Uninstall Method Call Test [‘windows’] (sigma rule )
Regsvcs Uninstall Method Call Test [‘windows’] (sigma rule )
T1055.004
Remote Process Injection with Go using NtQueueApcThreadEx WinAPI [‘windows’] (sigma rule )
Process Injection via C# [‘windows’] (sigma rule )
EarlyBird APC Queue Injection in Go [‘windows’] (sigma rule )
T1569.001
Launchctl [‘macos’] (sigma rule )
T1016.002
Enumerate Stored Wi-Fi Profiles And Passwords via netsh [‘windows’] (sigma rule )
T1610
Deploy Docker container [‘containers’] (sigma rule )
T1005
Find and dump sqlite databases (Linux) [‘linux’] (sigma rule )
Search files of interest and save them to a single zip file (Windows) [‘windows’] (sigma rule )
T1562
Disable journal logging via sed utility [‘linux’] (sigma rule )
Windows Disable LSA Protection [‘windows’] (sigma rule )
Disable journal logging via systemctl utility [‘linux’] (sigma rule )
T1491.001
Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message [‘windows’] (sigma rule )
Replace Desktop Wallpaper [‘windows’] (sigma rule )
T1552.006
GPP Passwords (findstr) [‘windows’] (sigma rule )
GPP Passwords (Get-GPPPassword) [‘windows’] (sigma rule )
T1010
List Process Main Windows - C# .NET [‘windows’] (sigma rule )
T1564.006
Create and start Hyper-V virtual machine [‘windows’] (sigma rule )
Create and start VirtualBox virtual machine [‘windows’] (sigma rule )
Register Portable Virtualbox [‘windows’] (sigma rule )
T1580
AWS - EC2 Enumeration from Cloud Instance [‘linux’, ‘macos’, ‘iaas:aws’] (sigma rule )
AWS - EC2 Security Group Enumeration [‘iaas:aws’] (sigma rule )
T1574.002
DLL Side-Loading using the Notepad++ GUP.exe binary [‘windows’] (sigma rule )
DLL Side-Loading using the dotnet startup hook environment variable [‘windows’] (sigma rule )
T1218.003
CMSTP Executing Remote Scriptlet [‘windows’] (sigma rule )
CMSTP Executing UAC Bypass [‘windows’] (sigma rule )
T1055.015
Process injection ListPlanting [‘windows’] (sigma rule )
T1496
FreeBSD/macOS/Linux - Simulate CPU Load with Yes [‘linux’, ‘macos’] (sigma rule )
T1059.002
AppleScript [‘macos’] (sigma rule )
T1552.007
ListSecrets [‘containers’] (sigma rule )
Cat the contents of a Kubernetes service account token file [‘linux’] (sigma rule )
List All Secrets [‘containers’] (sigma rule )
T1613
Docker Container and Resource Discovery [‘containers’] (sigma rule )
Podman Container and Resource Discovery [‘containers’] (sigma rule )
T1132.001
Base64 Encoded data (freebsd) [‘linux’] (sigma rule )
XOR Encoded data. [‘windows’] (sigma rule )
Base64 Encoded data. [‘macos’, ‘linux’] (sigma rule )
T1003.004
Dumping LSA Secrets [‘windows’] (sigma rule )
T1221
WINWORD Remote Template Injection [‘windows’] (sigma rule )
T1053.002
At.exe Scheduled task [‘windows’] (sigma rule )
T1207
DCShadow (Active Directory) [‘windows’] (sigma rule )
T1547.002
Authentication Package [‘windows’] (sigma rule )
T1567.003
Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows) [‘windows’] (sigma rule )
T1098.004
Modify SSH Authorized Keys [‘linux’, ‘macos’] (sigma rule )
T1125
Registry artefact when application use webcam [‘windows’] (sigma rule )
T1609
Docker Exec Into Container [‘containers’] (sigma rule )
ExecIntoContainer [‘containers’] (sigma rule )
T1003.006
DCSync (Active Directory) [‘windows’] (sigma rule )
Run DSInternals Get-ADReplAccount [‘windows’] (sigma rule )
T1137.001
Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell [‘windows’] (sigma rule )
T1566.001
Word spawned a command shell and used an IP address in the command line [‘windows’] (sigma rule )
Download Macro-Enabled Phishing Attachment [‘windows’] (sigma rule )
T1574.006
Shared Library Injection via /etc/ld.so.preload [‘linux’] (sigma rule )
Shared Library Injection via LD_PRELOAD [‘linux’] (sigma rule )
Dylib Injection via DYLD_INSERT_LIBRARIES [‘macos’] (sigma rule )
T1127.001
MSBuild Bypass Using Inline Tasks (C#) [‘windows’] (sigma rule )
MSBuild Bypass Using Inline Tasks (VB) [‘windows’] (sigma rule )
T1654
Get-EventLog To Enumerate Windows Security Log [‘windows’] (sigma rule )
Enumerate Windows Security Log via WevtUtil [‘windows’] (sigma rule )
T1123
using device audio capture commandlet [‘windows’] (sigma rule )
Registry artefact when application use microphone [‘windows’] (sigma rule )
using Quicktime Player [‘macos’] (sigma rule )
T1053.007
CreateCronjob [‘containers’] (sigma rule )
ListCronjobs [‘containers’] (sigma rule )
T1098.002
EXO - Full access mailbox permission granted to a user [‘office-365’] (sigma rule )
T1106
WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [‘windows’] (sigma rule )
WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique [‘windows’] (sigma rule )
WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [‘windows’] (sigma rule )
Execution through API - CreateProcess [‘windows’] (sigma rule )
Run Shellcode via Syscall in Go [‘windows’] (sigma rule )
T1059
AutoIt Script Execution [‘windows’] (sigma rule )
T1560
Compress Data for Exfiltration With PowerShell [‘windows’] (sigma rule )
T1547.005
Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry [‘windows’] (sigma rule )
Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry [‘windows’] (sigma rule )
T1553.001
Gatekeeper Bypass [‘macos’] (sigma rule )
T1546.012
GlobalFlags in Image File Execution Options [‘windows’] (sigma rule )
IFEO Add Debugger [‘windows’] (sigma rule )
IFEO Global Flags [‘windows’] (sigma rule )
T1567.002
Exfiltrate data with rclone to cloud Storage - Mega (Windows) [‘windows’] (sigma rule )
T1574.008
powerShell Persistence via hijacking default modules - Get-Variable.exe [‘windows’] (sigma rule )
T1006
Read volume boot sector via DOS device path (PowerShell) [‘windows’] (sigma rule )
T1547.003
Edit an existing time provider [‘windows’] (sigma rule )
Create a new time provider [‘windows’] (sigma rule )
T1020
Exfiltration via Encrypted FTP [‘windows’] (sigma rule )
IcedID Botnet HTTP PUT [‘windows’] (sigma rule )
T1574.011
Service ImagePath Change with reg.exe [‘windows’] (sigma rule )
Service Registry Permissions Weakness [‘windows’] (sigma rule )
T1071
Telnet C2 [‘windows’] (sigma rule )
T1114.001
Email Collection with PowerShell Get-Inbox [‘windows’] (sigma rule )
T1021.006
Enable Windows Remote Management [‘windows’] (sigma rule )
Remote Code Execution with PS Credentials Using Invoke-Command [‘windows’] (sigma rule )
WinRM Access with Evil-WinRM [‘windows’] (sigma rule )
T1574.001
DLL Search Order Hijacking - amsi.dll [‘windows’] (sigma rule )
T1195
Octopus Scanner Malware Open Source Supply Chain [‘windows’] (sigma rule )
T1021.005
Enable Apple Remote Desktop Agent [‘macos’] (sigma rule )
T1647
Plist Modification [‘macos’] (sigma rule )
T1133
Running Chrome VPN Extensions via the Registry 2 vpn extension [‘windows’] (sigma rule )
T1556.002
Install and Register Password Filter DLL [‘windows’] (sigma rule )
T1562.009
Safe Mode Boot [‘windows’] (sigma rule )
T1037.001
Logon Scripts [‘windows’] (sigma rule )
T1021.004
ESXi - Enable SSH via PowerCLI [‘linux’] (sigma rule )
T1037.005
Add file to Local Library StartupItems [‘macos’] (sigma rule )
T1547.012
Print Processors [‘windows’] (sigma rule )
T1552
AWS - Retrieve EC2 Password Data using stratus [‘linux’, ‘macos’, ‘iaas:aws’] (sigma rule )
T1484.002
Add Federation to Azure AD [‘azure-ad’] (sigma rule )
T1127
Lolbin Jsc.exe compile javascript to exe [‘windows’] (sigma rule )
Lolbin Jsc.exe compile javascript to dll [‘windows’] (sigma rule )
T1546.010
Install AppInit Shim [‘windows’] (sigma rule )
T1553.003
SIP (Subject Interface Package) Hijacking via Custom DLL [‘windows’] (sigma rule )
T1546.002
Set Arbitrary Binary as Screensaver [‘windows’] (sigma rule )
T1003.005
Cached Credential Dump via Cmdkey [‘windows’] (sigma rule )
T1547.008
Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [‘windows’] (sigma rule )
T1547
Add a driver [‘windows’] (sigma rule )
T1526
Azure - Dump Subscription Data with MicroBurst [‘iaas:azure’] (sigma rule )
T1505.002
Install MS Exchange Transport Agent Persistence [‘windows’] (sigma rule )
T1546.001
Change Default File Association [‘windows’] (sigma rule )
T1553.006
Code Signing Policy Modification [‘windows’] (sigma rule )
T1592.001
Enumerate PlugNPlay Camera [‘windows’] (sigma rule )
T1055.003
Thread Execution Hijacking [‘windows’] (sigma rule )