thor[.]exe[.]zip

resource	yara_rule
static1/unpack001/tools/upx.exe	upx

resource
unpack001/thor.exe
unpack001/thor64.exe
unpack001/tools/upx.exe

thor.exe.zip

.zip

changes.log

custom-signatures/iocs/templates/custom-c2-domains.txt.template

custom-signatures/iocs/templates/custom-events.template

custom-signatures/iocs/templates/custom-filename-iocs.txt.template

custom-signatures/iocs/templates/custom-hash-iocs.txt.template

custom-signatures/iocs/templates/custom-keywords.txt.template

custom-signatures/iocs/templates/custom-mutexes.txt.template

custom-signatures/iocs/templates/custom-namedpipes.txt.template

docs/3rd-party-signatures/LICENSE-yara-rules-BruteRatel

docs/3rd-party-signatures/LICENSE-yara-rules-Cape

docs/3rd-party-signatures/LICENSE-yara-rules-CarbonBlack

docs/3rd-party-signatures/LICENSE-yara-rules-ESET

docs/3rd-party-signatures/LICENSE-yara-rules-FireEye

docs/3rd-party-signatures/LICENSE-yara-rules-GCTI

docs/3rd-party-signatures/LICENSE-yara-rules-JPCERT

docs/3rd-party-signatures/LICENSE-yara-rules-ReversingLabs

docs/3rd-party-signatures/LICENSE-yara-rules-Volexity

docs/3rd-party-signatures/LICENSE-yara-rules-ditekshen

docs/License_Acknowledgement.txt

docs/THOR_EULA.pdf

.pdf

docs/THOR_LogAnalysis.pdf

.pdf

https://countuponsecurity.com/2016/05/18/digital-forensics-shimcache-artifacts/
http://SRV1123.internal.net/10.0.0.112
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
http://system.internal.net/10.1.2.50
http://System23.local.net/10.2.2.14
http://gi.webshop.com
https://adsecurity.org/?p=2288
http://niiconsulting.com/checkmate/2016/02/hunting-passwords-in-sysvol/
http://System32.local.net/10.2.0.7
http://win55.local.net
http://system123.local.net/10.6.2.10
http://system123.local.net/10.10.1.8
http://www.welivesecurity.com/2014/05/20/miniduke-still-duking/
https://github.com/darkquasar/WMI_Persistence
http://server44.local.net/10.23.3.1
http://server44.local.net/1.253.103.134
http://server44.local.net/10.7.1.100
https://sysforensics.org/2014/01/know-your-windows-processes/
http://server22.local.net/10.6.19.8
http://server.local.net/10.1.19.2
http://.lookipv6.com
http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html
https://windowsir.blogspot.de/2017/03/incorporating-amcache-data-into.html
http://server4448.local.net/10.0.10.1
http://server23.local.net/10.19.2.17
http://server77.local.net/10.10.9.19
http://system444.local.net/172.27.2.7
http://60.10.1.183.in-addr.arpa
http://system88.local.net/10.10.9.15
http://altftp.compsys.biz
http://vpnaccess.companybranch.info
http://in-add.arpa
http://ipv6.com
http://benign-site-ipv6.com
http://servftp.companyname.biz
http://www2.companybranch.cn
https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/
http://server555.local.net/10.7.1.14
http://master.comp-a.net
http://server99.local.net/10.1.1.55
http://ctldl.windowsupdate.com
http://www.company-intranet.net
http://update1.f-secure.com
http://server55.local.net/10.16.1.44
http://server55.local.net/10.1.12.2
http://server88.local.net/10.10.9.33
http://server77.local.net/10.1.90.18
http://server66.local.net/147.2.20.16
http://server66.local.net/10.1.30.2
http://server44.local.net/10.216.2.186
http://server44.local.net/10.16.3.7
http://goo.gl/Fm00Q8
http://1dns.dubkill.com.in
http://s3newss.effers.com
http://upport.proxydns.com
http://e.authorizeddns.org
http://server44.local.net/10.10.1.4
http://server44.local.net/10.16.22.2
https://www.virustotal.com/en/
http://Virustotal.com
https://www.virustotal.com
https://www.virustotal.com/en/domain/DOMAIN/information/
https://www.virustotal.com/en/ip-address/58.158.177.102/information/
http://virustotal.com
https://www.winitor.com
https://www.passivetotal.org
https://cymon.io
https://censys.io
https://www.threatcrowd.org
https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc
https://www.hybrid-analysis.com
http://munin.py
https://github.com/Neo23x0/munin
Show all

docs/THOR_Manual.url

docs/THOR_Thunderstorm_Setup_Guide.pdf

.pdf

http://thunderstorm-installer.sh

docs/THOR_Util_Manual.url

licenses/20210414073506-20210417073506_1164.lic

signatures/changes.log

signatures/iocs/custom-evil-hashes.dat

signatures/iocs/filename-characteristics.dat

signatures/iocs/keywords.dat

signatures/iocs/malicious-events.dat

signatures/iocs/malicious-mutexes.dat

signatures/iocs/malicious-namedpipes.dat

signatures/iocs/malware-domains.dat

signatures/misc/file-type-signatures.cfg

signatures/sigma/category/antivirus/av_exploiting.yms

signatures/sigma/category/antivirus/av_hacktool.yms

signatures/sigma/category/antivirus/av_password_dumper.yms

signatures/sigma/category/antivirus/av_printernightmare_cve_2021_34527.yms

signatures/sigma/category/antivirus/av_ransomware.yms

signatures/sigma/category/antivirus/av_relevant_files.yms

signatures/sigma/category/antivirus/av_webshell.yms

signatures/sigma/emerging-threats/2010/Exploits/CVE-2010-5278/web_cve_2010_5278_exploitation_attempt.yms

signatures/sigma/emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yms

signatures/sigma/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yms

signatures/sigma/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yms

signatures/sigma/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yms

signatures/sigma/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yms

signatures/sigma/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yms

signatures/sigma/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yms

signatures/sigma/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yms

signatures/sigma/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yms

signatures/sigma/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yms

signatures/sigma/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yms

signatures/sigma/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yms

signatures/sigma/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yms

signatures/sigma/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yms

signatures/sigma/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yms

signatures/sigma/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yms

signatures/sigma/emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yms

signatures/sigma/emerging-threats/2018/Exploits/CVE-2018-13379/web_cve_2018_13379_fortinet_preauth_read_exploit.yms

signatures/sigma/emerging-threats/2018/Exploits/CVE-2018-2894/web_cve_2018_2894_weblogic_exploit.yms

signatures/sigma/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yms

signatures/sigma/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yms

signatures/sigma/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yms

signatures/sigma/emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yms

signatures/sigma/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yms

signatures/sigma/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yms

signatures/sigma/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yms

signatures/sigma/emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yms

signatures/sigma/emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yms

signatures/sigma/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yms

signatures/sigma/emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yms

signatures/sigma/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yms

signatures/sigma/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yms

signatures/sigma/emerging-threats/2019/Exploits/CVE-2019-11510/web_cve_2019_11510_pulsesecure_exploit.yms

signatures/sigma/emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yms

signatures/sigma/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yms

signatures/sigma/emerging-threats/2019/Exploits/CVE-2019-19781/web_cve_2019_19781_citrix_exploit.yms

signatures/sigma/emerging-threats/2019/Exploits/CVE-2019-3398/web_cve_2019_3398_confluence.yms

signatures/sigma/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yms

signatures/sigma/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yms

signatures/sigma/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yms

signatures/sigma/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yms

signatures/sigma/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yms

signatures/sigma/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yms

signatures/sigma/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yms

signatures/sigma/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yms

signatures/sigma/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yms

signatures/sigma/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yms

signatures/sigma/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yms

signatures/sigma/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yms

signatures/sigma/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yms

signatures/sigma/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yms

signatures/sigma/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yms

signatures/sigma/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yms

signatures/sigma/emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yms

signatures/sigma/emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_exchange_exploit.yms

signatures/sigma/emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_msexchange.yms

signatures/sigma/emerging-threats/2020/Exploits/CVE-2020-10148/web_cve_2020_10148_solarwinds_exploit.yms

signatures/sigma/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yms

signatures/sigma/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yms

signatures/sigma/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yms

signatures/sigma/emerging-threats/2020/Exploits/CVE-2020-14882/web_cve_2020_14882_weblogic_exploit.yms

signatures/sigma/emerging-threats/2020/Exploits/CVE-2020-28188/web_cve_2020_28188_terramaster_rce_exploit.yms

signatures/sigma/emerging-threats/2020/Exploits/CVE-2020-3452/web_cve_2020_3452_cisco_asa_ftd.yms

signatures/sigma/emerging-threats/2020/Exploits/CVE-2020-5902/web_cve_2020_5902_f5_bigip.yms

signatures/sigma/emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.yms

signatures/sigma/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yms

signatures/sigma/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yms

signatures/sigma/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yms

signatures/sigma/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yms

signatures/sigma/emerging-threats/2020/Malware/Trickbot/proc_creation_win_malware_trickbot_wermgr.yms

signatures/sigma/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yms

signatures/sigma/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yms

signatures/sigma/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yms

signatures/sigma/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yms

signatures/sigma/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yms

signatures/sigma/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yms

signatures/sigma/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yms

signatures/sigma/emerging-threats/2020/TA/SolarWinds-Supply-Chain/web_solarwinds_supernova_webshell.yms

signatures/sigma/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yms

signatures/sigma/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yms

signatures/sigma/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-2109/web_cve_2021_2109_weblogic_rce_exploit.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-21972/web_cve_2021_21972_vsphere_unauth_rce_exploit.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-21978/web_cve_2021_21978_vmware_view_planner_exploit.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-22005/web_cve_2021_22005_vmware_file_upload.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-22123/web_cve_2021_22123_fortinet_exploit.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-22893/web_cve_2021_22893_pulse_secure_rce_exploit.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-26814/web_cve_2021_26814_wzuh_rce.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-28480/web_cve_2021_28480_exchange_exploit.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-33766/web_cve_2021_33766_msexchange_proxytoken.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_adselfservice.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_manageengine_adselfservice_exploit.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-42237/web_cve_2021_42237_sitecore_report_ashx.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-43798/web_cve_2021_43798_grafana.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yms

signatures/sigma/emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yms

signatures/sigma/emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yms

signatures/sigma/emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell_successful.yms

signatures/sigma/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yms

signatures/sigma/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yms

signatures/sigma/emerging-threats/2021/Exploits/VisualDoor-Exploit/web_sonicwall_jarrewrite_exploit.yms

signatures/sigma/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yms

signatures/sigma/emerging-threats/2021/Exploits/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yms

signatures/sigma/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yms

signatures/sigma/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yms

signatures/sigma/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yms

signatures/sigma/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yms

signatures/sigma/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yms

signatures/sigma/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yms

signatures/sigma/emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yms

signatures/sigma/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yms

signatures/sigma/emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yms

signatures/sigma/emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yms

signatures/sigma/emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yms

signatures/sigma/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yms

signatures/sigma/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yms

signatures/sigma/emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yms

signatures/sigma/emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yms

signatures/sigma/emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yms

signatures/sigma/emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yms

signatures/sigma/emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yms

signatures/sigma/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yms

signatures/sigma/emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yms

signatures/sigma/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yms

signatures/sigma/emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yms

signatures/sigma/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yms

signatures/sigma/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yms

signatures/sigma/emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yms

signatures/sigma/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yms

signatures/sigma/emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yms

signatures/sigma/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yms

signatures/sigma/emerging-threats/2021/TA/UNC2546/web_unc2546_dewmode_php_webshell.yms

signatures/sigma/emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yms

signatures/sigma/emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yms

signatures/sigma/emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yms

signatures/sigma/emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yms

signatures/sigma/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yms

signatures/sigma/emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yms

signatures/sigma/emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yms

signatures/sigma/emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yms

signatures/sigma/emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yms

signatures/sigma/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yms

signatures/sigma/emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yms

signatures/sigma/emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yms

signatures/sigma/emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yms

signatures/sigma/emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yms

signatures/sigma/emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yms

signatures/sigma/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yms

signatures/sigma/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yms

signatures/sigma/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yms

signatures/sigma/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yms

signatures/sigma/emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yms

signatures/sigma/emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yms

signatures/sigma/emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yms

signatures/sigma/emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yms

signatures/sigma/emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yms

signatures/sigma/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yms

signatures/sigma/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yms

signatures/sigma/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yms

signatures/sigma/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yms

signatures/sigma/emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yms

signatures/sigma/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yms

signatures/sigma/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yms

signatures/sigma/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yms

signatures/sigma/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yms

signatures/sigma/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yms

signatures/sigma/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yms

signatures/sigma/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yms

signatures/sigma/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yms

signatures/sigma/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yms

signatures/sigma/emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yms

signatures/sigma/emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yms

signatures/sigma/emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yms

signatures/sigma/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yms

signatures/sigma/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yms

signatures/sigma/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yms

signatures/sigma/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yms

signatures/sigma/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yms

signatures/sigma/emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yms

signatures/sigma/emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yms

signatures/sigma/emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yms

signatures/sigma/emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yms

signatures/sigma/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yms

signatures/sigma/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yms

signatures/sigma/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yms

signatures/sigma/emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yms

signatures/sigma/emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yms

signatures/sigma/emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yms

signatures/sigma/emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yms

signatures/sigma/emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yms

signatures/sigma/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yms

signatures/sigma/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yms

signatures/sigma/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yms

signatures/sigma/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yms

signatures/sigma/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yms

signatures/sigma/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yms

signatures/sigma/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yms

signatures/sigma/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yms

signatures/sigma/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yms

signatures/sigma/emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yms

signatures/sigma/emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yms

signatures/sigma/emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yms

signatures/sigma/emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yms

signatures/sigma/emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yms

signatures/sigma/emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yms

signatures/sigma/linux/auditd/lnx_auditd_audio_capture.yms

signatures/sigma/linux/auditd/lnx_auditd_auditing_config_change.yms

signatures/sigma/linux/auditd/lnx_auditd_binary_padding.yms

signatures/sigma/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yms

signatures/sigma/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yms

signatures/sigma/linux/auditd/lnx_auditd_capabilities_discovery.yms

signatures/sigma/linux/auditd/lnx_auditd_change_file_time_attr.yms

signatures/sigma/linux/auditd/lnx_auditd_chattr_immutable_removal.yms

signatures/sigma/linux/auditd/lnx_auditd_clipboard_collection.yms

signatures/sigma/linux/auditd/lnx_auditd_clipboard_image_collection.yms

signatures/sigma/linux/auditd/lnx_auditd_coinminer.yms

signatures/sigma/linux/auditd/lnx_auditd_create_account.yms

signatures/sigma/linux/auditd/lnx_auditd_data_compressed.yms

signatures/sigma/linux/auditd/lnx_auditd_data_exfil_wget.yms

signatures/sigma/linux/auditd/lnx_auditd_dd_delete_file.yms

signatures/sigma/linux/auditd/lnx_auditd_disable_system_firewall.yms

signatures/sigma/linux/auditd/lnx_auditd_file_or_folder_permissions.yms

signatures/sigma/linux/auditd/lnx_auditd_find_cred_in_files.yms

signatures/sigma/linux/auditd/lnx_auditd_hidden_binary_execution.yms

signatures/sigma/linux/auditd/lnx_auditd_hidden_files_directories.yms

signatures/sigma/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yms

signatures/sigma/linux/auditd/lnx_auditd_keylogging_with_pam_d.yms

signatures/sigma/linux/auditd/lnx_auditd_ld_so_preload_mod.yms

signatures/sigma/linux/auditd/lnx_auditd_load_module_insmod.yms

signatures/sigma/linux/auditd/lnx_auditd_logging_config_change.yms

signatures/sigma/linux/auditd/lnx_auditd_masquerading_crond.yms

signatures/sigma/linux/auditd/lnx_auditd_modify_system_firewall.yms

signatures/sigma/linux/auditd/lnx_auditd_network_service_scanning.yms

signatures/sigma/linux/auditd/lnx_auditd_network_sniffing.yms

signatures/sigma/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yms

signatures/sigma/linux/auditd/lnx_auditd_password_policy_discovery.yms

signatures/sigma/linux/auditd/lnx_auditd_pers_systemd_reload.yms

signatures/sigma/linux/auditd/lnx_auditd_screencapture_import.yms

signatures/sigma/linux/auditd/lnx_auditd_screencaputre_xwd.yms

signatures/sigma/linux/auditd/lnx_auditd_split_file_into_pieces.yms

signatures/sigma/linux/auditd/lnx_auditd_steghide_embed_steganography.yms

signatures/sigma/linux/auditd/lnx_auditd_steghide_extract_steganography.yms

signatures/sigma/linux/auditd/lnx_auditd_susp_c2_commands.yms

signatures/sigma/linux/auditd/lnx_auditd_susp_cmds.yms

signatures/sigma/linux/auditd/lnx_auditd_susp_exe_folders.yms

signatures/sigma/linux/auditd/lnx_auditd_susp_histfile_operations.yms

signatures/sigma/linux/auditd/lnx_auditd_system_info_discovery.yms

signatures/sigma/linux/auditd/lnx_auditd_system_info_discovery2.yms

signatures/sigma/linux/auditd/lnx_auditd_system_shutdown_reboot.yms

signatures/sigma/linux/auditd/lnx_auditd_systemd_service_creation.yms

signatures/sigma/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yms

signatures/sigma/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yms

signatures/sigma/linux/auditd/lnx_auditd_user_discovery.yms

signatures/sigma/linux/auditd/lnx_auditd_web_rce.yms

signatures/sigma/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yms

signatures/sigma/linux/builtin/clamav/lnx_clamav_relevant_message.yms

signatures/sigma/linux/builtin/cron/lnx_cron_crontab_file_modification.yms

signatures/sigma/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yms

signatures/sigma/linux/builtin/lnx_apt_equationgroup_lnx.yms

signatures/sigma/linux/builtin/lnx_buffer_overflows.yms

signatures/sigma/linux/builtin/lnx_clear_syslog.yms

signatures/sigma/linux/builtin/lnx_file_copy.yms

signatures/sigma/linux/builtin/lnx_ldso_preload_injection.yms

signatures/sigma/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yms

signatures/sigma/linux/builtin/lnx_potential_susp_ebpf_activity.yms

signatures/sigma/linux/builtin/lnx_privileged_user_creation.yms

signatures/sigma/linux/builtin/lnx_shell_clear_cmd_history.yms

signatures/sigma/linux/builtin/lnx_shell_susp_commands.yms

signatures/sigma/linux/builtin/lnx_shell_susp_log_entries.yms

signatures/sigma/linux/builtin/lnx_shell_susp_rev_shells.yms

signatures/sigma/linux/builtin/lnx_shellshock.yms

signatures/sigma/linux/builtin/lnx_space_after_filename_.yms

signatures/sigma/linux/builtin/lnx_susp_dev_tcp.yms

signatures/sigma/linux/builtin/lnx_susp_jexboss.yms

signatures/sigma/linux/builtin/lnx_symlink_etc_passwd.yms

signatures/sigma/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yms

signatures/sigma/linux/builtin/sshd/lnx_sshd_susp_ssh.yms

signatures/sigma/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yms

signatures/sigma/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yms

signatures/sigma/linux/builtin/syslog/lnx_syslog_susp_named.yms

signatures/sigma/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yms

signatures/sigma/linux/file_event/file_event_lnx_doas_conf_creation.yms

signatures/sigma/linux/file_event/file_event_lnx_persistence_cron_files.yms

signatures/sigma/linux/file_event/file_event_lnx_persistence_sudoers_files.yms

signatures/sigma/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yms

signatures/sigma/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yms

signatures/sigma/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yms

signatures/sigma/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yms

signatures/sigma/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yms

signatures/sigma/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yms

signatures/sigma/linux/network_connection/net_connection_lnx_ngrok_tunnel.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_at_command.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_base64_decode.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_base64_execution.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_capa_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_cat_sudoers.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_clear_logs.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_clear_syslog.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_clipboard_collection.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_conti_encrypto.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_crontab_enumeration.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_crontab_removal.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_crypto_mining.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_curl_usage.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_disable_ufw.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_doas_execution.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_file_deletion.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_groupdel.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_gtfobin_apt.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_gtfobin_vim.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_hack_tools.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_install_root_certificate.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_kill_process.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_local_account.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_local_groups.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_mount_hidepid.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_ncat_flags.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_network_service_scanning.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_nohup.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_php_reverse_shell.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_process_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_proxy_connection.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_python_pty_spawn.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_python_reverse_shell.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_remote_system_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_remove_package.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_security_software_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_security_tools_disabling.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_setgid_setuid.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_find_execution.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_git_clone.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_history_delete.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_history_recon.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_inod_listing.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_java_children.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_system_info_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_system_network_discovery.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_touch_susp.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_userdel.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_usermod_susp_group.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_villain_payload.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_webshell_detection.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yms

signatures/sigma/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yms

signatures/sigma/macos/process_creation/proc_creation_macos_sqlite_quarantine_enumeration.yms

signatures/sigma/proxy/proxy_batloader_traffic.yms

signatures/sigma/proxy/proxy_enigma_stealer_traffic.yms

signatures/sigma/proxy/proxy_malware_socgholish_activity.yms

signatures/sigma/proxy/proxy_potential_dcrat_traffic.yms

signatures/sigma/proxy/proxy_potential_delfloader_traffic.yms

signatures/sigma/proxy/proxy_potential_diamondfox_traffic.yms

signatures/sigma/proxy/proxy_potential_zeus_traffic.yms

signatures/sigma/proxy/proxy_proxynotshell_traffic.yms

signatures/sigma/proxy/proxy_raccoon_stealer_traffic.yms

signatures/sigma/proxy/proxy_risepro_stealer_traffic.yms

signatures/sigma/proxy/proxy_zloader_traffic.yms

signatures/sigma/thor.yms

signatures/sigma/web/product/apache/web_apache_segfault.yms

signatures/sigma/web/product/apache/web_apache_threading_error.yms

signatures/sigma/web/product/nginx/web_nginx_core_dump.yms

signatures/sigma/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yms

signatures/sigma/web/proxy_generic/proxy_apt40.yms

signatures/sigma/web/proxy_generic/proxy_baby_shark.yms

signatures/sigma/web/proxy_generic/proxy_chafer_malware.yms

signatures/sigma/web/proxy_generic/proxy_cobalt_amazon.yms

signatures/sigma/web/proxy_generic/proxy_cobalt_malformed_uas.yms

signatures/sigma/web/proxy_generic/proxy_cobalt_ocsp.yms

signatures/sigma/web/proxy_generic/proxy_cobalt_onedrive.yms

signatures/sigma/web/proxy_generic/proxy_download_susp_dyndns.yms

signatures/sigma/web/proxy_generic/proxy_download_susp_tlds_blacklist.yms

signatures/sigma/web/proxy_generic/proxy_download_susp_tlds_whitelist.yms

signatures/sigma/web/proxy_generic/proxy_downloadcradle_webdav.yms

signatures/sigma/web/proxy_generic/proxy_empire_ua_uri_combos.yms

signatures/sigma/web/proxy_generic/proxy_empty_ua.yms

signatures/sigma/web/proxy_generic/proxy_exchange_owassrf_exploitation.yms

signatures/sigma/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yms

signatures/sigma/web/proxy_generic/proxy_ios_implant.yms

signatures/sigma/web/proxy_generic/proxy_java_class_download.yms

signatures/sigma/web/proxy_generic/proxy_powershell_ua.yms

signatures/sigma/web/proxy_generic/proxy_pwndrop.yms

signatures/sigma/web/proxy_generic/proxy_raw_paste_service_access.yms

signatures/sigma/web/proxy_generic/proxy_susp_flash_download_loc.yms

signatures/sigma/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yms

signatures/sigma/web/proxy_generic/proxy_telegram_api.yms

signatures/sigma/web/proxy_generic/proxy_turla_comrat.yms

signatures/sigma/web/proxy_generic/proxy_ua_apt.yms

signatures/sigma/web/proxy_generic/proxy_ua_base64_encoded.yms

signatures/sigma/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yms

signatures/sigma/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yms

signatures/sigma/web/proxy_generic/proxy_ua_cryptominer.yms

signatures/sigma/web/proxy_generic/proxy_ua_frameworks.yms

signatures/sigma/web/proxy_generic/proxy_ua_hacktool.yms

signatures/sigma/web/proxy_generic/proxy_ua_malware.yms

signatures/sigma/web/proxy_generic/proxy_ua_rclone.yms

signatures/sigma/web/proxy_generic/proxy_ua_susp.yms

signatures/sigma/web/proxy_generic/proxy_ua_susp_base64.yms

signatures/sigma/web/proxy_generic/proxy_ursnif_malware_c2_url.yms

signatures/sigma/web/proxy_generic/proxy_ursnif_malware_download_url.yms

signatures/sigma/web/proxy_generic/proxy_webdav_search_ms.yms

signatures/sigma/web/web_cve_2023_35078_exploitation_indicators.yms

signatures/sigma/web/web_proxynotshell_traffic.yms

signatures/sigma/web/web_webshell_patterns.yms

signatures/sigma/web/webserver_generic/web_iis_tilt_shortname_scan.yms

signatures/sigma/web/webserver_generic/web_java_payload_in_access_logs.yms

signatures/sigma/web/webserver_generic/web_jndi_exploit.yms

signatures/sigma/web/webserver_generic/web_path_traversal_exploitation_attempt.yms

signatures/sigma/web/webserver_generic/web_source_code_enumeration.yms

signatures/sigma/web/webserver_generic/web_sql_injection_in_access_logs.yms

signatures/sigma/web/webserver_generic/web_ssti_in_access_logs.yms

signatures/sigma/web/webserver_generic/web_susp_useragents.yms

signatures/sigma/web/webserver_generic/web_susp_windows_path_uri.yms

signatures/sigma/web/webserver_generic/web_webshell_regeorg.yms

signatures/sigma/web/webserver_generic/web_win_webshells_in_access_logs.yms

signatures/sigma/web/webserver_generic/web_xss_in_access_logs.yms

signatures/sigma/windows/builtin/amsi/win_amsi_malicious_content_detected.yms

signatures/sigma/windows/builtin/application/Other/win_av_relevant_match.yms

signatures/sigma/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yms

signatures/sigma/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yms

signatures/sigma/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yms

signatures/sigma/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yms

signatures/sigma/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yms

signatures/sigma/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yms

signatures/sigma/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yms

signatures/sigma/windows/builtin/application/msexchange_control_panel/win_vul_cve_2020_0688.yms

signatures/sigma/windows/builtin/application/msiinstaller/win_builtin_remove_application.yms

signatures/sigma/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yms

signatures/sigma/windows/builtin/application/msiinstaller/win_msi_install_from_web.yms

signatures/sigma/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yms

signatures/sigma/windows/builtin/application/msiinstaller/win_vul_cve_2021_41379.yms

signatures/sigma/windows/builtin/application/msmq/win_msmq_corrupted_packet.yms

signatures/sigma/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yms

signatures/sigma/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yms

signatures/sigma/windows/builtin/application/mssqlserver/win_mssql_sp_maggie.yms

signatures/sigma/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yms

signatures/sigma/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yms

signatures/sigma/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yms

signatures/sigma/windows/builtin/application/win_snoozed_defender.yms

signatures/sigma/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yms

signatures/sigma/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yms

signatures/sigma/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yms

signatures/sigma/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yms

signatures/sigma/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yms

signatures/sigma/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yms

signatures/sigma/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yms

signatures/sigma/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yms

signatures/sigma/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yms

signatures/sigma/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yms

signatures/sigma/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yms

signatures/sigma/windows/builtin/audit_cve/win_audit_cve_generic.yms

signatures/sigma/windows/builtin/bits_client/win_bits_client_new_job_from_temp.yms

signatures/sigma/windows/builtin/bits_client/win_bits_client_new_job_from_uncommon_paths.yms

signatures/sigma/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yms

signatures/sigma/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yms

signatures/sigma/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yms

signatures/sigma/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yms

signatures/sigma/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yms

signatures/sigma/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yms

signatures/sigma/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yms

signatures/sigma/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yms

signatures/sigma/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yms

signatures/sigma/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yms

signatures/sigma/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yms

signatures/sigma/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yms

signatures/sigma/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yms

signatures/sigma/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yms

signatures/sigma/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yms

signatures/sigma/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yms

signatures/sigma/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yms

signatures/sigma/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yms

signatures/sigma/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yms

signatures/sigma/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yms

signatures/sigma/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yms

signatures/sigma/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yms

signatures/sigma/windows/builtin/dns_client/win_dns_client_mega_nz.yms

signatures/sigma/windows/builtin/dns_client/win_dns_client_tor_onion.yms

signatures/sigma/windows/builtin/dns_client/win_dns_client_ufile_io.yms

signatures/sigma/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yms

signatures/sigma/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yms

signatures/sigma/windows/builtin/dns_server_analytic/win_dns_analytic_apt_gallium.yms

signatures/sigma/windows/builtin/driverframeworks/win_usb_device_plugged.yms

signatures/sigma/windows/builtin/firewall_as/win_firewall_as_add_rule.yms

signatures/sigma/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yms

signatures/sigma/windows/builtin/firewall_as/win_firewall_as_change_rule.yms

signatures/sigma/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yms

signatures/sigma/windows/builtin/firewall_as/win_firewall_as_delete_rule.yms

signatures/sigma/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yms

signatures/sigma/windows/builtin/firewall_as/win_firewall_as_reset_config.yms

signatures/sigma/windows/builtin/firewall_as/win_firewall_as_setting_change.yms

signatures/sigma/windows/builtin/ldap/win_ldap_recon.yms

signatures/sigma/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yms

signatures/sigma/windows/builtin/msexchange/win_exchange_cve_2021_42321.yms

signatures/sigma/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yms

signatures/sigma/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yms

signatures/sigma/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yms

signatures/sigma/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yms

signatures/sigma/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yms

signatures/sigma/windows/builtin/msexchange/win_exchange_transportagent.yms

signatures/sigma/windows/builtin/msexchange/win_exchange_transportagent_failed.yms

signatures/sigma/windows/builtin/ntlm/win_susp_ntlm_auth.yms

signatures/sigma/windows/builtin/ntlm/win_susp_ntlm_brute_force.yms

signatures/sigma/windows/builtin/ntlm/win_susp_ntlm_rdp.yms

signatures/sigma/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yms

signatures/sigma/windows/builtin/security/account_management/win_security_access_token_abuse.yms

signatures/sigma/windows/builtin/security/account_management/win_security_admin_rdp_login.yms

signatures/sigma/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yms

signatures/sigma/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yms

signatures/sigma/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yms

signatures/sigma/windows/builtin/security/account_management/win_security_overpass_the_hash.yms

signatures/sigma/windows/builtin/security/account_management/win_security_pass_the_hash_2.yms

signatures/sigma/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yms

signatures/sigma/windows/builtin/security/account_management/win_security_rdp_localhost_login.yms

signatures/sigma/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yms

signatures/sigma/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yms

signatures/sigma/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yms

signatures/sigma/windows/builtin/security/account_management/win_security_susp_krbrelayup.yms

signatures/sigma/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yms

signatures/sigma/windows/builtin/security/account_management/win_security_susp_rottenpotato.yms

signatures/sigma/windows/builtin/security/account_management/win_security_susp_wmi_login.yms

signatures/sigma/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yms

signatures/sigma/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yms

signatures/sigma/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yms

signatures/sigma/windows/builtin/security/win_security_account_discovery.yms

signatures/sigma/windows/builtin/security/win_security_ad_object_writedac_access.yms

signatures/sigma/windows/builtin/security/win_security_ad_replication_non_machine_account.yms

signatures/sigma/windows/builtin/security/win_security_ad_user_enumeration.yms

signatures/sigma/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yms

signatures/sigma/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yms

signatures/sigma/windows/builtin/security/win_security_add_remove_computer.yms

signatures/sigma/windows/builtin/security/win_security_admin_logon.yms

signatures/sigma/windows/builtin/security/win_security_admin_share_access.yms

signatures/sigma/windows/builtin/security/win_security_alert_active_directory_user_control.yms

signatures/sigma/windows/builtin/security/win_security_alert_ad_user_backdoors.yms

signatures/sigma/windows/builtin/security/win_security_alert_enable_weak_encryption.yms

signatures/sigma/windows/builtin/security/win_security_alert_ruler.yms

signatures/sigma/windows/builtin/security/win_security_atsvc_task.yms

signatures/sigma/windows/builtin/security/win_security_camera_microphone_access.yms

signatures/sigma/windows/builtin/security/win_security_cobaltstrike_service_installs.yms

signatures/sigma/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yms

signatures/sigma/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yms

signatures/sigma/windows/builtin/security/win_security_dcsync.yms

signatures/sigma/windows/builtin/security/win_security_defender_bypass.yms

signatures/sigma/windows/builtin/security/win_security_device_installation_blocked.yms

signatures/sigma/windows/builtin/security/win_security_disable_event_auditing.yms

signatures/sigma/windows/builtin/security/win_security_disable_event_auditing_critical.yms

signatures/sigma/windows/builtin/security/win_security_dot_net_etw_tamper.yms

signatures/sigma/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yms

signatures/sigma/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yms

signatures/sigma/windows/builtin/security/win_security_event_log_cleared.yms

signatures/sigma/windows/builtin/security/win_security_external_device.yms

signatures/sigma/windows/builtin/security/win_security_gpo_scheduledtasks.yms

signatures/sigma/windows/builtin/security/win_security_hidden_user_creation.yms

signatures/sigma/windows/builtin/security/win_security_hktl_local_potato_privilege_escalation.yms

signatures/sigma/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yms

signatures/sigma/windows/builtin/security/win_security_impacket_psexec.yms

signatures/sigma/windows/builtin/security/win_security_impacket_secretdump.yms

signatures/sigma/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yms

signatures/sigma/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yms

signatures/sigma/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yms

signatures/sigma/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yms

signatures/sigma/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yms

signatures/sigma/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yms

signatures/sigma/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yms

signatures/sigma/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yms

signatures/sigma/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yms

signatures/sigma/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yms

signatures/sigma/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yms

signatures/sigma/windows/builtin/security/win_security_iso_mount.yms

signatures/sigma/windows/builtin/security/win_security_lm_namedpipe.yms

signatures/sigma/windows/builtin/security/win_security_lsass_access_non_system_account.yms

signatures/sigma/windows/builtin/security/win_security_mal_creddumper.yms

signatures/sigma/windows/builtin/security/win_security_mal_service_installs.yms

signatures/sigma/windows/builtin/security/win_security_mal_wceaux_dll.yms

signatures/sigma/windows/builtin/security/win_security_metasploit_authentication.yms

signatures/sigma/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yms

signatures/sigma/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yms

signatures/sigma/windows/builtin/security/win_security_net_ntlm_downgrade.yms

signatures/sigma/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yms

signatures/sigma/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yms

signatures/sigma/windows/builtin/security/win_security_not_allowed_rdp_access.yms

signatures/sigma/windows/builtin/security/win_security_password_policy_enumerated.yms

signatures/sigma/windows/builtin/security/win_security_pcap_drivers.yms

signatures/sigma/windows/builtin/security/win_security_petitpotam_network_share.yms

signatures/sigma/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yms

signatures/sigma/windows/builtin/security/win_security_possible_dc_shadow.yms

signatures/sigma/windows/builtin/security/win_security_powershell_script_installed_as_service.yms

signatures/sigma/windows/builtin/security/win_security_protected_storage_service_access.yms

signatures/sigma/windows/builtin/security/win_security_rdp_reverse_tunnel.yms

signatures/sigma/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yms

signatures/sigma/windows/builtin/security/win_security_remote_powershell_session.yms

signatures/sigma/windows/builtin/security/win_security_replay_attack_detected.yms

signatures/sigma/windows/builtin/security/win_security_sam_registry_hive_handle_request.yms

signatures/sigma/windows/builtin/security/win_security_scheduled_task_deletion.yms

signatures/sigma/windows/builtin/security/win_security_scheduled_task_suspicious_contents.yms

signatures/sigma/windows/builtin/security/win_security_scheduled_task_suspicious_locations.yms

signatures/sigma/windows/builtin/security/win_security_scheduled_task_uncommon_contents.yms

signatures/sigma/windows/builtin/security/win_security_scm_database_handle_failure.yms

signatures/sigma/windows/builtin/security/win_security_scm_database_privileged_operation.yms

signatures/sigma/windows/builtin/security/win_security_service_install_remote_access_software.yms

signatures/sigma/windows/builtin/security/win_security_service_installation_by_unusal_client.yms

signatures/sigma/windows/builtin/security/win_security_smb_file_creation_admin_shares.yms

signatures/sigma/windows/builtin/security/win_security_susp_add_domain_trust.yms

signatures/sigma/windows/builtin/security/win_security_susp_add_sid_history.yms

signatures/sigma/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yms

signatures/sigma/windows/builtin/security/win_security_susp_computer_name.yms

signatures/sigma/windows/builtin/security/win_security_susp_dsrm_password_change.yms

signatures/sigma/windows/builtin/security/win_security_susp_eventlog_cleared.yms

signatures/sigma/windows/builtin/security/win_security_susp_failed_logon_reasons.yms

signatures/sigma/windows/builtin/security/win_security_susp_kerberos_manipulation.yms

signatures/sigma/windows/builtin/security/win_security_susp_ldap_dataexchange.yms

signatures/sigma/windows/builtin/security/win_security_susp_local_anon_logon_created.yms

signatures/sigma/windows/builtin/security/win_security_susp_logon_explicit_credentials.yms

signatures/sigma/windows/builtin/security/win_security_susp_lsass_dump.yms

signatures/sigma/windows/builtin/security/win_security_susp_lsass_dump_generic.yms

signatures/sigma/windows/builtin/security/win_security_susp_net_recon_activity.yms

signatures/sigma/windows/builtin/security/win_security_susp_opened_encrypted_zip.yms

signatures/sigma/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yms

signatures/sigma/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yms

signatures/sigma/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yms

signatures/sigma/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yms

signatures/sigma/windows/builtin/security/win_security_susp_privileges_enabled.yms

signatures/sigma/windows/builtin/security/win_security_susp_psexec.yms

signatures/sigma/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yms

signatures/sigma/windows/builtin/security/win_security_susp_rc4_kerberos.yms

signatures/sigma/windows/builtin/security/win_security_susp_scheduled_task_creation.yms

signatures/sigma/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yms

signatures/sigma/windows/builtin/security/win_security_susp_scheduled_task_update.yms

signatures/sigma/windows/builtin/security/win_security_susp_sdelete.yms

signatures/sigma/windows/builtin/security/win_security_susp_time_modification.yms

signatures/sigma/windows/builtin/security/win_security_svcctl_remote_service.yms

signatures/sigma/windows/builtin/security/win_security_syskey_registry_access.yms

signatures/sigma/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yms

signatures/sigma/windows/builtin/security/win_security_tap_driver_installation.yms

signatures/sigma/windows/builtin/security/win_security_teams_suspicious_objectaccess.yms

signatures/sigma/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yms

signatures/sigma/windows/builtin/security/win_security_user_added_to_local_administrators.yms

signatures/sigma/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yms

signatures/sigma/windows/builtin/security/win_security_user_creation.yms

signatures/sigma/windows/builtin/security/win_security_user_driver_loaded.yms

signatures/sigma/windows/builtin/security/win_security_user_logoff.yms

signatures/sigma/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yms

signatures/sigma/windows/builtin/security/win_security_wmi_persistence.yms

signatures/sigma/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yms

signatures/sigma/windows/builtin/security/win_security_workstation_was_locked.yms

signatures/sigma/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yms

signatures/sigma/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yms

signatures/sigma/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yms

signatures/sigma/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yms

signatures/sigma/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yms

signatures/sigma/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yms

signatures/sigma/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yms

signatures/sigma/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yms

signatures/sigma/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yms

signatures/sigma/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yms

signatures/sigma/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yms

signatures/sigma/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yms

signatures/sigma/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yms

signatures/sigma/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yms

signatures/sigma/windows/builtin/system/microsoft_windows_kernel_general/win_system_quarkspwdump_clearing_hive_access_history.yms

signatures/sigma/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yms

signatures/sigma/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yms

signatures/sigma/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yms

signatures/sigma/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yms

signatures/sigma/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yms

signatures/sigma/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yms

signatures/sigma/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_apt_carbonpaper_turla.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_apt_stonedrill.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_apt_turla_service_png.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_defender_disabled.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_install_paexec.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_install_susp_double_ampersand.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_susp_proceshacker.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_susp_service_installation.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_system_service_installation_by_unusal_client.yms

signatures/sigma/windows/builtin/system/service_control_manager/win_system_tap_driver_installation.yms

signatures/sigma/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yms

signatures/sigma/windows/builtin/system/win_system_advancedrun_service_installation.yms

signatures/sigma/windows/builtin/system/win_system_kernel_driver_install_from_susp_locations.yms

signatures/sigma/windows/builtin/system/win_system_service_hktl_masky.yms

signatures/sigma/windows/builtin/system/win_system_service_install_impacket.yms

signatures/sigma/windows/builtin/system/win_system_service_install_mrc_ram_capture.yms

signatures/sigma/windows/builtin/system/win_system_service_install_susp_binary.yms

signatures/sigma/windows/builtin/system/win_system_service_install_susp_unc.yms

signatures/sigma/windows/builtin/system/win_system_service_susp_admin.yms

signatures/sigma/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yms

signatures/sigma/windows/builtin/taskscheduler/win_taskscheduler_fake_system_tasks_execution.yms

signatures/sigma/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yms

signatures/sigma/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yms

signatures/sigma/windows/builtin/taskscheduler/win_taskscheduler_task_masquerading.yms

signatures/sigma/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yms

signatures/sigma/windows/builtin/vhd/win_mount_iso_file.yms

signatures/sigma/windows/builtin/vhd/win_susp_mount_iso_vhd_locations.yms

signatures/sigma/windows/builtin/win_alert_mimikatz_keywords.yms

signatures/sigma/windows/builtin/windefend/win_defender_alert_lsass_access.yms

signatures/sigma/windows/builtin/windefend/win_defender_amsi_trigger.yms

signatures/sigma/windows/builtin/windefend/win_defender_disabled.yms

signatures/sigma/windows/builtin/windefend/win_defender_exclusions.yms

signatures/sigma/windows/builtin/windefend/win_defender_exploit_guard_tamper.yms

signatures/sigma/windows/builtin/windefend/win_defender_history_delete.yms

signatures/sigma/windows/builtin/windefend/win_defender_psexec_wmi_asr.yms

signatures/sigma/windows/builtin/windefend/win_defender_real_time_protection_errors.yms

signatures/sigma/windows/builtin/windefend/win_defender_restored_quarantine_file.yms

signatures/sigma/windows/builtin/windefend/win_defender_suspicious_features_tampering.yms

signatures/sigma/windows/builtin/windefend/win_defender_tamper_protection_trigger.yms

signatures/sigma/windows/builtin/windefend/win_defender_threat.yms

signatures/sigma/windows/builtin/wmi/win_wmi_create_environment_variable.yms

signatures/sigma/windows/builtin/wmi/win_wmi_delete_environment_variable.yms

signatures/sigma/windows/builtin/wmi/win_wmi_delete_filter_to_consumer_binding.yms

signatures/sigma/windows/builtin/wmi/win_wmi_delete_shadow_copy.yms

signatures/sigma/windows/builtin/wmi/win_wmi_enum_av_product.yms

signatures/sigma/windows/builtin/wmi/win_wmi_hotfix_enum.yms

signatures/sigma/windows/builtin/wmi/win_wmi_impacket_wmipersist_filter_binding.yms

signatures/sigma/windows/builtin/wmi/win_wmi_impacket_wmipersist_filter_query.yms

signatures/sigma/windows/builtin/wmi/win_wmi_metasploit_waitfor_event_filter_persistence.yms

signatures/sigma/windows/builtin/wmi/win_wmi_obfuscated_win32_process.yms

signatures/sigma/windows/builtin/wmi/win_wmi_persistence.yms

signatures/sigma/windows/builtin/wmi/win_wmi_seatbelt_applocker_service_recon.yms

signatures/sigma/windows/builtin/wmi/win_wmi_seatbelt_env_variables_recon.yms

signatures/sigma/windows/builtin/wmi/win_wmi_seatbelt_process_owners.yms

signatures/sigma/windows/builtin/wmi/win_wmi_susp_active_script_consumer_persistence.yms

signatures/sigma/windows/builtin/wmi/win_wmi_susp_cli_consumer_persistence.yms

signatures/sigma/windows/builtin/wmi/win_wmi_susp_event_consumer_creation.yms

signatures/sigma/windows/builtin/wmi/win_wmi_susp_logevent_event_filter_persistence.yms

signatures/sigma/windows/builtin/wmi/win_wmi_susp_logon_event_filter_persistence.yms

signatures/sigma/windows/builtin/wmi/win_wmi_susp_process_creation.yms

signatures/sigma/windows/builtin/wmi/win_wmi_susp_process_event_filer_persistence.yms

signatures/sigma/windows/builtin/wmi/win_wmi_susp_system_filter_to_consumer_binding.yms

signatures/sigma/windows/builtin/wmi/win_wmi_susp_systemuptime_event_filter_persistence.yms

signatures/sigma/windows/builtin/wmi/win_wmi_susp_task_creation.yms

signatures/sigma/windows/builtin/wmi/win_wmi_susp_time_event_filter_persistence.yms

signatures/sigma/windows/builtin/wmi/win_wmi_susp_volume_change_event_filter_persistence.yms

signatures/sigma/windows/builtin/wmi/win_wmi_win32_encryptablevolume_disable_protection.yms

signatures/sigma/windows/builtin/wmi/win_wmi_win32_encryptablevolume_protectionstatus_query.yms

signatures/sigma/windows/builtin/wmi/win_wmi_win32_process_create.yms

signatures/sigma/windows/builtin/wmi/win_wmi_win32_process_get_owner.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_keepass.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_susp_file_appdata.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_susp_locations.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_susp_process_injection.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_susp_wrong_bitness.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yms

signatures/sigma/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yms

signatures/sigma/windows/create_stream_hash/create_stream_hash_ads_executable.yms

signatures/sigma/windows/create_stream_hash/create_stream_hash_creation_internet_file.yms

signatures/sigma/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yms

signatures/sigma/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yms

signatures/sigma/windows/create_stream_hash/create_stream_hash_hacktool_download.yms

signatures/sigma/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yms

signatures/sigma/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yms

signatures/sigma/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yms

signatures/sigma/windows/create_stream_hash/create_stream_hash_zip_tld_download.yms

signatures/sigma/windows/dns_query/dns_query_win_anonymfiles_com.yms

signatures/sigma/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yms

signatures/sigma/windows/dns_query/dns_query_win_lolbin_appinstaller.yms

signatures/sigma/windows/dns_query/dns_query_win_mal_cobaltstrike.yms

signatures/sigma/windows/dns_query/dns_query_win_malware_socgholish_second_stage_c2.yms

signatures/sigma/windows/dns_query/dns_query_win_mega_nz.yms

signatures/sigma/windows/dns_query/dns_query_win_regsvr32_network_activity.yms

signatures/sigma/windows/dns_query/dns_query_win_remote_access_software_domains.yms

signatures/sigma/windows/dns_query/dns_query_win_susp_ipify.yms

signatures/sigma/windows/dns_query/dns_query_win_susp_ldap.yms

signatures/sigma/windows/dns_query/dns_query_win_susp_teamviewer.yms

signatures/sigma/windows/dns_query/dns_query_win_susp_tlds_process.yms

signatures/sigma/windows/dns_query/dns_query_win_tor_onion.yms

signatures/sigma/windows/dns_query/dns_query_win_ufile_io.yms

signatures/sigma/windows/driver_load/driver_load_win_magnet_ram_capture.yms

signatures/sigma/windows/driver_load/driver_load_win_mal_creddumper.yms

signatures/sigma/windows/driver_load/driver_load_win_mal_poortry_driver.yms

signatures/sigma/windows/driver_load/driver_load_win_powershell_script_installed_as_service.yms

signatures/sigma/windows/driver_load/driver_load_win_pua_process_hacker.yms

signatures/sigma/windows/driver_load/driver_load_win_pua_system_informer.yms

signatures/sigma/windows/driver_load/driver_load_win_susp_temp_use.yms

signatures/sigma/windows/driver_load/driver_load_win_unsigned_susp_location.yms

signatures/sigma/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yms

signatures/sigma/windows/driver_load/driver_load_win_vuln_dell_driver.yms

signatures/sigma/windows/driver_load/driver_load_win_vuln_drivers.yms

signatures/sigma/windows/driver_load/driver_load_win_vuln_drivers_names.yms

signatures/sigma/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yms

signatures/sigma/windows/driver_load/driver_load_win_vuln_hevd_driver.yms

signatures/sigma/windows/driver_load/driver_load_win_vuln_hw_driver.yms

signatures/sigma/windows/driver_load/driver_load_win_vuln_lenovo_driver.yms

signatures/sigma/windows/driver_load/driver_load_win_vuln_winring0_driver.yms

signatures/sigma/windows/driver_load/driver_load_win_windivert.yms

signatures/sigma/windows/file/file_access/file_access_win_browser_credential_access.yms

signatures/sigma/windows/file/file_access/file_access_win_credential_manager_access.yms

signatures/sigma/windows/file/file_access/file_access_win_dpapi_master_key_access.yms

signatures/sigma/windows/file/file_access/file_access_win_reg_and_hive_access.yms

signatures/sigma/windows/file/file_access/file_access_win_susp_cred_hist_access.yms

signatures/sigma/windows/file/file_access/file_access_win_volumecopy_sam.yms

signatures/sigma/windows/file/file_change/file_change_win_2022_timestomping.yms

signatures/sigma/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yms

signatures/sigma/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yms

signatures/sigma/windows/file/file_delete/file_delete_win_delete_backup_file.yms

signatures/sigma/windows/file/file_delete/file_delete_win_delete_event_log_files.yms

signatures/sigma/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yms

signatures/sigma/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yms

signatures/sigma/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yms

signatures/sigma/windows/file/file_delete/file_delete_win_delete_prefetch.yms

signatures/sigma/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yms

signatures/sigma/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yms

signatures/sigma/windows/file/file_delete/file_delete_win_scheduled_tasks.yms

signatures/sigma/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yms

signatures/sigma/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yms

signatures/sigma/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yms

signatures/sigma/windows/file/file_event/file_event_win_access_susp_teams.yms

signatures/sigma/windows/file/file_event/file_event_win_access_susp_unattend_xml.yms

signatures/sigma/windows/file/file_event/file_event_win_advanced_ip_scanner.yms

signatures/sigma/windows/file/file_event/file_event_win_anydesk_artefact.yms

signatures/sigma/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yms

signatures/sigma/windows/file/file_event/file_event_win_aspnet_temp_files.yms

signatures/sigma/windows/file/file_event/file_event_win_bloodhound_collection.yms

signatures/sigma/windows/file/file_event/file_event_win_conti_programdata_dropped_files.yms

signatures/sigma/windows/file/file_event/file_event_win_crackmapexec_patterns.yms

signatures/sigma/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yms

signatures/sigma/windows/file/file_event/file_event_win_create_non_existent_dlls.yms

signatures/sigma/windows/file/file_event/file_event_win_creation_new_shim_database.yms

signatures/sigma/windows/file/file_event/file_event_win_creation_scr_binary_file.yms

signatures/sigma/windows/file/file_event/file_event_win_creation_system_file.yms

signatures/sigma/windows/file/file_event/file_event_win_creation_unquoted_service_path.yms

signatures/sigma/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yms

signatures/sigma/windows/file/file_event/file_event_win_cscript_wscript_dropper.yms

signatures/sigma/windows/file/file_event/file_event_win_csexec_service.yms

signatures/sigma/windows/file/file_event/file_event_win_csharp_compile_artefact.yms

signatures/sigma/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yms

signatures/sigma/windows/file/file_event/file_event_win_cve_2021_26858_msexchange.yms

signatures/sigma/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yms

signatures/sigma/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yms

signatures/sigma/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yms

signatures/sigma/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yms

signatures/sigma/windows/file/file_event/file_event_win_dcmacro_dropped_files.yms

signatures/sigma/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yms

signatures/sigma/windows/file/file_event/file_event_win_dll_sideloading_space_path.yms

signatures/sigma/windows/file/file_event/file_event_win_errorhandler_persistence.yms

signatures/sigma/windows/file/file_event/file_event_win_exchange_webshell_drop.yms

signatures/sigma/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yms

signatures/sigma/windows/file/file_event/file_event_win_file_header_mz_fake_extension.yms

signatures/sigma/windows/file/file_event/file_event_win_gotoopener_artefact.yms

signatures/sigma/windows/file/file_event/file_event_win_hktl_dumpert.yms

signatures/sigma/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yms

signatures/sigma/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yms

signatures/sigma/windows/file/file_event/file_event_win_hktl_mimikatz_files.yms

signatures/sigma/windows/file/file_event/file_event_win_hktl_nppspy.yms

signatures/sigma/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yms

signatures/sigma/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yms

signatures/sigma/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yms

signatures/sigma/windows/file/file_event/file_event_win_hktl_safetykatz.yms

signatures/sigma/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yms

signatures/sigma/windows/file/file_event/file_event_win_install_teamviewer_desktop.yms

signatures/sigma/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yms

signatures/sigma/windows/file/file_event/file_event_win_iso_file_mount.yms

signatures/sigma/windows/file/file_event/file_event_win_iso_file_recent.yms

signatures/sigma/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yms

signatures/sigma/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yms

signatures/sigma/windows/file/file_event/file_event_win_lsass_shtinkering.yms

signatures/sigma/windows/file/file_event/file_event_win_lsass_werfault_dump.yms

signatures/sigma/windows/file/file_event/file_event_win_mal_adwind.yms

signatures/sigma/windows/file/file_event/file_event_win_mal_octopus_scanner.yms

signatures/sigma/windows/file/file_event/file_event_win_msdt_susp_directories.yms

signatures/sigma/windows/file/file_event/file_event_win_mstsc_susp_dropped_files.yms

signatures/sigma/windows/file/file_event/file_event_win_net_cli_artefact.yms

signatures/sigma/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yms

signatures/sigma/windows/file/file_event/file_event_win_new_scr_file.yms

signatures/sigma/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yms

signatures/sigma/windows/file/file_event/file_event_win_ntds_dit_creation.yms

signatures/sigma/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yms

signatures/sigma/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yms

signatures/sigma/windows/file/file_event/file_event_win_ntds_exfil_tools.yms

signatures/sigma/windows/file/file_event/file_event_win_office_addin_persistence.yms

signatures/sigma/windows/file/file_event/file_event_win_office_macro_files_created.yms

signatures/sigma/windows/file/file_event/file_event_win_office_macro_files_downloaded.yms

signatures/sigma/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yms

signatures/sigma/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yms

signatures/sigma/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yms

signatures/sigma/windows/file/file_event/file_event_win_office_outlook_macro_creation.yms

signatures/sigma/windows/file/file_event/file_event_win_office_outlook_newform.yms

signatures/sigma/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yms

signatures/sigma/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yms

signatures/sigma/windows/file/file_event/file_event_win_office_startup_persistence.yms

signatures/sigma/windows/file/file_event/file_event_win_office_susp_file_extension.yms

signatures/sigma/windows/file/file_event/file_event_win_office_uncommon_file_startup.yms

signatures/sigma/windows/file/file_event/file_event_win_pcre_net_temp_file.yms

signatures/sigma/windows/file/file_event/file_event_win_perflogs_susp_files.yms

signatures/sigma/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yms

signatures/sigma/windows/file/file_event/file_event_win_powershell_drop_powershell.yms

signatures/sigma/windows/file/file_event/file_event_win_powershell_exploit_scripts.yms

signatures/sigma/windows/file/file_event/file_event_win_powershell_module_creation.yms

signatures/sigma/windows/file/file_event/file_event_win_powershell_module_susp_creation.yms

signatures/sigma/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yms

signatures/sigma/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yms

signatures/sigma/windows/file/file_event/file_event_win_powerupsql_output.yms

signatures/sigma/windows/file/file_event/file_event_win_ppldump_indicator.yms

signatures/sigma/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yms

signatures/sigma/windows/file/file_event/file_event_win_rclone_config_files.yms

signatures/sigma/windows/file/file_event/file_event_win_rdp_file_susp_creation.yms

signatures/sigma/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yms

signatures/sigma/windows/file/file_event/file_event_win_remcom_service.yms

signatures/sigma/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yms

signatures/sigma/windows/file/file_event/file_event_win_ripzip_attack.yms

signatures/sigma/windows/file/file_event/file_event_win_sam_dump.yms

signatures/sigma/windows/file/file_event/file_event_win_shell_write_susp_directory.yms

signatures/sigma/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yms

signatures/sigma/windows/file/file_event/file_event_win_startup_folder_file_write.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_colorcpl.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_compressed.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_desktop_ini.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_desktop_txt.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_diagcab.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_double_extension.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_dropper.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_executable_creation.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_file_data_folders.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_get_variable.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_homoglyph_filename.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_lnk_double_extension.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_perflogs_write.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_pfx_file_creation.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_powershell_profile.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_ransomware_extensions.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_ransomware_notes.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_task_write.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yms

signatures/sigma/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yms

signatures/sigma/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yms

signatures/sigma/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yms

signatures/sigma/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yms

signatures/sigma/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yms

signatures/sigma/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yms

signatures/sigma/windows/file/file_event/file_event_win_sysinternals_psexec_service.yms

signatures/sigma/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yms

signatures/sigma/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yms

signatures/sigma/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yms

signatures/sigma/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yms

signatures/sigma/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yms

signatures/sigma/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yms

signatures/sigma/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yms

signatures/sigma/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yms

signatures/sigma/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yms

signatures/sigma/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yms

signatures/sigma/windows/file/file_event/file_event_win_uac_bypass_winsat.yms

signatures/sigma/windows/file/file_event/file_event_win_uac_bypass_wmp.yms

signatures/sigma/windows/file/file_event/file_event_win_vhd_download_via_browsers.yms

signatures/sigma/windows/file/file_event/file_event_win_webshell_creation_detect.yms

signatures/sigma/windows/file/file_event/file_event_win_werfault_dll_hijacking.yms

signatures/sigma/windows/file/file_event/file_event_win_winrm_awl_bypass.yms

signatures/sigma/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yms

signatures/sigma/windows/file/file_event/file_event_win_wmiexec_default_filename.yms

signatures/sigma/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yms

signatures/sigma/windows/file/file_event/file_event_win_wpbbin_persistence.yms

signatures/sigma/windows/file/file_event/file_event_win_writing_local_admin_share.yms

signatures/sigma/windows/file/file_rename/file_rename_win_not_dll_to_dll.yms

signatures/sigma/windows/file/file_rename/file_rename_win_ransomware.yms

signatures/sigma/windows/image_load/image_load_azure_microsoft_account_token_provider_dll_load.yms

signatures/sigma/windows/image_load/image_load_clickonce_unsigned_module_loaded.yms

signatures/sigma/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yms

signatures/sigma/windows/image_load/image_load_credui_uncommon_process_load.yms

signatures/sigma/windows/image_load/image_load_dll_amsi_suspicious_process.yms

signatures/sigma/windows/image_load/image_load_dll_amsi_uncommon_process.yms

signatures/sigma/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yms

signatures/sigma/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yms

signatures/sigma/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yms

signatures/sigma/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yms

signatures/sigma/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yms

signatures/sigma/windows/image_load/image_load_dll_system_drawing_load.yms

signatures/sigma/windows/image_load/image_load_dll_system_management_automation_susp_load.yms

signatures/sigma/windows/image_load/image_load_dll_vss_ps_susp_load.yms

signatures/sigma/windows/image_load/image_load_dll_vssapi_susp_load.yms

signatures/sigma/windows/image_load/image_load_dll_vsstrace_susp_load.yms

signatures/sigma/windows/image_load/image_load_hacktool_driver_load.yms

signatures/sigma/windows/image_load/image_load_hktl_sharpevtmute.yms

signatures/sigma/windows/image_load/image_load_hktl_silenttrinity_stager.yms

signatures/sigma/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yms

signatures/sigma/windows/image_load/image_load_odbcad32_susp_location.yms

signatures/sigma/windows/image_load/image_load_odbcconf_susp_location.yms

signatures/sigma/windows/image_load/image_load_office_dotnet_assembly_dll_load.yms

signatures/sigma/windows/image_load/image_load_office_dotnet_clr_dll_load.yms

signatures/sigma/windows/image_load/image_load_office_dotnet_gac_dll_load.yms

signatures/sigma/windows/image_load/image_load_office_dsparse_dll_load.yms

signatures/sigma/windows/image_load/image_load_office_excel_xll_susp_load.yms

signatures/sigma/windows/image_load/image_load_office_kerberos_dll_load.yms

signatures/sigma/windows/image_load/image_load_office_outlook_outlvba_load.yms

signatures/sigma/windows/image_load/image_load_office_powershell_dll_load.yms

signatures/sigma/windows/image_load/image_load_office_vbadll_load.yms

signatures/sigma/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yms

signatures/sigma/windows/image_load/image_load_sdiagnhost_powershell.yms

signatures/sigma/windows/image_load/image_load_side_load_7za.yms

signatures/sigma/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yms

signatures/sigma/windows/image_load/image_load_side_load_antivirus.yms

signatures/sigma/windows/image_load/image_load_side_load_appverifui.yms

signatures/sigma/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yms

signatures/sigma/windows/image_load/image_load_side_load_avkkid.yms

signatures/sigma/windows/image_load/image_load_side_load_ccleaner_du.yms

signatures/sigma/windows/image_load/image_load_side_load_ccleaner_reactivator.yms

signatures/sigma/windows/image_load/image_load_side_load_chrome_frame_helper.yms

signatures/sigma/windows/image_load/image_load_side_load_classicexplorer32.yms

signatures/sigma/windows/image_load/image_load_side_load_comctl32.yms

signatures/sigma/windows/image_load/image_load_side_load_coregen.yms

signatures/sigma/windows/image_load/image_load_side_load_dbgcore_dll.yms

signatures/sigma/windows/image_load/image_load_side_load_dbghelp_dll.yms

signatures/sigma/windows/image_load/image_load_side_load_eacore.yms

signatures/sigma/windows/image_load/image_load_side_load_edputil.yms

signatures/sigma/windows/image_load/image_load_side_load_from_non_system_location.yms

signatures/sigma/windows/image_load/image_load_side_load_goopdate.yms

signatures/sigma/windows/image_load/image_load_side_load_gup_libcurl.yms

signatures/sigma/windows/image_load/image_load_side_load_iviewers.yms

signatures/sigma/windows/image_load/image_load_side_load_jsschhlp.yms

signatures/sigma/windows/image_load/image_load_side_load_libvlc.yms

signatures/sigma/windows/image_load/image_load_side_load_mfdetours.yms

signatures/sigma/windows/image_load/image_load_side_load_mfdetours_unsigned.yms

signatures/sigma/windows/image_load/image_load_side_load_non_existent_dlls.yms

signatures/sigma/windows/image_load/image_load_side_load_office_dlls.yms

signatures/sigma/windows/image_load/image_load_side_load_rcdll.yms

signatures/sigma/windows/image_load/image_load_side_load_rjvplatform_default_location.yms

signatures/sigma/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yms

signatures/sigma/windows/image_load/image_load_side_load_robform.yms

signatures/sigma/windows/image_load/image_load_side_load_shell_chrome_api.yms

signatures/sigma/windows/image_load/image_load_side_load_shelldispatch.yms

signatures/sigma/windows/image_load/image_load_side_load_smadhook.yms

signatures/sigma/windows/image_load/image_load_side_load_solidpdfcreator.yms

signatures/sigma/windows/image_load/image_load_side_load_svchost_dlls.yms

signatures/sigma/windows/image_load/image_load_side_load_third_party.yms

signatures/sigma/windows/image_load/image_load_side_load_ualapi.yms

signatures/sigma/windows/image_load/image_load_side_load_vivaldi_elf.yms

signatures/sigma/windows/image_load/image_load_side_load_vmguestlib.yms

signatures/sigma/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yms

signatures/sigma/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yms

signatures/sigma/windows/image_load/image_load_side_load_vmware_xfer.yms

signatures/sigma/windows/image_load/image_load_side_load_waveedit.yms

signatures/sigma/windows/image_load/image_load_side_load_wazuh.yms

signatures/sigma/windows/image_load/image_load_side_load_windows_defender.yms

signatures/sigma/windows/image_load/image_load_side_load_wwlib.yms

signatures/sigma/windows/image_load/image_load_spoolsv_dll_load.yms

signatures/sigma/windows/image_load/image_load_susp_dll_load_system_process.yms

signatures/sigma/windows/image_load/image_load_susp_python_image_load.yms

signatures/sigma/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yms

signatures/sigma/windows/image_load/image_load_susp_smb_touch_scanner.yms

signatures/sigma/windows/image_load/image_load_susp_uncommon_image_load.yms

signatures/sigma/windows/image_load/image_load_tttracer_mod_load.yms

signatures/sigma/windows/image_load/image_load_uac_bypass_iscsicpl.yms

signatures/sigma/windows/image_load/image_load_uac_bypass_via_dism.yms

signatures/sigma/windows/image_load/image_load_unsigned_image_loaded_into_lsass.yms

signatures/sigma/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yms

signatures/sigma/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yms

signatures/sigma/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yms

signatures/sigma/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yms

signatures/sigma/windows/image_load/image_load_wsman_provider_image_load.yms

signatures/sigma/windows/network_connection/net_connection_win_binary_susp_com.yms

signatures/sigma/windows/network_connection/net_connection_win_certutil_initiated_connection.yms

signatures/sigma/windows/network_connection/net_connection_win_crypto_mining_pools.yms

signatures/sigma/windows/network_connection/net_connection_win_dead_drop_resolvers.yms

signatures/sigma/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yms

signatures/sigma/windows/network_connection/net_connection_win_dllhost_net_connections.yms

signatures/sigma/windows/network_connection/net_connection_win_eqnedt.yms

signatures/sigma/windows/network_connection/net_connection_win_excel_outbound_network_connection.yms

signatures/sigma/windows/network_connection/net_connection_win_google_api_non_browser_access.yms

signatures/sigma/windows/network_connection/net_connection_win_hh.yms

signatures/sigma/windows/network_connection/net_connection_win_imewdbld.yms

signatures/sigma/windows/network_connection/net_connection_win_malware_backconnect_ports.yms

signatures/sigma/windows/network_connection/net_connection_win_mega_nz.yms

signatures/sigma/windows/network_connection/net_connection_win_msiexec.yms

signatures/sigma/windows/network_connection/net_connection_win_mstsc_rdp_connection.yms

signatures/sigma/windows/network_connection/net_connection_win_mstsc_susp_remote_port.yms

signatures/sigma/windows/network_connection/net_connection_win_ngrok_io.yms

signatures/sigma/windows/network_connection/net_connection_win_ngrok_tunnel.yms

signatures/sigma/windows/network_connection/net_connection_win_notepad_network_connection.yms

signatures/sigma/windows/network_connection/net_connection_win_notion_api_susp_communication.yms

signatures/sigma/windows/network_connection/net_connection_win_office_susp_ports.yms

signatures/sigma/windows/network_connection/net_connection_win_powershell_network_connection.yms

signatures/sigma/windows/network_connection/net_connection_win_python.yms

signatures/sigma/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yms

signatures/sigma/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yms

signatures/sigma/windows/network_connection/net_connection_win_rdp_to_http.yms

signatures/sigma/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yms

signatures/sigma/windows/network_connection/net_connection_win_regsvr32_network_activity.yms

signatures/sigma/windows/network_connection/net_connection_win_remote_powershell_session_network.yms

signatures/sigma/windows/network_connection/net_connection_win_rundll32_net_connections.yms

signatures/sigma/windows/network_connection/net_connection_win_script.yms

signatures/sigma/windows/network_connection/net_connection_win_script_wan.yms

signatures/sigma/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yms

signatures/sigma/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yms

signatures/sigma/windows/network_connection/net_connection_win_susp_cmstp.yms

signatures/sigma/windows/network_connection/net_connection_win_susp_dropbox_api.yms

signatures/sigma/windows/network_connection/net_connection_win_susp_epmap.yms

signatures/sigma/windows/network_connection/net_connection_win_susp_external_ip_lookup.yms

signatures/sigma/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yms

signatures/sigma/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yms

signatures/sigma/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yms

signatures/sigma/windows/network_connection/net_connection_win_susp_processes_connections.yms

signatures/sigma/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yms

signatures/sigma/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yms

signatures/sigma/windows/network_connection/net_connection_win_winlogon_net_connections.yms

signatures/sigma/windows/network_connection/net_connection_win_wuauclt_network_connection.yms

signatures/sigma/windows/pipe_created/pipe_created_catalog_change_listener_susp_creation.yms

signatures/sigma/windows/pipe_created/pipe_created_csexec_default_pipe.yms

signatures/sigma/windows/pipe_created/pipe_created_hktl_cobaltstrike.yms

signatures/sigma/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yms

signatures/sigma/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yms

signatures/sigma/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yms

signatures/sigma/windows/pipe_created/pipe_created_hktl_efspotato.yms

signatures/sigma/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yms

signatures/sigma/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yms

signatures/sigma/windows/pipe_created/pipe_created_mal_namedpipes.yms

signatures/sigma/windows/pipe_created/pipe_created_paexec_default_pipe.yms

signatures/sigma/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yms

signatures/sigma/windows/pipe_created/pipe_created_powershell_execution_pipe.yms

signatures/sigma/windows/pipe_created/pipe_created_remcom_default_pipe.yms

signatures/sigma/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yms

signatures/sigma/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yms

signatures/sigma/windows/pipe_created/pipe_created_susp_havoc_pipe_patterns.yms

signatures/sigma/windows/pipe_created/pipe_created_susp_locations.yms

signatures/sigma/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yms

signatures/sigma/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_powercat.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_script_c2_reverse_tcp_shell_payload.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_script_c2_reverse_tcp_shell_payload_obfusc.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_script_susp_func_lookup_via_gac_enum.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_susp_download.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yms

signatures/sigma/windows/powershell/powershell_classic/posh_pc_xor_commandline.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_c2_reverse_tcp_shell_payload.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_decompress_commands.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_exploit_scripts.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_get_addbaccount.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_get_clipboard.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_susp_block_execution_by_av.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_susp_download.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_susp_virus_or_pua_execution.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yms

signatures/sigma/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_accessing_native_win_api.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_add_windows_capability.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_adrecon_execution.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_aes_encryption_capability.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_automated_collection.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_base64_encoded_mz_reflective_load.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_bypass_amsi.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_c2_reverse_tcp_shell_main_script.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_c2_reverse_tcp_shell_payload.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_c2_reverse_tpc_shell_payload_obfusc.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_capture_screenshots.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_clear_eventlog_clearlog.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_com_object_msscript_control.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_conti_rpd_firewall_rules.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_cor_profiler.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_create_local_user.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_data_compressed.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_dctoolbox_cmdlets_execution.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_detect_vm_env.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_device_driver_control.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_directorysearcher.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_disable_process_mitigation.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_disable_ps_etw.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_disable_script_block_logging.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_dnscat_execution.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_dotnet_assembly_in_memory_load_and_execution.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_download_com_cradles.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_dynamic_type_lookup.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_enable_psremoting.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_export_certificate.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_get_acl_service.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_get_adcomputer.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_get_adgroup.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_hotfix_enum.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_invoke_commandindesktoppackage.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_invoke_hunt_smb_shares.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_keylogging.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_localuser.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_malicious_keywords.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_mini_dump_write_dump_wer.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_msxml_com.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_powerup_sql_cmdlets.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_prompt_credentials.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_psasyncshell.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_psattack.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_registry_reflective_assembly_load.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_remote_session_creation.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_remove_item_path.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_rootkit_r77_registry_reflective_load.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_screenshot_capability.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_script_execution_from_suspicious_path.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_security_software_discovery.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_send_mailmessage.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_set_acl.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_shellcode_b64.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_shortcut_creation_susp.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_shortcut_creation_susp_encoded.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_software_discovery.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_alias_powershell.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_defender_exclusions_added.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_download.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_dynamic_definitions.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_extracting.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_func_lookup_via_gac_enum.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_func_lookup_via_gac_enum_encoded.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_get_process.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_gwmi.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_hoaxshell_encoded_payload.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_hoaxshell_raw_payload.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_keywords.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_new_firewall_rule.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_obfuscation.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_recon_export.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_set_alias.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_start_process.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_villain_raw_payload.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_websites_powershell_scripts.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_win32_api_imports.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_wmi_queries.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_tabshell_exploit.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_tamper_defender_features.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_test_netconnection.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_timestomp.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_token_obfuscation.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_wmi_persistence.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_wmimplant.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_x509enrollment.yms

signatures/sigma/windows/powershell/powershell_script/posh_ps_xml_iex.yms

signatures/sigma/windows/process_access/proc_access_win_cmstp_execution_by_access.yms

signatures/sigma/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yms

signatures/sigma/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yms

signatures/sigma/windows/process_access/proc_access_win_hack_sysmonente.yms

signatures/sigma/windows/process_access/proc_access_win_handlekatz_lsass_access.yms

signatures/sigma/windows/process_access/proc_access_win_invoke_patchingapi.yms

signatures/sigma/windows/process_access/proc_access_win_invoke_phantom.yms

signatures/sigma/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yms

signatures/sigma/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yms

signatures/sigma/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yms

signatures/sigma/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yms

signatures/sigma/windows/process_access/proc_access_win_lsass_memdump.yms

signatures/sigma/windows/process_access/proc_access_win_lsass_memdump_evasion.yms

signatures/sigma/windows/process_access/proc_access_win_lsass_memdump_indicators.yms

signatures/sigma/windows/process_access/proc_access_win_lsass_werfault.yms

signatures/sigma/windows/process_access/proc_access_win_malware_verclsid_shellcode.yms

signatures/sigma/windows/process_access/proc_access_win_mimikatz_trough_winrm.yms

signatures/sigma/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yms

signatures/sigma/windows/process_access/proc_access_win_rare_proc_access_lsass.yms

signatures/sigma/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yms

signatures/sigma/windows/process_access/proc_access_win_susp_proc_access_lsass.yms

signatures/sigma/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yms

signatures/sigma/windows/process_access/proc_access_win_susp_proc_access_steal_token.yms

signatures/sigma/windows/process_access/proc_access_win_susp_seclogon.yms

signatures/sigma/windows/process_access/proc_access_win_svchost_cred_dump.yms

signatures/sigma/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yms

signatures/sigma/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yms

signatures/sigma/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yms

signatures/sigma/windows/process_creation/proc_creation_win_7zip_password_compression.yms

signatures/sigma/windows/process_creation/proc_creation_win_7zip_password_extraction.yms

signatures/sigma/windows/process_creation/proc_creation_win_adplus_memory_dump.yms

signatures/sigma/windows/process_creation/proc_creation_win_advancedrun_via_cfg_file.yms

signatures/sigma/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yms

signatures/sigma/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_apt_apt41_patterns.yms

signatures/sigma/windows/process_creation/proc_creation_win_apt_backdoordiplomacy_recon_tool.yms

signatures/sigma/windows/process_creation/proc_creation_win_apt_blackbasta_patterns.yms

signatures/sigma/windows/process_creation/proc_creation_win_apt_gamaredon_mshta.yms

signatures/sigma/windows/process_creation/proc_creation_win_apt_kimsuky_pattern.yms

signatures/sigma/windows/process_creation/proc_creation_win_apt_nk_lazarus_dll_load_patterns.yms

signatures/sigma/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yms

signatures/sigma/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yms

signatures/sigma/windows/process_creation/proc_creation_win_at_interactive_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_attrib_hiding_files.yms

signatures/sigma/windows/process_creation/proc_creation_win_attrib_system.yms

signatures/sigma/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yms

signatures/sigma/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_auditpol_susp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_avdump_utility.yms

signatures/sigma/windows/process_creation/proc_creation_win_bash_command_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_bash_file_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yms

signatures/sigma/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_bitsadmin_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yms

signatures/sigma/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yms

signatures/sigma/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yms

signatures/sigma/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yms

signatures/sigma/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yms

signatures/sigma/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yms

signatures/sigma/windows/process_creation/proc_creation_win_blackbyte.yms

signatures/sigma/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yms

signatures/sigma/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yms

signatures/sigma/windows/process_creation/proc_creation_win_browsers_msedge_arbitrary_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_browsers_remote_debugging.yms

signatures/sigma/windows/process_creation/proc_creation_win_browsers_tor_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yms

signatures/sigma/windows/process_creation/proc_creation_win_certoc_load_dll.yms

signatures/sigma/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yms

signatures/sigma/windows/process_creation/proc_creation_win_certutil_certificate_installation.yms

signatures/sigma/windows/process_creation/proc_creation_win_certutil_decode.yms

signatures/sigma/windows/process_creation/proc_creation_win_certutil_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yms

signatures/sigma/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yms

signatures/sigma/windows/process_creation/proc_creation_win_certutil_encode.yms

signatures/sigma/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yms

signatures/sigma/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yms

signatures/sigma/windows/process_creation/proc_creation_win_certutil_export_pfx.yms

signatures/sigma/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yms

signatures/sigma/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yms

signatures/sigma/windows/process_creation/proc_creation_win_chcp_codepage_switch.yms

signatures/sigma/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yms

signatures/sigma/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yms

signatures/sigma/windows/process_creation/proc_creation_win_clip_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yms

signatures/sigma/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_assoc_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_del_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_dir_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_dosfuscation.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_http_appdata.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_no_space_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_path_traversal.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_redirect.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_uncommon_flag.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmd_unusual_parent.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmdkey_delete_cred.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmdkey_generic_zip_password_add.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmdkey_recon.yms

signatures/sigma/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yms

signatures/sigma/windows/process_creation/proc_creation_win_conhost_legacy_option.yms

signatures/sigma/windows/process_creation/proc_creation_win_conhost_path_traversal.yms

signatures/sigma/windows/process_creation/proc_creation_win_conhost_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yms

signatures/sigma/windows/process_creation/proc_creation_win_control_panel_item.yms

signatures/sigma/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yms

signatures/sigma/windows/process_creation/proc_creation_win_csc_susp_parent.yms

signatures/sigma/windows/process_creation/proc_creation_win_csi_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yms

signatures/sigma/windows/process_creation/proc_creation_win_csvde_export.yms

signatures/sigma/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yms

signatures/sigma/windows/process_creation/proc_creation_win_curl_custom_user_agent.yms

signatures/sigma/windows/process_creation/proc_creation_win_curl_download_direct_ip.yms

signatures/sigma/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yms

signatures/sigma/windows/process_creation/proc_creation_win_curl_insecure_connection.yms

signatures/sigma/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yms

signatures/sigma/windows/process_creation/proc_creation_win_curl_local_file_read.yms

signatures/sigma/windows/process_creation/proc_creation_win_curl_susp_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yms

signatures/sigma/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_dirlister_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_disable_process_mitigation.yms

signatures/sigma/windows/process_creation/proc_creation_win_discovery_echo_separator.yms

signatures/sigma/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yms

signatures/sigma/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yms

signatures/sigma/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yms

signatures/sigma/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yms

signatures/sigma/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_dns_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_dnscmd_discovery.yms

signatures/sigma/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yms

signatures/sigma/windows/process_creation/proc_creation_win_driverquery_recon.yms

signatures/sigma/windows/process_creation/proc_creation_win_driverquery_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yms

signatures/sigma/windows/process_creation/proc_creation_win_dsacls_password_spray.yms

signatures/sigma/windows/process_creation/proc_creation_win_dsim_remove.yms

signatures/sigma/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yms

signatures/sigma/windows/process_creation/proc_creation_win_dsquery_modified_location.yms

signatures/sigma/windows/process_creation/proc_creation_win_dsquery_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yms

signatures/sigma/windows/process_creation/proc_creation_win_dumpel.yms

signatures/sigma/windows/process_creation/proc_creation_win_dumpminitool_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_earthworm_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_encoded_vbscript.yms

signatures/sigma/windows/process_creation/proc_creation_win_esentutl_params.yms

signatures/sigma/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yms

signatures/sigma/windows/process_creation/proc_creation_win_esentutl_webcache.yms

signatures/sigma/windows/process_creation/proc_creation_win_exchange_pool_exploit.yms

signatures/sigma/windows/process_creation/proc_creation_win_exchange_proxy_not_shell.yms

signatures/sigma/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_expand_cabinet_files.yms

signatures/sigma/windows/process_creation/proc_creation_win_explorer_break_process_tree.yms

signatures/sigma/windows/process_creation/proc_creation_win_explorer_lolbin_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_explorer_nouaccheck.yms

signatures/sigma/windows/process_creation/proc_creation_win_fake_msiexec.yms

signatures/sigma/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yms

signatures/sigma/windows/process_creation/proc_creation_win_findstr_lnk.yms

signatures/sigma/windows/process_creation/proc_creation_win_findstr_lsass.yms

signatures/sigma/windows/process_creation/proc_creation_win_findstr_recon_everyone.yms

signatures/sigma/windows/process_creation/proc_creation_win_findstr_susp_parent.yms

signatures/sigma/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yms

signatures/sigma/windows/process_creation/proc_creation_win_finger_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_fltmc_unload_driver.yms

signatures/sigma/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yms

signatures/sigma/windows/process_creation/proc_creation_win_fsuninstallationtool.yms

signatures/sigma/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yms

signatures/sigma/windows/process_creation/proc_creation_win_fsutil_setzerodata.yms

signatures/sigma/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yms

signatures/sigma/windows/process_creation/proc_creation_win_fsutil_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_gacutil_install_assemblies.yms

signatures/sigma/windows/process_creation/proc_creation_win_gacutil_install_assemblies_from_susp_locations.yms

signatures/sigma/windows/process_creation/proc_creation_win_get_variable_powershell_persistence.yms

signatures/sigma/windows/process_creation/proc_creation_win_git_susp_clone.yms

signatures/sigma/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_gpg4win_decryption.yms

signatures/sigma/windows/process_creation/proc_creation_win_gpg4win_encryption.yms

signatures/sigma/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_gpg4win_susp_location.yms

signatures/sigma/windows/process_creation/proc_creation_win_gpresult_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_grant_overpermissive_permissions.yms

signatures/sigma/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_gup_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_gup_suspicious_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_hack_earthworm.yms

signatures/sigma/windows/process_creation/proc_creation_win_hack_hoaxshell.yms

signatures/sigma/windows/process_creation/proc_creation_win_hack_impacket_tool.yms

signatures/sigma/windows/process_creation/proc_creation_win_hack_villain.yms

signatures/sigma/windows/process_creation/proc_creation_win_hack_villain_encoded_obfusc.yms

signatures/sigma/windows/process_creation/proc_creation_win_hacktool_allinone.yms

signatures/sigma/windows/process_creation/proc_creation_win_hacktool_cve_exploit_pattern.yms

signatures/sigma/windows/process_creation/proc_creation_win_hacktool_dumpy.yms

signatures/sigma/windows/process_creation/proc_creation_win_hacktool_krbrelay.yms

signatures/sigma/windows/process_creation/proc_creation_win_hacktool_pe_info.yms

signatures/sigma/windows/process_creation/proc_creation_win_hermeticwiper_ransom.yms

signatures/sigma/windows/process_creation/proc_creation_win_hh_chm_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_hh_susp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_adcspwn.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_certify.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_certipy.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_covenant.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_createminidump.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_dinjector.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_dumpert.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_edrsandblast.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_evil_winrm.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_gmer.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_handlekatz.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_hashcat.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_hydra.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_impacket_tools.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_impersonate.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_inveigh.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_koadic.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_krbrelay.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_krbrelayup.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_localpotato.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_pchunter.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_powertool.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_pypykatz.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_rubeus.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_safetykatz.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_secutyxploded.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_selectmyparent.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_sharpersist.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_sharpup.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_sharpview.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_sysmoneop.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_trufflesnout.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_uacme.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_wce.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_winpeas.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_xordump.yms

signatures/sigma/windows/process_creation/proc_creation_win_hktl_zipexec.yms

signatures/sigma/windows/process_creation/proc_creation_win_hoaxshell_encoded_payload.yms

signatures/sigma/windows/process_creation/proc_creation_win_hoaxshell_raw_payload.yms

signatures/sigma/windows/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yms

signatures/sigma/windows/process_creation/proc_creation_win_hostname_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_htkl_sharpsphere_patterns.yms

signatures/sigma/windows/process_creation/proc_creation_win_hwp_exploits.yms

signatures/sigma/windows/process_creation/proc_creation_win_hxtsr_masquerading.yms

signatures/sigma/windows/process_creation/proc_creation_win_icacls_deny.yms

signatures/sigma/windows/process_creation/proc_creation_win_iex_direct_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yms

signatures/sigma/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yms

signatures/sigma/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yms

signatures/sigma/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yms

signatures/sigma/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yms

signatures/sigma/windows/process_creation/proc_creation_win_iis_susp_module_registration.yms

signatures/sigma/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yms

signatures/sigma/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yms

signatures/sigma/windows/process_creation/proc_creation_win_inline_hta.yms

signatures/sigma/windows/process_creation/proc_creation_win_inline_native_win_api_access.yms

signatures/sigma/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_ip_recon.yms

signatures/sigma/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_java_remote_debugging.yms

signatures/sigma/windows/process_creation/proc_creation_win_java_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_java_susp_child_process_2.yms

signatures/sigma/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_kd_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yms

signatures/sigma/windows/process_creation/proc_creation_win_ksetup_password_change_user.yms

signatures/sigma/windows/process_creation/proc_creation_win_lazagne_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_ldifde_export.yms

signatures/sigma/windows/process_creation/proc_creation_win_ldifde_file_load.yms

signatures/sigma/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yms

signatures/sigma/windows/process_creation/proc_creation_win_logman_disable_eventlog.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_appvlp.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_cdb.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_certoc_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_cmdl32.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_customshellhost.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_defaultpack.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_dnx.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_dotnet.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_dotnet_dump.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_dump64.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_extexport.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_extrac32.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_findstr.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_forfiles.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_format.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_ftp.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_gpscript.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_ilasm.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_installutil_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_jsc.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_kavremover.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_manage_bde.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_mpiexec.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_msdeploy.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_mspub_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_openconsole.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_openwith.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_pcalua.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_pcwrun.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_pcwutl.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_pester.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_pester_1.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_presentationhost.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_printbrm.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_pubprn.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_register_app.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_remote.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_replace.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_runexehelper.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_setres.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_sftp.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_sigverif.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_squirrel.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_ssh.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_tracker.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_ttdinject.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_type.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_unregmp2.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_wfc.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolbin_wuauclt.yms

signatures/sigma/windows/process_creation/proc_creation_win_lolscript_register_app.yms

signatures/sigma/windows/process_creation/proc_creation_win_lsass_dump_patterns.yms

signatures/sigma/windows/process_creation/proc_creation_win_lsass_process_clone.yms

signatures/sigma/windows/process_creation/proc_creation_win_mal_guloader_activity.yms

signatures/sigma/windows/process_creation/proc_creation_win_mal_orcus_rat_commandline.yms

signatures/sigma/windows/process_creation/proc_creation_win_mal_sccm.yms

signatures/sigma/windows/process_creation/proc_creation_win_mal_teleport_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yms

signatures/sigma/windows/process_creation/proc_creation_win_malware_gootkit_activity.yms

signatures/sigma/windows/process_creation/proc_creation_win_malware_gootkit_loader.yms

signatures/sigma/windows/process_creation/proc_creation_win_malware_script_dropper.yms

signatures/sigma/windows/process_creation/proc_creation_win_malware_sload_downloader_variant_1.yms

signatures/sigma/windows/process_creation/proc_creation_win_malware_socgholish_activity.yms

signatures/sigma/windows/process_creation/proc_creation_win_mftrace_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yms

signatures/sigma/windows/process_creation/proc_creation_win_mmc_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_mofcomp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yms

signatures/sigma/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yms

signatures/sigma/windows/process_creation/proc_creation_win_mrc_ram_capture.yms

signatures/sigma/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yms

signatures/sigma/windows/process_creation/proc_creation_win_msdt_susp_parent.yms

signatures/sigma/windows/process_creation/proc_creation_win_mshta_http.yms

signatures/sigma/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yms

signatures/sigma/windows/process_creation/proc_creation_win_mshta_javascript.yms

signatures/sigma/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yms

signatures/sigma/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_mshta_susp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_mshta_susp_pattern.yms

signatures/sigma/windows/process_creation/proc_creation_win_mshta_vbscript_execute.yms

signatures/sigma/windows/process_creation/proc_creation_win_msiexec_dll.yms

signatures/sigma/windows/process_creation/proc_creation_win_msiexec_embedding.yms

signatures/sigma/windows/process_creation/proc_creation_win_msiexec_execute_dll.yms

signatures/sigma/windows/process_creation/proc_creation_win_msiexec_install_quiet.yms

signatures/sigma/windows/process_creation/proc_creation_win_msiexec_install_remote.yms

signatures/sigma/windows/process_creation/proc_creation_win_msiexec_masquerading.yms

signatures/sigma/windows/process_creation/proc_creation_win_msiexec_web_install.yms

signatures/sigma/windows/process_creation/proc_creation_win_msra_process_injection.yms

signatures/sigma/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_mssql_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yms

signatures/sigma/windows/process_creation/proc_creation_win_mstsc_remote_connection.yms

signatures/sigma/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yms

signatures/sigma/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yms

signatures/sigma/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yms

signatures/sigma/windows/process_creation/proc_creation_win_ncat_flags.yms

signatures/sigma/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yms

signatures/sigma/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yms

signatures/sigma/windows/process_creation/proc_creation_win_net_network_connections_discovery.yms

signatures/sigma/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yms

signatures/sigma/windows/process_creation/proc_creation_win_net_share_unmount.yms

signatures/sigma/windows/process_creation/proc_creation_win_net_start_service.yms

signatures/sigma/windows/process_creation/proc_creation_win_net_stop_service.yms

signatures/sigma/windows/process_creation/proc_creation_win_net_susp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yms

signatures/sigma/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yms

signatures/sigma/windows/process_creation/proc_creation_win_net_use_mount_share.yms

signatures/sigma/windows/process_creation/proc_creation_win_net_use_password_plaintext.yms

signatures/sigma/windows/process_creation/proc_creation_win_net_user_add.yms

signatures/sigma/windows/process_creation/proc_creation_win_net_user_add_never_expire.yms

signatures/sigma/windows/process_creation/proc_creation_win_netscan_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_netsh_disable_allprofiles.yms

signatures/sigma/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yms

signatures/sigma/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yms

signatures/sigma/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yms

signatures/sigma/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yms

signatures/sigma/windows/process_creation/proc_creation_win_netsh_fw_disable.yms

signatures/sigma/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yms

signatures/sigma/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yms

signatures/sigma/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yms

signatures/sigma/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yms

signatures/sigma/windows/process_creation/proc_creation_win_netsh_packet_capture.yms

signatures/sigma/windows/process_creation/proc_creation_win_netsh_port_forwarding.yms

signatures/sigma/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yms

signatures/sigma/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yms

signatures/sigma/windows/process_creation/proc_creation_win_network_sniffing.yms

signatures/sigma/windows/process_creation/proc_creation_win_nirsoft_password_recovery_tools.yms

signatures/sigma/windows/process_creation/proc_creation_win_nltest_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_nltest_recon.yms

signatures/sigma/windows/process_creation/proc_creation_win_node_abuse.yms

signatures/sigma/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yms

signatures/sigma/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yms

signatures/sigma/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_ntdsutil_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_odbcad32_uncommon_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_odbcconf_driver_install.yms

signatures/sigma/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yms

signatures/sigma/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yms

signatures/sigma/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yms

signatures/sigma/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yms

signatures/sigma/windows/process_creation/proc_creation_win_odbcconf_response_file.yms

signatures/sigma/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yms

signatures/sigma/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yms

signatures/sigma/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yms

signatures/sigma/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yms

signatures/sigma/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yms

signatures/sigma/windows/process_creation/proc_creation_win_office_shell_tree.yms

signatures/sigma/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yms

signatures/sigma/windows/process_creation/proc_creation_win_office_susp_child_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_office_svchost_parent.yms

signatures/sigma/windows/process_creation/proc_creation_win_office_winword_dll_load.yms

signatures/sigma/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yms

signatures/sigma/windows/process_creation/proc_creation_win_pdqdeploy_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yms

signatures/sigma/windows/process_creation/proc_creation_win_perl_inline_command_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_phishinglnk_default_command.yms

signatures/sigma/windows/process_creation/proc_creation_win_php_inline_command_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_ping_hex_ip.yms

signatures/sigma/windows/process_creation/proc_creation_win_pktmon_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_plink_port_forwarding.yms

signatures/sigma/windows/process_creation/proc_creation_win_plink_susp_tunneling.yms

signatures/sigma/windows/process_creation/proc_creation_win_portqry_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_powercfg_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_audio_capture.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_base64_iex.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_base64_invoke.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_cl_invocation.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_create_service.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_dctoolbox_cmdlets_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_decode_gzip.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_disable_firewall.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_dll_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_download_cradles.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_download_dll.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_download_iex.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_download_patterns.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_email_exfil.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_encode.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_encoded_obfusc.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_exec_data_file.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_export_certificate.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_frombase64string.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_get_clipboard.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_iex_patterns.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_invocation_specific.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_invoke_commandindesktoppackage.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_public_folder.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_sam_access.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_set_acl.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_stop_service.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_webclient_casing.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_x509enrollment.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_xor_commandline.yms

signatures/sigma/windows/process_creation/proc_creation_win_powershell_zip_compress.yms

signatures/sigma/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_print_remote_file_copy.yms

signatures/sigma/windows/process_creation/proc_creation_win_process_trees_suspicious.yms

signatures/sigma/windows/process_creation/proc_creation_win_process_trees_uncommon.yms

signatures/sigma/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yms

signatures/sigma/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_pscp_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_psr_capture_screenshots.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_3proxy_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_advancedrun.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_chisel.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_cleanwipe.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_crassus.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_csexec.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_defendercheck.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_ditsnap.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_frp.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_iox.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_mouselock_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_netcat.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_ngrok.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_nimgrab.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_nircmd.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_nps.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_nsudo.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_process_hacker.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_radmin.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_rcedit_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_rclone_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_runxcmd.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_seatbelt.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_system_informer.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yms

signatures/sigma/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_pushd.yms

signatures/sigma/windows/process_creation/proc_creation_win_python_adidnsdump.yms

signatures/sigma/windows/process_creation/proc_creation_win_python_inline_command_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_python_pty_spawn.yms

signatures/sigma/windows/process_creation/proc_creation_win_query_session_exfil.yms

signatures/sigma/windows/process_creation/proc_creation_win_random_cli_args.yms

signatures/sigma/windows/process_creation/proc_creation_win_rar_compress_data.yms

signatures/sigma/windows/process_creation/proc_creation_win_rar_compression_with_password.yms

signatures/sigma/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yms

signatures/sigma/windows/process_creation/proc_creation_win_rasdial_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yms

signatures/sigma/windows/process_creation/proc_creation_win_recon_via_process_injection.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_add_run_key.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_add_safeboot.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_bitlocker.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_defender_exclusion.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_delete_safeboot.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_delete_services.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_disable_sec_services.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_machineguid.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_open_command.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_query_registry.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_screensaver.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_software_discovery.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_susp_paths.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_volsnap_disable.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yms

signatures/sigma/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yms

signatures/sigma/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yms

signatures/sigma/windows/process_creation/proc_creation_win_regedit_export_keys.yms

signatures/sigma/windows/process_creation/proc_creation_win_regedit_import_keys.yms

signatures/sigma/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yms

signatures/sigma/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yms

signatures/sigma/windows/process_creation/proc_creation_win_regini_ads.yms

signatures/sigma/windows/process_creation/proc_creation_win_regini_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yms

signatures/sigma/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yms

signatures/sigma/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yms

signatures/sigma/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yms

signatures/sigma/windows/process_creation/proc_creation_win_registry_logon_script.yms

signatures/sigma/windows/process_creation/proc_creation_win_registry_new_network_provider.yms

signatures/sigma/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yms

signatures/sigma/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yms

signatures/sigma/windows/process_creation/proc_creation_win_registry_reflective_assembly_load.yms

signatures/sigma/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yms

signatures/sigma/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yms

signatures/sigma/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yms

signatures/sigma/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yms

signatures/sigma/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yms

signatures/sigma/windows/process_creation/proc_creation_win_regsvr32_remote_share.yms

signatures/sigma/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yms

signatures/sigma/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yms

signatures/sigma/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yms

signatures/sigma/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yms

signatures/sigma/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yms

signatures/sigma/windows/process_creation/proc_creation_win_remote_access_software_ultraviewer.yms

signatures/sigma/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yms

signatures/sigma/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yms

signatures/sigma/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yms

signatures/sigma/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yms

signatures/sigma/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yms

signatures/sigma/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yms

signatures/sigma/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yms

signatures/sigma/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yms

signatures/sigma/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yms

signatures/sigma/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yms

signatures/sigma/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_access.yms

signatures/sigma/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yms

signatures/sigma/windows/process_creation/proc_creation_win_remote_time_discovery.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_adfind.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_autohotkey.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_autoit.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_binary.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_browsercore.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_createdump.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_dctask64.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_dsquery.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_ftp.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_gpg4win.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_jusched.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_mavinject.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_megasync.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_msdt.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_office_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_paexec.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_plink.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_portqry.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_pressanykey.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_pscp.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_rurat.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_vlc.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_vmnat.yms

signatures/sigma/windows/process_creation/proc_creation_win_renamed_whoami.yms

signatures/sigma/windows/process_creation/proc_creation_win_rpcping_credential_capture.yms

signatures/sigma/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_keymgr.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_no_params.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_run_locations.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_script_run.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_susp_activity.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_sys.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_unc_path.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_user32_dll.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_rundll32_without_parameters.yms

signatures/sigma/windows/process_creation/proc_creation_win_runonce_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yms

signatures/sigma/windows/process_creation/proc_creation_win_sc_create_service.yms

signatures/sigma/windows/process_creation/proc_creation_win_sc_disable_service.yms

signatures/sigma/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yms

signatures/sigma/windows/process_creation/proc_creation_win_sc_query.yms

signatures/sigma/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yms

signatures/sigma/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yms

signatures/sigma/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yms

signatures/sigma/windows/process_creation/proc_creation_win_sc_sdset_modification.yms

signatures/sigma/windows/process_creation/proc_creation_win_sc_service_path_modification.yms

signatures/sigma/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yms

signatures/sigma/windows/process_creation/proc_creation_win_sc_stop_service.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_change.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_creation.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_delete.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_delete_all.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_disable.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_env_folder.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_folder_combos.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_parent.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_reg_loader.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_schedule_type.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yms

signatures/sigma/windows/process_creation/proc_creation_win_schtasks_system.yms

signatures/sigma/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yms

signatures/sigma/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yms

signatures/sigma/windows/process_creation/proc_creation_win_sdclt_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yms

signatures/sigma/windows/process_creation/proc_creation_win_sdiagnhost_susp_desendant.yms

signatures/sigma/windows/process_creation/proc_creation_win_secedit_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_servu_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yms

signatures/sigma/windows/process_creation/proc_creation_win_sharp_dpapi.yms

signatures/sigma/windows/process_creation/proc_creation_win_sharp_wmi.yms

signatures/sigma/windows/process_creation/proc_creation_win_sharp_wsus.yms

signatures/sigma/windows/process_creation/proc_creation_win_shutdown_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_shutdown_logoff.yms

signatures/sigma/windows/process_creation/proc_creation_win_smss_cli_anomaly.yms

signatures/sigma/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yms

signatures/sigma/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yms

signatures/sigma/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yms

signatures/sigma/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yms

signatures/sigma/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yms

signatures/sigma/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yms

signatures/sigma/windows/process_creation/proc_creation_win_ssh_port_forward.yms

signatures/sigma/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yms

signatures/sigma/windows/process_creation/proc_creation_win_ssm_agent_abuse.yms

signatures/sigma/windows/process_creation/proc_creation_win_stop_eset_av_cli.yms

signatures/sigma/windows/process_creation/proc_creation_win_stop_kaspersky_kes_cli.yms

signatures/sigma/windows/process_creation/proc_creation_win_stop_symantec_sep_cli.yms

signatures/sigma/windows/process_creation/proc_creation_win_stop_trendmicro_deepsecurity_agent_cli.yms

signatures/sigma/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_sups_cli_websites.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_16bit_application.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_ads_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_alias_powershell.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_appx_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_automated_collection.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_calc.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_cipher_encrypt.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_cli_websites_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_command_apolloc2.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_commandline_confusion.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_compressed_children.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_copy_browser_data.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_copy_system_dir.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_createevent.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_defender_exclusions_added.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_disable_raccine.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_double_extension.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_double_extension_parent.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_download_office_domain.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_electron_app_children.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_eventlog_clear.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_execution_path.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_file_characteristics.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_file_data_folders.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_image_missing.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_injected_into_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_network_command.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_network_scan_loop.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_non_exe_image.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_ntds.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_office_token_search.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_parents.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_private_keys_recon.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_progname.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_ps1_obfuscation_patterns_nov21.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_ps_commandline_payload_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_ps_commandline_usage.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_ps_download_cradles.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_ps_iex_patterns.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_ps_obfuscation.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_pscp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_recon.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_right_to_left_override.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_rundll32_allocconsole.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_sc_query.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_scheduled_tasks_running_system_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_schtasks_trigger.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_schtasks_wscript.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_service_creation.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_service_dir.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_service_tamper.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_shellcode_cli.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_svchost_uncommon_children.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_svchost_unknown_host_group.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_svchost_unsuspected_children.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_sysnative.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_sysvol_access.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_userinit_child.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_whoami_as_param.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_wmi_process_tree.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_wmi_queries.yms

signatures/sigma/windows/process_creation/proc_creation_win_susp_workfolders.yms

signatures/sigma/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yms

signatures/sigma/windows/process_creation/proc_creation_win_svchost_susp_parent_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yms

signatures/sigma/windows/process_creation/proc_creation_win_symantec_sshelper_lolbin.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_procdump.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_psloglist.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_psservice.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_sdelete.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yms

signatures/sigma/windows/process_creation/proc_creation_win_sysprep_appdata.yms

signatures/sigma/windows/process_creation/proc_creation_win_system_processes_child_process_anomaly.yms

signatures/sigma/windows/process_creation/proc_creation_win_system_processes_cli_anomaly.yms

signatures/sigma/windows/process_creation/proc_creation_win_systeminfo_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yms

signatures/sigma/windows/process_creation/proc_creation_win_tabshell_exploit.yms

signatures/sigma/windows/process_creation/proc_creation_win_takeown_recursive_own.yms

signatures/sigma/windows/process_creation/proc_creation_win_tamper_defender_features.yms

signatures/sigma/windows/process_creation/proc_creation_win_tapinstall_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_taskkill_av.yms

signatures/sigma/windows/process_creation/proc_creation_win_taskkill_sep.yms

signatures/sigma/windows/process_creation/proc_creation_win_tasklist_basic_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_taskmgr_localsystem.yms

signatures/sigma/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yms

signatures/sigma/windows/process_creation/proc_creation_win_tokenvator.yms

signatures/sigma/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yms

signatures/sigma/windows/process_creation/proc_creation_win_tscon_localsystem.yms

signatures/sigma/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yms

signatures/sigma/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yms

signatures/sigma/windows/process_creation/proc_creation_win_typo_squating_builtin_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_winsat.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_wmp.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yms

signatures/sigma/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yms

signatures/sigma/windows/process_creation/proc_creation_win_ultravnc.yms

signatures/sigma/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_uncommon_exports.yms

signatures/sigma/windows/process_creation/proc_creation_win_uncommon_script_engines.yms

signatures/sigma/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yms

signatures/sigma/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yms

signatures/sigma/windows/process_creation/proc_creation_win_verclsid_runs_com.yms

signatures/sigma/windows/process_creation/proc_creation_win_virtualbox_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yms

signatures/sigma/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yms

signatures/sigma/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yms

signatures/sigma/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yms

signatures/sigma/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yms

signatures/sigma/windows/process_creation/proc_creation_win_w32tm.yms

signatures/sigma/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yms

signatures/sigma/windows/process_creation/proc_creation_win_wab_unusual_parents.yms

signatures/sigma/windows/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yms

signatures/sigma/windows/process_creation/proc_creation_win_wbemtest.yms

signatures/sigma/windows/process_creation/proc_creation_win_webdav_lnk_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_webshell_chopper.yms

signatures/sigma/windows/process_creation/proc_creation_win_webshell_detection.yms

signatures/sigma/windows/process_creation/proc_creation_win_webshell_detection_tree.yms

signatures/sigma/windows/process_creation/proc_creation_win_webshell_hacking.yms

signatures/sigma/windows/process_creation/proc_creation_win_webshell_recon_detection.yms

signatures/sigma/windows/process_creation/proc_creation_win_webshell_spawn.yms

signatures/sigma/windows/process_creation/proc_creation_win_webshell_spawn_tree.yms

signatures/sigma/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yms

signatures/sigma/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yms

signatures/sigma/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yms

signatures/sigma/windows/process_creation/proc_creation_win_wevtutil_recon.yms

signatures/sigma/windows/process_creation/proc_creation_win_wget_download_direct_ip.yms

signatures/sigma/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yms

signatures/sigma/windows/process_creation/proc_creation_win_where_browser_data_recon.yms

signatures/sigma/windows/process_creation/proc_creation_win_whoami_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_whoami_groups_discovery.yms

signatures/sigma/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yms

signatures/sigma/windows/process_creation/proc_creation_win_whoami_priv_discovery.yms

signatures/sigma/windows/process_creation/proc_creation_win_whoami_susp_flags.yms

signatures/sigma/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yms

signatures/sigma/windows/process_creation/proc_creation_win_winget_add_custom_source.yms

signatures/sigma/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yms

signatures/sigma/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yms

signatures/sigma/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yms

signatures/sigma/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yms

signatures/sigma/windows/process_creation/proc_creation_win_winrar_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_winrm_awl_bypass.yms

signatures/sigma/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yms

signatures/sigma/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_winrm_susp_child_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_winzip_password_compression.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmi_security_center_namespace.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_namespace_defender.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_process_creation.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_recon_group.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_recon_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_recon_product.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_recon_product_class.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_recon_service.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_remote_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_service_manipulation.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_uninstall_application.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yms

signatures/sigma/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yms

signatures/sigma/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yms

signatures/sigma/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yms

signatures/sigma/windows/process_creation/proc_creation_win_wscript_cscript_susp_exec_uncommon_extension.yms

signatures/sigma/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yms

signatures/sigma/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yms

signatures/sigma/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_wuauclt_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yms

signatures/sigma/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yms

signatures/sigma/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yms

signatures/sigma/windows/process_creation/proc_creation_win_wusa_remove_update.yms

signatures/sigma/windows/process_creation/proc_creation_win_xor_encoded_powershell.yms

signatures/sigma/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yms

signatures/sigma/windows/registry/registry_add/registry_add_malware_netwire.yms

signatures/sigma/windows/registry/registry_add/registry_add_malware_ursnif.yms

signatures/sigma/windows/registry/registry_add/registry_add_persistence_amsi_providers.yms

signatures/sigma/windows/registry/registry_add/registry_add_persistence_com_key_linking.yms

signatures/sigma/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yms

signatures/sigma/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yms

signatures/sigma/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yms

signatures/sigma/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yms

signatures/sigma/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yms

signatures/sigma/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yms

signatures/sigma/windows/registry/registry_delete/registry_delete_logging_providers.yms

signatures/sigma/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yms

signatures/sigma/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yms

signatures/sigma/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yms

signatures/sigma/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yms

signatures/sigma/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yms

signatures/sigma/windows/registry/registry_event/registry_event_add_local_hidden_user.yms

signatures/sigma/windows/registry/registry_event/registry_event_apt_leviathan.yms

signatures/sigma/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yms

signatures/sigma/windows/registry/registry_event/registry_event_apt_oilrig_mar18.yms

signatures/sigma/windows/registry/registry_event/registry_event_apt_pandemic.yms

signatures/sigma/windows/registry/registry_event/registry_event_bypass_via_wsreset.yms

signatures/sigma/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yms

signatures/sigma/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yms

signatures/sigma/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yms

signatures/sigma/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yms

signatures/sigma/windows/registry/registry_event/registry_event_hack_wce_reg.yms

signatures/sigma/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yms

signatures/sigma/windows/registry/registry_event/registry_event_mal_azorult.yms

signatures/sigma/windows/registry/registry_event/registry_event_mal_flowcloud.yms

signatures/sigma/windows/registry/registry_event/registry_event_malware_qakbot_registry.yms

signatures/sigma/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yms

signatures/sigma/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yms

signatures/sigma/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yms

signatures/sigma/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yms

signatures/sigma/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yms

signatures/sigma/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yms

signatures/sigma/windows/registry/registry_event/registry_event_office_test_regadd.yms

signatures/sigma/windows/registry/registry_event/registry_event_office_trust_record_modification.yms

signatures/sigma/windows/registry/registry_event/registry_event_persistence_recycle_bin.yms

signatures/sigma/windows/registry/registry_event/registry_event_portproxy_registry_key.yms

signatures/sigma/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yms

signatures/sigma/windows/registry/registry_event/registry_event_runkey_dcbot.yms

signatures/sigma/windows/registry/registry_event/registry_event_runkey_dropit_framework.yms

signatures/sigma/windows/registry/registry_event/registry_event_runkey_pyloggy.yms

signatures/sigma/windows/registry/registry_event/registry_event_runkey_winekey.yms

signatures/sigma/windows/registry/registry_event/registry_event_runonce_persistence.yms

signatures/sigma/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yms

signatures/sigma/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yms

signatures/sigma/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yms

signatures/sigma/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yms

signatures/sigma/windows/registry/registry_event/registry_event_susp_atbroker_change.yms

signatures/sigma/windows/registry/registry_event/registry_event_susp_download_run_key.yms

signatures/sigma/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yms

signatures/sigma/windows/registry/registry_event/registry_event_susp_mic_cam_access.yms

signatures/sigma/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yms

signatures/sigma/windows/registry/registry_set/registry_set_add_port_monitor.yms

signatures/sigma/windows/registry/registry_set/registry_set_aedebug_persistence.yms

signatures/sigma/windows/registry/registry_set/registry_set_allow_protected_renames.yms

signatures/sigma/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yms

signatures/sigma/windows/registry/registry_set/registry_set_amsi_com_hijack.yms

signatures/sigma/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yms

signatures/sigma/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yms

signatures/sigma/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yms

signatures/sigma/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yms

signatures/sigma/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yms

signatures/sigma/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yms

signatures/sigma/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yms

signatures/sigma/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yms

signatures/sigma/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yms

signatures/sigma/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yms

signatures/sigma/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yms

signatures/sigma/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yms

signatures/sigma/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yms

signatures/sigma/windows/registry/registry_set/registry_set_bginfo_custom_db.yms

signatures/sigma/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yms

signatures/sigma/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yms

signatures/sigma/windows/registry/registry_set/registry_set_blackbyte_ransomware.yms

signatures/sigma/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yms

signatures/sigma/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yms

signatures/sigma/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yms

signatures/sigma/windows/registry/registry_set/registry_set_change_rdp_port.yms

signatures/sigma/windows/registry/registry_set/registry_set_change_security_zones.yms

signatures/sigma/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yms

signatures/sigma/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yms

signatures/sigma/windows/registry/registry_set/registry_set_chrome_extension.yms

signatures/sigma/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yms

signatures/sigma/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yms

signatures/sigma/windows/registry/registry_set/registry_set_comhijack_sdclt.yms

signatures/sigma/windows/registry/registry_set/registry_set_crashdump_disabled.yms

signatures/sigma/windows/registry/registry_set/registry_set_creation_service_susp_folder.yms

signatures/sigma/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yms

signatures/sigma/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yms

signatures/sigma/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yms

signatures/sigma/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yms

signatures/sigma/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yms

signatures/sigma/windows/registry/registry_set/registry_set_defender_exclusions.yms

signatures/sigma/windows/registry/registry_set/registry_set_deviceguard_credentialguard_disabled.yms

signatures/sigma/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yms

signatures/sigma/windows/registry/registry_set/registry_set_dhcp_calloutdll.yms

signatures/sigma/windows/registry/registry_set/registry_set_disable_administrative_share.yms

signatures/sigma/windows/registry/registry_set/registry_set_disable_autologger_sessions.yms

signatures/sigma/windows/registry/registry_set/registry_set_disable_defender_firewall.yms

signatures/sigma/windows/registry/registry_set/registry_set_disable_function_user.yms

signatures/sigma/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yms

signatures/sigma/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yms

signatures/sigma/windows/registry/registry_set/registry_set_disable_security_center_notifications.yms

signatures/sigma/windows/registry/registry_set/registry_set_disable_system_restore.yms

signatures/sigma/windows/registry/registry_set/registry_set_disable_uac_registry.yms

signatures/sigma/windows/registry/registry_set/registry_set_disable_windows_defender_service.yms

signatures/sigma/windows/registry/registry_set/registry_set_disable_windows_firewall.yms

signatures/sigma/windows/registry/registry_set/registry_set_disable_winevt_logging.yms

signatures/sigma/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yms

signatures/sigma/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yms

signatures/sigma/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yms

signatures/sigma/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yms

signatures/sigma/windows/registry/registry_set/registry_set_disallowrun_execution.yms

signatures/sigma/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yms

signatures/sigma/windows/registry/registry_set/registry_set_dns_over_https_enabled.yms

signatures/sigma/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yms

signatures/sigma/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yms

signatures/sigma/windows/registry/registry_set/registry_set_dropit_framework.yms

signatures/sigma/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yms

signatures/sigma/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yms

signatures/sigma/windows/registry/registry_set/registry_set_eventlog_channel_isolation_tamper.yms

signatures/sigma/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yms

signatures/sigma/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yms

signatures/sigma/windows/registry/registry_set/registry_set_fax_change_service_user.yms

signatures/sigma/windows/registry/registry_set/registry_set_fax_dll_persistance.yms

signatures/sigma/windows/registry/registry_set/registry_set_file_association_exefile.yms

signatures/sigma/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yms

signatures/sigma/windows/registry/registry_set/registry_set_hhctrl_persistence.yms

signatures/sigma/windows/registry/registry_set/registry_set_hidden_extention.yms

signatures/sigma/windows/registry/registry_set/registry_set_hide_file.yms

signatures/sigma/windows/registry/registry_set/registry_set_hide_function_user.yms

signatures/sigma/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yms

signatures/sigma/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yms

signatures/sigma/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yms

signatures/sigma/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yms

signatures/sigma/windows/registry/registry_set/registry_set_legalnotice_susp_message.yms

signatures/sigma/windows/registry/registry_set/registry_set_lime_rat_task.yms

signatures/sigma/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yms

signatures/sigma/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yms

signatures/sigma/windows/registry/registry_set/registry_set_lsass_imagefile_globalflag.yms

signatures/sigma/windows/registry/registry_set/registry_set_lsass_silentexit.yms

signatures/sigma/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yms

signatures/sigma/windows/registry/registry_set/registry_set_mal_adwind.yms

signatures/sigma/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yms

signatures/sigma/windows/registry/registry_set/registry_set_malware_blacklotus_uefi_bootkit.yms

signatures/sigma/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yms

signatures/sigma/windows/registry/registry_set/registry_set_new_application_appcompat.yms

signatures/sigma/windows/registry/registry_set/registry_set_new_network_provider.yms

signatures/sigma/windows/registry/registry_set/registry_set_odbc_driver_registered.yms

signatures/sigma/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yms

signatures/sigma/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yms

signatures/sigma/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yms

signatures/sigma/windows/registry/registry_set/registry_set_office_enable_dde.yms

signatures/sigma/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yms

signatures/sigma/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yms

signatures/sigma/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yms

signatures/sigma/windows/registry/registry_set/registry_set_office_outlook_security_settings.yms

signatures/sigma/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yms

signatures/sigma/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yms

signatures/sigma/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yms

signatures/sigma/windows/registry/registry_set/registry_set_owning_publisher_tamper.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_app_paths.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_appx_debugger.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_autodial_dll.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_chm.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_globalflags.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_ie.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_ifilter.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_lsa_extension.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_mpnotify.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_mycomputer.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_natural_language.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_office_vsto.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_pending_gpo.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_search_order.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_shim_database.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_typed_paths.yms

signatures/sigma/windows/registry/registry_set/registry_set_persistence_xll.yms

signatures/sigma/windows/registry/registry_set/registry_set_policies_associations_tamper.yms

signatures/sigma/windows/registry/registry_set/registry_set_policies_attachments_tamper.yms

signatures/sigma/windows/registry/registry_set/registry_set_powershell_as_service.yms

signatures/sigma/windows/registry/registry_set/registry_set_powershell_execution_policy.yms

signatures/sigma/windows/registry/registry_set/registry_set_powershell_in_run_keys.yms

signatures/sigma/windows/registry/registry_set/registry_set_powershell_logging_disabled.yms

signatures/sigma/windows/registry/registry_set/registry_set_protocol_handler_susp_command.yms

signatures/sigma/windows/registry/registry_set/registry_set_provisioning_command_abuse.yms

signatures/sigma/windows/registry/registry_set/registry_set_publishers_tamper.yms

signatures/sigma/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yms

signatures/sigma/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yms

signatures/sigma/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yms

signatures/sigma/windows/registry/registry_set/registry_set_servicedll_hijack.yms

signatures/sigma/windows/registry/registry_set/registry_set_services_etw_tamper.yms

signatures/sigma/windows/registry/registry_set/registry_set_set_nopolicies_user.yms

signatures/sigma/windows/registry/registry_set/registry_set_sip_persistence.yms

signatures/sigma/windows/registry/registry_set/registry_set_sophos_av_tamper.yms

signatures/sigma/windows/registry/registry_set/registry_set_special_accounts.yms

signatures/sigma/windows/registry/registry_set/registry_set_suppress_defender_notifications.yms

signatures/sigma/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yms

signatures/sigma/windows/registry/registry_set/registry_set_susp_new_service_binary.yms

signatures/sigma/windows/registry/registry_set/registry_set_susp_new_service_chars.yms

signatures/sigma/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yms

signatures/sigma/windows/registry/registry_set/registry_set_susp_printer_driver.yms

signatures/sigma/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yms

signatures/sigma/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yms

signatures/sigma/windows/registry/registry_set/registry_set_susp_scheduled_tasknames.yms

signatures/sigma/windows/registry/registry_set/registry_set_susp_service_installed.yms

signatures/sigma/windows/registry/registry_set/registry_set_susp_user_shell_folders.yms

signatures/sigma/windows/registry/registry_set/registry_set_susp_windows_update_settings.yms

signatures/sigma/windows/registry/registry_set/registry_set_suspicious_env_variables.yms

signatures/sigma/windows/registry/registry_set/registry_set_tamper_notifications_settings.yms

signatures/sigma/windows/registry/registry_set/registry_set_taskcache_entry.yms

signatures/sigma/windows/registry/registry_set/registry_set_telemetry_persistence.yms

signatures/sigma/windows/registry/registry_set/registry_set_terminal_server_suspicious.yms

signatures/sigma/windows/registry/registry_set/registry_set_terminal_server_tampering.yms

signatures/sigma/windows/registry/registry_set/registry_set_timeproviders_dllname.yms

signatures/sigma/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yms

signatures/sigma/windows/registry/registry_set/registry_set_treatas_persistence.yms

signatures/sigma/windows/registry/registry_set/registry_set_turn_on_dev_features.yms

signatures/sigma/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yms

signatures/sigma/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yms

signatures/sigma/windows/registry/registry_set/registry_set_uac_bypass_winsat.yms

signatures/sigma/windows/registry/registry_set/registry_set_uac_bypass_wmp.yms

signatures/sigma/windows/registry/registry_set/registry_set_uefi_boot_config_susp_changes.yms

signatures/sigma/windows/registry/registry_set/registry_set_vault7_com_hijacking.yms

signatures/sigma/windows/registry/registry_set/registry_set_vbs_payload_stored.yms

signatures/sigma/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yms

signatures/sigma/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yms

signatures/sigma/windows/registry/registry_set/registry_set_windows_defender_tamper.yms

signatures/sigma/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yms

signatures/sigma/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yms

signatures/sigma/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yms

signatures/sigma/windows/registry/registry_set/registry_set_winlogon_notify_key.yms

signatures/sigma/windows/registry_setinfo/registry_setinfo_key_timestomp.yms

signatures/sigma/windows/sysmon/sysmon_config_modification.yms

signatures/sigma/windows/sysmon/sysmon_config_modification_error.yms

signatures/sigma/windows/sysmon/sysmon_config_modification_status.yms

signatures/sigma/windows/sysmon/sysmon_file_block_exe.yms

signatures/sigma/windows/sysmon/sysmon_file_block_shredding.yms

signatures/sigma/windows/sysmon/sysmon_file_executable.yms

signatures/sigma/windows/sysmon/sysmon_process_hollowing.yms

signatures/sigma/windows/wmi_event/sysmon_wmi_event_subscription.yms

signatures/sigma/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yms

signatures/sigma/windows/wmi_event/sysmon_wmi_susp_scripting.yms

signatures/sigmarev

signatures/sigrev

signatures/yara/thor-all.yas

signatures/yara/thor-deepscan-selectors.yasx

signatures/yara/thor-expensive.yase

signatures/yara/thor-keywords.yas

signatures/yara/thor-log-sigs.yas

signatures/yara/thor-meta.yas

signatures/yara/thor-peids.yas

signatures/yara/thor-process-memory-sigs.yas

signatures/yara/thor-registry.yas

thor-util.exe.sig

thor.exe

.exe windows:6 windows x86

e776111f96047606cb93cdb59880f00c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE

IMAGE_FILE_LINE_NUMS_STRIPPED

IMAGE_FILE_LOCAL_SYMS_STRIPPED

IMAGE_FILE_32BIT_MACHINE

IMAGE_FILE_DEBUG_STRIPPED

Imports

advapi32

AdjustTokenPrivileges

dbghelp

StackWalk

kernel32

GetVersion

GetVersionExA

GetVersionExW

GetSystemTimeAsFileTime

HeapAlloc

HeapFree

ExitProcess

GetModuleHandleA

LoadLibraryA

GetProcAddress

msvcrt

__getmainargs

ntdll

NtCreateFile

psapi

EnumProcessModules

shlwapi

PathCanonicalizeA

user32

GetProcessWindowStation

Exports

_cgo_dummy_export

authorizerTrampoline

callbackTrampoline

commitHookTrampoline

compareTrampoline

compilerCallback

doneTrampoline

freeCallback

includeCallback

memoryBlockFetch

memoryBlockFetchNull

memoryBlockIteratorFilesize

memoryBlockIteratorFirst

memoryBlockIteratorNext

preUpdateHookTrampoline

rollbackHookTrampoline

scanCallbackFunc

stepTrampoline

streamRead

streamWrite

updateHookTrampoline

Sections

.text
Size: - Virtual size: 17.0MB

IMAGE_SCN_CNT_CODE

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_EXECUTE

IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 774KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

.rdata
Size: - Virtual size: 22.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

.eh_fram
Size: - Virtual size: 958KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 269KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

.edata
Size: - Virtual size: 656B

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

.idata
Size: - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

.CRT
Size: - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

.uCare0
Size: - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

.uCare1
Size: - Virtual size: 8.9MB

IMAGE_SCN_CNT_CODE

IMAGE_SCN_MEM_EXECUTE

IMAGE_SCN_MEM_READ

.uCare2
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

.uCare3
Size: 23.2MB - Virtual size: 23.2MB

IMAGE_SCN_CNT_CODE

IMAGE_SCN_MEM_EXECUTE

IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

.rsrc
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

thor.exe.sig

thor64.exe

.exe windows:6 windows x64

2f755314ccc9020297f145f615330031

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE

IMAGE_FILE_LINE_NUMS_STRIPPED

IMAGE_FILE_LOCAL_SYMS_STRIPPED

IMAGE_FILE_LARGE_ADDRESS_AWARE

IMAGE_FILE_DEBUG_STRIPPED

Imports

advapi32

AdjustTokenPrivileges

dbghelp

StackWalk64

kernel32

GetVersion

GetVersionExA

GetVersionExW

GetSystemTimeAsFileTime

HeapAlloc

HeapFree

ExitProcess

GetModuleHandleA

LoadLibraryA

GetProcAddress

msvcrt

___lc_codepage_func

ntdll

NtCreateFile

psapi

EnumProcessModulesEx

shlwapi

PathCanonicalizeA

user32

GetProcessWindowStation

Exports

_cgo_dummy_export

authorizerTrampoline

callbackTrampoline

commitHookTrampoline

compareTrampoline

compilerCallback

doneTrampoline

freeCallback

includeCallback

memoryBlockFetch

memoryBlockFetchNull

memoryBlockIteratorFilesize

memoryBlockIteratorFirst

memoryBlockIteratorNext

preUpdateHookTrampoline

rollbackHookTrampoline

scanCallbackFunc

stepTrampoline

streamRead

streamWrite

updateHookTrampoline

Sections

.text
Size: - Virtual size: 19.1MB

IMAGE_SCN_CNT_CODE

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_EXECUTE

IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 1.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

.rdata
Size: - Virtual size: 23.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

.pdata
Size: - Virtual size: 267KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

.xdata
Size: - Virtual size: 285KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 485KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

.edata
Size: - Virtual size: 656B

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

.idata
Size: - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

.CRT
Size: - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

.uCare0
Size: - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

.uCare1
Size: - Virtual size: 7.5MB

IMAGE_SCN_CNT_CODE

IMAGE_SCN_MEM_EXECUTE

IMAGE_SCN_MEM_READ

.uCare2
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

.uCare3
Size: 22.4MB - Virtual size: 22.4MB

IMAGE_SCN_CNT_CODE

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_EXECUTE

IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 264B

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

.rsrc
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

thor64.exe.sig

tools/UnRAR.exe

.exe windows:5 windows x86

8a029a5a06419e9e92db27b854b3a8e6

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21-12-2012 00:00

Not After

30-12-2020 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign

KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18-10-2012 00:00

Not After

29-12-2020 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

52:9e:3f:9f:cf:7d:58:d5:20:d6:07:ab:74:39:50:02
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

02-06-2017 00:00

Not After

01-06-2020 23:59

Subject

CN=win.rar GmbH,O=win.rar GmbH,POSTALCODE=10117,STREET=Marienstrasse 12,L=Berlin,ST=Berlin,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09-05-2013 00:00

Not After

08-05-2028 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

KeyUsageCertSign

KeyUsageCRLSign

52:9e:3f:9f:cf:7d:58:d5:20:d6:07:ab:74:39:50:02
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

02-06-2017 00:00

Not After

01-06-2020 23:59

Subject

CN=win.rar GmbH,O=win.rar GmbH,POSTALCODE=10117,STREET=Marienstrasse 12,L=Berlin,ST=Berlin,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09-05-2013 00:00

Not After

08-05-2028 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

KeyUsageCertSign

KeyUsageCRLSign

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

Issuer

Not Before

12-01-2016 00:00

Not After

11-01-2031 23:59

Subject

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign

KeyUsageCRLSign

54:58:f2:aa:d7:41:d6:44:bc:84:a9:7b:a0:96:52:e6
Certificate

Issuer

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

02-01-2017 00:00

Not After

01-04-2028 23:59

Subject

CN=Symantec SHA256 TimeStamping Signer - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0b:39:99:11:d8:bf:9d:7d:04:8f:f9:24:bd:bb:5a:70:88:d4:e0:0f:59:4e:1f:16:39:07:ed:ee:53:09:07:d3
Signer

Actual PE Digest

0b:39:99:11:d8:bf:9d:7d:04:8f:f9:24:bd:bb:5a:70:88:d4:e0:0f:59:4e:1f:16:39:07:ed:ee:53:09:07:d3

Digest Algorithm

sha256

PE Digest Matches

true

f6:80:12:43:81:de:b7:f7:c7:61:e9:fe:b4:27:ef:10:50:b7:31:26
Signer

Actual PE Digest

f6:80:12:43:81:de:b7:f7:c7:61:e9:fe:b4:27:ef:10:50:b7:31:26

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE

IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetCurrentProcess

DeviceIoControl

SetFileTime

CloseHandle

CreateDirectoryW

RemoveDirectoryW

CreateFileW

DeleteFileW

CreateHardLinkW

GetShortPathNameW

GetLongPathNameW

MoveFileW

ReadFile

FlushFileBuffers

SetEndOfFile

SetFilePointer

GetDriveTypeW

GetDiskFreeSpaceExW

SetFileAttributesW

GetFileAttributesW

GetVolumeInformationW

ExpandEnvironmentStringsW

FindClose

FindFirstFileW

FindNextFileW

GetVersionExW

GetModuleFileNameW

GetCurrentDirectoryW

GetFullPathNameW

FoldStringW

SetErrorMode

GetModuleHandleW

FreeLibrary

LoadLibraryW

LoadLibraryExW

GetProcAddress

GetCurrentProcessId

GetCurrentThread

SetConsoleCtrlHandler

SetThreadExecutionState

GetSystemDirectoryW

SetPriorityClass

GetProcessAffinityMask

CreateThread

InitializeCriticalSection

EnterCriticalSection

LeaveCriticalSection

DeleteCriticalSection

SetEvent

ResetEvent

ReleaseSemaphore

WaitForSingleObject

CreateEventW

CreateSemaphoreW

GetSystemTime

SystemTimeToTzSpecificLocalTime

TzSpecificLocalTimeToSystemTime

SystemTimeToFileTime

FileTimeToLocalFileTime

LocalFileTimeToFileTime

FileTimeToSystemTime

GetCPInfo

IsDBCSLeadByte

MultiByteToWideChar

WideCharToMultiByte

CompareStringW

HeapSize

DecodePointer

SetFilePointerEx

GetProcessHeap

SetEnvironmentVariableA

FreeEnvironmentStringsW

GetEnvironmentStringsW

GetOEMCP

IsValidCodePage

FormatMessageW

Sleep

SetLastError

GetLastError

LocalFree

WriteConsoleW

ReadConsoleW

SetConsoleMode

GetConsoleMode

WriteFile

GetStdHandle

GetFileType

SetThreadPriority

GetCommandLineW

FindNextFileA

FindFirstFileExA

SetStdHandle

UnhandledExceptionFilter

SetUnhandledExceptionFilter

TerminateProcess

IsProcessorFeaturePresent

WaitForSingleObjectEx

IsDebuggerPresent

GetStartupInfoW

QueryPerformanceCounter

GetCurrentThreadId

GetSystemTimeAsFileTime

InitializeSListHead

EncodePointer

RtlUnwind

RaiseException

InitializeCriticalSectionAndSpinCount

TlsAlloc

TlsGetValue

TlsSetValue

TlsFree

ExitProcess

GetModuleHandleExW

QueryPerformanceFrequency

GetModuleFileNameA

GetCommandLineA

GetACP

HeapFree

HeapAlloc

HeapReAlloc

GetStringTypeW

LCMapStringW

GetConsoleCP

user32

CharLowerW

CharUpperW

MessageBeep

ExitWindowsEx

LoadStringW

CharToOemBuffW

CharToOemA

OemToCharA

OemToCharBuffA

advapi32

FreeSid

AllocateAndInitializeSid

RegQueryValueExW

RegOpenKeyExW

RegCloseKey

LookupPrivilegeValueW

SetFileSecurityW

AdjustTokenPrivileges

OpenProcessToken

CheckTokenMembership

shell32

SHGetSpecialFolderLocation

SHGetPathFromIDListW

SHGetMalloc

Sections

.text
Size: 264KB - Virtual size: 263KB

IMAGE_SCN_CNT_CODE

IMAGE_SCN_MEM_EXECUTE

IMAGE_SCN_MEM_READ

.rdata
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 84KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 240B

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

.rsrc
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_DISCARDABLE

IMAGE_SCN_MEM_READ

tools/UnRAR.exe.sig

tools/bifrost-server.py

.py .sh linux

tools/bifrost-server.py.sig

tools/remote-run/Run-Thor.ps1

.ps1

tools/remote-run/Run-Thor.ps1.sig

tools/remote-run/thor-remote-share.bat

tools/remote-run/thor-remote-share.bat.sig

tools/upx.exe

.exe windows:4 windows x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED

IMAGE_FILE_EXECUTABLE_IMAGE

IMAGE_FILE_LINE_NUMS_STRIPPED

IMAGE_FILE_LOCAL_SYMS_STRIPPED

IMAGE_FILE_32BIT_MACHINE

IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: - Virtual size: 1.6MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA

IMAGE_SCN_MEM_EXECUTE

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

UPX1
Size: 392KB - Virtual size: 396KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_EXECUTE

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA

IMAGE_SCN_MEM_READ

IMAGE_SCN_MEM_WRITE

tools/upx.exe.sig

Sharing

General

Malware Config

Signatures

Files

e776111f96047606cb93cdb59880f00c

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

dbghelp

kernel32

msvcrt

ntdll

psapi

shlwapi

user32

Exports

Exports

Sections

.text Size: - Virtual size: 17.0MB

.data Size: - Virtual size: 774KB

.rdata Size: - Virtual size: 22.8MB

.eh_fram Size: - Virtual size: 958KB

.bss Size: - Virtual size: 269KB

.edata Size: - Virtual size: 656B

.idata Size: - Virtual size: 9KB

.CRT Size: - Virtual size: 52B

.tls Size: - Virtual size: 8B

.uCare0 Size: - Virtual size: 25KB

.uCare1 Size: - Virtual size: 8.9MB

.uCare2 Size: 2KB - Virtual size: 2KB

.uCare3 Size: 23.2MB - Virtual size: 23.2MB

.reloc Size: 2KB - Virtual size: 1KB

.rsrc Size: 26KB - Virtual size: 25KB

2f755314ccc9020297f145f615330031

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

dbghelp

kernel32

msvcrt

ntdll

psapi

shlwapi

user32

Exports

Exports

Sections

.text Size: - Virtual size: 19.1MB

.data Size: - Virtual size: 1.0MB

.rdata Size: - Virtual size: 23.9MB

.pdata Size: - Virtual size: 267KB

.xdata Size: - Virtual size: 285KB

.bss Size: - Virtual size: 485KB

.edata Size: - Virtual size: 656B

.idata Size: - Virtual size: 11KB

.CRT Size: - Virtual size: 104B

.tls Size: - Virtual size: 16B

.uCare0 Size: - Virtual size: 25KB

.uCare1 Size: - Virtual size: 7.5MB

.uCare2 Size: 4KB - Virtual size: 4KB

.uCare3 Size: 22.4MB - Virtual size: 22.4MB

.reloc Size: 512B - Virtual size: 264B

.rsrc Size: 26KB - Virtual size: 25KB

8a029a5a06419e9e92db27b854b3a8e6

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

52:9e:3f:9f:cf:7d:58:d5:20:d6:07:ab:74:39:50:02Certificate

Extended Key Usages

Key Usages

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:afCertificate

.text
Size: - Virtual size: 17.0MB

.data
Size: - Virtual size: 774KB

.rdata
Size: - Virtual size: 22.8MB

.eh_fram
Size: - Virtual size: 958KB

.bss
Size: - Virtual size: 269KB

.edata
Size: - Virtual size: 656B

.idata
Size: - Virtual size: 9KB

.CRT
Size: - Virtual size: 52B

.tls
Size: - Virtual size: 8B

.uCare0
Size: - Virtual size: 25KB

.uCare1
Size: - Virtual size: 8.9MB

.uCare2
Size: 2KB - Virtual size: 2KB

.uCare3
Size: 23.2MB - Virtual size: 23.2MB

.reloc
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 26KB - Virtual size: 25KB

.text
Size: - Virtual size: 19.1MB

.data
Size: - Virtual size: 1.0MB

.rdata
Size: - Virtual size: 23.9MB

.pdata
Size: - Virtual size: 267KB

.xdata
Size: - Virtual size: 285KB

.bss
Size: - Virtual size: 485KB

.edata
Size: - Virtual size: 656B

.idata
Size: - Virtual size: 11KB

.CRT
Size: - Virtual size: 104B

.tls
Size: - Virtual size: 16B

.uCare0
Size: - Virtual size: 25KB

.uCare1
Size: - Virtual size: 7.5MB

.uCare2
Size: 4KB - Virtual size: 4KB

.uCare3
Size: 22.4MB - Virtual size: 22.4MB

.reloc
Size: 512B - Virtual size: 264B

.rsrc
Size: 26KB - Virtual size: 25KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

52:9e:3f:9f:cf:7d:58:d5:20:d6:07:ab:74:39:50:02
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

52:9e:3f:9f:cf:7d:58:d5:20:d6:07:ab:74:39:50:02
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

54:58:f2:aa:d7:41:d6:44:bc:84:a9:7b:a0:96:52:e6
Certificate

0b:39:99:11:d8:bf:9d:7d:04:8f:f9:24:bd:bb:5a:70:88:d4:e0:0f:59:4e:1f:16:39:07:ed:ee:53:09:07:d3
Signer

f6:80:12:43:81:de:b7:f7:c7:61:e9:fe:b4:27:ef:10:50:b7:31:26
Signer

.text
Size: 264KB - Virtual size: 263KB

.rdata
Size: 38KB - Virtual size: 37KB

.data
Size: 4KB - Virtual size: 84KB

.gfids
Size: 512B - Virtual size: 240B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 30KB - Virtual size: 30KB

.reloc
Size: 9KB - Virtual size: 8KB

UPX0
Size: - Virtual size: 1.6MB

UPX1
Size: 392KB - Virtual size: 396KB

.rsrc
Size: 2KB - Virtual size: 4KB