Files

.github
detection_rules
docs-dev
docs
hunting
lib
rules
rules_building_block
- .gitkeep
- collection_archive_data_zip_imageload.toml
- collection_common_compressed_archived_file.toml
- collection_files_staged_in_recycle_bin_root.toml
- collection_outlook_email_archive.toml
- collection_posh_compression.toml
- command_and_control_bitsadmin_activity.toml
- command_and_control_certutil_network_connection.toml
- command_and_control_non_standard_http_port.toml
- credential_access_iis_apppoolsa_pwd_appcmd.toml
- credential_access_mdmp_file_creation.toml
- credential_access_mdmp_file_unusual_extension.toml
- credential_access_win_private_key_access.toml
- defense_evasion_aws_rds_snapshot_created.toml
- defense_evasion_cmd_copy_binary_contents.toml
- defense_evasion_cmstp_execution.toml
- defense_evasion_collection_masquerading_unusual_archive_file_extension.toml
- defense_evasion_dll_hijack.toml
- defense_evasion_dotnet_clickonce_dfsvc_netcon.toml
- defense_evasion_download_susp_extension.toml
- defense_evasion_execution_via_visualstudio_prebuildevent.toml
- defense_evasion_file_permission_modification.toml
- defense_evasion_generic_deletion.toml
- defense_evasion_indirect_command_exec_pcalua_forfiles.toml
- defense_evasion_injection_from_msoffice.toml
- defense_evasion_installutil_command_activity.toml
- defense_evasion_invalid_codesign_imageload.toml
- defense_evasion_masquerading_browsers.toml
- defense_evasion_masquerading_unusual_exe_file_extension.toml
- defense_evasion_masquerading_vlc_dll.toml
- defense_evasion_masquerading_windows_dll.toml
- defense_evasion_masquerading_windows_system32_exe.toml
- defense_evasion_msdt_suspicious_diagcab.toml
- defense_evasion_msiexec_installsource_archive_file.toml
- defense_evasion_outlook_suspicious_child.toml
- defense_evasion_posh_defender_tampering.toml
- defense_evasion_powershell_clear_logs_script.toml
- defense_evasion_processes_with_trailing_spaces.toml
- defense_evasion_service_disabled_registry.toml
- defense_evasion_service_path_registry.toml
- defense_evasion_services_exe_path.toml
- defense_evasion_suspicious_msiexec_execution.toml
- defense_evasion_unsigned_bits_client.toml
- defense_evasion_unusual_process_extension.toml
- defense_evasion_unusual_process_path_wbem.toml
- defense_evasion_write_dac_access.toml
- discovery_capnetraw_capability.toml
- discovery_files_dir_systeminfo_via_cmd.toml
- discovery_generic_account_groups.toml
- discovery_generic_process_discovery.toml
- discovery_generic_registry_query.toml
- discovery_getconf_execution.toml
- discovery_hosts_file_access.toml
- discovery_internet_capabilities.toml
- discovery_kernel_module_enumeration_via_proc.toml
- discovery_linux_modprobe_enumeration.toml
- discovery_linux_sysctl_enumeration.toml
- discovery_linux_system_information_discovery.toml
- discovery_linux_system_owner_user_discovery.toml
- discovery_net_share_discovery_winlog.toml
- discovery_net_view.toml
- discovery_of_accounts_or_groups_via_builtin_tools.toml
- discovery_of_domain_groups.toml
- discovery_posh_generic.toml
- discovery_posh_password_policy.toml
- discovery_post_exploitation_external_ip_lookup.toml
- discovery_potential_memory_seeking_activity.toml
- discovery_process_discovery_via_builtin_tools.toml
- discovery_remote_system_discovery_commands_windows.toml
- discovery_security_software_wmic.toml
- discovery_signal_unusual_user_host.toml
- discovery_suspicious_proc_enumeration.toml
- discovery_system_network_connections.toml
- discovery_system_service_discovery.toml
- discovery_system_time_discovery.toml
- discovery_win_network_connections.toml
- discovery_windows_system_information_discovery.toml
- execution_aws_lambda_function_updated.toml
- execution_github_new_event_action_for_pat.toml
- execution_github_new_repo_interaction_for_pat.toml
- execution_github_new_repo_interaction_for_user.toml
- execution_github_repo_created.toml
- execution_github_repo_interaction_from_new_ip.toml
- execution_linux_segfault.toml
- execution_settingcontent_ms_file_creation.toml
- execution_unsigned_service_executable.toml
- execution_wmi_wbemtest.toml
- impact_github_member_removed_from_organization.toml
- impact_github_pat_access_revoked.toml
- impact_github_user_blocked_from_organization.toml
- initial_access_github_new_ip_address_for_pat.toml
- initial_access_github_new_ip_address_for_user.toml
- initial_access_github_new_user_agent_for_pat.toml
- initial_access_github_new_user_agent_for_user.toml
- lateral_movement_at.toml
- lateral_movement_posh_winrm_activity.toml
- lateral_movement_rdp_conn_unusual_process.toml
- lateral_movement_unusual_process_sql_accounts.toml
- lateral_movement_wmic_remote.toml
- persistence_aws_iam_login_profile_added_to_user.toml
- persistence_cap_sys_admin_added_to_new_binary.toml
- persistence_creation_of_kernel_module.toml
- persistence_github_new_pat_for_user.toml
- persistence_github_new_user_added_to_organization.toml
- persistence_iam_instance_request_to_iam_service.toml
- persistence_startup_folder_lnk.toml
- persistence_transport_agent_exchange.toml
- persistence_web_server_sus_file_creation.toml
- privilege_escalation_trap_execution.toml
tests
.gitignore
.gitmodules
.pre-commit-config.yaml
CLI.md
CONTRIBUTING.md
LICENSE.txt
Makefile
NOTICE.txt
PHILOSOPHY.md
README.md
Troubleshooting.md
pyproject.toml

rules_building_block

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Files

rules_building_block

rules_building_block

Name		Name	Last commit message	Last commit date
parent directory ..
.gitkeep		.gitkeep
collection_archive_data_zip_imageload.toml		collection_archive_data_zip_imageload.toml
collection_common_compressed_archived_file.toml		collection_common_compressed_archived_file.toml
collection_files_staged_in_recycle_bin_root.toml		collection_files_staged_in_recycle_bin_root.toml
collection_outlook_email_archive.toml		collection_outlook_email_archive.toml
collection_posh_compression.toml		collection_posh_compression.toml
command_and_control_bitsadmin_activity.toml		command_and_control_bitsadmin_activity.toml
command_and_control_certutil_network_connection.toml		command_and_control_certutil_network_connection.toml
command_and_control_non_standard_http_port.toml		command_and_control_non_standard_http_port.toml
credential_access_iis_apppoolsa_pwd_appcmd.toml		credential_access_iis_apppoolsa_pwd_appcmd.toml
credential_access_mdmp_file_creation.toml		credential_access_mdmp_file_creation.toml
credential_access_mdmp_file_unusual_extension.toml		credential_access_mdmp_file_unusual_extension.toml
credential_access_win_private_key_access.toml		credential_access_win_private_key_access.toml
defense_evasion_aws_rds_snapshot_created.toml		defense_evasion_aws_rds_snapshot_created.toml
defense_evasion_cmd_copy_binary_contents.toml		defense_evasion_cmd_copy_binary_contents.toml
defense_evasion_cmstp_execution.toml		defense_evasion_cmstp_execution.toml
defense_evasion_collection_masquerading_unusual_archive_file_extension.toml		defense_evasion_collection_masquerading_unusual_archive_file_extension.toml
defense_evasion_dll_hijack.toml		defense_evasion_dll_hijack.toml
defense_evasion_dotnet_clickonce_dfsvc_netcon.toml		defense_evasion_dotnet_clickonce_dfsvc_netcon.toml
defense_evasion_download_susp_extension.toml		defense_evasion_download_susp_extension.toml
defense_evasion_execution_via_visualstudio_prebuildevent.toml		defense_evasion_execution_via_visualstudio_prebuildevent.toml
defense_evasion_file_permission_modification.toml		defense_evasion_file_permission_modification.toml
defense_evasion_generic_deletion.toml		defense_evasion_generic_deletion.toml
defense_evasion_indirect_command_exec_pcalua_forfiles.toml		defense_evasion_indirect_command_exec_pcalua_forfiles.toml
defense_evasion_injection_from_msoffice.toml		defense_evasion_injection_from_msoffice.toml
defense_evasion_installutil_command_activity.toml		defense_evasion_installutil_command_activity.toml
defense_evasion_invalid_codesign_imageload.toml		defense_evasion_invalid_codesign_imageload.toml
defense_evasion_masquerading_browsers.toml		defense_evasion_masquerading_browsers.toml
defense_evasion_masquerading_unusual_exe_file_extension.toml		defense_evasion_masquerading_unusual_exe_file_extension.toml
defense_evasion_masquerading_vlc_dll.toml		defense_evasion_masquerading_vlc_dll.toml
defense_evasion_masquerading_windows_dll.toml		defense_evasion_masquerading_windows_dll.toml
defense_evasion_masquerading_windows_system32_exe.toml		defense_evasion_masquerading_windows_system32_exe.toml
defense_evasion_msdt_suspicious_diagcab.toml		defense_evasion_msdt_suspicious_diagcab.toml
defense_evasion_msiexec_installsource_archive_file.toml		defense_evasion_msiexec_installsource_archive_file.toml
defense_evasion_outlook_suspicious_child.toml		defense_evasion_outlook_suspicious_child.toml
defense_evasion_posh_defender_tampering.toml		defense_evasion_posh_defender_tampering.toml
defense_evasion_powershell_clear_logs_script.toml		defense_evasion_powershell_clear_logs_script.toml
defense_evasion_processes_with_trailing_spaces.toml		defense_evasion_processes_with_trailing_spaces.toml
defense_evasion_service_disabled_registry.toml		defense_evasion_service_disabled_registry.toml
defense_evasion_service_path_registry.toml		defense_evasion_service_path_registry.toml
defense_evasion_services_exe_path.toml		defense_evasion_services_exe_path.toml
defense_evasion_suspicious_msiexec_execution.toml		defense_evasion_suspicious_msiexec_execution.toml
defense_evasion_unsigned_bits_client.toml		defense_evasion_unsigned_bits_client.toml
defense_evasion_unusual_process_extension.toml		defense_evasion_unusual_process_extension.toml
defense_evasion_unusual_process_path_wbem.toml		defense_evasion_unusual_process_path_wbem.toml
defense_evasion_write_dac_access.toml		defense_evasion_write_dac_access.toml
discovery_capnetraw_capability.toml		discovery_capnetraw_capability.toml
discovery_files_dir_systeminfo_via_cmd.toml		discovery_files_dir_systeminfo_via_cmd.toml
discovery_generic_account_groups.toml		discovery_generic_account_groups.toml
discovery_generic_process_discovery.toml		discovery_generic_process_discovery.toml
discovery_generic_registry_query.toml		discovery_generic_registry_query.toml
discovery_getconf_execution.toml		discovery_getconf_execution.toml
discovery_hosts_file_access.toml		discovery_hosts_file_access.toml
discovery_internet_capabilities.toml		discovery_internet_capabilities.toml
discovery_kernel_module_enumeration_via_proc.toml		discovery_kernel_module_enumeration_via_proc.toml
discovery_linux_modprobe_enumeration.toml		discovery_linux_modprobe_enumeration.toml
discovery_linux_sysctl_enumeration.toml		discovery_linux_sysctl_enumeration.toml
discovery_linux_system_information_discovery.toml		discovery_linux_system_information_discovery.toml
discovery_linux_system_owner_user_discovery.toml		discovery_linux_system_owner_user_discovery.toml
discovery_net_share_discovery_winlog.toml		discovery_net_share_discovery_winlog.toml
discovery_net_view.toml		discovery_net_view.toml
discovery_of_accounts_or_groups_via_builtin_tools.toml		discovery_of_accounts_or_groups_via_builtin_tools.toml
discovery_of_domain_groups.toml		discovery_of_domain_groups.toml
discovery_posh_generic.toml		discovery_posh_generic.toml
discovery_posh_password_policy.toml		discovery_posh_password_policy.toml
discovery_post_exploitation_external_ip_lookup.toml		discovery_post_exploitation_external_ip_lookup.toml
discovery_potential_memory_seeking_activity.toml		discovery_potential_memory_seeking_activity.toml
discovery_process_discovery_via_builtin_tools.toml		discovery_process_discovery_via_builtin_tools.toml
discovery_remote_system_discovery_commands_windows.toml		discovery_remote_system_discovery_commands_windows.toml
discovery_security_software_wmic.toml		discovery_security_software_wmic.toml
discovery_signal_unusual_user_host.toml		discovery_signal_unusual_user_host.toml
discovery_suspicious_proc_enumeration.toml		discovery_suspicious_proc_enumeration.toml
discovery_system_network_connections.toml		discovery_system_network_connections.toml
discovery_system_service_discovery.toml		discovery_system_service_discovery.toml
discovery_system_time_discovery.toml		discovery_system_time_discovery.toml
discovery_win_network_connections.toml		discovery_win_network_connections.toml
discovery_windows_system_information_discovery.toml		discovery_windows_system_information_discovery.toml
execution_aws_lambda_function_updated.toml		execution_aws_lambda_function_updated.toml
execution_github_new_event_action_for_pat.toml		execution_github_new_event_action_for_pat.toml
execution_github_new_repo_interaction_for_pat.toml		execution_github_new_repo_interaction_for_pat.toml
execution_github_new_repo_interaction_for_user.toml		execution_github_new_repo_interaction_for_user.toml
execution_github_repo_created.toml		execution_github_repo_created.toml
execution_github_repo_interaction_from_new_ip.toml		execution_github_repo_interaction_from_new_ip.toml
execution_linux_segfault.toml		execution_linux_segfault.toml
execution_settingcontent_ms_file_creation.toml		execution_settingcontent_ms_file_creation.toml
execution_unsigned_service_executable.toml		execution_unsigned_service_executable.toml
execution_wmi_wbemtest.toml		execution_wmi_wbemtest.toml
impact_github_member_removed_from_organization.toml		impact_github_member_removed_from_organization.toml
impact_github_pat_access_revoked.toml		impact_github_pat_access_revoked.toml
impact_github_user_blocked_from_organization.toml		impact_github_user_blocked_from_organization.toml
initial_access_github_new_ip_address_for_pat.toml		initial_access_github_new_ip_address_for_pat.toml
initial_access_github_new_ip_address_for_user.toml		initial_access_github_new_ip_address_for_user.toml
initial_access_github_new_user_agent_for_pat.toml		initial_access_github_new_user_agent_for_pat.toml
initial_access_github_new_user_agent_for_user.toml		initial_access_github_new_user_agent_for_user.toml
lateral_movement_at.toml		lateral_movement_at.toml
lateral_movement_posh_winrm_activity.toml		lateral_movement_posh_winrm_activity.toml
lateral_movement_rdp_conn_unusual_process.toml		lateral_movement_rdp_conn_unusual_process.toml
lateral_movement_unusual_process_sql_accounts.toml		lateral_movement_unusual_process_sql_accounts.toml
lateral_movement_wmic_remote.toml		lateral_movement_wmic_remote.toml
persistence_aws_iam_login_profile_added_to_user.toml		persistence_aws_iam_login_profile_added_to_user.toml
persistence_cap_sys_admin_added_to_new_binary.toml		persistence_cap_sys_admin_added_to_new_binary.toml
persistence_creation_of_kernel_module.toml		persistence_creation_of_kernel_module.toml
persistence_github_new_pat_for_user.toml		persistence_github_new_pat_for_user.toml
persistence_github_new_user_added_to_organization.toml		persistence_github_new_user_added_to_organization.toml
persistence_iam_instance_request_to_iam_service.toml		persistence_iam_instance_request_to_iam_service.toml
persistence_startup_folder_lnk.toml		persistence_startup_folder_lnk.toml
persistence_transport_agent_exchange.toml		persistence_transport_agent_exchange.toml
persistence_web_server_sus_file_creation.toml		persistence_web_server_sus_file_creation.toml
privilege_escalation_trap_execution.toml		privilege_escalation_trap_execution.toml

Files

rules_building_block

Directory actions

More options

Directory actions

More options

Latest commit

History

rules_building_block

Folders and files

parent directory