threatengine.sh Sigma export
format: generic Sigma (one .yml file per rule, containing the raw rule)
rules: 174

files:
  T1222.001_ad-object-writedac-access.yml  [T1222.001]  AD Object WriteDAC Access
  T1574.001_apt27-emissary-panda-activity.yml  [T1574.001]  APT27 - Emissary Panda Activity
  T1218.011_apt29-2018-phishing-campaign-commandline-indicators.yml  [T1218.011]  APT29 2018 Phishing Campaign CommandLine Indicators
  T1218.011_apt29-2018-phishing-campaign-file-indicators.yml  [T1218.011]  APT29 2018 Phishing Campaign File Indicators
  T1003.001_apt31-judgement-panda-activity.yml  [T1003.001,T1560.001]  APT31 Judgement Panda Activity
  T1003.006_active-directory-replication-from-non-machine-account.yml  [T1003.006]  Active Directory Replication from Non Machine Account
  T1203_antivirus-exploitation-framework-detection.yml  [T1203,T1219.002]  Antivirus Exploitation Framework Detection
  T1003_antivirus-password-dumper-detection.yml  [T1003,T1003.001,T1003.002,T1558]  Antivirus Password Dumper Detection
  T1055_antivirus-printernightmare-cve-2021-34527-exploit-detection.yml  [T1055]  Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
  T1486_antivirus-ransomware-detection.yml  [T1486]  Antivirus Ransomware Detection
  T1190_arcadyan-router-exploitations.yml  [T1190]  Arcadyan Router Exploitations
  T1068_audit-cve-event.yml  [T1068,T1203,T1210,T1211,T1212,T1499.004]  Audit CVE Event
  T1059.001_bad-opsec-powershell-code-artifacts.yml  [T1059.001]  Bad Opsec Powershell Code Artifacts
  T1586_bitbucket-unauthorized-access-to-a-resource.yml  [T1586]  Bitbucket Unauthorized Access To A Resource
  T1213.003_bitbucket-unauthorized-full-data-export-triggered.yml  [T1213.003,T1586]  Bitbucket Unauthorized Full Data Export Triggered
  coldsteel-rat-cleanup-command-execution.yml  []  COLDSTEEL RAT Cleanup Command Execution
  coldsteel-rat-service-persistence-execution.yml  []  COLDSTEEL RAT Service Persistence Execution
  T1190_cve-2010-5278-exploitation-attempt.yml  [T1190]  CVE-2010-5278 Exploitation Attempt
  T1190_cve-2020-0688-exchange-exploitation-via-web-log.yml  [T1190]  CVE-2020-0688 Exchange Exploitation via Web Log
  T1190_cve-2020-10148-solarwinds-orion-api-auth-bypass.yml  [T1190]  CVE-2020-10148 SolarWinds Orion API Auth Bypass
  T1190_cve-2020-5902-f5-big-ip-exploitation-attempt.yml  [T1190]  CVE-2020-5902 F5 BIG-IP Exploitation Attempt
  T1569_cve-2021-1675-print-spooler-exploitation.yml  [T1569]  CVE-2021-1675 Print Spooler Exploitation
  T1587_cve-2021-1675-print-spooler-exploitation-filename-pattern.yml  [T1587]  CVE-2021-1675 Print Spooler Exploitation Filename Pattern
  T1569_cve-2021-1675-print-spooler-exploitation-ipc-access.yml  [T1569]  CVE-2021-1675 Print Spooler Exploitation IPC Access
  T1203_cve-2021-31979-cve-2021-33771-exploits.yml  [T1203,T1566]  CVE-2021-31979 CVE-2021-33771 Exploits
  T1203_cve-2021-31979-cve-2021-33771-exploits-by-sourgum.yml  [T1203,T1566]  CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
  T1190_cve-2021-33766-exchange-proxytoken-exploitation.yml  [T1190]  CVE-2021-33766 Exchange ProxyToken Exploitation
  T1190_cve-2021-40539-zoho-manageengine-adselfservice-plus-exploit.yml  [T1190,T1505.003]  CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
  cve-2023-23397-exploitation-attempt.yml  []  CVE-2023-23397 Exploitation Attempt
  cve-2024-1708-screenconnect-path-traversal-exploitation-secu.yml  []  CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
  cve-2024-1709-screenconnect-authentication-bypass-exploitati.yml  []  CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
  T1505.003_certificate-request-export-to-exchange-webserver.yml  [T1505.003]  Certificate Request Export to Exchange Webserver
  T1190_citrix-ads-exploitation-cve-2020-8193-cve-2020-8195.yml  [T1190]  Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
  T1190_citrix-netscaler-attack-cve-2019-19781.yml  [T1190]  Citrix Netscaler Attack CVE-2019-19781
  T1071.004_cobalt-strike-dns-beaconing.yml  [T1071.004]  Cobalt Strike DNS Beaconing
  T1055_cobaltstrike-named-pipe.yml  [T1055]  CobaltStrike Named Pipe
  T1055_cobaltstrike-named-pipe-pattern-regex.yml  [T1055]  CobaltStrike Named Pipe Pattern Regex
  T1021.002_cobaltstrike-service-installations-system.yml  [T1021.002,T1543.003,T1569.002]  CobaltStrike Service Installations - System
  T1190_confluence-exploitation-cve-2019-3398.yml  [T1190]  Confluence Exploitation CVE-2019-3398
  T1543.003_cosmicduke-service-installation.yml  [T1543.003,T1569.002]  CosmicDuke Service Installation
  T1190_dns-rce-cve-2020-1350.yml  [T1190,T1569.002]  DNS RCE CVE-2020-1350
  T1204_darkside-ransomware-pattern.yml  [T1204]  DarkSide Ransomware Pattern
  diagtrackeop-default-login-username.yml  []  DiagTrackEoP Default Login Username
  T1053.005_diamond-sleet-apt-scheduled-task-creation.yml  [T1053.005]  Diamond Sleet APT Scheduled Task Creation
  T1203_droppers-exploiting-cve-2017-11882.yml  [T1203,T1204.002,T1566.001]  Droppers Exploiting CVE-2017-11882
  dumpstack-log-defender-evasion.yml  []  DumpStack.log Defender Evasion
  T1059.003_elise-backdoor-activity.yml  [T1059.003]  Elise Backdoor Activity
  T1218.011_equation-group-dll-u-export-function-load.yml  [T1218.011]  Equation Group DLL_U Export Function Load
  T1218.011_evilnum-apt-golden-chickens-deployment-via-ocx-files.yml  [T1218.011]  EvilNum APT Golden Chickens Deployment Via OCX Files
  T1190_exchange-exploitation-cve-2021-28480.yml  [T1190]  Exchange Exploitation CVE-2021-28480
  T1036.005_exploit-for-cve-2015-1641.yml  [T1036.005]  Exploit for CVE-2015-1641
  T1203_exploit-for-cve-2017-8759.yml  [T1203,T1204.002,T1566.001]  Exploit for CVE-2017-8759
  T1068_exploiting-cve-2019-1388.yml  [T1068]  Exploiting CVE-2019-1388
  T1112_flowcloud-registry-markers.yml  [T1112]  FlowCloud Registry Markers
  T1587_foggyweb-backdoor-dll-loading.yml  [T1587]  FoggyWeb Backdoor DLL Loading
  T1190_fortinet-cve-2018-13379-exploitation.yml  [T1190]  Fortinet CVE-2018-13379 Exploitation
  T1190_fortinet-cve-2021-22123-exploitation.yml  [T1190]  Fortinet CVE-2021-22123 Exploitation
  goofy-guineapig-backdoor-service-creation.yml  []  Goofy Guineapig Backdoor Service Creation
  T1190_grafana-path-traversal-exploitation-cve-2021-43798.yml  [T1190]  Grafana Path Traversal Exploitation CVE-2021-43798
  T1036.005_greenbug-espionage-group-indicators.yml  [T1036.005,T1059.001,T1105]  Greenbug Espionage Group Indicators
  griffon-malware-attack-pattern.yml  []  Griffon Malware Attack Pattern
  T1053_hafnium-exchange-exploitation-activity.yml  [T1053,T1546]  HAFNIUM Exchange Exploitation Activity
  T1071.001_hacktool-babyshark-agent-default-url-pattern.yml  [T1071.001]  HackTool - BabyShark Agent Default URL Pattern
  T1003.001_hacktool-credential-dumping-tools-named-pipe-created.yml  [T1003.001,T1003.002,T1003.004,T1003.005]  HackTool - Credential Dumping Tools Named Pipe Created
  T1055_hacktool-dinjector-powershell-cradle-execution.yml  [T1055]  HackTool - DInjector PowerShell Cradle Execution
  hacktool-diagtrackeop-default-named-pipe.yml  []  HackTool - DiagTrackEoP Default Named Pipe
  T1003.001_hacktool-dumpert-process-dumper-default-file.yml  [T1003.001]  HackTool - Dumpert Process Dumper Default File
  T1003.001_hacktool-dumpert-process-dumper-execution.yml  [T1003.001]  HackTool - Dumpert Process Dumper Execution
  T1548.002_hacktool-empire-powershell-uac-bypass.yml  [T1548.002]  HackTool - Empire PowerShell UAC Bypass
  T1218.011_hacktool-f-secure-c3-load-by-rundll32.yml  [T1218.011]  HackTool - F-Secure C3 Load by Rundll32
  T1003.001_hacktool-inveigh-execution.yml  [T1003.001]  HackTool - Inveigh Execution
  T1219.002_hacktool-inveigh-execution-artefacts.yml  [T1219.002]  HackTool - Inveigh Execution Artefacts
  T1134.001_hacktool-koh-default-named-pipe.yml  [T1134.001,T1528]  HackTool - Koh Default Named Pipe
  T1558_hacktool-mimikatz-kirbi-file-creation.yml  [T1558]  HackTool - Mimikatz Kirbi File Creation
  T1587_hacktool-purplesharp-execution.yml  [T1587]  HackTool - PurpleSharp Execution
  T1003.002_hacktool-quarkspwdump-dump-file.yml  [T1003.002]  HackTool - QuarksPwDump Dump File
  T1003_hacktool-rubeus-execution.yml  [T1003,T1550.003,T1558.003]  HackTool - Rubeus Execution
  T1003.001_hacktool-safetykatz-execution.yml  [T1003.001]  HackTool - SafetyKatz Execution
  T1555_hacktool-securityxploded-execution.yml  [T1555]  HackTool - SecurityXploded Execution
  T1569.002_hacktool-sharpup-privesc-tool-execution.yml  [T1569.002,T1574.005,T1615]  HackTool - SharpUp PrivEsc Tool Execution
  T1059_hacktool-sliver-c2-implant-activity-pattern.yml  [T1059]  HackTool - Sliver C2 Implant Activity Pattern
  T1068_hacktool-sysmoneop-execution.yml  [T1068]  HackTool - SysmonEOP Execution
  T1003.001_hacktool-windows-credential-editor-wce-execution.yml  [T1003.001]  HackTool - Windows Credential Editor (WCE) Execution
  T1003_hacktool-execution-imphash.yml  [T1003,T1588.002]  Hacktool Execution - Imphash
  T1068_installerfiletakeover-lpe-cve-2021-41379-file-create-event.yml  [T1068]  InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
  T1059_lazarus-group-activity.yml  [T1059]  Lazarus Group Activity
  T1547.001_leviathan-registry-key-activity.yml  [T1547.001]  Leviathan Registry Key Activity
  T1059.004_linux-reverse-shell-indicator.yml  [T1059.004]  Linux Reverse Shell Indicator
  T1486_lockergoga-ransomware-activity.yml  [T1486]  LockerGoga Ransomware Activity
  T1505.003_mailbox-export-to-exchange-webserver.yml  [T1505.003]  Mailbox Export to Exchange Webserver
  malicious-dll-load-by-compromised-3cxdesktopapp.yml  []  Malicious DLL Load By Compromised 3CXDesktopApp
  T1055_malicious-named-pipe-created.yml  [T1055]  Malicious Named Pipe Created
  mint-sandstorm-asperafaspex-suspicious-process-execution.yml  []  Mint Sandstorm - AsperaFaspex Suspicious Process Execution
  mint-sandstorm-manageengine-suspicious-process-execution.yml  []  Mint Sandstorm - ManageEngine Suspicious Process Execution
  T1543.003_moriya-rootkit-system.yml  [T1543.003]  Moriya Rootkit - System
  T1543.003_moriya-rootkit-file-created.yml  [T1543.003]  Moriya Rootkit File Created
  T1003.001_notpetya-ransomware-activity.yml  [T1003.001,T1218.011,T1685.005]  NotPetya Ransomware Activity
  T1190_owassrf-exploitation-attempt-using-public-poc-proxy.yml  [T1190]  OWASSRF Exploitation Attempt Using Public POC - Proxy
  T1190_owassrf-exploitation-attempt-using-public-poc-webserver.yml  [T1190]  OWASSRF Exploitation Attempt Using Public POC - Webserver
  T1112_oceanlotus-registry-activity.yml  [T1112]  OceanLotus Registry Activity
  T1053.005_oilrig-apt-activity.yml  [T1053.005,T1071.004,T1112,T1543.003]  OilRig APT Activity
  T1053.005_oilrig-apt-registry-persistence.yml  [T1053.005,T1071.004,T1112,T1543.003]  OilRig APT Registry Persistence
  T1053.005_oilrig-apt-schedule-task-persistence-security.yml  [T1053.005,T1071.004,T1112,T1543.003]  OilRig APT Schedule Task Persistence - Security
  T1053.005_oilrig-apt-schedule-task-persistence-system.yml  [T1053.005,T1071.004,T1112,T1543.003]  OilRig APT Schedule Task Persistence - System
  T1190_oracle-weblogic-exploit.yml  [T1190,T1505.003]  Oracle WebLogic Exploit
  T1190_oracle-weblogic-exploit-cve-2021-2109.yml  [T1190]  Oracle WebLogic Exploit CVE-2021-2109
  T1105_pandemic-registry-key.yml  [T1105]  Pandemic Registry Key
  T1546.008_persistence-via-sticky-key-backdoor.yml  [T1546.008]  Persistence Via Sticky Key Backdoor
  T1068_possible-coin-miner-cpu-priority-param.yml  [T1068]  Possible Coin Miner CPU Priority Param
  T1068_potential-cve-2021-41379-exploitation-attempt.yml  [T1068]  Potential CVE-2021-41379 Exploitation Attempt
  potential-cve-2023-36884-exploitation-pattern.yml  []  Potential CVE-2023-36884 Exploitation Pattern
  T1486_potential-conti-ransomware-activity.yml  [T1486]  Potential Conti Ransomware Activity
  T1003_potential-credential-dumping-via-lsass-process-clone.yml  [T1003,T1003.001]  Potential Credential Dumping Via LSASS Process Clone
  T1003.001_potential-credential-dumping-via-lsass-silentprocessexit-tec.yml  [T1003.001]  Potential Credential Dumping Via LSASS SilentProcessExit Technique
  T1021.002_potential-dcom-internetexplorer-application-dll-hijack.yml  [T1021.002,T1021.003]  Potential DCOM InternetExplorer.Application DLL Hijack
  T1021.002_potential-dcom-internetexplorer-application-dll-hijack-image.yml  [T1021.002,T1021.003]  Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
  T1033_potential-dridex-activity.yml  [T1033,T1055,T1135]  Potential Dridex Activity
  T1490_potential-dtrack-rat-activity.yml  [T1490]  Potential Dtrack RAT Activity
  T1218.011_potential-emotet-rundll32-execution.yml  [T1218.011]  Potential Emotet Rundll32 Execution
  T1047_potential-maze-ransomware-activity.yml  [T1047,T1204.002,T1490]  Potential Maze Ransomware Activity
  T1059.005_potential-qbot-activity.yml  [T1059.005]  Potential QBot Activity
  T1003.003_potential-russian-apt-credential-theft-activity.yml  [T1003.003,T1552.001]  Potential Russian APT Credential Theft Activity
  T1557.001_potential-smb-relay-attack-tool-execution.yml  [T1557.001]  Potential SMB Relay Attack Tool Execution
  T1190_potential-sharepoint-toolshell-cve-2025-53770-exploitation-f.yml  [T1190]  Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
  T1068_potential-systemnightmare-exploitation-attempt.yml  [T1068]  Potential SystemNightmare Exploitation Attempt
  T1204_printernightmare-mimikatz-driver-name.yml  [T1204]  PrinterNightmare Mimikatz Driver Name
  T1587.001_proxylogon-msexchange-oabvirtualdirectory.yml  [T1587.001]  ProxyLogon MSExchange OabVirtualDirectory
  T1190_proxylogon-reset-virtual-directories-based-on-iis-log.yml  [T1190]  ProxyLogon Reset Virtual Directories Based On IIS Log
  T1190_pulse-secure-attack-cve-2019-11510.yml  [T1190]  Pulse Secure Attack CVE-2019-11510
  T1071.001_pwndrp-access.yml  [T1071.001,T1102.001,T1102.003]  PwnDrp Access
  qakbot-rundll32-exports-execution.yml  []  Qakbot Rundll32 Exports Execution
  qakbot-rundll32-fake-dll-extension-execution.yml  []  Qakbot Rundll32 Fake DLL Extension Execution
  T1059_revil-kaseya-incident-malware-patterns.yml  [T1059]  REvil Kaseya Incident Malware Patterns
  T1055_redsun-named-pipe-created.yml  [T1055,T1685]  RedSun - Named Pipe Created
  T1036.005_redsun-tieringengineservice-exe-detected-as-eicar-test-file.yml  [T1036.005,T1055,T1685]  RedSun - TieringEngineService.exe Detected as EICAR Test File
  T1036.005_redsun-tieringengineservice-exe-staged-in-rs-prefixed-temp-d.yml  [T1036.005]  RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
  T1112_registry-entries-for-azorult-malware.yml  [T1112]  Registry Entries For Azorult Malware
  T1033_renamed-whoami-execution.yml  [T1033]  Renamed Whoami Execution
  T1059.001_rorschach-ransomware-execution-activity.yml  [T1059.001,T1059.003]  Rorschach Ransomware Execution Activity
  snake-malware-kernel-driver-file-indicator.yml  []  SNAKE Malware Kernel Driver File Indicator
  snake-malware-service-persistence.yml  []  SNAKE Malware Service Persistence
  T1136.001_serv-u-exploitation-cve-2021-35211-by-dev-0322.yml  [T1136.001]  Serv-U Exploitation CVE-2021-35211 by DEV-0322
  T1059.001_silence-eda-detection.yml  [T1059.001,T1071.004,T1529,T1572]  Silence.EDA Detection
  small-sieve-malware-potential-c2-communication.yml  []  Small Sieve Malware Potential C2 Communication
  T1505.003_solarwinds-supernova-webshell-access.yml  [T1505.003]  Solarwinds SUPERNOVA Webshell Access
  T1546.008_sticky-key-like-backdoor-execution.yml  [T1546.008]  Sticky Key Like Backdoor Execution
  T1546.008_sticky-key-like-backdoor-usage-registry.yml  [T1546.008]  Sticky Key Like Backdoor Usage - Registry
  successful-exchange-proxyshell-attack.yml  []  Successful Exchange ProxyShell Attack
  T1068_sudo-privilege-escalation-cve-2019-14287-builtin.yml  [T1068,T1548.003]  Sudo Privilege Escalation CVE-2019-14287 - Builtin
  suspicious-child-process-of-veeam-dabatase.yml  []  Suspicious Child Process Of Veeam Dabatase
  T1071.004_suspicious-cobalt-strike-dns-beaconing-dns-client.yml  [T1071.004]  Suspicious Cobalt Strike DNS Beaconing - DNS Client
  T1071.004_suspicious-cobalt-strike-dns-beaconing-sysmon.yml  [T1071.004]  Suspicious Cobalt Strike DNS Beaconing - Sysmon
  suspicious-powershell-mailbox-export-to-share.yml  []  Suspicious PowerShell Mailbox Export to Share
  suspicious-powershell-mailbox-export-to-share-ps.yml  []  Suspicious PowerShell Mailbox Export to Share - PS
  T1548.002_trustedpath-uac-bypass-pattern.yml  [T1548.002]  TrustedPath UAC Bypass Pattern
  T1027_turla-group-commands-may-2020.yml  [T1027,T1053.005,T1059.001]  Turla Group Commands May 2020
  T1021.002_turla-group-lateral-movement.yml  [T1021.002,T1059,T1083,T1135]  Turla Group Lateral Movement
  T1106_turla-group-named-pipes.yml  [T1106]  Turla Group Named Pipes
  T1543.003_turla-png-dropper-service.yml  [T1543.003]  Turla PNG Dropper Service
  T1047_unc2452-powershell-pattern.yml  [T1047,T1059.001]  UNC2452 PowerShell Pattern
  unc4841-potential-seaspy-execution.yml  []  UNC4841 - Potential SEASPY Execution
  T1071.001_ursnif-malware-c2-url-pattern.yml  [T1071.001,T1204.002,T1566.001]  Ursnif Malware C2 URL Pattern
  T1003_wce-wceaux-dll-access.yml  [T1003]  WCE wceaux.dll Access
  T1546.003_wmi-backdoor-exchange-transport-agent.yml  [T1546.003]  WMI Backdoor Exchange Transport Agent
  T1083_wannacry-ransomware-activity.yml  [T1083,T1210,T1222.001,T1486,T1490]  WannaCry Ransomware Activity
  T1505.003_webshell-remote-command-execution.yml  [T1505.003]  Webshell Remote Command Execution
  T1078_win-susp-computer-name-containing-samtheadmin.yml  [T1078]  Win Susp Computer Name Containing Samtheadmin
  T1003.001_windows-credential-editor-registry.yml  [T1003.001]  Windows Credential Editor Registry
  T1574.001_winnti-malware-hk-university-campaign.yml  [T1574.001]  Winnti Malware HK University Campaign
  T1574.001_winnti-pipemon-characteristics.yml  [T1574.001]  Winnti Pipemon Characteristics
  T1047_wmiexec-default-output-file.yml  [T1047]  Wmiexec Default Output File
  T1021.002_wmiprvse-wbemcomn-dll-hijack-file.yml  [T1021.002,T1047]  Wmiprvse Wbemcomn DLL Hijack - File
  T1210_zerologon-exploitation-using-well-known-tools.yml  [T1210]  Zerologon Exploitation Using Well-known Tools
  T1059.003_zxshell-malware.yml  [T1059.003,T1218.011]  ZxShell Malware
