Docs
Looking things up
Search by process filename (svchost.exe), SHA-256, or MD5. A profile shows what the process is, where it normally runs, what normally launches it, and how attackers abuse it. If a valid name has no record, you get a "not observed" result. You can also browse the whole set on the Explore page and filter by category, LOLBIN, or whether a process has detection rules.
Detections
Each profile's Detections tab lists open detection rules from the Sigma project that reference the process by name, split into rules that flag the process itself and rules that flag what it launches. Every rule links back to its source.
API
Everything in the UI is also available as JSON under /v1/. No key, no rate limits, plain HTTPS:
| Resource | Path |
|---|---|
| Full profile | /v1/processes/<name>.json |
| All processes (summaries) | /v1/index.json |
| Alias and hash resolution | /v1/lookup.json |
| Dataset info | /v1/meta.json |
| ATT&CK Navigator layer | /v1/attack-navigator.json |
Example: GET /v1/processes/svchost.exe.json. A 404 on a valid name means "not observed".
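The lookup above as an added example (not the project's own code): a helper for triage scripts that maps only a 404 to "not observed" and re-raises every other failure, so an outage is never read as an absent record. The base URL is a placeholder because this page gives only the /v1/ paths; the file-name pattern, the function names and the injectable `opener` parameter are assumptions made for the example.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Placeholder host: the page lists only the /v1/ paths, not the service's base URL.
BASE_URL = "https://lookup.example.invalid"

# Assumption: a "valid name" is a bare file name. Path separators, drive letters
# and control characters are rejected so names taken from alerts or logs cannot
# steer the request to another path.
_VALID_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,254}")


def profile_url(name, base=BASE_URL):
    """Build the /v1/processes/<name>.json URL for a bare process file name."""
    if not _VALID_NAME.fullmatch(name):
        raise ValueError(f"not a bare process file name: {name!r}")
    return f"{base}/v1/processes/{urllib.parse.quote(name, safe='')}.json"


def lookup(name, opener=urllib.request.urlopen, base=BASE_URL):
    """Return ("observed", profile) or ("not_observed", None).

    The profile is returned as parsed JSON without interpreting its fields.
    Only HTTP 404 means "not observed"; any other HTTP or network error is
    re-raised to the caller.
    """
    url = profile_url(name, base)
    try:
        with opener(url, timeout=10) as resp:
            return "observed", json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return "not_observed", None
        raise
```

A "not_observed" result says nothing about whether the process is benign; it only means the dataset has no record for that name.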
ATT&CK Navigator
Download the ATT&CK Navigator layer and open it in ATT&CK Navigator (Open Existing Layer → Upload) to see every technique referenced across the dataset, shaded by how many processes cite it. It shows where the dataset's abuse notes concentrate across the ATT&CK matrix.
Contributing
Each process is one YAML file in the repo. Adding or improving one is a small pull request. See the GitHub repo.