From e4035e2d1e4bc3730dbc7226ba64ad7ddfa5fa77 Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Sun, 8 Oct 2023 22:20:07 +0200 Subject: [PATCH 1/6] Update th_keywords_processnames_elk.txt
---
 elk/th_keywords_processnames_elk.txt | 1 + 1 file changed, 1 insertion(+)
diff --git a/elk/th_keywords_processnames_elk.txt b/elk/th_keywords_processnames_elk.txt
index 86904e0e6..6ed95f14f 100644
--- a/elk/th_keywords_processnames_elk.txt
+++ b/elk/th_keywords_processnames_elk.txt
@@ -147,6 +147,7 @@ ghostpack.exe
 netexec.exe
 fakelogonscreen.exe
 sharpldap.exe
+sharpldapmonitor.exe
 secretfinder.exe
 mystikal.exe
 dsquery.exe
From 18400d56723c8598de48c3ed1c67c31ee55f63f3 Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Sun, 8 Oct 2023 22:20:25 +0200 Subject: [PATCH 2/6] Update th_keywords_elk.txt
---
 elk/th_keywords_elk.txt | 1 + 1 file changed, 1 insertion(+)
diff --git a/elk/th_keywords_elk.txt b/elk/th_keywords_elk.txt
index 07c9650e2..f04bb126e 100644
--- a/elk/th_keywords_elk.txt
+++ b/elk/th_keywords_elk.txt
@@ -138,6 +138,7 @@ collectionmethod
 sharpmove
 eviltwinserver
 dcom
+dcip
 ms16
 eventhunter
 wce64
From 0a8308dd4a72a0ff32eff350652fcd7b0aa2ee8d Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Fri, 20 Oct 2023 17:55:36 -0400 Subject: [PATCH 3/6] striped list of suspicious_http_user_agents_list.csv with lower case chars..
---
 elk/user_agent_elk.txt | Bin 0 -> 10380 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 elk/user_agent_elk.txt
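Review bot: The added keyword `dcip` only fires if the field it is matched against has already had punctuation stripped; if it is meant to catch a `-dc-ip` style option (a guess from the name, since the list records no provenance), the literal form in a command line contains hyphens and never contains the substring `dcip`. The neighbouring entries (`dcom`, `ms16`, `wce64`) and the later commit messages suggest the list is applied as lowercase substrings on text fields, so either confirm that the ingest pipeline removes the hyphens or add the literal token as well, e.g. `dc-ip`. A four-character token also has a higher false-positive rate than the multi-part names elsewhere in the file, which is worth recording wherever this list's tuning is documented.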
diff --git a/elk/user_agent_elk.txt b/elk/user_agent_elk.txt new file mode 100644 index 0000000000000000000000000000000000000000..322c39069e4a1f03ee0759602477a828fd9debda GIT binary patch literal 10380 zcmZ{qTXG}05k>3U5#B@Zz}@2+d%PTxda?PGD2fsn?{OZSxOv+w=1vv;l1{QayLBHDmgw?5BmLZuCdLP`cS>)@HzIMhjnp&9($|W_qq7Il?-y( z6o+&DMv_hOTV2PH@NGCvX0L|JMD9(EGUskwv1{^079{4>hmz({v-UO0-0gLCA6JH) z&6V$s_qP6W`e<@KwrV3?lNnvrPUxziY&vqf;l_L{qgHk$@v?O4&QtE6r626N9%mkE z&F|MXXFSwzWaYHW()jMG)7RE_7u#5VS33R}xxjldk(>VEhJr6~Hn`u_e#fS1JcM(~ z|5%#FcK1cqPNCad6+`Wbr?J3%_}&-&x$HoTmCyBe zQ}*dxkng_j{XXtC-3iTzFN={2-mO${#pCHMYqw4PAdfq98s%q9-7QN_HK+fv({5ak zWZ0;$3WYg(yF0V?VYCnJRgJFO9{5}ItW?C%zWg~W6PwGT9-4o~%bm}-_>umqNrmN( zrHRklExfixbJo6gWo3_m(6=LMu^(;DvMX7;L{NgA%wk+l;n6AaUgr_D;#g)PhZexA zwr%w3DkJua9XNaZe_5LNY<|M-^1_CfqUv{Znvtw?e3^<906{>$RJA9;{3KqN3` zInqwGN(@*w30RFTK57PtWG1-v_UUXh12SPdvX&O1M|MOz-G)$e(zHQh*OPnq&9l`E zQG%!U-eavlmCRELxw1zxEi5ZXc%z%us2gJd3lkyn?)33a*J(*?sxQ5c*u~7(CKHyO zt|ywiO_@htm)pK%=&=N*;G6i58TH3xo^;kyeIQ5l3BG{Q=Vl{xO&ny0Q%S{%(x;wa zwI0`TOx&B!N{sf?AQ!vCkA0kt=a9jpl~A#Ab|LSq#~IzOr;>PE{^<(qosL7)J|G3T zCNfZCeU_J;$Xtk#xb&qHYi+;KFq51x_rlpn9a7Zzog`$9fyBIlzc?T#nCSDT$3 zd#!o+Bwp1i;m9af#M)2w)1}V{H9@yL}|kD9q{`iTU$wI>lP z(#NmlhCXdwM&GeEB8rGpPPU)O2Oax4*`2yMF+kmb)t{Ta`b|3gKttl!jjeSkfQb9iaL zP}z}Fuw!UhM{S@i_#si@$-xuOEGj0aFvqhd8$fw04X47ePYsFwu;H=Et#+P@PL*>R zWm&a7z#x2z{DUR+h145QjYbZl9-Vv6bj*s4m<0Q$I16oCT+vPBuomRBIlXyqR~k@H zry8U3!k$wcekv~J|MRuQ3NqhxUixT)y_3J76Z@PPulUyXgQ^E&N0H*WPQpqn0{0-E zsK7xbGHU5@kR35-v?|Xe3vh~`#f1|bYM;-d ze^w9sfCBi6*pCeOu`!N!-H$nvc911)KBJY;di@54bG_E5J|Kk{3NB13##kt?4Reer zXrK>o2%dGC^U1qJw>7}+IDYyoYUfQxMi1Z)y6v_y_mVB+5!_#qhjUwr$vZgFHU~ICZKkxJCEd0`D2vKaoIRyF2^bcBTEZxRBj#_qzc&$qt9o6%uO0*qyUU;U>gw ziS_HE^43JmYom41z=f>mjR5b)8|PlQF3WCf%=n~tY+gmI_!6_O)1Wshda8brhrPV# zAc5~w$I||`+MR+7R3_aT&OEo%@ph4{2%TRtO4cKNkDpG>YsjWaj?H*^yVUyJrGq2p zFnj2@_pzuPt)V|^bszN}(#MIqU){gq3jmS|PEM7| zd~5+)a0lI#T|*-;_THv4rnewG3Ovrd+Y#dizTBuX&)kp-YFqntnR+D)7EwdEN{_|w 
z@HRMLFYA>aNwFwMMh%j>g+BQn4~%`n*K7~Yai>D3^LuR{i4|PAYNt;d{1XrGOtU0N zs2@Yad+{>S)OC0$(FQ_mBW7xqAH^}Vx}EwSmzsC`;|g9FPo)8S$Li(1Op3Qna!;3< zH!=Jv*afys@5D&h_1kfWdEBhXTGL8B8G;?C1l;+vsNXieXN9sA?F;e7`5h{^Mg9a^DY5n z#wk9bv>jF0LE37>%=GYr-u50DyX;z=W+ip05lBV>^Id11PJ3VD+roS?0mPCDavy4h zmv1SY9Q_1m`Si8*Tyyc=?j7zc9;Xe?<3VymF7AD?c4mR-N-2fNaRpKB{o!Nu3F{zi z#0>a**VJD0S#zF@&u?n@B_8up>*8nAR{)~VcVzj;i_>H7)DP4YwZg8&4%MlZvi5K! z((zhC1tquS_w@9ORh@KQ8mH%H#(g`S_sFy643Rpc+`Y)2shFjc`@lwhNzD=|LDjD7 zRGh9$E;*EDK|iUYL9F@pJ@2LT0V3aK-IuZsuS@cI8D1JcKC>%lN_7N1w?OuNDIM}s zVf$R1Uh3D+{+CfK?ETrhdg^}m)^4fGQ`L9hWJEi<6Md|q?dVZ+;BD5;?nk8rf@^PP zk+DwonQ`A;cL&CM0Pz<(cqcx4k{o^DnY5_kM2!;Q;e++?Ida>^HQ@CJ<_PVcmYX|{g9K- zXb^9uS_}pvov~&0ZXH1mF|X^-SRuQJczJvGm7g0t@5=5Bu7RRdn$vYu#3FC9k*lKt z-$&%}QghLCY)2eV?|YrE_Y;t3>XX!&-emBBMag5OFV5%}bNTQTbmRW?zzFd~NQuU)QqC5&@04en#lt;?1>2w!3jx<#fm;g*ydR?f3Gw zSnbk03CSPJI!c>r2vi|TtwQ~_iWm#}d&lni%N3JUCw-O z$1Rf`nClA|bG7u`mYpubIu|GFdfsjFs$o^w|GO!7-p}HP m|0^#&a1hOKGO`3R@Vde*>RWN#_ZG)EzgnHgIB%c*{`Nlt68yyg literal 0 HcmV?d00001 From d27dcbd29f7bd78d6a29fa1c0de29c2f2e1345a6 Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Fri, 20 Oct 2023 18:07:54 -0400 Subject: [PATCH 4/6] lower case charcs of suspicious_http_user_agents_list.csv works with text fields with named pipes in ELK --- elk/suspicious_named_pipe_elk.txt | Bin 0 -> 2754 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 elk/suspicious_named_pipe_elk.txt 
diff --git a/elk/suspicious_named_pipe_elk.txt b/elk/suspicious_named_pipe_elk.txt new file mode 100644 index 0000000000000000000000000000000000000000..180562a49edd6aced7108f3709f27b6667895f3d GIT binary patch literal 2754 zcmZve>2jMu5QO)4s`8LB=)e|-0fC%{PtxBu;{}yVC28l_IeP~F{XL~BO{qzP{(q-m z33?X2=rpJE#=Gj&iMGZ~)KlNM(WPEe%dpjdpI6x)Hfq*+`M!hwF-t1xpLMSETYqy} zSv+lb(SYtHcSLYHeWrBFcJ|y^w)%A6EKRymVkNidCV9x?hcq2+o!%rV5!N{#a>8dT zty9`pp%#bxL~boSjXCO8ryA* za%XP3*DC_NU$Tc;)_Qp{r%^Q1*0YQFqdr7(*XNvlxStnkO}p$yMdZ$2;)Wyf;HC#v@oGW-s=B|a5&D&CvdyUSJ5v>X%)r3n#}HN#+_ z-e-flLxyE`_W8#->R=0CEcS&F?%aGPcFz~|oNHwqL9h8H)i|pP-flnf!ED(+NB^EN zraIztTmUKsvKKv63*@inl6H-Th8~XUq3~dFJs8)AmdRJ)?|zO znjIy^EVXE43t6RH$dEYMHEe1oJTyObiY)`zIN;Pt+qamHf>h$F^VAk;K_^ls!V_$b zhc*a%m8}?@$RXknG&&mkZ)7n|;Eb+t7hH6CvytE9N1lB>x9)ReR8J=TdauI?q{KPm z2_MKyWq1!ED@%FS5ryAO_Iz7AKGm?p$JGRr%%11ZTa77Tb8;IG56#%SKA+pJWWV>C zNaHdh4=&ra(|44OS|=?0Btw3b@_uqsJmsBhQKj$VoTO_ztzrSAj*Rm~6xBp-*`PRi z3kn_LVLMmSY!o}y-s9Id9kusw;kZvRF@8D>^27e%>AvrirP!vvbjbMy-<#{mClgRk mPJUxq_0Rp70-i(0-cwqBf_=$0Z)twgv6p92Of8e Date: Fri, 20 Oct 2023 18:14:26 -0400 Subject: [PATCH 5/6] lowercase service names and some modifications of suspicious_windows_services_names_list.csv make a matching on text fields with service names --- ...uspicious_windows_services_names_list_elk.txt | Bin 0 -> 1068 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 elk/suspicious_windows_services_names_list_elk.txt 
diff --git a/elk/suspicious_windows_services_names_list_elk.txt b/elk/suspicious_windows_services_names_list_elk.txt new file mode 100644 index 0000000000000000000000000000000000000000..fb6d39e28e4ac5fa6c71acc3ef94052748b6952a GIT binary patch literal 1068 zcmZvbZBv9W421L98Gj^iB61W4I1qol`fSpZ^K=+!n`}0lqI31>NN#M9eH(D z#YRsi_s9N*TJQ2po!%PUmSe-xlVP=wY#Yg5QjOI2uB&xVLaVx3vZ@qnyGNQUqU7xX^*=m9ShGZir-+b^4(m}(ou)15%Yoq zbx}y&ozSy*&7op+-0B>w*Iy7Zqb#&(mbwAzO_Mt&X4$3rZ|B6)dcMuI3%#RI_{T15 z0wvjEnt{~Ktg-Ci2d}(y?K8Xy<`ebXqCerDXZF6S%7{46|LK_N;0*r_tH1q#LH#`c O@g0m*o%0Wi{;zLnP`(5J literal 0 HcmV?d00001
From cc58848c68fa5540033ab1e35689f157614883fb Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Sat, 21 Oct 2023 00:15:08 +0200 Subject: [PATCH 6/6] Update and rename suspicious_windows_services_names_list_elk.txt to suspicious_windows_services_names_elk.txt
---
 elk/suspicious_windows_services_names_elk.txt | 51 ++++++++++++++++++ ...icious_windows_services_names_list_elk.txt | Bin 1068 -> 0 bytes 2 files changed, 51 insertions(+) create mode 100644 elk/suspicious_windows_services_names_elk.txt delete mode 100644 elk/suspicious_windows_services_names_list_elk.txt
diff --git a/elk/suspicious_windows_services_names_elk.txt b/elk/suspicious_windows_services_names_elk.txt
new file mode 100644
index 000000000..263b430bc
--- /dev/null
+++ b/elk/suspicious_windows_services_names_elk.txt
@@ -0,0 +1,51 @@
+anydesk
+ateraagent
+btobto
+creatsvcrpc
+dcrypt
+dwagent
+goodsync
+gotomypc
+krbscm
+lmiguardiansvc
+lmimaint
+logmein
+magnetramcapture
+mesh
+meterpreter
+metsvc
+mimidrv
+mimikatz
+monblanking
+norebootsvc
+novapdf
+npcap
+paexec
+powerupservice
+pplblade
+psexesvc
+pulseway
+pwdump
+radmin
+remcom
+rustdesk
+screenconnect
+sesshijack
+sliver
+splashtop
+supremo
+tacticalrmm
+teamviewer
+testservice
+tightvnc
+wceservice
+webroot
+windowsmonitoring
+winring
+wrboot
+wrcore
+wrcoreservice
+wrkrn
+wrskyclient
+wrsmsvc
+wrsvc
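Review bot: The new list places widely deployed legitimate products (`anydesk`, `teamviewer`, `splashtop`, `npcap`, `webroot` and the `wr*` Webroot service names) next to offensive tooling such as `mimikatz` and `meterpreter` with nothing marking the difference, and the plain-list format leaves no room for an in-file comment, since any line added would itself become a keyword. Short generic tokens such as `mesh` and `winring` will also substring-match service names unrelated to the intended products if, as the commit messages for the other list variants describe, matching is done on text fields. Record the matching semantics (lowercase, substring versus exact) and the expectation that the RMM and AV entries are tuned per environment in the repository README or a sibling file rather than in the list, or split the file into a high-confidence tier and a "known-abused software" tier. The two earlier list files in this series, `elk/user_agent_elk.txt` and `elk/suspicious_named_pipe_elk.txt`, were committed as `Bin` and cannot be reviewed as text; this rename shows the service list as plain text, so the others presumably carry an encoding or BOM problem worth fixing the same way.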
diff --git a/elk/suspicious_windows_services_names_list_elk.txt b/elk/suspicious_windows_services_names_list_elk.txt deleted file mode 100644 index fb6d39e28e4ac5fa6c71acc3ef94052748b6952a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1068 zcmZvbZBv9W421L98Gj^iB61W4I1qol`fSpZ^K=+!n`}0lqI31>NN#M9eH(D z#YRsi_s9N*TJQ2po!%PUmSe-xlVP=wY#Yg5QjOI2uB&xVLaVx3vZ@qnyGNQUqU7xX^*=m9ShGZir-+b^4(m}(ou)15%Yoq zbx}y&ozSy*&7op+-0B>w*Iy7Zqb#&(mbwAzO_Mt&X4$3rZ|B6)dcMuI3%#RI_{T15 z0wvjEnt{~Ktg-Ci2d}(y?K8Xy<`ebXqCerDXZF6S%7{46|LK_N;0*r_tH1q#LH#`c O@g0m*o%0Wi{;zLnP`(5J