diff --git a/elk/README.md b/elk/README.md
index 9c73bd48f..9345a2971 100644
--- a/elk/README.md
+++ b/elk/README.md
@@ -15,7 +15,7 @@ Different lists to work with the Elastic Stack without using sigma rules by http
 7. Select "Indicator Match"
 ![image](https://github.com/Ekitji/ThreatHunting-Keywords/assets/41170494/7f13d07c-bf3a-4f07-b415-44ff1bd62ba1)
-8. NOTICE! Provided screenshot is only a example (documentation) https://www.elastic.co/guide/en/security/7.17/rules-ui-create.html#indicator-value-lists **change values as shown below (number 9-14)
+8. NOTICE! Provided screenshot is only a example (documentation) https://www.elastic.co/guide/en/security/7.17/rules-ui-create.html#indicator-value-lists **change values as shown below (number 9-14)**
 ![image](https://github.com/Ekitji/ThreatHunting-Keywords/assets/41170494/a8daaa41-44ee-434b-803a-8263ad1370cd)
 9. **Source:** Choose your index for where you have your windows logs
@@ -35,7 +35,29 @@ Different lists to work with the Elastic Stack without using sigma rules by http
 You can do the same with th_keywords_processnames_elk.txt and the other files **as long as the field type is text**
 Upload it and follow the same steps, at number 12 change the list_id to th_keywords_processnames_elk.txt
-Then change the indicator mapping field to process.name instead.
+Then change the indicator mapping field to process.name instead (field type must be text).
+**Reference list**
+rmm_domain_names_elk.txt is a custom list from
+https://github.com/jischell-msft/RemoteManagementMonitoringTools/blob/main/Network%20Indicators/RMM_SummaryNetworkURI.csv
+
+**Files**
+
+*Observere that the field types you want to match words on must be a text field type.*
+
+creds_catcher.txt, use on process.command_line AND powershell scriptblock to catch bad password usage
+
+rmm_domain_names_elk.txt, use on events where you have domain names to catch suspicious activity to RMM domains
+
+suspicious_named_pipe_elk.txt, use on events with named pipes.
+
+suspicious_windows_services_names_elk.txt, use on events with service names.
+
+th_keywords_elk.txt, use on process.command_line AND powershell scriptblock to catch malicious activity
+
+th_keywords_processnames_elk.txt, use on events where you have process.names OR parent.process.names
+
+user_agent_elk.txt, use on events where you have user_agent fields to catch malicious activity
+
diff --git a/elk/rmm_domain_names_elk.txt b/elk/rmm_domain_names_elk.txt
new file mode 100644
index 000000000..860f44ddc
Binary files /dev/null and b/elk/rmm_domain_names_elk.txt differ
diff --git a/elk/th_keywords_processnames_elk.txt b/elk/th_keywords_processnames_elk.txt
index 4610b91ce..02a767d6c 100644
--- a/elk/th_keywords_processnames_elk.txt
+++ b/elk/th_keywords_processnames_elk.txt
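Review bot: The new list elk/rmm_domain_names_elk.txt arrives as `Binary files /dev/null and b/elk/rmm_domain_names_elk.txt differ`, so git treated a .txt value list as binary, which usually means a non-UTF-8 encoding (for example UTF-16 with a BOM) or stray NUL bytes rather than plain one-entry-per-line text. None of its entries can be reviewed here, and an encoding like that can make the Elastic value-list upload the README describes fail or silently import garbled domain entries. Re-save the file as UTF-8 with LF line endings and commit it as text so the entries are diffable. The README hunk in this commit already links the upstream CSV the list was derived from; recording the date or commit of that snapshot next to the link would make future refreshes easier.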
@@ -10,7 +10,7 @@ adconnectdump.exe
 adcskiller.exe
 adcspwn.exe
 adexplorer.exe
-adexplorersnapshot.py.exe
+adexplorersnapshot.exe
 adfind.exe
 adfspoof.exe
 adfspray.exe
@@ -162,22 +162,6 @@ cut.exe
 cytool.exe
 damp.exe
 daphne.exe
-ftype.exe
-sharptoken.exe
-t14m4t.exe
-ssrfmap.exe
-undertheradar.exe
-cloakify.exe
-pywsus.exe
-dnsdumpster.exe
-hcxdumptool.exe
-beelogger.exe
-proxyshell.exe
-arpspoofing.exe
-phoenix.exe
-miner.exe
-afrog.exe
-pyexec.exe
 darkarmour.exe
 darkloadlibrary.exe
 darkwidow.exe
@@ -393,76 +377,6 @@ injectify.exe
 injectproc.exe
 insecurepowershell.exe
 inspectassembly.exe
-exrop.exe
-webdavc2.exe
-touch.exe
-vrealizeloginsightrce.exe
-xerror.exe
-w3af.exe
-dsdbutil.exe
-privfu.exe
-merlin.exe
-nimexec.exe
-swampthing.exe
-p0wny.exe
-credphisher.exe
-tokenvator.exe
-pplkiller.exe
-fakecmdline.exe
-eqgrp.exe
-tools.exe
-attifyos.exe
-sudosnatch.exe
-githubc2.exe
-lyncsmash.exe
-osmedeus.exe
-striker.exe
-owasp.exe
-sniffair.exe
-schedulerunner.exe
-abandonedcomkeys.exe
-krbjack.exe
-obfy.exe
-sqlmap.exe
-rasmanpotato.exe
-lapsdumper.exe
-h8mail.exe
-impacket.exe
-targetedkerberoast.exe
-hping.exe
-sharpunhooker.exe
-silentmoonwalk.exe
-smuggler.exe
-group3r.exe
-adcspwn.exe
-scriptsentry.exe
-archerysec.exe
-inveigh.exe
-pingcastle.exe
-fcrackzip.exe
-pastebin.exe
-webbrowserpassview.exe
-finduncommonshares.exe
-nimcrypt2.exe
-powerforensics.exe
-srdi.exe
-tetanus.exe
-sqlninja.exe
-donpapi.exe
-mars.exe
-stealer.exe
-sshlooterc.exe
-deathstar.exe
-prt.exe
-dumpcreds.exe
-apt.exe
-pecloak.exe
-boinc.exe
-ratchatpt.exe
-delegationbof.exe
-maliciousmacromsbuild.exe
-atlasc2.exe
-atomldr.exe
 interactsh.exe
 intercepter.exe
 intruderpayloads.exe
@@ -536,6 +450,7 @@ macchanger.exe
 macetrap.exe
 macrome.exe
 macrometer.exe
+mail.exe
 mailpv.exe
 mailsniper.exe
 maliciousmacrogenerator.exe
@@ -555,8 +470,8 @@ metatwin.exe
 metetool.exe
 mhydeath.exe
 microburst.exe
-mimikatz.exe
 mimi.exe
+mimikatz.exe
 mimikittenz.exe
 mimipenguin.exe
 miner.exe
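Review bot: The block removed in hunk `@@ -162,22 +162,6 @@` (and likewise in `@@ -393,76 +377,6 @@`, `@@ -575,20 +490,6 @@` and `@@ -775,17 +676,6 @@`) looks like an out-of-order append that is being pruned; several of its names are visible as context elsewhere in this diff (adcspwn.exe, inspectassembly.exe, miner.exe, ratchatpt.exe, wdextract.exe, webbrowserpassview.exe), so those removals are genuine de-duplication. Others, such as cobaltstrike.exe, sqlmap.exe, impacket.exe, inveigh.exe and pingcastle.exe, have no visible counterpart on this page, so confirm they still exist at their alphabetical position in the file before merging, otherwise detection coverage is silently lost. Dropping generic names like nc.exe, ruby.exe, touch.exe and tools.exe is reasonable for a process.name indicator match, and a one-line commit note stating that the change is de-duplication plus noise removal would make that intent explicit.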
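Review bot: `mail.exe`, added in hunk `@@ -536,6 +450,7 @@`, is a generic process name unlike the tool-specific entries around it (mailpv.exe, mailsniper.exe), so as an indicator-match term on process.name it is likely to fire on unrelated software that happens to use that name. If it stands for a specific tool, prefer that tool's distinctive binary name or add a README line explaining what the entry is expected to match, and check it against a baseline of normal process names before enabling it in an alerting rule. The same question applies to weaf.exe in `@@ -1052,9 +943,11 @@`, whose origin is not evident from the list.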
@@ -575,20 +490,6 @@ mortar.exe
 mousejack.exe
 movfuscator.exe
 msbuildshell.exe
-unhookingpatch.exe
-cobaltstrike.exe
-nc.exe
-pipeviewer.exe
-spring4shell.exe
-vscode.exe
-sharpcollection.exe
-routerscan.exe
-aclpwn.exe
-junctionfolder.exe
-winshellcode.exe
-gmsapasswordreader.exe
-nuages.exe
-gmsadumper.exe
 msdat.exe
 msfpc.exe
 msfvenom.exe
@@ -775,17 +676,6 @@ ratchatgpt.exe
 ratchatpt.exe
 rdpassspray.exe
 rdpcredentialstealer.exe
-bulletpassview.exe
-inspectassembly.exe
-linuxprivchecker.exe
-bypassclm.exe
-modlishka.exe
-ruby.exe
-wdextract.exe
-brutesploit.exe
-s3scanner.exe
-cme.exe
-autotimeliner.exe
 rdpinception.exe
 rdpscraper.exe
 rdpspray.exe
@@ -999,6 +889,7 @@ threadlessinject.exe
 threatcheck.exe
 thunderdns.exe
 thundershell.exe
+tiamat.exe
 timeroast.exe
 tmpdavfs.exe
 tmpwatch.exe
@@ -1052,9 +943,11 @@ wbadmin.exe
 wce.exe
 wcmdump.exe
 wdextract.exe
+weaf.exe
 weakpass.exe
 webbrowserpassview.exe
 webdav.exe
+webdavc.exe
 weevely.exe
 wepwnise.exe
 wertrigger.exe
@@ -1096,4 +989,4 @@ xxeinjector.exe
 yodo.exe
 zarp.exe
 zerologon.exe
-zloader.exe
\ No newline at end of file
+zloader.exe
diff --git a/elk/user_agent_elk.txt b/elk/user_agent_elk.txt
index e69de29bb..15491a1de 100644
--- a/elk/user_agent_elk.txt
+++ b/elk/user_agent_elk.txt
@@ -0,0 +1,522 @@
+aaaa
+aaaabbb
+abcd
+access
+adiseexplorer
+adlib
+adsntd
+advantage
+agavadwnl
+agency
+ahkih
+aiohttp
+alawar
+aldi
+alertup
+alizer
+altera
+angel
+antispyprogram
+antispyware
+antivermeans
+antiverminser
+antivirgear
+antivirus
+antivirxp
+anycleaner
+anydesk
+app4
+apropos
+arachni
+arch
+archlinux
+askbar
+askpbar
+asksearchassistant
+asmupdater
+asteria
+atsu
+auctionplusup
+autodl
+autohotkey
+ayayayay
+b5c3d0b28619de70bf5588505f4061f2
+backdor
+bash
+bbos
+bdsclk
+bigfoot
+bits
+blah
+blahrx
+bnddriveloader
+bndveano4getdownldr
+bobrowser
+boostsoftware
+brandthunderhelper
+bridgev
+browserbob
+bundle
+bunny
+callstranger
+cat
+cfs
+charon
+checker
+checkonline
+chek
+chilkatupload
+chnome
+cleancopupdate
+clever
+clickadsbyie
+cmd
+collection
+comm
+commonname
+condi
+connect
+connector
+contains
+coolstreaming
+count
+cpush
+cpython
+crazybro
+crazyk
+cryptoapi
+cso
+cttbasic
+curl
+customexchangebrowser
+customspy
+dance
+darecover
+dash
+dashes
+dbcount
+debut
+default
+defender
+demo
+descriptor
+dialer
+dialno
+dinstaller2
+dirbuster
+dirhunt
+diva
+docker
+doctorpro1
+doctorvaccine
+doshowmeanad
+double
+downing
+download
+downloader
+drpcclean
+dsinstall
+dsreg
+ducktales
+dummy
+dvadcat
+dwplayer
+eeloader
+ei
+eicar
+ekeoil
+electrosun
+emscbvdfrt
+engo
+envolo
+errcode
+errn
+errordigger
+errornuker
+errorsafe
+esb
+evnuker
+example
+explorer
+extractor
+eye
+ezshop
+facecooker
+fast browser search
+favupdate
+fetcher
+fian
+filedown
+filedownloader
+filenolja
+fingerprint
+fixer
+fking
+forthgoer
+forthgoner
+framework
+freezeinet
+fuckusa
+fullstuff
+funwebproducts
+gamehouse
+gameinfo
+games
+gbot
+geekingtothemoon
+generic
+getjob
+gettinganswer
+giftz
+githubcopilotchat
+globalupdate
+globalx
+gobuster
+gomtour
+gootkit
+gtbank
+guidtracker
+gunnawunna
+hacker
+hackintosh
+hardcore
+haxermen
+hbtools
+headlesschrome
+headlessedg
+heartbeat
+hello
+helperh
+helpsrvc
+hhh
+hijack
+hotbar
+httpdownload
+httpfiledown
+httpgetdata
+httpread
+httptest
+huai
+ibsband
+idownloadagent
+ieagent
+iefeatsl
+ieguideupdate
+iexplore
+imeshbar
+imightjustpaymyselfforafeature
+indy
+inet
+inetinst
+ineturl
+inferno
+infobot
+infobox
+informer
+inhold
+installcapital
+installed
+installer
+insufficient
+invokead
+ioinstall
+iokernel
+ircbot
+isecu
+ismyie
+istsvc
+isupd
+iwin
+jedi
+jndi
+josephine
+justice
+kali
+kcableo
+kktone
+kpangupdate
+krmak
+krsystem
+kvadrlson
+lemon
+libsfml
+libtorrent
+libwhisker
+lilith
+lineguide
+linux
+lmaokaazldr
+loads
+loands
+lobo
+lockxls
+locus
+locussoftware
+logevents
+loki
+lsosss
+lunar
+m0zilla
+madebylc
+magic
+malwarewipe
+malwarewiped
+masp
+masscan
+mbar
+mbvdfresct
+medialabssiteinstaller
+medusa
+megaupload
+mez
+microgaming
+microsoft
+miip
+mirar
+momentum
+moonlight
+morpheus
+mozil1a
+mozillar
+mozzzzzzzzzzz
+mrgud
+msgplus
+multibar
+myagent
+mycustomuser
+myie
+mypcdoctor
+mysearch
+myurl
+myway
+mywebsearch
+mz
+mzapp
+n1
+natefinder
+navhelper
+ndes
+needit
+neonabyupdate
+nethelper
+netinstaller
+netlogom
+nguideup
+nikto
+nimo
+nimplant
+nmap
+nope
+nsis
+null
+oemji
+ok
+okcpmgr
+onandon
+onionwclient
+open
+openpage
+openurl
+openvas
+opera
+ossproxy
+owned
+parrot
+passwd
+patcher
+pcapxray
+pcclearplus
+pcdoc
+pcpcupdater
+pinballcorp
+pint
+pivim
+poker
+pologiykolokol
+popup
+popupblockade
+powershell
+presto
+protect
+proxydown
+pts
+pwmi
+pycurl
+python
+qbittorrent
+qdrbi
+qq
+qqdownload
+qqgame
+qvod
+qwrqrwrqwrqwr
+rangecheck
+rbr
+readfileurl
+record
+rekom
+releasexp
+report
+rescue
+revolution
+rfrudokop
+rhyno321
+richcasino
+rogue
+rood
+rqwrwqrqwrqw
+ruler
+runpatch
+runupdater
+rx bar
+sah
+save
+sbtcm
+scan
+schtasks
+search
+searchengine
+searchtoolbar
+searchtoolup
+seekmo
+server
+session
+sextrackerwsi
+shini
+sickloader
+sickness
+sidebar
+sidesearch
+sidestep
+single
+sk
+skype
+skypee
+slayer
+smartinstaller
+smartloader
+sme32
+smileware
+snatch
+snoopstick
+snventor
+sogou
+sometimes
+spamblockerutility
+speedrunner
+sprout
+spydawn
+spyhealer
+spylocked
+spywareaxe
+sqlmap
+srinstaller
+srrecover
+ssol
+stbhoget
+stealer
+steam
+steroid
+suggestion
+suicide
+sunshine
+sunshinemoonlight
+sureseeker
+surferplugin
+svchost
+swizz03r
+sznotifyident
+takemypainback
+talwininethttpclient
+tbonas
+test
+testagent
+thnall
+toolbar
+tpsystem
+travel
+trojan
+trymedia
+tsa
+typhoeus
+u2clean
+ubrenquatrorusdldr
+uccapi
+ucheck
+ucmore
+udonkey
+ultimate
+ultimatehackerzteam
+umbra
+unknown
+update
+updater
+updatesodui
+uploader
+urlexists
+utilmind
+utorrent
+vaccine
+vaccinekilleriu
+valve
+varlok
+versiondwl
+vhibot
+vikiller
+virtualbox
+viruscheck
+virusheat
+virusprotectpro
+visaoapp
+visicom
+vmozilla
+vombaproductsinstaller
+vulnerability
+vulners
+vulture
+webcount
+webdav
+webdownloader
+webfile
+webform
+wfuzz
+wget
+widgitoolbar
+winbutler
+windoss
+windowspowershell
+windowsshellclient
+windsoft
+winfixmaster
+winhttp
+winhttprequest
+wininet
+winlogon
+winproxy
+winrm
+winsoftware
+wintouch
+wireshark/
+worm
+wpscan
+wshrat
+wta
+wtinstaller
+wtrecover
+wyzo
+x11
+xehanort
+xiehongwei
+xmlst
+xupitertoolbar
+xxx
+xxxwww
+yandesk
+yayayay
+yodao
+yourscreen
+zadanie
+zap
+zcom
+zilla
+zload
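Review bot: Many entries in the new user_agent_elk.txt are single common words rather than tool signatures — `cmd`, `bash`, `cat`, `python`, `linux`, `x11`, `microsoft`, `opera`, `explorer`, `iexplore`, `wininet`, `winhttp`, `cryptoapi`, `bits`, `svchost`, `update`, `default`, `test`, `search`, `null`, `ok` and similar — and on the text-typed user_agent field the README prescribes, an indicator match on those tokens will hit ordinary browser and Windows-component user agents (a stock `Mozilla/5.0 (X11; Linux x86_64)` string alone contains two of them). Consider moving such tokens into a separate low-confidence list, or stating in the README that this file is intended for hunting queries rather than alerting rules. Entries that are not a single token, such as `fast browser search`, `rx bar` and `wireshark/` with its trailing slash, may not match the way the single-word entries do depending on how the value list and the field are analysed, so they are worth a test against sample data before the list is relied on. The file carries no provenance; a short README line on where these strings came from and when they were last reviewed would help maintainers prune it.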