
Releases: mthcht/ThreatHunting-Keywords

November 2024 updates

08 Dec 23:25

November 2024 updates

  • 62 tools added or updated.
  • 59508 detection patterns
  • Detection patterns for Dispossessor ransomware group tools have been added.
  • New strict YARA ruleset added to the yara rules repo (https://github.com/mthcht/ThreatHunting-Keywords-yara-rules)

In progress:

  • Automated retrieval of hashes from the GitHub releases of each tool as soon as they are published
    • combined with another project to automatically compile selected critical tools (chosen by metadata_severity_score) and upload them to VirusTotal
  • reorganization of tags
  • reorganization of lookups (considering separate lookups: with hash / without hash / without tags / by category ... open to suggestions)


new keyword detection patterns added for the following tools :

  • AVDump
  • AutoBlue-MS17-010
  • Browser Data Grabber
  • Dispossessor
  • EternalBlack
  • GrabChrome
  • Lastenzug
  • Minimalistic-offensive
  • OpenChromeDumps
  • POC
  • PowerProxy
  • PowerUpSQL
  • Powersploit
  • Powertool
  • PrintNightmare
  • ProxyLogon
  • RevoUninstaller
  • RpcView
  • SMBGhost
  • SearchOpenFileShares
  • adfind
  • anydesk
  • attrib
  • bitsadmin
  • burp-log4shell
  • bypassUAC
  • cliws
  • cobaltstrike
  • copy
  • crackmapexec
  • crackmd5.ru
  • del
  • go-lsass
  • impacket
  • msiexec
  • nc
  • net
  • netsh
  • nltest
  • nmap
  • noPac
  • peeping-tom
  • powershell
  • powerview
  • privexchange
  • pysecdump
  • rdpscan
  • reg
  • ren
  • route
  • sc
  • seatbelt
  • shad0w
  • sharphound
  • speedtest
  • syncthing
  • systemctl
  • taskkill
  • webshell
  • wmic
  • xeox
  • zerologon

⚠️ Details of added + updated tools: Full Changelog v1.0.6...v1.0.7

October 2024 updates

02 Nov 12:57

October 2024 updates

  • 145 tools added, plus multiple existing tools updated.
  • 57774 detection patterns
  • Additional threat group associations added using the TI reports database; many thanks to @BushidoUK's CTI projects

In progress:

  • Automated retrieval of hashes from the GitHub releases of each tool as soon as they are published
    • combined with another project to automatically compile selected critical tools (chosen by metadata_severity_score) and upload them to VirusTotal
  • reorganization of tags
  • reorganization of lookups (considering separate lookups: with hash / without hash / without tags ... open to suggestions)


new keyword detection patterns added for the following tools :

  • 4shared.com
  • ADFSDump
  • ADPassHunt
  • ADSyncDecrypt
  • Acunetix Web Vulnerability Scanner
  • Adzok
  • Argus
  • Avast
  • BadPotato
  • BetterSafetyKatz
  • BrowserSnatch
  • Cable
  • Certify
  • CheckPort
  • Checkmate
  • ChromeCookiesView
  • Cmdkey
  • DNS-Hijacking
  • Dataplicity
  • Decrypt-RDCMan
  • DecryptRDCManager
  • Dirty-Vanity
  • EarthWorm
  • Eventlogedit-evt--General
  • Eventlogedit-evtx--Evolution
  • ForgeCert
  • FruityC2
  • GMSAPasswordReader
  • GlobalUnProtect
  • GodPotato
  • Imminent-Monitor
  • Inveigh
  • Invoke-RDPThief
  • JuicyPotato
  • KeeTheft
  • KrbRelay
  • KrbRelay-SMBServer
  • KrbRelayUp
  • LAPSToolkit
  • LsassReflectDumping
  • MSSprinkler
  • MozillaCookiesView
  • NamelessC2
  • NetSess
  • NetworkServiceExploit
  • NoPowerShell
  • PSAttack
  • PWDumpX
  • PassTheCert
  • PortQry
  • Poshito
  • PowerShellRunner
  • PowerUpSQL
  • PowerView
  • Prince-Ransomware
  • PrintSpoofer
  • PrivExchange
  • Procdump
  • PwDump7
  • PwDump8
  • RottenPotatoNG
  • Rubeus
  • RunasCs
  • Rust Localtunnels
  • RustiveDump
  • SCMUACBypass
  • SMBTrap
  • Seatbelt
  • ShadowSpray
  • SharpChrome
  • SharpDPAPI
  • SharpEfsPotato
  • SharpGPOAbuse
  • SharpGpo
  • SharpHound
  • SharpKatz
  • SharpLAPS
  • SharpMove
  • SharpOxidResolver
  • SharpPack
  • SharpRDP
  • SharpSCCM
  • SharpSQL
  • SharpUp
  • SharpView
  • Sharpmad
  • SigmaPotato
  • SimpleBackdoorAdmin
  • Smbtouch-Scanner
  • Termite
  • Trellonet
  • WCE
  • Whisker
  • adfsbrute
  • arp
  • atnow
  • attrib
  • btunnel
  • burrow
  • certoc
  • cobaltstrike
  • creddump7
  • csexec
  • dir
  • dropbear
  • easyupload.io
  • echo
  • emkei.cz
  • fgdump
  • find
  • findstr
  • hak5 cloudc2
  • htran
  • libprocesshider
  • ln
  • localtunnels
  • localxpose
  • lslsass
  • ms-appinstaller
  • net
  • powershell
  • precompiled-binaries
  • pretender
  • pslist
  • psobf
  • putty
  • pwnlook
  • quarkspwdump
  • rdp
  • reg
  • resocks
  • sc
  • shootback
  • smbscan
  • sshdoor
  • stunnel
  • tmate
  • tun2socks
  • unset
  • w32times
  • wevtutil
  • winPEAS
  • winexe
  • wso-webshell
  • xspy

⚠️ Details of added + updated tools: Full Changelog v1.0.5...v1.0.6


August 2024 updates

30 Aug 16:31

August 2024 updates

  • 137 new tools added, plus multiple existing tools updated.
  • 53907 detection patterns
  • Updated the README with MITRE coverage (completed) and tools detection matrix (coming soon).
  • Significant updates to MITRE techniques and tactics.
  • More threat actor group names associated with the relevant tools, using the ransomware tool matrix and the MITRE groups page
  • The new metadata_tags column has been expanded with multiple tags. As the lookup grows rapidly (including hash values for tools), additional artifact identification is becoming essential. In this version, the new #filehash and #GUIDproject tags are fully populated. Other tags, such as #Avsignature, #email, #namedpipe, #base64, #registry, #productname, #companyname, and #servicename, are still in progress and are being updated steadily.
  • small correction of a subfolder name in the tools folder

In progress:

  • Automated retrieval of hashes from the GitHub releases of each tool as soon as they are published
    • combined with another project to automatically compile selected critical tools (chosen by metadata_severity_score) and upload them to VirusTotal
  • tool matrix enhancements
  • new tags in the metadata_tags column


new keyword detection patterns added for the following tools :

  • 1ty.me
  • Arduino Pro Micro
  • AsyncRAT-C-Sharp
  • Atera
  • BITSInject
  • BadRentdrv2
  • BloodHound
  • Burntcigar KillAV
  • C3
  • Cactus WHID
  • ChaiLdr
  • ComodoRMM (Itarian RMM)
  • Digispark Attiny85
  • DirtyCLR
  • EHORUS RMM
  • ExtPassword.exe
  • Fynloski Backdoor
  • Gato-X
  • GoAWSConsoleSpray
  • Hak5 BashBunny
  • Hak5 Lan turtle
  • Hak5 O.MG Cable
  • Hak5 Rubber Ducky
  • Hak5 Screen Crab
  • Hak5 Wifi Pineapple
  • Invoke-Maldaptive
  • Invoke-SocksProxy
  • KeeFarce
  • Lansweeper
  • LostMyPassword
  • MEGAcmd
  • Maestro
  • MailPassView
  • NamedPipeMaster
  • Nordic NRF52840
  • OperaPassView
  • PCHunter
  • POC
  • PS2EXE
  • PowerLess
  • PrintSpoofer
  • PrivFu
  • RDP Recognizer
  • ROADtoken
  • RouterPassView
  • RouterScan
  • Rust-Malware-Samples
  • SCCMSecrets
  • Sandman
  • SecretServerSecretStealer
  • ShareAudit
  • SharpDump
  • ShellGen
  • ShimMe
  • Shwmae
  • SirepRAT
  • SniffPass
  • SpoolFool
  • TDSKiller
  • Taskmgr
  • Telemetry
  • TimeException
  • TinyMet
  • TokenFinder
  • TrickDump
  • TrueSocks
  • Universal Virus Sniffer
  • VNCPassView
  • WSMan-WinRM
  • WindowsDowndate
  • ZeroHVCI
  • _
  • adfind
  • aircrack
  • arp
  • asleap
  • attrib
  • autoNTDS
  • bcdedit
  • bcedit
  • canisrufus
  • chashell
  • defender-control
  • del
  • dnskire
  • dnspot
  • dropmefiles.com
  • dsregcmd
  • echo
  • eraser
  • fex.net
  • fleetdeck
  • fleetdm
  • gsecdump
  • hackshell
  • hookchain
  • http.server
  • jecretz
  • keywa7
  • knowsmore
  • metasploit
  • mimikatz
  • net
  • netsh
  • nps
  • nsocks
  • oset
  • pingcastle
  • powershell
  • premiumize.me
  • privnote.com
  • processhacker
  • put.io
  • qaz.im
  • qaz.is
  • qaz.su
  • quiet-riot
  • reg
  • rmdir
  • rs-shell
  • rsocks
  • sc
  • schtasks
  • secretsdump
  • share.riseup.net
  • sharphound
  • shellsilo
  • socat
  • ssh
  • sshamble
  • systeminfo
  • taskkill
  • tasklist
  • tor
  • ufile.io
  • wevtutil
  • wmic

⚠️ Details of added + updated tools: Full Changelog v1.0.4...v1.0.5

ThreatHunting-Keywords

03 Aug 18:26

July 2024 updates

  • 74 tools added + multiple tools updated
  • 45917 detection patterns
  • updated README
  • A new column named metadata_tags was added to include multiple tags for identifying specific artifacts, such as #filehash, #namedpipe, #registry, #GUIDproject, etc. This will help avoid creating new columns or mixing them into the comment column (work in progress).


keyword detection patterns added for the following tools :

  • ADAPE-Script
  • Aoyama
  • Arbitrium-RAT
  • Ask4Creds
  • BackHAck
  • BarracudaRMM
  • BlackShades
  • Cam-Hackers
  • CheckSMBSigning
  • ComodoRMM
  • CursedChrome
  • DeadPotato
  • EDRPrison
  • Gecko
  • Godzilla
  • IHxExec
  • Invoke-GrabTheHash
  • Invoke-PowerIncrease
  • Invoke-RunAsSystem
  • Invoke-s4u2self
  • Kematian Stealer
  • KeyCredentialLink
  • Lime-RAT
  • Moriarty
  • Necro-Stealer
  • Openssh
  • PEASS-ng
  • POC
  • PassSpray
  • Powerlurk
  • PredatorTheStealer
  • ProtectMyTooling
  • Psnmap
  • SessionExec
  • SharpIncrease
  • SharpVeeamDecryptor
  • SoftEtherVPN
  • SomalifuscatorV2
  • SystemBC
  • TGT_Monitor
  • Token-Impersonation
  • WSAAcceptBackdoor
  • WinSCP
  • blackvision
  • certutil
  • dir
  • dirdevil
  • esxcli
  • filetransfer.io
  • gmer
  • hackforums.net
  • icacls
  • impacket
  • mshta
  • net
  • openssh-portable
  • panix
  • paste.ee
  • plink
  • powershell
  • printspoofer
  • ransomware_notes
  • reg
  • saycheese
  • sc
  • schtasks
  • sgn
  • shutter
  • specula
  • ssh
  • taskkill
  • vncviewer
  • win-brute-logon
  • wmic

⚠️ Details of added + updated tools: Full Changelog v1.0.3...v1.0.4

ThreatHunting-Keywords

01 Jul 07:10
efa508a

June 2024 updates

Added:

  • Alpemix
  • AmperageKit
  • AnyplaceControl
  • anyviewer
  • atexec-pro
  • AutoHotkey
  • auvik
  • AV_Evasion_Tool
  • AVKiller
  • aweray
  • Azure Storage Explorer
  • chntpw
  • clickjack
  • comsvcs.dll
  • conpass
  • crowdstrike falcon
  • csvde
  • Ddexec
  • DEDSEC-RANSOMWARE
  • Disable-TamperProtection
  • discord
  • discord-c2
  • Discord-RAT-2.0
  • DriverDump
  • fetch-some-proxies
  • File-Tunnel
  • Get-WmiObject
  • GlllPowerloader
  • gofile.io
  • hidden-tear
  • Ikeext-Privesc
  • impacketremoteshell
  • Invoke-ADEnum
  • Invoke-DumpMDEConfig
  • killProcessPOC
  • level.io
  • localtonet
  • Lockless
  • MakeMeAdmin
  • MDE_Enum
  • MetasploitCoop
  • Microsoft Recall
  • mimipy
  • mythic
  • net
  • NetRipper
  • nipe
  • NoodleRAT
  • NordVPN
  • OshiUpload
  • pcunlocker
  • PewPewPew
  • pico
  • POC
  • PowerBreach
  • Powerpick
  • powershell
  • PWA-Phishing
  • pyobfuscate
  • PySQLRecon
  • ransomware_notes
  • RdpStrike
  • rdrleakdiag
  • RealBlindingEDR
  • reconftw
  • reg
  • regsvr32
  • RemoteKrbRelay
  • responder
  • rotateproxy
  • SafetyDump
  • sc
  • SchTask_0x727
  • ScriptBlock-Smuggling
  • sdelete
  • set
  • ShadowStealer
  • SharpAppLocker
  • SharpCOM
  • SharpDecryptPwd
  • SharpEdge
  • SharpLogger
  • SharpSC
  • SharpSSDP
  • SharpThief
  • spinningteacup
  • suo5
  • TotalRecall
  • tsh
  • tsh-go
  • Tsunami
  • usaupload
  • VenomousSway
  • VNCViewer
  • Voidgate
  • wmic
  • XiebroC2

Details of added + updated tools: Full Changelog v1.0.2...v1.0.3

ThreatHunting-Keywords

31 May 19:19

May 2024 updates

Added:

  • 1secmail.com
  • AD-common-queries
  • ADFSDump-PS
  • AMSITrigger
  • Adcheck
  • AmsiBypass
  • AutoIt
  • BadWindowsService
  • Blank-Grabber
  • BlankOBF
  • CLR-Injection
  • DoubleDrive
  • EASSniper
  • GTFONow
  • HTTP-Shell
  • IPPrintC2
  • Invoke-DNSteal
  • Invoke-Stealth
  • LTProxy
  • Luna-Grabber
  • Malware RAT collection
  • Neo-reGeorg
  • OSEP-Code-Snippets
  • Omnispray
  • PPLSystem
  • PSAsyncShell
  • Powershell-Scripts-for-Hackers-and-Pentesters
  • Proxifier
  • QuickAssist
  • RITM
  • RPC-Backdoor
  • RedTeam_Tools_n_Stuff
  • Rust-for-Malware-Development
  • S-inject
  • SharpBruteForceSSH
  • SharpElevator
  • SharpPersistSD
  • SharpRODC
  • ShellServe
  • ShellSync
  • ThievingFox
  • TokenTacticsV2
  • TunnelVision
  • arsenal
  • beeceptor.com
  • btunnel.in
  • dropbox
  • guerrillamail
  • homeway.io
  • killer
  • ldap queries
  • localhost.run
  • lolminer
  • maildrop
  • mega.co.nz
  • myftp.biz
  • myftp.org
  • nbtscan
  • netcat
  • no_defender
  • pamspy
  • pinggy
  • powershell
  • powerview
  • pwcrack-framework
  • python
  • r77-rootkit
  • remoteit
  • serveo.net
  • spraycharles
  • staqlab-tunnel
  • temp-mail

Details of added + updated tools: Full Changelog v1.0.1...v1.0.2

ThreatHunting-Keywords

01 May 21:26

April 2024 updates

Added/Updated lists:

  • threathunting-keywords.csv
  • offensive_tool_keyword.csv
  • greyware_tool_keyword.csv
  • signature_keyword.csv
  • Ammyy Admin.csv
  • adexplorer.csv
  • boringproxy.csv
  • crowbar.csv
  • curl.csv
  • FileZilla.csv
  • duckdns.org.csv
  • expose.csv
  • go-http-tunnel.csv
  • gost.csv
  • gsocket.csv
  • gt.csv
  • hypertunnel.csv
  • jprq.csv
  • lsa-whisperer.csv
  • netsh.csv
  • ngrok.csv
  • Portr.csv
  • PyPagekite.csv
  • pgrok.csv
  • powershell.csv
  • python.csv
  • SetACL.csv
  • SirTunnel.csv
  • rathole.csv
  • reg.csv
  • remotemoe.csv
  • restic.csv
  • reverse-tunnel.csv
  • setspn.csv
  • shadowsocks.csv
  • sish.csv
  • softperfect networkscanner.csv
  • tunnel.csv
  • tunneller.csv
  • tunnelmole-client.csv
  • tunnelto.dev.csv
  • tunwg.csv
  • wget.csv
  • wiretap.csv
  • zrok.csv
  • ASPJinjaObfuscator.csv
  • BrowsingHistoryView.csv
  • CelestialSpark.csv
  • bpf-keylogger.csv
  • curlshell.csv
  • DLHell.csv
  • FilelessPELoader.csv
  • fuegoshell.csv
  • KExecDD.csv
  • impacket.csv
  • kali.csv
  • LDAP-Password-Hunter.csv
  • LetMeowIn.csv
  • NetNTLMtoSilverTicket.csv
  • lsassy.csv
  • metasploit.csv
  • nanodump.csv
  • Ouned.csv
  • PILOT.csv
  • Python-Rootkit.csv
  • prefetch-tool.csv
  • pyrdp.csv
  • Shell3er.csv
  • var0xshell.csv
  • veeam-creds.csv
  • wmiexec-pro.csv
  • wraith.csv
  • Amnesiac.csv
  • Antivirus Signature.csv
  • BeRoot.csv
  • Invoke-TheHash.csv
  • KPortScan.csv
  • kiglogger.csv
  • Lime-Crypter.csv
  • merlin.csv
  • PEASS.csv
  • SharpEDRChecker.csv
  • Venom.csv
  • cat.csv
  • icalcs.csv
  • RemotePC.csv
  • rdpwrap.csv
  • regsvr32.csv
  • ren.csv
  • takeown.csv
  • AMSI-Provider.csv
  • EvilClippy.csv
  • dll-hijack-by-proxying.csv
  • GraphSpy.csv
  • LocalShellExtParse.csv
  • MacroMeter.csv
  • NTMLRecon.csv
  • NetshHelperBeacon.csv
  • lnk2pwn.csv
  • logon_backdoor.csv
  • masscan.csv
  • mimidogz.csv
  • nishang.csv
  • Offensive-Netsh-Helper.csv
  • OffensiveCpp.csv
  • Office-Persistence.csv
  • Persistence-Accessibility-Features.csv
  • persistence_demos.csv
  • RID-Hijacking.csv
  • SharpDllProxy.csv
  • SharpGPOAbuse.csv
  • ShimDB.csv
  • Snaffler.csv
  • rattler.csv
  • spoofing-office-macro.csv
  • tricky.lnk.csv
  • Waitfor-Persistence.csv
  • WinPirate.csv
  • Windows-Crack.csv
  • vbad.csv
  • viperc2.csv
  • xz.csv
  • Ahk2Exe.csv
  • adfind.csv
  • adrecon.csv
  • Goodsync.csv
  • IObitUnlocker.csv
  • meshcentral.csv
  • psexec.csv
  • RemCom.csv
  • sc.csv
  • slack.csv
  • whoami.csv
  • wireproxy.csv
  • AzureADLateralMovement.csv
  • ccmpwn.csv
  • copy.csv
  • crackmapexec.csv
  • Defeat-Defender.csv
  • DragonCastle.csv
  • goWMIExec.csv
  • Jasmin-Ransomware.csv
  • Koppeling.csv
  • NTHASH-FPC.csv
  • mssqlproxy.csv
  • PickleC2.csv
  • poshc2.csv
  • pwdump.csv
  • ScheduleRunner.csv
  • SharpNoPSExec.csv
  • SharpSCCM.csv
  • SharpWSUS.csv
  • Slackor.csv
  • Tchopper.csv
  • scshell.csv
  • WMEye.csv

Details:

Lists:

  • 15,134 changes: 13,959 additions & 1,175 deletions in threathunting-keywords.csv
  • 7,017 changes: 5,220 additions & 1,797 deletions in offensive_tool_keyword.csv
  • 7,598 changes: 7,339 additions & 259 deletions in greyware_tool_keyword.csv

Yara rules details (https://github.com/mthcht/ThreatHunting-Keywords-yara-rules):

  • 1,131 changes: 567 additions & 564 deletions in yara_rules/offensive_tool_keyword/L-N/metasploit.yara
  • 10 changes: 5 additions & 5 deletions in yara_rules/offensive_tool_keyword/R-T/SharpWSUS.yara
  • 10 changes: 5 additions & 5 deletions in yara_rules/offensive_tool_keyword/U-W/WMEye.yara
  • 101 changes: 52 additions & 49 deletions in yara_rules/offensive_tool_keyword/L-N/lsassy.yara
  • 105 changes: 54 additions & 51 deletions in yara_rules/offensive_tool_keyword/L-N/nanodump.yara
  • 11 changes: 4 additions & 7 deletions in yara_rules/greyware_tool_keyword/A-C/Ammyy Admin.yara
  • 110 changes: 110 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/tunnelmole-client.yara
  • 112 changes: 71 additions & 41 deletions in yara_rules/offensive_tool_keyword/I-K/Jasmin-Ransomware.yara
  • 114 changes: 57 additions & 57 deletions in yara_rules/offensive_tool_keyword/L-N/nishang.yara
  • 116 changes: 116 additions & 0 deletions in yara_rules/greyware_tool_keyword/A-C/crowbar.yara
  • 119 changes: 119 additions & 0 deletions in yara_rules/greyware_tool_keyword/A-C/boringproxy.yara
  • 12 changes: 6 additions & 6 deletions in yara_rules/greyware_tool_keyword/O-Q/psexec.yara
  • 12 changes: 6 additions & 6 deletions in yara_rules/greyware_tool_keyword/R-T/reg.yara
  • 12 changes: 6 additions & 6 deletions in yara_rules/greyware_tool_keyword/U-W/whoami.yara
  • 12 changes: 6 additions & 6 deletions in yara_rules/offensive_tool_keyword/L-N/mssqlproxy.yara
  • 12 changes: 6 additions & 6 deletions in yara_rules/offensive_tool_keyword/R-T/Snaffler.yara
  • 12 changes: 6 additions & 6 deletions in yara_rules/signature_keyword/A-C/Antivirus Signature.yara
  • 12 changes: 9 additions & 3 deletions in yara_rules/greyware_tool_keyword/L-N/netsh.yara
  • 122 changes: 122 additions & 0 deletions in yara_rules/offensive_tool_keyword/O-Q/Ouned.yara
  • 125 changes: 125 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/rdpwrap.yara
  • 125 changes: 125 additions & 0 deletions in yara_rules/offensive_tool_keyword/O-Q/Python-Rootkit.yara
  • 13 changes: 8 additions & 5 deletions in yara_rules/offensive_tool_keyword/I-K/kali.yara
  • 137 changes: 137 additions & 0 deletions in yara_rules/greyware_tool_keyword/A-C/Ahk2Exe.yara
  • 140 changes: 140 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/tunwg.yara
  • 146 changes: 146 additions & 0 deletions in yara_rules/offensive_tool_keyword/D-F/Defeat-Defender.yara
  • 149 changes: 149 additions & 0 deletions in yara_rules/greyware_tool_keyword/E-H/go-http-tunnel.yara
  • 15 changes: 9 additions & 6 deletions in yara_rules/offensive_tool_keyword/U-W/veeam-creds.yara
  • 152 changes: 152 additions & 0 deletions in yara_rules/greyware_tool_keyword/O-Q/PyPagekite.yara
  • 16 changes: 8 additions & 8 deletions in yara_rules/offensive_tool_keyword/A-C/adfind.yara
  • 162 changes: 81 additions & 81 deletions in yara_rules/offensive_tool_keyword/A-C/Amnesiac.yara
  • 164 changes: 164 additions & 0 deletions in yara_rules/offensive_tool_keyword/U-W/WinPirate.yara
  • 167 changes: 167 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/reverse-tunnel.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/regsvr32.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/slack.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/offensive_tool_keyword/U-W/Windows-Crack.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/A-C/Ammyy Admin.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/A-C/Amnesiac.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/A-C/BeRoot.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/I-K/Invoke-TheHash.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/I-K/Jasmin-Ransomware.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/I-K/KPortScan.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/I-K/kiglogger.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/L-N/Lime-Crypter.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/L-N/merlin.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/O-Q/PEASS.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/O-Q/Python-Rootkit.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/R-T/SharpEDRChecker.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/U-W/Venom.yara
  • 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/U-W/wraith.yara
  • 172 changes: 86 additions & 86 deletions in yara_rules/offensive_tool_keyword/L-N/NTHASH-FPC.yara
  • 178 changes: 89 additions & 89 deletions in yara_rules/greyware_tool_keyword/R-T/RemotePC.yara
  • 179 changes: 179 additions & 0 deletions in yara_rules/greyware_tool_keyword/I-K/jprq.yara
  • 179 changes: 179 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/tunneller.yara
  • 18 changes: 9 additions & 9 deletions in yara_rules/greyware_tool_keyword/A-C/adfind.yara
  • 18 changes: 9 additions & 9 deletions in yara_rules/offensive_tool_keyword/R-T/SharpNoPSExec.yara
  • 19 changes: 11 additions & 8 deletions in yara_rules/greyware_tool_keyword/R-T/sc.yara
  • 198 changes: 99 additions & 99 deletions in yara_rules/offensive_tool_keyword/A-C/crackmapexec.yara
  • 2 changes: 1 addition & 1 deletion in yara_rules/greyware_tool_keyword/O-Q/powershell.yara
  • 2 changes: 1 addition & 1 deletion in yara_rules/offensive_tool_keyword/A-C/AzureADLateralMovement.yara
  • 2 changes: 1 addition & 1 deletion in yara_rules/offensive_tool_keyword/A-C/copy.yara
  • 2 changes: 1 addition & 1 deletion in yara_rules/offensive_tool_keyword/R-T/scshell.yara
  • 20 changes: 10 additions & 10 deletions in yara_rules/offensive_tool_keyword/R-T/ScheduleRunner.yara
  • 20 changes: 20 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/setspn.yara
  • 20 changes: 20 additions & 0 deletions in yara_rules/greyware_tool_keyword/U-W/wget.yara
  • 21 changes: 12 additions & 9 deletions in yara_rules/greyware_tool_keyword/L-N/netsh.yara
  • 21 changes: 21 additions & 0 deletions in yara_rules/greyware_tool_keyword/L-...

ThreatHunting-Keywords

29 Apr 07:01

February and March 2024 updates

more details on each tool added in the next releases...

First release: contributors details

Contributor updates since publication

  • Update README.md by @wikijm in #4
  • Update th_keywords_processnames_elk.txt by @Ekitji in #9
  • stripped version of suspicious_http_user_agents_list.csv with only focus on non bots by @Ekitji in #10
  • Update README.md by @Ekitji in #11
  • Update user_agent_elk.txt by @Ekitji in #12
  • Update suspicious_named_pipe_elk.txt by @Ekitji in #13
  • fixed some issues with numbs and so on by @Ekitji in #14
  • minor adjustments by @Ekitji in #15
  • Update th_keywords_processnames_elk.txt by @Ekitji in #16
  • Update user_agent_elk.txt by @Ekitji in #17
  • some additions and updates by @Ekitji in #18
  • Adding AnyDesk.exe previous version (file named 'previous-version') by @wikijm in #21