Releases: mthcht/ThreatHunting-Keywords
November 2024 updates
- 62 tools added or updated.
- 59508 detection patterns.
- Detection patterns for the tools used by the Dispossessor ransomware group have been added.
- New strict YARA ruleset added to the YARA rules repo.
In progress:
- Automated retrieval of hashes from the GitHub releases of each tool as soon as they are published.
- Combination with another project to automatically compile selected critical tools (chosen by their metadata_severity_score) and upload them to VirusTotal.
- Reorganization of tags.
- Reorganization of lookups (considering lookups with hash / without hash / without tags / by category ... open to suggestions).
Links:
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- ThreatHunting-Keywords Github repo: https://github.com/mthcht/ThreatHunting-Keywords
- ThreatHunting-Keywords Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules Github repo: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact lists Github repo: https://github.com/mthcht/awesome-lists/tree/main/Lists
New keyword detection patterns added for the following tools:
- AVDump
- AutoBlue-MS17-010
- Browser Data Grabber
- Dispossessor
- EternalBlack
- GrabChrome
- Lastenzug
- Minimalistic-offensive
- OpenChromeDumps
- POC
- PowerProxy
- PowerUpSQL
- Powersploit
- Powertool
- PrintNightmare
- ProxyLogon
- RevoUninstaller
- RpcView
- SMBGhost
- SearchOpenFileShares
- adfind
- anydesk
- attrib
- bitsadmin
- burp-log4shell
- bypassUAC
- cliws
- cobaltstrike
- copy
- crackmapexec
- crackmd5.ru
- del
- go-lsass
- impacket
- msiexec
- nc
- net
- netsh
- nltest
- nmap
- noPac
- peeping-tom
- powershell
- powerview
- privexchange
- pysecdump
- rdpscan
- reg
- ren
- route
- sc
- seatbelt
- shad0w
- sharphound
- speedtest
- syncthing
- systemctl
- taskkill
- webshell
- wmic
- xeox
- zerologon
October 2024 updates
- 145 tools added, plus multiple existing tools updated.
- 57774 detection patterns
- Additional threat group associations using the TI reports database, with many thanks to the @BushidoUK CTI projects.
In progress:
- Automated retrieval of hashes from the GitHub releases of each tool as soon as they are published.
- Combination with another project to automatically compile selected critical tools (chosen by their metadata_severity_score) and upload them to VirusTotal.
- Reorganization of tags.
- Reorganization of lookups (considering lookups with hash / without hash / without tags ... open to suggestions).
Links:
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- ThreatHunting-Keywords Github repo: https://github.com/mthcht/ThreatHunting-Keywords
- ThreatHunting-Keywords Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules Github repo: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact lists Github repo: https://github.com/mthcht/awesome-lists/tree/main/Lists
New keyword detection patterns added for the following tools:
- 4shared.com
- ADFSDump
- ADPassHunt
- ADSyncDecrypt
- Acunetix Web Vulnerability Scanner
- Adzok
- Argus
- Avast
- BadPotato
- BetterSafetyKatz
- BrowserSnatch
- Cable
- Certify
- CheckPort
- Checkmate
- ChromeCookiesView
- Cmdkey
- DNS-Hijacking
- Dataplicity
- Decrypt-RDCMan
- DecryptRDCManager
- Dirty-Vanity
- EarthWorm
- Eventlogedit-evt--General
- Eventlogedit-evtx--Evolution
- ForgeCert
- FruityC2
- GMSAPasswordReader
- GlobalUnProtect
- GodPotato
- Imminent-Monitor
- Inveigh
- Invoke-RDPThief
- JuicyPotato
- KeeTheft
- KrbRelay
- KrbRelay-SMBServer
- KrbRelayUp
- LAPSToolkit
- LsassReflectDumping
- MSSprinkler
- MozillaCookiesView
- NamelessC2
- NetSess
- NetworkServiceExploit
- NoPowerShell
- PSAttack
- PWDumpX
- PassTheCert
- PortQry
- Poshito
- PowerShellRunner
- PowerUpSQL
- PowerView
- Prince-Ransomware
- PrintSpoofer
- PrivExchange
- Procdump
- PwDump7
- PwDump8
- RottenPotatoNG
- Rubeus
- RunasCs
- Rust Localtunnels
- RustiveDump
- SCMUACBypass
- SMBTrap
- Seatbelt
- ShadowSpray
- SharpChrome
- SharpDPAPI
- SharpEfsPotato
- SharpGPOAbuse
- SharpGpo
- SharpHound
- SharpKatz
- SharpLAPS
- SharpMove
- SharpOxidResolver
- SharpPack
- SharpRDP
- SharpSCCM
- SharpSQL
- SharpUp
- SharpView
- Sharpmad
- SigmaPotato
- SimpleBackdoorAdmin
- Smbtouch-Scanner
- Termite
- Trellonet
- WCE
- Whisker
- adfsbrute
- arp
- atnow
- attrib
- btunnel
- burrow
- certoc
- cobaltstrike
- creddump7
- csexec
- dir
- dropbear
- easyupload.io
- echo
- emkei.cz
- fgdump
- find
- findstr
- hak5 cloudc2
- htran
- libprocesshider
- ln
- localtunnels
- localxpose
- lslsass
- ms-appinstaller
- net
- powershell
- precompiled-binaries
- pretender
- pslist
- psobf
- putty
- pwnlook
- quarkspwdump
- rdp
- reg
- resocks
- sc
- shootback
- smbscan
- sshdoor
- stunnel
- tmate
- tun2socks
- unset
- w32times
- wevtutil
- winPEAS
- winexe
- wso-webshell
- xspy
August 2024 updates
- 137 new tools added, plus multiple existing tools updated.
- 53907 detection patterns
- Updated the README with MITRE coverage (completed) and tools detection matrix (coming soon).
- Significant updates to MITRE techniques and tactics.
- More Threat actor group names associated with all relevant tools using the ransomware tool matrix and MITRE groups page
- The new metadata_tags column has been expanded with multiple tags. As the lookup grows rapidly (including hash values for tools), additional artifact identification is becoming essential. In this version, the new #filehash and #GUIDproject tags are fully populated. Other tags, such as #Avsignature, #email, #namedpipe, #base64, #registry, #productname, #companyname, and #servicename, are still in progress but are being updated steadily.
- Small correction of a subfolder name in the tools folder.
In progress:
- Automated retrieval of hashes from the GitHub releases of each tool as soon as they are published.
- Combination with another project to automatically compile selected critical tools (chosen by their metadata_severity_score) and upload them to VirusTotal.
- Tool matrix enhancements.
- New tags in the metadata_tags column.
Links:
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- ThreatHunting-Keywords Github repo: https://github.com/mthcht/ThreatHunting-Keywords
- ThreatHunting-Keywords Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules Github repo: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact lists Github repo: https://github.com/mthcht/awesome-lists/tree/main/Lists
New keyword detection patterns added for the following tools:
- 1ty.me
- Arduino Pro Micro
- AsyncRAT-C-Sharp
- Atera
- BITSInject
- BadRentdrv2
- BloodHound
- Burntcigar KillAV
- C3
- Cactus WHID
- ChaiLdr
- ComodoRMM (Itarian RMM)
- Digispark Attiny85
- DirtyCLR
- EHORUS RMM
- ExtPassword.exe
- Fynloski Backdoor
- Gato-X
- GoAWSConsoleSpray
- Hak5 BashBunny
- Hak5 Lan turtle
- Hak5 O.MG Cable
- Hak5 Rubber Ducky
- Hak5 Screen Crab
- Hak5 Wifi Pineapple
- Invoke-Maldaptive
- Invoke-SocksProxy
- KeeFarce
- Lansweeper
- LostMyPassword
- MEGAcmd
- Maestro
- MailPassView
- NamedPipeMaster
- Nordic NRF52840
- OperaPassView
- PCHunter
- POC
- PS2EXE
- PowerLess
- PrintSpoofer
- PrivFu
- RDP Recognizer
- ROADtoken
- RouterPassView
- RouterScan
- Rust-Malware-Samples
- SCCMSecrets
- Sandman
- SecretServerSecretStealer
- ShareAudit
- SharpDump
- ShellGen
- ShimMe
- Shwmae
- SirepRAT
- SniffPass
- SpoolFool
- TDSKiller
- Taskmgr
- Telemetry
- TimeException
- TinyMet
- TokenFinder
- TrickDump
- TrueSocks
- Universal Virus Sniffer
- VNCPassView
- WSMan-WinRM
- WindowsDowndate
- ZeroHVCI
- _
- adfind
- aircrack
- arp
- asleap
- attrib
- autoNTDS
- bcdedit
- bcedit
- canisrufus
- chashell
- defender-control
- del
- dnskire
- dnspot
- dropmefiles.com
- dsregcmd
- echo
- eraser
- fex.net
- fleetdeck
- fleetdm
- gsecdump
- hackshell
- hookchain
- http.server
- jecretz
- keywa7
- knowsmore
- metasploit
- mimikatz
- net
- netsh
- nps
- nsocks
- oset
- pingcastle
- powershell
- premiumize.me
- privnote.com
- processhacker
- put.io
- qaz.im
- qaz.is
- qaz.su
- quiet-riot
- reg
- rmdir
- rs-shell
- rsocks
- sc
- schtasks
- secretsdump
- share.riseup.net
- sharphound
- shellsilo
- socat
- ssh
- sshamble
- systeminfo
- taskkill
- tasklist
- tor
- ufile.io
- wevtutil
- wmic
July 2024 updates
- 74 tools added + multiple tools updated
- 45917 detection patterns
- updated README
- A new column named metadata_tags was added to hold multiple tags for identifying specific artifacts, such as #filehash, #namedpipe, #registry, #GUIDproject, etc. This avoids creating new columns or mixing these values into the comment column (work in progress).
Links:
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- ThreatHunting-Keywords Github repo: https://github.com/mthcht/ThreatHunting-Keywords
- ThreatHunting-Keywords Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules Github repo: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact lists Github repo: https://github.com/mthcht/awesome-lists/tree/main/Lists
Keyword detection patterns added for the following tools:
- ADAPE-Script
- Aoyama
- Arbitrium-RAT
- Ask4Creds
- BackHAck
- BarracudaRMM
- BlackShades
- Cam-Hackers
- CheckSMBSigning
- ComodoRMM
- CursedChrome
- DeadPotato
- EDRPrison
- Gecko
- Godzilla
- IHxExec
- Invoke-GrabTheHash
- Invoke-PowerIncrease
- Invoke-RunAsSystem
- Invoke-s4u2self
- Kematian Stealer
- KeyCredentialLink
- Lime-RAT
- Moriarty
- Necro-Stealer
- Openssh
- PEASS-ng
- POC
- PassSpray
- Powerlurk
- PredatorTheStealer
- ProtectMyTooling
- Psnmap
- SessionExec
- SharpIncrease
- SharpVeeamDecryptor
- SoftEtherVPN
- SomalifuscatorV2
- SystemBC
- TGT_Monitor
- Token-Impersonation
- WSAAcceptBackdoor
- WinSCP
- blackvision
- certutil
- dir
- dirdevil
- esxcli
- filetransfer.io
- gmer
- hackforums.net
- icacls
- impacket
- mshta
- net
- openssh-portable
- panix
- paste.ee
- plink
- powershell
- printspoofer
- ransomware_notes
- reg
- saycheese
- sc
- schtasks
- sgn
- shutter
- specula
- ssh
- taskkill
- vncviewer
- win-brute-logon
- wmic
June 2024 updates
- 97 tools added + multiple tools updated
- 43126 detection patterns
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact Lists Updated: https://github.com/mthcht/awesome-lists/tree/main/Lists
Added:
- Alpemix
- AmperageKit
- AnyplaceControl
- anyviewer
- atexec-pro
- AutoHotkey
- auvik
- AV_Evasion_Tool
- AVKiller
- aweray
- Azure Storage Explorer
- chntpw
- clickjack
- comsvcs.dll
- conpass
- crowdstrike falcon
- csvde
- Ddexec
- DEDSEC-RANSOMWARE
- Disable-TamperProtection
- discord
- discord-c2
- Discord-RAT-2.0
- DriverDump
- fetch-some-proxies
- File-Tunnel
- Get-WmiObject
- GlllPowerloader
- gofile.io
- hidden-tear
- Ikeext-Privesc
- impacketremoteshell
- Invoke-ADEnum
- Invoke-DumpMDEConfig
- killProcessPOC
- level.io
- localtonet
- Lockless
- MakeMeAdmin
- MDE_Enum
- MetasploitCoop
- Microsoft Recall
- mimipy
- mythic
- net
- NetRipper
- nipe
- NoodleRAT
- NordVPN
- OshiUpload
- pcunlocker
- PewPewPew
- pico
- POC
- PowerBreach
- Powerpick
- powershell
- PWA-Phishing
- pyobfuscate
- PySQLRecon
- ransomware_notes
- RdpStrike
- rdrleakdiag
- RealBlindingEDR
- reconftw
- reg
- regsvr32
- RemoteKrbRelay
- responder
- rotateproxy
- SafetyDump
- sc
- SchTask_0x727
- ScriptBlock-Smuggling
- sdelete
- set
- ShadowStealer
- SharpAppLocker
- SharpCOM
- SharpDecryptPwd
- SharpEdge
- SharpLogger
- SharpSC
- SharpSSDP
- SharpThief
- spinningteacup
- suo5
- TotalRecall
- tsh
- tsh-go
- Tsunami
- usaupload
- VenomousSway
- VNCViewer
- Voidgate
- wmic
- XiebroC2
Details of added and updated tools: Full Changelog v1.0.2...v1.0.3
May 2024 updates
- 72 tools added
- 39865 detection patterns
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact Lists Updated: https://github.com/mthcht/awesome-lists/tree/main/Lists
Added:
- 1secmail.com
- AD-common-queries
- ADFSDump-PS
- AMSITrigger
- Adcheck
- AmsiBypass
- AutoIt
- BadWindowsService
- Blank-Grabber
- BlankOBF
- CLR-Injection
- DoubleDrive
- EASSniper
- GTFONow
- HTTP-Shell
- IPPrintC2
- Invoke-DNSteal
- Invoke-Stealth
- LTProxy
- Luna-Grabber
- Malware RAT collection
- Neo-reGeorg
- OSEP-Code-Snippets
- Omnispray
- PPLSystem
- PSAsyncShell
- Powershell-Scripts-for-Hackers-and-Pentesters
- Proxifier
- QuickAssist
- RITM
- RPC-Backdoor
- RedTeam_Tools_n_Stuff
- Rust-for-Malware-Development
- S-inject
- SharpBruteForceSSH
- SharpElevator
- SharpPersistSD
- SharpRODC
- ShellServe
- ShellSync
- ThievingFox
- TokenTacticsV2
- TunnelVision
- arsenal
- beeceptor.com
- btunnel.in
- dropbox
- guerrillamail
- homeway.io
- killer
- ldap queries
- localhost.run
- lolminer
- maildrop
- mega.co.nz
- myftp.biz
- myftp.org
- nbtscan
- netcat
- no_defender
- pamspy
- pinggy
- powershell
- powerview
- pwcrack-framework
- python
- r77-rootkit
- remoteit
- serveo.net
- spraycharles
- staqlab-tunnel
- temp-mail
Details of added and updated tools: Full Changelog v1.0.1...v1.0.2
April 2024 updates
- 152 tools added/updated
- 35380 detection patterns
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact Lists Updated: https://github.com/mthcht/awesome-lists/tree/main/Lists
Added/Updated lists:
- threathunting-keywords.csv
- offensive_tool_keyword.csv
- greyware_tool_keyword.csv
- signature_keyword.csv
- Ammyy Admin.csv
- adexplorer.csv
- boringproxy.csv
- crowbar.csv
- curl.csv
- FileZilla.csv
- duckdns.org.csv
- expose.csv
- go-http-tunnel.csv
- gost.csv
- gsocket.csv
- gt.csv
- hypertunnel.csv
- jprq.csv
- lsa-whisperer.csv
- netsh.csv
- ngrok.csv
- Portr.csv
- PyPagekite.csv
- pgrok.csv
- powershell.csv
- python.csv
- SetACL.csv
- SirTunnel.csv
- rathole.csv
- reg.csv
- remotemoe.csv
- restic.csv
- reverse-tunnel.csv
- setspn.csv
- shadowsocks.csv
- sish.csv
- softperfect networkscanner.csv
- tunnel.csv
- tunneller.csv
- tunnelmole-client.csv
- tunnelto.dev.csv
- tunwg.csv
- wget.csv
- wiretap.csv
- zrok.csv
- ASPJinjaObfuscator.csv
- BrowsingHistoryView.csv
- CelestialSpark.csv
- bpf-keylogger.csv
- curlshell.csv
- DLHell.csv
- FilelessPELoader.csv
- fuegoshell.csv
- KExecDD.csv
- impacket.csv
- kali.csv
- LDAP-Password-Hunter.csv
- LetMeowIn.csv
- NetNTLMtoSilverTicket.csv
- lsassy.csv
- metasploit.csv
- nanodump.csv
- Ouned.csv
- PILOT.csv
- Python-Rootkit.csv
- prefetch-tool.csv
- pyrdp.csv
- Shell3er.csv
- var0xshell.csv
- veeam-creds.csv
- wmiexec-pro.csv
- wraith.csv
- Amnesiac.csv
- Antivirus Signature.csv
- BeRoot.csv
- Invoke-TheHash.csv
- KPortScan.csv
- kiglogger.csv
- Lime-Crypter.csv
- merlin.csv
- PEASS.csv
- SharpEDRChecker.csv
- Venom.csv
- cat.csv
- icalcs.csv
- RemotePC.csv
- rdpwrap.csv
- regsvr32.csv
- ren.csv
- takeown.csv
- AMSI-Provider.csv
- EvilClippy.csv
- dll-hijack-by-proxying.csv
- GraphSpy.csv
- LocalShellExtParse.csv
- MacroMeter.csv
- NTMLRecon.csv
- NetshHelperBeacon.csv
- lnk2pwn.csv
- logon_backdoor.csv
- masscan.csv
- mimidogz.csv
- nishang.csv
- Offensive-Netsh-Helper.csv
- OffensiveCpp.csv
- Office-Persistence.csv
- Persistence-Accessibility-Features.csv
- persistence_demos.csv
- RID-Hijacking.csv
- SharpDllProxy.csv
- SharpGPOAbuse.csv
- ShimDB.csv
- Snaffler.csv
- rattler.csv
- spoofing-office-macro.csv
- tricky.lnk.csv
- Waitfor-Persistence.csv
- WinPirate.csv
- Windows-Crack.csv
- vbad.csv
- viperc2.csv
- xz.csv
- Ahk2Exe.csv
- adfind.csv
- adrecon.csv
- Goodsync.csv
- IObitUnlocker.csv
- meshcentral.csv
- psexec.csv
- RemCom.csv
- sc.csv
- slack.csv
- whoami.csv
- wireproxy.csv
- AzureADLateralMovement.csv
- ccmpwn.csv
- copy.csv
- crackmapexec.csv
- Defeat-Defender.csv
- DragonCastle.csv
- goWMIExec.csv
- Jasmin-Ransomware.csv
- Koppeling.csv
- NTHASH-FPC.csv
- mssqlproxy.csv
- PickleC2.csv
- poshc2.csv
- pwdump.csv
- ScheduleRunner.csv
- SharpNoPSExec.csv
- SharpSCCM.csv
- SharpWSUS.csv
- Slackor.csv
- Tchopper.csv
- scshell.csv
- WMEye.csv
Details:
Lists:
- 15,134 changes: 13,959 additions & 1,175 deletions in threathunting-keywords.csv
- 7,017 changes: 5,220 additions & 1,797 deletions in offensive_tool_keyword.csv
- 7,598 changes: 7,339 additions & 259 deletions in greyware_tool_keyword.csv
Yara rules details (https://github.com/mthcht/ThreatHunting-Keywords-yara-rules):
- 1,131 changes: 567 additions & 564 deletions in yara_rules/offensive_tool_keyword/L-N/metasploit.yara
- 10 changes: 5 additions & 5 deletions in yara_rules/offensive_tool_keyword/R-T/SharpWSUS.yara
- 10 changes: 5 additions & 5 deletions in yara_rules/offensive_tool_keyword/U-W/WMEye.yara
- 101 changes: 52 additions & 49 deletions in yara_rules/offensive_tool_keyword/L-N/lsassy.yara
- 105 changes: 54 additions & 51 deletions in yara_rules/offensive_tool_keyword/L-N/nanodump.yara
- 11 changes: 4 additions & 7 deletions in yara_rules/greyware_tool_keyword/A-C/Ammyy Admin.yara
- 110 changes: 110 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/tunnelmole-client.yara
- 112 changes: 71 additions & 41 deletions in yara_rules/offensive_tool_keyword/I-K/Jasmin-Ransomware.yara
- 114 changes: 57 additions & 57 deletions in yara_rules/offensive_tool_keyword/L-N/nishang.yara
- 116 changes: 116 additions & 0 deletions in yara_rules/greyware_tool_keyword/A-C/crowbar.yara
- 119 changes: 119 additions & 0 deletions in yara_rules/greyware_tool_keyword/A-C/boringproxy.yara
- 12 changes: 6 additions & 6 deletions in yara_rules/greyware_tool_keyword/O-Q/psexec.yara
- 12 changes: 6 additions & 6 deletions in yara_rules/greyware_tool_keyword/R-T/reg.yara
- 12 changes: 6 additions & 6 deletions in yara_rules/greyware_tool_keyword/U-W/whoami.yara
- 12 changes: 6 additions & 6 deletions in yara_rules/offensive_tool_keyword/L-N/mssqlproxy.yara
- 12 changes: 6 additions & 6 deletions in yara_rules/offensive_tool_keyword/R-T/Snaffler.yara
- 12 changes: 6 additions & 6 deletions in yara_rules/signature_keyword/A-C/Antivirus Signature.yara
- 12 changes: 9 additions & 3 deletions in yara_rules/greyware_tool_keyword/L-N/netsh.yara
- 122 changes: 122 additions & 0 deletions in yara_rules/offensive_tool_keyword/O-Q/Ouned.yara
- 125 changes: 125 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/rdpwrap.yara
- 125 changes: 125 additions & 0 deletions in yara_rules/offensive_tool_keyword/O-Q/Python-Rootkit.yara
- 13 changes: 8 additions & 5 deletions in yara_rules/offensive_tool_keyword/I-K/kali.yara
- 137 changes: 137 additions & 0 deletions in yara_rules/greyware_tool_keyword/A-C/Ahk2Exe.yara
- 140 changes: 140 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/tunwg.yara
- 146 changes: 146 additions & 0 deletions in yara_rules/offensive_tool_keyword/D-F/Defeat-Defender.yara
- 149 changes: 149 additions & 0 deletions in yara_rules/greyware_tool_keyword/E-H/go-http-tunnel.yara
- 15 changes: 9 additions & 6 deletions in yara_rules/offensive_tool_keyword/U-W/veeam-creds.yara
- 152 changes: 152 additions & 0 deletions in yara_rules/greyware_tool_keyword/O-Q/PyPagekite.yara
- 16 changes: 8 additions & 8 deletions in yara_rules/offensive_tool_keyword/A-C/adfind.yara
- 162 changes: 81 additions & 81 deletions in yara_rules/offensive_tool_keyword/A-C/Amnesiac.yara
- 164 changes: 164 additions & 0 deletions in yara_rules/offensive_tool_keyword/U-W/WinPirate.yara
- 167 changes: 167 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/reverse-tunnel.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/regsvr32.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/slack.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/offensive_tool_keyword/U-W/Windows-Crack.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/A-C/Ammyy Admin.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/A-C/Amnesiac.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/A-C/BeRoot.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/I-K/Invoke-TheHash.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/I-K/Jasmin-Ransomware.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/I-K/KPortScan.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/I-K/kiglogger.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/L-N/Lime-Crypter.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/L-N/merlin.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/O-Q/PEASS.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/O-Q/Python-Rootkit.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/R-T/SharpEDRChecker.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/U-W/Venom.yara
- 17 changes: 17 additions & 0 deletions in yara_rules/signature_keyword/U-W/wraith.yara
- 172 changes: 86 additions & 86 deletions in yara_rules/offensive_tool_keyword/L-N/NTHASH-FPC.yara
- 178 changes: 89 additions & 89 deletions in yara_rules/greyware_tool_keyword/R-T/RemotePC.yara
- 179 changes: 179 additions & 0 deletions in yara_rules/greyware_tool_keyword/I-K/jprq.yara
- 179 changes: 179 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/tunneller.yara
- 18 changes: 9 additions & 9 deletions in yara_rules/greyware_tool_keyword/A-C/adfind.yara
- 18 changes: 9 additions & 9 deletions in yara_rules/offensive_tool_keyword/R-T/SharpNoPSExec.yara
- 19 changes: 11 additions & 8 deletions in yara_rules/greyware_tool_keyword/R-T/sc.yara
- 198 changes: 99 additions & 99 deletions in yara_rules/offensive_tool_keyword/A-C/crackmapexec.yara
- 2 changes: 1 addition & 1 deletion in yara_rules/greyware_tool_keyword/O-Q/powershell.yara
- 2 changes: 1 addition & 1 deletion in yara_rules/offensive_tool_keyword/A-C/AzureADLateralMovement.yara
- 2 changes: 1 addition & 1 deletion in yara_rules/offensive_tool_keyword/A-C/copy.yara
- 2 changes: 1 addition & 1 deletion in yara_rules/offensive_tool_keyword/R-T/scshell.yara
- 20 changes: 10 additions & 10 deletions in yara_rules/offensive_tool_keyword/R-T/ScheduleRunner.yara
- 20 changes: 20 additions & 0 deletions in yara_rules/greyware_tool_keyword/R-T/setspn.yara
- 20 changes: 20 additions & 0 deletions in yara_rules/greyware_tool_keyword/U-W/wget.yara
- 21 changes: 12 additions & 9 deletions in yara_rules/greyware_tool_keyword/L-N/netsh.yara
- 21 changes: 21 additions & 0 deletions in yara_rules/greyware_tool_keyword/L-...
February and March 2024 updates
- 144 tools updated
- 30513 detection patterns
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact Lists Updated: https://github.com/mthcht/awesome-lists/tree/main/Lists
More details on each added tool will follow in the next releases...
First release contributors details
Contributors updates since the publication
- Update README.md by @wikijm in #4
- Update th_keywords_processnames_elk.txt by @Ekitji in #9
- striped version of suspicious_http_user_agents_list.csv with only focus on non bots by @Ekitji in #10
- Update README.md by @Ekitji in #11
- Update user_agent_elk.txt by @Ekitji in #12
- Update suspicious_named_pipe_elk.txt by @Ekitji in #13
- fixed some issues with numbs and so on by @Ekitji in #14
- minor adjustments by @Ekitji in #15
- Update th_keywords_processnames_elk.txt by @Ekitji in #16
- Update user_agent_elk.txt by @Ekitji in #17
- some additions and updates by @Ekitji in #18
- Adding AnyDesk.exe previous version (file named 'previous-version') by @wikijm in #21