August 2024 updates
- 137 new tools added, plus multiple existing tools updated.
- 53907 detection patterns
- Updated the README with MITRE coverage (completed) and tools detection matrix (coming soon).
- Significant updates to MITRE techniques and tactics.
- More threat actor group names associated with all relevant tools, using the ransomware tool matrix and the MITRE groups page.
- The new `metadata_tags` column has been expanded with multiple tags. As the lookup grows rapidly (including hash values for tools), additional artifact identification is becoming essential. In this version, the new #filehash and #GUIDproject tags are fully populated. Other tags, such as #Avsignature, #email, #namedpipe, #base64, #registry, #productname, #companyname, and #servicename, are still in progress but are steadily being updated.
- Small correction of a subfolder name in the `tools` folder.
In progress:
- Automated retrieval of hashes from the GitHub releases of each tool as soon as they are released
- Combination with another project to automatically compile and upload to VirusTotal some critical tools selected with the `metadata_severity_score`
- Tool matrix enhancements
- New tags in the `metadata_tags` column
Links
- WebSite: https://mthcht.github.io/ThreatHunting-Keywords/
- ThreatHunting-Keywords Github repo: https://github.com/mthcht/ThreatHunting-Keywords
- ThreatHunting-Keywords Individual Tool Lists: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools
- Yara Rules Github repo: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules
- Specific Artifact lists Github repo: https://github.com/mthcht/awesome-lists/tree/main/Lists
New keyword detection patterns added for the following tools:
- 1ty.me
- Arduino Pro Micro
- AsyncRAT-C-Sharp
- Atera
- BITSInject
- BadRentdrv2
- BloodHound
- Burntcigar KillAV
- C3
- Cactus WHID
- ChaiLdr
- ComodoRMM (Itarian RMM)
- Digispark Attiny85
- DirtyCLR
- EHORUS RMM
- ExtPassword.exe
- Fynloski Backdoor
- Gato-X
- GoAWSConsoleSpray
- Hak5 BashBunny
- Hak5 Lan turtle
- Hak5 O.MG Cable
- Hak5 Rubber Ducky
- Hak5 Screen Crab
- Hak5 Wifi Pineapple
- Invoke-Maldaptive
- Invoke-SocksProxy
- KeeFarce
- Lansweeper
- LostMyPassword
- MEGAcmd
- Maestro
- MailPassView
- NamedPipeMaster
- Nordic NRF52840
- OperaPassView
- PCHunter
- POC
- PS2EXE
- PowerLess
- PrintSpoofer
- PrivFu
- RDP Recognizer
- ROADtoken
- RouterPassView
- RouterScan
- Rust-Malware-Samples
- SCCMSecrets
- Sandman
- SecretServerSecretStealer
- ShareAudit
- SharpDump
- ShellGen
- ShimMe
- Shwmae
- SirepRAT
- SniffPass
- SpoolFool
- TDSKiller
- Taskmgr
- Telemetry
- TimeException
- TinyMet
- TokenFinder
- TrickDump
- TrueSocks
- Universal Virus Sniffer
- VNCPassView
- WSMan-WinRM
- WindowsDowndate
- ZeroHVCI
- _
- adfind
- aircrack
- arp
- asleap
- attrib
- autoNTDS
- bcdedit
- bcedit
- canisrufus
- chashell
- defender-control
- del
- dnskire
- dnspot
- dropmefiles.com
- dsregcmd
- echo
- eraser
- fex.net
- fleetdeck
- fleetdm
- gsecdump
- hackshell
- hookchain
- http.server
- jecretz
- keywa7
- knowsmore
- metasploit
- mimikatz
- net
- netsh
- nps
- nsocks
- oset
- pingcastle
- powershell
- premiumize.me
- privnote.com
- processhacker
- put.io
- qaz.im
- qaz.is
- qaz.su
- quiet-riot
- reg
- rmdir
- rs-shell
- rsocks
- sc
- schtasks
- secretsdump
- share.riseup.net
- sharphound
- shellsilo
- socat
- ssh
- sshamble
- systeminfo
- taskkill
- tasklist
- tor
- ufile.io
- wevtutil
- wmic